The Exim configuration file contains global definitions at the top (we will call this the main section), followed by several other sections[1]. Each of these other sections starts with a line of the form:

    begin section

where section is the name of the section (acl, routers, transports, and so on).
We will spend most of our time in the acl section (i.e. after begin acl); but we will also add and/or modify a few items in the transports and routers sections, as well as in the main section at the top of the file.
As of version 4.xx, Exim incorporates perhaps the most sophisticated and flexible mechanism for SMTP-time filtering available anywhere, by way of so-called Access Control Lists (ACLs).
An ACL can be used to evaluate whether to accept or reject an aspect of an incoming message transaction, such as the initial connection from a remote host, or the HELO/EHLO, MAIL FROM:, or RCPT TO: SMTP commands. So, for instance, you may have an ACL named acl_rcpt_to to validate each RCPT TO: command received from the peer.
An ACL consists of a series of statements (or rules). Each statement starts with an action verb, such as accept, warn, require, defer, or deny, followed by a list of conditions, options, and other settings pertaining to that statement. Every statement is evaluated in order, until a definitive action (besides warn) is taken. There is an implicit deny at the end of the ACL.
A sample statement in the acl_rcpt_to ACL above may look like this:
    deny    message = relay not permitted
            !hosts = +relay_from_hosts
            !domains = +local_domains : +relay_to_domains
            delay = 1m
This statement will reject the RCPT TO: command if the sending host is not in the "+relay_from_hosts" host list and the recipient domain is in neither the "+local_domains" nor the "+relay_to_domains" domain list. However, before issuing the "550" SMTP response to this command, the server will wait for one minute (the delay modifier).
To evaluate a particular ACL at a given stage of the message transaction, you need to point one of Exim's policy controls to that ACL. For instance, to use the acl_rcpt_to ACL mentioned above to evaluate the RCPT TO:, the main section of your Exim configuration file (before any begin keywords) should include:
    acl_smtp_rcpt = acl_rcpt_to
For a full list of such policy controls, refer to section 14.11 in the Exim specifications.
A large number of expansion items are available, including run-time variables, lookup functions, string/regex manipulations, host/domain lists, and so on. An exhaustive reference for the last x.x0 release (i.e. 4.20, 4.30, ...) can be found in the file "spec.txt"; ACLs are described in section 38.
In particular, Exim provides twenty general purpose expansion variables to which we can assign values in an ACL statement:
$acl_c0 - $acl_c9 can hold values that will persist through the lifetime of an SMTP connection.
$acl_m0 - $acl_m9 can hold values while a message is being received, but are then reset. They are also reset by the HELO, EHLO, MAIL, and RSET commands.
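The pieces above wired together into one configuration fragment: the policy control in the main section, an ACL in the acl section that uses accept, warn, defer and deny statements, and the two kinds of ACL variables. This is an added example, not code from the original article; the list contents, the example domains and the 50-recipient limit are constructed values.

```exim
# ---- main section (before any "begin" keyword) ----
# Lists referenced as +name below; these values are constructed examples.
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
domainlist local_domains    = @ : example.com
domainlist relay_to_domains = example.net

# Point the RCPT TO: policy control at our ACL.
acl_smtp_rcpt = acl_rcpt_to

begin acl

acl_rcpt_to:
  # Messages submitted locally (no remote IP address) are accepted outright.
  accept  hosts = :

  # Bookkeeping only: "warn" never ends evaluation. $acl_m0 counts the
  # recipients of the current message and is reset after the message (and
  # by HELO/EHLO/MAIL/RSET); $acl_c0 keeps counting across the whole
  # SMTP connection. Empty variables are treated as 0 before incrementing.
  warn    set acl_m0 = ${eval:${if eq{$acl_m0}{}{0}{$acl_m0}}+1}
          set acl_c0 = ${eval:${if eq{$acl_c0}{}{0}{$acl_c0}}+1}

  # More than 50 recipients in one message (limit is a constructed value):
  # answer 4xx so a legitimate sender can retry with a smaller batch.
  defer   message   = too many recipients in this message, try again later
          condition = ${if >{$acl_m0}{50}}

  # Hosts we relay for may send to any domain.
  accept  hosts = +relay_from_hosts

  # Anyone else may only send to domains we host or relay to.
  accept  domains = +local_domains : +relay_to_domains

  # Equivalent to the deny statement shown earlier; the implicit deny at
  # the end of the ACL would reject this RCPT TO: anyway, but silently.
  deny    message = relay not permitted
          delay   = 1m
```

Evaluation stops at the first accept, defer or deny whose conditions all hold; the warn statement always runs, so the counters are updated for every recipient that reaches it.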
[1] Debian users: The exim4-config package gives you a choice between splitting the Exim configuration into several small chunks distributed within subdirectories below /etc/exim4/conf.d, or keeping the entire configuration in a single file. If you choose the former option (I recommend this!), you can keep your customization well separated from the stock configuration provided with the exim4-config package by creating new files within these subdirectories, rather than modifying the existing ones. For instance, you may create a file named /etc/exim4/conf.d/acl/80_local-config_rcpt_to to declare your own ACL for the RCPT TO: command (see below). The Exim "init" script (/etc/init.d/exim4) will automatically consolidate all these files into a single large run-time configuration file the next time you (re)start.