author | Philip Hazel <ph10@hermes.cam.ac.uk> | 2005-10-11 09:30:41 +0000 |
---|---|---|
committer | Philip Hazel <ph10@hermes.cam.ac.uk> | 2005-10-11 09:30:41 +0000 |
commit | 5de37277102d8c5afce49171c75ced28af2363fe (patch) | |
tree | fa49ae59def78936f044ed5b6389bf68e65d6362 /src | |
parent | e4a4084a92fdadeb51f5e182c157dc41a3895899 (diff) |
In the default configuration, move the relay_from_hosts and
authenticated client checks to before the DNS black list checks.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/configure.default | 49 |
1 files changed, 25 insertions, 24 deletions
diff --git a/src/src/configure.default b/src/src/configure.default index da3f99601..0a10ee9b9 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -1,4 +1,4 @@ -# $Cambridge: exim/src/src/configure.default,v 1.3 2005/05/10 14:48:07 ph10 Exp $ +# $Cambridge: exim/src/src/configure.default,v 1.4 2005/10/11 09:30:41 ph10 Exp $ ###################################################################### # Runtime configuration file for Exim # 
@@ -310,11 +310,29 @@ acl_check_rcpt: require verify = sender + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. Recipient verification is omitted here, because in many + # cases the clients are dumb MUAs that don't cope well with SMTP error + # responses. If you are actually relaying out from MTAs, you should probably + # add recipient verification here. Note that, by putting this test before + # any DNS black list checks, you will always accept from these hosts, even + # if they end up on a black list. The assumption is that they are your + # friends, and if they get onto a black list, it is a mistake. + + accept hosts = +relay_from_hosts + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted. And again, we do this check before any black list + # tests. + + accept authenticated = * + ############################################################################# - # There are no checks on DNS "black" lists because the domains that contain - # these lists are changing all the time. However, here are two examples of - # how you could get Exim to perform a DNS black list lookup at this point. - # The first one denies, while the second just warns. + # There are no default checks on DNS black lists because the domains that + # contain these lists are changing all the time. However, here are two + # examples of how you can get Exim to perform a DNS black list lookup at this + # point. The first one denies, whereas the second just warns. # # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # dnslists = black.list.example 
@@ -344,30 +362,13 @@ acl_check_rcpt: endpass verify = recipient - # Accept if the address is in a domain for which we are relaying, but again, - # only if the recipient can be verified. + # Accept if the address is in a domain for which we are an incoming relay, + # but again, only if the recipient can be verified. accept domains = +relay_to_domains endpass verify = recipient - # If control reaches this point, the domain is neither in +local_domains - # nor in +relay_to_domains. - - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. Recipient verification is omitted here, because in many - # cases the clients are dumb MUAs that don't cope well with SMTP error - # responses. If you are actually relaying out from MTAs, you should probably - # add recipient verification here. - - accept hosts = +relay_from_hosts - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted. - - accept authenticated = * - # Reaching the end of the ACL causes a "deny", but we might as well give # an explicit message. |
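Review bot: In the hunk at -310, the comment above `accept authenticated = *` gives no rationale of its own for skipping the black list tests. The "they are your friends" assumption is stated only for +relay_from_hosts, while this statement accepts "from any host". Suggest saying explicitly that an authenticated client connecting from a listed address is still accepted. It would also help to note that the commented-out `dnslists` examples below, once enabled, never apply to relay hosts or authenticated clients, so a site that wants them checked has to place its own test above these two accept statements.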
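Review bot: In the hunk at -344, the removed comment "If control reaches this point, the domain is neither in +local_domains nor in +relay_to_domains" documented a precondition that no longer holds for the two moved accept statements, and nothing replaces it. With `accept hosts = +relay_from_hosts` and `accept authenticated = *` now ahead of the `endpass` / `verify = recipient` blocks, these clients skip recipient verification even when the recipient is in +relay_to_domains or is matched by the block above it, which is a wider change than the commit message's reordering relative to the black list checks. Suggest stating this in the new comments at the accept statements so that administrators know unverifiable recipients in those domains are now accepted from such clients.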