X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/da47dd4d092ba35e4f8ff055d79693cc1266c816..38089ca5c8f4c06092324099fc38494f8491b53c:/src/src/configure.default diff --git a/src/src/configure.default b/src/src/configure.default index 946137fc9..3761dafbf 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -147,15 +147,15 @@ acl_smtp_data = acl_check_data # spamd_address = 127.0.0.1 783 -# If Exim is compiled with support for TLS, you may want to enable the -# following options so that Exim allows clients to make encrypted -# connections. In the authenticators section below, there are template -# configurations for plaintext username/password authentication. This kind -# of authentication is only safe when used within a TLS connection, so the -# authenticators will only work if the following TLS settings are turned on -# as well. +# If Exim is compiled with support for TLS, you may want to change the +# following option so that Exim disallows certain clients from makeing encrypted +# connections. The default is to allow all. +# In the authenticators section below, there are template configurations for +# plaintext username/password authentication. This kind of authentication is +# only safe when used within a TLS connection, so the authenticators will only +# work if TLS is allowed here. -# Allow any client to use TLS. +# This is equivalent to the default. # tls_advertise_hosts = * @@ -458,6 +458,20 @@ acl_check_rcpt: require verify = sender + # Reject all RCPT commands after too many bad recipients + # This is partly a defense against spam abuse and partly attacker abuse. + # Real senders should manage, by the time they get to 10 RCPT directives, + # to have had at least half of them be real addresses. + # + # This is a lightweight check and can protect you against repeated + # invocations of more heavy-weight checks which would come after it. + + deny condition = ${if and {\ + {>{$rcpt_count}{10}}\ + {<{$recipients_count}{${eval:$rcpt_count/2}}} }} + message = Rejected for too many bad recipients + logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}] + # Accept if the message comes from one of the hosts for which we are an # outgoing relay. It is assumed that such hosts are most likely to be MUAs, # so we set control=submission to make Exim treat the message as a @@ -490,11 +504,6 @@ acl_check_rcpt: control = submission control = dkim_disable_verify - # Insist that a HELO/EHLO was accepted. - - require message = nice hosts say HELO first - condition = ${if def:sender_helo_name} - # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow # relaying. Any other domain is rejected as being unacceptable for relaying. @@ -540,11 +549,11 @@ acl_check_rcpt: # to the first recipient must be deferred unless the sender talks PRDR. # # defer !condition = $prdr_requested - # condition = ${if > {0}{$receipients_count}} + # condition = ${if > {0}{$recipients_count}} # condition = ${if !eq {$acl_m_content_filter} \ # {${lookup PER_RCPT_CONTENT_FILTER}}} # warn !condition = $prdr_requested - # condition = ${if > {0}{$receipients_count}} + # condition = ${if > {0}{$recipients_count}} # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# @@ -834,9 +843,9 @@ smarthost_smtp: # request with your smarthost provider to get things fixed: hosts_require_tls = * tls_verify_hosts = * - # As long as tls_verify_hosts is enabled, this won't matter, but if you - # have to comment it out then this will at least log whether you succeed - # or not: + # As long as tls_verify_hosts is enabled, this this will have no effect, + # but if you have to comment it out then this will at least log whether + # you succeed or not: tls_try_verify_hosts = * # # The SNI name should match the name which we'll expect to verify;