ACL Options
Posted by Matthew Jeffels, Last modified by Matthew Jeffels on 30 September 2016 02:55 PM

In this section we cover the ACL Options for Exim Configuration.

The first three options are below:

Apache SpamAssassin™ reject spam score threshold

This option allows you to define the Apache SpamAssassin spam score threshold. You can enter a positive or negative number, which may contain a single decimal point. If you enter a decimal, SpamAssassin will multiply it by 10.

Selecting "No Reject Rule by Spam Score" disables this option.

Dictionary attack protection

This setting allows you to drop and rate limit hosts that have more than four failed recipients. This is to prevent dictionary attacks whereby a malicious user attempts to guess passwords with words in a password dictionary.

Reject remote mail sent to the server's hostname

This option makes the server automatically reject mail in which the recipient address contains the server's primary hostname. This address is a common target for spammers and in general shouldn't receive mail from outside of the server itself.

Ratelimit suspicious SMTP servers

This setting allows you to enforce a rate limit on SMTP servers that have violated the RFCs. This will rate-limit mail servers that do not send QUIT, recently matched an RBL or recently attacked a server.

To ensure that you do not rate-limit a particular SMTP server, add that server to a whitelist. To do this, edit the Trusted SMTP IP Addresses in the Access List tab.

Apache SpamAssassin™: ratelimit spam score threshold

This setting allows you to rate limit hosts that send spam to your server. When this option is enabled the rate limit will delay email sent from hosts that send your server spam. 

The system will activate the rate limit when it meets BOTH of these conditions:

  1. A host reaches or exceeds the Apache SpamAssassin score that you have entered in the text box.
  2. That host exceeds the number of emails that the rate-limit formula specifies.

Ratelimit incoming connections with only failed recipients

This setting allows you to rate-limit incoming SMTP connections that have only sent mail to failed recipients during five separate connection times in the past hour.

Require HELO before MAIL

This setting requires SMTP connections to send a HELO command before sending mail to your server.

A HELO is a command that mail servers send before an email that specifies the name of the sending domain. Enabling this option allows Apache SpamAssassin to perform various checks on this information (for example, it can ensure that the domain name matches the IP address that sent the message). This ensures that your server does not receive spam that reports a false domain name.

Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.

This setting causes the SMTP receiver to wait a few additional seconds for a connection when it detects spam messages. A legitimate mail server will normally wait past this delay, whereas spammers often do not.

Do not delay the SMTP connections for hosts in the Greylisting “Trusted Hosts” list

If this option is enabled, the server will not enforce a delay on hosts in the Greylisting "Trusted Hosts" list, even when the system detects them sending spam.

 

Do not delay the SMTP connections for hosts in the Greylisting “Common Mail Providers” list

If this option is enabled, the server will not enforce a delay on hosts in the Greylisting "Common Mail Providers" list, even when the system detects them sending spam.

Require remote (hostname/IP address) HELO

This setting requires incoming SMTP connections to send a HELO command that does not match your server's primary hostname or a local IP address (IPv4 or IPv6). Enabling this option allows your server to block emails with a forged sender address (spoofed emails).

Require remote (domain) HELO

This setting requires incoming SMTP connections to send a HELO command that does not match your server's local domains. Enabling this option allows your server to block emails with a forged sender address (spoofed emails).

Require RFC-compliant HELO

This setting requires incoming SMTP connections to send a HELO command that conforms with the Internet standards in RFC 2821, section 4.1.1.1.
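
The HELO settings above (Require HELO before MAIL, Require remote (hostname/IP address) HELO, Require remote (domain) HELO and Require RFC-compliant HELO) can be read together as one decision on the HELO argument. The Python below is an added example of that decision, not cPanel's or Exim's own ACL code; the hostname, domains, IP addresses, function names and the simplified domain syntax are assumptions.

```python
import ipaddress
import re

# Assumed values for illustration; substitute your server's own.
SERVER_HOSTNAME = "host.example.com"
LOCAL_DOMAINS = {"example.com", "example.net"}
LOCAL_IPS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "2001:db8::10")}

# Simplified domain syntax: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\Z")


def _helo_ip(arg):
    """Return the IP address a HELO argument names (bracketed or bare), else None."""
    body = arg[1:-1] if arg.startswith("[") and arg.endswith("]") else arg
    if body.lower().startswith("ipv6:"):
        body = body[5:]
    try:
        return ipaddress.ip_address(body)
    except ValueError:
        return None


def check_helo(arg):
    """Return (accepted, reason) for the HELO argument seen before MAIL."""
    if arg is None:
        return False, "no HELO before MAIL"
    ip = _helo_ip(arg)
    name = arg.lower().rstrip(".")
    # Remote (hostname/IP address) HELO: must not claim to be this server.
    if name == SERVER_HOSTNAME or ip in LOCAL_IPS:
        return False, "claims server hostname or local IP"
    # Remote (domain) HELO: must not claim one of the local domains.
    if name in LOCAL_DOMAINS:
        return False, "claims local domain"
    # Syntax: an IP address is only valid as a bracketed address literal.
    if ip is not None:
        compliant = arg.startswith("[") and arg.endswith("]")
    else:
        compliant = bool(_DOMAIN.match(arg))
    if not compliant:
        return False, "not RFC-compliant"
    return True, "ok"


# Constructed sample arguments.
for sample in (None, "mail.remote.example", "[192.0.2.10]", "example.net", "my_pc"):
    print(repr(sample), check_helo(sample))
```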

 

Allow DKIM verification for incoming messages

This setting allows you to enable the use of DomainKeys Identified Mail (DKIM) verification to verify incoming messages.

Warning: If enabled, this verification process can slow your server's performance.

 

Reject DKIM failures

This setting allows you to reject email at SMTP time if the sender fails DKIM key validation. This option is only available if you have enabled DKIM verification.

Maximum message recipients (soft limit) (Minimum: 1; Maximum: 100)

This setting allows you to set the number of recipient addresses that your server will accept in a single message. Selecting "No rejection based on number of recipients" disables this option.

Maximum message recipients before disconnect (hard limit) (Minimum: 1; Maximum: 100)

This setting allows you to set the number of recipient addresses that your server will accept in a single message before it disconnects and enforces a rate-limit on the connection. Selecting "No disconnection based on number of recipients" disables this option.

Thanks

Matt Jeffels
PAC Web Hosting
