begin acl

# Exim ACL definitions (older exiscan-style syntax: demime / malware / spam
# conditions, and `message` on a warn verb used to add a header line).
#
# check_recipient is evaluated for every RCPT command in the SMTP dialogue.
# The order of the rules matters: the first verb whose conditions all match
# decides. If check_recipient were not defined, every RCPT TO would simply
# get an error.
#
# check_message is run on the message content after DATA.
# Entries of the form DBM/... are external DBM lookup files; recipients listed
# in recipients_spamadmin / recipients_spambl are exempt from the respective
# rejections (they receive the mail so the filter can be administered).

check_recipient:

  # Whoever is authenticated may submit mail
  accept authenticated = *

  # Locally generated mail (empty host list = no remote host) is ok
  accept hosts = :

  # Postmaster must accept everything
  accept local_parts = postmaster
         domains = +local_domains

  # HELO/EHLO empty or missing (relay hosts and the spam-admin recipients are exempt)
  deny !recipients = dbm;DBM/recipients_spamadmin
       !hosts = +relay_hosts
       condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
       log_message = (Spam HELO empty)

  # HELO/EHLO from outside that claims one of our own domains/IPs
  # (the patterns live in the helo_reject lookup file)
  deny !recipients = dbm;DBM/recipients_spamadmin
       !hosts = +relay_hosts
       condition = ${lookup {$sender_helo_name} nwildlsearch{DBM/helo_reject}{yes}{no}}
       log_message = (Spam HELO $sender_helo_name)

  # Reject certain hosts/senders - maintained by the "spam protection administrator"
  deny ! recipients = dbm;DBM/recipients_spamadmin
       senders = DBM/sender_reject
       log_message = (Spam sender_reject)
  deny ! recipients = dbm;DBM/recipients_spamadmin
       hosts = DBM/host_reject
       log_message = (Spam host_reject)

  # DNSBL - all return codes except DUL = 127.1.0.2
  # NOTE(review): relays.ordb.org (and dsn.rfc-ignorant.org below) have, as far
  # as I know, ceased operation; a dead zone either never matches or, if the
  # domain is repurposed, can match every query. Confirm each zone is still
  # operated before relying on these deny rules.
  deny ! recipients = dbm;DBM/recipients_spambl
       hosts = +rbl_hosts
       dnslists = rbl-plus.mail-abuse.org=127.1.0.1,127.1.0.3,\
                  127.1.0.4,127.1.0.5,127.1.0.6,127.1.0.7,127.1.0.8 : \
                  relays.ordb.org
       message = Your host $sender_host_address is blacklisted at $dnslist_domain\nSee http://www.tu-chemnitz.de/urz/mail/filter/rbl.php?$sender_host_address
       log_message = (RBL $dnslist_domain)

  # dsn.rfc-ignorant.org - keyed on the sender's domain, not the host address
  deny ! recipients = dbm;DBM/recipients_spambl
       hosts = +rbl_hosts
       dnslists = dsn.rfc-ignorant.org/$sender_address_domain
       message = Sender domain $sender_address_domain is RFC ignorant - listed at $dnslist_domain
       log_message = (RBL $sender_address_domain.$dnslist_domain)

  # DNSBL warnings for everybody (including the exempt recipients above):
  # only adds an X-RBL-Warning header, the message is still accepted here
  warn hosts = +rbl_hosts
       dnslists = rbl-plus.mail-abuse.org : relays.ordb.org
       message = X-RBL-Warning: $sender_host_address is listed at $dnslist_domain
       log_message = (RBL warning $dnslist_domain)
  warn hosts = +rbl_hosts
       dnslists = dsn.rfc-ignorant.org/$sender_address_domain
       message = X-RBL-Warning: Sender domain $sender_address_domain is RFC ignorant - listed at $dnslist_domain
       log_message = (RBL warning $sender_address_domain.$dnslist_domain)

  # We do not want certain characters in the local part
  # (regex: reject any local part containing @ ! / or | anywhere)
  deny local_parts = ^.*[@!/|]

  # Everything below only if the sender address can be verified
  require verify = sender

  # Our own domains: accept only if the recipient verifies; endpass turns a
  # failing recipient verification into a deny instead of falling through
  accept domains = +local_domains
         endpass
         verify = recipient

  # Domains we relay for, and hosts allowed to relay through us
  accept domains = +relay_domains
  accept hosts = +relay_hosts

  # Everything else is rejected
  deny message = relay not permitted


# exiscan ACLs: content checks on the message body
check_message:

  # Check whether the message has already been scanned: accept it unscanned
  # if it carries an X-Scan-Signature header whose value matches the HMAC we
  # add at the end of this ACL.
  # NOTE(review): the secret in the hmac call is what protects this shortcut;
  # a message presenting a valid signature skips the attachment, virus and spam
  # checks below. Keep this file readable only by the Exim user, and note that
  # the signature covers only $body_linecount, not the message content.
  accept condition = ${if eq {${hmac{md5}{IRvAm8dt}{$body_linecount}}}{$h_X-Scan-Signature:} {1}{0}}

  # Check for unwanted attachments (warn only: tags the message with a header)
  # Extension list from http://support.microsoft.com/default.aspx?scid=kb;en-us;291369
  warn message = X-Content-Warning: Executable attachment $found_extension
       log_message = Executable attachment $found_extension: $sender_address -> $recipients ($header_to:) $header_subject
       demime = ade:adp:bas:bat:chm:cmd:com:cpl:exe:hlp:hta:\
                inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
                reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh

  # On serious MIME errors (demime error level above 2) insert a header:
  warn message = X-Mime-Error: Serious MIME defect detected ($demime_reason)
       demime = *
       condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Virus check via clamd (warn only: header and log entry, no rejection):
  warn message = X-Virus-Warning: Virus $malware_name
       log_message = Virus $malware_name: $sender_address -> $recipients ($header_to:) $header_subject
       demime = *
       malware = *

  # SpamAssassin = text analysis, only for messages smaller than 100k.
  # The :true suffix makes the spam condition always succeed, so the score
  # headers are added to every scanned message regardless of the result.
  warn message = X-Spam-Score: $spam_score ($spam_bar)
       condition = ${if <{$message_size}{100k} {1}{0}}
       spam = nobody:true
  warn message = X-Spam-Report: $spam_report
       condition = ${if <{$message_size}{100k} {1}{0}}
       spam = nobody:true

  # Mark that we have scanned the mail (checked by the accept at the top):
  warn message = X-Scan-Signature: ${hmac{md5}{IRvAm8dt}{$body_linecount}}

  # This would also stop a lot of spam, but some mail clients fail it:
  # require verify = header_syntax

  # If we get here, we accept:
  accept