2. The Exim Configuration File

The Exim configuration file contains global definitions at the top (we will call this the main section), followed by several other sections[15]. Each of these other sections starts with:

begin section

We will spend most of our time in the acl section (i.e. after begin acl); but we will also add and/or modify a few items in the transports and routers sections, as well as in the main section at the top of the file.

2.1. Access Control Lists

As of version 4.xx, Exim incorporates perhaps the most sophisticated and flexible mechanism for SMTP-time filtering available anywhere, by way of so-called Access Control Lists (ACLs).

An ACL can be used to evaluate whether to accept or reject an aspect of an incoming message transaction, such as the initial connection from a remote host, or the HELO/EHLO, MAIL FROM:, or RCPT TO: SMTP commands. So, for instance, you may have an ACL named acl_rcpt_to to validate each RCPT TO: command received from the peer.

An ACL consists of a series of statements (or rules). Each statement starts with an action verb, such as accept, warn, require, defer, or deny, followed by a list of conditions, options, and other settings pertaining to that statement. Every statement is evaluated in order, until a definitive action (besides warn) is taken. There is an implicit deny at the end of the ACL.

A sample statement in the acl_rcpt_to ACL above may look like this:

  deny
    message  = relay not permitted
    !hosts   = +relay_from_hosts
    !domains = +local_domains : +relay_to_domains
    delay    = 1m

This statement will reject the RCPT TO: command if it did not come from a host in the +relay_from_hosts host list, and the recipient domain is not in the +local_domains or +relay_to_domains domain lists. However, before issuing the 550 SMTP response to this command, the server will wait for one minute.

To evaluate a particular ACL at a given stage of the message transaction, you need to point one of Exim's policy controls to that ACL. For instance, to use the acl_rcpt_to ACL mentioned above to evaluate the RCPT TO: command, the main section of your Exim configuration file (before any begin keywords) should include:

acl_smtp_rcpt = acl_rcpt_to

For a full list of such policy controls, refer to section 14.11 in the Exim specifications.

2.2. Expansions

A large number of expansion items are available, including run-time variables, lookup functions, string/regex manipulations, host/domain lists, and so on. An exhaustive reference for the last x.x0 release (i.e. 4.20, 4.30..) can be found in the file spec.txt; ACLs are described in section 38.

In particular, Exim provides twenty general-purpose expansion variables to which we can assign values in an ACL statement:

  • $acl_c0 - $acl_c9 can hold values that will persist through the lifetime of an SMTP connection.

  • $acl_m0 - $acl_m9 can hold values while a message is being received, but are then reset. They are also reset by the HELO, EHLO, MAIL, and RSET commands.
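The following fragment is an added example, not part of the original document or of the Exim distribution. It ties the two sections together: a connect-time ACL records a flag in $acl_c0, and the acl_rcpt_to ACL reads it back later in the same connection. The ACL name acl_connect, the flag value "trusted", and the list contents are assumptions made for illustration, and the fragment is not a complete configuration (routers and transports are omitted).

```exim
# --- main section (before the first "begin" line) ---
# Constructed sample lists; replace with your own hosts and domains.
domainlist local_domains    = example.org
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

# Policy controls: which ACL runs at which stage of the transaction.
acl_smtp_connect = acl_connect
acl_smtp_rcpt    = acl_rcpt_to

begin acl

acl_connect:
  # "warn" is never a definitive action, so evaluation always continues.
  # Here it only records a flag; $acl_c0 persists for the whole connection.
  warn
    hosts      = +relay_from_hosts
    set acl_c0 = trusted

  # Definitive action: allow the connection to proceed.
  accept

acl_rcpt_to:
  # Reuse the flag set at connect time instead of repeating the host check.
  accept
    condition  = ${if eq{$acl_c0}{trusted}{yes}{no}}

  # The relay check from the text. The hosts test is no longer needed,
  # because trusted hosts were accepted by the statement above.
  deny
    message    = relay not permitted
    !domains   = +local_domains : +relay_to_domains
    delay      = 1m

  # Recipients in our own or relayed domains.
  accept
    domains    = +local_domains : +relay_to_domains

  # Nothing reaches this point here, but if it did, the implicit deny
  # at the end of the ACL would reject it.
```

A flag that should apply to a single message only would go in one of $acl_m0 - $acl_m9 instead, since those are reset by the HELO, EHLO, MAIL, and RSET commands.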



[15] Debian users: The exim4-config package gives you a choice between splitting the Exim configuration into several small chunks distributed within subdirectories below /etc/exim4/conf.d, and keeping the entire configuration in a single file.

If you chose the former option (I recommend this!), you can keep your customization well separated from the stock configuration provided with the exim4-config package by creating new files within these subdirectories, rather than modifying the existing ones. For instance, you may create a file named /etc/exim4/conf.d/acl/80_local-config_rcpt_to to declare your own ACL for the RCPT TO: command (see below).

The Exim init script (/etc/init.d/exim4) will automatically consolidate all these files into a single large run-time configuration file the next time you (re)start Exim.