Access Control in the default configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Debian exim 4 packages come with a default configuration that
allows flexible access control and blacklisting of sites and hosts.
The ACLs involved can be found in /etc/exim4/conf.d/acl, or in
/etc/exim4/exim4.conf.template, depending on which configuration
scheme you use. Most rejections of messages due to this mechanism
happen at RCPT time. Local configuration of the mechanisms happens
through data files in /etc/exim4 or via exim macros that you can set
in /etc/exim4/conf.d/main, so there is normally no need to change the
files in the acl subdirectory in a split-config setup. If you use
the non-split config, you need to edit /etc/exim4/exim4.conf.template,
which, being one big dpkg-conffile, gives you none of the advantages
of the .ifdef scheme.

/etc/exim4/local_sender_blacklist contains a list of envelope senders
whose messages will be denied with the error message "locally
blacklisted".  This is a full exim 4 address list, and all available
features can be used. This includes negative items, and so it is
possible to exclude addresses from being blacklisted. For convenience,
as an additional way to exempt addresses from being blocked, an
explicit whitelist is read in from /etc/exim4/local_sender_whitelist.
Entries in the whitelist override corresponding blacklist entries.

In the blacklist, the trick is to read a line break as "or" if it
follows a positive item, and as "and" if it follows a negative item.

For example, a /etc/exim4/local_sender_blacklist

domain1.example
!local@domain2.example
domain2.example
domain3.example

Exim just evaluates left to right (or up-down in the file listing
context), so you don't get the same kind of operator binding as in a
programming language.
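
The left-to-right rule above, applied to the example blacklist, as an
added sketch (not Exim's or the Debian package's code). It models only
literal "domain" and "local@domain" items, matched caselessly; the function
names are hypothetical and the whitelist entry is a constructed sample.

```python
# Simplified model of Exim's first-match list evaluation (added example).
# Assumption: only literal "domain" and "local@domain" items are modelled;
# wildcards, regular expressions and lookups of real Exim lists are not.

def parse_list(text):
    """Return [(negated, pattern), ...] from one-item-per-line file text."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        items.append((negated, (line[1:].strip() if negated else line).lower()))
    return items

def item_matches(pattern, address):
    """Match a full address, or just its domain when the item has no '@'."""
    address = address.lower()
    if "@" in pattern:
        return address == pattern
    return address.rpartition("@")[2] == pattern

def in_list(items, address):
    """First matching item decides: positive -> in list, negative -> not."""
    for negated, pattern in items:
        if item_matches(pattern, address):
            return not negated
    # Nothing matched: Exim answers "in the list" only when the last
    # item was a negative one.
    return bool(items) and items[-1][0]

def is_denied(blacklist, whitelist, sender):
    """Whitelist entries override corresponding blacklist entries."""
    return in_list(blacklist, sender) and not in_list(whitelist, sender)

BLACKLIST = parse_list("""\
domain1.example
!local@domain2.example
domain2.example
domain3.example
""")
WHITELIST = parse_list("boss@domain3.example\n")  # constructed sample entry

if __name__ == "__main__":
    for sender in ("a@domain1.example", "local@domain2.example",
                   "other@domain2.example", "boss@domain3.example",
                   "x@elsewhere.example"):
        verdict = "denied" if is_denied(BLACKLIST, WHITELIST, sender) else "accepted"
        print(sender, verdict)
```

Moving the negative item below domain2.example would make it dead: the
positive item would match local@domain2.example first and deny it.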

/etc/exim4/local_host_blacklist contains a list of IP addresses,
networks and host names whose messages will be denied with the error
message "locally blacklisted". This is a full exim 4 host list. Again,
negative items can be used here. There is also an explicit whitelist
read in from /etc/exim4/local_host_whitelist, and whitelist entries
override blacklist entries.

The access list file also contains quite a few configuration options
that are too restrictive for a real-life site. These are masked by
.ifdef statements, can be activated by setting the appropriate macros,
and are documented in the ACL file itself.
