+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
# This is the main exim4 configuration file based on the 28.08.05 version by
# ametzler
# It is hand crafted, do not replace with anything generated by a config
# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+# mailhubdomains - Domains for which we are the MX, but the mail is relayed
+# elsewhere. This is designed for use with small volume or
+# restricted machines that need to use a smarthost for mail
+# traffic. We will relay for them based on ssl cert validation
+# but we need to teach exim how to route the mail to them. This is
+# that list.
# The division of files is designed so that all hosts may share rcpthosts
# and relayhosts, these could be replicated automatically if necessary.
# accept mail for them.
domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
.ifndef RESERVEDADDRS
RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+
#system_filter = /etc/exim4/filter
#system_filter_file_transport = address_file
av_scanner = CLAMAV
.endif
-.ifdef HAVE_USER_DEBBUGS
+.ifdef HAVE_USER_DEBBUGS MAIL_RELAY STUPID_FIREWALL
daemon_smtp_ports = 25 : 587
.endif
+.ifdef EVEN_MORE_STUPID_FIREWALL
+daemon_smtp_ports = 25 : 2025
+.endif
admin_groups = adm
remote_sort_domains = *.debian.org:*.debian.net
pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
smtp_enforce_sync = true
log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
#!!# ACL that is used after the RCPT command on the submission port
check_submission:
+ # Accept if the source is local SMTP (i.e. not over TCP/IP).
+ # We do this by testing for an empty sending host field.
+ accept hosts = : 127.0.0.1
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
message = Too many bad recipients, try again later
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
defer
ratelimit = 5 / 60m / per_rcpt / $sender_host_address
+ !hosts = +debianhosts
message = sorry, only 5 reports per hour for submission
+ accept domains = +local_domains
+ hosts = +debianhosts
+ endpass
+ message = unknown user
+ verify = recipient
+
+ accept domains = +mailhubdomains
+ endpass
+ message = unknown user
+ verify = recipient/callout=30s,defer_ok,use_sender,no_cache
+
accept domains = +submission_domains
endpass
message = unknown user
#!!# ACL that is used after the RCPT command
check_recipient:
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
defer !hosts = +debianhosts
condition = ${if >{${eval:$acl_c1}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
- message = slow down (no reverse dns, or dialup)
+ message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
.ifdef HAVE_POLICYD
# Check with policyd-weight - this only works with a version after etch's,
warn domains = rt.debian.org
set acl_m1 = RTMail
- set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if match{$local_part}{[^+]+\\+\\d+} {RTMailRecipientHasSubaddress}}}}
+ set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}}
warn domains = packages.qa.debian.org
set acl_m1 = PTSMail
!hosts = +debianhosts : WHITELIST
!verify = sender/callout
+ accept domains = +mailhubdomains
+ endpass
+ message = unknown user
+ verify = recipient/callout=30s,defer_ok,use_sender,no_cache
+
accept domains = +handled_domains
endpass
message = unknown user
message = Blackisted URI found in body
deny condition = ${if eq {$acl_m1}{DBSignedMail}}
- condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
- {!match {$message_body}{PGP SIGNED MESSAGE}} \
- {!match {$message_body}{PGP SIGNATURE}} \
- } \
+ condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
+ {!match {$message_body}{PGP SIGNED MESSAGE}} \
+ {!match {$message_body}{PGP SIGNATURE}} \
+ {!match {$header_content-type:}{multipart/signed}} \
+ {!match {$header_content-type:}{pgp}} \
+ } \
}
message = Mail to this address needs to be PGP-signed
# An address is passed to each in turn until it is accepted. #
######################################################################
+relay_manualroute:
+ driver = manualroute
+ domains = +mailhubdomains
+ transport = remote_smtp
+ route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
+ require_files = /etc/exim4/manualroute
+
bsmtp:
debug_print = "R: bsmtp for $local_part@$domain"
driver = manualroute
transport = remote_smtp
ignore_target_hosts = +reservedaddrs
+.ifdef SMARTHOST
+smarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = !+handled_domains
+ transport = remote_smtp_smarthost
+ route_list = * SMARTHOST
+ host_find_failed = defer
+ same_domain_copy_routing = yes
+ no_more
+.endif
# This router routes to remote hosts over SMTP using a DNS lookup.
# Ignore reserved network responses, including localhost.
dnslookup:
.endif
# This router delivers for rt.d.o
-rt:
+rt_force_new_verbose:
+ debug_print = "R: rt for $local_part+new@$domain"
+ driver = redirect
+ domains = rt.debian.org
+ require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
+ local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
+ local_part_suffix = +new
+ pipe_transport = rt_pipe
+ data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
+ headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+
+# FIXME: figure out how to generalize this approach so that all of the following would work
+# - rt+NNNN@rt.debian.org : attach correspondence to ticket (verbose)
+# - rt+NNNN-quiesce@rt.debian.org : attach correspondence to ticket (quiesce)
+# - rt+NNNN-<action>@rt.debian.org : attach correspondence to ticket (some action)
+# requires modification to custom condition in 'scrips'
+rt_force_new_quiesce:
+ debug_print = "R: rt for $local_part+new-quiesce@$domain"
+ driver = redirect
+ domains = rt.debian.org
+ require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
+ local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
+ local_part_suffix = +new-quiesce
+ pipe_transport = rt_pipe
+ data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
+ headers_add = "X-RT-Mode: quiesce"
+ headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+
+rt_otherwise:
debug_print = "R: rt for $local_part@$domain"
driver = redirect
domains = rt.debian.org
remote_smtp:
driver = smtp
connect_timeout = 1m
- hosts_avoid_tls = *
+.ifdef USE_TLS
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
+
+remote_smtp_smarthost:
+ debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
+ driver = smtp
+.ifdef SMARTHST_PORT
+ port = SMARTHST_PORT
+.endif
+.ifdef USE_TLS
+ tls_tempfail_tryclear = false
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
# Send the message to procmail
procmail_pipe:
projects / mirror / dsa-puppet.git / blobdiff