smtp_accept_max = 300
smtp_accept_queue = 200
smtp_accept_queue_per_connection = 50
+smtp_accept_reserve = 25
<% else %>
smtp_accept_max = 30
smtp_accept_queue = 20
smtp_accept_queue_per_connection = 10
+smtp_accept_reserve = 5
<% end %>
-smtp_accept_reserve = 25
smtp_reserve_hosts = +debianhosts
split_spool_directory = true
out
%>
+ warn acl = acl_getprofile
+ condition = ${if eq{$acl_m_prf}{}}
+ set acl_m_prf = $acl_m_rprf
+
+ defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
+ log_message = Only one profile at a time, please
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = Too many bad recipients, try again later
!hosts = +debianhosts
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
# Dump spambots that are so stupid they say helo as our IP address
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
# Also for spambots that say helo as us or one of our domains
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
# say helo as a name in the list but we can't look them up
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if eq{$acl_m_frg}{}{no}{yes}}
condition = ${if eq{$sender_host_name}{}{yes}{no}}
condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
# If DNS works, go ahead and reject them
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
message = no mail should ever come from <$sender_address>
- warn acl = acl_getprofile
- condition = ${if eq{$acl_m_prf}{}}
- set acl_m_prf = $acl_m_rprf
-
- defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
- log_message = Only one profile at a time, please
-
warn condition = ${if eq{$acl_m_prf}{localonly}}
set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
!verify = sender
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if >{${eval:$acl_c_scr+0}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
# closure, but I\'m fairly sure it\'s now worth it, since the backport of
# policyd-weight is trivial.
warn !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\
{request=smtpd_access_policy\n\
protocol_state=RCPT\n\
# Defer on socket error
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}}
message = Cannot connect to policyd-weight. Please try again later.
# Set proposed action to $acl_m_act and message to $acl_m_mes
warn !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
set acl_m_mes = ${extract{action}{$acl_m_pw}}
set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}}
# Add X-policyd-weight header line to message
warn !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = $acl_m_mes
condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}}
# Write log message, if policyd-weight can\'t run checks
warn !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
log_message = policyd-weight message: $acl_m_mes
condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}}
# Deny mails which policyd-weight thinks are spam
deny !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = policyd-weight said: $acl_m_mes
condition = ${if eq{$acl_m_act}{550}{yes}{no}}
# Defer messages when policyd-weight suggests so.
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = policyd-weight said: $acl_m_mes
condition = ${if eq{$acl_m_act}{450}{yes}{no}}
'
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
!authenticated = *
domains = +handled_domains : +rcpthosts
condition = ${readsocket{/var/run/greylistd/socket}\
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if def:acl_m_grey {no}{yes}}
set acl_m_grey = $pid.$tod_epoch.$sender_host_port
defer
!senders = :
!hosts = : +debianhosts : WHITELIST
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
!authenticated = *
domains = +handled_domains : +rcpthosts
local_parts = GREYLIST_LOCAL_PARTS
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
!authenticated = *
domains = +handled_domains : +rcpthosts
local_parts = GREYLIST_LOCAL_PARTS
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
log_message = discarded surbl message for $recipients
- warn condition = ${if <{$message_size}{256000}}
- condition = ${if eq {$acl_m_prf}{markup}}
- set acl_m_srb = ${perl{surblspamcheck}}
- condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
- message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
-
- accept condition = ${if eq {$acl_m_prf}{markup}}
-
deny condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{markup}{no}{yes}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
log_message = $acl_m_srb
message = $acl_m_srb
+ warn condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{markup}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
accept
'
end
%>
acl_check_predata:
- deny condition = ${if eq{$acl_m_lcl}{localonly}}
+ deny condition = ${if eq{$acl_m_prf}{localonly}}
message = mail for $acl_m_lrc is only accepted internally
accept
#!!# ACL that is used after the DATA command
check_message:
- require verify = header_syntax
- message = Invalid syntax in the header
-
<%=
out=''
if nodeinfo['rtmaster']
}
message = Mail to this address needs to be PGP-signed
+ accept verify = certificate
+
+ deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ !verify = header_syntax
+ message = Invalid syntax in the header
+
# RFC 822 and 2822 say that headers must be ASCII. This kinda emulates
# postfix's strict_7bit_headers option, but only checks a few common problem
# headers, as there doesn't appear to be an easy way to check them all.
{match {$rh_To:}{[\200-\377]}}\
{match {$rh_From:}{[\200-\377]}}\
{match {$rh_Cc:}{[\200-\377]}}}{true}{false}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = improper use of 8-bit data in message header: message rejected
deny
condition = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = Your mailer is not RFC 2047 compliant: message rejected
<%=
log_message = discarded malware message for $recipients
deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
demime = *
malware = */defer_ok
message = malware detected: $malware_name: message rejected
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
log_message = discarded surbl message for $recipients
+ deny condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{markup}{no}{yes}}
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ log_message = $acl_m_srb
+ message = $acl_m_srb
+
warn condition = ${if <{$message_size}{256000}}
condition = ${if eq {$acl_m_prf}{markup}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
- accept condition = ${if eq {$acl_m_prf}{markup}}
-
- deny condition = ${if <{$message_size}{256000}}
- set acl_m_srb = ${perl{surblspamcheck}}
- condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
- log_message = $acl_m_srb
- message = $acl_m_srb
'
end
out
driver = manualroute
domains = !+handled_domains
transport = remote_smtp_smarthost
- route_list = * ' + nodeinfo['smarthost'] + '
+ route_list = * ' + nodeinfo['smarthost']
+ if nodeinfo['smarthost'] == 'mailout.debian.org'
+ out += '/MX'
+ end
+ out += '
host_find_failed = defer
same_domain_copy_routing = yes
no_more
projects / mirror / dsa-puppet.git / blobdiff