# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+<%=
+out = ""
+if nodeinfo['mailrelay']
+ out = '
# mailhubdomains - Domains for which we are the MX, but the mail is relayed
# elsewhere. This is designed for use with small volume or
# restricted machines that need to use a smarthost for mail
# traffic. We will relay for them based on ssl cert validation
# but we need to teach exim how to route the mail to them. This is
# that list.
-
+'
+end
+out
+%>
# Exim's wildcard mechanism is a bit odd in that to say "any address in
# debian.org including debian.org" you must use two patterns,
# *.debian.org
# MAIN CONFIGURATION SETTINGS #
######################################################################
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+ out = "
+perl_startup = do '/etc/exim4/exim_surbl.pl'
+"
+end
+out
+%>
+
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the RCPT and DATA
# commands, respectively.
acl_smtp_helo = check_helo
acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
acl_smtp_data = check_message
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+ out = "acl_smtp_mime = acl_check_mime"
+end
+out
+%>
+acl_smtp_predata = acl_check_predata
# accept domain literal syntax in e-mail addresses. To actually make use of
# this a router is also required
# accept mail for them.
domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+<%=
+out = ""
+if nodeinfo['mailrelay']
+ out = '
domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
+'
+end
+out
+%>
hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %>
<%= out = ""
-if has_variable?("exim_ssl_certs") && exim_ssl_certs == true
+if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
out = "tls_certificate = /etc/exim4/ssl/thishost.crt
tls_privatekey = /etc/exim4/ssl/thishost.key
tls_try_verify_hosts = *
out = "daemon_smtp_ports = "
ports << 25
-if results['bugsmaster']
+if nodeinfo['bugsmaster']
ports << 587
end
-if not results['mail_port'].empty?
- ports << results['mail_port']
+if not nodeinfo['mail_port'].to_s.empty?
+ ports << nodeinfo['mail_port']
end
-if results['mailrelay']
- ports << results['smarthost_port']
+if nodeinfo['mailrelay']
+ ports << nodeinfo['smarthost_port']
end
out += ports.uniq.sort.join(" : ")
pipelining_advertise_hosts = !*
<%= out = ""
-if has_variable?("exim_ssl_certs") && exim_ssl_certs == true
+if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
out = 'tls_advertise_hosts = *'
end
out
######################################################################
begin acl
+acl_localonly:
+ accept local_parts = +local_only_users
+ domains = +local_domains
+ hosts = !+debianhosts
+
+ deny
+
check_helo:
warn set acl_c1 = 0
<%=
out = ""
-if results['mailrelay']
+if nodeinfo['mailrelay']
out = " accept verify = certificate"
end
out
<%=
out = ""
-if results['mailrelay']
+if nodeinfo['mailrelay']
out = " accept verify = certificate"
end
out
message = unknown user
verify = recipient
+<%=
+out = ""
+if nodeinfo['mailrelay']
+ out = '
accept domains = +mailhubdomains
endpass
message = unknown user
verify = recipient/callout=30s,defer_ok,use_sender,no_cache
+'
+end
+out
+%>
accept domains = +submission_domains
endpass
#!!# ACL that is used after the RCPT command
check_recipient:
-<%=
+<%=
out = ""
-if results['mailrelay']
+if nodeinfo['mailrelay']
out = " accept verify = certificate"
end
out
# This logic gives you a list of commonly forged domains in helo to reject against
- warn set acl_m2 = ${lookup{$sender_helo_name} \
+ warn set acl_m_frg = ${lookup{$sender_helo_name} \
nwildlsearch{/etc/exim4/helo-check} \
{${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
# say helo as a name in the list but we can't look them up
defer !hosts = +debianhosts
- condition = ${if eq{$acl_m2}{}{no}{yes}}
+ condition = ${if eq{$acl_m_frg}{}{no}{yes}}
condition = ${if eq{$sender_host_name}{}{yes}{no}}
condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
message = Access temporarily denied. Resolve failed PTR for $sender_host_address
# If DNS works, go ahead and reject them
- drop !hosts = +debianhosts
- condition = ${if and { {!eq{$acl_m2}{}}{!match{$sender_host_name}{${rxquote:$acl_m2}\N$\N}}}{yes}{no}}
+ drop !hosts = +debianhosts
+ condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
# disabled accounts don't even get local mail.
condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
message = no mail should ever come from <$sender_address>
- deny local_parts = +local_only_users
- domains = +local_domains
- hosts = !+debianhosts
- message = mail for $local_part is only accepted internally
+ warn condition = ${if eq{$acl_m_lcl}{}}
+ acl = acl_localonly
+ set acl_m_lcl = localonly
+ set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
+
+ warn condition = ${if eq{$acl_m_lcl}{}}
+ !acl = acl_localonly
+ set acl_m_lcl = normal
+
+ defer condition = ${if eq{$acl_m_lcl}{localonly}}
+ !acl = acl_localonly
+ log_message = Only one profile at a time, please
+ defer condition = ${if eq{$acl_m_lcl}{normal}}
+ acl = acl_localonly
+ log_message = Only one profile at a time, please
+
+<%=
+out=''
+if 0 == 1:
+out='
deny message = address $sender_host_address is listed in $dnslist_domain; $dnslist_text
hosts = !+debianhosts
dnslists = rbl.debian.net : rbl.debian.net/$sender_address_domain
+'
+end
+out
+%>
deny !recipients = survey@popcon.debian.org
!verify = sender
condition = ${if >{${eval:$acl_c1}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
-
<%=
out = ""
if has_variable?("policydweight") && policydweight == "true"
# closure, but I\'m fairly sure it\'s now worth it, since the backport of
# policyd-weight is trivial.
warn !hosts = +debianhosts
- set acl_m9 = ${readsocket{inet:127.0.0.1:12525}\
+ set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\
{request=smtpd_access_policy\n\
protocol_state=RCPT\n\
protocol_name=${uc:$received_protocol}\n\
# Defer on socket error
defer !hosts = +debianhosts
- condition = ${if eq{$acl_m9}{socket failure}{yes}{no}}
+ condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}}
message = Cannot connect to policyd-weight. Please try again later.
- # Set proposed action to $acl_m8 and message to $acl_m7
+ # Set proposed action to $acl_m_act and message to $acl_m_mes
warn !hosts = +debianhosts
- set acl_m8 = ${extract{action}{$acl_m9}}
- set acl_m7 = ${sg{$acl_m9}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}}
+ set acl_m_mes = ${extract{action}{$acl_m_pw}}
+ set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}}
# Add X-policyd-weight header line to message
warn !hosts = +debianhosts
- message = $acl_m7
- condition = ${if eq{$acl_m8}{PREPEND}{yes}{no}}
+ message = $acl_m_mes
+ condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}}
# Write log message, if policyd-weight can\'t run checks
warn !hosts = +debianhosts
- log_message = policyd-weight message: $acl_m7
- condition = ${if eq{$acl_m8}{DUNNO}{yes}{no}}
+ log_message = policyd-weight message: $acl_m_mes
+ condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}}
# Deny mails which policyd-weight thinks are spam
deny !hosts = +debianhosts
- message = policyd-weight said: $acl_m7
- condition = ${if eq{$acl_m8}{550}{yes}{no}}
+ message = policyd-weight said: $acl_m_mes
+ condition = ${if eq{$acl_m_act}{550}{yes}{no}}
# Defer messages when policyd-weight suggests so.
defer !hosts = +debianhosts
- message = policyd-weight said: $acl_m7
- condition = ${if eq{$acl_m8}{450}{yes}{no}}
+ message = policyd-weight said: $acl_m_mes
+ condition = ${if eq{$acl_m_act}{450}{yes}{no}}
'
end
out
warn recipients = survey@popcon.debian.org
set acl_m1 = PopconMail
+<%=
+out=''
+if nodeinfo['rtmaster']
+ out='
warn domains = rt.debian.org
set acl_m1 = RTMail
- set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}}
-
+ set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}}
+'
+end
+out
+%>
+<%=
+out=''
+if nodeinfo['packagesqamaster']
+ out='
warn domains = packages.qa.debian.org
set acl_m1 = PTSMail
warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
set acl_m1 = PTSOwner
- warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
- set acl_m1 = DBSignedMail
-
warn senders = :
domains = packages.qa.debian.org
condition = ${if match{$local_part}{\N^bounces+\N}}
set acl_m1 = PTSListBounce
+'
+end
+out
+%>
+ warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
+ set acl_m1 = DBSignedMail
<%=
out = ""
elsif has_variable?("postgrey") && postgrey == "true"
out = '
# next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
- # this adds acl_m4 if there isn\'t one (so unique per message)
+ # this adds acl_m_grey if there isn\'t one (so unique per message)
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
- condition = ${if def:acl_m4 {no}{yes}}
- set acl_m4 = $pid.$tod_epoch.$sender_host_port
+ condition = ${if def:acl_m_grey {no}{yes}}
+ set acl_m_grey = $pid.$tod_epoch.$sender_host_port
# and defers the message if postgrey thinks it should be defered ...
defer
!authenticated = *
domains = +handled_domains : +rcpthosts
local_parts = GREYLIST_LOCAL_PARTS
- set acl_m3 = request=smtpd_access_policy\n\
+ set acl_m_pgr = request=smtpd_access_policy\n\
protocol_state=RCPT\n\
protocol_name=${uc:$received_protocol}\n\
- instance=${acl_m4}\n\
+ instance=${acl_m_grey}\n\
helo_name=${sender_helo_name}\n\
client_address=${substr_-3:${mask:$sender_host_address/24}}\n\
client_name=${sender_host_name}\n\
sender=${sender_address}\n\
recipient=$local_part@$domain\n\n
- set acl_m3 = ${sg{\
- ${readsocket{/var/run/postgrey/socket}{$acl_m3}\
+ set acl_m_pgr = ${sg{\
+ ${readsocket{/var/run/postgrey/socket}{$acl_m_pgr}\
{5s}{}{action=DUNNO}}\
}{action=}{}}
- message = ${sg{$acl_m3}{^\\w+\\s*}{}}
+ message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}}
log_message = greylisted.
- condition = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}}
+ condition = ${if eq{${uc:${substr{0}{5}{$acl_m_pgr}}}}{DEFER}}
# ... or adds a header with information about how long the delay was
warn
!authenticated = *
domains = +handled_domains : +rcpthosts
local_parts = GREYLIST_LOCAL_PARTS
- condition = ${if eq{${uc:${substr_0_7:$acl_m3}}}{PREPEND}}
- message = ${sg{$acl_m3}{^\\w+\\s*}{}}
+ condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}}
+ message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}}
'
+end
out
%>
!hosts = +debianhosts : WHITELIST
!verify = sender/callout
+<%=
+out = ""
+if nodeinfo['mailrelay']
+ out = '
accept domains = +mailhubdomains
endpass
message = unknown user
verify = recipient/callout=30s,defer_ok,use_sender,no_cache
-
+'
+end
+out
+%>
accept domains = +handled_domains
endpass
message = unknown user
deny message = relay not permitted
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+out='
+acl_check_mime:
+
+ deny condition = ${if <{$message_size}{256000}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ log_message = $acl_m_srb
+ message = $acl_m_srb
+
+ accept
+'
+end
+out
+%>
+
+acl_check_predata:
+ deny condition = ${if eq{$acl_m_lcl}{localonly}}
+ message = mail for $acl_m_lrc is only accepted internally
+
+ accept
+
+
#!!# ACL that is used after the DATA command
check_message:
require verify = header_syntax
message = Invalid syntax in the header
+<%=
+out=''
+if nodeinfo['rtmaster']
+ out='
deny condition = ${if eq {$acl_m1}{RTMail}}
condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
- {!match {${lc:$rh_Subject:]}} {\\[rt.debian.org }} \
+ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \
{!match {$acl_m12}{RTMailRecipientHasSubaddress}}}}
message = messages to the Request Tracker system require a subject tag or a subaddress
-
+'
+end
+out
+%>
+<%=
+out=''
+if nodeinfo['packagesqamaster']
+ out='
deny !hosts = +debianhosts : 217.196.43.134
condition = ${if eq {$acl_m1}{PTSMail}}
condition = ${if def:h_X-PTS-Approved:{false}{true}}
message = messages to the PTS require an X-PTS-Approved header
-
+'
+end
+out
+%>
deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}}
message = Blackisted URI found in body
end
out
%>
-
- deny spam = $value/defer_ok
- domains = +handled_domains : +rcpthosts
- message = message got a spam score of $spam_score
- local_parts = ${if exists {/etc/exim4/sa_users}\
- {${if match_domain{$domain}{+virtual_domains}\
- {${lookup{$local_part@$domain}nwildlsearch{/etc/exim4/sa_users}{$local_part}{}}}\
- {${lookup{$local_part}lsearch{/etc/exim4/sa_users}{$local_part}{}}}}}}
-
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+out='
+ deny condition = ${if <{$message_size}{256000}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ log_message = $acl_m_srb
+ message = $acl_m_srb
+'
+end
+out
+%>
# Check header_sender except for survey@popcon.d.o
deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}}
!verify = header_sender
<%=
out = ""
-if results['mailrelay']
+if nodeinfo['mailrelay']
out = '
relay_manualroute:
driver = manualroute
<%=
out = ""
-if not results['smarthost'].empty?
+if not nodeinfo['smarthost'].empty?
out = '
smarthost:
debug_print = "R: smarthost for $local_part@$domain"
driver = manualroute
domains = !+handled_domains
transport = remote_smtp_smarthost
- route_list = * ' + smarthost + '
+ route_list = * ' + nodeinfo['smarthost'] + '
host_find_failed = defer
same_domain_copy_routing = yes
no_more
# the virts, and delivering to them. blah.
<%=
out = ""
-if results['packagesmaster']
+if nodeinfo['packagesmaster']
out = '
# This router delivers for packages.d.o
packages:
<%=
out = ""
-if results['bugsmaster']
+if nodeinfo['bugsmaster']
out = '
# This router delivers for bugs.d.o
bugs:
<%=
out = ""
-if results['rtmaster']
+if nodeinfo['rtmaster']
out = '
# This router delivers for rt.d.o
rt_force_new_verbose:
# - rt+NNNN@rt.debian.org : attach correspondence to ticket (verbose)
# - rt+NNNN-quiesce@rt.debian.org : attach correspondence to ticket (quiesce)
# - rt+NNNN-<action>@rt.debian.org : attach correspondence to ticket (some action)
-# requires modification to custom condition in 'scrips'
+# requires modification to custom condition in \'scrips\'
rt_force_new_quiesce:
debug_print = "R: rt for $local_part+new-quiesce@$domain"
driver = redirect
remote_smtp:
driver = smtp
connect_timeout = 1m
+ delay_after_cutoff = false
<%=
out = ""
if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
out
%>
+<%=
+out = ""
+if not nodeinfo['smarthost'].empty?
+out = '
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
-<%=
-out = ""
-if not results['smarthost'].empty?
- out += " port = " + results['smarthost_port'] + "\n"
-end
-
-if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
- out += ' tls_tempfail_tryclear = false
+ delay_after_cutoff = false
+ port = '
+ out += nodeinfo['smarthost_port'].to_s + "\n"
+ if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
+ out += ' tls_tempfail_tryclear = false
+ hosts_require_tls = ' + nodeinfo['smarthost'] + '
tls_certificate = /etc/exim4/ssl/thishost.crt
tls_privatekey = /etc/exim4/ssl/thishost.key
'
+ end
end
out
%>
<%=
out = ""
-if results['bugsmaster']
+if nodeinfo['bugsmaster']
out = '
bugs_pipe:
driver = pipe
<%=
out = ""
-if results['rtmaster']
+if nodeinfo['rtmaster']
out = '
rt_pipe:
debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain"