Revert "make englund a mailrelay"
[mirror/dsa-puppet.git] / modules / exim / templates / eximconf.erb
index 462daa8..4777ce8 100644 (file)
@@ -136,7 +136,7 @@ localpartlist postmasterish = postmaster : abuse : hostmaster : root
 
 # Domains we relay for; that is domains that aren't considered local but we 
 # accept mail for them.
-hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+hostlist debianhosts = 127.0.0.1 : /var/lib/misc/thishost/debianhosts
 <%=
 out = ""
 if nodeinfo['mailrelay']
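Review bot: The comment above the changed `hostlist debianhosts` line still says "Domains we relay for", but this is a host list, and the other hunks use it as a trust decision (`hosts = +debianhosts` on accepts, `!hosts = +debianhosts` to skip the HELO and bad-recipient checks). With the lookup type dropped, each line of `/var/lib/misc/thishost/debianhosts` is read as an ordinary host-list item, so the expected file format deserves a line of documentation. I would replace the comment with something like `# Hosts trusted as Debian machines, one host-list item per line; members skip the HELO and bad-recipient checks below`. How the file is generated and who can write it is not visible here.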
@@ -165,7 +165,7 @@ out
 # expensive, you can specify the networks for which a lookup is done, or
 # remove the setting entirely.
 host_lookup = *
-dns_ipv4_lookup = !localhost
+# dns_ipv4_lookup = !localhost (disabled upon sgrans request, zobel, 2010-03-16)
 
 # If this option is set, then any process that is running as one of the
 # listed users may pass a message to Exim and specify the sender's
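Review bot: The comment that replaces `dns_ipv4_lookup = !localhost` records who asked and when but not why, so a later reader cannot tell whether re-enabling it is safe. Either delete the line or state the reason, for example `# dns_ipv4_lookup disabled 2010-03-16 (zobel, at sgran's request): <reason>`.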
@@ -293,6 +293,14 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map
 ######################################################################
 begin acl
 
+acl_spamlovers:
+  # There are a few profiles that don't want much smtp time checking of
+  # mail.  It's easier to track them in one place
+
+  accept  condition      = ${if eq {$acl_m_prf}{PopconMail}}
+  accept  condition      = ${if eq {$acl_m_prf}{BugsMail}}
+  deny
+
 acl_getprofile:
   # This is a bad hack to reset the variable, by defining it be something
   # never referenced.
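Review bot: `acl_spamlovers` tests `$acl_m_prf` for `BugsMail`, while the `bugsmx` block added in the next hunk sets `acl_m_rprf`, so the new exemption only takes effect if something outside this diff copies one variable into the other. Please confirm that and add a comment naming where `$acl_m_prf` is assigned, e.g. `# $acl_m_prf is derived from $acl_m_rprf in <acl name>`. Every `!acl = acl_spamlovers` in the later hunks (the bad-recipient defer and the forged-HELO defer/drop statements) is skipped for these profiles, so the comment should also list which checks are waived. `acl_getprofile` continues outside the hunk.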
@@ -325,6 +333,18 @@ out
 %>
 <%=
 out = ''
+if nodeinfo['bugsmx']
+  out = '
+  warn    domains        = bugs.debian.org
+          set acl_m_rprf = BugsMail
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+'
+end
+out
+%>
+<%=
+out = ''
 if nodeinfo['packagesmaster']
   out = '
   warn    domains        = packages.debian.org
@@ -529,7 +549,6 @@ out
   accept  domains  = +local_domains
           hosts    = +debianhosts
           endpass
-         message  = unknown user
          verify   = recipient
 
 <%=
@@ -538,7 +557,6 @@ if nodeinfo['mailrelay']
   out = '
   accept  domains  = +mailhubdomains
           endpass
-         message  = unknown user
          verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
 '
 end
@@ -547,7 +565,6 @@ out
 
   accept  domains  = +submission_domains
           endpass
-         message  = unknown user
          verify   = recipient
 
   deny    message = relay not permitted
@@ -574,25 +591,25 @@ out
   # This is a rough pass at preventing addres harvesting or other mail blasts.
 
   defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
-         condition     = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+         !acl          = acl_spamlovers
          message       = Too many bad recipients, try again later
          !hosts        = +debianhosts
          condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
 
   # Dump spambots that are so stupid they say helo as our IP address
 
-  drop !hosts          = +debianhosts
-        condition      = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
-       condition       = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
-       message         = HELO mismatch Forged HELO for ($sender_helo_name)
+  drop   !hosts        = +debianhosts
+         !acl          = acl_spamlovers
+         condition     = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
+         message       = HELO mismatch Forged HELO for ($sender_helo_name)
 
   # Also for spambots that say helo as us or one of our domains
 
-  drop !hosts          = +debianhosts
-        condition      = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
-       condition       = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
-       condition       = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
-       message         = HELO mismatch Forged HELO for ($sender_helo_name)
+  drop   !hosts        = +debianhosts
+         !acl          = acl_spamlovers
+         condition     = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
+         condition     = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
+         message       = HELO mismatch Forged HELO for ($sender_helo_name)
 
   # This logic gives you a list of commonly forged domains in helo to reject against
 
@@ -603,31 +620,31 @@ out
   # This is a failsafe in case DNS fails - we defer instead of hard reject if they 
   # say helo as a name in the list but we can't look them up
 
-  defer !hosts         = +debianhosts
-        condition      = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
-        condition      = ${if eq{$acl_m_frg}{}{no}{yes}}
-        condition      = ${if eq{$sender_host_name}{}{yes}{no}}
-        condition      = ${if eq{$host_lookup_failed}{1}{no}{yes}}
-        message        = Access temporarily denied. Resolve failed PTR for $sender_host_address
+  defer  !hosts        = +debianhosts
+         !acl          = acl_spamlovers
+         condition     = ${if eq{$acl_m_frg}{}{no}{yes}}
+         condition     = ${if eq{$sender_host_name}{}{yes}{no}}
+         condition     = ${if eq{$host_lookup_failed}{1}{no}{yes}}
+         message       = Access temporarily denied. Resolve failed PTR for $sender_host_address
 
   # If DNS works, go ahead and reject them
 
-  drop  !hosts         = +debianhosts
-        condition      = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
-        condition      = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
-        message        = HELO mismatch Forged HELO for ($sender_helo_name)
+  drop   !hosts        = +debianhosts
+         !acl          = acl_spamlovers
+         condition     = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
+         message       = HELO mismatch Forged HELO for ($sender_helo_name)
 
   # disabled accounts don't even get local mail.
-  deny    local_parts   = lsearch;/var/lib/misc/$primary_hostname/mail-disable
-          domains       = +local_domains
-         message       = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}}
-
-  deny    domains       = +virtual_domains
-          local_parts   = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
-                                      {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
-                                      {}}
-          hosts         = !+debianhosts
-          message       = mail for <$local_part@$domain> only accepted from debian.org machines
+  deny   local_parts   = lsearch;/var/lib/misc/$primary_hostname/mail-disable
+         domains       = +local_domains
+        message       = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}}
+
+  deny   domains       = +virtual_domains
+         local_parts   = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
+                                     {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
+                                     {}}
+         hosts         = !+debianhosts
+         message       = mail for <$local_part@$domain> only accepted from debian.org machines
   # Accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
   accept  hosts = :
@@ -904,7 +921,6 @@ if nodeinfo['mailrelay']
   out = '
   accept  domains  = +mailhubdomains
           endpass
-         message  = unknown user
          verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
 '
 end
@@ -912,7 +928,6 @@ out
 %>
   accept  domains  = +handled_domains
           endpass
-         message  = unknown user
          verify   = recipient/defer_ok
 
   accept  hosts         = +debianhosts
@@ -1305,6 +1320,8 @@ procmail:
   check_local_user
   domains = +local_domains
   headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  local_part_suffix = -*
+  local_part_suffix_optional
   no_verify
   no_expn
   require_files = $local_part:$home/.procmailrc
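Review bot: The `procmail` router now accepts any `-suffix`, but it is marked `no_verify`, so RCPT-time verification of `user-suffix` is decided by some other router that is not in this hunk. If no verifying router also allows the suffix, these addresses would be refused at SMTP time even though this router could deliver them; please confirm. The suffix is sender-chosen text that reaches the `Delivered-To` header through `${local_part_suffix}`, so a comment such as `# accept user-anything; the suffix is untrusted sender input` would help whoever writes recipes against it. The router definition starts and ends outside the hunk.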
@@ -1388,7 +1405,7 @@ bugs:
   no_more
   local_parts = ${if match\
                   {$local_part}\
-                  {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\
+                  {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|help|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\
                {${if exists{/org/bugs.debian.org/spool/db-h/$2/$1$2.summary}\
               {$local_part}fail}}fail}
 '
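Review bot: The added `help` alternative sits in the group that is followed by `.*`, so any local part of the form `<digits>-help<anything>` passes the match, not just `-help`. If only the bare keyword is intended, move it into the first group next to `submit|maintonly|...`; if the loose tail is deliberate, as for the other list-command keywords, a short comment saying so would help. The two captures used in the `exists{...}` path are `\d` only, so the tail never reaches the file name. The `local_parts` expression begins outside the hunk.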
@@ -1444,25 +1461,6 @@ end
 out
 %>
 
-virt_alias_verify:
-  debug_print = "R: virt_aliases for $local_part@$domain"
-  driver = redirect
-  data = ${if exists{\
-           ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\
-          {${lookup{$local_part}lsearch*{\
-              ${extract{directory}{VDOMAINDATA}{$value/aliases}}\
-          }}}}
-  directory_transport = address_directory
-  cannot_route_message = Unknown user
-  domains = +virtual_domains
-  file_transport = address_file
-  pipe_transport = address_pipe
-  qualify_preserve_domain
-  retry_use_local_part
-  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
-  transport_home_directory = ${extract{directory}{VDOMAINDATA}}
-  verify_only
-
 virt_direct_verify:
   debug_print = "R: virt_direct for $local_part@$domain"
   driver = redirect
@@ -1505,7 +1503,6 @@ virt_aliases:
   retry_use_local_part
   transport_current_directory = ${extract{directory}{VDOMAINDATA}}
   transport_home_directory = ${extract{directory}{VDOMAINDATA}}
-  no_verify
   user = ${extract{user}{VDOMAINDATA}}
   
 # This is a qmailesque deliver into a directory of .forward files
@@ -1724,6 +1721,7 @@ out
 begin retry
 
 debian.org            *           F,2h,10m; G,16h,2h,1.5; F,14d,8h
+*                      * senders=: F,2h,10m
 *                      rcpt_4xx    F,2h,5m;  F,4h,10m; F,4d,15m
 *                      *           F,2h,15m; G,16h,2h,1.5; F,4d,8h
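Review bot: The added retry rule has no comment, and its position matters because Exim uses the first rule that matches. `senders=:` restricts it to messages with an empty envelope sender (bounces), which are then given up on after 2h rather than 4d. Bounces for `debian.org` still hit the rule above it, and a bounce that gets a 4xx at RCPT time now matches this rule instead of the `rcpt_4xx` one below. I would add `# Bounces (empty sender): retry every 10m, give up after 2h` above the line and confirm that taking precedence over `rcpt_4xx` is intended.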