# Other domain and host lists may follow.
# @ is the local FQDN, @[] matches the IP adress of any local interface.
-.include_if_exists /etc/exim4/local-settings.conf
-
domainlist local_domains = @ : \
@[] : \
localhost : \
out
%>
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
# These are in HELO acl so that they are only run once. They increment a counter,
- # so we don't want it to increment per rcpt to.
+ # so we don\'t want it to increment per rcpt to.
warn dnslists = list.dnswl.org&0.0.0.3
log_message = Hit on list.dnswl.org for $sender_host_address
dnslists = dul.dnsbl.sorbs.net
set acl_c_scr = ${eval:$acl_c_scr+15}
- # If the sender's helo name is empty, the message will be rejected later
+ # If the sender\'s helo name is empty, the message will be rejected later
# because the helo is empty. If the rDNS lookup failed, we are already
# going to greylist them, so no sense worrying about it here. Finally,
# if rDNS does not match helo name (both lower cased first), greylist.
condition = ${if eq {$host_lookup_failed}{1}{no}{yes}}
condition = ${if def:sender_helo_name {yes}{no}}
condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}}
- log_message = HELO doesn't match rDNS
+ log_message = HELO doesn\'t match rDNS
set acl_c_scr = ${eval:$acl_c_scr+8}
# Regexes of doom
set acl_c_scr = ${eval:$acl_c_scr+7}
# Random HELO (run of 7 consonants) (constructed by viruses). We purposefully
- # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly
- # naive test, so it's not worth much
+ # skip matching on machines named .*smtp.*, since that\'s 4 already. This is a fairly
+ # naive test, so it\'s not worth much
warn condition = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}}
condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}}
condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}
log_message = random HELO
set acl_c_scr = ${eval:$acl_c_scr+5}
+'
+end
+out
+%>
# Implicit, but simpler to just say it
accept
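Review bot: Wrapping the HELO-scoring rules in a Ruby single-quoted literal (`out = '` … `'`) forces every apostrophe in the Exim text to be escaped, as the `don\'t`, `sender\'s`, `doesn\'t`, `that\'s` and `it\'s` edits show. A later unescaped apostrophe or a `\\` inside this block would change or break the rendered ACL without any review signal. ERB control tags keep the config text literal: `<% if nodeinfo['smarthost'].empty? -%>` before the block and `<% end -%>` after it. The same wrapper is added around the DNSBL `deny` and the `!verify = sender/callout` statement further down. It would also help to say in a comment that nodes with a smarthost are assumed not to take inbound mail from the internet, since these checks are dropped for them, and to confirm that `nodeinfo['smarthost']` can never be nil when `.empty?` is called.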
out
%>
+ warn acl = acl_getprofile
+ condition = ${if eq{$acl_m_prf}{}}
+ set acl_m_prf = $acl_m_rprf
+
+ defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
+ log_message = Only one profile at a time, please
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
message = Too many bad recipients, try again later
!hosts = +debianhosts
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
# Dump spambots that are so stupid they say helo as our IP address
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
# Also for spambots that say helo as us or one of our domains
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
# say helo as a name in the list but we can't look them up
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if eq{$acl_m_frg}{}{no}{yes}}
condition = ${if eq{$sender_host_name}{}{yes}{no}}
condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
# If DNS works, go ahead and reject them
drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
message = HELO mismatch Forged HELO for ($sender_helo_name)
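Review bot: The new `condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}` line switches off protective checks for a profile that appears to be chosen by `acl_getprofile` from the recipient, not from anything that authenticates the sender. That ACL is outside this diff, so the derivation is inferred. If so, the bad-recipient defer, the forged-HELO `drop`/`defer` statements and, further down, the score-based `ratelimit` defer and the `header_syntax` deny are all skipped for any client that addresses a PopconMail recipient. Moving the `acl_getprofile` block ahead of these statements is what makes the test meaningful, and the "Only one profile at a time" defer keeps the exemption from extending to other recipients in the same message. Please record the intent and the compensating limit next to the first exemption, e.g. `# PopconMail: exempt from HELO/rate checks because <reason>; volume bounded by <control>`, and consider a dedicated ratelimit for that profile if none exists elsewhere.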
condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
message = no mail should ever come from <$sender_address>
- warn acl = acl_getprofile
- condition = ${if eq{$acl_m_prf}{}}
- set acl_m_prf = $acl_m_rprf
-
- defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
- log_message = Only one profile at a time, please
-
warn condition = ${if eq{$acl_m_prf}{localonly}}
set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
!verify = sender
defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
condition = ${if >{${eval:$acl_c_scr+0}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
message = We have blacklisted <$sender_address>. Please stop mailing us
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}}
domains = +handled_domains : +rcpthosts
!hosts = +debianhosts : WHITELIST
+'
+end
+out
+%>
deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
domains = +handled_domains : +rcpthosts
!hosts = +debianhosts : WHITELIST
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
deny domains = +handled_domains : +rcpthosts
local_parts = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}}
!hosts = +debianhosts : WHITELIST
!verify = sender/callout
+'
+end
+out
+%>
<%=
out = ""
accept verify = certificate
- require verify = header_syntax
- condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ !verify = header_syntax
message = Invalid syntax in the header
# RFC 822 and 2822 say that headers must be ASCII. This kinda emulates
driver = manualroute
domains = !+handled_domains
transport = remote_smtp_smarthost
- route_list = * ' + nodeinfo['smarthost'] + '
+ route_list = * ' + nodeinfo['smarthost']
+ if nodeinfo['smarthost'] == 'mailout.debian.org'
+ out += '/MX'
+ end
+ out += '
host_find_failed = defer
same_domain_copy_routing = yes
no_more
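Review bot: The `/MX` suffix is decided by an exact, case-sensitive comparison with the literal `'mailout.debian.org'` inside the template, so a trailing dot, a different case or a renamed smarthost silently falls back to address lookup with no error. It would be more robust to drive this from node data, e.g. a constructed key such as `if nodeinfo['smarthost_mx']`, or at least to normalise with `nodeinfo['smarthost'].downcase.chomp('.')` before comparing. `nodeinfo['smarthost']` is also concatenated into `route_list` unvalidated; if that value can come from anywhere less trusted than the repository itself, check it against a hostname pattern before rendering. The router definition starts above the visible lines.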