# is much like a local domain, execpt that the delivery location
# and allowed set of users is controlled by a virtual domain
# alias file and not /etc/passwd. Wildcards are permitted
-# relayhosts - Hostnames that can send any arbitarily addressed mail to
-# us. This is primarily only useful for emergency 'queue
-# flushing' operations, but should be populated with a list
-# of trusted machines. Wildcards are not permitted
# bsmtp_domains - Domains that we deliver locally via bsmtp
# submission-domains - Domains for which mail will be accepted via the
# submission port
# If a user has not explicitly disabled the option, the assumption is in
# favour of filtering.
HAS_DEFAULT_OPTIONS = ${if and {\
- {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\
- {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\
- {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\
- }}
+ {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\
+ {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\
+ {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\
+ }}
<%- if @is_rtmaster -%>
# This subject rewrite is embedded in double-quoted strings. As such, some of
# the items need more escaping than usual, otherwise \N becomes simply "N" and
message = Different profile, please retry
log_message = Only one profile at a time, please
+ warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+
+ warn condition = ${if eq{$acl_m_defopt}{}}
+ set acl_m_defopt = $acl_m_rdefopt
+
+ defer condition = ${if !eq{$acl_m_defopt}{$acl_m_rdefopt}}
+ message = Different profile, please retry
+ log_message = Only one default options profile at a time, please
+
# Set a flag to indicate whether the current recipient
# has explicitly requested greylisting
warn set acl_m_grey_recip = 0
<%- if @is_packagesmaster -%>
warn condition = ${if eq {$acl_m_prf}{PackagesMail}}
condition = ${if eq {$sender_address}{$local_part@$domain}}
- message = X-Packages-FromTo-Same: yes
+ add_header = X-Packages-FromTo-Same: yes
<%- end -%>
deny condition = ${if !eq {$acl_m_prf}{PopconMail}}
log_message = greylisted.
condition = ${if or { \
{eq{$acl_m_grey_recip}{1}} \
- {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ {bool_lax{$acl_m_defopt}} \
} \
}
!senders = :
domains = +handled_domains
condition = ${if or { \
{eq{$acl_m_grey_recip}{1}} \
- {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ {bool_lax{$acl_m_defopt}} \
} \
}
set acl_m_pgr = request=smtpd_access_policy\n\
domains = +handled_domains
condition = ${if or { \
{eq{$acl_m_grey_recip}{1}} \
- {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ {bool_lax{$acl_m_defopt}} \
} \
}
condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}}
domains = +virtual_domains : +bsmtp_domains
<%- unless @use_smarthost -%>
- deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
dnslists = noserver.dnsbl.sorbs.net
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
- condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ condition = ${if bool_lax{$acl_m_defopt}}
dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
<%- end -%>
- deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
{${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
- condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ condition = ${if bool_lax{$acl_m_defopt}}
dnslists = dbl.spamhaus.org/$sender_address_domain
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
condition = ${if eq {$acl_m_prf}{markup}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if !eq{$acl_m_srb}{false}}
- message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+ add_header = X-Surbl-Hit: $primary_hostname: $acl_m_srb
# Dump MIME parts to disk. "default" creates sequentially-named files
# in <spool_directory>/scan/<message_id>/ which should then be
# postfix's strict_7bit_headers option, but only checks a few common problem
# headers, as there doesn't appear to be an easy way to check them all.
deny
- condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
+ condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
{match {$rh_To:}{[\200-\377]}}\
{match {$rh_From:}{[\200-\377]}}\
{match {$rh_Cc:}{[\200-\377]}}}}
condition = ${if !eq {$acl_m_prf}{PopconMail}}
message = Your mailer is not RFC 2047 compliant: message rejected
+ discard condition = ${if eq {$acl_m_prf}{blackhole}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ log_message = Discarded suspicious content for $recipients
+
+ deny condition = ${if !eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ message = Rejected due to suspicious content
+
+ warn condition = ${if eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ add_header = X-debian-content-warning: yes
+
<%- if has_variable?("clamd") && @clamd -%>
discard condition = ${if eq {$acl_m_prf}{blackhole}}
malware = */defer_ok