# is much like a local domain, execpt that the delivery location
# and allowed set of users is controlled by a virtual domain
# alias file and not /etc/passwd. Wildcards are permitted
-# relayhosts - Hostnames that can send any arbitarily addressed mail to
-# us. This is primarily only useful for emergency 'queue
-# flushing' operations, but should be populated with a list
-# of trusted machines. Wildcards are not permitted
# bsmtp_domains - Domains that we deliver locally via bsmtp
# submission-domains - Domains for which mail will be accepted via the
# submission port
smtp_enforce_sync = true
log_selector = \
+ +subject \
+tls_cipher \
+tls_peerdn \
+queue_time \
{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
{${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \
${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}
-HAS_DEFAULT_OPTIONS = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}
+# Users from LDAP can decide whether to subscribe to default filtering.
+# If a user has not explicitly disabled the option, the assumption is in
+# favour of filtering.
+HAS_DEFAULT_OPTIONS = ${if and {\
+ {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\
+ {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\
+ {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\
+ }}
<%- if @is_rtmaster -%>
# This subject rewrite is embedded in double-quoted strings. As such, some of
# the items need more escaping than usual, otherwise \N becomes simply "N" and
message = Different profile, please retry
log_message = Only one profile at a time, please
+ warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+
+ warn condition = ${if eq{$acl_m_defopt}{}}
+ set acl_m_defopt = $acl_m_rdefopt
+
+ defer condition = ${if !eq{$acl_m_defopt}{$acl_m_rdefopt}}
+ message = Different profile, please retry
+ log_message = Only one default options profile at a time, please
+
+ # Set a flag to indicate whether the current recipient
+ # has explicitly requested greylisting
+ warn set acl_m_grey_recip = 0
+
+ warn local_parts = GREYLIST_LOCAL_PARTS
+ domains = +handled_domains
+ set acl_m_grey_recip = 1
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing address harvesting or other mail blasts.
condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}}
message = no mail should ever come from <$sender_address>
+ deny domains = +virtual_domains
+ senders = :
+ condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}}
+ condition = ${lookup{$local_part}lsearch{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{true}}
+ message = <$local_part@$domain> does not send mail; rejecting bogus NDR
+
warn condition = ${if eq{$acl_m_prf}{localonly}}
set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
<%- if @is_packagesmaster -%>
warn condition = ${if eq {$acl_m_prf}{PackagesMail}}
condition = ${if eq {$sender_address}{$local_part@$domain}}
- message = X-Packages-FromTo-Same: yes
+ add_header = X-Packages-FromTo-Same: yes
<%- end -%>
deny condition = ${if !eq {$acl_m_prf}{PopconMail}}
defer
message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
log_message = greylisted.
- local_parts = ${if match_domain{$domain}{+virtual_domains}\
- {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\
- {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
- {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \
- ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}}
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{$acl_m_defopt}} \
+ } \
+ }
!senders = :
!hosts = : +debianhosts : WHITELIST : \
${if exists {/etc/greylistd/whitelist-hosts}\
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
condition = ${if ! def:acl_m_grey}
set acl_m_grey = $pid.$tod_epoch.$sender_host_port
defer
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
- local_parts = GREYLIST_LOCAL_PARTS
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{$acl_m_defopt}} \
+ } \
+ }
set acl_m_pgr = request=smtpd_access_policy\n\
protocol_state=RCPT\n\
protocol_name=${uc:$received_protocol}\n\
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
- local_parts = GREYLIST_LOCAL_PARTS
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{$acl_m_defopt}} \
+ } \
+ }
condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}}
message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}}
domains = +virtual_domains : +bsmtp_domains
<%- unless @use_smarthost -%>
- deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
{${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}}}} : \
${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}
- domains = +handled_domains
- !hosts = +debianhosts : WHITELIST
- deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
- dnslists = noserver.dnsbl.sorbs.net
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ dnslists = noserver.dnsbl.sorbs.net
+
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+ dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org
<%- end -%>
- deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
{${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
{${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}}}} : \
${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}
- domains = +handled_domains
- !hosts = +debianhosts : WHITELIST
- deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
- dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
+
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+ dnslists = dbl.spamhaus.org/$sender_address_domain
<%- unless @use_smarthost -%>
deny domains = +handled_domains
condition = ${if eq {$acl_m_prf}{markup}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if !eq{$acl_m_srb}{false}}
- message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+ add_header = X-Surbl-Hit: $primary_hostname: $acl_m_srb
# Dump MIME parts to disk. "default" creates sequentially-named files
# in <spool_directory>/scan/<message_id>/ which should then be
# header. Take their crack pipe away.
drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}}
+ # If the sending system says the mail is spam, believe them
+ deny condition = ${if eqi {$h_X-Spam-Status:}{YES}}
+ message = Incoming spam flags
+
<%- if @is_rtmaster -%>
deny condition = ${if eq {$acl_m_prf}{RTMail}}
condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
# postfix's strict_7bit_headers option, but only checks a few common problem
# headers, as there doesn't appear to be an easy way to check them all.
deny
- condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
+ condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
{match {$rh_To:}{[\200-\377]}}\
{match {$rh_From:}{[\200-\377]}}\
{match {$rh_Cc:}{[\200-\377]}}}}
condition = ${if !eq {$acl_m_prf}{PopconMail}}
message = Your mailer is not RFC 2047 compliant: message rejected
+ discard condition = ${if eq {$acl_m_prf}{blackhole}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ log_message = Discarded suspicious content for $recipients
+
+ deny condition = ${if !eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ message = Rejected due to suspicious content
+
+ warn condition = ${if eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten, <br />unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ add_header = X-debian-content-warning: yes
+
<%- if has_variable?("clamd") && @clamd -%>
discard condition = ${if eq {$acl_m_prf}{blackhole}}
malware = */defer_ok
modemask = 002
directory_transport = address_directory
domains = +virtual_domains
+<%- if @is_trackermaster -%>
+ local_part_suffix = +*
+<%- else -%>
local_part_suffix = -*
+<%- end -%>
local_part_suffix_optional
file = $home/.forward-\
${if exists {${home}/.forward-${local_part}}{${local_part}}\
group = ${extract{group}{VDOMAINDATA}}
headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
modemask = 002
+<%- if @is_trackermaster -%>
+ local_part_suffix = +*
+<%- else -%>
local_part_suffix = -*
+<%- end -%>
local_part_suffix_optional
pipe_transport = address_pipe
reply_transport = address_reply