# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+# bsmtp_domains - Domains that we deliver locally via bsmtp
<%=
out = ""
if nodeinfo['mailrelay']
# will trigger things like rcpt to rate limiting or possibly a reject if
# enough hits are triggered.
#
-# value is stored in acl_c1
+# value is stored in acl_c_scr
######################################################################
# MAIN CONFIGURATION SETTINGS #
domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}}
-domainlist handled_domains = +local_domains : +virtual_domains
+domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}}
+
+domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains
localpartlist local_only_users = lsearch;/etc/exim4/localusers
+localpartlist postmasterish = postmaster : abuse : hostmaster : root
+
# Domains we relay for; that is domains that aren't considered local but we
# accept mail for them.
domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
message_size_limit = 100M
message_logs = false
-smtp_accept_max = 300
smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
+<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %>
+smtp_accept_max = 300
smtp_accept_queue = 200
smtp_accept_queue_per_connection = 50
+<% else %>
+smtp_accept_max = 30
+smtp_accept_queue = 20
+smtp_accept_queue_per_connection = 10
+<% end %>
smtp_accept_reserve = 25
smtp_reserve_hosts = +debianhosts
delay_warning =
+<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %>
queue_run_max = 50
deliver_queue_load_max = 50
queue_only_load = 15
+<% else %>
+queue_run_max = 5
+deliver_queue_load_max = 10
+queue_only_load = 5
+<% end %>
queue_list_requires_admin = false
<%= out = ""
######################################################################
begin acl
-acl_localonly:
- accept local_parts = +local_only_users
- domains = +local_domains
- hosts = !+debianhosts
+acl_getprofile:
+ # This is a bad hack to reset the variable, by defining it be something
+ # never referenced.
- deny
+ warn set acl_m_rprf = $acl_m_undefined
+
+ warn recipients = survey@popcon.debian.org
+ set acl_m_rprf = PopconMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn local_parts = +local_only_users
+ domains = +local_domains
+ hosts = !+debianhosts
+ set acl_m_rprf = localonly
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+<%=
+out=''
+if nodeinfo['rtmaster']
+ out='
+ warn domains = rt.debian.org
+ set acl_m_rprf = RTMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+'
+end
+out
+%>
+<%=
+out = ''
+if nodeinfo['packagesmaster']
+ out = '
+ warn domains = packages.debian.org
+ set acl_m_rprf = PackagesMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+'
+end
+out
+%>
+<%=
+out = ''
+if nodeinfo['packagesqamaster']
+ out='
+ warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
+ set acl_m_rprf = PTSOwner
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn senders = :
+ domains = packages.qa.debian.org
+ condition = ${if match{$local_part}{\N^bounces+\N}}
+ set acl_m_rprf = PTSListBounce
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn domains = packages.qa.debian.org
+ set acl_m_rprf = PTSMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+'
+end
+out
+%>
+ warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
+ set acl_m_rprf = DBSignedMail
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn domains = +virtual_domains
+ condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+ condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}}
+ set acl_m_rprf = markup
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}}
+ set acl_m_rprf = markup
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}}
+ set acl_m_rprf = blackhole
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn domains = +virtual_domains
+ condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+ condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}}
+ set acl_m_rprf = blackhole
+
+ accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+ warn set acl_m_rprf = normal
+
+ accept
check_helo:
- warn set acl_c1 = 0
+ warn set acl_c_scr = 0
<%=
out = ""
warn dnslists = list.dnswl.org&0.0.0.3
log_message = Hit on list.dnswl.org for $sender_host_address
- set acl_c1 = ${eval:$acl_c1-30}
+ set acl_c_scr = ${eval:$acl_c_scr-30}
warn dnslists = list.dnswl.org&0.0.0.2
log_message = Hit on list.dnswl.org for $sender_host_address
- set acl_c1 = ${eval:$acl_c1-20}
+ set acl_c_scr = ${eval:$acl_c_scr-20}
warn dnslists = list.dnswl.org
log_message = Hit on list.dnswl.org for $sender_host_address
- set acl_c1 = ${eval:$acl_c1-10}
+ set acl_c_scr = ${eval:$acl_c_scr-10}
warn condition = ${if isip {$sender_helo_name}{true}{false}}
log_message = remote host used IP address in HELO/EHLO greeting
- set acl_c1 = ${eval:$acl_c1+20}
+ set acl_c_scr = ${eval:$acl_c_scr+20}
warn !hosts = +debianhosts
condition = ${if eq{$host_lookup_failed}{1}}
- set acl_c1 = ${eval:$acl_c1+20}
+ set acl_c_scr = ${eval:$acl_c_scr+20}
warn !hosts = +debianhosts
condition = ${if eq{$host_lookup_failed}{0}}
condition = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
- set acl_c1 = ${eval:$acl_c1+20}
+ set acl_c_scr = ${eval:$acl_c_scr+20}
warn !hosts = +debianhosts
condition = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
- set acl_c1 = ${eval:$acl_c1+20}
+ set acl_c_scr = ${eval:$acl_c_scr+20}
warn !hosts = +debianhosts
dnslists = dul.dnsbl.sorbs.net
- set acl_c1 = ${eval:$acl_c1+15}
+ set acl_c_scr = ${eval:$acl_c_scr+15}
# If the sender's helo name is empty, the message will be rejected later
# because the helo is empty. If the rDNS lookup failed, we are already
condition = ${if def:sender_helo_name {yes}{no}}
condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}}
log_message = HELO doesn't match rDNS
- set acl_c1 = ${eval:$acl_c1+8}
+ set acl_c_scr = ${eval:$acl_c_scr+8}
# Regexes of doom
# matches 098325879 - looks fishy
} \
}
log_message = non-FQDN HELO
- set acl_c1 = ${eval:$acl_c1+12}
+ set acl_c_scr = ${eval:$acl_c_scr+12}
# Matches DOMAIN99.com - looks bad
warn condition = ${if match {$sender_helo_name}{\N^[A-Z]+[A-Z0-9\-]+\.[A-Za-z0-9]+$\N}}
log_message = SHOUTING HELO
- set acl_c1 = ${eval:$acl_c1+7}
+ set acl_c_scr = ${eval:$acl_c_scr+7}
# Random HELO (run of 7 consonants) (constructed by viruses). We purposefully
# skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly
condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}}
condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}
log_message = random HELO
- set acl_c1 = ${eval:$acl_c1+5}
+ set acl_c_scr = ${eval:$acl_c_scr+5}
# Implicit, but simpler to just say it
accept
condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
message = no mail should ever come from <$sender_address>
- warn condition = ${if eq{$acl_m_lcl}{}}
- acl = acl_localonly
- set acl_m_lcl = localonly
- set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
-
- warn condition = ${if eq{$acl_m_lcl}{}}
- !acl = acl_localonly
- set acl_m_lcl = normal
+ warn acl = acl_getprofile
+ condition = ${if eq{$acl_m_prf}{}}
+ set acl_m_prf = $acl_m_rprf
- defer condition = ${if eq{$acl_m_lcl}{localonly}}
- !acl = acl_localonly
+ defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
log_message = Only one profile at a time, please
- defer condition = ${if eq{$acl_m_lcl}{normal}}
- acl = acl_localonly
- log_message = Only one profile at a time, please
+ warn condition = ${if eq{$acl_m_prf}{localonly}}
+ set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
<%=
out=''
end
out
%>
-
- deny !recipients = survey@popcon.debian.org
- !verify = sender
+<%=
+out=''
+if nodeinfo['packagesmaster']
+ out='
+ warn condition = ${if eq {$acl_m_prf}{PackagesMail}}
+ condition = ${if eq {$sender_address}{$local_part@$domain}}
+ message = X-Packages-FromTo-Same: yes
+'
+end
+out
+%>
+ deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ !verify = sender
defer !hosts = +debianhosts
- condition = ${if >{${eval:$acl_c1}}{0}}
+ condition = ${if >{${eval:$acl_c_scr+0}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
<%=
end
out
%>
- warn recipients = survey@popcon.debian.org
- set acl_m1 = PopconMail
-
<%=
out=''
if nodeinfo['rtmaster']
out='
- warn domains = rt.debian.org
- set acl_m1 = RTMail
- set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}}
-'
-end
-out
-%>
-<%=
-out=''
-if nodeinfo['packagesqamaster']
- out='
- warn domains = packages.qa.debian.org
- set acl_m1 = PTSMail
-
- warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
- set acl_m1 = PTSOwner
-
- warn senders = :
- domains = packages.qa.debian.org
- condition = ${if match{$local_part}{\N^bounces+\N}}
- set acl_m1 = PTSListBounce
+ warn condition = ${if eq{$acl_m_prf}{RTMail}}
+ set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}}
'
end
out
%>
- warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
- set acl_m1 = DBSignedMail
-
<%=
out = ""
if has_variable?("greylistd") && greylistd == "true"
out
%>
- accept local_parts = postmaster
+ accept local_parts = +postmasterish
domains = +handled_domains : +rcpthosts
+ deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}}
+ message = I'm terribly sorry, but it seems you have been blacklisted
+ log_message = blacklisted IP
+
deny log_message = <$sender_address> is blacklisted
senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
message = We have blacklisted <$sender_address>. Please stop mailing us
out='
acl_check_mime:
+ discard condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{blackhole}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ log_message = discarded surbl message for $recipients
+
+ warn condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{markup}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+ accept condition = ${if eq {$acl_m_prf}{markup}}
+
deny condition = ${if <{$message_size}{256000}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
out=''
if nodeinfo['rtmaster']
out='
- deny condition = ${if eq {$acl_m1}{RTMail}}
+ deny condition = ${if eq {$acl_m_prf}{RTMail}}
condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
{!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \
{!match {$acl_m12}{RTMailRecipientHasSubaddress}}}}
if nodeinfo['packagesqamaster']
out='
deny !hosts = +debianhosts : 217.196.43.134
- condition = ${if eq {$acl_m1}{PTSMail}}
+ condition = ${if eq {$acl_m_prf}{PTSMail}}
condition = ${if def:h_X-PTS-Approved:{false}{true}}
message = messages to the PTS require an X-PTS-Approved header
'
end
out
%>
- deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}}
- message = Blackisted URI found in body
-
- deny condition = ${if eq {$acl_m1}{DBSignedMail}}
+ deny condition = ${if eq {$acl_m_prf}{DBSignedMail}}
condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
{!match {$message_body}{PGP SIGNED MESSAGE}} \
{!match {$message_body}{PGP SIGNATURE}} \
out = ""
if has_variable?("clamd") && clamd == "true"
out = '
- deny
+ discard condition = ${if eq {$acl_m_prf}{blackhole}{no}{yes}}
+ demime = *
+ malware = */defer_ok
+ log_message = discarded malware message for $recipients
+
+ deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}}
demime = *
malware = */defer_ok
message = malware detected: $malware_name: message rejected
+
+ warn condition = ${if eq {$acl_m_prf}{markup}}
+ demime = *
+ malware = */defer_ok
+ message = X-malware detected: $malware_name
'
end
out
out=''
if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
out='
+ discard condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{blackhole}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ log_message = discarded surbl message for $recipients
+
+ warn condition = ${if <{$message_size}{256000}}
+ condition = ${if eq {$acl_m_prf}{markup}}
+ set acl_m_srb = ${perl{surblspamcheck}}
+ condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
+ message = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+ accept condition = ${if eq {$acl_m_prf}{markup}}
+
deny condition = ${if <{$message_size}{256000}}
set acl_m_srb = ${perl{surblspamcheck}}
condition = ${if eq{$acl_m_srb}{false}{no}{yes}}
out
%>
# Check header_sender except for survey@popcon.d.o
- deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}}
- !verify = header_sender
- message = No valid sender found in the From:, Sender: and Reply-to: headers
+ deny condition = ${if eq{$acl_m_prf}{PopconMail}{false}{true}}
+ !verify = header_sender
+ message = No valid sender found in the From:, Sender: and Reply-to: headers
+<%=
+out = ""
+if nodeinfo['packagesmaster']
+ out = '
+ deny message = Congratulations, you scored $spam_score points.
+ log_message = spam: $spam_score points.
+ condition = ${if eq {$acl_m_prf}{PackagesMail}}
+ !authenticated = *
+ !verify = certificate
+ !hosts = +debianhosts
+ condition = ${if <{$message_size}{256000}}
+ spam = pkg_user : true
+ condition = ${if >{$spam_score_int}{59}}
+'
+end
+out
+%>
accept
bsmtp:
debug_print = "R: bsmtp for $local_part@$domain"
driver = manualroute
- domains = !+local_domains
+ domains = +bsmtp_domains
require_files = /etc/exim4/bsmtp
route_list = * ${extract{file}{\
${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
ignore_target_hosts = +reservedaddrs
no_more
+postmasterish:
+ debug_print = "R: postmasterish for $local_part@$domain"
+ driver = redirect
+ verify = false
+ unseen = true
+ expn = true
+ local_parts = +postmasterish
+ domains = +handled_domains
+ data = debian-admin@debian.org
+ headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+
# This router handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
begin retry
debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h
-* * senders=: F,2h,10m
* rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m
* * F,2h,15m; G,16h,2h,1.5; F,4d,8h
projects / mirror / dsa-puppet.git / blobdiff