X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=4777ce8c76f4e089c61b925e71c7de932c985443;hb=906277d3c7c09fa4437fdc4a87cab4b7896bfe67;hp=462daa849ee39ebff2a35c1e8bde5300f60cfd0c;hpb=45626e335240068131d0dce27b3f78b8a254c6bd;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 462daa849..4777ce8c7 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -136,7 +136,7 @@ localpartlist postmasterish = postmaster : abuse : hostmaster : root # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. -hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts +hostlist debianhosts = 127.0.0.1 : /var/lib/misc/thishost/debianhosts <%= out = "" if nodeinfo['mailrelay'] @@ -165,7 +165,7 @@ out # expensive, you can specify the networks for which a lookup is done, or # remove the setting entirely. host_lookup = * -dns_ipv4_lookup = !localhost +# dns_ipv4_lookup = !localhost (disabled upon sgrans request, zobel, 2010-03-16) # If this option is set, then any process that is running as one of the # listed users may pass a message to Exim and specify the sender's @@ -293,6 +293,14 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map ###################################################################### begin acl +acl_spamlovers: + # There are a few profiles that don't want much smtp time checking of + # mail. It's easier to track them in one place + + accept condition = ${if eq {$acl_m_prf}{PopconMail}} + accept condition = ${if eq {$acl_m_prf}{BugsMail}} + deny + acl_getprofile: # This is a bad hack to reset the variable, by defining it be something # never referenced. 
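Review bot: Replacing `net-lsearch;/var/lib/misc/thishost/debianhosts` with a bare path changes how the file is read: Exim now treats each line as a host-list item (literal address, CIDR mask, hostname pattern or wildcard) instead of an exact-key lookup on the connecting IP. Because `+debianhosts` both grants relaying (`accept domains = +local_domains hosts = +debianhosts` in a later hunk) and exempts hosts from the HELO and bad-recipient checks (`!hosts = +debianhosts`), any non-literal line the generator emits now widens that trust, and a hostname line adds a DNS lookup per connection. The generator of that file is outside this diff, so I cannot confirm it only writes addresses. A comment next to the setting would make the expectation explicit: `# plain file: one host-list item per line (address or mask only) - no longer a keyed lookup`.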
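Review bot: `acl_spamlovers` is a predicate called through `!acl = acl_spamlovers` from `defer` and `drop` statements, but its comment does not say it must only return accept or deny; a `defer` added to it later would propagate to the calling statement and, as far as I recall, `drop`/`discard` are not permitted inside a nested ACL at all. The exemption keys on `$acl_m_prf`, which the bugsmx hunk in this same commit suggests is derived from the recipient domain rather than the sending host, so the HELO-forgery and bad-recipient checks are relaxed for any connection delivering to those domains; that trade-off belongs in the comment as well. Suggested wording: `# Predicate ACL (used as !acl = acl_spamlovers): accept = profile is exempt from SMTP-time checks, deny = not exempt. Keep it to accept/deny only - a defer here propagates to the calling drop/defer statement.`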
@@ -325,6 +333,18 @@ out %> <%= out = '' +if nodeinfo['bugsmx'] + out = ' + warn domains = bugs.debian.org + set acl_m_rprf = BugsMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> +<%= +out = '' if nodeinfo['packagesmaster'] out = ' warn domains = packages.debian.org @@ -529,7 +549,6 @@ out accept domains = +local_domains hosts = +debianhosts endpass - message = unknown user verify = recipient <%= @@ -538,7 +557,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -547,7 +565,6 @@ out accept domains = +submission_domains endpass - message = unknown user verify = recipient deny message = relay not permitted 
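Review bot: The new `bugsmx` block leaves the profile ACL as soon as `$acl_m_rprf` is set (`accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}}`), the same shape as the `packagesmaster` block that follows it, so profile precedence is purely positional and a host carrying more than one role gets whichever block comes first. Nothing in the template says that; a one-liner at the top of the block would: `# first matching profile wins - later blocks are not reached once acl_m_rprf is set`. The domain is also a bare literal (`domains = bugs.debian.org`) while the ACLs below use named lists such as `+handled_domains`; fine if intentional, but worth a note since this profile now relaxes the anti-spam checks through acl_spamlovers.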
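Review bot: Dropping `message = unknown user` after `endpass` means the 550 text for a failed `verify = recipient` is now Exim's own verification-failure message; for the callout variants (`verify = recipient/callout=30s,defer_ok,use_sender,no_cache` in the mailrelay hunks at -538 and -904) that default text includes the host Exim called and the response it got back, which exposes the internal mailhub in the reply sent to the remote sender. The same removal appears in hunks -538, -547, -904 and -912. If the aim is only to let router `cannot_route_message` texts through, consider keeping `message = unknown user` on the two callout statements only, or confirm that the callout detail in the default text is acceptable to disclose.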
@@ -574,25 +591,25 @@ out # This is a rough pass at preventing addres harvesting or other mail blasts. defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + !acl = acl_spamlovers message = Too many bad recipients, try again later !hosts = +debianhosts condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} # Dump spambots that are so stupid they say helo as our IP address - drop !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}} - message = HELO mismatch Forged HELO for ($sender_helo_name) + drop !hosts = +debianhosts + !acl = acl_spamlovers + condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}} + message = HELO mismatch Forged HELO for ($sender_helo_name) # Also for spambots that say helo as us or one of our domains - drop !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}} - condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}} - message = HELO mismatch Forged HELO for ($sender_helo_name) + drop !hosts = +debianhosts + !acl = acl_spamlovers + condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}} + condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}} + message = HELO mismatch Forged HELO for ($sender_helo_name) # This logic gives you a list of commonly forged domains in helo to reject against 
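Review bot: In the `defer log_message = Too many bad recipients` statement the new `!acl = acl_spamlovers` is placed before `!hosts = +debianhosts`, whereas the two `drop` statements in this hunk and every statement in the -603 hunk put `!hosts` first; Exim tests conditions in the order written, so the nested ACL now runs for internal hosts too before the cheap host-list test short-circuits it. The cost is negligible (two string compares), so this is a style point, but swapping the two lines makes all six statements read the same: `!hosts = +debianhosts` followed by `!acl = acl_spamlovers`. Hunk -603 already uses that order and needs no change.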
@@ -603,31 +620,31 @@ out # This is a failsafe in case DNS fails - we defer instead of hard reject if they # say helo as a name in the list but we can't look them up - defer !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if eq{$acl_m_frg}{}{no}{yes}} - condition = ${if eq{$sender_host_name}{}{yes}{no}} - condition = ${if eq{$host_lookup_failed}{1}{no}{yes}} - message = Access temporarily denied. Resolve failed PTR for $sender_host_address + defer !hosts = +debianhosts + !acl = acl_spamlovers + condition = ${if eq{$acl_m_frg}{}{no}{yes}} + condition = ${if eq{$sender_host_name}{}{yes}{no}} + condition = ${if eq{$host_lookup_failed}{1}{no}{yes}} + message = Access temporarily denied. Resolve failed PTR for $sender_host_address # If DNS works, go ahead and reject them - drop !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}} - message = HELO mismatch Forged HELO for ($sender_helo_name) + drop !hosts = +debianhosts + !acl = acl_spamlovers + condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}} + message = HELO mismatch Forged HELO for ($sender_helo_name) # disabled accounts don't even get local mail. 
- deny local_parts = lsearch;/var/lib/misc/$primary_hostname/mail-disable - domains = +local_domains - message = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}} - - deny domains = +virtual_domains - local_parts = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\ - {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\ - {}} - hosts = !+debianhosts - message = mail for <$local_part@$domain> only accepted from debian.org machines + deny local_parts = lsearch;/var/lib/misc/$primary_hostname/mail-disable + domains = +local_domains + message = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}} + + deny domains = +virtual_domains + local_parts = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\ + {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\ + {}} + hosts = !+debianhosts + message = mail for <$local_part@$domain> only accepted from debian.org machines # Accept if the source is local SMTP (i.e. not over TCP/IP). # We do this by testing for an empty sending host field. accept hosts = : @@ -904,7 +921,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -912,7 +928,6 @@ out %> accept domains = +handled_domains endpass - message = unknown user verify = recipient/defer_ok accept hosts = +debianhosts @@ -1305,6 +1320,8 @@ procmail: check_local_user domains = +local_domains headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" + local_part_suffix = -* + local_part_suffix_optional no_verify no_expn require_files = $local_part:$home/.procmailrc 
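Review bot: With `local_part_suffix = -*` and `local_part_suffix_optional`, `$local_part_suffix` on the procmail router is now arbitrary text supplied by the remote sender, and this hunk only shows it being interpolated into the `Delivered-To:` header; whether the procmail transport (outside this hunk) also passes it on a command line or through the environment is not visible, and if it does it must be quoted. `require_files = $local_part:$home/.procmailrc` is fine, since `$local_part` is the suffix-stripped part once a suffix has matched. A comment would make the contract explicit: `# -suffix is sender-controlled: expose $local_part_suffix only via headers or quoted env, never unquoted in a command`.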
@@ -1388,7 +1405,7 @@ bugs: no_more local_parts = ${if match\ {$local_part}\ - {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ + {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|help|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ {${if exists{/org/bugs.debian.org/spool/db-h/$2/$1$2.summary}\ {$local_part}fail}}fail} ' @@ -1444,25 +1461,6 @@ end out %> -virt_alias_verify: - debug_print = "R: virt_aliases for $local_part@$domain" - driver = redirect - data = ${if exists{\ - ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\ - {${lookup{$local_part}lsearch*{\ - ${extract{directory}{VDOMAINDATA}{$value/aliases}}\ - }}}} - directory_transport = address_directory - cannot_route_message = Unknown user - domains = +virtual_domains - file_transport = address_file - pipe_transport = address_pipe - qualify_preserve_domain - retry_use_local_part - transport_current_directory = ${extract{directory}{VDOMAINDATA}} - transport_home_directory = ${extract{directory}{VDOMAINDATA}} - verify_only - virt_direct_verify: debug_print = "R: virt_direct for $local_part@$domain" driver = redirect @@ -1505,7 +1503,6 @@ virt_aliases: retry_use_local_part transport_current_directory = ${extract{directory}{VDOMAINDATA}} transport_home_directory = ${extract{directory}{VDOMAINDATA}} - no_verify user = ${extract{user}{VDOMAINDATA}} # This is a qmailesque deliver into a directory of .forward files @@ -1724,6 +1721,7 @@ out begin retry debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h +* * senders=: F,2h,10m * rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m * * F,2h,15m; G,16h,2h,1.5; F,4d,8h
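Review bot: Removing `no_verify` from `virt_aliases` makes it the verification router for virtual-domain aliases in place of the deleted `virt_alias_verify`, but the deleted router carried `cannot_route_message = Unknown user` and the visible tail of `virt_aliases` shows no equivalent (its head is outside the hunk), so unknown aliases may now be refused with Exim's generic text; together with the `message = unknown user` removals elsewhere in this commit, the reply for those addresses changes twice. Verification will also now evaluate `user = ${extract{user}{VDOMAINDATA}}` and the `transport_*_directory` expansions at SMTP time for every probed address, which the old verify-only router did not have. If `virt_aliases` lacks it, add `cannot_route_message = Unknown user` to keep the previous reply.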
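Review bot: The new retry rule `* * senders=: F,2h,10m` sits after `debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h`, and Exim applies the first matching rule, so bounces (empty sender) to debian.org addresses keep the 14-day schedule while bounces to every other domain are abandoned after 2h. If the intent is to stop retrying all bounces quickly, the rule has to precede the `debian.org` one; if the split is deliberate, say so next to it: `# bounces (empty sender) to non-debian.org addresses: retry every 10m for 2h, then give up`.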