X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=70ac44893b640e4b959ea639aedeb2528df21bfb;hb=347c885dc052bcd082ff8bd438fcb774b7ac775a;hp=38e89bd777b6bcb6a6b3889f345d86555327b701;hpb=bc087e036cd6bc75711a06ad0062f883a295794a;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 38e89bd77..70ac44893 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -78,7 +78,7 @@ out # will trigger things like rcpt to rate limiting or possibly a reject if # enough hits are triggered. # -# value is stored in acl_c1 +# value is stored in acl_c_scr ###################################################################### # MAIN CONFIGURATION SETTINGS # @@ -281,16 +281,83 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map ###################################################################### begin acl -acl_localonly: - accept local_parts = +local_only_users - domains = +local_domains - hosts = !+debianhosts +acl_getprofile: + # This is a bad hack to reset the variable, by defining it be something + # never referenced. - deny + warn set acl_m_rprf = $acl_m_undefined + + warn recipients = survey@popcon.debian.org + set acl_m_rprf = PopconMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn local_parts = +local_only_users + domains = +local_domains + hosts = !+debianhosts + set acl_m_rprf = localonly + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + +<%= +out='' +if nodeinfo['rtmaster'] + out=' + warn domains = rt.debian.org + set acl_m_rprf = RTMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> +<%= +out = "" +if nodeinfo['packagesmaster'] + out = ' + warn domains = packages.debian.org + set acl_m_rprf = PackagesMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> +<%= +if nodeinfo['packagesqamaster'] + out=' + warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org + set acl_m_rprf = PTSOwner + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn senders = : + domains = packages.qa.debian.org + condition = ${if match{$local_part}{\N^bounces+\N}} + set acl_m_rprf = PTSListBounce + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn domains = packages.qa.debian.org + set acl_m_rprf = PTSMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> + warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org + set acl_m_rprf = DBSignedMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn set acl_m_rprf = normal + + accept check_helo: - warn set acl_c1 = 0 + warn set acl_c_scr = 0 <%= out = "" @@ -305,36 +372,36 @@ out warn dnslists = list.dnswl.org&0.0.0.3 log_message = Hit on list.dnswl.org for $sender_host_address - set acl_c1 = ${eval:$acl_c1-30} + set acl_c_scr = ${eval:$acl_c_scr-30} warn dnslists = list.dnswl.org&0.0.0.2 log_message = Hit on list.dnswl.org for $sender_host_address - set acl_c1 = ${eval:$acl_c1-20} + set acl_c_scr = ${eval:$acl_c_scr-20} warn dnslists = list.dnswl.org log_message = Hit on list.dnswl.org for $sender_host_address - set acl_c1 = ${eval:$acl_c1-10} + set acl_c_scr = ${eval:$acl_c_scr-10} warn condition = ${if isip {$sender_helo_name}{true}{false}} log_message = remote host used IP address in HELO/EHLO greeting - set acl_c1 = ${eval:$acl_c1+20} + set acl_c_scr = ${eval:$acl_c_scr+20} warn !hosts = +debianhosts condition = ${if eq{$host_lookup_failed}{1}} - set acl_c1 = ${eval:$acl_c1+20} + set acl_c_scr = ${eval:$acl_c_scr+20} warn !hosts = +debianhosts condition = ${if eq{$host_lookup_failed}{0}} condition = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}} - set acl_c1 = ${eval:$acl_c1+20} + set acl_c_scr = ${eval:$acl_c_scr+20} warn !hosts = +debianhosts condition = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}} - set acl_c1 = ${eval:$acl_c1+20} + set acl_c_scr = ${eval:$acl_c_scr+20} warn !hosts = +debianhosts dnslists = dul.dnsbl.sorbs.net - set acl_c1 = ${eval:$acl_c1+15} + set acl_c_scr = ${eval:$acl_c_scr+15} # If the sender's helo name is empty, the message will be rejected later # because the helo is empty. If the rDNS lookup failed, we are already @@ -346,7 +413,7 @@ out condition = ${if def:sender_helo_name {yes}{no}} condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}} log_message = HELO doesn't match rDNS - set acl_c1 = ${eval:$acl_c1+8} + set acl_c_scr = ${eval:$acl_c_scr+8} # Regexes of doom # matches 098325879 - looks fishy @@ -357,13 +424,13 @@ out } \ } log_message = non-FQDN HELO - set acl_c1 = ${eval:$acl_c1+12} + set acl_c_scr = ${eval:$acl_c_scr+12} # Matches DOMAIN99.com - looks bad warn condition = ${if match {$sender_helo_name}{\N^[A-Z]+[A-Z0-9\-]+\.[A-Za-z0-9]+$\N}} log_message = SHOUTING HELO - set acl_c1 = ${eval:$acl_c1+7} + set acl_c_scr = ${eval:$acl_c_scr+7} # Random HELO (run of 7 consonants) (constructed by viruses). We purposefully # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly @@ -373,7 +440,7 @@ out condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}} condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}} log_message = random HELO - set acl_c1 = ${eval:$acl_c1+5} + set acl_c_scr = ${eval:$acl_c_scr+5} # Implicit, but simpler to just say it accept @@ -465,7 +532,7 @@ out # This logic gives you a list of commonly forged domains in helo to reject against - warn set acl_m2 = ${lookup{$sender_helo_name} \ + warn set acl_m_frg = ${lookup{$sender_helo_name} \ nwildlsearch{/etc/exim4/helo-check} \ {${if eq{$value}{}{$sender_helo_name}{$value}}}{}} @@ -473,15 +540,15 @@ out # say helo as a name in the list but we can't look them up defer !hosts = +debianhosts - condition = ${if eq{$acl_m2}{}{no}{yes}} + condition = ${if eq{$acl_m_frg}{}{no}{yes}} condition = ${if eq{$sender_host_name}{}{yes}{no}} condition = ${if eq{$host_lookup_failed}{1}{no}{yes}} message = Access temporarily denied. Resolve failed PTR for $sender_host_address # If DNS works, go ahead and reject them - drop !hosts = +debianhosts - condition = ${if and { {!eq{$acl_m2}{}}{!match{$sender_host_name}{${rxquote:$acl_m2}\N$\N}}}{yes}{no}} + drop !hosts = +debianhosts + condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}} message = HELO mismatch Forged HELO for ($sender_helo_name) # disabled accounts don't even get local mail. @@ -521,22 +588,15 @@ out condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}} message = no mail should ever come from <$sender_address> - warn condition = ${if eq{$acl_m6}{}} - acl = acl_localonly - set acl_m6 = localonly - set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}} - - warn condition = ${if eq{$acl_m6}{}} - !acl = acl_localonly - set acl_m6 = normal + warn acl = acl_getprofile + condition = ${if eq{$acl_m_prf}{}} + set acl_m_prf = $acl_m_rprf - defer condition = ${if eq{$acl_m6}{localonly}} - !acl = acl_localonly + defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}} log_message = Only one profile at a time, please - defer condition = ${if eq{$acl_m6}{normal}} - acl = acl_localonly - log_message = Only one profile at a time, please + warn condition = ${if eq{$acl_m_prf}{localonly}} + set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} <%= out='' @@ -549,12 +609,22 @@ out=' end out %> - - deny !recipients = survey@popcon.debian.org - !verify = sender +<%= +out='' +if nodeinfo['packagesqamaster'] + out=' + warn condition = ${if eq {$acl_m_prf}{PackagesMail}} + condition = ${if eq {$sender_address}{$local_part@$domain}} + message = X-Packages-FromTo-Same: yes +' +end +out +%> + deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + !verify = sender defer !hosts = +debianhosts - condition = ${if >{${eval:$acl_c1}}{0}} + condition = ${if >{${eval:$acl_c_scr}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%= @@ -618,41 +688,16 @@ out = ' end out %> - warn recipients = survey@popcon.debian.org - set acl_m1 = PopconMail - <%= out='' if nodeinfo['rtmaster'] out=' - warn domains = rt.debian.org - set acl_m1 = RTMail - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} + warn condition = ${if eq{$acl_m_prf}{RTMail}} + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} ' end out %> -<%= -out='' -if nodeinfo['packagesqamaster'] - out=' - warn domains = packages.qa.debian.org - set acl_m1 = PTSMail - - warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org - set acl_m1 = PTSOwner - - warn senders = : - domains = packages.qa.debian.org - condition = ${if match{$local_part}{\N^bounces+\N}} - set acl_m1 = PTSListBounce -' -end -out -%> - warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org - set acl_m1 = DBSignedMail - <%= out = "" if has_variable?("greylistd") && greylistd == "true" @@ -809,8 +854,8 @@ out %> acl_check_predata: - deny condition = ${if eq{$acl_m6}{localonly}} - message = mail for $acl_m7 is only accepted internally + deny condition = ${if eq{$acl_m_lcl}{localonly}} + message = mail for $acl_m_lrc is only accepted internally accept @@ -824,7 +869,7 @@ check_message: out='' if nodeinfo['rtmaster'] out=' - deny condition = ${if eq {$acl_m1}{RTMail}} + deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}} @@ -838,7 +883,7 @@ out='' if nodeinfo['packagesqamaster'] out=' deny !hosts = +debianhosts : 217.196.43.134 - condition = ${if eq {$acl_m1}{PTSMail}} + condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} message = messages to the PTS require an X-PTS-Approved header ' @@ -848,7 +893,7 @@ out deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} message = Blackisted URI found in body - deny condition = ${if eq {$acl_m1}{DBSignedMail}} + deny condition = ${if eq {$acl_m_prf}{DBSignedMail}} condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ {!match {$message_body}{PGP SIGNED MESSAGE}} \ {!match {$message_body}{PGP SIGNATURE}} \ @@ -898,10 +943,27 @@ end out %> # Check header_sender except for survey@popcon.d.o - deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}} - !verify = header_sender - message = No valid sender found in the From:, Sender: and Reply-to: headers + deny condition = ${if eq{$acl_m_prf}{PopconMail}{false}{true}} + !verify = header_sender + message = No valid sender found in the From:, Sender: and Reply-to: headers +<%= +out = "" +if nodeinfo['packagesmaster'] + out = ' + deny message = Congratulations, you scored $spam_score points. + log_message = spam: $spam_score points. + condition = ${if eq {$acl_m_prf}{PackagesMail}} + !authenticated = * + !verify = certificate + !hosts = +debianhosts + condition = ${if <{$message_size}{256000}} + spam = pkg_user : true + condition = ${if >{$spam_score_int}{59}} +' +end +out +%> accept