X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ffiles%2Fcommon%2Fexim4.conf;h=4b048612e7a4ccf8e68d16d1073ec3cf9c99ac21;hb=4d75b2db79978fa0592442ea11ff9a6843e527a8;hp=85201374bc4ca676393b471d94907facafa3a5be;hpb=be70abdd6ebea0169f6e65d766554a4e2379a484;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf index 85201374b..4b048612e 100644 --- a/modules/exim/files/common/exim4.conf +++ b/modules/exim/files/common/exim4.conf @@ -39,6 +39,12 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +# mailhubdomains - Domains for which we are the MX, but the mail is relayed +# elsewhere. This is designed for use with small volume or +# restricted machines that need to use a smarthost for mail +# traffic. We will relay for them based on ssl cert validation +# but we need to teach exim how to route the mail to them. This is +# that list. # The division of files is designed so that all hosts may share rcpthosts # and relayhosts, these could be replicated automatically if necessary. @@ -115,6 +121,7 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers # accept mail for them. domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts +domainlist mailhubdomains = lsearch;/etc/exim4/manualroute .ifndef RESERVEDADDRS RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \ @@ -124,6 +131,14 @@ RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \ hostlist reservedaddrs = RESERVEDADDRS +.ifdef USE_TLS +tls_certificate = /etc/exim4/ssl/thishost.crt +tls_privatekey = /etc/exim4/ssl/thishost.key +tls_try_verify_hosts = * +tls_verify_certificates = /etc/exim4/ssl/ca.crt +tls_crl = /etc/exim4/ssl/ca.crl +.endif + #system_filter = /etc/exim4/filter #system_filter_file_transport = address_file @@ -182,18 +197,33 @@ queue_list_requires_admin = false av_scanner = CLAMAV .endif -.ifdef HAVE_USER_DEBBUGS +.ifdef HAVE_USER_DEBBUGS MAIL_RELAY MAIL_IN_VIA_SUBMISSION daemon_smtp_ports = 25 : 587 +.else +.ifdef MAIL_IN_VIA_2025 +daemon_smtp_ports = 25 : 2025 +.endif .endif admin_groups = adm remote_sort_domains = *.debian.org:*.debian.net pipelining_advertise_hosts = !* +.ifdef USE_TLS +tls_advertise_hosts = * +.endif smtp_enforce_sync = true log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation +received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\ + {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ + ${if and {{eq {$tls_certificate_verified}{1}}{def:tls_peerdn}}{from $tls_peerdn\n\t}}\ + by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}\ + (Exim $version_number)\n\t\ + ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\ + id $message_exim_id${if def:received_for {\n\tfor $received_for}} + # macro definitions. # Do not wrap! VDOMAINDATA = ${lookup{$domain}partial-lsearch{/etc/exim4/virtualdomains}{$value}} @@ -298,17 +328,36 @@ check_helo: #!!# ACL that is used after the RCPT command on the submission port check_submission: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : 127.0.0.1 # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing addres harvesting or other mail blasts. +.ifdef MAIL_RELAY + accept verify = certificate +.endif + defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count message = Too many bad recipients, try again later condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} defer ratelimit = 5 / 60m / per_rcpt / $sender_host_address + !hosts = +debianhosts message = sorry, only 5 reports per hour for submission + accept domains = +local_domains + hosts = +debianhosts + endpass + message = unknown user + verify = recipient + + accept domains = +mailhubdomains + endpass + message = unknown user + verify = recipient/callout=30s,defer_ok,use_sender,no_cache + accept domains = +submission_domains endpass message = unknown user @@ -319,6 +368,10 @@ check_submission: #!!# ACL that is used after the RCPT command check_recipient: +.ifdef MAIL_RELAY + accept verify = certificate +.endif + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing addres harvesting or other mail blasts. @@ -413,7 +466,7 @@ check_recipient: defer !hosts = +debianhosts condition = ${if >{${eval:$acl_c1}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address - message = slow down (no reverse dns, or dialup) + message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) .ifdef HAVE_POLICYD # Check with policyd-weight - this only works with a version after etch's, @@ -476,7 +529,7 @@ check_recipient: warn domains = rt.debian.org set acl_m1 = RTMail - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if match{$local_part}{[^+]+\\+\\d+} {RTMailRecipientHasSubaddress}}}} + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}} warn domains = packages.qa.debian.org set acl_m1 = PTSMail @@ -596,6 +649,11 @@ check_recipient: !hosts = +debianhosts : WHITELIST !verify = sender/callout + accept domains = +mailhubdomains + endpass + message = unknown user + verify = recipient/callout=30s,defer_ok,use_sender,no_cache + accept domains = +handled_domains endpass message = unknown user @@ -632,10 +690,12 @@ check_message: message = Blackisted URI found in body deny condition = ${if eq {$acl_m1}{DBSignedMail}} - condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ - {!match {$message_body}{PGP SIGNED MESSAGE}} \ - {!match {$message_body}{PGP SIGNATURE}} \ - } \ + condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ + {!match {$message_body}{PGP SIGNED MESSAGE}} \ + {!match {$message_body}{PGP SIGNATURE}} \ + {!match {$header_content-type:}{multipart/signed}} \ + {!match {$header_content-type:}{pgp}} \ + } \ } message = Mail to this address needs to be PGP-signed @@ -710,6 +770,13 @@ begin routers # An address is passed to each in turn until it is accepted. # ###################################################################### +relay_manualroute: + driver = manualroute + domains = +mailhubdomains + transport = remote_smtp + route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}} + require_files = /etc/exim4/manualroute + bsmtp: debug_print = "R: bsmtp for $local_part@$domain" driver = manualroute @@ -730,6 +797,17 @@ ipliteral: transport = remote_smtp ignore_target_hosts = +reservedaddrs +.ifdef SMARTHOST +smarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = !+handled_domains + transport = remote_smtp_smarthost + route_list = * SMARTHOST + host_find_failed = defer + same_domain_copy_routing = yes + no_more +.endif # This router routes to remote hosts over SMTP using a DNS lookup. # Ignore reserved network responses, including localhost. dnslookup: @@ -924,7 +1002,34 @@ bugs: .endif # This router delivers for rt.d.o -rt: +rt_force_new_verbose: + debug_print = "R: rt for $local_part+new@$domain" + driver = redirect + domains = rt.debian.org + require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP + local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}} + local_part_suffix = +new + pipe_transport = rt_pipe + data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}" + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" + +# FIXME: figure out how to generalize this approach so that all of the following would work +# - rt+NNNN@rt.debian.org : attach correspondence to ticket (verbose) +# - rt+NNNN-quiesce@rt.debian.org : attach correspondence to ticket (quiesce) +# - rt+NNNN-@rt.debian.org : attach correspondence to ticket (some action) +# requires modification to custom condition in 'scrips' +rt_force_new_quiesce: + debug_print = "R: rt for $local_part+new-quiesce@$domain" + driver = redirect + domains = rt.debian.org + require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP + local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}} + local_part_suffix = +new-quiesce + pipe_transport = rt_pipe + data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}" + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce" + +rt_otherwise: debug_print = "R: rt for $local_part@$domain" driver = redirect domains = rt.debian.org @@ -1115,7 +1220,22 @@ address_reply: remote_smtp: driver = smtp connect_timeout = 1m - hosts_avoid_tls = * +.ifdef USE_TLS + tls_certificate = /etc/exim4/ssl/thishost.crt + tls_privatekey = /etc/exim4/ssl/thishost.key +.endif + +remote_smtp_smarthost: + debug_print = "T: remote_smtp_smarthost for $local_part@$domain" + driver = smtp +.ifdef SMARTHST_PORT + port = SMARTHST_PORT +.endif +.ifdef USE_TLS + tls_tempfail_tryclear = false + tls_certificate = /etc/exim4/ssl/thishost.crt + tls_privatekey = /etc/exim4/ssl/thishost.key +.endif # Send the message to procmail procmail_pipe: