X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=0bfe9bdc83bb18697355ff5377572899ae41c2cd;hb=b5249bd3292990afe0418a45410101dead763153;hp=5b6c56825dfcc4708aa05a67db98824f5eb5818f;hpb=c03e9f5c38648134d0c4d3b00e438026642110bc;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 5b6c56825..0bfe9bdc8 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -138,6 +138,8 @@ domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains localpartlist local_only_users = lsearch;/etc/exim4/localusers +localpartlist postmasterish = postmaster : abuse : hostmaster : root + # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts @@ -367,6 +369,34 @@ out accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}} + log_message = $local_part@$domain: markup + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}} + log_message = $local_part@$domain: markup + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}} + log_message = $local_part@$domain: blackhole + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}} + log_message = $local_part@$domain: blackhole + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn set acl_m_rprf = normal accept @@ -492,7 +522,7 @@ out hosts = +debianhosts endpass message = unknown user - verify = recipient/callout=30s,use_sender + verify = recipient <%= out = "" @@ -640,7 +670,7 @@ out !verify = sender defer !hosts = +debianhosts - condition = ${if >{${eval:$acl_c_scr}}{0}} + condition = ${if >{${eval:$acl_c_scr+0}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%= @@ -789,9 +819,13 @@ end out %> - accept local_parts = postmaster + accept local_parts = +postmasterish domains = +handled_domains : +rcpthosts + deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} + message = I'm terribly sorry, but it seems you have been blacklisted + log_message = blacklisted IP + deny log_message = <$sender_address> is blacklisted senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}} message = We have blacklisted <$sender_address>. Please stop mailing us @@ -857,6 +891,20 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' acl_check_mime: + discard condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{blackhole}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = discarded surbl message for $recipients + + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + + accept condition = ${if eq {$acl_m_prf}{markup}} + deny condition = ${if <{$message_size}{256000}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} @@ -870,7 +918,7 @@ out %> acl_check_predata: - deny condition = ${if eq{$acl_m_lcl}{localonly}} + deny condition = ${if eq{$acl_m_prf}{localonly}} message = mail for $acl_m_lrc is only accepted internally accept @@ -878,9 +926,6 @@ acl_check_predata: #!!# ACL that is used after the DATA command check_message: - require verify = header_syntax - message = Invalid syntax in the header - <%= out='' if nodeinfo['rtmaster'] @@ -906,9 +951,6 @@ if nodeinfo['packagesqamaster'] end out %> - deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} - message = Blackisted URI found in body - deny condition = ${if eq {$acl_m_prf}{DBSignedMail}} condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ {!match {$message_body}{PGP SIGNED MESSAGE}} \ @@ -919,6 +961,11 @@ out } message = Mail to this address needs to be PGP-signed + accept verify = certificate + + require verify = header_syntax + message = Invalid syntax in the header + # RFC 822 and 2822 say that headers must be ASCII. This kinda emulates # postfix's strict_7bit_headers option, but only checks a few common problem # headers, as there doesn't appear to be an easy way to check them all. @@ -937,10 +984,20 @@ out out = "" if has_variable?("clamd") && clamd == "true" out = ' - deny + discard condition = ${if eq {$acl_m_prf}{blackhole}} + demime = * + malware = */defer_ok + log_message = discarded malware message for $recipients + + deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} demime = * malware = */defer_ok message = malware detected: $malware_name: message rejected + + warn condition = ${if eq {$acl_m_prf}{markup}} + demime = * + malware = */defer_ok + message = X-malware detected: $malware_name ' end out @@ -949,6 +1006,20 @@ out out='' if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' + discard condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{blackhole}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = discarded surbl message for $recipients + + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + + accept condition = ${if eq {$acl_m_prf}{markup}} + deny condition = ${if <{$message_size}{256000}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} @@ -1080,6 +1151,17 @@ dnslookup: ignore_target_hosts = +reservedaddrs no_more +postmasterish: + debug_print = "R: postmasterish for $local_part@$domain" + driver = redirect + verify = false + unseen = true + expn = true + local_parts = +postmasterish + domains = +handled_domains + data = debian-admin@debian.org + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" + # This router handles aliasing using a traditional /etc/aliases file. # If any of your aliases expand to pipes or files, you will need to set # up a user and a group for these deliveries to run under. You can do