X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=38e89bd777b6bcb6a6b3889f345d86555327b701;hb=3aefff738687e27e594f9860bbab971f98cf94ab;hp=1ea37fe5c9a504bd2b77128f91c45d24a02193b4;hpb=ed417d176455e33a6b49f7586f4b674c14173410;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 1ea37fe5c..38e89bd77 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -35,13 +35,20 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +<%= +out = "" +if nodeinfo['mailrelay'] + out = ' # mailhubdomains - Domains for which we are the MX, but the mail is relayed # elsewhere. This is designed for use with small volume or # restricted machines that need to use a smarthost for mail # traffic. We will relay for them based on ssl cert validation # but we need to teach exim how to route the mail to them. This is # that list. - +' +end +out +%> # Exim's wildcard mechanism is a bit odd in that to say "any address in # debian.org including debian.org" you must use two patterns, # *.debian.org @@ -77,6 +84,16 @@ # MAIN CONFIGURATION SETTINGS # ###################################################################### +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? + out = " +perl_startup = do '/etc/exim4/exim_surbl.pl' +" +end +out +%> + # These options specify the Access Control Lists (ACLs) that # are used for incoming SMTP messages - after the RCPT and DATA # commands, respectively. @@ -84,6 +101,14 @@ acl_smtp_helo = check_helo acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}} acl_smtp_data = check_message +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? + out = "acl_smtp_mime = acl_check_mime" +end +out +%> +acl_smtp_predata = acl_check_predata # accept domain literal syntax in e-mail addresses. To actually make use of # this a router is also required @@ -114,7 +139,15 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers # accept mail for them. domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts +<%= +out = "" +if nodeinfo['mailrelay'] + out = ' domainlist mailhubdomains = lsearch;/etc/exim4/manualroute +' +end +out +%> hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %> @@ -248,6 +281,13 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map ###################################################################### begin acl +acl_localonly: + accept local_parts = +local_only_users + domains = +local_domains + hosts = !+debianhosts + + deny + check_helo: warn set acl_c1 = 0 @@ -371,10 +411,18 @@ out message = unknown user verify = recipient +<%= +out = "" +if nodeinfo['mailrelay'] + out = ' accept domains = +mailhubdomains endpass message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache +' +end +out +%> accept domains = +submission_domains endpass @@ -386,7 +434,7 @@ out #!!# ACL that is used after the RCPT command check_recipient: -<%= +<%= out = "" if nodeinfo['mailrelay'] out = " accept verify = certificate" @@ -473,14 +521,34 @@ out condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}} message = no mail should ever come from <$sender_address> - deny local_parts = +local_only_users - domains = +local_domains - hosts = !+debianhosts - message = mail for $local_part is only accepted internally + warn condition = ${if eq{$acl_m6}{}} + acl = acl_localonly + set acl_m6 = localonly + set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}} + + warn condition = ${if eq{$acl_m6}{}} + !acl = acl_localonly + set acl_m6 = normal + + defer condition = ${if eq{$acl_m6}{localonly}} + !acl = acl_localonly + log_message = Only one profile at a time, please + + defer condition = ${if eq{$acl_m6}{normal}} + acl = acl_localonly + log_message = Only one profile at a time, please +<%= +out='' +if 0 == 1: +out=' deny message = address $sender_host_address is listed in $dnslist_domain; $dnslist_text hosts = !+debianhosts dnslists = rbl.debian.net : rbl.debian.net/$sender_address_domain +' +end +out +%> deny !recipients = survey@popcon.debian.org !verify = sender @@ -489,7 +557,6 @@ out condition = ${if >{${eval:$acl_c1}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) - <%= out = "" if has_variable?("policydweight") && policydweight == "true" @@ -503,7 +570,7 @@ out = ' # closure, but I\'m fairly sure it\'s now worth it, since the backport of # policyd-weight is trivial. warn !hosts = +debianhosts - set acl_m9 = ${readsocket{inet:127.0.0.1:12525}\ + set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\ {request=smtpd_access_policy\n\ protocol_state=RCPT\n\ protocol_name=${uc:$received_protocol}\n\ @@ -520,33 +587,33 @@ out = ' # Defer on socket error defer !hosts = +debianhosts - condition = ${if eq{$acl_m9}{socket failure}{yes}{no}} + condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}} message = Cannot connect to policyd-weight. Please try again later. - # Set proposed action to $acl_m8 and message to $acl_m7 + # Set proposed action to $acl_m_act and message to $acl_m_mes warn !hosts = +debianhosts - set acl_m8 = ${extract{action}{$acl_m9}} - set acl_m7 = ${sg{$acl_m9}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}} + set acl_m_mes = ${extract{action}{$acl_m_pw}} + set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}} # Add X-policyd-weight header line to message warn !hosts = +debianhosts - message = $acl_m7 - condition = ${if eq{$acl_m8}{PREPEND}{yes}{no}} + message = $acl_m_mes + condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}} # Write log message, if policyd-weight can\'t run checks warn !hosts = +debianhosts - log_message = policyd-weight message: $acl_m7 - condition = ${if eq{$acl_m8}{DUNNO}{yes}{no}} + log_message = policyd-weight message: $acl_m_mes + condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}} # Deny mails which policyd-weight thinks are spam deny !hosts = +debianhosts - message = policyd-weight said: $acl_m7 - condition = ${if eq{$acl_m8}{550}{yes}{no}} + message = policyd-weight said: $acl_m_mes + condition = ${if eq{$acl_m_act}{550}{yes}{no}} # Defer messages when policyd-weight suggests so. defer !hosts = +debianhosts - message = policyd-weight said: $acl_m7 - condition = ${if eq{$acl_m8}{450}{yes}{no}} + message = policyd-weight said: $acl_m_mes + condition = ${if eq{$acl_m_act}{450}{yes}{no}} ' end out @@ -554,23 +621,37 @@ out warn recipients = survey@popcon.debian.org set acl_m1 = PopconMail +<%= +out='' +if nodeinfo['rtmaster'] + out=' warn domains = rt.debian.org set acl_m1 = RTMail - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}} - + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} +' +end +out +%> +<%= +out='' +if nodeinfo['packagesqamaster'] + out=' warn domains = packages.qa.debian.org set acl_m1 = PTSMail warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org set acl_m1 = PTSOwner - warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org - set acl_m1 = DBSignedMail - warn senders = : domains = packages.qa.debian.org condition = ${if match{$local_part}{\N^bounces+\N}} set acl_m1 = PTSListBounce +' +end +out +%> + warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org + set acl_m1 = DBSignedMail <%= out = "" @@ -602,12 +683,12 @@ if has_variable?("greylistd") && greylistd == "true" elsif has_variable?("postgrey") && postgrey == "true" out = ' # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html - # this adds acl_m4 if there isn\'t one (so unique per message) + # this adds acl_m_grey if there isn\'t one (so unique per message) warn !senders = : !hosts = : +debianhosts : WHITELIST - condition = ${if def:acl_m4 {no}{yes}} - set acl_m4 = $pid.$tod_epoch.$sender_host_port + condition = ${if def:acl_m_grey {no}{yes}} + set acl_m_grey = $pid.$tod_epoch.$sender_host_port # and defers the message if postgrey thinks it should be defered ... defer @@ -616,22 +697,22 @@ elsif has_variable?("postgrey") && postgrey == "true" !authenticated = * domains = +handled_domains : +rcpthosts local_parts = GREYLIST_LOCAL_PARTS - set acl_m3 = request=smtpd_access_policy\n\ + set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ protocol_name=${uc:$received_protocol}\n\ - instance=${acl_m4}\n\ + instance=${acl_m_grey}\n\ helo_name=${sender_helo_name}\n\ client_address=${substr_-3:${mask:$sender_host_address/24}}\n\ client_name=${sender_host_name}\n\ sender=${sender_address}\n\ recipient=$local_part@$domain\n\n - set acl_m3 = ${sg{\ - ${readsocket{/var/run/postgrey/socket}{$acl_m3}\ + set acl_m_pgr = ${sg{\ + ${readsocket{/var/run/postgrey/socket}{$acl_m_pgr}\ {5s}{}{action=DUNNO}}\ }{action=}{}} - message = ${sg{$acl_m3}{^\\w+\\s*}{}} + message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}} log_message = greylisted. - condition = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}} + condition = ${if eq{${uc:${substr{0}{5}{$acl_m_pgr}}}}{DEFER}} # ... or adds a header with information about how long the delay was warn @@ -640,8 +721,8 @@ elsif has_variable?("postgrey") && postgrey == "true" !authenticated = * domains = +handled_domains : +rcpthosts local_parts = GREYLIST_LOCAL_PARTS - condition = ${if eq{${uc:${substr_0_7:$acl_m3}}}{PREPEND}} - message = ${sg{$acl_m3}{^\\w+\\s*}{}} + condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} + message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}} ' end out @@ -681,11 +762,18 @@ out !hosts = +debianhosts : WHITELIST !verify = sender/callout +<%= +out = "" +if nodeinfo['mailrelay'] + out = ' accept domains = +mailhubdomains endpass message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache - +' +end +out +%> accept domains = +handled_domains endpass message = unknown user @@ -702,22 +790,61 @@ out deny message = relay not permitted +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? +out=' +acl_check_mime: + + deny condition = ${if <{$message_size}{256000}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = $acl_m_srb + message = $acl_m_srb + + accept +' +end +out +%> + +acl_check_predata: + deny condition = ${if eq{$acl_m6}{localonly}} + message = mail for $acl_m7 is only accepted internally + + accept + + #!!# ACL that is used after the DATA command check_message: require verify = header_syntax message = Invalid syntax in the header +<%= +out='' +if nodeinfo['rtmaster'] + out=' deny condition = ${if eq {$acl_m1}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ - {!match {${lc:$rh_Subject:]}} {\\[rt.debian.org }} \ + {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}} message = messages to the Request Tracker system require a subject tag or a subaddress - +' +end +out +%> +<%= +out='' +if nodeinfo['packagesqamaster'] + out=' deny !hosts = +debianhosts : 217.196.43.134 condition = ${if eq {$acl_m1}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} message = messages to the PTS require an X-PTS-Approved header - +' +end +out +%> deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} message = Blackisted URI found in body @@ -757,15 +884,19 @@ out = ' end out %> - - deny spam = $value/defer_ok - domains = +handled_domains : +rcpthosts - message = message got a spam score of $spam_score - local_parts = ${if exists {/etc/exim4/sa_users}\ - {${if match_domain{$domain}{+virtual_domains}\ - {${lookup{$local_part@$domain}nwildlsearch{/etc/exim4/sa_users}{$local_part}{}}}\ - {${lookup{$local_part}lsearch{/etc/exim4/sa_users}{$local_part}{}}}}}} - +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? +out=' + deny condition = ${if <{$message_size}{256000}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = $acl_m_srb + message = $acl_m_srb +' +end +out +%> # Check header_sender except for survey@popcon.d.o deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}} !verify = header_sender @@ -1283,6 +1414,7 @@ address_reply: remote_smtp: driver = smtp connect_timeout = 1m + delay_after_cutoff = false <%= out = "" if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" @@ -1292,20 +1424,23 @@ end out %> -remote_smtp_smarthost: - debug_print = "T: remote_smtp_smarthost for $local_part@$domain" - driver = smtp <%= out = "" if not nodeinfo['smarthost'].empty? - out += " port = " + nodeinfo['smarthost_port'] + "\n" -end - -if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" - out += ' tls_tempfail_tryclear = false +out = ' +remote_smtp_smarthost: + debug_print = "T: remote_smtp_smarthost for $local_part@$domain" + driver = smtp + delay_after_cutoff = false + port = ' + out += nodeinfo['smarthost_port'].to_s + "\n" + if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true" + out += ' tls_tempfail_tryclear = false + hosts_require_tls = ' + nodeinfo['smarthost'] + ' tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key ' + end end out %>