X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=3cae25a344bcfcd80d8b2196bee585e63f06d324;hb=e97959a10c37d86418743654cb238dc1909a1a2a;hp=c3ef30b6e610acee345770b630861898457ddda8;hpb=bdb6a18523e035623d0855d9e2677387342a29eb;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index c3ef30b6e..3cae25a34 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -254,6 +254,7 @@ received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n # macro definitions. # Do not wrap! +MAX_SCAN_SIZE = 256000 VDOMAINDATA = ${lookup{$domain}partial-lsearch{/etc/exim4/virtualdomains}{$value}} VSENDERDOMAINDATA = ${lookup{$sender_address_domain}partial-lsearch{/etc/exim4/virtualdomains}{$value}} WHITELIST = ${if match_domain{$domain}{+virtual_domains}\ @@ -295,7 +296,7 @@ acl_getprofile: warn recipients = survey@popcon.debian.org set acl_m_rprf = PopconMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn local_parts = +local_only_users domains = +local_domains @@ -309,92 +310,92 @@ acl_getprofile: set acl_m_rprf = localonly <%- end -%> - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} <%- if @is_rtmaster -%> warn domains = rt.debian.org set acl_m_rprf = RTMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} <%- end -%> <%- if @is_bugsmx -%> warn domains = bugs.debian.org set acl_m_rprf = BugsMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} <%- end -%> <%- if @is_packagesmaster -%> warn domains = packages.debian.org set acl_m_rprf = PackagesMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} <%- end -%> <%- if @is_packagesqamaster -%> warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org set acl_m_rprf = PTSOwner - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn senders = : domains = packages.qa.debian.org condition = ${if match{$local_part}{\N^bounces+\N}} set acl_m_rprf = PTSListBounce - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = packages.qa.debian.org set acl_m_rprf = PTSMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} <%- end -%> warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org set acl_m_rprf = DBSignedMail - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}} set acl_m_rprf = markup - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}} set acl_m_rprf = blackhole - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}} condition = ${if eq{${lookup{$local_part}cdb{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}{$value}{}}}{markup}} set acl_m_rprf = markup - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}} condition = ${if eq{${lookup{$local_part}cdb{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}{$value}{}}}{blackhole}} set acl_m_rprf = blackhole - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +local_domains condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}} set acl_m_rprf = markup - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +local_domains condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}} set acl_m_rprf = blackhole - accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + accept condition = ${if !eq {$acl_m_rprf}{}} warn set acl_m_rprf = normal @@ -424,7 +425,7 @@ check_helo: log_message = Hit on list.dnswl.org for $sender_host_address set acl_c_scr = ${eval:$acl_c_scr-10} - warn condition = ${if isip {$sender_helo_name}{true}{false}} + warn condition = ${if isip {$sender_helo_name}} log_message = remote host used IP address in HELO/EHLO greeting set acl_c_scr = ${eval:$acl_c_scr+20} @@ -451,9 +452,9 @@ check_helo: # if rDNS does not match helo name (both lower cased first), greylist. warn !hosts = +debianhosts - condition = ${if eq {$host_lookup_failed}{1}{no}{yes}} - condition = ${if def:sender_helo_name {yes}{no}} - condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}} + condition = ${if !eq {$host_lookup_failed}{1}} + condition = ${if def:sender_helo_name} + condition = ${if !eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}} log_message = HELO doesn't match rDNS set acl_c_scr = ${eval:$acl_c_scr+8} @@ -478,7 +479,7 @@ check_helo: # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly # naive test, so it's not worth much - warn condition = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}} + warn condition = ${if !match {${lc:$sender_helo_name}}{smtp}} condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}} condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}} log_message = random HELO @@ -509,7 +510,7 @@ check_submission: defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count message = Too many bad recipients, try again later - condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} + condition = ${if > {${eval:$rcpt_fail_count}}{3}} defer ratelimit = 5 / 60m / per_rcpt / $sender_host_address @@ -545,7 +546,7 @@ check_recipient: condition = ${if eq{$acl_m_prf}{}} set acl_m_prf = $acl_m_rprf - defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}} + defer condition = ${if !eq{$acl_m_prf}{$acl_m_rprf}} message = Different profile, please retry log_message = Only one profile at a time, please @@ -556,13 +557,13 @@ check_recipient: !acl = acl_spamlovers message = Too many bad recipients, try again later !hosts = +debianhosts - condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} + condition = ${if > {${eval:$rcpt_fail_count}}{3}} # Dump spambots that are so stupid they say helo as our IP address drop !hosts = +debianhosts !acl = acl_spamlovers - condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}} + condition = ${if eq {$sender_helo_name}{$interface_address}} message = HELO mismatch Forged HELO for ($sender_helo_name) # Also for spambots that say helo as us or one of our domains @@ -584,16 +585,16 @@ check_recipient: defer !hosts = +debianhosts !acl = acl_spamlovers - condition = ${if eq{$acl_m_frg}{}{no}{yes}} - condition = ${if eq{$sender_host_name}{}{yes}{no}} - condition = ${if eq{$host_lookup_failed}{1}{no}{yes}} + condition = ${if !eq{$acl_m_frg}{}} + condition = ${if eq{$sender_host_name}{}} + condition = ${if !eq{$host_lookup_failed}{1}} message = Access temporarily denied. Resolve failed PTR for $sender_host_address # If DNS works, go ahead and reject them drop !hosts = +debianhosts !acl = acl_spamlovers - condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}} + condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}} message = HELO mismatch Forged HELO for ($sender_helo_name) # disabled accounts don't even get local mail. @@ -635,8 +636,8 @@ check_recipient: hosts = !+debianhosts message = mail from <$sender_address> not allowed externally - deny condition = ${if match_domain{$sender_address_domain}{+virtual_domains}{1}{0}} - condition = ${if exists {${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{1}{0}} + deny condition = ${if match_domain{$sender_address_domain}{+virtual_domains}} + condition = ${if exists {${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}} condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}} message = no mail should ever come from <$sender_address> @@ -649,26 +650,19 @@ check_recipient: message = X-Packages-FromTo-Same: yes <%- end -%> - deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + deny condition = ${if !eq {$acl_m_prf}{PopconMail}} !verify = sender defer !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} condition = ${if >{${eval:$acl_c_scr+0}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%- if has_variable?("policydweight") && @policydweight -%> - # Check with policyd-weight - this only works with a version after etch's, - # sadly. etch's version attempts to hold the socket open, since that's what - # postfix expects. Exim, on the other hand, expects the remote side to close - # the socket when it's finished sending data, so it see each transaction as - # an incomplete read. I'm sure there's a way we could force Exim to do - # something sick and clever to force either the interpretation or the socket - # closure, but I'm fairly sure it's now worth it, since the backport of - # policyd-weight is trivial. + # Check with policyd-weight warn !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\ {request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -686,39 +680,39 @@ check_recipient: # Defer on socket error defer !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} + condition = ${if eq{$acl_m_pw}{socket failure}} message = Cannot connect to policyd-weight. Please try again later. # Set proposed action to $acl_m_act and message to $acl_m_mes warn !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} set acl_m_mes = ${extract{action}{$acl_m_pw}} set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}} # Add X-policyd-weight header line to message warn !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} message = $acl_m_mes - condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}} + condition = ${if eq{$acl_m_act}{PREPEND}} # Write log message, if policyd-weight can't run checks warn !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} log_message = policyd-weight message: $acl_m_mes - condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}} + condition = ${if eq{$acl_m_act}{DUNNO}} # Deny mails which policyd-weight thinks are spam deny !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} message = policyd-weight said: $acl_m_mes - condition = ${if eq{$acl_m_act}{550}{yes}{no}} + condition = ${if eq{$acl_m_act}{550}} # Defer messages when policyd-weight suggests so. defer !hosts = +debianhosts - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} message = policyd-weight said: $acl_m_mes - condition = ${if eq{$acl_m_act}{450}{yes}{no}} + condition = ${if eq{$acl_m_act}{450}} <%- end -%> <%- if @is_rtmaster -%> @@ -744,7 +738,7 @@ check_recipient: {/etc/greylistd/whitelist-hosts}{}} : \ ${if exists {/var/lib/greylistd/whitelist-hosts}\ {/var/lib/greylistd/whitelist-hosts}{}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains condition = ${readsocket{/var/run/greylistd/socket}\ @@ -760,15 +754,15 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} - condition = ${if def:acl_m_grey {no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} + condition = ${if ! def:acl_m_grey} set acl_m_grey = $pid.$tod_epoch.$sender_host_port # and defers the message if postgrey thinks it should be defered ... defer !senders = : !hosts = : +debianhosts : WHITELIST - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS @@ -797,7 +791,7 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS @@ -870,24 +864,24 @@ acl_check_mime: accept verify = certificate accept hosts = +debianhosts - discard condition = ${if <{$message_size}{256000}} + discard condition = ${if <{$message_size}{MAX_SCAN_SIZE}} condition = ${if eq {$acl_m_prf}{blackhole}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} log_message = discarded surbl message for $recipients - deny condition = ${if <{$message_size}{256000}} - condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + deny condition = ${if <{$message_size}{MAX_SCAN_SIZE}} + condition = ${if !eq {$acl_m_prf}{markup}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} log_message = $acl_m_srb message = $acl_m_srb - warn condition = ${if <{$message_size}{256000}} + warn condition = ${if <{$message_size}{MAX_SCAN_SIZE}} condition = ${if eq {$acl_m_prf}{markup}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} message = X-Surbl-Hit: $primary_hostname: $acl_m_srb accept @@ -918,7 +912,7 @@ check_message: <%- if @is_packagesqamaster -%> deny !hosts = +debianhosts condition = ${if eq {$acl_m_prf}{PTSMail}} - condition = ${if def:h_X-PTS-Approved:{false}{true}} + condition = ${if !def:h_X-PTS-Approved:} message = messages to the PTS require an X-PTS-Approved header <%- end -%> @@ -935,7 +929,7 @@ check_message: accept verify = certificate accept hosts = +debianhosts - deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + deny condition = ${if !eq {$acl_m_prf}{PopconMail}} !verify = header_syntax message = Invalid header syntax: $acl_verify_message @@ -946,13 +940,13 @@ check_message: condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\ {match {$rh_To:}{[\200-\377]}}\ {match {$rh_From:}{[\200-\377]}}\ - {match {$rh_Cc:}{[\200-\377]}}}{true}{false}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + {match {$rh_Cc:}{[\200-\377]}}}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} message = improper use of 8-bit data in message header: message rejected deny - condition = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + condition = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} message = Your mailer is not RFC 2047 compliant: message rejected <%- if has_variable?("clamd") && @clamd -%> @@ -963,8 +957,8 @@ check_message: malware = */defer_ok log_message = discarded malware message for $recipients - deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + deny condition = ${if !eq {$acl_m_prf}{markup}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} <%- if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 -%> demime = * <%- end -%> @@ -980,29 +974,29 @@ check_message: <%- end -%> <%- if @heavy -%> - discard condition = ${if <{$message_size}{256000}} + discard condition = ${if <{$message_size}{MAX_SCAN_SIZE}} condition = ${if eq {$acl_m_prf}{blackhole}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} log_message = discarded surbl message for $recipients - deny condition = ${if <{$message_size}{256000}} - condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} - condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + deny condition = ${if <{$message_size}{MAX_SCAN_SIZE}} + condition = ${if !eq {$acl_m_prf}{markup}} + condition = ${if !eq {$acl_m_prf}{PopconMail}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} log_message = $acl_m_srb message = $acl_m_srb - warn condition = ${if <{$message_size}{256000}} + warn condition = ${if <{$message_size}{MAX_SCAN_SIZE}} condition = ${if eq {$acl_m_prf}{markup}} set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + condition = ${if !eq{$acl_m_srb}{false}} message = X-Surbl-Hit: $primary_hostname: $acl_m_srb <%- end -%> # Check header_sender except for survey@popcon.d.o - deny condition = ${if eq{$acl_m_prf}{PopconMail}{false}{true}} + deny condition = ${if !eq{$acl_m_prf}{PopconMail}} !verify = header_sender message = No valid sender found in the From:, Sender: and Reply-to: headers @@ -1013,7 +1007,7 @@ check_message: !authenticated = * !verify = certificate !hosts = +debianhosts - condition = ${if <{$message_size}{256000}} + condition = ${if <{$message_size}{MAX_SCAN_SIZE}} spam = pkg_user : true condition = ${if >{$spam_score_int}{59}} @@ -1369,7 +1363,7 @@ rt_otherwise: <%- end -%> # Exim fails the router if it can't change to the user/group for delivery -# during verification. So we have to seperate the cases of verifying +# during verification. So we have to separate the cases of verifying # the virts, and delivering to them. blah. virt_direct_verify: @@ -1454,17 +1448,13 @@ virt_users: local_part_suffix_optional retry_use_local_part -<%= -out = "" -if @is_bugsmx - domain = 'bugs.debian.org' - out = ' +<%- if @is_bugsmx -%> # This router delivers for bugs.d.o bugs: debug_print = "R: bugs for $local_part@$domain" driver = accept transport = bugs_pipe - domains = ' + domain + ' + domains = bugs.debian.org cannot_route_message = Unknown or archived bug require_files = /srv/bugs.debian.org/mail/run-procmail no_more @@ -1473,10 +1463,7 @@ bugs: {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|help|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ {${if exists{/srv/bugs.debian.org/spool/db-h/$2/$1$2.summary}\ {$local_part}fail}}fail} -' -end -out -%> +<%- end -%> ###################################################################### # TRANSPORTS CONFIGURATION # ######################################################################