X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=46f624e60efaec77ab2aea5896194bbc03673021;hb=489c57a538241de27243d5a3bc2413c559d73022;hp=5cf1322ad6657c55c5c2ec0ae5efd1396c368642;hpb=60992035029ddcd7bb911fe41fdc9025b4aec4c6;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 5cf1322ad..46f624e60 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -84,6 +84,16 @@ out # MAIN CONFIGURATION SETTINGS # ###################################################################### +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? + out = " +perl_startup = do '/etc/exim4/exim_surbl.pl' +" +end +out +%> + # These options specify the Access Control Lists (ACLs) that # are used for incoming SMTP messages - after the RCPT and DATA # commands, respectively. @@ -91,6 +101,14 @@ out acl_smtp_helo = check_helo acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}} acl_smtp_data = check_message +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? + out = "acl_smtp_mime = acl_check_mime" +end +out +%> +acl_smtp_predata = acl_check_predata # accept domain literal syntax in e-mail addresses. To actually make use of # this a router is also required @@ -263,6 +281,13 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map ###################################################################### begin acl +acl_localonly: + accept local_parts = +local_only_users + domains = +local_domains + hosts = !+debianhosts + + deny + check_helo: warn set acl_c1 = 0 
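Review bot: In the `@@ -84,6 +84,16 @@` hunk, `perl_startup = do '/etc/exim4/exim_surbl.pl'` loads that file into Exim's embedded Perl interpreter, but nothing in this diff shows where the file is deployed or with what ownership. It should be shipped by the same module, root-owned and not group- or world-writable, because anyone who can write it runs code inside the mail daemon. `do` also returns quietly when the file is missing or does not compile, so the problem would only surface later when `${perl{surblspamcheck}}` is expanded. Something like `perl_startup = do '/etc/exim4/exim_surbl.pl' or die "cannot load exim_surbl.pl"` would make it visible at interpreter start.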
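Review bot: In the `@@ -263,6 +281,13 @@` hunk, `acl_localonly` is missing a comment saying that it is a predicate rather than a policy. Its `accept` means "this recipient is restricted and the client is external", which reads inverted at first sight and invites a later "tightening" that would break the callers. I would add above it: `# Predicate only: accept = recipient is a local-only user AND the client is not a Debian host; called via acl = / !acl = from check_recipient`.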
@@ -496,14 +521,34 @@ out condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}} message = no mail should ever come from <$sender_address> - deny local_parts = +local_only_users - domains = +local_domains - hosts = !+debianhosts - message = mail for $local_part is only accepted internally + warn condition = ${if eq{$acl_m6}{}} + acl = acl_localonly + set acl_m6 = localonly + set acl_m7 = ${if eq{$acl_m7}{}{$local_part@$domain}{$acl_m7, $local_part@$domain}} + + warn condition = ${if eq{$acl_m6}{}} + !acl = acl_localonly + set acl_m6 = normal + + defer condition = ${if eq{$acl_m6}{localonly}} + !acl = acl_localonly + log_message = Only one profile at a time, please + defer condition = ${if eq{$acl_m6}{normal}} + acl = acl_localonly + log_message = Only one profile at a time, please + +<%= +out='' +if 0 == 1: +out=' deny message = address $sender_host_address is listed in $dnslist_domain; $dnslist_text hosts = !+debianhosts dnslists = rbl.debian.net : rbl.debian.net/$sender_address_domain +' +end +out +%> deny !recipients = survey@popcon.debian.org !verify = sender @@ -512,7 +557,6 @@ out condition = ${if >{${eval:$acl_c1}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) - <%= out = "" if has_variable?("policydweight") && policydweight == "true" @@ -583,14 +627,14 @@ if nodeinfo['rtmaster'] out=' warn domains = rt.debian.org set acl_m1 = RTMail - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}} + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} ' end out %> <%= out='' -if nodeinfo['packagesmaster'] +if nodeinfo['packagesqamaster'] out=' warn domains = packages.qa.debian.org set acl_m1 = PTSMail 
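Review bot: In the `@@ -496,14 +521,34 @@` hunk, wrapping the `rbl.debian.net` deny in `if 0 == 1:` silently switches that DNSBL check off on every host, and the trailing colon is the Ruby 1.8 `then` shorthand that later Ruby versions reject as a syntax error. If the check is meant to go, delete the stanza (or gate it on a nodeinfo key as the other blocks do) and say why in the commit message. Separately, `set acl_m7` sits under `condition = ${if eq{$acl_m6}{}}`, so it runs only for the first recipient and the `{$acl_m7, $local_part@$domain}` append branch is never reached; the rejection text in `acl_check_predata` will name only the first local-only address. Moving the `acl_m7` update into its own `warn acl = acl_localonly` statement without the `acl_m6` condition would fix that.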
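Review bot: In the `@@ -583,14 +627,14 @@` hunk, the two rewritten `match` patterns are still unanchored, so any local part that merely contains `x+<digit>` or `x+new` sets `RTMailRecipientHasSubaddress`, which the check_message rule later accepts in place of a subject tag. If the intent is exactly "queue+ticketnumber" or "queue+new" (an assumption, the diff does not say), anchor them: `\N^[^+]+\+\d+$\N` and `\N^[^+]+\+new$\N`. The `\N` quoting itself looks right inside the single-quoted Ruby string.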
@@ -746,6 +790,31 @@ out deny message = relay not permitted +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? +out=' +acl_check_mime: + + deny condition = ${if <{$message_size}{256000}} + set acl_m5 = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m5}{false}{no}{yes}} + log_message = $acl_m5 + message = $acl_m5 + + accept +' +end +out +%> + +acl_check_predata: + deny condition = ${if eq{$acl_m6}{localonly}} + message = mail for $acl_m7 is only accepted internally + + accept + + #!!# ACL that is used after the DATA command check_message: require verify = header_syntax @@ -757,7 +826,7 @@ if nodeinfo['rtmaster'] out=' deny condition = ${if eq {$acl_m1}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ - {!match {${lc:$rh_Subject:]}} {\\[rt.debian.org }} \ + {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}} message = messages to the Request Tracker system require a subject tag or a subaddress ' @@ -766,7 +835,7 @@ out %> <%= out='' -if nodeinfo['packagesmaster'] +if nodeinfo['packagesqamaster'] out=' deny !hosts = +debianhosts : 217.196.43.134 condition = ${if eq {$acl_m1}{PTSMail}} @@ -824,6 +893,18 @@ out {${lookup{$local_part@$domain}nwildlsearch{/etc/exim4/sa_users}{$local_part}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/sa_users}{$local_part}{}}}}}} +<%= +out='' +if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? +out=' + deny condition = ${if <{$message_size}{256000}} + set acl_m5 = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m5}{false}{no}{yes}} + log_message = $acl_m5 +' +end +out +%> # Check header_sender except for survey@popcon.d.o deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}} !verify = header_sender
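Review bot: In the `@@ -746,6 +790,31 @@` hunk, `acl_check_mime` has no handling for `${perl{surblspamcheck}}` failing to expand (script not loaded, a Perl `die`, trouble inside the script). As far as I can tell, an expansion failure in a `set` makes the ACL defer, so every message under 256000 bytes would be temp-failed on heavy_exim hosts; please confirm that behaviour and decide whether the check should fail open. The size cutoff also means messages of 256000 bytes or more are never URL-checked, which deserves a comment such as `# messages >= 256000 bytes are deliberately not scanned (cost)` so it reads as a decision rather than an oversight.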
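Review bot: In the `@@ -757,7 +826,7 @@` hunk, the rewritten line keeps what looks like a stray `]` in `${lc:$rh_Subject:]}` and leaves the dots in `rt.debian.org` unescaped, so the pattern matches more than the literal tag. Since the line is being touched anyway, I would write `{!match {${lc:$rh_Subject:}} {\N\[rt\.debian\.org \N}} \`. The enclosing `deny` statement starts and ends outside the changed line.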
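Review bot: In the `@@ -824,6 +893,18 @@` hunk, this stanza repeats the SURBL check already wired into `acl_check_mime`, so on heavy_exim hosts the Perl routine and its lookups appear to run once per MIME part and again at DATA time. The two copies also differ: the MIME one sets `message = $acl_m5` and returns the script's text to the remote client, while this one only logs it. Unless both stages are needed, keep a single copy. If both stay, add a comment on each explaining why, and make the client-facing text consistent.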