X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=5d154af16f59f914df97f1e99e87208eb616e26a;hb=bef12474e235e96c8e79a1a8453f74ef5247f535;hp=87424134f91efaf7a87abf84be228d3f046c49fe;hpb=5db7697b8faf7de29fff5e2ea3e0a8f378a96bb3;p=mirror%2Fdsa-puppet.git

diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 87424134f..5d154af16 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -35,6 +35,7 @@
 #           us. This is primarily only usefull for emergancy 'queue
 #           flushing' operations, but should be populated with a list
 #           of trusted machines. Wildcards are not permitted
+#  bsmtp_domains - Domains that we deliver locally via bsmtp
 <%=
 out = ""
 if nodeinfo['mailrelay']
@@ -131,10 +132,14 @@ domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains
 
 domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}}
 
-domainlist handled_domains = +local_domains : +virtual_domains
+domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}}
+
+domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains
 
 localpartlist local_only_users = lsearch;/etc/exim4/localusers
 
+localpartlist postmasterish = postmaster : abuse : hostmaster : root
+
 # Domains we relay for; that is domains that aren't considered local but we 
 # accept mail for them.
 domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
@@ -198,12 +203,13 @@ smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}
 smtp_accept_max = 300
 smtp_accept_queue = 200
 smtp_accept_queue_per_connection = 50
+smtp_accept_reserve = 25
 <% else %>
 smtp_accept_max = 30
 smtp_accept_queue = 20
 smtp_accept_queue_per_connection = 10
+smtp_accept_reserve = 5
 <% end %>
-smtp_accept_reserve = 25
 smtp_reserve_hosts = +debianhosts
 
 split_spool_directory = true
@@ -364,6 +370,34 @@ out
 
   accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
 
+  warn    domains        = +virtual_domains
+          condition      = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+          condition      = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}}
+          log_message    = $local_part@$domain: markup
+          set acl_m_rprf = markup
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    condition      = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}}
+          log_message    = $local_part@$domain: markup
+          set acl_m_rprf = markup
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    condition      = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}}
+          log_message    = $local_part@$domain: blackhole
+          set acl_m_rprf = blackhole
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
+  warn    domains        = +virtual_domains
+          condition      = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}}
+          condition      = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}}
+          log_message    = $local_part@$domain: blackhole
+          set acl_m_rprf = blackhole
+
+  accept  condition      = ${if eq {$acl_m_rprf}{}{no}{yes}}
+
   warn    set acl_m_rprf = normal
 
   accept
@@ -637,7 +671,7 @@ out
           !verify        = sender
 
   defer   !hosts         = +debianhosts
-          condition      = ${if >{${eval:$acl_c_scr}}{0}}
+          condition      = ${if >{${eval:$acl_c_scr+0}}{0}}
           ratelimit      = 10 / 60m / per_rcpt / $sender_host_address
           message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
 <%=
@@ -786,9 +820,13 @@ end
 out
 %>
 
-  accept  local_parts   = postmaster
+  accept  local_parts   = +postmasterish
           domains       = +handled_domains : +rcpthosts
 
+  deny    hosts        = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}}
+          message      = I'm terribly sorry, but it seems you have been blacklisted
+          log_message  = blacklisted IP
+
   deny   log_message   = <$sender_address> is blacklisted
          senders       = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
          message       = We have blacklisted <$sender_address>.  Please stop mailing us
@@ -854,6 +892,20 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
 out='
 acl_check_mime:
 
+ discard condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{blackhole}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         log_message   = discarded surbl message for $recipients
+
+  warn   condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{markup}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         message       = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+  accept condition     = ${if eq {$acl_m_prf}{markup}}
+
   deny   condition     = ${if <{$message_size}{256000}}
          set acl_m_srb = ${perl{surblspamcheck}}
          condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
@@ -867,7 +919,7 @@ out
 %>
 
 acl_check_predata:
-  deny   condition     = ${if eq{$acl_m_lcl}{localonly}}
+  deny   condition     = ${if eq{$acl_m_prf}{localonly}}
          message       = mail for $acl_m_lrc is only accepted internally
 
   accept
@@ -875,9 +927,6 @@ acl_check_predata:
 
 #!!# ACL that is used after the DATA command
 check_message:
-  require verify = header_syntax
-          message = Invalid syntax in the header
-
 <%=
 out=''
 if nodeinfo['rtmaster']
@@ -903,9 +952,6 @@ if nodeinfo['packagesqamaster']
 end
 out
 %>
-  deny    condition      = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}}
-          message        = Blackisted URI found in body
-
   deny    condition      = ${if eq {$acl_m_prf}{DBSignedMail}}
           condition      = ${if and {{!match {$message_body}{PGP MESSAGE}}              \
                                      {!match {$message_body}{PGP SIGNED MESSAGE}}       \
@@ -916,6 +962,11 @@ out
                             }
           message        = Mail to this address needs to be PGP-signed
 
+  accept verify  = certificate
+
+  require verify = header_syntax
+          message = Invalid syntax in the header
+
 # RFC 822 and 2822 say that headers must be ASCII.  This kinda emulates
 # postfix's strict_7bit_headers option, but only checks a few common problem
 # headers, as there doesn't appear to be an easy way to check them all.
@@ -934,10 +985,20 @@ out
 out = ""
 if has_variable?("clamd") && clamd == "true"
 out = '
-  deny    
+  discard condition       = ${if eq {$acl_m_prf}{blackhole}}
+          demime          = *
+          malware         = */defer_ok
+          log_message     = discarded malware message for $recipients
+
+  deny    condition       = ${if eq {$acl_m_prf}{markup}{no}{yes}}
   	  demime          = *
           malware         = */defer_ok
           message         = malware detected: $malware_name: message rejected
+
+  warn    condition       = ${if eq {$acl_m_prf}{markup}}
+  	  demime          = *
+          malware         = */defer_ok
+          message         = X-malware detected: $malware_name
 '
 end
 out
@@ -946,6 +1007,20 @@ out
 out=''
 if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
 out='
+ discard condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{blackhole}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         log_message   = discarded surbl message for $recipients
+
+  warn   condition     = ${if <{$message_size}{256000}}
+         condition     = ${if eq {$acl_m_prf}{markup}}
+         set acl_m_srb = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
+         message       = X-Surbl-Hit: $primary_hostname: $acl_m_srb
+
+  accept condition     = ${if eq {$acl_m_prf}{markup}}
+
   deny   condition     = ${if <{$message_size}{256000}}
          set acl_m_srb = ${perl{surblspamcheck}}
          condition     = ${if eq{$acl_m_srb}{false}{no}{yes}}
@@ -1032,7 +1107,7 @@ out
 bsmtp:
   debug_print = "R: bsmtp for $local_part@$domain"
   driver = manualroute
-  domains = !+local_domains
+  domains = +bsmtp_domains
   require_files = /etc/exim4/bsmtp
   route_list = * ${extract{file}{\
                    ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
@@ -1077,6 +1152,17 @@ dnslookup:
   ignore_target_hosts = +reservedaddrs
   no_more
 
+postmasterish:
+  debug_print = "R: postmasterish for $local_part@$domain"
+  driver = redirect
+  verify = false
+  unseen = true
+  expn = true
+  local_parts = +postmasterish
+  domains = +handled_domains
+  data = debian-admin@debian.org
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+
 # This router handles aliasing using a traditional /etc/aliases file.
 # If any of your aliases expand to pipes or files, you will need to set
 # up a user and a group for these deliveries to run under. You can do