X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=5d4af665bfbcc8ff44fd3f352b9f93c8c504203a;hb=f5b39e0c787ebdbc2ecc7a920b681a30f6b4193e;hp=7b47197d12fa3e350b5f27682397ac11291c978e;hpb=9230a47dd4914d7701adc87d0b2ea2377c09a23c;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 7b47197d1..5d4af665b 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -121,8 +121,6 @@ allow_domain_literals = true
 # Other domain and host lists may follow.
 # @ is the local FQDN, @[] matches the IP adress of any local interface.
-.include_if_exists /etc/exim4/local-settings.conf
-
 domainlist local_domains = @ : \
 @[] : \
 localhost : \
@@ -414,8 +412,12 @@ end
 out
 %>
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
 # These are in HELO acl so that they are only run once. They increment a counter,
- # so we don't want it to increment per rcpt to.
+ # so we don\'t want it to increment per rcpt to.
 warn dnslists = list.dnswl.org&0.0.0.3
 log_message = Hit on list.dnswl.org for $sender_host_address
@@ -450,7 +452,7 @@ out
 dnslists = dul.dnsbl.sorbs.net
 set acl_c_scr = ${eval:$acl_c_scr+15}
- # If the sender's helo name is empty, the message will be rejected later
+ # If the sender\'s helo name is empty, the message will be rejected later
 # because the helo is empty. If the rDNS lookup failed, we are already
 # going to greylist them, so no sense worrying about it here. Finally,
 # if rDNS does not match helo name (both lower cased first), greylist.
@@ -459,7 +461,7 @@ out
 condition = ${if eq {$host_lookup_failed}{1}{no}{yes}}
 condition = ${if def:sender_helo_name {yes}{no}}
 condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}}
- log_message = HELO doesn't match rDNS
+ log_message = HELO doesn\'t match rDNS
 set acl_c_scr = ${eval:$acl_c_scr+8}
 # Regexes of doom
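Review bot: The HELO/DNSBL scoring wrapped by the new `<%= … if nodeinfo['smarthost'].empty?` block (and, in the hunks at 842–892, the RBL deny and the sender-callout deny) is now emitted only on hosts without a smarthost, so a smarthost-configured host that still accepts inbound SMTP from the internet loses those checks entirely; the template should state that assumption, e.g. `# hosts that relay via a smarthost are assumed not to take mail from the internet, so the DNSBL scoring and RBL/callout denies are skipped`. Because the ACL text is now inside a single-quoted Ruby string, every apostrophe in it must be written `\'` (the reason for the churn in the hunks at 450–482) while `\N` and `\.` survive only because single quotes leave other backslashes alone — worth a one-line comment after `out = '` so the next editor does not break the regexes. A plain `<% if nodeinfo['smarthost'].empty? %> … <% end %>` pair would have avoided the escaping altogether, although the `<%= out = "" … out %>` form does match the surrounding file. Whether `nodeinfo['smarthost']` can be nil (where `.empty?` would raise) is not visible here; the pre-existing `+ nodeinfo['smarthost'] +` at 1149 suggests it is always a string.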
@@ -480,14 +482,18 @@ out
 set acl_c_scr = ${eval:$acl_c_scr+7}
 # Random HELO (run of 7 consonants) (constructed by viruses). We purposefully
- # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly
- # naive test, so it's not worth much
+ # skip matching on machines named .*smtp.*, since that\'s 4 already. This is a fairly
+ # naive test, so it\'s not worth much
 warn condition = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}}
 condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}}
 condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}
 log_message = random HELO
 set acl_c_scr = ${eval:$acl_c_scr+5}
+'
+end
+out
+%>
 # Implicit, but simpler to just say it
 accept
@@ -556,10 +562,18 @@ end
 out
 %>
+ warn acl = acl_getprofile
+ condition = ${if eq{$acl_m_prf}{}}
+ set acl_m_prf = $acl_m_rprf
+
+ defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
+ log_message = Only one profile at a time, please
+
 # Defer after too many bad RCPT TO's. Legit MTAs will retry later.
 # This is a rough pass at preventing addres harvesting or other mail blasts.
 defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 message = Too many bad recipients, try again later
 !hosts = +debianhosts
 condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
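Review bot: The PopconMail exemption added to the bad-recipient `defer` (and repeated in the hunks at 567, 587, 595 and 671) rests entirely on how `acl_getprofile` fills `$acl_m_rprf`, which is outside this diff; if the profile is derived from the recipient address alone, any external sender obtains the exemption simply by addressing a PopconMail recipient, so the lookup should also be bound to `hosts` or sender verification — please confirm. The test `${if eq {$acl_m_prf}{PopconMail}{no}{yes}}` is now copied verbatim into seven statements; an Exim macro in the main section, e.g. `NOT_POPCON = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}` used as `condition = NOT_POPCON`, would keep them from drifting apart. Moving the `acl_getprofile` block up also means the `Only one profile at a time` defer now fires before the bad-recipient count is examined; a comment such as `# profile must be known before the PopconMail exemptions below` would explain the new position. The bad-recipient `defer` statement may continue past the last line of this hunk.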
@@ -567,12 +581,14 @@ out
 # Dump spambots that are so stupid they say helo as our IP address
 drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
 message = HELO mismatch Forged HELO for ($sender_helo_name)
 # Also for spambots that say helo as us or one of our domains
 drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
 condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
 message = HELO mismatch Forged HELO for ($sender_helo_name)
@@ -587,6 +603,7 @@ out
 # say helo as a name in the list but we can't look them up
 defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 condition = ${if eq{$acl_m_frg}{}{no}{yes}}
 condition = ${if eq{$sender_host_name}{}{yes}{no}}
 condition = ${if eq{$host_lookup_failed}{1}{no}{yes}}
@@ -595,6 +612,7 @@ out
 # If DNS works, go ahead and reject them
 drop !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}}
 message = HELO mismatch Forged HELO for ($sender_helo_name)
@@ -635,13 +653,6 @@ out
 condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
 message = no mail should ever come from <$sender_address>
- warn acl = acl_getprofile
- condition = ${if eq{$acl_m_prf}{}}
- set acl_m_prf = $acl_m_rprf
-
- defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}}
- log_message = Only one profile at a time, please
-
 warn condition = ${if eq{$acl_m_prf}{localonly}}
 set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
@@ -671,6 +682,7 @@ out
 !verify = sender
 defer !hosts = +debianhosts
+ condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
 condition = ${if >{${eval:$acl_c_scr+0}}{0}}
 ratelimit = 10 / 60m / per_rcpt / $sender_host_address
 message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
@@ -842,6 +854,10 @@ out
 senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
 message = We have blacklisted <$sender_address>. Please stop mailing us
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
 deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
 dnslists = ${if match_domain{$domain}{+virtual_domains}\
 {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
@@ -850,6 +866,10 @@ out
 ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}}
 domains = +handled_domains : +rcpthosts
 !hosts = +debianhosts : WHITELIST
+'
+end
+out
+%>
 deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
 dnslists = ${if match_domain{$domain}{+virtual_domains}\
@@ -860,6 +880,10 @@ out
 domains = +handled_domains : +rcpthosts
 !hosts = +debianhosts : WHITELIST
+<%=
+out = ""
+if nodeinfo['smarthost'].empty?
+ out = '
 deny domains = +handled_domains : +rcpthosts
 local_parts = ${if match_domain{$domain}{+virtual_domains}\
 {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
@@ -868,6 +892,10 @@ out
 ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}}
 !hosts = +debianhosts : WHITELIST
 !verify = sender/callout
+'
+end
+out
+%>
 <%=
 out = ""
@@ -975,8 +1003,8 @@ out
 accept verify = certificate
- require verify = header_syntax
- condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}}
+ !verify = header_syntax
 message = Invalid syntax in the header
 # RFC 822 and 2822 say that headers must be ASCII. This kinda emulates
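Review bot: The `require` → `deny` rewrite in the hunk at 975 depends on a subtlety of Exim verbs that the new lines do not explain: in a `require` statement a false `condition` also denies, so the old form rejected every PopconMail message with "Invalid syntax in the header", whereas `deny` simply does not apply when `condition` yields "no" and rejects only when `!verify = header_syntax` is then true. A comment above the new `deny` would keep someone from "simplifying" it back, e.g. `# deny/!verify rather than require: a false condition in a require also denies, which rejected all PopconMail mail`. The `message = Invalid syntax in the header` context line is now the deny response, so it should remain phrased for the rejected sender rather than for the log.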
@@ -1149,7 +1177,11 @@ smarthost:
 driver = manualroute
 domains = !+handled_domains
 transport = remote_smtp_smarthost
- route_list = * ' + nodeinfo['smarthost'] + '
+ route_list = * ' + nodeinfo['smarthost']
+if nodeinfo['smarthost'] == 'mailout.debian.org'
+ out += '/MX'
+end
+out += '
 host_find_failed = defer
 same_domain_copy_routing = yes
 no_more
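Review bot: The `/MX` suffix on `route_list` is chosen by comparing `nodeinfo['smarthost']` against the literal `'mailout.debian.org'` inside the template, so any other smarthost that should be resolved via MX, or a renamed mailout, needs a template edit instead of a node-data change; a per-node boolean in nodeinfo (placeholder name `smarthost_mx`) tested here would keep the router generic. The comparison is also exact, so a value differing in case or carrying a trailing dot silently falls back to address-record routing with no warning. The `out = '` assignment this hunk continues begins outside the hunk: the first added line now terminates that Ruby statement, and `out += '` resumes the config text, which a short comment such as `# close the string so the /MX flag can be appended conditionally` would make clear.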