X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=6dd0a376c935b9289e036bcd9a88b9badb5e7625;hb=09f53cc3299c6699be7959e6aff131d0034d97f8;hp=bbd5ef17ac5e45a87e7dae4d6f573a83d2e209f5;hpb=da2ecce802c0e374b251464986f65bc26350f9be;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index bbd5ef17a..6dd0a376c 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -27,10 +27,6 @@ # is much like a local domain, execpt that the delivery location # and allowed set of users is controlled by a virtual domain # alias file and not /etc/passwd. Wildcards are permitted -# rcpthosts - recipient hosts or relay domains. This is a list of -# all hosts that we mail exchange for. All domains that list -# this host in their MX records should be listed here. Wildcards -# are permitted. # relayhosts - Hostnames that can send any arbitarily addressed mail to # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list @@ -121,8 +117,6 @@ allow_domain_literals = true # Other domain and host lists may follow. # @ is the local FQDN, @[] matches the IP adress of any local interface. -.include_if_exists /etc/exim4/local-settings.conf - domainlist local_domains = @ : \ @[] : \ localhost : \ @@ -142,7 +136,6 @@ localpartlist postmasterish = postmaster : abuse : hostmaster : root # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. -domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts <%= out = "" @@ -203,12 +196,13 @@ smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0} smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 +smtp_accept_reserve = 25 <% else %> smtp_accept_max = 30 smtp_accept_queue = 20 smtp_accept_queue_per_connection = 10 +smtp_accept_reserve = 5 <% end %> -smtp_accept_reserve = 25 smtp_reserve_hosts = +debianhosts split_spool_directory = true @@ -220,7 +214,8 @@ delay_warning = <% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 -queue_only_load = 15 +queue_only_load = 35 +smtp_load_reserve = 20 <% else %> queue_run_max = 5 deliver_queue_load_max = 10 @@ -240,7 +235,7 @@ ports = [] out = "daemon_smtp_ports = " ports << 25 -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] ports << 587 end @@ -413,8 +408,11 @@ end out %> +<%= +if nodeinfo['smarthost'].empty? + out = ' # These are in HELO acl so that they are only run once. They increment a counter, - # so we don't want it to increment per rcpt to. + # so we don\'t want it to increment per rcpt to. warn dnslists = list.dnswl.org&0.0.0.3 log_message = Hit on list.dnswl.org for $sender_host_address @@ -449,7 +447,7 @@ out dnslists = dul.dnsbl.sorbs.net set acl_c_scr = ${eval:$acl_c_scr+15} - # If the sender's helo name is empty, the message will be rejected later + # If the sender\'s helo name is empty, the message will be rejected later # because the helo is empty. If the rDNS lookup failed, we are already # going to greylist them, so no sense worrying about it here. Finally, # if rDNS does not match helo name (both lower cased first), greylist. @@ -458,7 +456,7 @@ out condition = ${if eq {$host_lookup_failed}{1}{no}{yes}} condition = ${if def:sender_helo_name {yes}{no}} condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}} - log_message = HELO doesn't match rDNS + log_message = HELO doesn\'t match rDNS set acl_c_scr = ${eval:$acl_c_scr+8} # Regexes of doom @@ -479,14 +477,24 @@ out set acl_c_scr = ${eval:$acl_c_scr+7} # Random HELO (run of 7 consonants) (constructed by viruses). We purposefully - # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly - # naive test, so it's not worth much + # skip matching on machines named .*smtp.*, since that\'s 4 already. This is a fairly + # naive test, so it\'s not worth much warn condition = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}} condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}} condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}} log_message = random HELO set acl_c_scr = ${eval:$acl_c_scr+5} +' +else + out = ' + drop !hosts = +debianhosts + log_message = mail from non-d.o host + message = Interesting. I doubt that should have happened. +' +end +out +%> # Implicit, but simpler to just say it accept @@ -521,7 +529,6 @@ out accept domains = +local_domains hosts = +debianhosts endpass - message = unknown user verify = recipient <%= @@ -530,7 +537,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -539,7 +545,6 @@ out accept domains = +submission_domains endpass - message = unknown user verify = recipient deny message = relay not permitted @@ -555,10 +560,18 @@ end out %> + warn acl = acl_getprofile + condition = ${if eq{$acl_m_prf}{}} + set acl_m_prf = $acl_m_rprf + + defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}} + log_message = Only one profile at a time, please + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing addres harvesting or other mail blasts. defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = Too many bad recipients, try again later !hosts = +debianhosts condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} @@ -566,12 +579,14 @@ out # Dump spambots that are so stupid they say helo as our IP address drop !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}} message = HELO mismatch Forged HELO for ($sender_helo_name) # Also for spambots that say helo as us or one of our domains drop !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}} condition = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}} message = HELO mismatch Forged HELO for ($sender_helo_name) @@ -586,6 +601,7 @@ out # say helo as a name in the list but we can't look them up defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if eq{$acl_m_frg}{}{no}{yes}} condition = ${if eq{$sender_host_name}{}{yes}{no}} condition = ${if eq{$host_lookup_failed}{1}{no}{yes}} @@ -594,6 +610,7 @@ out # If DNS works, go ahead and reject them drop !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if and { {!eq{$acl_m_frg}{}}{!match{$sender_host_name}{${rxquote:$acl_m_frg}\N$\N}}}{yes}{no}} message = HELO mismatch Forged HELO for ($sender_helo_name) @@ -634,13 +651,6 @@ out condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}} message = no mail should ever come from <$sender_address> - warn acl = acl_getprofile - condition = ${if eq{$acl_m_prf}{}} - set acl_m_prf = $acl_m_rprf - - defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}} - log_message = Only one profile at a time, please - warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} @@ -670,6 +680,7 @@ out !verify = sender defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if >{${eval:$acl_c_scr+0}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) @@ -686,6 +697,7 @@ out = ' # closure, but I\'m fairly sure it\'s now worth it, since the backport of # policyd-weight is trivial. warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\ {request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -703,31 +715,37 @@ out = ' # Defer on socket error defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}} message = Cannot connect to policyd-weight. Please try again later. # Set proposed action to $acl_m_act and message to $acl_m_mes warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_mes = ${extract{action}{$acl_m_pw}} set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}} # Add X-policyd-weight header line to message warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = $acl_m_mes condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}} # Write log message, if policyd-weight can\'t run checks warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} log_message = policyd-weight message: $acl_m_mes condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}} # Deny mails which policyd-weight thinks are spam deny !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = policyd-weight said: $acl_m_mes condition = ${if eq{$acl_m_act}{550}{yes}{no}} # Defer messages when policyd-weight suggests so. defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = policyd-weight said: $acl_m_mes condition = ${if eq{$acl_m_act}{450}{yes}{no}} ' @@ -762,8 +780,9 @@ if has_variable?("greylistd") && greylistd == "true" {/etc/greylistd/whitelist-hosts}{}} : \ ${if exists {/var/lib/greylistd/whitelist-hosts}\ {/var/lib/greylistd/whitelist-hosts}{}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains condition = ${readsocket{/var/run/greylistd/socket}\ {--grey \ $sender_host_address \ @@ -778,6 +797,7 @@ elsif has_variable?("postgrey") && postgrey == "true" warn !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if def:acl_m_grey {no}{yes}} set acl_m_grey = $pid.$tod_epoch.$sender_host_port @@ -785,8 +805,9 @@ elsif has_variable?("postgrey") && postgrey == "true" defer !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -809,8 +830,9 @@ elsif has_variable?("postgrey") && postgrey == "true" warn !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}} @@ -820,7 +842,7 @@ out %> accept local_parts = +postmasterish - domains = +handled_domains : +rcpthosts + domains = +handled_domains deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} message = I'm terribly sorry, but it seems you have been blacklisted @@ -830,14 +852,22 @@ out senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}} message = We have blacklisted <$sender_address>. Please stop mailing us +<%= +out = "" +if nodeinfo['smarthost'].empty? + out = ' deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST +' +end +out +%> deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ @@ -845,17 +875,25 @@ out {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\ {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}} : \ ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST - deny domains = +handled_domains : +rcpthosts +<%= +out = "" +if nodeinfo['smarthost'].empty? + out = ' + deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}{$local_part}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/callout_users}{$local_part}{}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}} !hosts = +debianhosts : WHITELIST - !verify = sender/callout + !verify = sender/callout=90s,maxwait=300s +' +end +out +%> <%= out = "" @@ -863,7 +901,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -871,14 +908,8 @@ out %> accept domains = +handled_domains endpass - message = unknown user verify = recipient/defer_ok - accept domains = +rcpthosts - endpass - message = unrouteable address - verify = recipient - accept hosts = +debianhosts accept authenticated = * @@ -897,20 +928,20 @@ acl_check_mime: condition = ${if eq{$acl_m_srb}{false}{no}{yes}} log_message = discarded surbl message for $recipients - warn condition = ${if <{$message_size}{256000}} - condition = ${if eq {$acl_m_prf}{markup}} - set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} - message = X-Surbl-Hit: $primary_hostname: $acl_m_srb - - accept condition = ${if eq {$acl_m_prf}{markup}} - deny condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} log_message = $acl_m_srb message = $acl_m_srb + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + accept ' end @@ -918,7 +949,7 @@ out %> acl_check_predata: - deny condition = ${if eq{$acl_m_lcl}{localonly}} + deny condition = ${if eq{$acl_m_prf}{localonly}} message = mail for $acl_m_lrc is only accepted internally accept @@ -926,9 +957,6 @@ acl_check_predata: #!!# ACL that is used after the DATA command check_message: - require verify = header_syntax - message = Invalid syntax in the header - <%= out='' if nodeinfo['rtmaster'] @@ -964,6 +992,12 @@ out } message = Mail to this address needs to be PGP-signed + accept verify = certificate + + deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + !verify = header_syntax + message = Invalid syntax in the header + # RFC 822 and 2822 say that headers must be ASCII. This kinda emulates # postfix's strict_7bit_headers option, but only checks a few common problem # headers, as there doesn't appear to be an easy way to check them all. @@ -972,22 +1006,25 @@ out {match {$rh_To:}{[\200-\377]}}\ {match {$rh_From:}{[\200-\377]}}\ {match {$rh_Cc:}{[\200-\377]}}}{true}{false}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = improper use of 8-bit data in message header: message rejected deny condition = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = Your mailer is not RFC 2047 compliant: message rejected <%= out = "" if has_variable?("clamd") && clamd == "true" out = ' - discard condition = ${if eq {$acl_m_prf}{blackhole}{no}{yes}} + discard condition = ${if eq {$acl_m_prf}{blackhole}} demime = * malware = */defer_ok log_message = discarded malware message for $recipients deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} demime = * malware = */defer_ok message = malware detected: $malware_name: message rejected @@ -1010,19 +1047,20 @@ out=' condition = ${if eq{$acl_m_srb}{false}{no}{yes}} log_message = discarded surbl message for $recipients + deny condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = $acl_m_srb + message = $acl_m_srb + warn condition = ${if <{$message_size}{256000}} condition = ${if eq {$acl_m_prf}{markup}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} message = X-Surbl-Hit: $primary_hostname: $acl_m_srb - accept condition = ${if eq {$acl_m_prf}{markup}} - - deny condition = ${if <{$message_size}{256000}} - set acl_m_srb = ${perl{surblspamcheck}} - condition = ${if eq{$acl_m_srb}{false}{no}{yes}} - log_message = $acl_m_srb - message = $acl_m_srb ' end out @@ -1130,7 +1168,11 @@ smarthost: driver = manualroute domains = !+handled_domains transport = remote_smtp_smarthost - route_list = * ' + nodeinfo['smarthost'] + ' + route_list = * ' + nodeinfo['smarthost'] + if nodeinfo['smarthost'] == 'mailout.debian.org' + out += '/MX' + end + out += ' host_find_failed = defer same_domain_copy_routing = yes no_more @@ -1324,14 +1366,18 @@ out <%= out = "" -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] + domain = 'bugs.debian.org' + if nodeinfo['bugsmaster'] + domain = 'bugs-master.debian.org' + end out = ' # This router delivers for bugs.d.o bugs: debug_print = "R: bugs for $local_part@$domain" driver = accept transport = bugs_pipe - domains = bugs.debian.org + domains = ' + domain + ' cannot_route_message = Unknown or archived bug require_files = /org/bugs.debian.org/mail/run-procmail no_more @@ -1393,25 +1439,6 @@ end out %> -virt_alias_verify: - debug_print = "R: virt_aliases for $local_part@$domain" - driver = redirect - data = ${if exists{\ - ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\ - {${lookup{$local_part}lsearch*{\ - ${extract{directory}{VDOMAINDATA}{$value/aliases}}\ - }}}} - directory_transport = address_directory - cannot_route_message = Unknown user - domains = +virtual_domains - file_transport = address_file - pipe_transport = address_pipe - qualify_preserve_domain - retry_use_local_part - transport_current_directory = ${extract{directory}{VDOMAINDATA}} - transport_home_directory = ${extract{directory}{VDOMAINDATA}} - verify_only - virt_direct_verify: debug_print = "R: virt_direct for $local_part@$domain" driver = redirect @@ -1454,7 +1481,6 @@ virt_aliases: retry_use_local_part transport_current_directory = ${extract{directory}{VDOMAINDATA}} transport_home_directory = ${extract{directory}{VDOMAINDATA}} - no_verify user = ${extract{user}{VDOMAINDATA}} # This is a qmailesque deliver into a directory of .forward files @@ -1624,7 +1650,7 @@ bsmtp: <%= out = "" -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] out = ' bugs_pipe: driver = pipe