X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=7b47197d12fa3e350b5f27682397ac11291c978e;hb=9230a47dd4914d7701adc87d0b2ea2377c09a23c;hp=e759624fe60e133221ba9c793c07dae61c141ac2;hpb=689a416a3728f91afe1c247717422b784d7f59b3;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index e759624fe..7b47197d1 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -35,6 +35,7 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +# bsmtp_domains - Domains that we deliver locally via bsmtp <%= out = "" if nodeinfo['mailrelay'] @@ -131,10 +132,14 @@ domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}} -domainlist handled_domains = +local_domains : +virtual_domains +domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}} + +domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains localpartlist local_only_users = lsearch;/etc/exim4/localusers +localpartlist postmasterish = postmaster : abuse : hostmaster : root + # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts @@ -193,11 +198,18 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false -smtp_accept_max = 300 smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> +smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 smtp_accept_reserve = 25 +<% else %> +smtp_accept_max = 30 +smtp_accept_queue = 20 +smtp_accept_queue_per_connection = 10 +smtp_accept_reserve = 5 +<% end %> smtp_reserve_hosts = +debianhosts split_spool_directory = true @@ -206,9 +218,15 @@ check_spool_space = 20M delay_warning = +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 queue_only_load = 15 +<% else %> +queue_run_max = 5 +deliver_queue_load_max = 10 +queue_only_load = 5 +<% end %> queue_list_requires_admin = false <%= out = "" @@ -312,7 +330,7 @@ end out %> <%= -out = "" +out = '' if nodeinfo['packagesmaster'] out = ' warn domains = packages.debian.org @@ -324,6 +342,7 @@ end out %> <%= +out = '' if nodeinfo['packagesqamaster'] out=' warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org @@ -351,6 +370,34 @@ out accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{markup}} + log_message = $local_part@$domain: markup + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}} + log_message = $local_part@$domain: markup + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}} + log_message = $local_part@$domain: blackhole + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction}}}{$value}{}}}{blackhole}} + log_message = $local_part@$domain: blackhole + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn set acl_m_rprf = normal accept @@ -609,12 +656,22 @@ out=' end out %> - +<%= +out='' +if nodeinfo['packagesmaster'] + out=' + warn condition = ${if eq {$acl_m_prf}{PackagesMail}} + condition = ${if eq {$sender_address}{$local_part@$domain}} + message = X-Packages-FromTo-Same: yes +' +end +out +%> deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !verify = sender defer !hosts = +debianhosts - condition = ${if >{${eval:$acl_c_scr}}{0}} + condition = ${if >{${eval:$acl_c_scr+0}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%= @@ -630,6 +687,7 @@ out = ' # closure, but I\'m fairly sure it\'s now worth it, since the backport of # policyd-weight is trivial. warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\ {request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -647,31 +705,37 @@ out = ' # Defer on socket error defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if eq{$acl_m_pw}{socket failure}{yes}{no}} message = Cannot connect to policyd-weight. Please try again later. # Set proposed action to $acl_m_act and message to $acl_m_mes warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_mes = ${extract{action}{$acl_m_pw}} set acl_m_act = ${sg{$acl_m_pw}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}} # Add X-policyd-weight header line to message warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = $acl_m_mes condition = ${if eq{$acl_m_act}{PREPEND}{yes}{no}} # Write log message, if policyd-weight can\'t run checks warn !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} log_message = policyd-weight message: $acl_m_mes condition = ${if eq{$acl_m_act}{DUNNO}{yes}{no}} # Deny mails which policyd-weight thinks are spam deny !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = policyd-weight said: $acl_m_mes condition = ${if eq{$acl_m_act}{550}{yes}{no}} # Defer messages when policyd-weight suggests so. defer !hosts = +debianhosts + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = policyd-weight said: $acl_m_mes condition = ${if eq{$acl_m_act}{450}{yes}{no}} ' @@ -706,6 +770,7 @@ if has_variable?("greylistd") && greylistd == "true" {/etc/greylistd/whitelist-hosts}{}} : \ ${if exists {/var/lib/greylistd/whitelist-hosts}\ {/var/lib/greylistd/whitelist-hosts}{}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * domains = +handled_domains : +rcpthosts condition = ${readsocket{/var/run/greylistd/socket}\ @@ -722,6 +787,7 @@ elsif has_variable?("postgrey") && postgrey == "true" warn !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} condition = ${if def:acl_m_grey {no}{yes}} set acl_m_grey = $pid.$tod_epoch.$sender_host_port @@ -729,6 +795,7 @@ elsif has_variable?("postgrey") && postgrey == "true" defer !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * domains = +handled_domains : +rcpthosts local_parts = GREYLIST_LOCAL_PARTS @@ -753,6 +820,7 @@ elsif has_variable?("postgrey") && postgrey == "true" warn !senders = : !hosts = : +debianhosts : WHITELIST + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * domains = +handled_domains : +rcpthosts local_parts = GREYLIST_LOCAL_PARTS @@ -763,9 +831,13 @@ end out %> - accept local_parts = postmaster + accept local_parts = +postmasterish domains = +handled_domains : +rcpthosts + deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} + message = I'm terribly sorry, but it seems you have been blacklisted + log_message = blacklisted IP + deny log_message = <$sender_address> is blacklisted senders = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}} message = We have blacklisted <$sender_address>. Please stop mailing us @@ -831,12 +903,26 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' acl_check_mime: + discard condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{blackhole}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = discarded surbl message for $recipients + deny condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} log_message = $acl_m_srb message = $acl_m_srb + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + accept ' end @@ -844,7 +930,7 @@ out %> acl_check_predata: - deny condition = ${if eq{$acl_m_lcl}{localonly}} + deny condition = ${if eq{$acl_m_prf}{localonly}} message = mail for $acl_m_lrc is only accepted internally accept @@ -852,9 +938,6 @@ acl_check_predata: #!!# ACL that is used after the DATA command check_message: - require verify = header_syntax - message = Invalid syntax in the header - <%= out='' if nodeinfo['rtmaster'] @@ -880,9 +963,6 @@ if nodeinfo['packagesqamaster'] end out %> - deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} - message = Blackisted URI found in body - deny condition = ${if eq {$acl_m_prf}{DBSignedMail}} condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ {!match {$message_body}{PGP SIGNED MESSAGE}} \ @@ -893,6 +973,12 @@ out } message = Mail to this address needs to be PGP-signed + accept verify = certificate + + require verify = header_syntax + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + message = Invalid syntax in the header + # RFC 822 and 2822 say that headers must be ASCII. This kinda emulates # postfix's strict_7bit_headers option, but only checks a few common problem # headers, as there doesn't appear to be an easy way to check them all. @@ -901,20 +987,33 @@ out {match {$rh_To:}{[\200-\377]}}\ {match {$rh_From:}{[\200-\377]}}\ {match {$rh_Cc:}{[\200-\377]}}}{true}{false}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = improper use of 8-bit data in message header: message rejected deny condition = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} message = Your mailer is not RFC 2047 compliant: message rejected <%= out = "" if has_variable?("clamd") && clamd == "true" out = ' - deny + discard condition = ${if eq {$acl_m_prf}{blackhole}} + demime = * + malware = */defer_ok + log_message = discarded malware message for $recipients + + deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} demime = * malware = */defer_ok message = malware detected: $malware_name: message rejected + + warn condition = ${if eq {$acl_m_prf}{markup}} + demime = * + malware = */defer_ok + message = X-malware detected: $malware_name ' end out @@ -923,11 +1022,26 @@ out out='' if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' + discard condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{blackhole}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + log_message = discarded surbl message for $recipients + deny condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} + condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} log_message = $acl_m_srb message = $acl_m_srb + + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + ' end out @@ -1009,7 +1123,7 @@ out bsmtp: debug_print = "R: bsmtp for $local_part@$domain" driver = manualroute - domains = !+local_domains + domains = +bsmtp_domains require_files = /etc/exim4/bsmtp route_list = * ${extract{file}{\ ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\ @@ -1054,6 +1168,17 @@ dnslookup: ignore_target_hosts = +reservedaddrs no_more +postmasterish: + debug_print = "R: postmasterish for $local_part@$domain" + driver = redirect + verify = false + unseen = true + expn = true + local_parts = +postmasterish + domains = +handled_domains + data = debian-admin@debian.org + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" + # This router handles aliasing using a traditional /etc/aliases file. # If any of your aliases expand to pipes or files, you will need to set # up a user and a group for these deliveries to run under. You can do @@ -1567,7 +1692,6 @@ out begin retry debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h -* * senders=: F,2h,10m * rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m * * F,2h,15m; G,16h,2h,1.5; F,4d,8h