X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=8762026addbd655b2c4dbd1a68433d2409e61b4c;hb=ebc9e50e5eed864a91ba0773c69cc1bab77b9bfb;hp=d843e341abf39208fac5ce43cbb10e2ba7790271;hpb=76bd84e8cb84a445026004bf75a37fb81906be92;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index d843e341a..8762026ad 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -35,6 +35,7 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +# bsmtp_domains - Domains that we deliver locally via bsmtp <%= out = "" if nodeinfo['mailrelay'] @@ -131,7 +132,9 @@ domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}} -domainlist handled_domains = +local_domains : +virtual_domains +domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}} + +domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains localpartlist local_only_users = lsearch;/etc/exim4/localusers @@ -193,10 +196,16 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false -smtp_accept_max = 300 smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> +smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 +<% else %> +smtp_accept_max = 30 +smtp_accept_queue = 20 +smtp_accept_queue_per_connection = 10 +<% end %> smtp_accept_reserve = 25 smtp_reserve_hosts = +debianhosts @@ -206,9 +215,15 @@ check_spool_space = 20M delay_warning = +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 queue_only_load = 15 +<% else %> +queue_run_max = 5 +deliver_queue_load_max = 10 +queue_only_load = 5 +<% end %> queue_list_requires_admin = false <%= out = "" @@ -352,6 +367,30 @@ out accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/mail-contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/mail-contentinspectionaction}}}{$value}{}}}{markup}} + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}} + set acl_m_rprf = markup + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}} + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn domains = +virtual_domains + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/mail-contentinspectionaction}}}} + condition = ${if eq{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/mail-contentinspectionaction}}}{$value}{}}}{blackhole}} + set acl_m_rprf = blackhole + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + warn set acl_m_rprf = normal accept @@ -625,7 +664,7 @@ out !verify = sender defer !hosts = +debianhosts - condition = ${if >{${eval:$acl_c_scr}}{0}} + condition = ${if >{${eval:$acl_c_scr+0}}{0}} ratelimit = 10 / 60m / per_rcpt / $sender_host_address message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%= @@ -842,6 +881,14 @@ if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' acl_check_mime: + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $acl_m_srb + + accept condition = ${if eq {$acl_m_prf}{markup}} + deny condition = ${if <{$message_size}{256000}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} @@ -891,9 +938,6 @@ if nodeinfo['packagesqamaster'] end out %> - deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} - message = Blackisted URI found in body - deny condition = ${if eq {$acl_m_prf}{DBSignedMail}} condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ {!match {$message_body}{PGP SIGNED MESSAGE}} \ @@ -922,10 +966,16 @@ out out = "" if has_variable?("clamd") && clamd == "true" out = ' - deny + # FIXME: make blackhole work + deny condition = ${if eq {$acl_m_prf}{markup}{no}{yes}} demime = * malware = */defer_ok message = malware detected: $malware_name: message rejected + + warn condition = ${if eq {$acl_m_prf}{markup}} + demime = * + malware = */defer_ok + message = X-malware detected: $malware_name ' end out @@ -934,6 +984,14 @@ out out='' if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? out=' + warn condition = ${if <{$message_size}{256000}} + condition = ${if eq {$acl_m_prf}{markup}} + set acl_m_srb = ${perl{surblspamcheck}} + condition = ${if eq{$acl_m_srb}{false}{no}{yes}} + message = X-Surbl-Hit: $acl_m_srb + + accept condition = ${if eq {$acl_m_prf}{markup}} + deny condition = ${if <{$message_size}{256000}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if eq{$acl_m_srb}{false}{no}{yes}} @@ -1020,7 +1078,7 @@ out bsmtp: debug_print = "R: bsmtp for $local_part@$domain" driver = manualroute - domains = !+local_domains + domains = +bsmtp_domains require_files = /etc/exim4/bsmtp route_list = * ${extract{file}{\ ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\