X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=b95cd8387c81754f2009890202dba0cb89cbfe4d;hb=a5dad1d1925409a441d2d8635b4d533e149be0b4;hp=6ce79a48d501ad644b7b86ce4464449c1dc80396;hpb=776831bc68efac834cc0226f65e2a4abd3b1327d;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 6ce79a48d..b95cd8387 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -32,6 +32,8 @@ # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp +# submission-domains - Domains for which mail will be accepted via the +# submission port <%- if @is_mailrelay -%> # mailhubdomains - Domains for which we are the MX, but the mail is relayed # elsewhere. This is designed for use with small volume or @@ -41,6 +43,11 @@ # that list. <%- end -%> +# From /var/lib/misc / UD: +# +# mail-forward.cdb - aliases for @d.o +# user-forward.cdb - aliases for @thishost.d.o + # Exim's wildcard mechanism is a bit odd in that to say "any address in # debian.org including debian.org" you must use two patterns, # *.debian.org @@ -121,10 +128,16 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers localpartlist postmasterish = postmaster : abuse : hostmaster -hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c +hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts hostlist reservedaddrs = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/24 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5 +domainlist google_mxen = aspmx.l.google.com : gmail-smtp-in.l.google.com : \ + *.aspmx.l.google.com : *.gmail-smtp-in.l.google.com + +domainlist single_domain_mx = +google_mxen +domainlist ipv4_only_domain_mx = +google_mxen + <%- if @is_mailrelay -%> # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. @@ -142,7 +155,6 @@ tls_crl = /etc/exim4/ssl/ca.crl # expensive, you can specify the networks for which a lookup is done, or # remove the setting entirely. host_lookup = * -# dns_ipv4_lookup = !localhost (disabled upon sgrans request, zobel, 2010-03-16) # If this option is set, then any process that is running as one of the # listed users may pass a message to Exim and specify the sender's @@ -166,6 +178,13 @@ local_from_check = false gecos_pattern = ^([^,:]*) gecos_name = $1 +# Do *not* include the body of the original message in a bounce +# The combination of bounce_return_message and bounce_return_body +# allows us to return only the headers within a bounce + +bounce_return_message = true +bounce_return_body = false + # This tells Exim to immediately discard error messages (ie double bounces). ignore_bounce_errors_after = 0s auto_thaw = 1d @@ -242,7 +261,23 @@ pipelining_advertise_hosts = !* tls_advertise_hosts = * smtp_enforce_sync = true -log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation +smtp_protocol_error +log_selector = \ + +tls_cipher \ + +tls_peerdn \ + +queue_time \ + +queue_time_overall \ + +deliver_time \ + +received_recipients \ + +sender_on_delivery \ + +return_path_on_delivery \ + +incoming_port \ + +unknown_in_list \ + +smtp_connection \ + +smtp_incomplete_transaction \ + +smtp_confirmation \ + +smtp_syntax_error \ + +smtp_no_mail \ + +smtp_protocol_error received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\ {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ @@ -288,10 +323,11 @@ acl_spamlovers: deny acl_getprofile: - # This is a bad hack to reset the variable, by defining it be something - # never referenced. - warn set acl_m_rprf = $acl_m_undefined + # Determine the mail profile for this recipient. + # An empty string implies no match has been found. + + warn set acl_m_rprf = warn recipients = survey@popcon.debian.org set acl_m_rprf = PopconMail @@ -497,8 +533,6 @@ check_helo: #!!# ACL that is used after the RCPT command on the submission port check_submission: - # Accept if the source is local SMTP (i.e. not over TCP/IP). - # We do this by testing for an empty sending host field. accept hosts = +debianhosts <%- if @is_mailrelay -%> @@ -636,7 +670,7 @@ check_recipient: hosts = !+debianhosts message = mail from <$sender_address> not allowed externally - deny condition = ${if match_domain{$sender_address_domain}{+virtual_domains}} + deny sender_domains= +virtual_domains condition = ${if exists {${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}} condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}} message = no mail should ever come from <$sender_address> @@ -653,6 +687,12 @@ check_recipient: deny condition = ${if !eq {$acl_m_prf}{PopconMail}} !verify = sender + warn !hosts = +debianhosts + condition = ${if !eq {$acl_m_prf}{PopconMail}} + condition = ${if >{${eval:$acl_c_scr+0}}{0}} + ratelimit = 10 / 60m / per_rcpt / strict / $sender_host_address + log_message = Sender rate $sender_rate / $sender_rate_period (limit: $sender_rate_limit) + defer !hosts = +debianhosts condition = ${if !eq {$acl_m_prf}{PopconMail}} condition = ${if >{${eval:$acl_c_scr+0}}{0}} @@ -660,14 +700,7 @@ check_recipient: message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists) <%- if has_variable?("policydweight") && @policydweight -%> - # Check with policyd-weight - this only works with a version after etch's, - # sadly. etch's version attempts to hold the socket open, since that's what - # postfix expects. Exim, on the other hand, expects the remote side to close - # the socket when it's finished sending data, so it see each transaction as - # an incomplete read. I'm sure there's a way we could force Exim to do - # something sick and clever to force either the interpretation or the socket - # closure, but I'm fairly sure it's now worth it, since the backport of - # policyd-weight is trivial. + # Check with policyd-weight warn !hosts = +debianhosts condition = ${if !eq {$acl_m_prf}{PopconMail}} set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\ @@ -778,11 +811,7 @@ check_recipient: protocol_name=${uc:$received_protocol}\n\ instance=${acl_m_grey}\n\ helo_name=${sender_helo_name}\n\ -<%- if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 -%> - client_address=${substr_-3:${mask:$sender_host_address/24}}\n\ -<%- else -%> client_address=${sender_host_address}\n\ -<%- end -%> client_name=${sender_host_name}\n\ sender=${sender_address}\n\ recipient=$local_part@$domain\n\n @@ -790,7 +819,7 @@ check_recipient: ${readsocket{/var/run/postgrey/socket}{$acl_m_pgr}\ {5s}{}{action=DUNNO}}\ }{action=}{}} - message = ${sg{$acl_m_pgr}{^\\w+\\s*}{}} + message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}} log_message = greylisted. condition = ${if eq{${uc:${substr{0}{5}{$acl_m_pgr}}}}{DEFER}} @@ -803,7 +832,7 @@ check_recipient: domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} - message = ${sg{$acl_m_pgr}{^\\w+\\s*}{}} + message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}} <%- end -%> deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} @@ -958,24 +987,15 @@ check_message: <%- if has_variable?("clamd") && @clamd -%> discard condition = ${if eq {$acl_m_prf}{blackhole}} - <%- if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 -%> - demime = * - <%- end -%> malware = */defer_ok log_message = discarded malware message for $recipients deny condition = ${if !eq {$acl_m_prf}{markup}} condition = ${if !eq {$acl_m_prf}{PopconMail}} - <%- if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 -%> - demime = * - <%- end -%> malware = */defer_ok message = malware detected: $malware_name: message rejected warn condition = ${if eq {$acl_m_prf}{markup}} - <%- if scope.call_function('versioncmp', [@lsbmajdistrelease, '8']) <= 0 -%> - demime = * - <%- end -%> malware = */defer_ok message = X-malware detected: $malware_name @@ -1056,9 +1076,13 @@ begin routers <%- if @is_mailrelay -%> relay_manualroute: + debug_print = "R: relay_manualroute for $local_part@$domain" driver = manualroute domains = +mailhubdomains - transport = remote_smtp + transport = ${if forany{${lookup dnsdb{>: mxh=$domain}}}\ + {match_domain{$item}{+single_domain_mx}}\ + {remote_smtp_single_domain}{remote_smtp}\ + } route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}} require_files = /etc/exim4/manualroute @@ -1101,8 +1125,15 @@ dnslookup: debug_print = "R: dnslookup for $local_part@$domain" driver = dnslookup domains = !+handled_domains - transport = remote_smtp - ignore_target_hosts = +reservedaddrs + transport = ${if forany{${lookup dnsdb{>: mxh=$domain}}}\ + {match_domain{$item}{+single_domain_mx}}\ + {remote_smtp_single_domain}{remote_smtp}\ + } + ignore_target_hosts = +reservedaddrs : \ + ${if forany{${lookup dnsdb{>: mxh=$domain}}}\ + {match_domain{$item}{+ipv4_only_domain_mx}}\ + {::::/0}{}\ + } no_more postmasterish: @@ -1336,7 +1367,7 @@ rt_force_new_verbose: pipe_transport = rt_pipe data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --ca-file /etc/ssl/ca-debian/ca-certificates.crt --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}" headers_remove = Subject - headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?is)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}" + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{\N(?is)(.*?)\[?debian rt\]?[:\s]*(.*)\N}}} {$1$2}{$h_subject:}}" # FIXME: figure out how to generalize this approach so that all of the following would work # - rt+NNNN@rt.debian.org : attach correspondence to ticket (verbose) @@ -1353,7 +1384,7 @@ rt_force_new_quiesce: pipe_transport = rt_pipe data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --ca-file /etc/ssl/ca-debian/ca-certificates.crt --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}" headers_remove = Subject - headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?is)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}" + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce\nSubject: ${if and {{first_delivery}{match {$h_subject:}{\N(?is)(.*?)\[?debian rt\]?[:\s]*(.*)\N}}} {$1$2}{$h_subject:}}" rt_otherwise: debug_print = "R: rt for $local_part@$domain" @@ -1366,7 +1397,7 @@ rt_otherwise: pipe_transport = rt_pipe data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-(comment|done)}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --ca-file /etc/ssl/ca-debian/ca-certificates.crt --extension ticket --action ${if match{$local_part}{.*-comment.*}{comment}{${if match{$local_part}{.*-done.*}{correspond-resolve}{correspond}}}}" headers_remove = Subject - headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{(?i)(.*?)\\\\[?debian rt\\\\]?[:\\s]*(.*)}}} {$1$2}{$h_subject:}}" + headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nSubject: ${if and {{first_delivery}{match {$h_subject:}{\N(?i)(.*?)\[?debian rt\]?[:\s]*(.*)\N}}} {$1$2}{$h_subject:}}" <%- end -%> # Exim fails the router if it can't change to the user/group for delivery @@ -1455,17 +1486,13 @@ virt_users: local_part_suffix_optional retry_use_local_part -<%= -out = "" -if @is_bugsmx - domain = 'bugs.debian.org' - out = ' +<%- if @is_bugsmx -%> # This router delivers for bugs.d.o bugs: debug_print = "R: bugs for $local_part@$domain" driver = accept transport = bugs_pipe - domains = ' + domain + ' + domains = bugs.debian.org cannot_route_message = Unknown or archived bug require_files = /srv/bugs.debian.org/mail/run-procmail no_more @@ -1474,10 +1501,7 @@ bugs: {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|help|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ {${if exists{/srv/bugs.debian.org/spool/db-h/$2/$1$2.summary}\ {$local_part}fail}}fail} -' -end -out -%> +<%- end -%> ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### @@ -1493,6 +1517,7 @@ begin transports # directory. (The alternative, which most other unixes use, is to deliver # as the user's own group, into a sticky-bitted directory) local_delivery: + debug_print = "T: local_delivery for $local_part@$domain" driver = appendfile file = /var/mail/${local_part} group = mail @@ -1509,6 +1534,7 @@ local_delivery: # want this to happen only when the pipe fails to complete normally. address_pipe: + debug_print = "T: address_pipe for $local_part@$domain" driver = pipe current_directory = ${home} environment = "EXTENSION=${substr_1:${local_part_suffix}}:\ @@ -1523,10 +1549,12 @@ address_pipe: # mentioned elsewhere in this configuration file. address_file: + debug_print = "T: address_file for $local_part@$domain" driver = appendfile return_path_add address_file_group: + debug_print = "T: address_file_group for $local_part@$domain" driver = appendfile return_path_add mode = 0660 @@ -1549,6 +1577,7 @@ address_file_group: # are passed to address_directory. address_directory: + debug_print = "T: address_directory for $local_part@$domain" driver = appendfile check_string = maildir_format @@ -1560,14 +1589,25 @@ address_directory: # option of the forwardfile director. It has a conventional name, since it # is not actually mentioned elsewhere in this configuration file. address_reply: + debug_print = "T: address_reply for $local_part@$domain" driver = autoreply # This transport is used for delivering messages over SMTP connections. remote_smtp: + debug_print = "T: remote_smtp for $local_part@$domain" + driver = smtp + connect_timeout = 15s + delay_after_cutoff = false + tls_certificate = /etc/exim4/ssl/thishost.crt + tls_privatekey = /etc/exim4/ssl/thishost.key + +remote_smtp_single_domain: + debug_print = "T: remote_smtp_single_domain for $local_part@$domain" driver = smtp connect_timeout = 15s delay_after_cutoff = false + no_multi_domain tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key @@ -1584,12 +1624,14 @@ remote_smtp_smarthost: <%- end -%> # Send the message to procmail procmail_pipe: + debug_print = "T: procmail_pipe for $local_part@$domain" driver = pipe command = /usr/bin/procmail -a ${substr_1:${local_part_suffix}} return_path_add user = ${local_part} bsmtp: + debug_print = "T: bsmtp for $local_part@$domain" driver = appendfile batch_max = 100 file = ${host} @@ -1603,6 +1645,7 @@ bsmtp: <%- if @is_bugsmx -%> bugs_pipe: + debug_print = "T: bugs_pipe for $local_part@$domain" driver = pipe command = /srv/bugs.debian.org/mail/run-procmail environment = "EXTENSION=${substr_1:${local_part_suffix}}:\ @@ -1628,21 +1671,37 @@ rt_pipe: # RETRY CONFIGURATION # ###################################################################### -# This single retry rule applies to all domains and all errors. It specifies -# retries every 15 minutes for 2 hours, then increasing retry intervals, -# starting at 2 hours and increasing each time by a factor of 1.5, up to 16 -# hours, then retries every 8 hours until 4 days have passed since the first -# failed delivery. - # Domain Error Retries # ------ ----- ------- - begin retry +## Note that retry rules specify when an address / host / mail should +## become eligible for retrying. They do not specify when the retry +## attempt will actually occur, as this is dependent on queue run +## frequency and timing. + +# For mail to debian.org addresses, this rule starts with +# retries every 10 minutes for 2 hours, then increasing retry intervals, +# starting at 2 hours and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 8 hours until 14 days have passed since the first +# failed delivery. debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h + +# Bounces should get retried every 10 minutes for up to 2 hours * * senders=: F,2h,10m + +# Temporary errors at RCPT TO get retried at 5 minute intervals for +# 2 hours, then 10 minute intervals for 4 hours, and finally at 15 +# minute intervals for 4 days. This assumes that the cause of the +# error will get resolved quickly in most cases. * rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m + +# For all remaining mails, addresses and hosts, this rule starts with +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 2 hours and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 8 hours until 4 days have passed since the first +# failed delivery. * * F,2h,15m; G,16h,2h,1.5; F,4d,8h # End of Exim 4 configuration