X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=c619856cef0b6cfb8cbe2b9edc573ff2a0d34de9;hb=a1dd5aff5fcc24d382c60a32a56bf6797b444d02;hp=10038ade479680e123e5f9fb057cf7cd6950d24a;hpb=4525f6c21ab0a6d9ab7f77e792296ae42c510918;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index 10038ade4..c619856ce 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -27,10 +27,6 @@
# is much like a local domain, execpt that the delivery location
# and allowed set of users is controlled by a virtual domain
# alias file and not /etc/passwd. Wildcards are permitted
-# relayhosts - Hostnames that can send any arbitarily addressed mail to
-# us. This is primarily only useful for emergency 'queue
-# flushing' operations, but should be populated with a list
-# of trusted machines. Wildcards are not permitted
# bsmtp_domains - Domains that we deliver locally via bsmtp
# submission-domains - Domains for which mail will be accepted via the
# submission port
@@ -266,6 +262,7 @@ tls_advertise_hosts = *
smtp_enforce_sync = true
log_selector = \
+ +subject \
+tls_cipher \
+tls_peerdn \
+queue_time \
@@ -306,7 +303,14 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\
{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
{${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \
${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}
-HAS_DEFAULT_OPTIONS = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}
+# Users from LDAP can decide whether to subscribe to default filtering.
+# If a user has not explicitly disabled the option, the assumption is in
+# favour of filtering.
+HAS_DEFAULT_OPTIONS = ${if and {\
+ {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\
+ {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\
+ {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\
+ }}
<%- if @is_rtmaster -%>
# This subject rewrite is embedded in double-quoted strings. As such, some of
# the items need more escaping than usual, otherwise \N becomes simply "N" and
@@ -601,6 +605,23 @@ check_recipient:
message = Different profile, please retry
log_message = Only one profile at a time, please
+ warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+
+ warn condition = ${if eq{$acl_m_defopt}{}}
+ set acl_m_defopt = $acl_m_rdefopt
+
+ defer condition = ${if !eq{$acl_m_defopt}{$acl_m_rdefopt}}
+ message = Different profile, please retry
+ log_message = Only one default options profile at a time, please
+
+ # Set a flag to indicate whether the current recipient
+ # has explicitly requested greylisting
+ warn set acl_m_grey_recip = 0
+
+ warn local_parts = GREYLIST_LOCAL_PARTS
+ domains = +handled_domains
+ set acl_m_grey_recip = 1
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing address harvesting or other mail blasts.
@@ -692,6 +713,12 @@ check_recipient:
condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}}
message = no mail should ever come from <$sender_address>
+ deny domains = +virtual_domains
+ senders = :
+ condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}}
+ condition = ${lookup{$local_part}lsearch{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{true}}
+ message = <$local_part@$domain> does not send mail; rejecting bogus NDR
+
warn condition = ${if eq{$acl_m_prf}{localonly}}
set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
@@ -781,13 +808,18 @@ check_recipient:
defer
message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
log_message = greylisted.
- local_parts = GREYLIST_LOCAL_PARTS
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ } \
+ }
!senders = :
!hosts = : +debianhosts : WHITELIST : \
${if exists {/etc/greylistd/whitelist-hosts}\
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
@@ -804,6 +836,7 @@ check_recipient:
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
condition = ${if ! def:acl_m_grey}
set acl_m_grey = $pid.$tod_epoch.$sender_host_port
@@ -812,10 +845,15 @@ check_recipient:
defer
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
- local_parts = GREYLIST_LOCAL_PARTS
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ } \
+ }
set acl_m_pgr = request=smtpd_access_policy\n\
protocol_state=RCPT\n\
protocol_name=${uc:$received_protocol}\n\
@@ -837,10 +875,15 @@ check_recipient:
warn
!senders = :
!hosts = : +debianhosts : WHITELIST
+ !dnslists = list.dnswl.org&0.0.0.3
condition = ${if !eq {$acl_m_prf}{PopconMail}}
!authenticated = *
domains = +handled_domains
- local_parts = GREYLIST_LOCAL_PARTS
+ condition = ${if or { \
+ {eq{$acl_m_grey_recip}{1}} \
+ {bool_lax{HAS_DEFAULT_OPTIONS}} \
+ } \
+ }
condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}}
message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}}
@@ -857,7 +900,7 @@ check_recipient:
domains = +virtual_domains : +bsmtp_domains
<%- unless @use_smarthost -%>
- deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
{${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
@@ -866,13 +909,19 @@ check_recipient:
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
dnslists = noserver.dnsbl.sorbs.net
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+ dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+
<%- end -%>
- deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
dnslists = ${if match_domain{$domain}{+virtual_domains}\
{${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
{${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
@@ -881,11 +930,17 @@ check_recipient:
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
- deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
domains = +handled_domains
!hosts = +debianhosts : WHITELIST
+ deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+ condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+ dnslists = dbl.spamhaus.org/$sender_address_domain
+ domains = +handled_domains
+ !hosts = +debianhosts : WHITELIST
+
<%- unless @use_smarthost -%>
deny domains = +handled_domains
local_parts = ${if match_domain{$domain}{+virtual_domains}\
@@ -1013,6 +1068,30 @@ check_message:
condition = ${if !eq {$acl_m_prf}{PopconMail}}
message = Your mailer is not RFC 2047 compliant: message rejected
+ discard condition = ${if eq {$acl_m_prf}{blackhole}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ log_message = Discarded suspicious content for $recipients
+
+ deny condition = ${if !eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ message = Rejected due to suspicious content
+
+ warn condition = ${if eq {$acl_m_prf}{markup}}
+ condition = ${if bool_lax{$acl_m_defopt}}
+ condition = ${if or {\
+ {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \
+ }\
+ }
+ add_header = X-debian-content-warning: yes
+
<%- if has_variable?("clamd") && @clamd -%>
discard condition = ${if eq {$acl_m_prf}{blackhole}}
malware = */defer_ok
@@ -1441,7 +1520,11 @@ virt_direct_verify:
modemask = 002
directory_transport = address_directory
domains = +virtual_domains
+<%- if @is_trackermaster -%>
+ local_part_suffix = +*
+<%- else -%>
local_part_suffix = -*
+<%- end -%>
local_part_suffix_optional
file = $home/.forward-\
${if exists {${home}/.forward-${local_part}}{${local_part}}\
@@ -1471,7 +1554,11 @@ virt_direct:
group = ${extract{group}{VDOMAINDATA}}
headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
modemask = 002
+<%- if @is_trackermaster -%>
+ local_part_suffix = +*
+<%- else -%>
local_part_suffix = -*
+<%- end -%>
local_part_suffix_optional
pipe_transport = address_pipe
reply_transport = address_reply