X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=e055cceecce0ce0e1ec9809434e43fc72319d823;hb=436211e11f3c995c3289705c59660c1459f1bf4c;hp=d00e4efc2131309ec8b2ee6f68d2775944e1cd1c;hpb=f234a737e32de46ed011121187e8410f2312c930;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index d00e4efc2..e055cceec 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -27,10 +27,6 @@ # is much like a local domain, execpt that the delivery location # and allowed set of users is controlled by a virtual domain # alias file and not /etc/passwd. Wildcards are permitted -# rcpthosts - recipient hosts or relay domains. This is a list of -# all hosts that we mail exchange for. All domains that list -# this host in their MX records should be listed here. Wildcards -# are permitted. # relayhosts - Hostnames that can send any arbitarily addressed mail to # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list @@ -140,7 +136,6 @@ localpartlist postmasterish = postmaster : abuse : hostmaster : root # Domains we relay for; that is domains that aren't considered local but we # accept mail for them. -domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts <%= out = "" @@ -170,7 +165,7 @@ out # expensive, you can specify the networks for which a lookup is done, or # remove the setting entirely. host_lookup = * -dns_ipv4_lookup = !localhost +# dns_ipv4_lookup = !localhost (disabled upon sgrans request, zobel, 2010-03-16) # If this option is set, then any process that is running as one of the # listed users may pass a message to Exim and specify the sender's @@ -219,7 +214,8 @@ delay_warning = <% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 -queue_only_load = 15 +queue_only_load = 35 +smtp_load_reserve = 20 <% else %> queue_run_max = 5 deliver_queue_load_max = 10 @@ -239,7 +235,7 @@ ports = [] out = "daemon_smtp_ports = " ports << 25 -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] ports << 587 end @@ -413,11 +409,10 @@ out %> <%= -out = "" if nodeinfo['smarthost'].empty? - out = " + out = ' # These are in HELO acl so that they are only run once. They increment a counter, - # so we don't want it to increment per rcpt to. + # so we don\'t want it to increment per rcpt to. warn dnslists = list.dnswl.org&0.0.0.3 log_message = Hit on list.dnswl.org for $sender_host_address @@ -452,7 +447,7 @@ if nodeinfo['smarthost'].empty? dnslists = dul.dnsbl.sorbs.net set acl_c_scr = ${eval:$acl_c_scr+15} - # If the sender's helo name is empty, the message will be rejected later + # If the sender\'s helo name is empty, the message will be rejected later # because the helo is empty. If the rDNS lookup failed, we are already # going to greylist them, so no sense worrying about it here. Finally, # if rDNS does not match helo name (both lower cased first), greylist. @@ -461,7 +456,7 @@ if nodeinfo['smarthost'].empty? condition = ${if eq {$host_lookup_failed}{1}{no}{yes}} condition = ${if def:sender_helo_name {yes}{no}} condition = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}} - log_message = HELO doesn't match rDNS + log_message = HELO doesn\'t match rDNS set acl_c_scr = ${eval:$acl_c_scr+8} # Regexes of doom @@ -482,15 +477,21 @@ if nodeinfo['smarthost'].empty? set acl_c_scr = ${eval:$acl_c_scr+7} # Random HELO (run of 7 consonants) (constructed by viruses). We purposefully - # skip matching on machines named .*smtp.*, since that's 4 already. This is a fairly - # naive test, so it's not worth much + # skip matching on machines named .*smtp.*, since that\'s 4 already. This is a fairly + # naive test, so it\'s not worth much warn condition = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}} condition = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}} condition = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}} log_message = random HELO set acl_c_scr = ${eval:$acl_c_scr+5} -" +' +else + out = ' + drop !hosts = +debianhosts + log_message = mail from non-d.o host + message = Interesting. I doubt that should have happened. +' end out %> @@ -528,7 +529,6 @@ out accept domains = +local_domains hosts = +debianhosts endpass - message = unknown user verify = recipient <%= @@ -537,7 +537,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -546,7 +545,6 @@ out accept domains = +submission_domains endpass - message = unknown user verify = recipient deny message = relay not permitted @@ -784,7 +782,7 @@ if has_variable?("greylistd") && greylistd == "true" {/var/lib/greylistd/whitelist-hosts}{}} condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains condition = ${readsocket{/var/run/greylistd/socket}\ {--grey \ $sender_host_address \ @@ -809,7 +807,7 @@ elsif has_variable?("postgrey") && postgrey == "true" !hosts = : +debianhosts : WHITELIST condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ @@ -834,7 +832,7 @@ elsif has_variable?("postgrey") && postgrey == "true" !hosts = : +debianhosts : WHITELIST condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} !authenticated = * - domains = +handled_domains : +rcpthosts + domains = +handled_domains local_parts = GREYLIST_LOCAL_PARTS condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{^\\\\w+\\\\s*}{}} @@ -844,7 +842,7 @@ out %> accept local_parts = +postmasterish - domains = +handled_domains : +rcpthosts + domains = +handled_domains deny hosts = ${if exists{/etc/exim4/host_blacklist}{/etc/exim4/host_blacklist}{}} message = I'm terribly sorry, but it seems you have been blacklisted @@ -857,16 +855,16 @@ out <%= out = "" if nodeinfo['smarthost'].empty? - out = " + out = ' deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST -" +' end out %> @@ -877,22 +875,22 @@ out {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\ {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}} : \ ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}}} - domains = +handled_domains : +rcpthosts + domains = +handled_domains !hosts = +debianhosts : WHITELIST <%= out = "" if nodeinfo['smarthost'].empty? - out = " - deny domains = +handled_domains : +rcpthosts + out = ' + deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}{$local_part}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/callout_users}{$local_part}{}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}} !hosts = +debianhosts : WHITELIST - !verify = sender/callout -" + !verify = sender/callout=90s,maxwait=300s +' end out %> @@ -903,7 +901,6 @@ if nodeinfo['mailrelay'] out = ' accept domains = +mailhubdomains endpass - message = unknown user verify = recipient/callout=30s,defer_ok,use_sender,no_cache ' end @@ -911,14 +908,8 @@ out %> accept domains = +handled_domains endpass - message = unknown user verify = recipient/defer_ok - accept domains = +rcpthosts - endpass - message = unrouteable address - verify = recipient - accept hosts = +debianhosts accept authenticated = * @@ -1309,6 +1300,8 @@ procmail: check_local_user domains = +local_domains headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" + local_part_suffix = -* + local_part_suffix_optional no_verify no_expn require_files = $local_part:$home/.procmailrc @@ -1375,20 +1368,24 @@ out <%= out = "" -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] + domain = 'bugs.debian.org' + if nodeinfo['bugsmaster'] + domain = 'bugs-master.debian.org' + end out = ' # This router delivers for bugs.d.o bugs: debug_print = "R: bugs for $local_part@$domain" driver = accept transport = bugs_pipe - domains = bugs.debian.org + domains = ' + domain + ' cannot_route_message = Unknown or archived bug require_files = /org/bugs.debian.org/mail/run-procmail no_more local_parts = ${if match\ {$local_part}\ - {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ + {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|help|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\ {${if exists{/org/bugs.debian.org/spool/db-h/$2/$1$2.summary}\ {$local_part}fail}}fail} ' @@ -1444,25 +1441,6 @@ end out %> -virt_alias_verify: - debug_print = "R: virt_aliases for $local_part@$domain" - driver = redirect - data = ${if exists{\ - ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\ - {${lookup{$local_part}lsearch*{\ - ${extract{directory}{VDOMAINDATA}{$value/aliases}}\ - }}}} - directory_transport = address_directory - cannot_route_message = Unknown user - domains = +virtual_domains - file_transport = address_file - pipe_transport = address_pipe - qualify_preserve_domain - retry_use_local_part - transport_current_directory = ${extract{directory}{VDOMAINDATA}} - transport_home_directory = ${extract{directory}{VDOMAINDATA}} - verify_only - virt_direct_verify: debug_print = "R: virt_direct for $local_part@$domain" driver = redirect @@ -1505,7 +1483,6 @@ virt_aliases: retry_use_local_part transport_current_directory = ${extract{directory}{VDOMAINDATA}} transport_home_directory = ${extract{directory}{VDOMAINDATA}} - no_verify user = ${extract{user}{VDOMAINDATA}} # This is a qmailesque deliver into a directory of .forward files @@ -1675,7 +1652,7 @@ bsmtp: <%= out = "" -if nodeinfo['bugsmaster'] +if nodeinfo['bugsmaster'] or nodeinfo['bugsmx'] out = ' bugs_pipe: driver = pipe