X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=e7280c817001dd811caa1859d5a8becd9ba3311d;hb=84ae359a4dd89da06aa33e2e75d62476d7b6ea82;hp=10038ade479680e123e5f9fb057cf7cd6950d24a;hpb=4525f6c21ab0a6d9ab7f77e792296ae42c510918;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 10038ade4..e7280c817 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -27,10 +27,6 @@ # is much like a local domain, execpt that the delivery location # and allowed set of users is controlled by a virtual domain # alias file and not /etc/passwd. Wildcards are permitted -# relayhosts - Hostnames that can send any arbitarily addressed mail to -# us. This is primarily only useful for emergency 'queue -# flushing' operations, but should be populated with a list -# of trusted machines. Wildcards are not permitted # bsmtp_domains - Domains that we deliver locally via bsmtp # submission-domains - Domains for which mail will be accepted via the # submission port @@ -111,7 +107,7 @@ allow_domain_literals = true # local_domains. It will be referenced # later on by the syntax "+local_domains". # Other domain and host lists may follow. -# @ is the local FQDN, @[] matches the IP adress of any local interface. +# @ is the local FQDN, @[] matches the IP address of any local interface. domainlist local_domains = @ : \ @[] : \ @@ -266,6 +262,7 @@ tls_advertise_hosts = * smtp_enforce_sync = true log_selector = \ + +subject \ +tls_cipher \ +tls_peerdn \ +queue_time \ @@ -306,7 +303,14 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}} -HAS_DEFAULT_OPTIONS = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}} +# Users from LDAP can decide whether to subscribe to default filtering. +# If a user has not explicitly disabled the option, the assumption is in +# favour of filtering. +HAS_DEFAULT_OPTIONS = ${if and {\ + {eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}\ + {exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\ + {! eq {${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}{}}\ + }} <%- if @is_rtmaster -%> # This subject rewrite is embedded in double-quoted strings. As such, some of # the items need more escaping than usual, otherwise \N becomes simply "N" and @@ -601,6 +605,23 @@ check_recipient: message = Different profile, please retry log_message = Only one profile at a time, please + warn set acl_m_rdefopt = ${if bool_lax{HAS_DEFAULT_OPTIONS}} + + warn condition = ${if eq{$acl_m_defopt}{}} + set acl_m_defopt = $acl_m_rdefopt + + defer condition = ${if !eq{$acl_m_defopt}{$acl_m_rdefopt}} + message = Different profile, please retry + log_message = Only one default options profile at a time, please + + # Set a flag to indicate whether the current recipient + # has explicitly requested greylisting + warn set acl_m_grey_recip = 0 + + warn local_parts = GREYLIST_LOCAL_PARTS + domains = +handled_domains + set acl_m_grey_recip = 1 + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing address harvesting or other mail blasts. @@ -692,13 +713,19 @@ check_recipient: condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}} message = no mail should ever come from <$sender_address> + deny domains = +virtual_domains + senders = : + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}} + condition = ${lookup{$local_part}lsearch{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{true}} + message = <$local_part@$domain> does not send mail; rejecting bogus NDR + warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} <%- if @is_packagesmaster -%> warn condition = ${if eq {$acl_m_prf}{PackagesMail}} condition = ${if eq {$sender_address}{$local_part@$domain}} - message = X-Packages-FromTo-Same: yes + add_header = X-Packages-FromTo-Same: yes <%- end -%> deny condition = ${if !eq {$acl_m_prf}{PopconMail}} @@ -781,13 +808,18 @@ check_recipient: defer message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. log_message = greylisted. - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{$acl_m_defopt}} \ + } \ + } !senders = : !hosts = : +debianhosts : WHITELIST : \ ${if exists {/etc/greylistd/whitelist-hosts}\ {/etc/greylistd/whitelist-hosts}{}} : \ ${if exists {/var/lib/greylistd/whitelist-hosts}\ {/var/lib/greylistd/whitelist-hosts}{}} + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains @@ -804,6 +836,7 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} condition = ${if ! def:acl_m_grey} set acl_m_grey = $pid.$tod_epoch.$sender_host_port @@ -812,10 +845,15 @@ check_recipient: defer !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{$acl_m_defopt}} \ + } \ + } set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ protocol_name=${uc:$received_protocol}\n\ @@ -837,10 +875,15 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{$acl_m_defopt}} \ + } \ + } condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}} @@ -857,34 +900,46 @@ check_recipient: domains = +virtual_domains : +bsmtp_domains <%- unless @use_smarthost -%> - deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} + domains = +handled_domains + !hosts = +debianhosts : WHITELIST dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}}}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}} - domains = +handled_domains - !hosts = +debianhosts : WHITELIST - deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text - dnslists = noserver.dnsbl.sorbs.net + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} domains = +handled_domains !hosts = +debianhosts : WHITELIST + dnslists = noserver.dnsbl.sorbs.net + + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} + condition = ${if bool_lax{$acl_m_defopt}} + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org <%- end -%> - deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} + domains = +handled_domains + !hosts = +debianhosts : WHITELIST dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\ {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\ {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}}}} : \ ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}} - domains = +handled_domains - !hosts = +debianhosts : WHITELIST - deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text - dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} domains = +handled_domains !hosts = +debianhosts : WHITELIST + dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain + + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value)${if >{${strlen:${dnslist_text}}}{0}{; see $dnslist_text}} + condition = ${if bool_lax{$acl_m_defopt}} + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + dnslists = dbl.spamhaus.org/$sender_address_domain <%- unless @use_smarthost -%> deny domains = +handled_domains @@ -938,7 +993,7 @@ acl_check_mime: condition = ${if eq {$acl_m_prf}{markup}} set acl_m_srb = ${perl{surblspamcheck}} condition = ${if !eq{$acl_m_srb}{false}} - message = X-Surbl-Hit: $primary_hostname: $acl_m_srb + add_header = X-Surbl-Hit: $primary_hostname: $acl_m_srb # Dump MIME parts to disk. "default" creates sequentially-named files # in /scan// which should then be @@ -965,6 +1020,10 @@ check_message: # header. Take their crack pipe away. drop condition = ${if match{${lc:$h_From:}}{\Npostmaster@([^.]+\.)?debian\.org\N}} + # If the sending system says the mail is spam, believe them + deny condition = ${if eqi {$h_X-Spam-Status:}{YES}} + message = Incoming spam flags + <%- if @is_rtmaster -%> deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ @@ -1001,7 +1060,7 @@ check_message: # postfix's strict_7bit_headers option, but only checks a few common problem # headers, as there doesn't appear to be an easy way to check them all. deny - condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\ + condition = ${if or {{match {$rh_Subject:}{[\200-\377]}}\ {match {$rh_To:}{[\200-\377]}}\ {match {$rh_From:}{[\200-\377]}}\ {match {$rh_Cc:}{[\200-\377]}}}} @@ -1013,6 +1072,37 @@ check_message: condition = ${if !eq {$acl_m_prf}{PopconMail}} message = Your mailer is not RFC 2047 compliant: message rejected + deny condition = ${if match {$rh_Received:}{\N from [^ ]+\.example\.com \N}} + log_message = Implausible Received header + message = Header problem: message rejected + + warn set acl_m_body = ${sg{$message_body}{= }{}} + + warn condition = ${if bool_lax{$acl_m_defopt}} + condition = ${if or {\ + {match {$message_body}{Wenn Sie zukünftig keine weiteren Informationen erhalten möchten,
unwissentlich oder unbeabsichtigt in den Verteiler aufgenommen wurden,}} \ + {match {$message_body}{\N(?i)Dear Beneficiary.*You have been selected.*Thousand United States Dollars\N}} \ + {match {$message_body}{\N(?i)receiving sum of money into your account for safe keeping\N}} \ + {match {$message_body}{\N(?i)I got your e-mail address through an internet marketing firm\N}} \ + {match {$message_body}{\N(?i)De conformidad con lo establecido en la Ley 34/2002 Lssice le comunicamos que este escrito procede de Search Task\N}} \ + {match {$message_body}{\NIf you are already our customer then please ignore this email\N}} \ + {match {$acl_m_body}{\N\.debian\.org Webmail Administrator\N}} \ + }\ + } + set acl_m_content = 1 + + discard condition = ${if eq {$acl_m_prf}{blackhole}} + condition = ${if eq {$acl_m_content}{1}} + log_message = Discarded suspicious content for $recipients + + deny condition = ${if !eq {$acl_m_prf}{markup}} + condition = ${if eq {$acl_m_content}{1}} + message = Rejected due to suspicious content + + warn condition = ${if eq {$acl_m_prf}{markup}} + condition = ${if eq {$acl_m_content}{1}} + add_header = X-debian-content-warning: yes + <%- if has_variable?("clamd") && @clamd -%> discard condition = ${if eq {$acl_m_prf}{blackhole}} malware = */defer_ok @@ -1441,7 +1531,11 @@ virt_direct_verify: modemask = 002 directory_transport = address_directory domains = +virtual_domains +<%- if @is_trackermaster -%> + local_part_suffix = +* +<%- else -%> local_part_suffix = -* +<%- end -%> local_part_suffix_optional file = $home/.forward-\ ${if exists {${home}/.forward-${local_part}}{${local_part}}\ @@ -1471,7 +1565,11 @@ virt_direct: group = ${extract{group}{VDOMAINDATA}} headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}" modemask = 002 +<%- if @is_trackermaster -%> + local_part_suffix = +* +<%- else -%> local_part_suffix = -* +<%- end -%> local_part_suffix_optional pipe_transport = address_pipe reply_transport = address_reply