X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=f867c3d20aaff625104c41125057c6d95c5105d9;hb=667bada7f2880c285980d22094f812b21bb4688a;hp=276b0812078c4f2d9350682b58d43aec2d1c15e2;hpb=9fec9108b5c755706fef0678f89ab436027094fa;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 276b08120..f867c3d20 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -35,6 +35,7 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +# bsmtp_domains - Domains that we deliver locally via bsmtp <%= out = "" if nodeinfo['mailrelay'] @@ -131,7 +132,9 @@ domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}} -domainlist handled_domains = +local_domains : +virtual_domains +domainlist bsmtp_domains = ${if exists {/etc/exim4/bsmtp}{partial-lsearch;/etc/exim4/bsmtp}{}} + +domainlist handled_domains = +local_domains : +virtual_domains : +bsmtp_domains localpartlist local_only_users = lsearch;/etc/exim4/localusers @@ -193,10 +196,16 @@ timeout_frozen_after=14d message_size_limit = 100M message_logs = false -smtp_accept_max = 300 smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}} +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> +smtp_accept_max = 300 smtp_accept_queue = 200 smtp_accept_queue_per_connection = 50 +<% else %> +smtp_accept_max = 30 +smtp_accept_queue = 20 +smtp_accept_queue_per_connection = 10 +<% end %> smtp_accept_reserve = 25 smtp_reserve_hosts = +debianhosts @@ -206,9 +215,15 @@ check_spool_space = 20M delay_warning = +<% if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty? %> queue_run_max = 50 deliver_queue_load_max = 50 queue_only_load = 15 +<% else %> +queue_run_max = 5 +deliver_queue_load_max = 10 +queue_only_load = 5 +<% end %> queue_list_requires_admin = false <%= out = "" @@ -281,12 +296,80 @@ RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map ###################################################################### begin acl -acl_localonly: - accept local_parts = +local_only_users - domains = +local_domains - hosts = !+debianhosts +acl_getprofile: + # This is a bad hack to reset the variable, by defining it be something + # never referenced. - deny + warn set acl_m_rprf = $acl_m_undefined + + warn recipients = survey@popcon.debian.org + set acl_m_rprf = PopconMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn local_parts = +local_only_users + domains = +local_domains + hosts = !+debianhosts + set acl_m_rprf = localonly + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + +<%= +out='' +if nodeinfo['rtmaster'] + out=' + warn domains = rt.debian.org + set acl_m_rprf = RTMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> +<%= +out = '' +if nodeinfo['packagesmaster'] + out = ' + warn domains = packages.debian.org + set acl_m_rprf = PackagesMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> +<%= +out = '' +if nodeinfo['packagesqamaster'] + out=' + warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org + set acl_m_rprf = PTSOwner + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn senders = : + domains = packages.qa.debian.org + condition = ${if match{$local_part}{\N^bounces+\N}} + set acl_m_rprf = PTSListBounce + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn domains = packages.qa.debian.org + set acl_m_rprf = PTSMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} +' +end +out +%> + warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org + set acl_m_rprf = DBSignedMail + + accept condition = ${if eq {$acl_m_rprf}{}{no}{yes}} + + warn set acl_m_rprf = normal + + accept check_helo: @@ -521,22 +604,15 @@ out condition = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}} message = no mail should ever come from <$sender_address> - warn condition = ${if eq{$acl_m_lcl}{}} - acl = acl_localonly - set acl_m_lcl = localonly - set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} - - warn condition = ${if eq{$acl_m_lcl}{}} - !acl = acl_localonly - set acl_m_lcl = normal + warn acl = acl_getprofile + condition = ${if eq{$acl_m_prf}{}} + set acl_m_prf = $acl_m_rprf - defer condition = ${if eq{$acl_m_lcl}{localonly}} - !acl = acl_localonly + defer condition = ${if eq{$acl_m_prf}{$acl_m_rprf}{no}{yes}} log_message = Only one profile at a time, please - defer condition = ${if eq{$acl_m_lcl}{normal}} - acl = acl_localonly - log_message = Only one profile at a time, please + warn condition = ${if eq{$acl_m_prf}{localonly}} + set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} <%= out='' @@ -549,9 +625,19 @@ out=' end out %> - - deny !recipients = survey@popcon.debian.org - !verify = sender +<%= +out='' +if nodeinfo['packagesmaster'] + out=' + warn condition = ${if eq {$acl_m_prf}{PackagesMail}} + condition = ${if eq {$sender_address}{$local_part@$domain}} + message = X-Packages-FromTo-Same: yes +' +end +out +%> + deny condition = ${if eq {$acl_m_prf}{PopconMail}{no}{yes}} + !verify = sender defer !hosts = +debianhosts condition = ${if >{${eval:$acl_c_scr}}{0}} @@ -618,41 +704,16 @@ out = ' end out %> - warn recipients = survey@popcon.debian.org - set acl_m1 = PopconMail - <%= out='' if nodeinfo['rtmaster'] out=' - warn domains = rt.debian.org - set acl_m1 = RTMail - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} + warn condition = ${if eq{$acl_m_prf}{RTMail}} + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} ' end out %> -<%= -out='' -if nodeinfo['packagesqamaster'] - out=' - warn domains = packages.qa.debian.org - set acl_m1 = PTSMail - - warn recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org - set acl_m1 = PTSOwner - - warn senders = : - domains = packages.qa.debian.org - condition = ${if match{$local_part}{\N^bounces+\N}} - set acl_m1 = PTSListBounce -' -end -out -%> - warn recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org - set acl_m1 = DBSignedMail - <%= out = "" if has_variable?("greylistd") && greylistd == "true" @@ -824,7 +885,7 @@ check_message: out='' if nodeinfo['rtmaster'] out=' - deny condition = ${if eq {$acl_m1}{RTMail}} + deny condition = ${if eq {$acl_m_prf}{RTMail}} condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \ {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \ {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}} @@ -838,7 +899,7 @@ out='' if nodeinfo['packagesqamaster'] out=' deny !hosts = +debianhosts : 217.196.43.134 - condition = ${if eq {$acl_m1}{PTSMail}} + condition = ${if eq {$acl_m_prf}{PTSMail}} condition = ${if def:h_X-PTS-Approved:{false}{true}} message = messages to the PTS require an X-PTS-Approved header ' @@ -848,7 +909,7 @@ out deny condition = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}} message = Blackisted URI found in body - deny condition = ${if eq {$acl_m1}{DBSignedMail}} + deny condition = ${if eq {$acl_m_prf}{DBSignedMail}} condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \ {!match {$message_body}{PGP SIGNED MESSAGE}} \ {!match {$message_body}{PGP SIGNATURE}} \ @@ -898,10 +959,27 @@ end out %> # Check header_sender except for survey@popcon.d.o - deny condition = ${if eq{$acl_m1}{PopconMail}{false}{true}} - !verify = header_sender - message = No valid sender found in the From:, Sender: and Reply-to: headers + deny condition = ${if eq{$acl_m_prf}{PopconMail}{false}{true}} + !verify = header_sender + message = No valid sender found in the From:, Sender: and Reply-to: headers +<%= +out = "" +if nodeinfo['packagesmaster'] + out = ' + deny message = Congratulations, you scored $spam_score points. + log_message = spam: $spam_score points. + condition = ${if eq {$acl_m_prf}{PackagesMail}} + !authenticated = * + !verify = certificate + !hosts = +debianhosts + condition = ${if <{$message_size}{256000}} + spam = pkg_user : true + condition = ${if >{$spam_score_int}{59}} +' +end +out +%> accept @@ -957,7 +1035,7 @@ out bsmtp: debug_print = "R: bsmtp for $local_part@$domain" driver = manualroute - domains = !+local_domains + domains = +bsmtp_domains require_files = /etc/exim4/bsmtp route_list = * ${extract{file}{\ ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\ @@ -1515,7 +1593,6 @@ out begin retry debian.org * F,2h,10m; G,16h,2h,1.5; F,14d,8h -* * senders=: F,2h,10m * rcpt_4xx F,2h,5m; F,4h,10m; F,4d,15m * * F,2h,15m; G,16h,2h,1.5; F,4d,8h