Merge branch 'master' of git+ssh://zobel@puppet.debian.org/srv/puppet.debian.org...
authorMartin Zobel-Helas <zobel@debian.org>
Sun, 24 May 2009 10:03:31 +0000 (12:03 +0200)
committerMartin Zobel-Helas <zobel@debian.org>
Sun, 24 May 2009 10:03:31 +0000 (12:03 +0200)
29 files changed:
files/etc/logrotate.d/syslog-ng [new file with mode: 0644]
files/etc/puppet/lib/puppet/parser/functions/extractnodeinfo.rb [new file with mode: 0644]
files/etc/puppet/lib/puppet/parser/functions/nodeinfo.rb
files/etc/syslog-ng/syslog-ng.conf [new file with mode: 0644]
manifests/site.pp
modules/buildd/manifests/init.pp
modules/debian-org/manifests/init.pp
modules/debian-org/misc/local.yaml
modules/exim/files/common/ccTLD.txt [new file with mode: 0644]
modules/exim/files/common/exim4.conf [deleted file]
modules/exim/files/common/exim_surbl.pl [new file with mode: 0644]
modules/exim/files/common/surbl_whitelist.txt [new file with mode: 0644]
modules/exim/manifests/init.pp
modules/exim/manifests/mx.pp [new file with mode: 0644]
modules/exim/templates/eximconf.erb [new file with mode: 0644]
modules/nagios/files/common/obsolete-packages-ignore
modules/nagios/files/per-host/liszt.debian.org/obsolete-packages-ignore [new file with mode: 0644]
modules/nagios/files/per-host/samosa.debian.org/obsolete-packages-ignore [new file with mode: 0644]
modules/nagios/files/per-host/zelenka.debian.org/obsolete-packages-ignore
modules/named-secondary/files/common/named.conf.debian-zones [new file with mode: 0644]
modules/named-secondary/manifests/init.pp [new file with mode: 0644]
modules/samhain/files/common/samhainrc [deleted file]
modules/samhain/files/per-host/handel.debian.org/samhainrc [deleted file]
modules/samhain/files/per-host/spohr.debian.org/samhainrc [deleted file]
modules/samhain/manifests/init.pp
modules/samhain/templates/samhainrc.erb [new file with mode: 0644]
modules/sudo/files/common/sudoers
modules/sudo/files/per-host/liszt.debian.org/NOT-PUPPETIZED [deleted file]
modules/sudo/files/per-host/liszt.debian.org/sudoers [deleted file]

diff --git a/files/etc/logrotate.d/syslog-ng b/files/etc/logrotate.d/syslog-ng
new file mode 100644 (file)
index 0000000..37fcbac
--- /dev/null
@@ -0,0 +1,119 @@
+/var/log/auth.log {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+}
+
+/var/log/cron.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/daemon.log {
+   rotate 7
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/debug {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/kern.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/lpr.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.err {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.info {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/mail.log {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+   # listmaster asked for this one
+   delaycompress
+}
+
+/var/log/mail.warn {
+   rotate 30
+   daily
+   dateext
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/messages {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+
+/var/log/user.log {
+   rotate 4
+   weekly
+   missingok
+   notifempty
+   compress
+}
+
+/var/log/uucp.log {
+   rotate 4
+   missingok
+   notifempty
+   weekly
+   compress
+}
+
+/var/log/syslog {
+   rotate 7
+   daily
+   compress
+   postrotate
+      /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null
+   endscript
+}
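Review bot: Only the final `/var/log/syslog` stanza reloads syslog-ng in its `postrotate`, so every other file in this config relies on that last, daily stanza running after its own rotation so the daemon drops its descriptor on the renamed file. That works only as long as the stanza order and cadence stay exactly as they are; a reorder, or a run where the syslog stanza is skipped, would leave syslog-ng writing into the rotated file until the daemon's own idle reaping closes it. Giving each stanza the same `postrotate … /usr/sbin/invoke-rc.d syslog-ng reload >/dev/null … endscript` (with `sharedscripts` so it fires once per run) makes that dependency explicit. Separately, `auth.log` keeps only four weekly rotations, the shortest history of any file here; worth confirming that is the intended retention for authentication events.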
diff --git a/files/etc/puppet/lib/puppet/parser/functions/extractnodeinfo.rb b/files/etc/puppet/lib/puppet/parser/functions/extractnodeinfo.rb
new file mode 100644 (file)
index 0000000..d12386f
--- /dev/null
@@ -0,0 +1,13 @@
+module Puppet::Parser::Functions
+  newfunction(:extractnodeinfo, :type => :rvalue) do |args|
+
+    nodeinfo = args[0]
+    key      = args[1]
+
+    if nodeinfo.has_key?(key)
+      return nodeinfo[key]
+    else
+      return "false"
+    end
+  end
+end
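Review bot: The missing-key sentinel here is the string "false", but the values nodeinfo.rb stores under the same hash are of mixed type: `results[service] = host == yaml['services'][service]` yields a Ruby boolean while `results['heavy_exim'] = "true"` is a string, so a manifest comparing the result against "true"/"false" (as site.pp now does for heavy_exim) behaves differently depending on which key it asks for. There is also no arity or type check, so a call with one argument or a non-hash first argument dies with NoMethodError inside the compiler rather than a readable parse error. I would add `raise Puppet::ParseError, "extractnodeinfo(): expects (hash, key)" unless args.length == 2 and args[0].respond_to?(:has_key?)` at the top and return `nodeinfo[key].to_s` so callers get a string either way. The same type inconsistency applies to the nodeinfo.rb hunk that follows.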
index db16133..84e5bc9 100644 (file)
@@ -21,7 +21,37 @@ module Puppet::Parser::Functions
       end
     end
 
-    ldap = LDAP::Conn.new('samosa.debian.org')
+    if yaml.has_key?('services')
+      ['bugsmaster', 'qamaster', 'mailrelay', 'rtmaster', 'packagesmaster'].each do |service|
+        if yaml['services'].has_key?(service)
+          results[service] = host == yaml['services'][service]
+        end
+      end
+    end
+
+    results['mail_port']      = ''
+    results['smarthost']      = ''
+    results['heavy_exim']     = ''
+    results['smarthost_port'] = 587
+    results['reservedaddrs']  = '0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/17 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5'
+
+    if yaml.has_key?('mail_port') and yaml['mail_port'].has_key?(host)
+      results['mail_port'] = yaml['mail_port'][host]
+    end
+
+    if yaml.has_key?('need_smarthost') and yaml['need_smarthost'].include?(host)
+      results['smarthost']     = "mailout.debian.org"
+    end
+
+    if yaml.has_key?('reservedaddrs') and yaml['reservedaddrs'].has_key?(host)
+      results['reservedaddrs'] = yaml['reservedaddrs'][host]
+    end
+
+    if yaml.has_key?('heavy_exim') and yaml['heavy_exim'].include?(host)
+      results['heavy_exim']    = "true"
+    end
+
+    ldap = LDAP::Conn.new('db.debian.org')
 
     results['ldap'] = []
     filter = '(hostname=' + host +')'
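Review bot: Each new lookup dereferences the YAML value without checking its type: `yaml['mail_port'].has_key?(host)`, `yaml['need_smarthost'].include?(host)`, `yaml['reservedaddrs'].has_key?(host)` and `yaml['heavy_exim'].include?(host)` all raise NoMethodError when the key is present but empty (a bare `mail_port:` in local.yaml loads as nil), and because this runs at catalog compile time that breaks every node, not just the misconfigured one. A guard such as `if yaml['mail_port'].is_a?(Hash) and yaml['mail_port'].has_key?(host)` (and `is_a?(Array)` for the two list keys) fails closed to the defaults set just above. The enclosing function starts before this hunk, so I cannot see how `yaml` and `results` are initialised.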
diff --git a/files/etc/syslog-ng/syslog-ng.conf b/files/etc/syslog-ng/syslog-ng.conf
new file mode 100644 (file)
index 0000000..d4afc62
--- /dev/null
@@ -0,0 +1,351 @@
+#
+# Configuration file for syslog-ng under Debian
+#
+# attempts at reproducing default syslog behavior
+
+# the standard syslog levels are (in descending order of priority):
+# emerg alert crit err warning notice info debug
+# the aliases "error", "panic", and "warn" are deprecated
+# the "none" priority found in the original syslogd configuration is
+# only used in internal messages created by syslogd
+
+
+######
+# options
+
+options {
+        # disable the chained hostname format in logs
+        # (default is enabled)
+        chain_hostnames(0);
+
+        # the time to wait before a died connection is re-established
+        # (default is 60)
+        time_reopen(10);
+
+        # the time to wait before an idle destination file is closed
+        # (default is 60)
+        time_reap(360);
+
+        # the number of lines buffered before written to file
+        # you might want to increase this if your disk isn't catching with
+        # all the log messages you get or if you want less disk activity
+        # (say on a laptop)
+        # (default is 0)
+        #sync(0);
+
+        # the number of lines fitting in the output queue
+        log_fifo_size(2048);
+
+        # enable or disable directory creation for destination files
+        create_dirs(yes);
+
+        # default owner, group, and permissions for log files
+        # (defaults are 0, 0, 0600)
+        #owner(root);
+        group(adm);
+        perm(0640);
+
+        # default owner, group, and permissions for created directories
+        # (defaults are 0, 0, 0700)
+        #dir_owner(root);
+        #dir_group(root);
+        dir_perm(0755);
+
+        # enable or disable DNS usage
+        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
+        # a Denial of Service attack
+        # (default is yes)
+        use_dns(no);
+
+        # maximum length of message in bytes
+        # this is only limited by the program listening on the /dev/log Unix
+        # socket, glibc can handle arbitrary length log messages, but -- for
+        # example -- syslogd accepts only 1024 bytes
+        # (default is 2048)
+        #log_msg_size(2048);
+
+       #Disable statistic log messages.
+       stats_freq(0);
+
+       # Some program send log messages through a private implementation.
+       # and sometimes that implementation is bad. If this happen syslog-ng
+       # may recognise the program name as hostname. Whit this option
+       # we tell the syslog-ng that if a hostname match this regexp than that
+       # is not a real hostname.
+       bad_hostname("^gconfd$");
+};
+
+
+######
+# sources
+
+# all known message sources
+source s_all {
+        # message generated by Syslog-NG
+        internal();
+        # standard Linux log source (this is the default place for the syslog()
+        # function to send logs to)
+        unix-stream("/dev/log");
+        # messages from the kernel
+        file("/proc/kmsg" log_prefix("kernel: "));
+        # use the following line if you want to receive remote UDP logging messages
+        # (this is equivalent to the "-r" syslogd flag)
+        # udp();
+};
+
+
+######
+# destinations
+
+# some standard log files
+destination df_auth { file("/var/log/auth.log"); };
+destination df_syslog { file("/var/log/syslog"); };
+destination df_cron { file("/var/log/cron.log"); };
+destination df_daemon { file("/var/log/daemon.log"); };
+destination df_kern { file("/var/log/kern.log"); };
+destination df_lpr { file("/var/log/lpr.log"); };
+destination df_mail { file("/var/log/mail.log" group(maillog)); };
+destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
+destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
+destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
+destination df_user { file("/var/log/user.log" perm(0644)); };
+destination df_uucp { file("/var/log/uucp.log"); };
+
+# these files are meant for the mail system log files
+# and provide re-usable destinations for {mail,cron,...}.info,
+# {mail,cron,...}.notice, etc.
+destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
+destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
+destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
+destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
+destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
+
+# these files are meant for the news system, and are kept separated
+# because they should be owned by "news" instead of "root"
+destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
+destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
+destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };
+
+# some more classical and useful files found in standard syslog configurations
+destination df_debug { file("/var/log/debug"); };
+destination df_messages { file("/var/log/messages"); };
+
+# pipes
+# a console to view log messages under X
+destination dp_xconsole { pipe("/dev/xconsole"); };
+
+# consoles
+# this will send messages to everyone logged in
+destination du_all { usertty("*"); };
+
+
+######
+# filters
+
+# all messages from the auth and authpriv facilities
+filter f_auth { facility(auth, authpriv); };
+
+# all messages except from the auth and authpriv facilities
+filter f_syslog { not facility(auth, authpriv); };
+
+# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
+# and uucp facilities
+filter f_cron { facility(cron); };
+filter f_daemon { facility(daemon); };
+filter f_kern { facility(kern); };
+filter f_lpr { facility(lpr); };
+filter f_mail { facility(mail); };
+filter f_news { facility(news); };
+filter f_user { facility(user); };
+filter f_uucp { facility(uucp); };
+
+# some filters to select messages of priority greater or equal to info, warn,
+# and err
+# (equivalents of syslogd's *.info, *.warn, and *.err)
+filter f_at_least_info { level(info..emerg); };
+filter f_at_least_notice { level(notice..emerg); };
+filter f_at_least_warn { level(warn..emerg); };
+filter f_at_least_err { level(err..emerg); };
+filter f_at_least_crit { level(crit..emerg); };
+
+# all messages of priority debug not coming from the auth, authpriv, news, and
+# mail facilities
+filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
+
+# all messages of info, notice, or warn priority not coming form the auth,
+# authpriv, cron, daemon, mail, and news facilities
+filter f_messages {
+        level(info,notice,warn)
+            and not facility(auth,authpriv,cron,daemon,mail,news);
+};
+
+# messages with priority emerg
+filter f_emerg { level(emerg); };
+
+# complex filter for messages usually sent to the xconsole
+filter f_xconsole {
+    facility(daemon,mail)
+        or level(debug,info,notice,warn)
+        or (facility(news)
+                and level(crit,err,notice));
+};
+
+
+######
+# logs
+# order matters if you use "flags(final);" to mark the end of processing in a
+# "log" statement
+
+# these rules provide the same behavior as the commented original syslogd rules
+
+# auth,authpriv.*                 /var/log/auth.log
+log {
+        source(s_all);
+        filter(f_auth);
+        destination(df_auth);
+};
+
+# *.*;auth,authpriv.none          -/var/log/syslog
+log {
+        source(s_all);
+        filter(f_syslog);
+        destination(df_syslog);
+};
+
+# this is commented out in the default syslog.conf
+# cron.*                         /var/log/cron.log
+#log {
+#        source(s_all);
+#        filter(f_cron);
+#        destination(df_cron);
+#};
+
+# daemon.*                        -/var/log/daemon.log
+log {
+        source(s_all);
+        filter(f_daemon);
+        destination(df_daemon);
+};
+
+# kern.*                          -/var/log/kern.log
+log {
+        source(s_all);
+        filter(f_kern);
+        destination(df_kern);
+};
+
+# lpr.*                           -/var/log/lpr.log
+log {
+        source(s_all);
+        filter(f_lpr);
+        destination(df_lpr);
+};
+
+# mail.*                          -/var/log/mail.log
+log {
+        source(s_all);
+        filter(f_mail);
+        destination(df_mail);
+};
+
+# user.*                          -/var/log/user.log
+log {
+        source(s_all);
+        filter(f_user);
+        destination(df_user);
+};
+
+# uucp.*                          /var/log/uucp.log
+log {
+        source(s_all);
+        filter(f_uucp);
+        destination(df_uucp);
+};
+
+# mail.info                       -/var/log/mail.info
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_info);
+        destination(df_mail_info);
+};
+
+# mail.warn                       -/var/log/mail.warn
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_warn);
+        destination(df_mail_warn);
+};
+
+# mail.err                        /var/log/mail.err
+log {
+        source(s_all);
+        filter(f_mail);
+        filter(f_at_least_err);
+        destination(df_mail_err);
+};
+
+# news.crit                       /var/log/news/news.crit
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_crit);
+        destination(df_news_dot_crit);
+};
+
+# news.err                        /var/log/news/news.err
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_err);
+        destination(df_news_dot_err);
+};
+
+# news.notice                     /var/log/news/news.notice
+log {
+        source(s_all);
+        filter(f_news);
+        filter(f_at_least_notice);
+        destination(df_news_dot_notice);
+};
+
+
+# *.=debug;\
+#         auth,authpriv.none;\
+#         news.none;mail.none     -/var/log/debug
+log {
+        source(s_all);
+        filter(f_debug);
+        destination(df_debug);
+};
+
+
+# *.=info;*.=notice;*.=warn;\
+#         auth,authpriv.none;\
+#         cron,daemon.none;\
+#         mail,news.none          -/var/log/messages
+log {
+        source(s_all);
+        filter(f_messages);
+        destination(df_messages);
+};
+
+# *.emerg                         *
+log {
+        source(s_all);
+        filter(f_emerg);
+        destination(du_all);
+};
+
+
+# daemon.*;mail.*;\
+#         news.crit;news.err;news.notice;\
+#         *.=debug;*.=info;\
+#         *.=notice;*.=warn       |/dev/xconsole
+log {
+        source(s_all);
+        filter(f_xconsole);
+        destination(dp_xconsole);
+};
+
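Review bot: `destination df_user { file("/var/log/user.log" perm(0644)); };` is the only destination that overrides the global `perm(0640)`/`group(adm)` set in the options block, making user-facility messages world-readable with nothing saying why. The user facility is where unprivileged processes log by default, so that file carries whatever they choose to emit; if the override is deliberate, a comment such as `# world-readable on purpose: <reason>` above the line stops the next editor from "fixing" it, otherwise drop `perm(0644)` and let the default apply.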
index 4d3b67c..28db182 100644 (file)
@@ -18,12 +18,12 @@ node default {
     include sudo
     include debian-org
     include monit
-    include samhain
     include apt-keys
 
     $nodeinfo = nodeinfo($fqdn, "/etc/puppet/modules/debian-org/misc/local.yaml")
 
     include motd
+    include samhain
 
     case $smartarraycontroller {
         "true":    { include debian-proliant }
@@ -31,7 +31,12 @@ node default {
     }
 
     case $mta {
-        "exim4":   { include exim }
+        "exim4":   {
+             case extractnodeinfo($nodeinfo, 'heavy_exim') {
+                  "true":  { include exim::mx }
+                  default: { include exim }
+             }
+        }
         default:   {}
     }
 
@@ -47,17 +52,25 @@ node default {
 
     case $apache2 {
         "true":    { case $hostname {
-                        carver,rore,draghi,tartini:  { include apache2 }
+                        carver,rore,draghi,tartini,samosa,duarte,piatti:  { include apache2 }
                         default:   {}
                    } }
         default: {}
     }
 
     case $hostname {
-        ancina,arcadelt,argento,brahms,goedel,goetz,lafayette,malo,murphy,praetorius,puccini:
+        ancina,arcadelt,argento,brahms,goedel,goetz,lafayette,malo,murphy,praetorius,puccini,paer:
                    { include buildd }
         default:   {}
     }
+
+# maybe wait for rietz to be upgraded to lenny
+#    case $hostname {
+#        rietz,raff,klecker:
+#                   { include named-secondary }
+#        default:   {}
+#    }
+
     case $hostname {
         geo1,geo2,geo3:
                    { include geodns }
index 8f68e69..1d711b9 100644 (file)
@@ -10,7 +10,8 @@ class buildd {
    file {
       "/etc/apt/sources.list.d/buildd.list":
              source => "puppet:///files/etc/apt/sources.list.d/buildd.list",
-             require => Package["apt-transport-https"]
+             require => Package["apt-transport-https"],
+             notify  => Exec["apt-get update"],
              ;
 
         "/etc/apt/trusted-keys.d/buildd.debian.org.asc":
index 9612a6f..de1b4a6 100644 (file)
@@ -21,18 +21,26 @@ class debian-org {
              "dnsutils": ensure => installed;
              "bash-completion": ensure => installed;
              "libfilesystem-ruby1.8": ensure => installed;
+             "syslog-ng": ensure => installed;
+             "sysklogd": ensure => purged;
+             "klogd": ensure => purged;
+             "rsyslog": ensure => purged;
    }
    file {
       "/etc/apt/preferences":
              source => "puppet:///files/etc/apt/preferences";
       "/etc/apt/sources.list.d/backports.org.list":
-             source => "puppet:///files/etc/apt/sources.list.d/backports.org.list";
+             source => "puppet:///files/etc/apt/sources.list.d/backports.org.list",
+             notify  => Exec["apt-get update"];
       "/etc/apt/sources.list.d/debian.org.list":
-             source => "puppet:///files/etc/apt/sources.list.d/debian.org.list";
+             source => "puppet:///files/etc/apt/sources.list.d/debian.org.list",
+             notify  => Exec["apt-get update"];
       "/etc/apt/sources.list.d/security.list":
-             source => "puppet:///files/etc/apt/sources.list.d/security.list";
+             source => "puppet:///files/etc/apt/sources.list.d/security.list",
+             notify  => Exec["apt-get update"];
       "/etc/apt/sources.list.d/volatile.list":
-             source => "puppet:///files/etc/apt/sources.list.d/volatile.list";
+             source => "puppet:///files/etc/apt/sources.list.d/volatile.list",
+             notify  => Exec["apt-get update"];
       "/etc/apt/apt.conf.d/local-recommends":
              source => "puppet:///files/etc/apt/apt.conf.d/local-recommends";
       "/etc/apt/apt.conf.d/local-pdiffs":
@@ -46,6 +54,14 @@ class debian-org {
       "/etc/default/puppet":
              source => "puppet:///files/etc/default/puppet",
              notify  => Exec["puppet restart"];
+
+      "/etc/syslog-ng/syslog-ng.conf":
+             source => "puppet:///files/etc/syslog-ng/syslog-ng.conf",
+             notify  => Exec["syslog-ng reload"],
+             ;
+      "/etc/logrotate.d/syslog-ng":
+             source => "puppet:///files/etc/logrotate.d/syslog-ng",
+             ;
    }
    case $hostname {
         handel: {
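Review bot: `"/etc/syslog-ng/syslog-ng.conf"` is given `notify => Exec["syslog-ng reload"]` but no `require => Package["syslog-ng"]`, so on a host that has not yet had syslog-ng installed (the package is added in the previous hunk of this file) Puppet may try to write the file before the package creates /etc/syslog-ng, and the reload exec then fires against a daemon that is not there. Adding `require => Package["syslog-ng"],` to that resource, and to the `/etc/logrotate.d/syslog-ng` one, pins the order. In the preceding hunk there is likewise no stated ordering between installing syslog-ng and purging sysklogd/klogd/rsyslog; whether the host is ever left without a logger depends on package conflicts rather than on the manifest, which is worth a one-off check. The enclosing file block starts before this hunk.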
@@ -72,10 +88,19 @@ class debian-org {
              path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
              refreshonly => true,
    }
+   exec { "syslog-ng reload":
+             path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+             refreshonly => true,
+   }
    exec { "dpkg-reconfigure tzdata -pcritical -fnoninteractive":
            path        => "/usr/bin:/usr/sbin:/bin:/sbin",
            refreshonly => true,
-        }
+   }
+   exec { "apt-get update":
+             command => 'apt-get update',
+             path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+             refreshonly => true
+   }
 }
 
 class debian-proliant inherits debian-org {
@@ -86,6 +111,7 @@ class debian-proliant inherits debian-org {
    }
    file {
       "/etc/apt/sources.list.d/debian.restricted.list":
-             source => "puppet:///files/etc/apt/sources.list.d/debian.restricted.list";
+             source => "puppet:///files/etc/apt/sources.list.d/debian.restricted.list",
+             notify  => Exec["apt-get update"];
    }
 }
index a1148d9..5f765a1 100644 (file)
@@ -64,5 +64,33 @@ footer:
   schroeder.debian.org: "- This host is using an iptables firewall.  See /etc/rc.boot/firewall{,6}"
   verdi.debian.org: "- This host is using an iptables firewall.  See /etc/ferm/ferm.conf"
   zelenka.debian.org: "Debian s390 porter system kindly provided by Zentrum fuer Informationsverarbeitung und Informationstechnik [zivit]"
+need_smarthost:
+  - ancina.debian.org
+  - allegri.debian.org
+  - piatti.debian.org
+heavy_exim:
+  - raff.debian.org
+  - gluck.debian.org
+  - merkel.debian.org
+  - spohr.debian.org
+  - draghi.debian.org
+  - master.debian.org
+  - ries.debian.org
+  - rietz.debian.org
+  - klecker.debian.org
+  - powell.debian.org
+services:
+  bugsmaster: rietz.debian.org
+  qamaster: merkel.debian.org
+  mailrelay: spohr.debian.org
+  rtmaster: spohr.debian.org
+  packagesmaster: powell.debian.org
+mail_port:
+  ancina.debian.org: 2025
+  allegri.debian.org: 2025
+  piatti.debian.org: 2025
+  kassia.debian.org: 587
+reservedaddrs:
+  ball.debian.org: "0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/17 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5"
 ---
 
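Review bot: The `reservedaddrs` entry for ball.debian.org is byte-for-byte the default that nodeinfo.rb assigns to `results['reservedaddrs']` before consulting this file, so the override changes nothing. Either drop it or, if it is kept as a template for future per-host overrides, say so in a comment such as `# same as the built-in default in nodeinfo.rb; kept as an example override` so nobody later assumes ball needs a distinct list.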
diff --git a/modules/exim/files/common/ccTLD.txt b/modules/exim/files/common/ccTLD.txt
new file mode 100644 (file)
index 0000000..d04aa8a
--- /dev/null
@@ -0,0 +1,1931 @@
+2000.hu
+ab.ca
+ab.se
+abo.pa
+ac.ae
+ac.am
+ac.at
+ac.bd
+ac.be
+ac.cn
+ac.com
+ac.cr
+ac.cy
+ac.fj
+ac.fk
+ac.gg
+ac.gn
+ac.hu
+ac.id
+ac.il
+ac.im
+ac.in
+ac.ir
+ac.je
+ac.jp
+ac.ke
+ac.kr
+ac.lk
+ac.ma
+ac.me
+ac.mw
+ac.ng
+ac.nz
+ac.om
+ac.pa
+ac.pg
+ac.rs
+ac.ru
+ac.rw
+ac.se
+ac.th
+ac.tj
+ac.tz
+ac.ug
+ac.uk
+ac.vn
+ac.yu
+ac.za
+ac.zm
+ac.zw
+act.au
+ad.jp
+adm.br
+adult.ht
+adv.br
+adygeya.ru
+aero.mv
+aero.tt
+aeroport.fr
+agr.br
+agrar.hu
+agro.pl
+ah.cn
+aichi.jp
+aid.pl
+ak.us
+akita.jp
+al.us
+aland.fi
+alderney.gg
+alt.na
+alt.za
+altai.ru
+am.br
+amur.ru
+amursk.ru
+aomori.jp
+ar.us
+arkhangelsk.ru
+army.mil
+arq.br
+art.br
+art.do
+art.dz
+art.ht
+art.pl
+arts.co
+arts.ro
+arts.ve
+asn.au
+asn.lv
+ass.dz
+assedic.fr
+assn.lk
+asso.dz
+asso.fr
+asso.gp
+asso.ht
+asso.mc
+asso.re
+astrakhan.ru
+at.tf
+at.tt
+atm.pl
+ato.br
+au.com
+au.tt
+augustow.pl
+auto.pl
+av.tr
+avocat.fr
+avoues.fr
+az.us
+babia-gora.pl
+baikal.ru
+barreau.fr
+bashkiria.ru
+bbs.tr
+bc.ca
+bd.se
+be.tt
+bedzin.pl
+bel.tr
+belgie.be
+belgorod.ru
+beskidy.pl
+bg.tf
+bialowieza.pl
+bialystok.pl
+bib.ve
+bielawa.pl
+bieszczady.pl
+bio.br
+bir.ru
+biz.az
+biz.bh
+biz.cy
+biz.et
+biz.fj
+biz.ly
+biz.mv
+biz.nr
+biz.om
+biz.pk
+biz.pl
+biz.pr
+biz.tj
+biz.tr
+biz.tt
+biz.ua
+biz.vn
+bj.cn
+bl.uk
+bmd.br
+boleslawiec.pl
+bolt.hu
+bourse.za
+br.com
+brand.se
+british-library.uk
+bryansk.ru
+buryatia.ru
+busan.kr
+bydgoszcz.pl
+bytom.pl
+c.se
+ca.tf
+ca.tt
+ca.us
+casino.hu
+cbg.ru
+cc.bh
+cci.fr
+ch.tf
+ch.vu
+chambagri.fr
+chel.ru
+chelyabinsk.ru
+cherkassy.ua
+chernigov.ua
+chernovtsy.ua
+chiba.jp
+chirurgiens-dentistes.fr
+chita.ru
+chukotka.ru
+chungbuk.kr
+chungnam.kr
+chuvashia.ru
+cieszyn.pl
+cim.br
+city.hu
+city.za
+ck.ua
+club.tw
+cmw.ru
+cn.com
+cn.ua
+cng.br
+cnt.br
+co.ae
+co.ag
+co.am
+co.ao
+co.at
+co.ba
+co.bw
+co.ck
+co.cr
+co.dk
+co.ee
+co.fk
+co.gg
+co.hu
+co.id
+co.il
+co.im
+co.in
+co.ir
+co.je
+co.jp
+co.ke
+co.kr
+co.ls
+co.ma
+co.me
+co.mu
+co.mw
+co.mz
+co.nz
+co.om
+co.rs
+co.rw
+co.st
+co.th
+co.tj
+co.tt
+co.tv
+co.tz
+co.ua
+co.ug
+co.uk
+co.us
+co.uz
+co.ve
+co.vi
+co.yu
+co.za
+co.zm
+co.zw
+com.ac
+com.ae
+com.af
+com.ag
+com.ai
+com.al
+com.am
+com.an
+com.ar
+com.au
+com.aw
+com.az
+com.ba
+com.bb
+com.bd
+com.bh
+com.bm
+com.bn
+com.bo
+com.br
+com.bs
+com.bt
+com.bz
+com.cd
+com.ch
+com.cn
+com.co
+com.cu
+com.cy
+com.dm
+com.do
+com.dz
+com.ec
+com.ee
+com.eg
+com.er
+com.es
+com.et
+com.fj
+com.fk
+com.fr
+com.ge
+com.gh
+com.gi
+com.gn
+com.gp
+com.gr
+com.gt
+com.gu
+com.hk
+com.hn
+com.hr
+com.ht
+com.io
+com.jm
+com.jo
+com.kg
+com.kh
+com.ki
+com.kw
+com.ky
+com.kz
+com.la
+com.lb
+com.lc
+com.li
+com.lk
+com.lr
+com.lv
+com.ly
+com.mg
+com.mk
+com.mm
+com.mn
+com.mo
+com.mt
+com.mu
+com.mv
+com.mw
+com.mx
+com.my
+com.na
+com.nc
+com.nf
+com.ng
+com.ni
+com.np
+com.nr
+com.om
+com.pa
+com.pe
+com.pf
+com.pg
+com.ph
+com.pk
+com.pl
+com.pr
+com.ps
+com.pt
+com.py
+com.qa
+com.re
+com.ro
+com.ru
+com.rw
+com.sa
+com.sb
+com.sc
+com.sd
+com.sg
+com.sh
+com.st
+com.sv
+com.sy
+com.tj
+com.tn
+com.tr
+com.tt
+com.tw
+com.ua
+com.uy
+com.uz
+com.vc
+com.ve
+com.vi
+com.vn
+com.vu
+com.ws
+com.ye
+conf.au
+conf.lv
+consulado.st
+coop.br
+coop.ht
+coop.mv
+coop.mw
+coop.tt
+cpa.pro
+cq.cn
+cri.nz
+crimea.ua
+csiro.au
+ct.us
+cul.na
+cv.ua
+cz.tf
+czeladz.pl
+czest.pl
+d.se
+daegu.kr
+daejeon.kr
+dagestan.ru
+dc.us
+de.com
+de.net
+de.tf
+de.tt
+de.us
+de.vu
+dk.org
+dk.tt
+dlugoleka.pl
+dn.ua
+dnepropetrovsk.ua
+dni.us
+dns.be
+donetsk.ua
+dp.ua
+dpn.br
+dr.tr
+dudinka.ru
+e-burg.ru
+e.se
+e12.ve
+e164.arpa
+ebiz.tw
+ecn.br
+ed.ao
+ed.cr
+ed.jp
+edu.ac
+edu.af
+edu.ai
+edu.al
+edu.am
+edu.an
+edu.ar
+edu.au
+edu.az
+edu.ba
+edu.bb
+edu.bd
+edu.bh
+edu.bm
+edu.bn
+edu.bo
+edu.br
+edu.bt
+edu.ck
+edu.cn
+edu.co
+edu.cu
+edu.dm
+edu.do
+edu.dz
+edu.ec
+edu.ee
+edu.eg
+edu.er
+edu.es
+edu.et
+edu.ge
+edu.gh
+edu.gi
+edu.gp
+edu.gr
+edu.gt
+edu.gu
+edu.hk
+edu.hn
+edu.ht
+edu.hu
+edu.in
+edu.it
+edu.jm
+edu.jo
+edu.kg
+edu.kh
+edu.kw
+edu.ky
+edu.kz
+edu.lb
+edu.lc
+edu.lk
+edu.lr
+edu.lv
+edu.ly
+edu.me
+edu.mg
+edu.mm
+edu.mn
+edu.mo
+edu.mt
+edu.mv
+edu.mw
+edu.mx
+edu.my
+edu.na
+edu.ng
+edu.ni
+edu.np
+edu.nr
+edu.om
+edu.pa
+edu.pe
+edu.pf
+edu.ph
+edu.pk
+edu.pl
+edu.pr
+edu.ps
+edu.pt
+edu.py
+edu.qa
+edu.rs
+edu.ru
+edu.rw
+edu.sa
+edu.sb
+edu.sc
+edu.sd
+edu.sg
+edu.sh
+edu.sk
+edu.st
+edu.sv
+edu.tf
+edu.tj
+edu.tr
+edu.tt
+edu.tw
+edu.ua
+edu.uk
+edu.uy
+edu.ve
+edu.vi
+edu.vn
+edu.vu
+edu.ws
+edu.ye
+edu.yu
+edu.za
+edunet.tn
+ehime.jp
+ekloges.cy
+elblag.pl
+elk.pl
+embaixada.st
+eng.br
+ens.tn
+ernet.in
+erotica.hu
+erotika.hu
+es.kr
+es.tt
+esp.br
+etc.br
+eti.br
+eu.com
+eu.org
+eu.tf
+eu.tt
+eun.eg
+experts-comptables.fr
+f.se
+fam.pk
+far.br
+fareast.ru
+fax.nr
+fed.us
+fgov.be
+fh.se
+fhs.no
+fhsk.se
+fhv.se
+fi.cr
+fie.ee
+film.hu
+fin.ec
+fin.tn
+firm.co
+firm.ht
+firm.in
+firm.ro
+firm.ve
+fj.cn
+fl.us
+fm.br
+fnd.br
+folkebibl.no
+forum.hu
+fot.br
+fr.tt
+fr.vu
+from.hr
+fst.br
+fukui.jp
+fukuoka.jp
+fukushima.jp
+fylkesbibl.no
+g.se
+g12.br
+ga.us
+game.tw
+games.hu
+gangwon.kr
+gb.com
+gb.net
+gbr.me
+gc.ca
+gd.cn
+gda.pl
+gdansk.pl
+geek.nz
+gen.in
+gen.nz
+gen.tr
+geometre-expert.fr
+ggf.br
+gifu.jp
+glogow.pl
+gmina.pl
+gniezno.pl
+go.cr
+go.id
+go.jp
+go.ke
+go.kr
+go.th
+go.tj
+go.tz
+go.ug
+gob.bo
+gob.do
+gob.es
+gob.gt
+gob.hn
+gob.mx
+gob.ni
+gob.pa
+gob.pe
+gob.pk
+gob.sv
+gob.ve
+gok.pk
+gon.pk
+gop.pk
+gorlice.pl
+gos.pk
+gouv.fr
+gouv.ht
+gouv.rw
+gov.ac
+gov.ae
+gov.af
+gov.ai
+gov.al
+gov.am
+gov.ar
+gov.au
+gov.az
+gov.ba
+gov.bb
+gov.bd
+gov.bf
+gov.bh
+gov.bm
+gov.bo
+gov.br
+gov.bt
+gov.by
+gov.ch
+gov.ck
+gov.cn
+gov.co
+gov.cu
+gov.cx
+gov.cy
+gov.dm
+gov.do
+gov.dz
+gov.ec
+gov.eg
+gov.er
+gov.et
+gov.fj
+gov.fk
+gov.ge
+gov.gg
+gov.gh
+gov.gi
+gov.gn
+gov.gr
+gov.gu
+gov.hk
+gov.hu
+gov.ie
+gov.il
+gov.im
+gov.in
+gov.io
+gov.ir
+gov.it
+gov.je
+gov.jm
+gov.jo
+gov.jp
+gov.kg
+gov.kh
+gov.kw
+gov.ky
+gov.kz
+gov.lb
+gov.lc
+gov.li
+gov.lk
+gov.lr
+gov.lt
+gov.lu
+gov.lv
+gov.ly
+gov.ma
+gov.me
+gov.mg
+gov.mm
+gov.mn
+gov.mo
+gov.mt
+gov.mv
+gov.mw
+gov.my
+gov.ng
+gov.np
+gov.nr
+gov.om
+gov.ph
+gov.pk
+gov.pl
+gov.pr
+gov.ps
+gov.pt
+gov.py
+gov.qa
+gov.rs
+gov.ru
+gov.rw
+gov.sa
+gov.sb
+gov.sc
+gov.sd
+gov.sg
+gov.sh
+gov.sk
+gov.st
+gov.sy
+gov.tj
+gov.tn
+gov.to
+gov.tp
+gov.tr
+gov.tt
+gov.tv
+gov.tw
+gov.ua
+gov.uk
+gov.ve
+gov.vi
+gov.vn
+gov.ws
+gov.ye
+gov.za
+gov.zm
+gov.zw
+govt.nz
+gr.jp
+grajewo.pl
+greta.fr
+grozny.ru
+grp.lk
+gs.cn
+gsm.pl
+gub.uy
+guernsey.gg
+gunma.jp
+gv.ao
+gv.at
+gwangju.kr
+gx.cn
+gyeongbuk.kr
+gyeonggi.kr
+gyeongnam.kr
+gz.cn
+h.se
+ha.cn
+hb.cn
+he.cn
+health.vn
+herad.no
+hi.cn
+hi.us
+hiroshima.jp
+hk.cn
+hl.cn
+hn.cn
+hokkaido.jp
+hotel.hu
+hotel.lk
+hs.kr
+hu.com
+huissier-justice.fr
+hyogo.jp
+i.se
+ia.us
+ibaraki.jp
+icnet.uk
+id.au
+id.fj
+id.ir
+id.lv
+id.ly
+id.us
+idf.il
+idn.sg
+idrett.no
+idv.hk
+idv.tw
+if.ua
+il.us
+ilawa.pl
+imb.br
+in-addr.arpa
+in.rs
+in.th
+in.ua
+in.us
+incheon.kr
+ind.br
+ind.er
+ind.gg
+ind.gt
+ind.in
+ind.je
+ind.tn
+inf.br
+inf.cu
+info.au
+info.az
+info.bh
+info.co
+info.cu
+info.cy
+info.ec
+info.et
+info.fj
+info.ht
+info.hu
+info.mv
+info.nr
+info.pl
+info.pr
+info.ro
+info.sd
+info.tn
+info.tr
+info.tt
+info.ve
+info.vn
+ing.pa
+ingatlan.hu
+inima.al
+int.am
+int.ar
+int.az
+int.bo
+int.co
+int.lk
+int.mv
+int.mw
+int.pt
+int.ru
+int.rw
+int.tf
+int.tj
+int.tt
+int.ve
+int.vn
+intl.tn
+ip6.arpa
+iris.arpa
+irkutsk.ru
+isa.us
+ishikawa.jp
+isla.pr
+it.ao
+it.tt
+its.me
+ivano-frankivsk.ua
+ivanovo.ru
+iwate.jp
+iwi.nz
+iz.hr
+izhevsk.ru
+jamal.ru
+jar.ru
+jaworzno.pl
+jeju.kr
+jelenia-gora.pl
+jeonbuk.kr
+jeonnam.kr
+jersey.je
+jet.uk
+jgora.pl
+jl.cn
+jobs.tt
+jogasz.hu
+jor.br
+joshkar-ola.ru
+js.cn
+jx.cn
+k-uralsk.ru
+k.se
+k12.ec
+k12.il
+k12.tr
+kagawa.jp
+kagoshima.jp
+kalisz.pl
+kalmykia.ru
+kaluga.ru
+kamchatka.ru
+kanagawa.jp
+kanazawa.jp
+karelia.ru
+karpacz.pl
+kartuzy.pl
+kaszuby.pl
+katowice.pl
+kawasaki.jp
+kazan.ru
+kazimierz-dolny.pl
+kchr.ru
+kemerovo.ru
+kepno.pl
+ketrzyn.pl
+kg.kr
+kh.ua
+khabarovsk.ru
+khakassia.ru
+kharkov.ua
+kherson.ua
+khmelnitskiy.ua
+khv.ru
+kids.us
+kiev.ua
+kirov.ru
+kirovograd.ua
+kitakyushu.jp
+klodzko.pl
+km.ua
+kms.ru
+kobe.jp
+kobierzyce.pl
+kochi.jp
+koenig.ru
+kolobrzeg.pl
+komforb.se
+komi.ru
+kommunalforbund.se
+kommune.no
+komvux.se
+konin.pl
+konskowola.pl
+konyvelo.hu
+kostroma.ru
+kr.ua
+krakow.pl
+krasnoyarsk.ru
+ks.ua
+ks.us
+kuban.ru
+kumamoto.jp
+kurgan.ru
+kursk.ru
+kustanai.ru
+kutno.pl
+kuzbass.ru
+kv.ua
+ky.us
+kyonggi.kr
+kyoto.jp
+la.us
+lakas.hu
+lanarb.se
+lanbib.se
+lapy.pl
+law.pro
+law.za
+lebork.pl
+legnica.pl
+lel.br
+lezajsk.pl
+lg.jp
+lg.ua
+limanowa.pl
+lipetsk.ru
+lkd.co.im
+ln.cn
+lodz.pl
+lomza.pl
+lowicz.pl
+ltd.co.im
+ltd.cy
+ltd.gg
+ltd.gi
+ltd.je
+ltd.lk
+ltd.uk
+lubin.pl
+lublin.pl
+lugansk.ua
+lukow.pl
+lutsk.ua
+lviv.ua
+m.se
+ma.us
+magadan.ru
+magnitka.ru
+mail.pl
+malbork.pl
+malopolska.pl
+maori.nz
+mari-el.ru
+mari.ru
+marine.ru
+mat.br
+matsuyama.jp
+mazowsze.pl
+mazury.pl
+mb.ca
+md.us
+me.uk
+me.us
+med.br
+med.ec
+med.ee
+med.ht
+med.ly
+med.om
+med.pa
+med.pro
+med.sa
+med.sd
+medecin.fr
+media.hu
+media.pl
+mi.th
+mi.us
+miasta.pl
+mie.jp
+mielec.pl
+mielno.pl
+mil.ac
+mil.ae
+mil.am
+mil.ar
+mil.az
+mil.ba
+mil.bd
+mil.bo
+mil.br
+mil.by
+mil.co
+mil.do
+mil.ec
+mil.eg
+mil.er
+mil.fj
+mil.ge
+mil.gh
+mil.gt
+mil.gu
+mil.hn
+mil.id
+mil.in
+mil.io
+mil.jo
+mil.kg
+mil.kh
+mil.kr
+mil.kw
+mil.kz
+mil.lb
+mil.lt
+mil.lu
+mil.lv
+mil.mg
+mil.mv
+mil.my
+mil.no
+mil.np
+mil.nz
+mil.om
+mil.pe
+mil.ph
+mil.pl
+mil.ru
+mil.rw
+mil.se
+mil.sh
+mil.sk
+mil.st
+mil.tj
+mil.tr
+mil.tw
+mil.uk
+mil.uy
+mil.ve
+mil.ye
+mil.za
+miyagi.jp
+miyazaki.jp
+mk.ua
+mn.us
+mo.cn
+mo.us
+mob.nr
+mobi.tt
+mobil.nr
+mobile.nr
+mod.gi
+mod.om
+mod.uk
+mordovia.ru
+mosreg.ru
+mragowo.pl
+ms.kr
+ms.us
+msk.ru
+mt.us
+muni.il
+murmansk.ru
+mus.br
+museum.mn
+museum.mv
+museum.mw
+museum.no
+museum.om
+museum.tt
+music.mobi
+mytis.ru
+n.se
+nagano.jp
+nagasaki.jp
+nagoya.jp
+nakhodka.ru
+naklo.pl
+nalchik.ru
+name.ae
+name.az
+name.cy
+name.et
+name.fj
+name.hr
+name.mv
+name.my
+name.pr
+name.tj
+name.tr
+name.tt
+name.vn
+nara.jp
+nat.tn
+national-library-scotland.uk
+naturbruksgymn.se
+navy.mil
+nb.ca
+nc.us
+nd.us
+ne.jp
+ne.ke
+ne.kr
+ne.tz
+ne.ug
+ne.us
+nel.uk
+net.ac
+net.ae
+net.af
+net.ag
+net.ai
+net.al
+net.am
+net.an
+net.ar
+net.au
+net.az
+net.ba
+net.bb
+net.bd
+net.bh
+net.bm
+net.bn
+net.bo
+net.br
+net.bs
+net.bt
+net.bz
+net.cd
+net.ch
+net.ck
+net.cn
+net.co
+net.cu
+net.cy
+net.dm
+net.do
+net.dz
+net.ec
+net.eg
+net.er
+net.et
+net.fj
+net.fk
+net.ge
+net.gg
+net.gn
+net.gp
+net.gr
+net.gt
+net.gu
+net.hk
+net.hn
+net.ht
+net.id
+net.il
+net.im
+net.in
+net.io
+net.ir
+net.je
+net.jm
+net.jo
+net.jp
+net.kg
+net.kh
+net.ki
+net.kw
+net.ky
+net.kz
+net.la
+net.lb
+net.lc
+net.li
+net.lk
+net.lr
+net.lu
+net.lv
+net.ly
+net.ma
+net.me
+net.mm
+net.mo
+net.mt
+net.mu
+net.mv
+net.mw
+net.mx
+net.my
+net.na
+net.nc
+net.nf
+net.ng
+net.ni
+net.np
+net.nr
+net.nz
+net.om
+net.pa
+net.pe
+net.pg
+net.ph
+net.pk
+net.pl
+net.pr
+net.ps
+net.pt
+net.py
+net.qa
+net.ru
+net.rw
+net.sa
+net.sb
+net.sc
+net.sd
+net.sg
+net.sh
+net.st
+net.sy
+net.tf
+net.th
+net.tj
+net.tn
+net.tr
+net.tt
+net.tw
+net.ua
+net.uk
+net.uy
+net.uz
+net.vc
+net.ve
+net.vi
+net.vn
+net.vu
+net.ws
+net.ye
+net.za
+new.ke
+news.hu
+nf.ca
+ngo.lk
+ngo.ph
+ngo.pl
+ngo.za
+nh.us
+nhs.uk
+nic.im
+nic.in
+nic.tt
+nic.uk
+nieruchomosci.pl
+niigata.jp
+nikolaev.ua
+nj.us
+nkz.ru
+nl.ca
+nls.uk
+nm.cn
+nm.us
+nnov.ru
+no.com
+nom.ad
+nom.ag
+nom.br
+nom.co
+nom.es
+nom.fk
+nom.fr
+nom.mg
+nom.ni
+nom.pa
+nom.pe
+nom.pl
+nom.re
+nom.ro
+nom.ve
+nom.za
+nome.pt
+norilsk.ru
+not.br
+notaires.fr
+nov.ru
+novosibirsk.ru
+nowaruda.pl
+ns.ca
+nsk.ru
+nsn.us
+nsw.au
+nt.au
+nt.ca
+nt.ro
+ntr.br
+nu.ca
+nui.hu
+nv.us
+nx.cn
+ny.us
+nysa.pl
+o.se
+od.ua
+odessa.ua
+odo.br
+off.ai
+og.ao
+oh.us
+oita.jp
+ok.us
+okayama.jp
+okinawa.jp
+olawa.pl
+olecko.pl
+olkusz.pl
+olsztyn.pl
+omsk.ru
+on.ca
+opoczno.pl
+opole.pl
+or.at
+or.cr
+or.id
+or.jp
+or.ke
+or.kr
+or.th
+or.tz
+or.ug
+or.us
+orenburg.ru
+org.ac
+org.ae
+org.ag
+org.ai
+org.al
+org.am
+org.an
+org.ar
+org.au
+org.az
+org.ba
+org.bb
+org.bd
+org.bh
+org.bm
+org.bn
+org.bo
+org.br
+org.bs
+org.bt
+org.bw
+org.bz
+org.cd
+org.ch
+org.ck
+org.cn
+org.co
+org.cu
+org.cy
+org.dm
+org.do
+org.dz
+org.ec
+org.ee
+org.eg
+org.er
+org.es
+org.et
+org.fj
+org.fk
+org.ge
+org.gg
+org.gh
+org.gi
+org.gn
+org.gp
+org.gr
+org.gt
+org.gu
+org.hk
+org.hn
+org.ht
+org.hu
+org.il
+org.im
+org.in
+org.io
+org.ir
+org.je
+org.jm
+org.jo
+org.jp
+org.kg
+org.kh
+org.ki
+org.kw
+org.ky
+org.kz
+org.la
+org.lb
+org.lc
+org.li
+org.lk
+org.lr
+org.ls
+org.lu
+org.lv
+org.ly
+org.ma
+org.me
+org.mg
+org.mk
+org.mm
+org.mn
+org.mo
+org.mt
+org.mu
+org.mv
+org.mw
+org.mx
+org.my
+org.na
+org.nc
+org.ng
+org.ni
+org.np
+org.nr
+org.nz
+org.om
+org.pa
+org.pe
+org.pf
+org.ph
+org.pk
+org.pl
+org.pr
+org.ps
+org.pt
+org.py
+org.qa
+org.ro
+org.rs
+org.ru
+org.sa
+org.sb
+org.sc
+org.sd
+org.se
+org.sg
+org.sh
+org.st
+org.sv
+org.sy
+org.tj
+org.tn
+org.tr
+org.tt
+org.tw
+org.ua
+org.uk
+org.uy
+org.uz
+org.vc
+org.ve
+org.vi
+org.vn
+org.vu
+org.ws
+org.ye
+org.yu
+org.za
+org.zm
+org.zw
+oryol.ru
+osaka.jp
+oskol.ru
+ostroda.pl
+ostroleka.pl
+ostrowiec.pl
+ostrowwlkp.pl
+otc.au
+oz.au
+pa.us
+palana.ru
+parliament.cy
+parliament.uk
+parti.se
+pb.ao
+pc.pl
+pe.ca
+pe.kr
+penza.ru
+per.kh
+per.sg
+perm.ru
+perso.ht
+pharmacien.fr
+pila.pl
+pisz.pl
+pl.tf
+pl.ua
+plc.co.im
+plc.ly
+plc.uk
+plo.ps
+podhale.pl
+podlasie.pl
+pol.dz
+pol.ht
+pol.tr
+police.uk
+polkowice.pl
+poltava.ua
+pomorskie.pl
+pomorze.pl
+port.fr
+powiat.pl
+poznan.pl
+pp.az
+pp.ru
+pp.se
+ppg.br
+prd.fr
+prd.mg
+press.cy
+press.ma
+press.se
+presse.fr
+pri.ee
+principe.st
+priv.at
+priv.hu
+priv.me
+priv.no
+priv.pl
+pro.ae
+pro.br
+pro.cy
+pro.ec
+pro.fj
+pro.ht
+pro.mv
+pro.om
+pro.pr
+pro.tt
+pro.vn
+prochowice.pl
+pruszkow.pl
+przeworsk.pl
+psc.br
+psi.br
+pskov.ru
+ptz.ru
+pub.sa
+publ.pt
+pulawy.pl
+pvt.ge
+pyatigorsk.ru
+qc.ca
+qc.com
+qh.cn
+qld.au
+qsl.br
+radom.pl
+rawa-maz.pl
+re.kr
+realestate.pl
+rec.br
+rec.co
+rec.ro
+rec.ve
+red.sv
+reklam.hu
+rel.ht
+rel.pl
+res.in
+ri.us
+rnd.ru
+rnrt.tn
+rns.tn
+rnu.tn
+rovno.ua
+rs.ba
+ru.com
+ru.tf
+rubtsovsk.ru
+rv.ua
+ryazan.ru
+rybnik.pl
+rzeszow.pl
+s.se
+sa.au
+sa.com
+sa.cr
+saga.jp
+saitama.jp
+sakhalin.ru
+samara.ru
+sanok.pl
+saotome.st
+sapporo.jp
+saratov.ru
+sark.gg
+sc.cn
+sc.ke
+sc.kr
+sc.ug
+sc.us
+sch.ae
+sch.gg
+sch.id
+sch.ir
+sch.je
+sch.lk
+sch.ly
+sch.ng
+sch.om
+sch.sa
+sch.sd
+sch.uk
+sch.zm
+school.fj
+school.nz
+school.za
+sci.eg
+sd.cn
+sd.us
+se.com
+se.tt
+sebastopol.ua
+sec.ps
+sejny.pl
+sendai.jp
+seoul.kr
+sex.hu
+sex.pl
+sg.tf
+sh.cn
+shiga.jp
+shimane.jp
+shizuoka.jp
+shop.ht
+shop.hu
+shop.pl
+simbirsk.ru
+sk.ca
+sklep.pl
+skoczow.pl
+slask.pl
+sld.do
+sld.pa
+slg.br
+slupsk.pl
+smolensk.ru
+sn.cn
+snz.ru
+soc.lk
+soros.al
+sos.pl
+sosnowiec.pl
+spb.ru
+sport.hu
+srv.br
+sshn.se
+stalowa-wola.pl
+starachowice.pl
+stargard.pl
+stat.no
+stavropol.ru
+store.co
+store.ro
+store.st
+store.ve
+stv.ru
+suli.hu
+sumy.ua
+surgut.ru
+suwalki.pl
+swidnica.pl
+swiebodzin.pl
+swinoujscie.pl
+sx.cn
+syzran.ru
+szczecin.pl
+szczytno.pl
+szex.hu
+szkola.pl
+t.se
+takamatsu.jp
+tambov.ru
+targi.pl
+tarnobrzeg.pl
+tas.au
+tatarstan.ru
+te.ua
+tec.ve
+tel.no
+tel.nr
+tel.tr
+telecom.na
+telememo.au
+ternopil.ua
+test.ru
+tgory.pl
+tirana.al
+tj.cn
+tld.am
+tlf.nr
+tm.cy
+tm.fr
+tm.hu
+tm.mc
+tm.mg
+tm.mt
+tm.pl
+tm.ro
+tm.se
+tm.za
+tmp.br
+tn.us
+tochigi.jp
+tokushima.jp
+tokyo.jp
+tom.ru
+tomsk.ru
+torun.pl
+tottori.jp
+tourism.pl
+tourism.tn
+toyama.jp
+tozsde.hu
+travel.pl
+travel.tt
+trd.br
+tsaritsyn.ru
+tsk.ru
+tula.ru
+tur.br
+turek.pl
+turystyka.pl
+tuva.ru
+tv.bo
+tv.br
+tv.sd
+tver.ru
+tw.cn
+tx.us
+tychy.pl
+tyumen.ru
+u.se
+udm.ru
+udmurtia.ru
+uk.com
+uk.net
+uk.tt
+ulan-ude.ru
+ulsan.kr
+unam.na
+unbi.ba
+uniti.al
+unsa.ba
+upt.al
+uri.arpa
+urn.arpa
+us.com
+us.tf
+us.tt
+ustka.pl
+ut.us
+utazas.hu
+utsunomiya.jp
+uu.mt
+uy.com
+uz.ua
+uzhgorod.ua
+va.us
+vatican.va
+vdonsk.ru
+vet.br
+veterinaire.fr
+vgs.no
+vic.au
+video.hu
+vinnica.ua
+vladikavkaz.ru
+vladimir.ru
+vladivostok.ru
+vn.ua
+volgograd.ru
+vologda.ru
+voronezh.ru
+vrn.ru
+vt.us
+vyatka.ru
+w.se
+wa.au
+wa.us
+wakayama.jp
+walbrzych.pl
+warmia.pl
+warszawa.pl
+waw.pl
+weather.mobi
+web.co
+web.do
+web.id
+web.lk
+web.pk
+web.tj
+web.tr
+web.ve
+web.za
+wegrow.pl
+wi.us
+wielun.pl
+wlocl.pl
+wloclawek.pl
+wodzislaw.pl
+wolomin.pl
+wroc.pl
+wroclaw.pl
+wv.us
+www.ro
+wy.us
+x.se
+xj.cn
+xz.cn
+y.se
+yakutia.ru
+yamagata.jp
+yamaguchi.jp
+yamal.ru
+yamanashi.jp
+yaroslavl.ru
+yekaterinburg.ru
+yk.ca
+yn.cn
+yokohama.jp
+yuzhno-sakhalinsk.ru
+z.se
+za.com
+za.pl
+zachpomor.pl
+zagan.pl
+zaporizhzhe.ua
+zarow.pl
+zgora.pl
+zgorzelec.pl
+zgrad.ru
+zhitomir.ua
+zj.cn
+zlg.br
+zp.ua
+zt.ua
diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf
deleted file mode 100644 (file)
index 26464c2..0000000
+++ /dev/null
@@ -1,1301 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# This is the main exim4 configuration file based on the 28.08.05 version by
-# ametzler
-# It is hand crafted, do not replace with anything generated by a config
-# tool!
-# It is installed as part of the debian.org package -- don't edit this file
-
-# The configuration file uses a set of macros and rules to generate an
-# acceptable mail environment for debian.org machines. It deviates
-# considerably from what could be considered a standard exim configuration.
-
-# This configuration file brings in the necessary information from
-# other databases stored in /etc/exim/ right now these are linear text
-# databases.
-
-# This file is independent of the local host, it should not be changed
-# per machine. primary_hostname is used in all places that require per-host 
-# settings.
-
-# The configuration files in /etc/exim are as follows:
-#  locals - This is a list of domains that are considered local. A local
-#           domain is essential one that deliveries to /var/mail
-#           will be attempted. The users available for local delivery
-#           comes from /etc/passwd and /etc/aliases. Wildcards are not
-#           permitted.
-#  virtualdomains - This is a list of all virtual domains. A virtual domain
-#           is much like a local domain, execpt that the delivery location
-#           and allowed set of users is controlled by a virtual domain
-#           alias file and not /etc/passwd. Wildcards are permitted
-#  rcpthosts - recipient hosts or relay domains. This is a list of
-#           all hosts that we mail exchange for. All domains that list
-#           this host in their MX records should be listed here. Wildcards
-#           are permitted.
-#  relayhosts - Hostnames that can send any arbitarily addressed mail to
-#           us. This is primarily only usefull for emergancy 'queue
-#           flushing' operations, but should be populated with a list
-#           of trusted machines. Wildcards are not permitted
-#  mailhubdomains - Domains for which we are the MX, but the mail is relayed
-#           elsewhere.  This is designed for use with small volume or
-#           restricted machines that need to use a smarthost for mail
-#           traffic.  We will relay for them based on ssl cert validation
-#           but we need to teach exim how to route the mail to them.  This is
-#           that list.
-# The division of files is designed so that all hosts may share rcpthosts
-# and relayhosts, these could be replicated automatically if necessary.
-
-# Exim's wildcard mechanism is a bit odd in that to say "any address in
-# debian.org including debian.org" you must use two patterns,
-#   *.debian.org
-#   debian.org
-# Also you can only place a * before a . and as the first char in a string.
-# Wildcards always match last so they may be used as a catchall.
-
-# Further details can be found in each of the files.
-
-# Usefull exim commands:
-#  exim4 -qf  - Try sending all messages right now, including frozen ones
-#  exim4 -bt foo@blah - Write what exim would do if it saw the address
-#                      Great for testing virtual domains and forward files
-
-# Special Features for users:
-# .forward-foo - is understood as an extension address for bar-foo@cow.com
-# .forward-default - is understood to be a catch all for bar-*@cow.com
-# .procmailrc - with no .forward file invokes procmail for delivery
-#               automatically.
-
-# For virtual domains the first lookup is done against a linear text
-# database called 'aliases', then .forward files are consulted. Exim
-# filtering is available for these .forward files only. .forward-default
-# is the universal catch all for everything not handled.
-
-# Heuristic check (none bad enough to cause a hard reject, but in aggregate
-# will trigger things like rcpt to rate limiting or possibly a reject if
-# enough hits are triggered.
-#
-# value is stored in acl_c1
-
-######################################################################
-#                    MAIN CONFIGURATION SETTINGS                     #
-######################################################################
-
-# These options specify the Access Control Lists (ACLs) that
-# are used for incoming SMTP messages - after the RCPT and DATA
-# commands, respectively.
-
-acl_smtp_helo = check_helo
-acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
-acl_smtp_data = check_message
-
-# accept domain literal syntax in e-mail addresses. To actually make use of
-# this a router is also required
-allow_domain_literals = true
-
-# This setting defines a named domain list called
-# local_domains. It will be referenced
-# later on by the syntax "+local_domains".
-# Other domain and host lists may follow.
-# @ is the local FQDN, @[] matches the IP adress of any local interface.
-
-.include_if_exists /etc/exim4/local-auto.conf
-.include_if_exists /etc/exim4/local-settings.conf
-
-domainlist local_domains = @ : \
-    @[] : \
-    localhost : \
-    ${if exists {/etc/exim4/locals}{lsearch;/etc/exim4/locals}}
-
-domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains
-
-domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}}
-
-domainlist handled_domains = +local_domains : +virtual_domains
-
-localpartlist local_only_users = lsearch;/etc/exim4/localusers
-
-# Domains we relay for; that is domains that aren't considered local but we 
-# accept mail for them.
-domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
-hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
-domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
-
-.ifndef RESERVEDADDRS
-RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
-                172.16.0.0/12 : 192.0.0.0/17 : 192.168.0.0/16 : \
-                224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5
-.endif
-
-hostlist reservedaddrs = RESERVEDADDRS
-
-.ifdef USE_TLS
-tls_certificate = /etc/exim4/ssl/thishost.crt
-tls_privatekey = /etc/exim4/ssl/thishost.key
-tls_try_verify_hosts = *
-tls_verify_certificates = /etc/exim4/ssl/ca.crt
-tls_crl = /etc/exim4/ssl/ca.crl
-.endif
-
-#system_filter = /etc/exim4/filter
-#system_filter_file_transport = address_file
-
-# The setting below causes Exim to do a reverse DNS lookup on all incoming
-# IP calls, in order to get the true host name. If you feel this is too
-# expensive, you can specify the networks for which a lookup is done, or
-# remove the setting entirely.
-host_lookup = *
-dns_ipv4_lookup = !localhost
-
-# If this option is set, then any process that is running as one of the
-# listed users may pass a message to Exim and specify the sender's
-# address using the "-f" command line option, without Exim's adding a
-# "Sender" header.
-
-#trusted_users = mail
-#trusted_users = mail : www-data : ${if exists{/home/qa}{qa}{}}
-untrusted_set_sender = *
-
-# Some operating systems use the "gecos" field in the system password file
-# to hold other information in addition to users' real names. Exim looks up
-# this field when it is creating "sender" and "from" headers. If these options
-# are set, exim uses "gecos_pattern" to parse the gecos field, and then
-# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
-# by the pattern.
-
-gecos_pattern = ^([^,:]*)
-gecos_name = $1
-
-# This tells exim to immediately discard error messages (ie double bounces).
-ignore_bounce_errors_after = 0s
-auto_thaw = 1d
-timeout_frozen_after=14d
-
-message_size_limit = 100M
-message_logs = false
-smtp_accept_max = 300
-smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
-smtp_accept_queue = 200
-smtp_accept_queue_per_connection = 50
-smtp_accept_reserve = 25
-smtp_reserve_hosts = +debianhosts
-
-split_spool_directory = true
-check_spool_inodes = 200
-check_spool_space  = 20M
-
-delay_warning =
-
-queue_run_max = 50
-deliver_queue_load_max = 50
-queue_only_load = 15
-queue_list_requires_admin = false
-
-.ifdef CLAMAV
-av_scanner = CLAMAV
-.endif
-
-.ifdef HAVE_USER_DEBBUGS MAIL_RELAY MAIL_IN_VIA_SUBMISSION
-daemon_smtp_ports = 25 : 587
-.else
-.ifdef MAIL_IN_VIA_2025
-daemon_smtp_ports = 25 : 2025
-.endif
-.endif
-
-admin_groups = adm
-remote_sort_domains = *.debian.org:*.debian.net
-
-pipelining_advertise_hosts = !*
-.ifdef USE_TLS
-tls_advertise_hosts = *
-.endif
-smtp_enforce_sync = true
-
-log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
-
-received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
-                                 {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
-                                 ${if and {{eq {$tls_certificate_verified}{1}}{def:tls_peerdn}}{from $tls_peerdn (verified)\n\t}}\
-                                 by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}\
-                                 (Exim $version_number)\n\t\
-                                 ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
-                                 id $message_exim_id${if def:received_for {\n\tfor $received_for}}
-
-# macro definitions.
-# Do not wrap!
-VDOMAINDATA = ${lookup{$domain}partial-lsearch{/etc/exim4/virtualdomains}{$value}}
-WHITELIST = ${if match_domain{$domain}{+virtual_domains}{\
-               ${if exists {/srv/$domain/mail/whitelist}{\
-                ${lookup{$local_part}lsearch{/srv/$domain/mail/whitelist}{$value}{}}\
-                }{}}\
-               }{${lookup{$local_part}lsearch{/etc/exim4/whitelist}{$value}{}} : ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-whitelist}{$value}{}}}}
-GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\
-                      {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\
-                      {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
-                      {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \
-                      ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}}
-RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map
-
-######################################################################
-#                        ACL CONFIGURATION                           #
-######################################################################
-begin acl
-
-check_helo:
-
-  warn    set acl_c1    = 0
-  # These are in HELO acl so that they are only run once.  They increment a counter,
-  # so we don't want it to increment per rcpt to.
-
-  warn    dnslists       = list.dnswl.org&0.0.0.3
-          log_message    = Hit on list.dnswl.org for $sender_host_address
-          set acl_c1     = ${eval:$acl_c1-30}
-
-  warn    dnslists       = list.dnswl.org&0.0.0.2
-          log_message    = Hit on list.dnswl.org for $sender_host_address
-          set acl_c1     = ${eval:$acl_c1-20}
-
-  warn    dnslists       = list.dnswl.org
-          log_message    = Hit on list.dnswl.org for $sender_host_address
-          set acl_c1     = ${eval:$acl_c1-10}
-
-  warn    condition      = ${if isip {$sender_helo_name}{true}{false}}
-          log_message    = remote host used IP address in HELO/EHLO greeting
-          set acl_c1     = ${eval:$acl_c1+20}
-
-  warn    !hosts         = +debianhosts
-          condition      = ${if eq{$host_lookup_failed}{1}}
-          set acl_c1     = ${eval:$acl_c1+20}
-
-  warn    !hosts         = +debianhosts
-          condition      = ${if eq{$host_lookup_failed}{0}}
-          condition      = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
-          set acl_c1     = ${eval:$acl_c1+20}
-
-  warn    !hosts         = +debianhosts
-          condition      = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
-          set acl_c1     = ${eval:$acl_c1+20}
-
-  warn    !hosts         = +debianhosts
-          dnslists       = dul.dnsbl.sorbs.net
-          set acl_c1     = ${eval:$acl_c1+15}
-
-  # If the sender's helo name is empty, the message will be rejected later
-  # because the helo is empty.  If the rDNS lookup failed, we are already
-  # going to greylist them, so no sense worrying about it here.  Finally,
-  # if rDNS does not match helo name (both lower cased first), greylist.
-
-  warn    !hosts         = +debianhosts
-          condition      = ${if eq {$host_lookup_failed}{1}{no}{yes}}
-          condition      = ${if def:sender_helo_name {yes}{no}}
-          condition      = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}}
-          log_message    = HELO doesn't match rDNS
-          set acl_c1     = ${eval:$acl_c1+8}
-
-  # Regexes of doom
-  # matches 098325879 - looks fishy
-
-  warn condition        = ${if and { \
-                                     { !match{$sender_helo_name}{\N^\[.+\]$\N} } \
-                                     { !match{$sender_helo_name}{\N^(?i)((?=[^-])[a-z0-9-]*[a-z0-9]\.)+[a-z]{2,6}$\N} } \
-                                    } \
-                            }
-       log_message      = non-FQDN HELO
-       set acl_c1       = ${eval:$acl_c1+12}
-
-  # Matches DOMAIN99.com - looks bad
-
-  warn condition       = ${if match {$sender_helo_name}{\N^[A-Z]+[A-Z0-9\-]+\.[A-Za-z0-9]+$\N}}
-       log_message     = SHOUTING HELO
-       set acl_c1      = ${eval:$acl_c1+7}
-
-  # Random HELO (run of 7 consonants) (constructed by viruses).  We purposefully
-  # skip matching on machines named .*smtp.*, since that's 4 already.  This is a fairly
-  # naive test, so it's not worth much
-
-  warn condition       = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}}
-       condition       = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}}
-       condition       = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}
-       log_message     = random HELO
-       set acl_c1      = ${eval:$acl_c1+5}
-
-  # Implicit, but simpler to just say it
-  accept
-
-#!!# ACL that is used after the RCPT command on the submission port
-check_submission:
-
-  # Accept if the source is local SMTP (i.e. not over TCP/IP).
-  # We do this by testing for an empty sending host field.
-  accept  hosts = : 127.0.0.1
-  # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
-  # This is a rough pass at preventing addres harvesting or other mail blasts.
-
-.ifdef MAIL_RELAY
-  accept  verify   = certificate
-.endif
-
-  defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
-         message       = Too many bad recipients, try again later
-         condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
-
-  defer
-          ratelimit      = 5 / 60m / per_rcpt / $sender_host_address
-          !hosts         = +debianhosts
-          message        = sorry, only 5 reports per hour for submission
-
-  accept  domains  = +local_domains
-          hosts    = +debianhosts
-          endpass
-         message  = unknown user
-         verify   = recipient
-
-  accept  domains  = +mailhubdomains
-          endpass
-         message  = unknown user
-         verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
-
-  accept  domains  = +submission_domains
-          endpass
-         message  = unknown user
-         verify   = recipient
-
-  deny    message = relay not permitted
-
-#!!# ACL that is used after the RCPT command
-check_recipient:
-
-.ifdef MAIL_RELAY
-  accept  verify   = certificate
-.endif
-
-  # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
-  # This is a rough pass at preventing addres harvesting or other mail blasts.
-
-  defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
-         message       = Too many bad recipients, try again later
-         !hosts        = +debianhosts
-         condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
-
-  # Dump spambots that are so stupid they say helo as our IP address
-
-  drop !hosts          = +debianhosts
-       condition       = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
-       message         = HELO mismatch Forged HELO for ($sender_helo_name)
-
-  # Also for spambots that say helo as us or one of our domains
-
-  drop !hosts          = +debianhosts
-       condition       = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
-       condition       = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
-       message         = HELO mismatch Forged HELO for ($sender_helo_name)
-
-  # This logic gives you a list of commonly forged domains in helo to reject against
-
-  warn set acl_m2      = ${lookup{$sender_helo_name} \
-                           nwildlsearch{/etc/exim4/helo-check} \
-                          {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
-
-  # This is a failsafe in case DNS fails - we defer instead of hard reject if they 
-  # say helo as a name in the list but we can't look them up
-
-  defer !hosts         = +debianhosts
-        condition      = ${if eq{$acl_m2}{}{no}{yes}}
-        condition      = ${if eq{$sender_host_name}{}{yes}{no}}
-        condition      = ${if eq{$host_lookup_failed}{1}{no}{yes}}
-        message        = Access temporarily denied. Resolve failed PTR for $sender_host_address
-
-  # If DNS works, go ahead and reject them
-
-  drop !hosts          = +debianhosts
-       condition       = ${if and { {!eq{$acl_m2}{}}{!match{$sender_host_name}{${rxquote:$acl_m2}\N$\N}}}{yes}{no}}
-        message        = HELO mismatch Forged HELO for ($sender_helo_name)
-
-  # disabled accounts don't even get local mail.
-  deny    local_parts   = lsearch;/var/lib/misc/$primary_hostname/mail-disable
-          domains       = +local_domains
-         message       = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}}
-
-  deny    domains       = +virtual_domains
-          local_parts   = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
-                                      {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
-                                      {}}
-          hosts         = !+debianhosts
-          message       = mail for <$local_part@$domain> only accepted from debian.org machines
-  # Accept if the source is local SMTP (i.e. not over TCP/IP).
-  # We do this by testing for an empty sending host field.
-  accept  hosts = :
-  
-  deny    domains       = +handled_domains
-          local_parts   = ^[.] : ^.*[@%!/|]
-  
-  deny    domains       = !+handled_domains
-          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
-# forwards mail to @d.o address, even if it's a bounce from master, no reply
-# from source address; rejecting all mail now.
-  deny    recipients    = mendoza@debian.org
-          hosts         = 65.110.39.147 : 64.39.31.15
-          message       = <mendoza@kenny.linuxsis.net> cannot forward here while mailer-daemon mail is not caught
-
-  deny    condition     = ${lookup{$sender_address_local_part}lsearch{/etc/exim4/localusers}{true}}
-         sender_domains= +local_domains : debian.org : debian.net : debian.com
-         hosts         = !+debianhosts
-         message       = mail from <$sender_address> not allowed externally
-
-  deny    condition     = ${if match_domain{$sender_address_domain}{+virtual_domains}{1}{0}}
-          condition     = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
-          condition     = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
-         message       = no mail should ever come from <$sender_address>
-
-  deny    local_parts   = +local_only_users
-         domains       = +local_domains
-          hosts         = !+debianhosts
-         message       = mail for $local_part is only accepted internally
-
-  deny    message  = address $sender_host_address is listed in $dnslist_domain; $dnslist_text
-         hosts    = !+debianhosts
-          dnslists = rbl.debian.net : rbl.debian.net/$sender_address_domain
-
-  deny    !recipients = survey@popcon.debian.org
-          !verify = sender
-
-  defer   !hosts         = +debianhosts
-          condition      = ${if >{${eval:$acl_c1}}{0}}
-          ratelimit      = 10 / 60m / per_rcpt / $sender_host_address
-          message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
-
-.ifdef HAVE_POLICYD
-  # Check with policyd-weight - this only works with a version after etch's,
-  # sadly.  etch's version attempts to hold the socket open, since that's what
-  # postfix expects.  Exim, on the other hand, expects the remote side to close
-  # the socket when it's finished sending data, so it see each transaction as
-  # an incomplete read.  I'm sure there's a way we could force exim to do
-  # something sick and clever to force either the interpretation or the socket
-  # closure, but I'm fairly sure it's now worth it, since the backport of
-  # policyd-weight is trivial.
-  warn  !hosts         = +debianhosts
-        set acl_m9     = ${readsocket{inet:127.0.0.1:12525}\
-                          {request=smtpd_access_policy\n\
-                           protocol_state=RCPT\n\
-                           protocol_name=${uc:$received_protocol}\n\
-                           helo_name=$sender_helo_name\n\
-                           queue_id=$message_exim_id\n\
-                           sender=$sender_address\n\
-                           recipient=$local_part@$domain\n\
-                           recipient_count=$rcpt_count\n\
-                           client_address=$sender_host_address\n\
-                           client_name=$sender_host_name\n\
-                           reverse_client_name=$sender_host_name\n\
-                           instance=$sender_host_address.$sender_address.$sender_helo_name\n\n}\
-                          {20s}{\n}{socket failure}}
-
-  # Defer on socket error
-  defer !hosts         = +debianhosts
-        condition      = ${if eq{$acl_m9}{socket failure}{yes}{no}}
-        message        = Cannot connect to policyd-weight. Please try again later.
-
-  # Set proposed action to $acl_m8 and message to $acl_m7
-  warn  !hosts         = +debianhosts
-        set acl_m8     = ${extract{action}{$acl_m9}}
-        set acl_m7     = ${sg{$acl_m9}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}}
-
-  # Add X-policyd-weight header line to message
-  warn  !hosts         = +debianhosts
-        message        = $acl_m7
-        condition      = ${if eq{$acl_m8}{PREPEND}{yes}{no}}
-
-  # Write log message, if policyd-weight can't run checks
-  warn  !hosts         = +debianhosts
-        log_message    = policyd-weight message: $acl_m7
-        condition      = ${if eq{$acl_m8}{DUNNO}{yes}{no}}
-
-  # Deny mails which policyd-weight thinks are spam
-  deny  !hosts         = +debianhosts
-        message        = policyd-weight said: $acl_m7
-        condition      = ${if eq{$acl_m8}{550}{yes}{no}}
-
-  # Defer messages when policyd-weight suggests so.
-  defer  !hosts         = +debianhosts
-         message        = policyd-weight said: $acl_m7
-         condition      = ${if eq{$acl_m8}{450}{yes}{no}}
-.endif
-
-  warn    recipients = survey@popcon.debian.org
-          set acl_m1 = PopconMail
-
-  warn    domains  = rt.debian.org
-          set acl_m1 = RTMail
-          set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{[^+]+\\+\\d+}}{match{$local_part}{[^+]+\\+new}}} {RTMailRecipientHasSubaddress}}}}
-
-  warn    domains  = packages.qa.debian.org
-          set acl_m1 = PTSMail
-
-  warn    recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
-          set acl_m1 = PTSOwner
-
-  warn    recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
-          set acl_m1 = DBSignedMail
-
-  warn    senders  = :
-          domains  = packages.qa.debian.org
-          condition = ${if match{$local_part}{\N^bounces+\N}}
-          set acl_m1 = PTSListBounce
-
-.ifdef USE_GREYLISTING
-.ifdef HAVE_GREYLIST
-  defer
-    message  = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
-    log_message = greylisted.
-    local_parts    = ${if match_domain{$domain}{+virtual_domains}\
-                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\
-                    {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
-                    {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \
-                    ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}}
-    !senders       = :
-    !hosts         = : +debianhosts : WHITELIST : \
-                     ${if exists {/etc/greylistd/whitelist-hosts}\
-                                 {/etc/greylistd/whitelist-hosts}{}} : \
-                     ${if exists {/var/lib/greylistd/whitelist-hosts}\
-                                 {/var/lib/greylistd/whitelist-hosts}{}} 
-    !authenticated = *
-    domains        = +handled_domains : +rcpthosts
-    condition      = ${readsocket{/var/run/greylistd/socket}\
-                                 {--grey \
-                                  $sender_host_address \
-                                  $sender_address \
-                                  $local_part@$domain}\
-                                 {5s}{}{false}}
-.endif
-.ifdef HAVE_POSTGREY
-  # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
-  # this adds acl_m4 if there isn't one (so unique per message)
-  warn
-    !senders       = :
-    !hosts         = : +debianhosts : WHITELIST
-    condition      = ${if def:acl_m4 {no}{yes}}
-    set acl_m4     = $pid.$tod_epoch.$sender_host_port
-
-  # and defers the message if postgrey thinks it should be defered ...
-  defer
-    !senders       = :
-    !hosts         = : +debianhosts : WHITELIST
-    !authenticated = *
-    domains        = +handled_domains : +rcpthosts
-    local_parts    = GREYLIST_LOCAL_PARTS
-    set acl_m3     = request=smtpd_access_policy\n\
-                     protocol_state=RCPT\n\
-                     protocol_name=${uc:$received_protocol}\n\
-                     instance=${acl_m4}\n\
-                     helo_name=${sender_helo_name}\n\
-                     client_address=${substr_-3:${mask:$sender_host_address/24}}\n\
-                     client_name=${sender_host_name}\n\
-                     sender=${sender_address}\n\
-                     recipient=$local_part@$domain\n\n
-    set acl_m3     = ${sg{\
-                         ${readsocket{/var/run/postgrey/socket}{$acl_m3}\
-                               {5s}{}{action=DUNNO}}\
-                     }{action=}{}}
-    message        = ${sg{$acl_m3}{^\\w+\\s*}{}}
-    log_message    = greylisted.
-    condition      = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}}
-
- # ... or adds a header with information about how long the delay was
- warn
-    !senders       = :
-    !hosts         = : +debianhosts : WHITELIST
-    !authenticated = *
-    domains        = +handled_domains : +rcpthosts
-    local_parts    = GREYLIST_LOCAL_PARTS
-    condition      = ${if eq{${uc:${substr_0_7:$acl_m3}}}{PREPEND}}
-    message        = ${sg{$acl_m3}{^\\w+\\s*}{}}
-.endif
-.endif
-
-  accept  local_parts   = postmaster
-          domains       = +handled_domains : +rcpthosts
-
-  deny   log_message   = <$sender_address> is blacklisted
-         senders       = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
-         message       = We have blacklisted <$sender_address>.  Please stop mailing us
-
-  deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
-          dnslists = ${if match_domain{$domain}{+virtual_domains}\
-                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
-                    {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
-                    {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}} : \
-                    ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}}
-         domains       = +handled_domains : +rcpthosts
-         !hosts        = +debianhosts : WHITELIST
-
-  deny    message  = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
-          dnslists = ${if match_domain{$domain}{+virtual_domains}\
-                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
-                    {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
-                    {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}} : \
-                    ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}}}
-         domains       = +handled_domains : +rcpthosts
-         !hosts        = +debianhosts : WHITELIST
-
-  deny    domains  = +handled_domains : +rcpthosts
-          local_parts   = ${if match_domain{$domain}{+virtual_domains}\
-                          {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
-                          {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}{$local_part}{}}}{}}}\
-                          {${lookup{$local_part}lsearch{/etc/exim4/callout_users}{$local_part}{}} : \
-                          ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}}
-          !hosts   = +debianhosts : WHITELIST
-         !verify  = sender/callout
-
-  accept  domains  = +mailhubdomains
-          endpass
-         message  = unknown user
-         verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
-
-  accept  domains  = +handled_domains
-          endpass
-         message  = unknown user
-         verify   = recipient/defer_ok
-
-  accept  domains  = +rcpthosts
-          endpass
-         message  = unrouteable address
-         verify   = recipient
-
-  accept  hosts         = +debianhosts
-
-  accept  authenticated = *
-
-  deny    message = relay not permitted
-
-#!!# ACL that is used after the DATA command
-check_message:
-  require verify = header_syntax
-          message = Invalid syntax in the header
-
-  deny    condition = ${if eq {$acl_m1}{RTMail}}
-          condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
-                               {!match {${lc:$rh_Subject:]}} {\\[rt.debian.org }} \
-                               {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}}
-          message  = messages to the Request Tracker system require a subject tag or a subaddress
-
-  deny    !hosts  = +debianhosts : 217.196.43.134
-          condition = ${if eq {$acl_m1}{PTSMail}}
-          condition = ${if def:h_X-PTS-Approved:{false}{true}}
-          message   = messages to the PTS require an X-PTS-Approved header
-
-  deny    condition      = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}}
-          message        = Blackisted URI found in body
-
-  deny    condition      = ${if eq {$acl_m1}{DBSignedMail}}
-          condition      = ${if and {{!match {$message_body}{PGP MESSAGE}}              \
-                                     {!match {$message_body}{PGP SIGNED MESSAGE}}       \
-                                     {!match {$message_body}{PGP SIGNATURE}}            \
-                                     {!match {$header_content-type:}{multipart/signed}} \
-                                     {!match {$header_content-type:}{pgp}}              \
-                                    }                                                   \
-                            }
-          message        = Mail to this address needs to be PGP-signed
-
-# RFC 822 and 2822 say that headers must be ASCII.  This kinda emulates
-# postfix's strict_7bit_headers option, but only checks a few common problem
-# headers, as there doesn't appear to be an easy way to check them all.
-  deny
-         condition       = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
-                                {match {$rh_To:}{[\200-\377]}}\
-                                {match {$rh_From:}{[\200-\377]}}\
-                                {match {$rh_Cc:}{[\200-\377]}}}{true}{false}}
-         message         = improper use of 8-bit data in message header: message rejected
-
-  deny
-         condition       = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}}
-         message         = Your mailer is not RFC 2047 compliant: message rejected
-
-.ifdef CLAMAV
-  deny    
-         demime          = *
-          malware         = */defer_ok
-          message         = malware detected: $malware_name: message rejected
-.endif
-
-  deny    spam            = $value/defer_ok
-          domains         = +handled_domains : +rcpthosts
-          message         = message got a spam score of $spam_score
-          local_parts     = ${if exists {/etc/exim4/sa_users}\
-                            {${if match_domain{$domain}{+virtual_domains}\
-                            {${lookup{$local_part@$domain}nwildlsearch{/etc/exim4/sa_users}{$local_part}{}}}\
-                            {${lookup{$local_part}lsearch{/etc/exim4/sa_users}{$local_part}{}}}}}}
-
-  # Check header_sender except for survey@popcon.d.o
-  deny    condition = ${if eq{$acl_m1}{PopconMail}{false}{true}}
-          !verify = header_sender
-          message = No valid sender found in the From:, Sender: and Reply-to: headers
-
-  accept
-
-
-
-######################################################################
-#                      REWRITE CONFIGURATION                         #
-######################################################################
-
-
-
-begin rewrite
-
-\N^buildd_(.*)@ries\.debian\.org$\N buildd_$1@buildd.debian.org T
-\N^buildd_(.*)@klecker\.debian\.org$\N buildd_$1@buildd.debian.org T
-*@debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
-*@people.debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
-#*@${primary_hostname} "${if exists{/etc/exim4/email-addresses}{${lookup{$1}lsearch{/etc/exim4/email-addresses}{$value}fail}}fail}" fFs
-m68k@buildd.debian.org m68k-build@nocrew.org Ttrbc
-
-
-#!!#######################################################!!#
-#!!# Here follow routers created from the old routers,   #!!#
-#!!# for handling non-local domains.                     #!!#
-#!!#######################################################!!#
-
-begin routers
-
-
-
-######################################################################
-#                      ROUTERS CONFIGURATION                         #
-#                Specifies how addresses are handled                 #
-######################################################################
-#                          ORDER DOES MATTER                         #
-#     An address is passed to each in turn until it is accepted.     #
-######################################################################
-
-relay_manualroute:
-  driver = manualroute
-  domains = +mailhubdomains
-  transport = remote_smtp
-  route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
-  require_files = /etc/exim4/manualroute
-
-bsmtp:
-  debug_print = "R: bsmtp for $local_part@$domain"
-  driver = manualroute
-  domains = !+local_domains
-  require_files = /etc/exim4/bsmtp
-  route_list = * ${extract{file}{\
-                   ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
-                    {$value}fail}}}
-  transport = bsmtp
-
-# This router routes to remote hosts over SMTP by explicit IP address,
-# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
-# require this facility, which is why it is enabled by default in Exim.
-ipliteral:
-  debug_print = "R: ipliteral for $local_part@$domain"
-  driver = ipliteral
-  domains = !+handled_domains
-  transport = remote_smtp
-  ignore_target_hosts = +reservedaddrs
-
-.ifdef SMARTHOST
-smarthost:
-  debug_print = "R: smarthost for $local_part@$domain"
-  driver = manualroute
-  domains = !+handled_domains
-  transport = remote_smtp_smarthost
-  route_list = * SMARTHOST
-  host_find_failed = defer
-  same_domain_copy_routing = yes
-  no_more
-.endif
-# This router routes to remote hosts over SMTP using a DNS lookup.
-# Ignore reserved network responses, including localhost.
-dnslookup:
-  debug_print = "R: dnslookup for $local_part@$domain"
-  driver = dnslookup
-  domains = !+handled_domains
-  transport = remote_smtp
-  ignore_target_hosts = +reservedaddrs
-  no_more
-
-# This allows local delivery to be forced, avoiding alias files and
-# forwarding.
-
-#real_local:
-#  debug_print = "R: real_local for $local_part@$domain"
-#  driver = accept
-#  check_local_user
-#  domains = lsearch;/etc/exim4/locals
-#  local_part_prefix = real-
-#  transport = local_delivery
-
-# This router handles aliasing using a traditional /etc/aliases file.
-# If any of your aliases expand to pipes or files, you will need to set
-# up a user and a group for these deliveries to run under. You can do
-# this by uncommenting the "user" option below (changing the user name
-# as appropriate) and adding a "group" option if necessary.
-
-system_aliases:
-  debug_print = "R: system_aliases for $local_part@$domain"
-  driver = redirect
-  allow_defer
-  allow_fail
-  data = ${lookup{$local_part}lsearch*{/etc/aliases}}
-  domains = +local_domains
-  file_transport = address_file
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  pipe_transport = address_pipe
-  retry_use_local_part
-
-# This router handles forwarding using traditional .forward files.
-# It also allows mail filtering when a forward file starts with the 
-# string "# Exim filter": to disable filtering, uncomment the "filter" 
-# option. The check_ancestor option means that if the forward file 
-# generates an address that is an ancestor of the current one, the 
-# current one gets passed on instead. This covers the case where A is 
-# aliased to B and B has a .forward file pointing to A.
-
-# For standard debian setup of one group per user, it is acceptable---normal
-# even---for .forward to be group writable. If you have everyone in one
-# group, you should comment out the "modemask" line. Without it, the exim
-# default of 022 will apply, which is probably what you want.
-
-userforward_verify:
-  debug_print = "R: userforward for $local_part${local_part_suffix}@$domain"
-  driver = redirect
-  check_ancestor
-  user = Debian-exim
-  no_check_local_user
-  directory_transport = address_directory
-  domains = +local_domains
-  # filter - I have disabled filtering to force users to use .forward-foo files
-  # or procmail. This will make it easier to move mailers in the future
-  #
-  # This bit does the qmailesque extension names, foo-bar@ is .forward-foo it
-  # also checks if the .forward-bar exists, if not then it uses
-  # .forward-default instead.
-  file = $home/.forward\
-         ${if eq{}{$local_part_suffix}{}{\
-          ${if exists {${home}/.forward${local_part_suffix}} \
-            {${local_part_suffix}}{-default}}\
-          }\
-         }
-  file_transport = address_file
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  local_part_suffix = -*
-  local_part_suffix_optional
-  modemask = 002
-  pipe_transport = address_pipe
-  reply_transport = address_reply
-  require_files = $home
-  router_home_directory = ${lookup passwd{$local_part}{${extract{5}{:}{$value}}}fail}
-  verify_only
-
-userforward:
-  debug_print = "R: userforward for $local_part${local_part_suffix}@$domain"
-  driver = redirect
-  check_ancestor
-  check_local_user
-  directory_transport = address_directory
-  domains = +local_domains
-  # filter - I have disabled filtering to force users to use .forward-foo files
-  # or procmail. This will make it easier to move mailers in the future
-  #
-  # This bit does the qmailesque extension names, foo-bar@ is .forward-foo it
-  # also checks if the .forward-bar exists, if not then it uses
-  # .forward-default instead.
-  file = $home/.forward\
-         ${if eq{}{$local_part_suffix}{}{\
-          ${if exists {${home}/.forward${local_part_suffix}} \
-            {${local_part_suffix}}{-default}}\
-          }\
-         }
-  file_transport = address_file
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  local_part_suffix = -*
-  local_part_suffix_optional
-  modemask = 002
-  pipe_transport = address_pipe
-  reply_transport = address_reply
-  require_files = $home
-  no_verify
-
-# This delivers to procmail
-procmail:
-  debug_print = "R: procmail for $local_part@$domain"
-  driver = accept
-  check_local_user
-  domains = +local_domains
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  no_verify
-  no_expn
-  require_files = $local_part:$home/.procmailrc
-  transport = procmail_pipe
-  transport_current_directory = $home
-  
-# This driver delivers to the LDAP generated alias file.
-ldap_aliases:
-  debug_print = "R: ldap_aliases for $local_part@$domain"
-  driver = redirect
-  allow_defer
-  allow_fail
-  data = ${if exists{/var/lib/misc/$primary_hostname/mail-forward.cdb}\
-             {${lookup{$local_part}cdb\
-              {/var/lib/misc/$primary_hostname/mail-forward.cdb}}}}
-  domains = +local_domains
-  file_transport = address_file
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  pipe_transport = address_pipe
-  retry_use_local_part
-  
-# This director matches local user mailboxes.
-localuser:
-  debug_print = "R: localuser for $local_part@$domain"
-  driver = accept
-  check_local_user
-  domains = +local_domains
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  # Disable if the user has never logged in
-  require_files = $home
-  transport = local_delivery
-  no_more
-
-# Now we begin the Virtual Domain configuration
-# Everything before here should apply only to the local domains with a 
-# domains= rule
-
-# exim4 fails the router if it can't change to the user/group for delivery
-# during verification.  So we have to seperate the cases of verifying
-# the virts, and delivering to them.  blah.
-
-# This router delivers for packages.d.o
-packages:
-  debug_print = "R: packages for $local_part@$domain"
-  driver = redirect
-  file_transport = address_file
-  pipe_transport = address_pipe
-  domains = packages.debian.org
-  require_files = /org/packages.debian.org/conf/maintainer
-  data = ${lookup{$local_part}cdb{/org/packages.debian.org/conf/maintainer.cdb}}
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  transport_home_directory = /org/packages.debian.org/mail
-  transport_current_directory = /org/packages.debian.org/mail
-  check_ancestor
-  retry_use_local_part
-  no_more
-
-.ifdef HAVE_USER_DEBBUGS
-# This router delivers for bugs.d.o
-bugs:
-  debug_print = "R: bugs for $local_part@$domain"
-  driver = accept
-  transport = bugs_pipe
-  domains = bugs.debian.org
-  cannot_route_message = Unknown or archived bug
-  require_files = /org/bugs.debian.org/mail/run-procmail
-  no_more
-  local_parts = ${if match\
-                  {$local_part}\
-                  {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\
-               {${if exists{/org/bugs.debian.org/spool/db-h/$2/$1$2.summary}\
-              {$local_part}fail}}fail}
-.endif
-
-# This router delivers for rt.d.o
-rt_force_new_verbose:
-  debug_print = "R: rt for $local_part+new@$domain"
-  driver = redirect
-  domains = rt.debian.org
-  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
-  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
-  local_part_suffix = +new
-  pipe_transport = rt_pipe
-  data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-
-# FIXME: figure out how to generalize this approach so that all of the following would work
-# - rt+NNNN@rt.debian.org          : attach correspondence to ticket (verbose)
-# - rt+NNNN-quiesce@rt.debian.org  : attach correspondence to ticket (quiesce)
-# - rt+NNNN-<action>@rt.debian.org : attach correspondence to ticket (some action)
-# requires modification to custom condition in 'scrips'
-rt_force_new_quiesce:
-  debug_print = "R: rt for $local_part+new-quiesce@$domain"
-  driver = redirect
-  domains = rt.debian.org
-  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
-  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
-  local_part_suffix = +new-quiesce
-  pipe_transport = rt_pipe
-  data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce"
-
-rt_otherwise:
-  debug_print = "R: rt for $local_part@$domain"
-  driver = redirect
-  domains = rt.debian.org
-  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
-  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
-  local_part_suffix = +*
-  local_part_suffix_optional
-  pipe_transport = rt_pipe
-  data = "|/usr/bin/rt-mailgate --queue '${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}' --url https://rt.debian.org/ --extension ticket --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-
-virt_alias_verify:
-  debug_print = "R: virt_aliases for $local_part@$domain"
-  driver = redirect
-  data = ${if exists{\
-           ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\
-          {${lookup{$local_part}lsearch*{\
-              ${extract{directory}{VDOMAINDATA}{$value/aliases}}\
-          }}}}
-  directory_transport = address_directory
-  cannot_route_message = Unknown user
-  domains = +virtual_domains
-  file_transport = address_file
-  pipe_transport = address_pipe
-  qualify_preserve_domain
-  retry_use_local_part
-  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
-  transport_home_directory = ${extract{directory}{VDOMAINDATA}}
-  verify_only
-
-virt_direct_verify:
-  debug_print = "R: virt_direct for $local_part@$domain"
-  driver = redirect
-  no_check_local_user
-  user = Debian-exim
-  allow_filter
-  modemask = 002
-  directory_transport = address_directory
-  domains = +virtual_domains
-  file = $home/.forward-\
-              ${if exists {${home}/.forward-${local_part}}{${local_part}}\
-                  {default}}
-  file_transport = address_file
-  pipe_transport = address_pipe
-  reply_transport = address_reply
-  retry_use_local_part
-  router_home_directory = ${extract{directory}{VDOMAINDATA}}
-  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
-  verify_only
-
-# This is a senmailesque alias file lookup
-virt_aliases:
-  debug_print = "R: virt_aliases for $local_part@$domain"
-  driver = redirect
-  allow_defer
-  allow_fail
-  data = ${if exists{\
-           ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\
-          {${lookup{$local_part}lsearch*{\
-              ${extract{directory}{VDOMAINDATA}{$value/aliases}}\
-          }}}}
-  directory_transport = address_directory
-  domains = +virtual_domains
-  file_transport = ${if eq {${extract{group_writable}{VDOMAINDATA}}}{true}{address_file_group}{address_file}}
-  cannot_route_message = Unknown user
-  group = ${extract{group}{VDOMAINDATA}}
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  pipe_transport = address_pipe
-  qualify_preserve_domain
-  retry_use_local_part
-  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
-  transport_home_directory = ${extract{directory}{VDOMAINDATA}}
-  no_verify
-  user = ${extract{user}{VDOMAINDATA}}
-  
-# This is a qmailesque deliver into a directory of .forward files
-virt_direct:
-  debug_print = "R: virt_direct for $local_part@$domain"
-  driver = redirect
-  allow_filter
-  allow_fail
-  allow_defer
-  no_check_local_user
-  directory_transport = address_directory
-  domains = +virtual_domains
-  file = $home/.forward-\
-              ${if exists {${home}/.forward-${local_part}}{${local_part}}\
-                  {default}}
-  file_transport = ${if eq {${extract{group_writable}{VDOMAINDATA}}}{true}{address_file_group}{address_file}}
-  group = ${extract{group}{VDOMAINDATA}}
-  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
-  modemask = 002
-  pipe_transport = address_pipe
-  reply_transport = address_reply
-  retry_use_local_part
-  router_home_directory = ${extract{directory}{VDOMAINDATA}}
-  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
-  no_verify
-  user = ${extract{user}{VDOMAINDATA}}
-  #debug_print = .forward-${if exists {${home}/.forward-${local_part}} {${local_part}} {default}}
-
-######################################################################
-#                      TRANSPORTS CONFIGURATION                      #
-######################################################################
-#                       ORDER DOES NOT MATTER                        #
-#     Only one appropriate transport is called for each delivery.    #
-######################################################################
-
-
-begin transports
-
-# This transport is used for local delivery to user mailboxes. On debian
-# systems group mail is used so we can write to the /var/mail
-# directory. (The alternative, which most other unixes use, is to deliver
-# as the user's own group, into a sticky-bitted directory)
-local_delivery:
-  driver = appendfile
-  file = /var/mail/${local_part}
-  group = mail
-  mode = 0660
-  no_mode_fail_narrower
-  return_path_add
-  
-# This transport is used for handling pipe addresses generated by alias
-# or .forward files. It has a conventional name, since it is not actually
-# mentioned elsewhere in this configuration file. (A different name *can*
-# be specified via the "address_pipe_transport" option if you really want
-# to.) If the pipe generates any standard output, it is returned to the sender
-# of the message as a delivery error. Set return_fail_output instead if you
-# want this to happen only when the pipe fails to complete normally.
-
-address_pipe:
-  driver = pipe
-  current_directory = ${home}
-  environment = "EXTENSION=${substr_1:${local_part_suffix}}:\
-                 EXT=${substr_1:${local_part_suffix}}:\
-                 LOCAL=${local_part}${local_part_suffix}:\
-                 RECIPIENT=${local_part}${local_part_suffix}@${domain}"
-  return_output
-  return_path_add
-
-# This transport is used for handling file addresses generated by alias
-# or .forward files. It has a conventional name, since it is not actually
-# mentioned elsewhere in this configuration file.
-
-address_file:
-  driver = appendfile
-  return_path_add
-
-address_file_group:
-  driver = appendfile
-  return_path_add
-  mode = 0660
-  directory_mode = 0770
-  mode_fail_narrower = false
-
-# This transport is used for handling file addresses generated by alias
-# or .forward files if the path ends in "/", which causes it to be treated
-# as a directory name rather than a file name. Each message is then delivered
-# to a unique file in the directory. If instead you want all such deliveries to
-# be in the "maildir" format that is used by some other mail software,
-# uncomment the final option below. If this is done, the directory specified
-# in the .forward or alias file is the base maildir directory.
-#
-# Should you want to be able to specify either maildir or non-maildir
-# directory-style deliveries, then you must set up yet another transport,
-# called address_directory2. This is used if the path ends in "//" so should
-# be the one used for maildir, as the double slash suggests another level
-# of directory. In the absence of address_directory2, paths ending in //
-# are passed to address_directory.
-
-address_directory:
-  driver = appendfile
-  check_string = 
-  maildir_format
-  message_prefix = ""
-  message_suffix = ""
-  return_path_add
-
-# This transport is used for handling autoreplies generated by the filtering
-# option of the forwardfile director. It has a conventional name, since it
-# is not actually mentioned elsewhere in this configuration file.
-address_reply:
-  driver = autoreply
-
-# This transport is used for delivering messages over SMTP connections.
-
-remote_smtp:
-  driver = smtp
-  connect_timeout = 1m
-.ifdef USE_TLS
-  tls_certificate = /etc/exim4/ssl/thishost.crt
-  tls_privatekey = /etc/exim4/ssl/thishost.key
-.endif
-
-remote_smtp_smarthost:
-  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
-  driver = smtp
-.ifdef SMARTHST_PORT
-  port = SMARTHST_PORT
-.endif
-.ifdef USE_TLS
-  tls_tempfail_tryclear = false
-  tls_certificate = /etc/exim4/ssl/thishost.crt
-  tls_privatekey = /etc/exim4/ssl/thishost.key
-.endif
-
-# Send the message to procmail
-procmail_pipe:
-  driver = pipe
-  command = /usr/bin/procmail -a ${substr_1:${local_part_suffix}}}
-  return_path_add
-  user = ${local_part}
-
-bsmtp:
-  driver = appendfile
-  batch_max = 100
-  file = ${host}
-  message_prefix = 
-  message_suffix = 
-  use_bsmtp
-  user = ${extract{user}{\
-                   ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
-                    {$value}fail}\
-                  }}
-
-.ifdef HAVE_USER_DEBBUGS
-bugs_pipe:
-  driver = pipe
-  command = /org/bugs.debian.org/mail/run-procmail
-  environment = "EXTENSION=${substr_1:${local_part_suffix}}:\
-                 EXT=${substr_1:${local_part_suffix}}:\
-                 LOCAL=${local_part}${local_part_suffix}:\
-                 RECIPIENT=${local_part}${local_part_suffix}@${domain}"
-  return_path_add
-  return_output
-  user = debbugs
-.endif
-
-rt_pipe:
-  debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain"
-  driver = pipe
-  return_fail_output
-  environment = EXTENSION=${substr_1:${local_part_suffix}}
-  allow_commands = /usr/bin/rt-mailgate
-
-
-######################################################################
-#                      RETRY CONFIGURATION                           #
-######################################################################
-
-# This single retry rule applies to all domains and all errors. It specifies
-# retries every 15 minutes for 2 hours, then increasing retry intervals,
-# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
-# hours, then retries every 8 hours until 4 days have passed since the first
-# failed delivery.
-
-# Domain               Error       Retries
-# ------               -----       -------
-
-
-begin retry
-
-debian.org            *           F,2h,10m; G,16h,2h,1.5; F,14d,8h
-*                      * senders=: F,2h,10m
-*                      rcpt_4xx    F,2h,5m;  F,4h,10m; F,4d,15m
-*                      *           F,2h,15m; G,16h,2h,1.5; F,4d,8h
-
-# End of Exim 4 configuration
diff --git a/modules/exim/files/common/exim_surbl.pl b/modules/exim/files/common/exim_surbl.pl
new file mode 100644 (file)
index 0000000..4f72a14
--- /dev/null
@@ -0,0 +1,315 @@
+#
+# Copyright (c) 2006-2007 Erik Mugele.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# NOTES
+# -----
+#
+# 1. This script makes use of the Country Code Top Level 
+# Domains (ccTLD) provided by the SURBL group at
+# http://spamcheck.freeapp.net/two-level-tlds  
+# THE VARIABLE $cctld_file MUST BE SET TO THE FULL PATH AND 
+# NAME OF THE FILE CONTAINING THE CCTLD LIST!  (see below)
+#
+# 2. This script makes use of whitelisting of popular domains.  The 
+# source of the list can be found here: 
+# http://spamassassin.apache.org/full/3.1.x/dist/rules/25_uribl.cf
+# These are domains that are whitelisted by the SURBL group so it
+# doesn't make sense to waste resources doing lookups on them.
+# THE VARIABLE $whitelist_file MUST BE SET TO THE FULL PATH AND
+# NAME OF THE FILE CONTAINING THE WHITE LIST!  (see below)          
+# 
+# 3. Per the guidelines at http://www.surbl.org, if your site processes
+# more than 100,000 messages per day, you should NOT be using the 
+# public SURBL name servers but should be rsync-ing from them and 
+# running your own.  See http://www3.surbl.org/rsync-signup.html
+#
+sub surblspamcheck
+{
+# Designed and written by Erik Mugele, 2004-2006
+# http://www.teuton.org/~ejm
+# Version 2.0
+
+    # The following variable is the full path to the file containing the 
+    # list of Country Code Top Level Domains (ccTLD).
+    # ---------------------------------------------------------------------
+    # THIS VARIABLE MUST BE SET TO THE FULL PATH AND NAME OF THE FILE 
+    # CONTAINING THE CCTLD LIST!
+    # ---------------------------------------------------------------------
+    my $cctld_file = "/etc/exim4/ccTLD.txt";    
+    
+    # The following variable is the full path to the file containing
+    # whitelist entries.  
+    # ---------------------------------------------------------------------
+    # THIS VARIABLE MUST BE SET TO THE FULL PATH AND NAME OF THE FILE 
+    # CONTAINING THE WHITELIST DOMAINS!
+    # ---------------------------------------------------------------------
+    my $whitelist_file = "/etc/exim4/surbl_whitelist.txt";
+    
+    # This variable defines the maximum MIME file size that will be checked
+    # if this script is called by the MIME ACL.  This is primarily to
+    # keep the load down on the server.  Size is in bytes.
+    my $max_file_size = 50000;
+    
+    # The following two variables enable or disable the SURBL and URIBL
+    # lookups.  Set to 1 to enable and 0 to disable.
+    my $surbl_enable = 1;
+    my $uribl_enable = 1;
+    
+    # Check to see if a decode MIME attachment is being checked or 
+    # just a plain old text message with no attachments
+    my $exim_body = "";
+    my $mime_filename = Exim::expand_string('$mime_decoded_filename');
+    if ($mime_filename) {
+        # DEBUG Statement
+        #warn ("MIME FILENAME: $mime_filename\n");
+        # If the MIME file is too large, skip it.
+        if (-s $mime_filename <= $max_file_size) {
+            open(fh,"<$mime_filename");
+            binmode(fh);
+            while (read(fh,$buff,1024)) {
+                $exim_body .= $buff;
+            }
+            close (fh);
+        } else {
+            $exim_body = "";
+        }
+    } else {
+        $exim_body = Exim::expand_string('$message_body');
+    }
+    
+    sub surbllookup {
+        # This subroutine does the actual DNS lookup and builds and returns
+        # the return message for the SURBL lookup.
+        my @params = @_;
+        my $surbldomain = ".multi.surbl.org";
+        @dnsbladdr=gethostbyname($params[0].$surbldomain);
+        # If gethostbyname() returned anything, build a return message.
+        $return_string = "";
+        if (scalar(@dnsbladdr) != 0) {
+            $return_string = "Blacklisted URL in message. (".$params[0].") in";
+            @surblipaddr = unpack('C4',($dnsbladdr[4])[0]);
+            if ($surblipaddr[3] & 64) {
+                $return_string .= " [jp]";
+            }
+            if ($surblipaddr[3] & 32) {
+                $return_string .= " [ab]";
+            }
+            if ($surblipaddr[3] & 16) {
+                $return_string .= " [ob]";
+            }
+            if ($surblipaddr[3] & 8) {
+                $return_string .= " [ph]";
+            }
+            if ($surblipaddr[3] & 4) {
+                $return_string .= " [ws]";
+            }
+            if ($surblipaddr[3] & 2) {
+                $return_string .= " [sc]";
+            }
+            $return_string .= ". See http://www.surbl.org/lists.html.";
+        }
+        return $return_string;
+    }
+    
+    sub uribllookup {
+        # This subroutine does the actual DNS lookup and builds and returns
+        # the return message for the URIBL check.
+        my @params = @_;
+        my $surbldomain = ".black.uribl.com";
+        @dnsbladdr=gethostbyname($params[0].$surbldomain);
+        # If gethostbyname() returned anything, build a return message.
+        $return_string = "";
+        if (scalar(@dnsbladdr) != 0) {
+            $return_string = "Blacklisted URL in message. (".$params[0].") in";
+            @surblipaddr = unpack('C4',($dnsbladdr[4])[0]);
+            if ($surblipaddr[3] & 8) {
+                $return_string .= " [red]";
+            }
+            if ($surblipaddr[3] & 4) {
+                $return_string .= " [grey]";
+            }
+            if ($surblipaddr[3] & 2) {
+                $return_string .= " [black]";
+            }
+            $return_string .= ". See http://lookup.uribl.com.";
+        }
+        return $return_string;
+    }
+    
+    sub converthex {
+        # This subroutin converts two hex characters to an ASCII character.
+        # It is called when ASCII obfuscation or Printed-Quatable characters
+        # are found (i.e. %AE or =AE).
+        # It should return a converted/plain address after splitting off
+        # everything that isn't part of the address portion of the URL.
+        my @ob_parts = @_;
+        my $address = $ob_parts[0];
+        for (my $j=1; $j < scalar(@ob_parts); $j++) {
+            $address .= chr(hex(substr($ob_parts[$j],0,2)));
+            $address .= substr($ob_parts[$j],2,);
+        }
+        $address = (split(/[^A-Za-z0-9._\-]/,$address))[0];
+        return $address
+    }
+
+    ################
+    # Main Program #
+    ################
+
+    if ($exim_body) {
+        # Find all the URLs in the message by finding the HTTP string
+        @parts = split /[hH][tT][tT][pP]:\/\//,$exim_body;
+        if (scalar(@parts) > 1) {
+            # Read the entries from the ccTLD file.
+            open (cctld_handle,$cctld_file) or die "Can't open $cctld_file.\n";
+            while (<cctld_handle>) {
+                next if (/^#/ || /^$/ || /^\s$/);
+                push(@cctlds,$_);
+            }
+            close (cctld_handle) or die "Close: $!\n";
+            # Read the entries from the whitelist file.
+            open (whitelist_handle,$whitelist_file) or die "Can't open $whitelist_file.\n";
+            while (<whitelist_handle>) {
+                next if (/^#/ || /^$/ || /^\s$/);
+                push(@whitelist,$_);
+            }
+            close (whitelist_handle) or die "Close: $!\n";
+            # Go through each of the HTTP parts that were found in the message
+            for ($i=1; $i < scalar(@parts); $i++) {
+                # Special case of Quoted Printable EOL marker
+                $parts[$i] =~ s/=\n//g;
+                    # Split the parts and find the address portion of the URL.
+                # Address SHOULD be either a FQDN, IP address, or encoded address.
+                $address = (split(/[^A-Za-z0-9\._\-%=]/,$parts[$i]))[0];
+                # Check for an =.  If it exists, we assume the URL is doing 
+                # Quoted-Printable.  Decode it and redine $address
+                if ($address =~ /=/) {
+                    @ob_parts = split /=/,$address;
+                    $address = converthex(@ob_parts);
+                }
+                # Check for a %.  If it exists the URL is using % ASCII
+                # obfuscation.  Decode it and redefine $address.
+                if ($address =~ /%/) {
+                    @ob_parts = split /%/,$address;
+                    $address = converthex(@ob_parts);
+                }
+                # Split the the address into the elements separated by periods.
+                @domain = split /\./,$address;
+                # Check the length of the domain name.  If less then two elements
+                # at this point it is probably bogus or there is a bug in one of 
+                # the decoding/converting routines above.
+                if (scalar(@domain) >= 2) {
+                    $return_result="";
+                    # By default, assume that the domain check is on a 
+                    # "standard" two level domain
+                    $spamcheckdomain=$domain[-2].".".$domain[-1];
+                    # Check for a two level domain
+                    if (((scalar(@domain) == 2) || (scalar(@domain) >= 5))  && 
+                        (grep(/^$spamcheckdomain$/i,@cctlds))) {
+                        $return_result="cctld";
+                    }
+                    # Check for a three level domain
+                    if (scalar(@domain) == 3) {
+                        if (grep(/^$spamcheckdomain$/i,@cctlds)) {
+                            $spamcheckdomain=$domain[-3].".".$spamcheckdomain;
+                            if (grep(/^$spamcheckdomain$/,@cctlds)) {
+                                $return_result="cctld";
+                            }
+                        }
+                    }
+                    # Check for a four level domain
+                    if (scalar(@domain) == 4) {
+                        # Check to see if the domain is an IP address
+                        if ($domain[-1] =~ /[a-zA-Z]/) {
+                            if (grep(/^$spamcheckdomain$/i,@cctlds)) {
+                                $spamcheckdomain=$domain[-3].".".$spamcheckdomain;
+                                if (grep(/^$spamcheckdomain$/i,@cctlds)) {
+                                    $spamcheckdomain=$domain[-4].".".$spamcheckdomain;
+                                }
+                            }
+                        } else {
+                            # Domain is an IP address
+                            $spamcheckdomain=$domain[3].".".$domain[2].
+                                ".".$domain[1].".".$domain[0];
+                        }
+                    }
+                    # DEBUG statement
+                    #warn ("FOUND DOMAIN ($mime_filename): $spamcheckdomain\n");
+                    # If whitelisting is enabled check domain against the 
+                    # whitelist.
+                    if ($whitelist_file ne "") {
+                        foreach $whitelist_entry (@whitelist) {
+                            chomp($whitelist_entry);
+                            if ($spamcheckdomain =~ m/^$whitelist_entry$/i) {
+                                $return_result="whitelisted";
+                                last;
+                            }
+                        }
+                    }
+                    # If the domain is whitelisted or in the cctld skip adding
+                    # it to the lookup list.
+                    if ($return_result eq "") {
+                        if (scalar(@lookupdomains) > 0) {
+                            # Check so see if the domain already is in the list.
+                            if (not grep(/^$spamcheckdomain$/i,@lookupdomains)) {
+                                    push(@lookupdomains,$spamcheckdomain);
+                            }
+                        } else {
+                            push(@lookupdomains,$spamcheckdomain);
+                        }
+                    }
+                }
+            }
+            # If there are items in the lookupdomains list then
+            # perform lookups on them.  If there are not, something is wrong
+            # and just return false.  There should always be something in the list.
+            if (scalar(@lookupdomains) > 0) {
+                foreach $i (@lookupdomains) {
+                    # DEBUG statement.
+                    #warn ("CHECKING DOMAIN ($mime_filename): $i\n");
+                    # If SURBL lookups are enabled do an SURBL lookup
+                    if ($surbl_enable == 1) {
+                        $return_result = surbllookup($i);
+                    }
+                    # If URIBL lookups are enabled and the SURBL lookup failed
+                    # do a URIBL lookup
+                    if (($uribl_enable == 1) && ($return_result eq "")) {
+                        $return_result = uribllookup($i);
+                    }
+                    # If we got a hit return the result to Exim
+                    if ($return_result ne "") {
+                        undef @cctlds;
+                        undef @whitelist;
+                        return $return_result;
+                    }
+                }
+            }
+        }
+    }
+    # We didn't find any URLs or the URLs we did find were not
+    # listed so return false.
+    undef @cctlds;
+    undef @whitelist;
+    return false;
+}
+
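Review bot: `@lookupdomains` is never reset — the cleanup before both `return` statements undefs only `@cctlds` and `@whitelist` — so for as long as the embedded interpreter outlives one call (it does within a single Exim process) the domains collected from one MIME part or message carry over into the next one handled by that process, and a listed domain in earlier mail can flag later, unrelated mail. Add `undef @lookupdomains;` next to each existing `undef @whitelist;` and start the main program with `@lookupdomains = ();`. The domain extracted from the message body is also interpolated unescaped into the grep patterns, e.g. `grep(/^$spamcheckdomain$/i,@cctlds)`, so its `.` separators match any character; `grep(/^\Q$spamcheckdomain\E$/i,@cctlds)` (and the same `\Q…\E` for `$whitelist_entry`) pins the literal string. `open(fh,"<$mime_filename")` is not checked, so an unreadable decoded part is silently treated as an empty body and the check fails open; `open(my $fh, '<', $mime_filename) or return "";` at least makes that path explicit, and replacing the bareword `return false;` with `return "";` keeps the same Exim-side result while surviving `use strict`.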
diff --git a/modules/exim/files/common/surbl_whitelist.txt b/modules/exim/files/common/surbl_whitelist.txt
new file mode 100644 (file)
index 0000000..c3bb723
--- /dev/null
@@ -0,0 +1,203 @@
+example.com
+example.net
+example.org
+126.com
+163.com
+2o7.net
+4at1.com
+5iantlavalamp.com
+about.com
+adelphia.net
+adobe.com
+advertising.com
+agora-inc.com
+agoramedia.com
+akamai.net
+akamaitech.net
+amazon.com
+ancestry.com
+aol.com
+apache.org
+apple.com
+arcamax.com
+astrology.com
+atdmt.com
+att.net
+aweber.com
+bbc.co.uk
+bcentral.com
+beliefnet.com
+bellsouth.net
+bfi0.com
+blogspot.com
+bridgetrack.com
+cafe24.com
+charter.net
+chtah.com
+citibank.com
+citizensbank.com
+cjb.net
+classmates.com
+click-url.com
+clickbank.net
+cnet.com
+cnn.com
+com.com
+com.ne.kr
+comcast.net
+constantcontact.com
+corporate-ir.net
+cox.net
+cs.com
+custhelp.com
+daum.net
+dd.se
+debian.org
+dell.com
+directtrack.com
+domain.com
+doubleclick.net
+dsbl.org
+earthlink.net
+ebay.co.uk
+ebay.com
+ebayimg.com
+ebaystatic.com
+ed10.net
+ed4.net
+edgesuite.net
+ediets.com
+egroups.com
+emode.com
+exacttarget.com
+excite.com
+exct.net
+f-secure.com
+flowgo.com
+free.fr
+freebsd.org
+freelotto.com
+gentoo.org
+geocities.com
+gmail.com
+gmx.net
+go.com
+google.com
+googleadservices.com
+grisoft.com
+hallmark.com
+hinet.net
+hotbar.com
+hotmail.com
+hotpop.com
+hp.com
+ibm.com
+ientrymail.com
+incredimail.com
+investorplace.com
+ivillage.com
+joingevalia.com
+juno.com
+kernel.org
+livejournal.com
+lycos.com
+m0.net
+m7z.net
+mac.com
+macromedia.com
+mail.com
+mail.ru
+mailscanner.info
+marketwatch.com
+mcafee.com
+mchsi.com
+mediaplex.com
+messagelabs.com
+microsoft.com
+military.com
+mindspring.com
+mit.edu
+monster.com
+msn.com
+nate.com
+netatlantic.com
+netflix.com
+netscape.com
+netscape.net
+netzero.net
+norman.com
+nytimes.com
+optonline.net
+osdn.com
+overstock.com
+p0.com
+pacbell.net
+pandasoftware.com
+partner2profit.com
+paypal.com
+peoplepc.com
+plaxo.com
+pm0.net
+postdirect.com
+prodigy.net
+radaruol.com.br
+real.com
+redhat.com
+regions.com
+regionsnet.com
+rm04.net
+rogers.com
+rr.com
+rs6.net
+rsvp0.net
+sbcglobal.net
+sec.gov
+sf.net
+shaw.ca
+shockwave.com
+smileycentral.com
+smithbarney.com
+sourceforge.net
+spamcop.net
+speedera.net
+sportsline.com
+sun.com
+suntrust.com
+sympatico.ca
+t-online.de
+tails.nl
+telus.net
+terra.com.br
+ticketmaster.com
+tickle.com
+tinyurl.com
+tiscali.co.uk
+tom.com
+tone.co.nz
+topica.com
+tux.org
+uol.com.br
+ups.com
+verizon.net
+vistaprint.com
+w3.org
+wamu.com
+wanadoo.fr
+washingtonpost.com
+weatherbug.com
+web.de
+webshots.com
+webtv.net
+wsj.com
+xmr3.com
+yahoo.ca
+yahoo.co.kr
+yahoo.co.uk
+yahoo.com
+yahoo.com.br
+yahoogroups.com
+yimg.com
+yopi.de
+yourfreedvds.com
+yoursite.com
+zdnet.com
index 2d8b237..a886850 100644 (file)
@@ -18,11 +18,10 @@ class exim {
           purge   => true
         ;
         "/etc/exim4/exim4.conf":
-          source  => [ "puppet:///exim/per-host/$fqdn/exim4.conf",
-                       "puppet:///exim/common/exim4.conf" ],
+          content => template("exim/eximconf.erb"),
           require => Package["exim4-daemon-heavy"],
           notify  => Exec["exim4 reload"]
-          ;
+        ;
         "/etc/exim4/manualroute":
           require => Package["exim4-daemon-heavy"],
           source  => [ "puppet:///exim/per-host/$fqdn/manualroute",
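Review bot: The per-host override `puppet:///exim/per-host/$fqdn/exim4.conf` is no longer consulted once the file comes from `template("exim/eximconf.erb")`, so any host that still has a per-host exim4.conf on the fileserver (none is visible in this commit) would silently receive the shared template instead; worth confirming nothing remains under files/per-host/*/exim4.conf before this lands. The neighbouring `manualroute` resource keeps its per-host source list, so a one-line comment above the exim4.conf resource such as `# exim4.conf is generated from nodeinfo; per-host copies are no longer honoured` would record the new rule for the next maintainer.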
@@ -137,8 +136,3 @@ class exim {
         refreshonly => true,
     }
 }
-
-class eximmx inherits exim {
-    include clamav
-    include postgrey
-}
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
new file mode 100644 (file)
index 0000000..1e77aa9
--- /dev/null
@@ -0,0 +1,22 @@
+class exim::mx inherits exim {
+    file {
+        "/etc/exim4/ccTLD.txt":
+          require => Package["exim4-daemon-heavy"],
+          source  => [ "puppet:///exim/common/ccTLD.txt" ]
+          ;
+        "/etc/exim4/surbl_whitelist.txt":
+          require => Package["exim4-daemon-heavy"],
+          source  => [ "puppet:///exim/common/surbl_whitelist.txt" ]
+          ;
+        "/etc/exim4/exim_surbl.pl":
+          require => Package["exim4-daemon-heavy"],
+          source  => [ "puppet:///exim/common/exim_surbl.pl" ],
+          notify  => Exec["exim4 restart"]
+          ;
+    }
+    exec { "exim4 restart":
+        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+        refreshonly => true,
+    }
+}
+
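Review bot: `exim::mx` does not carry over the `include clamav` and `include postgrey` that the removed `eximmx` class had (see the deletion hunk in modules/exim/manifests/init.pp), so a host moved from `eximmx` to `exim::mx` loses both unless site.pp, which is not visible here, now includes them directly. If that is intentional, a comment stating where clamav and postgrey are now pulled in would help; otherwise add `include clamav` and `include postgrey` at the top of the class body. Since `/etc/exim4/exim_surbl.pl` is `do`-loaded into the daemon through `perl_startup` in the new template, an explicit `owner => root, mode => 0644` on that resource would make the intended permissions independent of fileserver defaults.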
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
new file mode 100644 (file)
index 0000000..87cb24b
--- /dev/null
@@ -0,0 +1,1501 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+# This is the main exim4 configuration file based on the 28.08.05 version by
+# ametzler
+
+# The configuration file uses a set of rules to generate an
+# acceptable mail environment for debian.org machines. It deviates
+# considerably from what could be considered a standard exim configuration.
+
+# This configuration file brings in the necessary information from
+# other databases stored in /etc/exim/ and the files distributed by ud-ldap
+
+# This file is independent of the local host, it should not be changed
+# per machine. primary_hostname is used in all places that require per-host 
+# settings.
+
+# The configuration files in /etc/exim are as follows:
+#  locals - This is a list of domains that are considered local. A local
+#           domain is essential one that deliveries to /var/mail
+#           will be attempted. The users available for local delivery
+#           comes from /etc/passwd and /etc/aliases. Wildcards are not
+#           permitted.
+#  virtualdomains - This is a list of all virtual domains. A virtual domain
+#           is much like a local domain, execpt that the delivery location
+#           and allowed set of users is controlled by a virtual domain
+#           alias file and not /etc/passwd. Wildcards are permitted
+#  rcpthosts - recipient hosts or relay domains. This is a list of
+#           all hosts that we mail exchange for. All domains that list
+#           this host in their MX records should be listed here. Wildcards
+#           are permitted.
+#  relayhosts - Hostnames that can send any arbitarily addressed mail to
+#           us. This is primarily only usefull for emergancy 'queue
+#           flushing' operations, but should be populated with a list
+#           of trusted machines. Wildcards are not permitted
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = '
+#  mailhubdomains - Domains for which we are the MX, but the mail is relayed
+#           elsewhere.  This is designed for use with small volume or
+#           restricted machines that need to use a smarthost for mail
+#           traffic.  We will relay for them based on ssl cert validation
+#           but we need to teach exim how to route the mail to them.  This is
+#           that list.
+'
+end
+out
+%>
+# Exim's wildcard mechanism is a bit odd in that to say "any address in
+# debian.org including debian.org" you must use two patterns,
+#   *.debian.org
+#   debian.org
+# Also you can only place a * before a . and as the first char in a string.
+# Wildcards always match last so they may be used as a catchall.
+
+# Further details can be found in each of the files.
+
+# Usefull exim commands:
+#  exim4 -qf  - Try sending all messages right now, including frozen ones
+#  exim4 -bt foo@blah - Write what exim would do if it saw the address
+#                      Great for testing virtual domains and forward files
+
+# Special Features for users:
+# .forward-foo - is understood as an extension address for bar-foo@cow.com
+# .forward-default - is understood to be a catch all for bar-*@cow.com
+# .procmailrc - with no .forward file invokes procmail for delivery
+#               automatically.
+
+# For virtual domains the first lookup is done against a linear text
+# database called 'aliases', then .forward files are consulted. Exim
+# filtering is available for these .forward files only. .forward-default
+# is the universal catch all for everything not handled.
+
+# Heuristic check (none bad enough to cause a hard reject, but in aggregate
+# will trigger things like rcpt to rate limiting or possibly a reject if
+# enough hits are triggered.
+#
+# value is stored in acl_c1
+
+######################################################################
+#                    MAIN CONFIGURATION SETTINGS                     #
+######################################################################
+
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+  out = "
+perl_startup = do '/etc/exim4/exim_surbl.pl'
+"
+end
+out
+%>
+
+# These options specify the Access Control Lists (ACLs) that
+# are used for incoming SMTP messages - after the RCPT and DATA
+# commands, respectively.
+
+acl_smtp_helo = check_helo
+acl_smtp_rcpt = ${if ={$interface_port}{587} {check_submission}{check_recipient}}
+acl_smtp_data = check_message
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+  out = "acl_smtp_mime = acl_check_mime"
+end
+out
+%>
+
+# accept domain literal syntax in e-mail addresses. To actually make use of
+# this a router is also required
+allow_domain_literals = true
+
+# This setting defines a named domain list called
+# local_domains. It will be referenced
+# later on by the syntax "+local_domains".
+# Other domain and host lists may follow.
+# @ is the local FQDN, @[] matches the IP adress of any local interface.
+
+.include_if_exists /etc/exim4/local-settings.conf
+
+domainlist local_domains = @ : \
+    @[] : \
+    localhost : \
+    ${if exists {/etc/exim4/locals}{lsearch;/etc/exim4/locals}}
+
+domainlist virtual_domains = partial-lsearch;/etc/exim4/virtualdomains
+
+domainlist submission_domains = ${if exists {/etc/exim4/submission-domains}{/etc/exim4/submission-domains}{}}
+
+domainlist handled_domains = +local_domains : +virtual_domains
+
+localpartlist local_only_users = lsearch;/etc/exim4/localusers
+
+# Domains we relay for; that is domains that aren't considered local but we 
+# accept mail for them.
+domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
+hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = '
+domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
+'
+end
+out
+%>
+
+hostlist reservedaddrs = <%= nodeinfo['reservedaddrs'] %>
+
+<%= out = ""
+if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
+out = "tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl"
+end
+out
+%>
+
+# The setting below causes Exim to do a reverse DNS lookup on all incoming
+# IP calls, in order to get the true host name. If you feel this is too
+# expensive, you can specify the networks for which a lookup is done, or
+# remove the setting entirely.
+host_lookup = *
+dns_ipv4_lookup = !localhost
+
+# If this option is set, then any process that is running as one of the
+# listed users may pass a message to Exim and specify the sender's
+# address using the "-f" command line option, without Exim's adding a
+# "Sender" header.
+
+untrusted_set_sender = *
+
+# Some operating systems use the "gecos" field in the system password file
+# to hold other information in addition to users' real names. Exim looks up
+# this field when it is creating "sender" and "from" headers. If these options
+# are set, exim uses "gecos_pattern" to parse the gecos field, and then
+# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
+# by the pattern.
+
+gecos_pattern = ^([^,:]*)
+gecos_name = $1
+
+# This tells exim to immediately discard error messages (ie double bounces).
+ignore_bounce_errors_after = 0s
+auto_thaw = 1d
+timeout_frozen_after=14d
+
+message_size_limit = 100M
+message_logs = false
+smtp_accept_max = 300
+smtp_accept_max_per_host = ${if match_ip {$sender_host_address}{+debianhosts}{0}{7}}
+smtp_accept_queue = 200
+smtp_accept_queue_per_connection = 50
+smtp_accept_reserve = 25
+smtp_reserve_hosts = +debianhosts
+
+split_spool_directory = true
+check_spool_inodes = 200
+check_spool_space  = 20M
+
+delay_warning =
+
+queue_run_max = 50
+deliver_queue_load_max = 50
+queue_only_load = 15
+queue_list_requires_admin = false
+
+<%= out  = ""
+if has_variable?("clamd") && clamd == "true"
+  out = "av_scanner = clamd:/var/run/clamav/clamd.ctl"
+end
+out
+%>
+
+<%= 
+ports = []
+out = "daemon_smtp_ports = "
+ports << 25
+
+if nodeinfo['bugsmaster']
+  ports << 587
+end
+
+if not nodeinfo['mail_port'].to_s.empty?
+  ports << nodeinfo['mail_port']
+end
+
+if nodeinfo['mailrelay']
+  ports << nodeinfo['smarthost_port']
+end
+
+out += ports.uniq.sort.join(" : ")
+out
+%>
+
+admin_groups = adm
+remote_sort_domains = *.debian.org:*.debian.net
+
+pipelining_advertise_hosts = !*
+<%= out = ""
+if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
+out = 'tls_advertise_hosts = *'
+end
+out
+%>
+smtp_enforce_sync = true
+
+log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
+
+received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
+                                 {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
+                                 ${if and {{eq {$tls_certificate_verified}{1}}{def:tls_peerdn}}{from $tls_peerdn (verified)\n\t}}\
+                                 by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}\
+                                 (Exim $version_number)\n\t\
+                                 ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
+                                 id $message_exim_id${if def:received_for {\n\tfor $received_for}}
+
+# macro definitions.
+# Do not wrap!
+VDOMAINDATA = ${lookup{$domain}partial-lsearch{/etc/exim4/virtualdomains}{$value}}
+WHITELIST = ${if match_domain{$domain}{+virtual_domains}{\
+               ${if exists {/srv/$domain/mail/whitelist}{\
+                ${lookup{$local_part}lsearch{/srv/$domain/mail/whitelist}{$value}{}}\
+                }{}}\
+               }{${lookup{$local_part}lsearch{/etc/exim4/whitelist}{$value}{}} : ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-whitelist}{$value}{}}}}
+GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\
+                      {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\
+                      {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
+                      {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \
+                      ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}}
+RT_QUEUE_MAP = /srv/rt.debian.org/mail/rt_queue_map
+
+######################################################################
+#                        ACL CONFIGURATION                           #
+######################################################################
+begin acl
+
+check_helo:
+
+  warn    set acl_c1    = 0
+
+<%= 
+out = ""
+if nodeinfo['mailrelay']
+  out = "  accept  verify   = certificate"
+end
+out
+%>
+
+  # These are in HELO acl so that they are only run once.  They increment a counter,
+  # so we don't want it to increment per rcpt to.
+
+  warn    dnslists       = list.dnswl.org&0.0.0.3
+          log_message    = Hit on list.dnswl.org for $sender_host_address
+          set acl_c1     = ${eval:$acl_c1-30}
+
+  warn    dnslists       = list.dnswl.org&0.0.0.2
+          log_message    = Hit on list.dnswl.org for $sender_host_address
+          set acl_c1     = ${eval:$acl_c1-20}
+
+  warn    dnslists       = list.dnswl.org
+          log_message    = Hit on list.dnswl.org for $sender_host_address
+          set acl_c1     = ${eval:$acl_c1-10}
+
+  warn    condition      = ${if isip {$sender_helo_name}{true}{false}}
+          log_message    = remote host used IP address in HELO/EHLO greeting
+          set acl_c1     = ${eval:$acl_c1+20}
+
+  warn    !hosts         = +debianhosts
+          condition      = ${if eq{$host_lookup_failed}{1}}
+          set acl_c1     = ${eval:$acl_c1+20}
+
+  warn    !hosts         = +debianhosts
+          condition      = ${if eq{$host_lookup_failed}{0}}
+          condition      = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
+          set acl_c1     = ${eval:$acl_c1+20}
+
+  warn    !hosts         = +debianhosts
+          condition      = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}}
+          set acl_c1     = ${eval:$acl_c1+20}
+
+  warn    !hosts         = +debianhosts
+          dnslists       = dul.dnsbl.sorbs.net
+          set acl_c1     = ${eval:$acl_c1+15}
+
+  # If the sender's helo name is empty, the message will be rejected later
+  # because the helo is empty.  If the rDNS lookup failed, we are already
+  # going to greylist them, so no sense worrying about it here.  Finally,
+  # if rDNS does not match helo name (both lower cased first), greylist.
+
+  warn    !hosts         = +debianhosts
+          condition      = ${if eq {$host_lookup_failed}{1}{no}{yes}}
+          condition      = ${if def:sender_helo_name {yes}{no}}
+          condition      = ${if eq {${lc:$sender_helo_name}}{${lc:$sender_host_name}}{no}{yes}}
+          log_message    = HELO doesn't match rDNS
+          set acl_c1     = ${eval:$acl_c1+8}
+
+  # Regexes of doom
+  # matches 098325879 - looks fishy
+
+  warn condition        = ${if and { \
+                                     { !match{$sender_helo_name}{\N^\[.+\]$\N} } \
+                                     { !match{$sender_helo_name}{\N^(?i)((?=[^-])[a-z0-9-]*[a-z0-9]\.)+[a-z]{2,6}$\N} } \
+                                    } \
+                            }
+       log_message      = non-FQDN HELO
+       set acl_c1       = ${eval:$acl_c1+12}
+
+  # Matches DOMAIN99.com - looks bad
+
+  warn condition       = ${if match {$sender_helo_name}{\N^[A-Z]+[A-Z0-9\-]+\.[A-Za-z0-9]+$\N}}
+       log_message     = SHOUTING HELO
+       set acl_c1      = ${eval:$acl_c1+7}
+
+  # Random HELO (run of 7 consonants) (constructed by viruses).  We purposefully
+  # skip matching on machines named .*smtp.*, since that's 4 already.  This is a fairly
+  # naive test, so it's not worth much
+
+  warn condition       = ${if match {${lc:$sender_helo_name}}{smtp}{no}{yes}}
+       condition       = ${if match {${lc:$sender_helo_name}}{\N^[a-z0-9]+\.[a-z]+$\N}}
+       condition       = ${if match {${lc:$sender_helo_name}}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}
+       log_message     = random HELO
+       set acl_c1      = ${eval:$acl_c1+5}
+
+  # Implicit, but simpler to just say it
+  accept
+
+#!!# ACL that is used after the RCPT command on the submission port
+check_submission:
+
+  # Accept if the source is local SMTP (i.e. not over TCP/IP).
+  # We do this by testing for an empty sending host field.
+  accept  hosts = : 127.0.0.1
+
+<%= 
+out = ""
+if nodeinfo['mailrelay']
+  out = "  accept  verify   = certificate"
+end
+out
+%>
+
+  # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
+  # This is a rough pass at preventing addres harvesting or other mail blasts.
+
+  defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
+         message       = Too many bad recipients, try again later
+         condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
+
+  defer
+          ratelimit      = 5 / 60m / per_rcpt / $sender_host_address
+          !hosts         = +debianhosts
+          message        = sorry, only 5 reports per hour for submission
+
+  accept  domains  = +local_domains
+          hosts    = +debianhosts
+          endpass
+         message  = unknown user
+         verify   = recipient
+
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = '
+  accept  domains  = +mailhubdomains
+          endpass
+         message  = unknown user
+         verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
+'
+end
+out
+%>
+
+  accept  domains  = +submission_domains
+          endpass
+         message  = unknown user
+         verify   = recipient
+
+  deny    message = relay not permitted
+
+#!!# ACL that is used after the RCPT command
+check_recipient:
+
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = "  accept  verify   = certificate"
+end
+out
+%>
+
+  # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
+  # This is a rough pass at preventing addres harvesting or other mail blasts.
+
+  defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
+         message       = Too many bad recipients, try again later
+         !hosts        = +debianhosts
+         condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
+
+  # Dump spambots that are so stupid they say helo as our IP address
+
+  drop !hosts          = +debianhosts
+       condition       = ${if eq {$sender_helo_name}{$interface_address}{yes}{no}}
+       message         = HELO mismatch Forged HELO for ($sender_helo_name)
+
+  # Also for spambots that say helo as us or one of our domains
+
+  drop !hosts          = +debianhosts
+       condition       = ${if match_domain{$sender_helo_name}{$primary_hostname:+handled_domains}}
+       condition       = ${if !match{$sender_host_name}{${rxquote:$sender_helo_name}\N$\N}}
+       message         = HELO mismatch Forged HELO for ($sender_helo_name)
+
+  # This logic gives you a list of commonly forged domains in helo to reject against
+
+  warn set acl_m2      = ${lookup{$sender_helo_name} \
+                           nwildlsearch{/etc/exim4/helo-check} \
+                          {${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
+
+  # This is a failsafe in case DNS fails - we defer instead of hard reject if they 
+  # say helo as a name in the list but we can't look them up
+
+  defer !hosts         = +debianhosts
+        condition      = ${if eq{$acl_m2}{}{no}{yes}}
+        condition      = ${if eq{$sender_host_name}{}{yes}{no}}
+        condition      = ${if eq{$host_lookup_failed}{1}{no}{yes}}
+        message        = Access temporarily denied. Resolve failed PTR for $sender_host_address
+
+  # If DNS works, go ahead and reject them
+
+  drop !hosts          = +debianhosts
+       condition       = ${if and { {!eq{$acl_m2}{}}{!match{$sender_host_name}{${rxquote:$acl_m2}\N$\N}}}{yes}{no}}
+        message        = HELO mismatch Forged HELO for ($sender_helo_name)
+
+  # disabled accounts don't even get local mail.
+  deny    local_parts   = lsearch;/var/lib/misc/$primary_hostname/mail-disable
+          domains       = +local_domains
+         message       = ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-disable}{$value}}
+
+  deny    domains       = +virtual_domains
+          local_parts   = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
+                                      {${extract{directory}{VDOMAINDATA}{${value}/localonly}}}\
+                                      {}}
+          hosts         = !+debianhosts
+          message       = mail for <$local_part@$domain> only accepted from debian.org machines
+  # Accept if the source is local SMTP (i.e. not over TCP/IP).
+  # We do this by testing for an empty sending host field.
+  accept  hosts = :
+  
+  deny    domains       = +handled_domains
+          local_parts   = ^[.] : ^.*[@%!/|]
+  
+  deny    domains       = !+handled_domains
+          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+# forwards mail to @d.o address, even if it's a bounce from master, no reply
+# from source address; rejecting all mail now.
+  deny    recipients    = mendoza@debian.org
+          hosts         = 65.110.39.147 : 64.39.31.15
+          message       = <mendoza@kenny.linuxsis.net> cannot forward here while mailer-daemon mail is not caught
+
+  deny    condition     = ${lookup{$sender_address_local_part}lsearch{/etc/exim4/localusers}{true}}
+         sender_domains= +local_domains : debian.org : debian.net : debian.com
+         hosts         = !+debianhosts
+         message       = mail from <$sender_address> not allowed externally
+
+  deny    condition     = ${if match_domain{$sender_address_domain}{+virtual_domains}{1}{0}}
+          condition     = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
+          condition     = ${if match_local_part {$sender_address_local_part}{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{1}{0}}
+         message       = no mail should ever come from <$sender_address>
+
+  deny    local_parts   = +local_only_users
+         domains       = +local_domains
+          hosts         = !+debianhosts
+         message       = mail for $local_part is only accepted internally
+
+<%=
+out=''
+if 0 == 1:
+out='
+  deny    message  = address $sender_host_address is listed in $dnslist_domain; $dnslist_text
+         hosts    = !+debianhosts
+          dnslists = rbl.debian.net : rbl.debian.net/$sender_address_domain
+'
+end
+out
+%>
+
+  deny    !recipients = survey@popcon.debian.org
+          !verify = sender
+
+  defer   !hosts         = +debianhosts
+          condition      = ${if >{${eval:$acl_c1}}{0}}
+          ratelimit      = 10 / 60m / per_rcpt / $sender_host_address
+          message        = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
+<%=
+out = ""
+if has_variable?("policydweight") && policydweight == "true"
+out = '
+  # Check with policyd-weight - this only works with a version after etch\'s,
+  # sadly.  etch\'s version attempts to hold the socket open, since that\'s what
+  # postfix expects.  Exim, on the other hand, expects the remote side to close
+  # the socket when it\'s finished sending data, so it see each transaction as
+  # an incomplete read.  I\'m sure there\'s a way we could force exim to do
+  # something sick and clever to force either the interpretation or the socket
+  # closure, but I\'m fairly sure it\'s now worth it, since the backport of
+  # policyd-weight is trivial.
+  warn  !hosts         = +debianhosts
+        set acl_m9     = ${readsocket{inet:127.0.0.1:12525}\
+                          {request=smtpd_access_policy\n\
+                           protocol_state=RCPT\n\
+                           protocol_name=${uc:$received_protocol}\n\
+                           helo_name=$sender_helo_name\n\
+                           queue_id=$message_exim_id\n\
+                           sender=$sender_address\n\
+                           recipient=$local_part@$domain\n\
+                           recipient_count=$rcpt_count\n\
+                           client_address=$sender_host_address\n\
+                           client_name=$sender_host_name\n\
+                           reverse_client_name=$sender_host_name\n\
+                           instance=$sender_host_address.$sender_address.$sender_helo_name\n\n}\
+                          {20s}{\n}{socket failure}}
+
+  # Defer on socket error
+  defer !hosts         = +debianhosts
+        condition      = ${if eq{$acl_m9}{socket failure}{yes}{no}}
+        message        = Cannot connect to policyd-weight. Please try again later.
+
+  # Set proposed action to $acl_m8 and message to $acl_m7
+  warn  !hosts         = +debianhosts
+        set acl_m8     = ${extract{action}{$acl_m9}}
+        set acl_m7     = ${sg{$acl_m9}{\Naction=[^ ]+ (.*)\n\n\N}{\$1}}
+
+  # Add X-policyd-weight header line to message
+  warn  !hosts         = +debianhosts
+        message        = $acl_m7
+        condition      = ${if eq{$acl_m8}{PREPEND}{yes}{no}}
+
+  # Write log message, if policyd-weight can\'t run checks
+  warn  !hosts         = +debianhosts
+        log_message    = policyd-weight message: $acl_m7
+        condition      = ${if eq{$acl_m8}{DUNNO}{yes}{no}}
+
+  # Deny mails which policyd-weight thinks are spam
+  deny  !hosts         = +debianhosts
+        message        = policyd-weight said: $acl_m7
+        condition      = ${if eq{$acl_m8}{550}{yes}{no}}
+
+  # Defer messages when policyd-weight suggests so.
+  defer  !hosts         = +debianhosts
+         message        = policyd-weight said: $acl_m7
+         condition      = ${if eq{$acl_m8}{450}{yes}{no}}
+'
+end
+out
+%>
+  warn    recipients = survey@popcon.debian.org
+          set acl_m1 = PopconMail
+
+<%=
+out=''
+if nodeinfo['rtmaster']
+  out='
+  warn    domains  = rt.debian.org
+          set acl_m1 = RTMail
+          set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}}
+'
+end
+out
+%>
+<%=
+out=''
+if nodeinfo['packagesmaster']
+  out='
+  warn    domains  = packages.qa.debian.org
+          set acl_m1 = PTSMail
+
+  warn    recipients = owner@packages.qa.debian.org : postmaster@packages.qa.debian.org
+          set acl_m1 = PTSOwner
+
+  warn    senders  = :
+          domains  = packages.qa.debian.org
+          condition = ${if match{$local_part}{\N^bounces+\N}}
+          set acl_m1 = PTSListBounce
+'
+end
+out
+%>
+  warn    recipients = change@db.debian.org : changes@db.debian.org : chpasswd@db.debian.org : ping@db.debian.org : recommend@nm.debian.org
+          set acl_m1 = DBSignedMail
+
+<%=
+out = ""
+if has_variable?("greylistd") && greylistd == "true"
+  out = '
+  defer
+    message  = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
+    log_message = greylisted.
+    local_parts    = ${if match_domain{$domain}{+virtual_domains}\
+                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\
+                    {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
+                    {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \
+                    ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}}
+    !senders       = :
+    !hosts         = : +debianhosts : WHITELIST : \
+                     ${if exists {/etc/greylistd/whitelist-hosts}\
+                                 {/etc/greylistd/whitelist-hosts}{}} : \
+                     ${if exists {/var/lib/greylistd/whitelist-hosts}\
+                                 {/var/lib/greylistd/whitelist-hosts}{}} 
+    !authenticated = *
+    domains        = +handled_domains : +rcpthosts
+    condition      = ${readsocket{/var/run/greylistd/socket}\
+                                 {--grey \
+                                  $sender_host_address \
+                                  $sender_address \
+                                  $local_part@$domain}\
+                                 {5s}{}{false}}
+'
+elsif has_variable?("postgrey") && postgrey == "true"
+  out = '
+  # next three are greylisting, inspired by http://www.bebt.de/blog/debian/archives/2006/07/30/T06_12_27/index.html
+  # this adds acl_m4 if there isn\'t one (so unique per message)
+  warn
+    !senders       = :
+    !hosts         = : +debianhosts : WHITELIST
+    condition      = ${if def:acl_m4 {no}{yes}}
+    set acl_m4     = $pid.$tod_epoch.$sender_host_port
+
+  # and defers the message if postgrey thinks it should be defered ...
+  defer
+    !senders       = :
+    !hosts         = : +debianhosts : WHITELIST
+    !authenticated = *
+    domains        = +handled_domains : +rcpthosts
+    local_parts    = GREYLIST_LOCAL_PARTS
+    set acl_m3     = request=smtpd_access_policy\n\
+                     protocol_state=RCPT\n\
+                     protocol_name=${uc:$received_protocol}\n\
+                     instance=${acl_m4}\n\
+                     helo_name=${sender_helo_name}\n\
+                     client_address=${substr_-3:${mask:$sender_host_address/24}}\n\
+                     client_name=${sender_host_name}\n\
+                     sender=${sender_address}\n\
+                     recipient=$local_part@$domain\n\n
+    set acl_m3     = ${sg{\
+                         ${readsocket{/var/run/postgrey/socket}{$acl_m3}\
+                               {5s}{}{action=DUNNO}}\
+                     }{action=}{}}
+    message        = ${sg{$acl_m3}{^\\\\w+\\\\s*}{}}
+    log_message    = greylisted.
+    condition      = ${if eq{${uc:${substr{0}{5}{$acl_m3}}}}{DEFER}}
+
+ # ... or adds a header with information about how long the delay was
+ warn
+    !senders       = :
+    !hosts         = : +debianhosts : WHITELIST
+    !authenticated = *
+    domains        = +handled_domains : +rcpthosts
+    local_parts    = GREYLIST_LOCAL_PARTS
+    condition      = ${if eq{${uc:${substr_0_7:$acl_m3}}}{PREPEND}}
+    message        = ${sg{$acl_m3}{^\\\\w+\\\\s*}{}}
+'
+end
+out
+%>
+
+  accept  local_parts   = postmaster
+          domains       = +handled_domains : +rcpthosts
+
+  deny   log_message   = <$sender_address> is blacklisted
+         senders       = ${if exists{/etc/exim4/blacklist}{/etc/exim4/blacklist}{}}
+         message       = We have blacklisted <$sender_address>.  Please stop mailing us
+
+  deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+          dnslists = ${if match_domain{$domain}{+virtual_domains}\
+                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
+                    {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
+                    {${lookup{$local_part}lsearch{/etc/exim4/rbllist}{$value}{}} : \
+                    ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rbl}{$value}{}}}}
+         domains       = +handled_domains : +rcpthosts
+         !hosts        = +debianhosts : WHITELIST
+
+  deny    message  = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+          dnslists = ${if match_domain{$domain}{+virtual_domains}\
+                    {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
+                    {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
+                    {${expand:${lookup{$local_part}lsearch{/etc/exim4/rhsbllist}{$value}{}}} : \
+                    ${expand:${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-rhsbl}{$value}{}}}}}
+         domains       = +handled_domains : +rcpthosts
+         !hosts        = +debianhosts : WHITELIST
+
+  deny    domains  = +handled_domains : +rcpthosts
+          local_parts   = ${if match_domain{$domain}{+virtual_domains}\
+                          {${if exists {${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}\
+                          {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/callout_users}}}{$local_part}{}}}{}}}\
+                          {${lookup{$local_part}lsearch{/etc/exim4/callout_users}{$local_part}{}} : \
+                          ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-callout}{$local_part}{}}}}
+          !hosts   = +debianhosts : WHITELIST
+         !verify  = sender/callout
+
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = '
+  accept  domains  = +mailhubdomains
+          endpass
+         message  = unknown user
+         verify   = recipient/callout=30s,defer_ok,use_sender,no_cache
+'
+end
+out
+%>
+  accept  domains  = +handled_domains
+          endpass
+         message  = unknown user
+         verify   = recipient/defer_ok
+
+  accept  domains  = +rcpthosts
+          endpass
+         message  = unrouteable address
+         verify   = recipient
+
+  accept  hosts         = +debianhosts
+
+  accept  authenticated = *
+
+  deny    message = relay not permitted
+
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+out='
+acl_check_mime:
+
+  deny   condition     = ${if <{$message_size}{256000}}
+         set acl_m5    = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m5}{false}{no}{yes}}
+         log_message   = $acl_m5
+         message       = $acl_m5
+
+  accept
+'
+end
+out
+%>
+
+#!!# ACL that is used after the DATA command
+check_message:
+  require verify = header_syntax
+          message = Invalid syntax in the header
+
+<%=
+out=''
+if nodeinfo['rtmaster']
+  out='
+  deny    condition = ${if eq {$acl_m1}{RTMail}}
+          condition = ${if and{{!match {${lc:$rh_Subject:}} {debian rt}} \
+                               {!match {${lc:$rh_Subject:]}} {\N\[rt.debian.org \N}} \
+                               {!match {$acl_m12}{RTMailRecipientHasSubaddress}}}}
+          message  = messages to the Request Tracker system require a subject tag or a subaddress
+'
+end
+out
+%>
+<%=
+out=''
+if nodeinfo['packagesmaster']
+  out='
+  deny    !hosts  = +debianhosts : 217.196.43.134
+          condition = ${if eq {$acl_m1}{PTSMail}}
+          condition = ${if def:h_X-PTS-Approved:{false}{true}}
+          message   = messages to the PTS require an X-PTS-Approved header
+'
+end
+out
+%>
+  deny    condition      = ${if match {$message_body}{\Nhttp:\/\/[a-z\.-]+\/video1?.exe\N}}
+          message        = Blackisted URI found in body
+
+  deny    condition      = ${if eq {$acl_m1}{DBSignedMail}}
+          condition      = ${if and {{!match {$message_body}{PGP MESSAGE}}              \
+                                     {!match {$message_body}{PGP SIGNED MESSAGE}}       \
+                                     {!match {$message_body}{PGP SIGNATURE}}            \
+                                     {!match {$header_content-type:}{multipart/signed}} \
+                                     {!match {$header_content-type:}{pgp}}              \
+                                    }                                                   \
+                            }
+          message        = Mail to this address needs to be PGP-signed
+
+# RFC 822 and 2822 say that headers must be ASCII.  This kinda emulates
+# postfix's strict_7bit_headers option, but only checks a few common problem
+# headers, as there doesn't appear to be an easy way to check them all.
+  deny
+         condition       = ${if or {{match {$rh_Subject:}{[\200-\377]}}\
+                                {match {$rh_To:}{[\200-\377]}}\
+                                {match {$rh_From:}{[\200-\377]}}\
+                                {match {$rh_Cc:}{[\200-\377]}}}{true}{false}}
+         message         = improper use of 8-bit data in message header: message rejected
+
+  deny
+         condition       = ${if match {$rh_Subject:}{[^[:print:]]\{8\}}{true}{false}}
+         message         = Your mailer is not RFC 2047 compliant: message rejected
+
+<%=
+out = ""
+if has_variable?("clamd") && clamd == "true"
+out = '
+  deny    
+         demime          = *
+          malware         = */defer_ok
+          message         = malware detected: $malware_name: message rejected
+'
+end
+out
+%>
+
+  deny    spam            = $value/defer_ok
+          domains         = +handled_domains : +rcpthosts
+          message         = message got a spam score of $spam_score
+          local_parts     = ${if exists {/etc/exim4/sa_users}\
+                            {${if match_domain{$domain}{+virtual_domains}\
+                            {${lookup{$local_part@$domain}nwildlsearch{/etc/exim4/sa_users}{$local_part}{}}}\
+                            {${lookup{$local_part}lsearch{/etc/exim4/sa_users}{$local_part}{}}}}}}
+
+<%=
+out=''
+if nodeinfo.has_key?('heavy_exim') and not nodeinfo['heavy_exim'].empty?
+out='
+  deny   condition     = ${if <{$message_size}{256000}}
+         set acl_m5    = ${perl{surblspamcheck}}
+         condition     = ${if eq{$acl_m5}{false}{no}{yes}}
+         log_message   = $acl_m5
+'
+end
+out
+%>
+  # Check header_sender except for survey@popcon.d.o
+  deny    condition = ${if eq{$acl_m1}{PopconMail}{false}{true}}
+          !verify = header_sender
+          message = No valid sender found in the From:, Sender: and Reply-to: headers
+
+  accept
+
+
+
+######################################################################
+#                      REWRITE CONFIGURATION                         #
+######################################################################
+
+
+
+begin rewrite
+
+\N^buildd_(.*)@ries\.debian\.org$\N buildd_$1@buildd.debian.org T
+\N^buildd_(.*)@klecker\.debian\.org$\N buildd_$1@buildd.debian.org T
+*@debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
+*@people.debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T
+#*@${primary_hostname} "${if exists{/etc/exim4/email-addresses}{${lookup{$1}lsearch{/etc/exim4/email-addresses}{$value}fail}}fail}" fFs
+m68k@buildd.debian.org m68k-build@nocrew.org Ttrbc
+
+
+#!!#######################################################!!#
+#!!# Here follow routers created from the old routers,   #!!#
+#!!# for handling non-local domains.                     #!!#
+#!!#######################################################!!#
+
+begin routers
+
+
+
+######################################################################
+#                      ROUTERS CONFIGURATION                         #
+#                Specifies how addresses are handled                 #
+######################################################################
+#                          ORDER DOES MATTER                         #
+#     An address is passed to each in turn until it is accepted.     #
+######################################################################
+
+<%=
+out = ""
+if nodeinfo['mailrelay']
+  out = '
+relay_manualroute:
+  driver = manualroute
+  domains = +mailhubdomains
+  transport = remote_smtp
+  route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
+  require_files = /etc/exim4/manualroute
+'
+end
+out
+%>
+
+bsmtp:
+  debug_print = "R: bsmtp for $local_part@$domain"
+  driver = manualroute
+  domains = !+local_domains
+  require_files = /etc/exim4/bsmtp
+  route_list = * ${extract{file}{\
+                   ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
+                    {$value}fail}}}
+  transport = bsmtp
+
+# This router routes to remote hosts over SMTP by explicit IP address,
+# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
+# require this facility, which is why it is enabled by default in Exim.
+ipliteral:
+  debug_print = "R: ipliteral for $local_part@$domain"
+  driver = ipliteral
+  domains = !+handled_domains
+  transport = remote_smtp
+  ignore_target_hosts = +reservedaddrs
+
+<%=
+out = ""
+if not nodeinfo['smarthost'].empty?
+out = '
+smarthost:
+  debug_print = "R: smarthost for $local_part@$domain"
+  driver = manualroute
+  domains = !+handled_domains
+  transport = remote_smtp_smarthost
+  route_list = * ' + nodeinfo['smarthost'] + '
+  host_find_failed = defer
+  same_domain_copy_routing = yes
+  no_more
+'
+end
+out
+%>
+
+# This router routes to remote hosts over SMTP using a DNS lookup.
+# Ignore reserved network responses, including localhost.
+dnslookup:
+  debug_print = "R: dnslookup for $local_part@$domain"
+  driver = dnslookup
+  domains = !+handled_domains
+  transport = remote_smtp
+  ignore_target_hosts = +reservedaddrs
+  no_more
+
+# This router handles aliasing using a traditional /etc/aliases file.
+# If any of your aliases expand to pipes or files, you will need to set
+# up a user and a group for these deliveries to run under. You can do
+# this by uncommenting the "user" option below (changing the user name
+# as appropriate) and adding a "group" option if necessary.
+
+system_aliases:
+  debug_print = "R: system_aliases for $local_part@$domain"
+  driver = redirect
+  allow_defer
+  allow_fail
+  data = ${lookup{$local_part}lsearch*{/etc/aliases}}
+  domains = +local_domains
+  file_transport = address_file
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  pipe_transport = address_pipe
+  retry_use_local_part
+
+# This router handles forwarding using traditional .forward files.
+# It also allows mail filtering when a forward file starts with the 
+# string "# Exim filter": to disable filtering, uncomment the "filter" 
+# option. The check_ancestor option means that if the forward file 
+# generates an address that is an ancestor of the current one, the 
+# current one gets passed on instead. This covers the case where A is 
+# aliased to B and B has a .forward file pointing to A.
+
+# For standard debian setup of one group per user, it is acceptable---normal
+# even---for .forward to be group writable. If you have everyone in one
+# group, you should comment out the "modemask" line. Without it, the exim
+# default of 022 will apply, which is probably what you want.
+
+userforward_verify:
+  debug_print = "R: userforward for $local_part${local_part_suffix}@$domain"
+  driver = redirect
+  check_ancestor
+  user = Debian-exim
+  no_check_local_user
+  directory_transport = address_directory
+  domains = +local_domains
+  # filter - I have disabled filtering to force users to use .forward-foo files
+  # or procmail. This will make it easier to move mailers in the future
+  #
+  # This bit does the qmailesque extension names, foo-bar@ is .forward-foo it
+  # also checks if the .forward-bar exists, if not then it uses
+  # .forward-default instead.
+  file = $home/.forward\
+         ${if eq{}{$local_part_suffix}{}{\
+          ${if exists {${home}/.forward${local_part_suffix}} \
+            {${local_part_suffix}}{-default}}\
+          }\
+         }
+  file_transport = address_file
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  local_part_suffix = -*
+  local_part_suffix_optional
+  modemask = 002
+  pipe_transport = address_pipe
+  reply_transport = address_reply
+  require_files = $home
+  router_home_directory = ${lookup passwd{$local_part}{${extract{5}{:}{$value}}}fail}
+  verify_only
+
+userforward:
+  debug_print = "R: userforward for $local_part${local_part_suffix}@$domain"
+  driver = redirect
+  check_ancestor
+  check_local_user
+  directory_transport = address_directory
+  domains = +local_domains
+  # filter - I have disabled filtering to force users to use .forward-foo files
+  # or procmail. This will make it easier to move mailers in the future
+  #
+  # This bit does the qmailesque extension names, foo-bar@ is .forward-foo it
+  # also checks if the .forward-bar exists, if not then it uses
+  # .forward-default instead.
+  file = $home/.forward\
+         ${if eq{}{$local_part_suffix}{}{\
+          ${if exists {${home}/.forward${local_part_suffix}} \
+            {${local_part_suffix}}{-default}}\
+          }\
+         }
+  file_transport = address_file
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  local_part_suffix = -*
+  local_part_suffix_optional
+  modemask = 002
+  pipe_transport = address_pipe
+  reply_transport = address_reply
+  require_files = $home
+  no_verify
+
+# This delivers to procmail
+procmail:
+  debug_print = "R: procmail for $local_part@$domain"
+  driver = accept
+  check_local_user
+  domains = +local_domains
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  no_verify
+  no_expn
+  require_files = $local_part:$home/.procmailrc
+  transport = procmail_pipe
+  transport_current_directory = $home
+  
+# This driver delivers to the LDAP generated alias file.
+ldap_aliases:
+  debug_print = "R: ldap_aliases for $local_part@$domain"
+  driver = redirect
+  allow_defer
+  allow_fail
+  data = ${if exists{/var/lib/misc/$primary_hostname/mail-forward.cdb}\
+             {${lookup{$local_part}cdb\
+              {/var/lib/misc/$primary_hostname/mail-forward.cdb}}}}
+  domains = +local_domains
+  file_transport = address_file
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  pipe_transport = address_pipe
+  retry_use_local_part
+  
+# This director matches local user mailboxes.
+localuser:
+  debug_print = "R: localuser for $local_part@$domain"
+  driver = accept
+  check_local_user
+  domains = +local_domains
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  # Disable if the user has never logged in
+  require_files = $home
+  transport = local_delivery
+  no_more
+
+# Now we begin the Virtual Domain configuration
+# Everything before here should apply only to the local domains with a 
+# domains= rule
+
+# exim4 fails the router if it can't change to the user/group for delivery
+# during verification.  So we have to seperate the cases of verifying
+# the virts, and delivering to them.  blah.
+<%=
+out = ""
+if nodeinfo['packagesmaster']
+  out = '
+# This router delivers for packages.d.o
+packages:
+  debug_print = "R: packages for $local_part@$domain"
+  driver = redirect
+  file_transport = address_file
+  pipe_transport = address_pipe
+  domains = packages.debian.org
+  require_files = /org/packages.debian.org/conf/maintainer
+  data = ${lookup{$local_part}cdb{/org/packages.debian.org/conf/maintainer.cdb}}
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  transport_home_directory = /org/packages.debian.org/mail
+  transport_current_directory = /org/packages.debian.org/mail
+  check_ancestor
+  retry_use_local_part
+  no_more
+'
+end
+out
+%>
+
+<%=
+out = ""
+if nodeinfo['bugsmaster']
+  out = '
+# This router delivers for bugs.d.o
+bugs:
+  debug_print = "R: bugs for $local_part@$domain"
+  driver = accept
+  transport = bugs_pipe
+  domains = bugs.debian.org
+  cannot_route_message = Unknown or archived bug
+  require_files = /org/bugs.debian.org/mail/run-procmail
+  no_more
+  local_parts = ${if match\
+                  {$local_part}\
+                  {\N^(\d+)(\d{2})(?:-(?:(?:submit|maintonly|quiet|forwarded|done|close|request|submitter)|(?:unsubscribe|ignore|(?:sub(?:scribe|help|yes|approve|reject))|unsubyes|bounce|probe|approve|reject|setlistyes|setlistsilentyes).*))?$\N}\
+               {${if exists{/org/bugs.debian.org/spool/db-h/$2/$1$2.summary}\
+              {$local_part}fail}}fail}
+'
+end
+out
+%>
+
+<%=
+out = ""
+if nodeinfo['rtmaster']
+  out = '
+# This router delivers for rt.d.o
+rt_force_new_verbose:
+  debug_print = "R: rt for $local_part+new@$domain"
+  driver = redirect
+  domains = rt.debian.org
+  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
+  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
+  local_part_suffix = +new
+  pipe_transport = rt_pipe
+  data = "|/usr/bin/rt-mailgate --queue \'${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}\' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+
+# FIXME: figure out how to generalize this approach so that all of the following would work
+# - rt+NNNN@rt.debian.org          : attach correspondence to ticket (verbose)
+# - rt+NNNN-quiesce@rt.debian.org  : attach correspondence to ticket (quiesce)
+# - rt+NNNN-<action>@rt.debian.org : attach correspondence to ticket (some action)
+# requires modification to custom condition in \'scrips\'
+rt_force_new_quiesce:
+  debug_print = "R: rt for $local_part+new-quiesce@$domain"
+  driver = redirect
+  domains = rt.debian.org
+  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
+  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
+  local_part_suffix = +new-quiesce
+  pipe_transport = rt_pipe
+  data = "|/usr/bin/rt-mailgate --queue \'${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}\' --url https://rt.debian.org/ --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}\nX-RT-Mode: quiesce"
+
+rt_otherwise:
+  debug_print = "R: rt for $local_part@$domain"
+  driver = redirect
+  domains = rt.debian.org
+  require_files = /usr/bin/rt-mailgate : RT_QUEUE_MAP
+  local_parts = ${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}{$local_part}{}}
+  local_part_suffix = +*
+  local_part_suffix_optional
+  pipe_transport = rt_pipe
+  data = "|/usr/bin/rt-mailgate --queue \'${lookup{${sg{$local_part}{-comment}{}}}lsearch{RT_QUEUE_MAP}}\' --url https://rt.debian.org/ --extension ticket --action ${if match{$local_part}{.*-comment.*}{comment}{correspond}}"
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+'
+end
+out
+%>
+
+virt_alias_verify:
+  debug_print = "R: virt_aliases for $local_part@$domain"
+  driver = redirect
+  data = ${if exists{\
+           ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\
+          {${lookup{$local_part}lsearch*{\
+              ${extract{directory}{VDOMAINDATA}{$value/aliases}}\
+          }}}}
+  directory_transport = address_directory
+  cannot_route_message = Unknown user
+  domains = +virtual_domains
+  file_transport = address_file
+  pipe_transport = address_pipe
+  qualify_preserve_domain
+  retry_use_local_part
+  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
+  transport_home_directory = ${extract{directory}{VDOMAINDATA}}
+  verify_only
+
+virt_direct_verify:
+  debug_print = "R: virt_direct for $local_part@$domain"
+  driver = redirect
+  no_check_local_user
+  user = Debian-exim
+  allow_filter
+  modemask = 002
+  directory_transport = address_directory
+  domains = +virtual_domains
+  file = $home/.forward-\
+              ${if exists {${home}/.forward-${local_part}}{${local_part}}\
+                  {default}}
+  file_transport = address_file
+  pipe_transport = address_pipe
+  reply_transport = address_reply
+  retry_use_local_part
+  router_home_directory = ${extract{directory}{VDOMAINDATA}}
+  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
+  verify_only
+
+# This is a senmailesque alias file lookup
+virt_aliases:
+  debug_print = "R: virt_aliases for $local_part@$domain"
+  driver = redirect
+  allow_defer
+  allow_fail
+  data = ${if exists{\
+           ${extract{directory}{VDOMAINDATA}{${value}/aliases}}}\
+          {${lookup{$local_part}lsearch*{\
+              ${extract{directory}{VDOMAINDATA}{$value/aliases}}\
+          }}}}
+  directory_transport = address_directory
+  domains = +virtual_domains
+  file_transport = ${if eq {${extract{group_writable}{VDOMAINDATA}}}{true}{address_file_group}{address_file}}
+  cannot_route_message = Unknown user
+  group = ${extract{group}{VDOMAINDATA}}
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  pipe_transport = address_pipe
+  qualify_preserve_domain
+  retry_use_local_part
+  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
+  transport_home_directory = ${extract{directory}{VDOMAINDATA}}
+  no_verify
+  user = ${extract{user}{VDOMAINDATA}}
+  
+# This is a qmailesque deliver into a directory of .forward files
+virt_direct:
+  debug_print = "R: virt_direct for $local_part@$domain"
+  driver = redirect
+  allow_filter
+  allow_fail
+  allow_defer
+  no_check_local_user
+  directory_transport = address_directory
+  domains = +virtual_domains
+  file = $home/.forward-\
+              ${if exists {${home}/.forward-${local_part}}{${local_part}}\
+                  {default}}
+  file_transport = ${if eq {${extract{group_writable}{VDOMAINDATA}}}{true}{address_file_group}{address_file}}
+  group = ${extract{group}{VDOMAINDATA}}
+  headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"
+  modemask = 002
+  pipe_transport = address_pipe
+  reply_transport = address_reply
+  retry_use_local_part
+  router_home_directory = ${extract{directory}{VDOMAINDATA}}
+  transport_current_directory = ${extract{directory}{VDOMAINDATA}}
+  no_verify
+  user = ${extract{user}{VDOMAINDATA}}
+  #debug_print = .forward-${if exists {${home}/.forward-${local_part}} {${local_part}} {default}}
+
+######################################################################
+#                      TRANSPORTS CONFIGURATION                      #
+######################################################################
+#                       ORDER DOES NOT MATTER                        #
+#     Only one appropriate transport is called for each delivery.    #
+######################################################################
+
+
+begin transports
+
+# This transport is used for local delivery to user mailboxes. On debian
+# systems group mail is used so we can write to the /var/mail
+# directory. (The alternative, which most other unixes use, is to deliver
+# as the user's own group, into a sticky-bitted directory)
+local_delivery:
+  driver = appendfile
+  file = /var/mail/${local_part}
+  group = mail
+  mode = 0660
+  no_mode_fail_narrower
+  return_path_add
+  
+# This transport is used for handling pipe addresses generated by alias
+# or .forward files. It has a conventional name, since it is not actually
+# mentioned elsewhere in this configuration file. (A different name *can*
+# be specified via the "address_pipe_transport" option if you really want
+# to.) If the pipe generates any standard output, it is returned to the sender
+# of the message as a delivery error. Set return_fail_output instead if you
+# want this to happen only when the pipe fails to complete normally.
+
+address_pipe:
+  driver = pipe
+  current_directory = ${home}
+  environment = "EXTENSION=${substr_1:${local_part_suffix}}:\
+                 EXT=${substr_1:${local_part_suffix}}:\
+                 LOCAL=${local_part}${local_part_suffix}:\
+                 RECIPIENT=${local_part}${local_part_suffix}@${domain}"
+  return_output
+  return_path_add
+
+# This transport is used for handling file addresses generated by alias
+# or .forward files. It has a conventional name, since it is not actually
+# mentioned elsewhere in this configuration file.
+
+address_file:
+  driver = appendfile
+  return_path_add
+
+address_file_group:
+  driver = appendfile
+  return_path_add
+  mode = 0660
+  directory_mode = 0770
+  mode_fail_narrower = false
+
+# This transport is used for handling file addresses generated by alias
+# or .forward files if the path ends in "/", which causes it to be treated
+# as a directory name rather than a file name. Each message is then delivered
+# to a unique file in the directory. If instead you want all such deliveries to
+# be in the "maildir" format that is used by some other mail software,
+# uncomment the final option below. If this is done, the directory specified
+# in the .forward or alias file is the base maildir directory.
+#
+# Should you want to be able to specify either maildir or non-maildir
+# directory-style deliveries, then you must set up yet another transport,
+# called address_directory2. This is used if the path ends in "//" so should
+# be the one used for maildir, as the double slash suggests another level
+# of directory. In the absence of address_directory2, paths ending in //
+# are passed to address_directory.
+
+address_directory:
+  driver = appendfile
+  check_string = 
+  maildir_format
+  message_prefix = ""
+  message_suffix = ""
+  return_path_add
+
+# This transport is used for handling autoreplies generated by the filtering
+# option of the forwardfile director. It has a conventional name, since it
+# is not actually mentioned elsewhere in this configuration file.
+address_reply:
+  driver = autoreply
+
+# This transport is used for delivering messages over SMTP connections.
+
+remote_smtp:
+  driver = smtp
+  connect_timeout = 1m
+<%=
+out = ""
+if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
+  out = "  tls_certificate = /etc/exim4/ssl/thishost.crt
+  tls_privatekey = /etc/exim4/ssl/thishost.key"
+end
+out
+%>
+
+<%=
+out = ""
+if not nodeinfo['smarthost'].empty?
+out = '
+remote_smtp_smarthost:
+  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
+  driver = smtp
+  port = '
+  out += nodeinfo['smarthost_port'].to_s + "\n"
+  if has_variable?("exim_ssl_certs") && exim_ssl_certs == "true"
+    out += '  tls_tempfail_tryclear = false
+  hosts_require_tls = ' + nodeinfo['smarthost'] + '
+  tls_certificate = /etc/exim4/ssl/thishost.crt
+  tls_privatekey = /etc/exim4/ssl/thishost.key
+'
+  end
+end
+out
+%>
+
+# Send the message to procmail
+procmail_pipe:
+  driver = pipe
+  command = /usr/bin/procmail -a ${substr_1:${local_part_suffix}}}
+  return_path_add
+  user = ${local_part}
+
+bsmtp:
+  driver = appendfile
+  batch_max = 100
+  file = ${host}
+  message_prefix = 
+  message_suffix = 
+  use_bsmtp
+  user = ${extract{user}{\
+                   ${lookup{$domain}partial-lsearch{/etc/exim4/bsmtp}\
+                    {$value}fail}\
+                  }}
+
+<%=
+out = ""
+if nodeinfo['bugsmaster']
+  out = '
+bugs_pipe:
+  driver = pipe
+  command = /org/bugs.debian.org/mail/run-procmail
+  environment = "EXTENSION=${substr_1:${local_part_suffix}}:\
+                 EXT=${substr_1:${local_part_suffix}}:\
+                 LOCAL=${local_part}${local_part_suffix}:\
+                 RECIPIENT=${local_part}${local_part_suffix}@${domain}"
+  return_path_add
+  return_output
+  user = debbugs
+'
+end
+out
+%>
+
+<%=
+out = ""
+if nodeinfo['rtmaster']
+  out = '
+rt_pipe:
+  debug_print = "T: rt_pipe for $local_part${local_part_suffix}@$domain"
+  driver = pipe
+  return_fail_output
+  environment = EXTENSION=${substr_1:${local_part_suffix}}
+  allow_commands = /usr/bin/rt-mailgate
+'
+end
+out
+%>
+
+######################################################################
+#                      RETRY CONFIGURATION                           #
+######################################################################
+
+# This single retry rule applies to all domains and all errors. It specifies
+# retries every 15 minutes for 2 hours, then increasing retry intervals,
+# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
+# hours, then retries every 8 hours until 4 days have passed since the first
+# failed delivery.
+
+# Domain               Error       Retries
+# ------               -----       -------
+
+
+begin retry
+
+debian.org            *           F,2h,10m; G,16h,2h,1.5; F,14d,8h
+*                      * senders=: F,2h,10m
+*                      rcpt_4xx    F,2h,5m;  F,4h,10m; F,4d,15m
+*                      *           F,2h,15m; G,16h,2h,1.5; F,4d,8h
+
+# End of Exim 4 configuration
index 7dd79e5..fb2bdf4 100644 (file)
@@ -1,3 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
 /linux-image-.*/
 /kernel-image-.*/
 buildd
diff --git a/modules/nagios/files/per-host/liszt.debian.org/obsolete-packages-ignore b/modules/nagios/files/per-host/liszt.debian.org/obsolete-packages-ignore
new file mode 100644 (file)
index 0000000..fdf0389
--- /dev/null
@@ -0,0 +1,11 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/linux-image-.*/
+/kernel-image-.*/
+buildd
+sbuild
+
+amavisd-new
diff --git a/modules/nagios/files/per-host/samosa.debian.org/obsolete-packages-ignore b/modules/nagios/files/per-host/samosa.debian.org/obsolete-packages-ignore
new file mode 100644 (file)
index 0000000..2ef9ca8
--- /dev/null
@@ -0,0 +1,18 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+/linux-image-.*/
+/kernel-image-.*/
+buildd
+sbuild
+
+postgresql-client-common
+postgresql-client-8.4
+postgresql-server-dev-8.4
+postgresql-8.4
+libpq5
+postgresql-common
+libpq-dev
+postgresql-8.4-debversion
index c58f1f2..1cc6322 100644 (file)
@@ -1,3 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
 /linux-image-.*/
 /kernel-image-.*/
 buildd
diff --git a/modules/named-secondary/files/common/named.conf.debian-zones b/modules/named-secondary/files/common/named.conf.debian-zones
new file mode 100644 (file)
index 0000000..2df29d4
--- /dev/null
@@ -0,0 +1,130 @@
+//
+// THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+// USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+//
+
+// Slave domains, includ in bind.conf
+
+zone "debian.org" {
+       type slave;
+       notify no;
+       file "db.debian.org";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+zone "debian.net" {
+       type slave;
+       notify no;
+       file "db.debian.net";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+zone "mirror.debian.net" {
+       type slave;
+       notify no;
+       file "db.mirror.debian.net";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+zone "rbl.debian.net" {
+       type slave;
+       notify no;
+       file "db.rbl.debian.net";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+zone "debian.com" {
+       type slave;
+       notify no;
+       file "db.debian.com";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+zone "alioth.debian.org" {
+       type slave;
+       notify no;
+       file "db.alioth.debian.org";
+       masters {
+               217.196.43.134;
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+
+// debian rack with sil.at
+zone "144-28.118.59.86.in-addr.arpa" {
+       type slave;
+       notify no;
+       file "db.86.59.118.144";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+// ipv6 at 1&1 - powell: 2001:08d8:0081:1520::/60
+zone "2.5.1.1.8.0.0.8.d.8.0.1.0.0.2.ip6.arpa" {
+       type slave;
+       notify no;
+       file "db.2001:08d8:0081:1520";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+// ipv6 at 1&1 - puccini 2001:08d8:0081:15a0::/60
+zone "a.5.1.1.8.0.0.8.d.8.0.1.0.0.2.ip6.arpa" {
+       type slave;
+       notify no;
+       file "db.2001:08d8:0081:15a0";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+// ipv6 at xs4all - klecker 2001:888:2000:12::/64
+zone "2.1.0.0.0.0.0.2.8.8.8.0.1.0.0.2.ip6.arpa" {
+       type slave;
+       notify no;
+       file "db.2001:888:2000:12";
+       masters {
+               82.195.75.106; // draghi
+               2001:41b8:202:deb:216:36ff:fe40:3906; //draghi
+       };
+       allow-query { any; };
+       allow-transfer { };
+};
+
+// vim:set syn=named:
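Review bot: Zone transfers from the masters are unauthenticated — every `masters { ... }` block in this file lists bare addresses (82.195.75.106, the draghi IPv6 address, 217.196.43.134) with no TSIG `key`, so anyone who can spoof or intercept traffic from those addresses can feed this secondary a forged copy of debian.org, debian.net and the reverse zones, and the secondary will serve it to `any`. If the master side can be configured to match, sign the transfers, e.g. `masters { 82.195.75.106 key draghi-xfr; 2001:41b8:202:deb:216:36ff:fe40:3906 key draghi-xfr; };` with the corresponding `key draghi-xfr { ... };` statement kept in a separate root-owned, 0640 file outside git rather than in this puppet-managed file. `allow-transfer { };` and `notify no;` are the right choices for a secondary that must not re-serve AXFR. Minor: the header comment `// Slave domains, includ in bind.conf` has a typo and names a file that does not appear anywhere else in the change; `// Slave zones; this file is included from the host's named.conf` says what is actually meant.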
diff --git a/modules/named-secondary/manifests/init.pp b/modules/named-secondary/manifests/init.pp
new file mode 100644 (file)
index 0000000..8c61c50
--- /dev/null
@@ -0,0 +1,13 @@
+class named-secondary {
+    file { "/etc/bind/named.conf.debian-zones":
+        source  => [ "puppet:///named-secondary/per-host/$fqdn/named.conf.debian-zones",
+                     "puppet:///named-secondary/common/named.conf.debian-zones" ],
+        notify  => Exec["bind9 reload"],
+    }
+
+    exec { "bind9 reload":
+        path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+        refreshonly => true,
+    }
+}
+
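Review bot: The `bind9 reload` exec fires on every change to the zone list without first validating the configuration, so a typo pushed through puppet takes this secondary offline for every zone it serves until someone notices; a `named-checkconf` exec between the file and the reload would make a bad push fail the puppet run instead of the nameserver (this assumes `named-checkconf` is installed alongside bind9 — confirm). The exec also has no explicit `command` and works only because its title resolves through the `/etc/init.d` entry in `path`; spelling out `command => "/etc/init.d/bind9 reload"` makes the intent visible. The file resource pins no `owner`/`group`/`mode`, so the deployed file keeps whatever the agent's defaults give it; it holds no secrets, but `owner => root, mode => 0644` is worth stating so a later change to the defaults cannot make it unreadable to named. Nothing visible here makes bind9 a dependency of the file or ensures the host's named.conf includes it — presumably handled elsewhere, but worth a `require` if it is not.
```puppet
    file { "/etc/bind/named.conf.debian-zones":
        # … unchanged: per-host / common source list …
        owner   => root,
        group   => root,
        mode    => 0644,
        notify  => Exec["named-checkconf"],
    }

    # Refuse to reload on a broken config: a failed check stops the chain here
    # rather than taking every slave zone offline.
    exec { "named-checkconf":
        command     => "/usr/sbin/named-checkconf /etc/bind/named.conf",
        refreshonly => true,
        notify      => Exec["bind9 reload"],
    }

    exec { "bind9 reload":
        command     => "/etc/init.d/bind9 reload",
        refreshonly => true,
    }
```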
diff --git a/modules/samhain/files/common/samhainrc b/modules/samhain/files/common/samhainrc
deleted file mode 100644 (file)
index 575b1f3..0000000
+++ /dev/null
@@ -1,821 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#####################################################################
-#
-# Configuration file template for samhain.
-#
-#####################################################################
-# 
-# -- empty lines and lines starting with '#', ';' or '//' are ignored
-# -- boolean options can be Yes/No or True/False or 1/0 
-# -- you can PGP clearsign this file -- samhain will check (if compiled
-#    with support) or otherwise ignore the signature
-# -- CHECK mail address
-#
-# To each log facility, you can assign a threshold severity. Only
-# reports with at least the threshold severity will be logged
-# to the respective facility (even further below).
-#
-#####################################################################
-#
-# SETUP for file system checking:
-# 
-# (i)   There are several policies, each has its own section. Put files
-#       into the section for the appropriate policy (see below).
-# (ii)  Section [EventSeverity]: 
-#       To each policy, you can assign a severity (further below).
-# (iii) Section [Log]: 
-#       To each log facility, you can assign a threshold severity. Only
-#       reports with at least the threshold severity will be logged
-#       to the respective facility (even further below).
-#
-#####################################################################
-
-#####################################################################
-#
-# Files are defined with: file = /absolute/path
-#
-# Directories are defined with:                  dir = /absolute/path
-# or with an optional recursion depth (N <= 99): dir = N/absolute/path
-#
-# Directory inodes are checked. If you only want to check files
-# in a directory, but not the directory inode itself, use (e.g.):
-#
-# [ReadOnly]
-# dir = /some/directory
-# [IgnoreAll]
-# file = /some/directory
-#
-# You can use shell-style globbing patterns, like: file = /path/foo*
-# 
-######################################################################
-
-[Misc]
-##
-## Add or subtract tests from the policies
-## - if you want to change their definitions,
-##   you need to do that before using the policies
-##
-# RedefReadOnly = (no default)
-# RedefAttributes=(no default)
-# RedefLogFiles=(no default)
-# RedefGrowingLogFiles=(no default)
-# RedefIgnoreAll=(no default)
-# RedefIgnoreNone=(no default)
-# RedefUser0=(no default)
-# RedefUser1=(no default)
-
-[Attributes]
-##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-file=/etc/ssh_random_seed
-file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-file=/etc/ioctl.save
-file=/etc/passwd.backup
-file=/etc/shadow.backup
-file=/etc/postfix/prng_exch
-file=/etc/adjtime
-file=/etc/lvm/.cache
-file=/etc/lvm/cache
-file=/etc/lvm/cache/.cache
-file=/etc/network/run/ifstate
-file=/var/state/samhain/samhain_file
-file=/etc/bind/db.debian.net
-file=/etc/exim4/bsmtp
-
-
-
-#
-# There are files in /etc that might change, thus changing the directory
-# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-file=/etc/ssh
-file=/etc/network/run
-file=/etc/bind
-
-# These are the directories for the files we handle with puppet
-file=/etc/samhain
-file=/etc/munin
-file=/etc/exim4
-file=/etc/exim4/ssl
-file=/etc/apt
-file=/etc/apt/apt.conf.d
-file=/etc/apt/sources.list.d
-file=/etc/puppet
-file=/etc/default
-file=/etc/logrotate.d
-file=/etc/nagios
-file=/etc/nagios/nrpe.d
-file=/etc/cron.d
-file=/usr/lib/nagios/plugins
-file=/usr/sbin
-file=/etc/monit
-file=/etc/monit/monit.d
-file=/etc/pam.d
-
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored 
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
-
-[GrowingLogFiles]
-##
-## for these files, changes in signature, timestamps, and increase in size
-##                  are ignored 
-##
-file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-file=/var/log/auth.log
-file=/var/log/daemon.log
-file=/var/log/user.log
-file=/var/log/kern.log
-file=/var/log/syslog
-
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-file=/etc/resolv.conf.pcmcia.save
-file=/etc/nologin
-file=/etc/postfix/debian.db
-file=/etc/postfix/debian
-file=/etc/ssh/ssh_known_hosts
-file=/etc/ssh/ssh-rsa-shadow
-file=/var/lib/misc/ssh-rsa-shadow
-file=/etc/.da-backup.trace
-file=/etc/postfix/debianhosts
-file=/etc/postfix/debianhosts.db
-
-# We handle these files with puppet - please to not be bothering us
-file=/etc/timezone
-file=/etc/motd.tail
-file=/etc/samhain/samhainrc
-file=/etc/munin/munin-node.conf
-file=/etc/userdir-ldap.confc
-file=/etc/exim4/blacklist
-file=/etc/exim4/callout_users
-file=/etc/exim4/exim4.conf
-file=/etc/exim4/grey_users
-file=/etc/exim4/helo-check
-file=/etc/exim4/locals
-file=/etc/exim4/localusers
-file=/etc/exim4/manualroute
-file=/etc/exim4/rbllist
-file=/etc/exim4/rcpthosts
-file=/etc/exim4/rhsbllist
-file=/etc/exim4/virtualdomains
-file=/etc/exim4/whitelist
-file=/etc/exim4/local-auto.conf
-file=/etc/exim4/local-settings.conf
-file=/etc/exim4/ssl/ca.crt
-file=/etc/exim4/ssl/ca.crl
-file=/etc/exim4/ssl/thishost.crt
-file=/etc/exim4/ssl/thishost.key
-file=/etc/apt/preferences
-file=/etc/apt/sources.list.d/volatile.list
-file=/etc/apt/sources.list.d/security.list
-file=/etc/apt/sources.list.d/buildd.list
-file=/etc/apt/sources.list.d/debian.org.list
-file=/etc/apt/sources.list.d/debian.restricted.list
-file=/etc/apt/sources.list.d/debian.list
-file=/etc/apt/sources.list.d/backports.org.list
-file=/etc/apt/apt.conf.d/local-recommends
-file=/etc/apt/apt.conf.d/local-pdiffs
-file=/etc/puppet/puppet.conf
-file=/etc/default/puppet
-file=/etc/logrotate.d/exim4-paniclog
-file=/etc/logrotate.d/exim4-base
-file=/usr/sbin/dsa-update-apt-status
-file=/usr/sbin/dsa-update-samhain-status
-file=/etc/nagios/nrpe.d/nrpe_dsa.cfg
-file=/etc/nagios/nrpe.d/debianorg.cfg
-file=/etc/nagios/obsolete-packages-ignore
-file=/usr/lib/nagios/plugins/dsa-check-packages
-file=/usr/lib/nagios/plugins/dsa-check-soas
-file=/usr/lib/nagios/plugins/dsa-check-mirrorsync
-file=/usr/lib/nagios/plugins/dsa-check-samhain
-file=/usr/lib/nagios/plugins/dsa-check-statusfile
-file=/usr/lib/nagios/plugins/dsa-check-dabackup-server
-file=/usr/lib/nagios/plugins/dsa-check-config
-file=/usr/lib/nagios/plugins/dsa-check-hpacucli
-file=/usr/lib/nagios/plugins/dsa-check-raid-mpt
-file=/usr/lib/nagios/plugins/dsa-check-puppet
-file=/usr/lib/nagios/plugins/dsa-check-running-kernel
-file=/usr/lib/nagios/plugins/dsa-check-raid-3ware
-file=/usr/lib/nagios/plugins/dsa-check-dabackup
-file=/usr/lib/nagios/plugins/dsa-check-raid-dac960
-file=/usr/lib/nagios/plugins/dsa-check-udldap-freshness
-file=/usr/lib/nagios/plugins/dsa-check-raid-areca
-file=/usr/lib/nagios/plugins/dsa-check-raid-sw
-file=/usr/lib/nagios/plugins/dsa-update-samhain-status
-file=/etc/sudoers
-file=/etc/pam.d/sudo
-file=/etc/blkid.tab
-file=/etc/blkid.tab.old
-file=/etc/monit/monitrc
-file=/etc/monit/monit.d/01puppet
-file=/etc/monit/monit.d/00debian.org
-file=/etc/resolv.conf.dhclient-new
-
-[IgnoreNone]
-##
-## for these files, all modifications (even access time) are reported
-##    - you may create some interesting-looking file (like /etc/safe_passwd),
-##      just to watch whether someone will access it ...
-##
-
-[Prelink]
-##
-## Use for prelinked files or directories holding them
-##
-
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-dir=3/usr/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
-#        so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-file=/usr/lib/pt_chown
-# X11, in Debian X7 this is now a symlink
-#dir=/usr/X11R6/bin
-#dir=/usr/X11R6/lib/X11/xmcd/bin
-# Apache:
-#file=/usr/lib/apache/suexec
-#file=/usr/lib/apache/suexec.disabled
-# Extra directories:
-#dir=/opt/gnome/bin
-#dir=/opt/kde/bin
-
-[User0]
-[User1]
-## User0 and User1 are sections for files/dirs with user-definable checking
-## (see the manual) 
-
-
-[EventSeverity]
-##
-## Here you can assign severities to policy violations.
-## If this severity exceeds the treshold of a log facility (see below),
-## a policy violation will be logged to that facility.
-##
-## Severity for verification failures.
-##
-# SeverityReadOnly=crit
-# SeverityLogFiles=crit
-# SeverityGrowingLogs=crit
-# SeverityIgnoreNone=crit
-# SeverityAttributes=crit
-# SeverityUser0=crit
-# SeverityUser1=crit
-
-# Default behaviour
-SeverityReadOnly=crit
-SeverityLogFiles=crit
-SeverityGrowingLogs=warn
-SeverityIgnoreNone=crit
-SeverityAttributes=crit
-
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
-# SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
-
-## Files : file access problems
-# SeverityFiles=crit
-
-## Dirs  : directory access problems
-# SeverityDirs=crit
-
-## Names : suspect (non-printable) characters in a pathname
-# SeverityNames=crit
-
-# Default behaviour
-SeverityFiles=crit
-SeverityDirs=crit
-SeverityNames=warn
-
-
-[Log]
-##
-## Switch on/OFF log facilities and set their threshold severity
-##
-## Values: debug, info, notice, warn, mark, err, crit, alert, none.
-## 'mark' is used for timestamps.
-##
-##
-## Use 'none' to SWITCH OFF a log facility
-## 
-## By default, everything equal to and above the threshold is logged.
-## The specifiers '*', '!', and '=' are interpreted as  
-## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
-## at least on Linux). Examples:
-## MailSeverity=*
-## MailSeverity=!warn
-## MailSeverity==crit
-
-## E-mail
-##
-# MailSeverity=none
-
-## Console
-##
-# PrintSeverity=info
-
-## Logfile
-##
-# LogSeverity=mark
-
-## Syslog
-##
-# SyslogSeverity=none
-
-## Remote server (yule)
-##
-# ExportSeverity=none
-
-## External script or program
-##
-# ExternalSeverity = none
-
-## Logging to a database
-##
-# DatabaseSeverity = none
-
-# Default behaviour
-MailSeverity=crit
-PrintSeverity=none
-LogSeverity=info
-SyslogSeverity=alert
-ExportSeverity=none
-
-
-
-
-
-#####################################################
-#
-# Optional modules
-#
-#####################################################
-
-# [SuidCheck]
-##
-## --- Check the filesystem for SUID/SGID binaries
-## 
-
-## Switch on
-#
-# SuidCheckActive = yes
-
-## Interval for check (seconds)
-#
-# SuidCheckInterval = 7200
-
-## Alternative: crontab-like schedule
-#
-# SuidCheckSchedule = NULL
-## Directory to exclude 
-#
-# SuidCheckExclude = NULL
-
-## Limit on files per second (0 == no limit)
-#
-# SuidCheckFps = 0
-
-## Alternative: yield after every file
-#
-# SuidCheckYield = no
-
-## Severity of a detection
-#
-# SeveritySuidCheck = crit
-
-## Quarantine SUID/SGID files if found
-#
-# SuidCheckQuarantineFiles = yes
-
-## Method for Quarantining files:
-#  0 - Delete or truncate the file.
-#  1 - Remove SUID/SGID permissions from file.
-#  2 - Move SUID/SGID file to quarantine dir.
-#
-# SuidCheckQuarantineMethod = 0
-
-## For method 1 and 3, really delete instead of truncating
-# 
-# SuidCheckQuarantineDelete = yes
-
-# [Kernel]
-##
-## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
-##
-
-## Switch on/off
-#
-KernelCheckActive = True
-
-## Check interval (seconds); btw., the check is VERY fast
-#
-# KernelCheckInterval = 300
-
-## Severity
-#
-# SeverityKernel = crit
-
-
-# [Utmp]
-##
-## --- Logging of login/logout events
-##
-
-## Switch on/off
-#
-LoginCheckActive = True
-
-## Severity for logins, multiple logins, logouts
-# 
-# SeverityLogin=info
-# SeverityLoginMulti=warn
-# SeverityLogout=info
-
-## Interval for login/logout checks
-#
-# LoginCheckInterval = 300
-
-
-# [Database]
-##
-## --- Logging to a relational database
-##
-
-## Database name
-#
-# SetDBName = samhain
-
-## Database table
-#
-# SetDBTable = log
-
-## Database user
-#
-# SetDBUser = samhain
-
-## Database password
-#
-# SetDBPassword = (default: none)
-
-## Database host
-#
-# SetDBHost = localhost
-
-## Log the server timestamp for received messages
-#
-# SetDBServerTstamp = True
-
-## Use a persistent connection
-#
-# UsePersistent = True
-
-# [External]
-##
-## Interface to call external scripts/programs for logging
-##
-
-## The absolute path to the command
-## - Each invocation of this directive will end the definition of the
-##   preceding command, and start the definition of 
-##   an additional, new command
-#
-# OpenCommand = (no default)
-
-## Type (log or rv)
-## - log for log messages, srv for messages received by the server
-#
-# SetType = log
-
-## The command (full command line) to execute
-#
-# SetCommandLine = (no default)
-
-## The environment (KEY=value; repeat for more)
-#
-# SetEnviron = TZ=(your timezone)
-
-## The TIGER192 checksum (optional)
-#
-# SetChecksum = (no default)
-
-## User who runs the command
-#
-# SetCredentials = (default: samhain process uid)
-
-## Words not allowed in message
-#
-# SetFilterNot = (none)
-
-## Words required (ALL of them)
-#
-# SetFilterAnd = (none)
-
-## Words required (at least one)
-#
-# SetFilterOr = (none)
-
-## Deadtime between consecutive calls
-#
-# SetDeadtime = 0
-
-## Add default environment (HOME, PATH, SHELL)
-#
-# SetDefault = no
-
-
-#####################################################
-#
-# Miscellaneous configuration options
-#
-#####################################################
-
-[Misc]
-
-## whether to become a daemon process
-## (this is not honoured on database initialisation)
-#
-# Daemon = no
-Daemon = yes
-
-## whether to test signature of files (init/check/none)
-## - if 'none', then we have to decide this on the command line -
-#
-# ChecksumTest = none
-ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
-
-## Set nice level (-19 to 19, see 'man nice'),
-## and I/O limit (kilobytes per second; 0 == off)
-## to reduce load on host.
-#
-# SetNiceLevel = 0
-# SetIOLimit = 0
-
-## The version string to embed in file signature databases
-#
-# VersionString = NULL
-
-## Interval between time stamp messages
-#
-# SetLoopTime = 60
-SetLoopTime = 600
-
-## Interval between file checks 
-#
-# SetFileCheckTime = 600
-SetFileCheckTime = 7200
-
-## Alternative: crontab-like schedule
-#
-# FileCheckScheduleOne = NULL
-
-## Alternative: crontab-like schedule(2)
-#
-# FileCheckScheduleTwo = NULL
-
-## Report only once on modified fles 
-## Setting this to 'FALSE' will generate a report for any policy 
-## violation (old and new ones) each time the daemon checks the file system.
-#
-# ReportOnlyOnce = True
-
-## Report in full detail
-#
-# ReportFullDetail = False
-
-## Report file timestamps in local time rather than GMT
-#
-# UseLocalTime = No
-
-## The console device (can also be a file or named pipe)
-## - There are two console devices. Accordingly, you can use
-##   this directive a second time to set the second console device.
-##   If you have not defined the second device at compile time,
-##   and you don't want to use it, then:
-##   setting it to /dev/null is less effective than just leaving
-##   it alone (setting to /dev/null will waste time by opening
-##   /dev/null and writing to it)
-#
-# SetConsole = /dev/console
-
-## Activate the SysV IPC message queue
-#
-# MessageQueueActive = False
-
-
-## If false, skip reverse lookup when connecting to a host known 
-## by name rather than IP address (i.e. trust the DNS)
-#
-# SetReverseLookup = True
-
-## --- E-Mail ---
-
-# Only highest-level (alert) reports will be mailed immediately,
-# others will be queued. Here you can define, when the queue will
-# be flushed (Note: the queue is automatically flushed after
-# completing a file check).
-#
-SetMailTime = 86400
-
-## Maximum number of mails to queue
-#
-SetMailNum = 10
-
-## Recipient (max. 8)
-#
-SetMailAddress=samhain-reports@debian.org
-
-## Mail relay (IP address)
-#
-SetMailRelay = master.debian.org
-
-## Custom subject format
-#
-MailSubject = [Samhain at %H] %T: %S
-
-## --- end E-Mail ---
-
-## Path to the prelink executable
-#
-# SetPrelinkPath = /usr/sbin/prelink
-
-## TIGER192 checksum of the prelink executable
-#
-# SetPrelinkChecksum = (no default)
-
-
-## Path to the executable. If set, will be checksummed after startup
-## and before exit.
-#
-# SamhainPath = (no default)
-
-
-## The IP address of the log server
-#
-# SetLogServer = (default: compiled-in)
-
-## The IP address of the time server
-#
-# SetTimeServer = (default: compiled-in)
-
-## Trusted Users (comma delimited list of user names) 
-#
-# TrustedUser = (no default; this adds to the compiled-in list)
-
-## Path to the file signature database
-#
-# SetDatabasePath = (default: compiled-in)
-
-## Path to the log file
-#
-# SetLogfilePath = (default: compiled-in)
-
-## Path to the PID file
-#
-# SetLockPath = (default: compiled-in)
-
-
-## The digest/checksum/hash algorithm
-#
-# DigestAlgo = TIGER192
-
-
-## Custom format for message header. 
-## CAREFUL if you use XML logfile format.
-##
-## %S severity
-## %T timestamp
-## %C class
-##
-## %F source file
-## %L source line
-#
-# MessageHeader="%S %T "
-
-
-## Don't log path to config/database file on startup
-#
-# HideSetup = False
-
-## The syslog facility, if you log to syslog
-#
-# SyslogFacility = LOG_AUTHPRIV
-SyslogFacility=LOG_LOCAL2
-
-## The message authentication method
-## - If you change this, you *must* change it
-##   on client *and* server
-#
-# MACType = HMAC-TIGER
-
-
-## everything below is ignored
-[EOF]
-
-#####################################################################
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
diff --git a/modules/samhain/files/per-host/handel.debian.org/samhainrc b/modules/samhain/files/per-host/handel.debian.org/samhainrc
deleted file mode 100644 (file)
index bd3503f..0000000
+++ /dev/null
@@ -1,818 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#####################################################################
-#
-# Configuration file template for samhain.
-#
-#####################################################################
-# 
-# -- empty lines and lines starting with '#', ';' or '//' are ignored
-# -- boolean options can be Yes/No or True/False or 1/0 
-# -- you can PGP clearsign this file -- samhain will check (if compiled
-#    with support) or otherwise ignore the signature
-# -- CHECK mail address
-#
-# To each log facility, you can assign a threshold severity. Only
-# reports with at least the threshold severity will be logged
-# to the respective facility (even further below).
-#
-#####################################################################
-#
-# SETUP for file system checking:
-# 
-# (i)   There are several policies, each has its own section. Put files
-#       into the section for the appropriate policy (see below).
-# (ii)  Section [EventSeverity]: 
-#       To each policy, you can assign a severity (further below).
-# (iii) Section [Log]: 
-#       To each log facility, you can assign a threshold severity. Only
-#       reports with at least the threshold severity will be logged
-#       to the respective facility (even further below).
-#
-#####################################################################
-
-#####################################################################
-#
-# Files are defined with: file = /absolute/path
-#
-# Directories are defined with:                  dir = /absolute/path
-# or with an optional recursion depth (N <= 99): dir = N/absolute/path
-#
-# Directory inodes are checked. If you only want to check files
-# in a directory, but not the directory inode itself, use (e.g.):
-#
-# [ReadOnly]
-# dir = /some/directory
-# [IgnoreAll]
-# file = /some/directory
-#
-# You can use shell-style globbing patterns, like: file = /path/foo*
-# 
-######################################################################
-
-[Misc]
-##
-## Add or subtract tests from the policies
-## - if you want to change their definitions,
-##   you need to do that before using the policies
-##
-# RedefReadOnly = (no default)
-# RedefAttributes=(no default)
-# RedefLogFiles=(no default)
-# RedefGrowingLogFiles=(no default)
-# RedefIgnoreAll=(no default)
-# RedefIgnoreNone=(no default)
-# RedefUser0=(no default)
-# RedefUser1=(no default)
-
-[Attributes]
-##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-file=/etc/ssh_random_seed
-file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-file=/etc/ioctl.save
-file=/etc/passwd.backup
-file=/etc/shadow.backup
-file=/etc/postfix/prng_exch
-file=/etc/adjtime
-file=/etc/lvm/.cache
-file=/etc/lvm/cache
-file=/etc/lvm/cache/.cache
-file=/etc/network/run/ifstate
-file=/var/state/samhain/samhain_file
-file=/etc/bind/db.debian.net
-file=/etc/exim4/bsmtp
-
-
-
-#
-# There are files in /etc that might change, thus changing the directory
-# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-file=/etc/ssh
-file=/etc/network/run
-file=/etc/bind
-
-# These are the directories for the files we handle with puppet
-file=/etc/samhain
-file=/etc/munin
-file=/etc/exim4
-file=/etc/exim4/ssl
-file=/etc/apt
-file=/etc/apt/apt.conf.d
-file=/etc/apt/sources.list.d
-file=/etc/default
-file=/etc/logrotate.d
-file=/etc/nagios
-file=/etc/nagios/nrpe.d
-file=/etc/cron.d
-file=/usr/lib/nagios/plugins
-file=/usr/sbin
-file=/etc/monit
-file=/etc/monit/monit.d
-file=/etc/pam.d
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored 
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
-
-[GrowingLogFiles]
-##
-## for these files, changes in signature, timestamps, and increase in size
-##                  are ignored 
-##
-file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-file=/var/log/auth.log
-file=/var/log/daemon.log
-file=/var/log/user.log
-file=/var/log/kern.log
-file=/var/log/syslog
-
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-file=/etc/resolv.conf.pcmcia.save
-file=/etc/nologin
-file=/etc/postfix/debian.db
-file=/etc/postfix/debian
-file=/etc/ssh/ssh_known_hosts
-file=/etc/ssh/ssh-rsa-shadow
-file=/var/lib/misc/ssh-rsa-shadow
-file=/etc/.da-backup.trace
-file=/etc/postfix/debianhosts
-file=/etc/postfix/debianhosts.db
-
-# We handle these files with puppet - please to not be bothering us
-file=/etc/timezone
-file=/etc/motd.tail
-file=/etc/samhain/samhainrc
-file=/etc/munin/munin-node.conf
-file=/etc/userdir-ldap.confc
-file=/etc/exim4/blacklist
-file=/etc/exim4/callout_users
-file=/etc/exim4/exim4.conf
-file=/etc/exim4/grey_users
-file=/etc/exim4/helo-check
-file=/etc/exim4/locals
-file=/etc/exim4/localusers
-file=/etc/exim4/manualroute
-file=/etc/exim4/rbllist
-file=/etc/exim4/rcpthosts
-file=/etc/exim4/rhsbllist
-file=/etc/exim4/virtualdomains
-file=/etc/exim4/whitelist
-file=/etc/exim4/local-auto.conf
-file=/etc/exim4/local-settings.conf
-file=/etc/exim4/ssl/ca.crt
-file=/etc/exim4/ssl/ca.crl
-file=/etc/exim4/ssl/thishost.crt
-file=/etc/exim4/ssl/thishost.key
-file=/etc/apt/preferences
-file=/etc/apt/sources.list.d/volatile.list
-file=/etc/apt/sources.list.d/security.list
-file=/etc/apt/sources.list.d/debian.org.list
-file=/etc/apt/sources.list.d/debian.restricted.list
-file=/etc/apt/sources.list.d/debian.list
-file=/etc/apt/sources.list.d/backports.org.list
-file=/etc/apt/apt.conf.d/local-recommends
-file=/etc/apt/apt.conf.d/local-pdiffs
-file=/etc/puppet/puppet.conf
-file=/etc/default/puppet
-file=/etc/logrotate.d/exim4-paniclog
-file=/etc/logrotate.d/exim4-base
-dir=8/etc/puppet
-file=/usr/sbin/dsa-update-apt-status
-file=/usr/sbin/dsa-update-samhain-status
-file=/etc/nagios/nrpe.d/nrpe_dsa.cfg
-file=/etc/nagios/nrpe.d/debianorg.cfg
-file=/etc/nagios/obsolete-packages-ignore
-file=/usr/lib/nagios/plugins/dsa-check-packages
-file=/usr/lib/nagios/plugins/dsa-check-soas
-file=/usr/lib/nagios/plugins/dsa-check-mirrorsync
-file=/usr/lib/nagios/plugins/dsa-check-samhain
-file=/usr/lib/nagios/plugins/dsa-check-statusfile
-file=/usr/lib/nagios/plugins/dsa-check-dabackup-server
-file=/usr/lib/nagios/plugins/dsa-check-config
-file=/usr/lib/nagios/plugins/dsa-check-hpacucli
-file=/usr/lib/nagios/plugins/dsa-check-raid-mpt
-file=/usr/lib/nagios/plugins/dsa-check-puppet
-file=/usr/lib/nagios/plugins/dsa-check-running-kernel
-file=/usr/lib/nagios/plugins/dsa-check-raid-3ware
-file=/usr/lib/nagios/plugins/dsa-check-dabackup
-file=/usr/lib/nagios/plugins/dsa-check-raid-dac960
-file=/usr/lib/nagios/plugins/dsa-check-udldap-freshness
-file=/usr/lib/nagios/plugins/dsa-check-raid-areca
-file=/usr/lib/nagios/plugins/dsa-check-raid-sw
-file=/usr/lib/nagios/plugins/dsa-update-samhain-status
-file=/etc/sudoers
-file=/etc/pam.d/sudo
-file=/etc/blkid.tab
-file=/etc/blkid.tab.old
-file=/etc/monit/monitrc
-file=/etc/monit/monit.d/01puppet
-file=/etc/monit/monit.d/00debian.org
-
-[IgnoreNone]
-##
-## for these files, all modifications (even access time) are reported
-##    - you may create some interesting-looking file (like /etc/safe_passwd),
-##      just to watch whether someone will access it ...
-##
-
-[Prelink]
-##
-## Use for prelinked files or directories holding them
-##
-
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-dir=3/usr/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
-#        so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-file=/usr/lib/pt_chown
-# X11, in Debian X7 this is now a symlink
-#dir=/usr/X11R6/bin
-#dir=/usr/X11R6/lib/X11/xmcd/bin
-# Apache:
-#file=/usr/lib/apache/suexec
-#file=/usr/lib/apache/suexec.disabled
-# Extra directories:
-#dir=/opt/gnome/bin
-#dir=/opt/kde/bin
-
-[User0]
-[User1]
-## User0 and User1 are sections for files/dirs with user-definable checking
-## (see the manual) 
-
-
-[EventSeverity]
-##
-## Here you can assign severities to policy violations.
-## If this severity exceeds the treshold of a log facility (see below),
-## a policy violation will be logged to that facility.
-##
-## Severity for verification failures.
-##
-# SeverityReadOnly=crit
-# SeverityLogFiles=crit
-# SeverityGrowingLogs=crit
-# SeverityIgnoreNone=crit
-# SeverityAttributes=crit
-# SeverityUser0=crit
-# SeverityUser1=crit
-
-# Default behaviour
-SeverityReadOnly=crit
-SeverityLogFiles=crit
-SeverityGrowingLogs=warn
-SeverityIgnoreNone=crit
-SeverityAttributes=crit
-
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
-# SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
-
-## Files : file access problems
-# SeverityFiles=crit
-
-## Dirs  : directory access problems
-# SeverityDirs=crit
-
-## Names : suspect (non-printable) characters in a pathname
-# SeverityNames=crit
-
-# Default behaviour
-SeverityFiles=crit
-SeverityDirs=crit
-SeverityNames=warn
-
-
-[Log]
-##
-## Switch on/OFF log facilities and set their threshold severity
-##
-## Values: debug, info, notice, warn, mark, err, crit, alert, none.
-## 'mark' is used for timestamps.
-##
-##
-## Use 'none' to SWITCH OFF a log facility
-## 
-## By default, everything equal to and above the threshold is logged.
-## The specifiers '*', '!', and '=' are interpreted as  
-## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
-## at least on Linux). Examples:
-## MailSeverity=*
-## MailSeverity=!warn
-## MailSeverity==crit
-
-## E-mail
-##
-# MailSeverity=none
-
-## Console
-##
-# PrintSeverity=info
-
-## Logfile
-##
-# LogSeverity=mark
-
-## Syslog
-##
-# SyslogSeverity=none
-
-## Remote server (yule)
-##
-# ExportSeverity=none
-
-## External script or program
-##
-# ExternalSeverity = none
-
-## Logging to a database
-##
-# DatabaseSeverity = none
-
-# Default behaviour
-MailSeverity=crit
-PrintSeverity=none
-LogSeverity=info
-SyslogSeverity=alert
-ExportSeverity=none
-
-
-
-
-
-#####################################################
-#
-# Optional modules
-#
-#####################################################
-
-# [SuidCheck]
-##
-## --- Check the filesystem for SUID/SGID binaries
-## 
-
-## Switch on
-#
-# SuidCheckActive = yes
-
-## Interval for check (seconds)
-#
-# SuidCheckInterval = 7200
-
-## Alternative: crontab-like schedule
-#
-# SuidCheckSchedule = NULL
-## Directory to exclude 
-#
-# SuidCheckExclude = NULL
-
-## Limit on files per second (0 == no limit)
-#
-# SuidCheckFps = 0
-
-## Alternative: yield after every file
-#
-# SuidCheckYield = no
-
-## Severity of a detection
-#
-# SeveritySuidCheck = crit
-
-## Quarantine SUID/SGID files if found
-#
-# SuidCheckQuarantineFiles = yes
-
-## Method for Quarantining files:
-#  0 - Delete or truncate the file.
-#  1 - Remove SUID/SGID permissions from file.
-#  2 - Move SUID/SGID file to quarantine dir.
-#
-# SuidCheckQuarantineMethod = 0
-
-## For method 1 and 3, really delete instead of truncating
-# 
-# SuidCheckQuarantineDelete = yes
-
-# [Kernel]
-##
-## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
-##
-
-## Switch on/off
-#
-KernelCheckActive = True
-
-## Check interval (seconds); btw., the check is VERY fast
-#
-# KernelCheckInterval = 300
-
-## Severity
-#
-# SeverityKernel = crit
-
-
-# [Utmp]
-##
-## --- Logging of login/logout events
-##
-
-## Switch on/off
-#
-LoginCheckActive = True
-
-## Severity for logins, multiple logins, logouts
-# 
-# SeverityLogin=info
-# SeverityLoginMulti=warn
-# SeverityLogout=info
-
-## Interval for login/logout checks
-#
-# LoginCheckInterval = 300
-
-
-# [Database]
-##
-## --- Logging to a relational database
-##
-
-## Database name
-#
-# SetDBName = samhain
-
-## Database table
-#
-# SetDBTable = log
-
-## Database user
-#
-# SetDBUser = samhain
-
-## Database password
-#
-# SetDBPassword = (default: none)
-
-## Database host
-#
-# SetDBHost = localhost
-
-## Log the server timestamp for received messages
-#
-# SetDBServerTstamp = True
-
-## Use a persistent connection
-#
-# UsePersistent = True
-
-# [External]
-##
-## Interface to call external scripts/programs for logging
-##
-
-## The absolute path to the command
-## - Each invocation of this directive will end the definition of the
-##   preceding command, and start the definition of 
-##   an additional, new command
-#
-# OpenCommand = (no default)
-
-## Type (log or rv)
-## - log for log messages, srv for messages received by the server
-#
-# SetType = log
-
-## The command (full command line) to execute
-#
-# SetCommandLine = (no default)
-
-## The environment (KEY=value; repeat for more)
-#
-# SetEnviron = TZ=(your timezone)
-
-## The TIGER192 checksum (optional)
-#
-# SetChecksum = (no default)
-
-## User who runs the command
-#
-# SetCredentials = (default: samhain process uid)
-
-## Words not allowed in message
-#
-# SetFilterNot = (none)
-
-## Words required (ALL of them)
-#
-# SetFilterAnd = (none)
-
-## Words required (at least one)
-#
-# SetFilterOr = (none)
-
-## Deadtime between consecutive calls
-#
-# SetDeadtime = 0
-
-## Add default environment (HOME, PATH, SHELL)
-#
-# SetDefault = no
-
-
-#####################################################
-#
-# Miscellaneous configuration options
-#
-#####################################################
-
-[Misc]
-
-## whether to become a daemon process
-## (this is not honoured on database initialisation)
-#
-# Daemon = no
-Daemon = yes
-
-## whether to test signature of files (init/check/none)
-## - if 'none', then we have to decide this on the command line -
-#
-# ChecksumTest = none
-ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
-
-## Set nice level (-19 to 19, see 'man nice'),
-## and I/O limit (kilobytes per second; 0 == off)
-## to reduce load on host.
-#
-# SetNiceLevel = 0
-# SetIOLimit = 0
-
-## The version string to embed in file signature databases
-#
-# VersionString = NULL
-
-## Interval between time stamp messages
-#
-# SetLoopTime = 60
-SetLoopTime = 600
-
-## Interval between file checks 
-#
-# SetFileCheckTime = 600
-SetFileCheckTime = 7200
-
-## Alternative: crontab-like schedule
-#
-# FileCheckScheduleOne = NULL
-
-## Alternative: crontab-like schedule(2)
-#
-# FileCheckScheduleTwo = NULL
-
-## Report only once on modified fles 
-## Setting this to 'FALSE' will generate a report for any policy 
-## violation (old and new ones) each time the daemon checks the file system.
-#
-# ReportOnlyOnce = True
-
-## Report in full detail
-#
-# ReportFullDetail = False
-
-## Report file timestamps in local time rather than GMT
-#
-# UseLocalTime = No
-
-## The console device (can also be a file or named pipe)
-## - There are two console devices. Accordingly, you can use
-##   this directive a second time to set the second console device.
-##   If you have not defined the second device at compile time,
-##   and you don't want to use it, then:
-##   setting it to /dev/null is less effective than just leaving
-##   it alone (setting to /dev/null will waste time by opening
-##   /dev/null and writing to it)
-#
-# SetConsole = /dev/console
-
-## Activate the SysV IPC message queue
-#
-# MessageQueueActive = False
-
-
-## If false, skip reverse lookup when connecting to a host known 
-## by name rather than IP address (i.e. trust the DNS)
-#
-# SetReverseLookup = True
-
-## --- E-Mail ---
-
-# Only highest-level (alert) reports will be mailed immediately,
-# others will be queued. Here you can define, when the queue will
-# be flushed (Note: the queue is automatically flushed after
-# completing a file check).
-#
-SetMailTime = 86400
-
-## Maximum number of mails to queue
-#
-SetMailNum = 10
-
-## Recipient (max. 8)
-#
-SetMailAddress=samhain-reports@debian.org
-
-## Mail relay (IP address)
-#
-SetMailRelay = master.debian.org
-
-## Custom subject format
-#
-MailSubject = [Samhain at %H] %T: %S
-
-## --- end E-Mail ---
-
-## Path to the prelink executable
-#
-# SetPrelinkPath = /usr/sbin/prelink
-
-## TIGER192 checksum of the prelink executable
-#
-# SetPrelinkChecksum = (no default)
-
-
-## Path to the executable. If set, will be checksummed after startup
-## and before exit.
-#
-# SamhainPath = (no default)
-
-
-## The IP address of the log server
-#
-# SetLogServer = (default: compiled-in)
-
-## The IP address of the time server
-#
-# SetTimeServer = (default: compiled-in)
-
-## Trusted Users (comma delimited list of user names) 
-#
-# TrustedUser = (no default; this adds to the compiled-in list)
-
-## Path to the file signature database
-#
-# SetDatabasePath = (default: compiled-in)
-
-## Path to the log file
-#
-# SetLogfilePath = (default: compiled-in)
-
-## Path to the PID file
-#
-# SetLockPath = (default: compiled-in)
-
-
-## The digest/checksum/hash algorithm
-#
-# DigestAlgo = TIGER192
-
-
-## Custom format for message header. 
-## CAREFUL if you use XML logfile format.
-##
-## %S severity
-## %T timestamp
-## %C class
-##
-## %F source file
-## %L source line
-#
-# MessageHeader="%S %T "
-
-
-## Don't log path to config/database file on startup
-#
-# HideSetup = False
-
-## The syslog facility, if you log to syslog
-#
-# SyslogFacility = LOG_AUTHPRIV
-SyslogFacility=LOG_LOCAL2
-
-## The message authentication method
-## - If you change this, you *must* change it
-##   on client *and* server
-#
-# MACType = HMAC-TIGER
-
-
-## everything below is ignored
-[EOF]
-
-#####################################################################
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
diff --git a/modules/samhain/files/per-host/spohr.debian.org/samhainrc b/modules/samhain/files/per-host/spohr.debian.org/samhainrc
deleted file mode 100644 (file)
index 0bc5adb..0000000
+++ /dev/null
@@ -1,825 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-#####################################################################
-#
-# Configuration file template for samhain.
-#
-#####################################################################
-# 
-# -- empty lines and lines starting with '#', ';' or '//' are ignored
-# -- boolean options can be Yes/No or True/False or 1/0 
-# -- you can PGP clearsign this file -- samhain will check (if compiled
-#    with support) or otherwise ignore the signature
-# -- CHECK mail address
-#
-# To each log facility, you can assign a threshold severity. Only
-# reports with at least the threshold severity will be logged
-# to the respective facility (even further below).
-#
-#####################################################################
-#
-# SETUP for file system checking:
-# 
-# (i)   There are several policies, each has its own section. Put files
-#       into the section for the appropriate policy (see below).
-# (ii)  Section [EventSeverity]: 
-#       To each policy, you can assign a severity (further below).
-# (iii) Section [Log]: 
-#       To each log facility, you can assign a threshold severity. Only
-#       reports with at least the threshold severity will be logged
-#       to the respective facility (even further below).
-#
-#####################################################################
-
-#####################################################################
-#
-# Files are defined with: file = /absolute/path
-#
-# Directories are defined with:                  dir = /absolute/path
-# or with an optional recursion depth (N <= 99): dir = N/absolute/path
-#
-# Directory inodes are checked. If you only want to check files
-# in a directory, but not the directory inode itself, use (e.g.):
-#
-# [ReadOnly]
-# dir = /some/directory
-# [IgnoreAll]
-# file = /some/directory
-#
-# You can use shell-style globbing patterns, like: file = /path/foo*
-# 
-######################################################################
-
-[Misc]
-##
-## Add or subtract tests from the policies
-## - if you want to change their definitions,
-##   you need to do that before using the policies
-##
-# RedefReadOnly = (no default)
-# RedefAttributes=(no default)
-# RedefLogFiles=(no default)
-# RedefGrowingLogFiles=(no default)
-# RedefIgnoreAll=(no default)
-# RedefIgnoreNone=(no default)
-# RedefUser0=(no default)
-# RedefUser1=(no default)
-
-[Attributes]
-##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-file=/etc/ssh_random_seed
-file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-file=/etc/ioctl.save
-file=/etc/passwd.backup
-file=/etc/shadow.backup
-file=/etc/postfix/prng_exch
-file=/etc/adjtime
-file=/etc/lvm/.cache
-file=/etc/lvm/cache
-file=/etc/lvm/cache/.cache
-file=/etc/network/run/ifstate
-file=/var/state/samhain/samhain_file
-file=/etc/bind/db.debian.net
-file=/etc/exim4/bsmtp
-
-
-
-#
-# There are files in /etc that might change, thus changing the directory
-# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-file=/etc/ssh
-file=/etc/network/run
-file=/etc/bind
-
-# These are the directories for the files we handle with puppet
-file=/etc/samhain
-file=/etc/munin
-file=/etc/exim4
-file=/etc/exim4/ssl
-file=/etc/apt
-file=/etc/apt/apt.conf.d
-file=/etc/apt/sources.list.d
-file=/etc/puppet
-file=/etc/default
-file=/etc/logrotate.d
-file=/etc/nagios
-file=/etc/nagios/nrpe.d
-file=/etc/nagios3/puppetconf.d
-file=/etc/cron.d
-file=/usr/lib/nagios/plugins
-file=/usr/sbin
-file=/etc/monit
-file=/etc/monit/monit.d
-file=/etc/pam.d
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored 
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
-
-[GrowingLogFiles]
-##
-## for these files, changes in signature, timestamps, and increase in size
-##                  are ignored 
-##
-file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-file=/var/log/auth.log
-file=/var/log/daemon.log
-file=/var/log/user.log
-file=/var/log/kern.log
-file=/var/log/syslog
-
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-file=/etc/resolv.conf.pcmcia.save
-file=/etc/nologin
-file=/etc/postfix/debian.db
-file=/etc/postfix/debian
-file=/etc/ssh/ssh_known_hosts
-file=/etc/ssh/ssh-rsa-shadow
-file=/var/lib/misc/ssh-rsa-shadow
-file=/etc/.da-backup.trace
-file=/etc/postfix/debianhosts
-file=/etc/postfix/debianhosts.db
-
-# We handle these files with puppet - please to not be bothering us
-file=/etc/timezone
-file=/etc/motd.tail
-file=/etc/samhain/samhainrc
-file=/etc/munin/munin-node.conf
-file=/etc/userdir-ldap.confc
-file=/etc/exim4/blacklist
-file=/etc/exim4/callout_users
-file=/etc/exim4/exim4.conf
-file=/etc/exim4/grey_users
-file=/etc/exim4/helo-check
-file=/etc/exim4/locals
-file=/etc/exim4/localusers
-file=/etc/exim4/manualroute
-file=/etc/exim4/rbllist
-file=/etc/exim4/rcpthosts
-file=/etc/exim4/rhsbllist
-file=/etc/exim4/virtualdomains
-file=/etc/exim4/whitelist
-file=/etc/exim4/local-auto.conf
-file=/etc/exim4/local-settings.conf
-file=/etc/exim4/ssl/ca.crt
-file=/etc/exim4/ssl/ca.crl
-file=/etc/exim4/ssl/thishost.crt
-file=/etc/exim4/ssl/thishost.key
-file=/etc/apt/preferences
-file=/etc/apt/sources.list.d/volatile.list
-file=/etc/apt/sources.list.d/security.list
-file=/etc/apt/sources.list.d/debian.org.list
-file=/etc/apt/sources.list.d/debian.restricted.list
-file=/etc/apt/sources.list.d/debian.list
-file=/etc/apt/sources.list.d/backports.org.list
-file=/etc/apt/apt.conf.d/local-recommends
-file=/etc/apt/apt.conf.d/local-pdiffs
-file=/etc/puppet/puppet.conf
-file=/etc/default/puppet
-file=/etc/logrotate.d/exim4-paniclog
-file=/etc/logrotate.d/exim4-base
-file=/usr/sbin/dsa-update-apt-status
-file=/usr/sbin/dsa-update-samhain-status
-file=/etc/nagios/nrpe.d/nrpe_dsa.cfg
-file=/etc/nagios/nrpe.d/debianorg.cfg
-file=/etc/nagios/obsolete-packages-ignore
-file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
-file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
-file=/etc/nagios3/puppetconf.d/auto-services.cfg
-file=/etc/nagios3/puppetconf.d/auto-dependencies.cfg
-file=/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg
-file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
-file=/usr/lib/nagios/plugins/dsa-check-packages
-file=/usr/lib/nagios/plugins/dsa-check-soas
-file=/usr/lib/nagios/plugins/dsa-check-mirrorsync
-file=/usr/lib/nagios/plugins/dsa-check-samhain
-file=/usr/lib/nagios/plugins/dsa-check-statusfile
-file=/usr/lib/nagios/plugins/dsa-check-dabackup-server
-file=/usr/lib/nagios/plugins/dsa-check-config
-file=/usr/lib/nagios/plugins/dsa-check-hpacucli
-file=/usr/lib/nagios/plugins/dsa-check-raid-mpt
-file=/usr/lib/nagios/plugins/dsa-check-puppet
-file=/usr/lib/nagios/plugins/dsa-check-running-kernel
-file=/usr/lib/nagios/plugins/dsa-check-raid-3ware
-file=/usr/lib/nagios/plugins/dsa-check-dabackup
-file=/usr/lib/nagios/plugins/dsa-check-raid-dac960
-file=/usr/lib/nagios/plugins/dsa-check-udldap-freshness
-file=/usr/lib/nagios/plugins/dsa-check-raid-areca
-file=/usr/lib/nagios/plugins/dsa-check-raid-sw
-file=/usr/lib/nagios/plugins/dsa-update-samhain-status
-file=/etc/sudoers
-file=/etc/pam.d/sudo
-file=/etc/blkid.tab
-file=/etc/blkid.tab.old
-file=/etc/monit/monitrc
-file=/etc/monit/monit.d/01puppet
-file=/etc/monit/monit.d/00debian.org
-
-[IgnoreNone]
-##
-## for these files, all modifications (even access time) are reported
-##    - you may create some interesting-looking file (like /etc/safe_passwd),
-##      just to watch whether someone will access it ...
-##
-
-[Prelink]
-##
-## Use for prelinked files or directories holding them
-##
-
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-dir=3/usr/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
-#        so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-file=/usr/lib/pt_chown
-# X11, in Debian X7 this is now a symlink
-#dir=/usr/X11R6/bin
-#dir=/usr/X11R6/lib/X11/xmcd/bin
-# Apache:
-#file=/usr/lib/apache/suexec
-#file=/usr/lib/apache/suexec.disabled
-# Extra directories:
-#dir=/opt/gnome/bin
-#dir=/opt/kde/bin
-
-[User0]
-[User1]
-## User0 and User1 are sections for files/dirs with user-definable checking
-## (see the manual) 
-
-
-[EventSeverity]
-##
-## Here you can assign severities to policy violations.
-## If this severity exceeds the treshold of a log facility (see below),
-## a policy violation will be logged to that facility.
-##
-## Severity for verification failures.
-##
-# SeverityReadOnly=crit
-# SeverityLogFiles=crit
-# SeverityGrowingLogs=crit
-# SeverityIgnoreNone=crit
-# SeverityAttributes=crit
-# SeverityUser0=crit
-# SeverityUser1=crit
-
-# Default behaviour
-SeverityReadOnly=crit
-SeverityLogFiles=crit
-SeverityGrowingLogs=warn
-SeverityIgnoreNone=crit
-SeverityAttributes=crit
-
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
-# SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
-
-## Files : file access problems
-# SeverityFiles=crit
-
-## Dirs  : directory access problems
-# SeverityDirs=crit
-
-## Names : suspect (non-printable) characters in a pathname
-# SeverityNames=crit
-
-# Default behaviour
-SeverityFiles=crit
-SeverityDirs=crit
-SeverityNames=warn
-
-
-[Log]
-##
-## Switch on/OFF log facilities and set their threshold severity
-##
-## Values: debug, info, notice, warn, mark, err, crit, alert, none.
-## 'mark' is used for timestamps.
-##
-##
-## Use 'none' to SWITCH OFF a log facility
-## 
-## By default, everything equal to and above the threshold is logged.
-## The specifiers '*', '!', and '=' are interpreted as  
-## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
-## at least on Linux). Examples:
-## MailSeverity=*
-## MailSeverity=!warn
-## MailSeverity==crit
-
-## E-mail
-##
-# MailSeverity=none
-
-## Console
-##
-# PrintSeverity=info
-
-## Logfile
-##
-# LogSeverity=mark
-
-## Syslog
-##
-# SyslogSeverity=none
-
-## Remote server (yule)
-##
-# ExportSeverity=none
-
-## External script or program
-##
-# ExternalSeverity = none
-
-## Logging to a database
-##
-# DatabaseSeverity = none
-
-# Default behaviour
-MailSeverity=crit
-PrintSeverity=none
-LogSeverity=info
-SyslogSeverity=alert
-ExportSeverity=none
-
-
-
-
-
-#####################################################
-#
-# Optional modules
-#
-#####################################################
-
-# [SuidCheck]
-##
-## --- Check the filesystem for SUID/SGID binaries
-## 
-
-## Switch on
-#
-# SuidCheckActive = yes
-
-## Interval for check (seconds)
-#
-# SuidCheckInterval = 7200
-
-## Alternative: crontab-like schedule
-#
-# SuidCheckSchedule = NULL
-## Directory to exclude 
-#
-# SuidCheckExclude = NULL
-
-## Limit on files per second (0 == no limit)
-#
-# SuidCheckFps = 0
-
-## Alternative: yield after every file
-#
-# SuidCheckYield = no
-
-## Severity of a detection
-#
-# SeveritySuidCheck = crit
-
-## Quarantine SUID/SGID files if found
-#
-# SuidCheckQuarantineFiles = yes
-
-## Method for Quarantining files:
-#  0 - Delete or truncate the file.
-#  1 - Remove SUID/SGID permissions from file.
-#  2 - Move SUID/SGID file to quarantine dir.
-#
-# SuidCheckQuarantineMethod = 0
-
-## For method 1 and 3, really delete instead of truncating
-# 
-# SuidCheckQuarantineDelete = yes
-
-# [Kernel]
-##
-## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
-##
-
-## Switch on/off
-#
-KernelCheckActive = True
-
-## Check interval (seconds); btw., the check is VERY fast
-#
-# KernelCheckInterval = 300
-
-## Severity
-#
-# SeverityKernel = crit
-
-
-# [Utmp]
-##
-## --- Logging of login/logout events
-##
-
-## Switch on/off
-#
-LoginCheckActive = True
-
-## Severity for logins, multiple logins, logouts
-# 
-# SeverityLogin=info
-# SeverityLoginMulti=warn
-# SeverityLogout=info
-
-## Interval for login/logout checks
-#
-# LoginCheckInterval = 300
-
-
-# [Database]
-##
-## --- Logging to a relational database
-##
-
-## Database name
-#
-# SetDBName = samhain
-
-## Database table
-#
-# SetDBTable = log
-
-## Database user
-#
-# SetDBUser = samhain
-
-## Database password
-#
-# SetDBPassword = (default: none)
-
-## Database host
-#
-# SetDBHost = localhost
-
-## Log the server timestamp for received messages
-#
-# SetDBServerTstamp = True
-
-## Use a persistent connection
-#
-# UsePersistent = True
-
-# [External]
-##
-## Interface to call external scripts/programs for logging
-##
-
-## The absolute path to the command
-## - Each invocation of this directive will end the definition of the
-##   preceding command, and start the definition of 
-##   an additional, new command
-#
-# OpenCommand = (no default)
-
-## Type (log or rv)
-## - log for log messages, srv for messages received by the server
-#
-# SetType = log
-
-## The command (full command line) to execute
-#
-# SetCommandLine = (no default)
-
-## The environment (KEY=value; repeat for more)
-#
-# SetEnviron = TZ=(your timezone)
-
-## The TIGER192 checksum (optional)
-#
-# SetChecksum = (no default)
-
-## User who runs the command
-#
-# SetCredentials = (default: samhain process uid)
-
-## Words not allowed in message
-#
-# SetFilterNot = (none)
-
-## Words required (ALL of them)
-#
-# SetFilterAnd = (none)
-
-## Words required (at least one)
-#
-# SetFilterOr = (none)
-
-## Deadtime between consecutive calls
-#
-# SetDeadtime = 0
-
-## Add default environment (HOME, PATH, SHELL)
-#
-# SetDefault = no
-
-
-#####################################################
-#
-# Miscellaneous configuration options
-#
-#####################################################
-
-[Misc]
-
-## whether to become a daemon process
-## (this is not honoured on database initialisation)
-#
-# Daemon = no
-Daemon = yes
-
-## whether to test signature of files (init/check/none)
-## - if 'none', then we have to decide this on the command line -
-#
-# ChecksumTest = none
-ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
-
-## Set nice level (-19 to 19, see 'man nice'),
-## and I/O limit (kilobytes per second; 0 == off)
-## to reduce load on host.
-#
-# SetNiceLevel = 0
-# SetIOLimit = 0
-
-## The version string to embed in file signature databases
-#
-# VersionString = NULL
-
-## Interval between time stamp messages
-#
-# SetLoopTime = 60
-SetLoopTime = 600
-
-## Interval between file checks 
-#
-# SetFileCheckTime = 600
-SetFileCheckTime = 7200
-
-## Alternative: crontab-like schedule
-#
-# FileCheckScheduleOne = NULL
-
-## Alternative: crontab-like schedule(2)
-#
-# FileCheckScheduleTwo = NULL
-
-## Report only once on modified fles 
-## Setting this to 'FALSE' will generate a report for any policy 
-## violation (old and new ones) each time the daemon checks the file system.
-#
-# ReportOnlyOnce = True
-
-## Report in full detail
-#
-# ReportFullDetail = False
-
-## Report file timestamps in local time rather than GMT
-#
-# UseLocalTime = No
-
-## The console device (can also be a file or named pipe)
-## - There are two console devices. Accordingly, you can use
-##   this directive a second time to set the second console device.
-##   If you have not defined the second device at compile time,
-##   and you don't want to use it, then:
-##   setting it to /dev/null is less effective than just leaving
-##   it alone (setting to /dev/null will waste time by opening
-##   /dev/null and writing to it)
-#
-# SetConsole = /dev/console
-
-## Activate the SysV IPC message queue
-#
-# MessageQueueActive = False
-
-
-## If false, skip reverse lookup when connecting to a host known 
-## by name rather than IP address (i.e. trust the DNS)
-#
-# SetReverseLookup = True
-
-## --- E-Mail ---
-
-# Only highest-level (alert) reports will be mailed immediately,
-# others will be queued. Here you can define, when the queue will
-# be flushed (Note: the queue is automatically flushed after
-# completing a file check).
-#
-SetMailTime = 86400
-
-## Maximum number of mails to queue
-#
-SetMailNum = 10
-
-## Recipient (max. 8)
-#
-SetMailAddress=samhain-reports@debian.org
-
-## Mail relay (IP address)
-#
-SetMailRelay = master.debian.org
-
-## Custom subject format
-#
-MailSubject = [Samhain at %H] %T: %S
-
-## --- end E-Mail ---
-
-## Path to the prelink executable
-#
-# SetPrelinkPath = /usr/sbin/prelink
-
-## TIGER192 checksum of the prelink executable
-#
-# SetPrelinkChecksum = (no default)
-
-
-## Path to the executable. If set, will be checksummed after startup
-## and before exit.
-#
-# SamhainPath = (no default)
-
-
-## The IP address of the log server
-#
-# SetLogServer = (default: compiled-in)
-
-## The IP address of the time server
-#
-# SetTimeServer = (default: compiled-in)
-
-## Trusted Users (comma delimited list of user names) 
-#
-# TrustedUser = (no default; this adds to the compiled-in list)
-
-## Path to the file signature database
-#
-# SetDatabasePath = (default: compiled-in)
-
-## Path to the log file
-#
-# SetLogfilePath = (default: compiled-in)
-
-## Path to the PID file
-#
-# SetLockPath = (default: compiled-in)
-
-
-## The digest/checksum/hash algorithm
-#
-# DigestAlgo = TIGER192
-
-
-## Custom format for message header. 
-## CAREFUL if you use XML logfile format.
-##
-## %S severity
-## %T timestamp
-## %C class
-##
-## %F source file
-## %L source line
-#
-# MessageHeader="%S %T "
-
-
-## Don't log path to config/database file on startup
-#
-# HideSetup = False
-
-## The syslog facility, if you log to syslog
-#
-# SyslogFacility = LOG_AUTHPRIV
-SyslogFacility=LOG_LOCAL2
-
-## The message authentication method
-## - If you change this, you *must* change it
-##   on client *and* server
-#
-# MACType = HMAC-TIGER
-
-
-## everything below is ignored
-[EOF]
-
-#####################################################################
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
index c4a466e..54fd06f 100644 (file)
@@ -3,8 +3,7 @@ class samhain {
     package { samhain: ensure => installed }
 
     file { "/etc/samhain/samhainrc":
-        source  => [ "puppet:///samhain/per-host/$fqdn/samhainrc",
-                     "puppet:///samhain/common/samhainrc" ],
+        content => template("samhain/samhainrc.erb"),
         require => Package["samhain"],
         notify  => Exec["samhain reload"],
     }
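Review bot: The file resource still sets no owner, group or mode, so the templated /etc/samhain/samhainrc keeps whatever permissions the package or an earlier run left on it; the rendered file enumerates exactly which paths the integrity checker ignores (the template's IgnoreAll section lists /etc/sudoers and /etc/pam.d/sudo among them) plus the mail relay and recipient, which is reconnaissance an unprivileged local user should not get. Add `owner => root, group => root, mode => 0640,` next to `require` so the policy is readable only by root (samhain itself runs as root, so this costs nothing). Note also that replacing the `source` array with `content => template(...)` removes the per-host/common fallback: a template that fails to render (for example if `nodeinfo['heavy_exim']` is nil on some node and `.empty?` raises) now fails that host's catalog rather than shipping the common file, so the ERB is worth exercising against a node without that key before rollout. The `class samhain` body continues past the end of this hunk.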
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
new file mode 100644 (file)
index 0000000..a46a94e
--- /dev/null
@@ -0,0 +1,864 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+#####################################################################
+#
+# Configuration file template for samhain.
+#
+#####################################################################
+# 
+# -- empty lines and lines starting with '#', ';' or '//' are ignored
+# -- boolean options can be Yes/No or True/False or 1/0 
+# -- you can PGP clearsign this file -- samhain will check (if compiled
+#    with support) or otherwise ignore the signature
+# -- CHECK mail address
+#
+# To each log facility, you can assign a threshold severity. Only
+# reports with at least the threshold severity will be logged
+# to the respective facility (even further below).
+#
+#####################################################################
+#
+# SETUP for file system checking:
+# 
+# (i)   There are several policies, each has its own section. Put files
+#       into the section for the appropriate policy (see below).
+# (ii)  Section [EventSeverity]: 
+#       To each policy, you can assign a severity (further below).
+# (iii) Section [Log]: 
+#       To each log facility, you can assign a threshold severity. Only
+#       reports with at least the threshold severity will be logged
+#       to the respective facility (even further below).
+#
+#####################################################################
+
+#####################################################################
+#
+# Files are defined with: file = /absolute/path
+#
+# Directories are defined with:                  dir = /absolute/path
+# or with an optional recursion depth (N <= 99): dir = N/absolute/path
+#
+# Directory inodes are checked. If you only want to check files
+# in a directory, but not the directory inode itself, use (e.g.):
+#
+# [ReadOnly]
+# dir = /some/directory
+# [IgnoreAll]
+# file = /some/directory
+#
+# You can use shell-style globbing patterns, like: file = /path/foo*
+# 
+######################################################################
+
+[Misc]
+##
+## Add or subtract tests from the policies
+## - if you want to change their definitions,
+##   you need to do that before using the policies
+##
+# RedefReadOnly = (no default)
+# RedefAttributes=(no default)
+# RedefLogFiles=(no default)
+# RedefGrowingLogFiles=(no default)
+# RedefIgnoreAll=(no default)
+# RedefIgnoreNone=(no default)
+# RedefUser0=(no default)
+# RedefUser1=(no default)
+
+[Attributes]
+##
+## for these files, only changes in permissions and ownership are checked
+##
+file=/etc/mtab
+file=/etc/ssh_random_seed
+file=/etc/asound.conf
+file=/etc/resolv.conf
+file=/etc/localtime
+file=/etc/ioctl.save
+file=/etc/passwd.backup
+file=/etc/shadow.backup
+file=/etc/postfix/prng_exch
+file=/etc/adjtime
+file=/etc/lvm/.cache
+file=/etc/lvm/cache
+file=/etc/lvm/cache/.cache
+file=/etc/network/run/ifstate
+file=/var/state/samhain/samhain_file
+file=/etc/bind/zones/db.debian.net
+file=/etc/exim4/bsmtp
+
+
+
+#
+# There are files in /etc that might change, thus changing the directory
+# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
+#
+file=/etc
+file=/etc/ssh
+file=/etc/network/run
+file=/etc/bind/zones
+
+# These are the directories for the files we handle with puppet
+file=/etc/samhain
+file=/etc/munin
+file=/etc/exim4
+file=/etc/exim4/ssl
+file=/etc/apt
+file=/etc/apt/apt.conf.d
+file=/etc/apt/sources.list.d
+file=/etc/default
+file=/etc/logrotate.d
+file=/etc/nagios
+file=/etc/nagios/nrpe.d
+<%= extradir=""
+case fqdn 
+when "spohr.debian.org": extradir="file=/etc/nagios3/puppetconf.d
+file=/etc/puppet"
+else extradir="file=/etc/puppet"
+end
+extradir
+%>
+file=/etc/cron.d
+file=/usr/lib/nagios/plugins
+file=/usr/sbin
+file=/etc/monit
+file=/etc/monit/monit.d
+file=/etc/pam.d
+file=/etc/syslog-ng
+
+
+[LogFiles]
+##
+## for these files, changes in signature, timestamps, and size are ignored 
+##
+file=/var/run/utmp
+file=/etc/motd
+
+
+
+#####################################################################
+#
+# This would be the proper syntax for parts that should only be
+#    included for certain hosts.
+# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
+#    result still has the proper syntax for the config file.
+# You may have any number of @HOSTNAME/@end brackets.
+# HOSTNAME should be the fully qualified 'official' name 
+#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
+#    No IP number - except if samhain cannot determine the 
+#    fully qualified hostname.
+#
+# @HOSTNAME
+# file=/foo/bar
+# @end
+#
+# These are two examples for conditional inclusion/exclusion
+# of a machine based on the output from 'uname -srm'
+#
+# $Linux:2.*.7:i666
+# file=/foo/bar3
+# $end
+#
+# !$Linux:2.*.7:i686
+# file=/foo/bar2
+# $end
+#
+#####################################################################
+
+[GrowingLogFiles]
+##
+## for these files, changes in signature, timestamps, and increase in size
+##                  are ignored 
+##
+file=/var/log/warn
+file=/var/log/messages
+file=/var/log/wtmp
+file=/var/log/faillog
+file=/var/log/auth.log
+file=/var/log/daemon.log
+file=/var/log/user.log
+file=/var/log/kern.log
+file=/var/log/syslog
+
+
+[IgnoreAll]
+##
+## for these files, no modifications are reported
+##
+## This file might be created or removed by the system sometimes.
+##
+file=/etc/resolv.conf.pcmcia.save
+file=/etc/nologin
+file=/etc/postfix/debian.db
+file=/etc/postfix/debian
+file=/etc/ssh/ssh_known_hosts
+file=/etc/ssh/ssh-rsa-shadow
+file=/var/lib/misc/ssh-rsa-shadow
+file=/etc/.da-backup.trace
+file=/etc/postfix/debianhosts
+file=/etc/postfix/debianhosts.db
+file=/etc/blkid.tab
+file=/etc/blkid.tab.old
+file=/etc/resolv.conf.dhclient-new
+
+# We handle these files with puppet - please to not be bothering us
+file=/etc/timezone
+file=/etc/motd.tail
+file=/etc/samhain/samhainrc
+file=/etc/munin/munin-node.conf
+file=/etc/userdir-ldap.confc
+file=/etc/exim4/blacklist
+file=/etc/exim4/callout_users
+file=/etc/exim4/exim4.conf
+file=/etc/exim4/grey_users
+file=/etc/exim4/helo-check
+file=/etc/exim4/locals
+file=/etc/exim4/localusers
+file=/etc/exim4/manualroute
+file=/etc/exim4/rbllist
+file=/etc/exim4/rcpthosts
+file=/etc/exim4/rhsbllist
+file=/etc/exim4/virtualdomains
+file=/etc/exim4/whitelist
+file=/etc/exim4/local-auto.conf
+file=/etc/exim4/local-settings.conf
+file=/etc/exim4/ssl/ca.crt
+file=/etc/exim4/ssl/ca.crl
+file=/etc/exim4/ssl/thishost.crt
+file=/etc/exim4/ssl/thishost.key
+<%=
+out=""
+if not nodeinfo['heavy_exim'].empty?
+  out = '
+file=/etc/exim4/surbl_whitelist.txt
+file=/etc/exim4/exim_surbl.pl
+file=/etc/exim4/ccTLD.txt
+'
+end
+out
+%>
+file=/etc/apt/preferences
+file=/etc/apt/sources.list.d/volatile.list
+file=/etc/apt/sources.list.d/security.list
+file=/etc/apt/sources.list.d/buildd.list
+file=/etc/apt/sources.list.d/debian.org.list
+file=/etc/apt/sources.list.d/debian.restricted.list
+file=/etc/apt/sources.list.d/debian.list
+file=/etc/apt/sources.list.d/backports.org.list
+file=/etc/apt/apt.conf.d/local-recommends
+file=/etc/apt/apt.conf.d/local-pdiffs
+file=/etc/puppet/puppet.conf
+file=/etc/default/puppet
+file=/etc/logrotate.d/exim4-paniclog
+file=/etc/logrotate.d/exim4-base
+file=/etc/logrotate.d/syslog-ng
+file=/etc/syslog-ng/syslog-ng.conf
+file=/usr/sbin/dsa-update-apt-status
+file=/usr/sbin/dsa-update-samhain-status
+file=/etc/nagios/nrpe.d/nrpe_dsa.cfg
+file=/etc/nagios/nrpe.d/debianorg.cfg
+file=/etc/nagios/obsolete-packages-ignore
+file=/usr/lib/nagios/plugins/dsa-check-packages
+file=/usr/lib/nagios/plugins/dsa-check-soas
+file=/usr/lib/nagios/plugins/dsa-check-mirrorsync
+file=/usr/lib/nagios/plugins/dsa-check-samhain
+file=/usr/lib/nagios/plugins/dsa-check-statusfile
+file=/usr/lib/nagios/plugins/dsa-check-dabackup-server
+file=/usr/lib/nagios/plugins/dsa-check-config
+file=/usr/lib/nagios/plugins/dsa-check-hpacucli
+file=/usr/lib/nagios/plugins/dsa-check-raid-mpt
+file=/usr/lib/nagios/plugins/dsa-check-puppet
+file=/usr/lib/nagios/plugins/dsa-check-running-kernel
+file=/usr/lib/nagios/plugins/dsa-check-raid-3ware
+file=/usr/lib/nagios/plugins/dsa-check-dabackup
+file=/usr/lib/nagios/plugins/dsa-check-raid-dac960
+file=/usr/lib/nagios/plugins/dsa-check-udldap-freshness
+file=/usr/lib/nagios/plugins/dsa-check-raid-areca
+file=/usr/lib/nagios/plugins/dsa-check-raid-sw
+file=/usr/lib/nagios/plugins/dsa-update-samhain-status
+file=/etc/sudoers
+file=/etc/pam.d/sudo
+file=/etc/monit/monitrc
+file=/etc/monit/monit.d/01puppet
+file=/etc/monit/monit.d/00debian.org
+<%= extrafiles=""
+case fqdn 
+when "spohr.debian.org": extrafiles="file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
+file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
+file=/etc/nagios3/puppetconf.d/auto-services.cfg
+file=/etc/nagios3/puppetconf.d/auto-dependencies.cfg
+file=/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg
+file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg"
+when "handel.debian.org": extrafiles="dir=8/etc/puppet"
+end
+extrafiles
+%>
+
+[IgnoreNone]
+##
+## for these files, all modifications (even access time) are reported
+##    - you may create some interesting-looking file (like /etc/safe_passwd),
+##      just to watch whether someone will access it ...
+##
+
+[Prelink]
+##
+## Use for prelinked files or directories holding them
+##
+
+
+[ReadOnly]
+##
+## for these files, only access time is ignored
+##
+dir=/usr/bin
+dir=/bin
+dir=/boot
+#
+# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
+# so we go 3 levels deep
+#
+dir=3/sbin
+dir=/usr/sbin
+dir=/lib
+dir=3/usr/lib
+#
+# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
+#        so we go 3 levels deep there too
+#
+dir=3/etc
+
+# Various directories / files that may include / be SUID/SGID binaries
+#
+#
+file=/usr/lib/pt_chown
+# X11, in Debian X7 this is now a symlink
+#dir=/usr/X11R6/bin
+#dir=/usr/X11R6/lib/X11/xmcd/bin
+# Apache:
+#file=/usr/lib/apache/suexec
+#file=/usr/lib/apache/suexec.disabled
+# Extra directories:
+#dir=/opt/gnome/bin
+#dir=/opt/kde/bin
+
+[User0]
+[User1]
+## User0 and User1 are sections for files/dirs with user-definable checking
+## (see the manual) 
+
+
+[EventSeverity]
+##
+## Here you can assign severities to policy violations.
+## If this severity exceeds the treshold of a log facility (see below),
+## a policy violation will be logged to that facility.
+##
+## Severity for verification failures.
+##
+# SeverityReadOnly=crit
+# SeverityLogFiles=crit
+# SeverityGrowingLogs=crit
+# SeverityIgnoreNone=crit
+# SeverityAttributes=crit
+# SeverityUser0=crit
+# SeverityUser1=crit
+
+# Default behaviour
+SeverityReadOnly=crit
+SeverityLogFiles=crit
+SeverityGrowingLogs=warn
+SeverityIgnoreNone=crit
+SeverityAttributes=crit
+
+
+##
+## We have a file in IgnoreAll that might or might not be present.
+## Setting the severity to 'info' prevents messages about deleted/new file.
+##
+# SeverityIgnoreAll=crit
+SeverityIgnoreAll=info
+
+## Files : file access problems
+# SeverityFiles=crit
+
+## Dirs  : directory access problems
+# SeverityDirs=crit
+
+## Names : suspect (non-printable) characters in a pathname
+# SeverityNames=crit
+
+# Default behaviour
+SeverityFiles=crit
+SeverityDirs=crit
+SeverityNames=warn
+
+
+[Log]
+##
+## Switch on/OFF log facilities and set their threshold severity
+##
+## Values: debug, info, notice, warn, mark, err, crit, alert, none.
+## 'mark' is used for timestamps.
+##
+##
+## Use 'none' to SWITCH OFF a log facility
+## 
+## By default, everything equal to and above the threshold is logged.
+## The specifiers '*', '!', and '=' are interpreted as  
+## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
+## at least on Linux). Examples:
+## MailSeverity=*
+## MailSeverity=!warn
+## MailSeverity==crit
+
+## E-mail
+##
+# MailSeverity=none
+
+## Console
+##
+# PrintSeverity=info
+
+## Logfile
+##
+# LogSeverity=mark
+
+## Syslog
+##
+# SyslogSeverity=none
+
+## Remote server (yule)
+##
+# ExportSeverity=none
+
+## External script or program
+##
+# ExternalSeverity = none
+
+## Logging to a database
+##
+# DatabaseSeverity = none
+
+# Default behaviour
+MailSeverity=crit
+PrintSeverity=none
+LogSeverity=info
+SyslogSeverity=alert
+ExportSeverity=none
+
+
+
+
+
+#####################################################
+#
+# Optional modules
+#
+#####################################################
+
+# [SuidCheck]
+##
+## --- Check the filesystem for SUID/SGID binaries
+## 
+
+## Switch on
+#
+# SuidCheckActive = yes
+
+## Interval for check (seconds)
+#
+# SuidCheckInterval = 7200
+
+## Alternative: crontab-like schedule
+#
+# SuidCheckSchedule = NULL
+## Directory to exclude 
+#
+# SuidCheckExclude = NULL
+
+## Limit on files per second (0 == no limit)
+#
+# SuidCheckFps = 0
+
+## Alternative: yield after every file
+#
+# SuidCheckYield = no
+
+## Severity of a detection
+#
+# SeveritySuidCheck = crit
+
+## Quarantine SUID/SGID files if found
+#
+# SuidCheckQuarantineFiles = yes
+
+## Method for Quarantining files:
+#  0 - Delete or truncate the file.
+#  1 - Remove SUID/SGID permissions from file.
+#  2 - Move SUID/SGID file to quarantine dir.
+#
+# SuidCheckQuarantineMethod = 0
+
+## For method 1 and 3, really delete instead of truncating
+# 
+# SuidCheckQuarantineDelete = yes
+
+# [Kernel]
+##
+## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
+##
+
+## Switch on/off
+#
+KernelCheckActive = True
+
+## Check interval (seconds); btw., the check is VERY fast
+#
+# KernelCheckInterval = 300
+
+## Severity
+#
+# SeverityKernel = crit
+
+
+# [Utmp]
+##
+## --- Logging of login/logout events
+##
+
+## Switch on/off
+#
+LoginCheckActive = True
+
+## Severity for logins, multiple logins, logouts
+# 
+# SeverityLogin=info
+# SeverityLoginMulti=warn
+# SeverityLogout=info
+
+## Interval for login/logout checks
+#
+# LoginCheckInterval = 300
+
+
+# [Database]
+##
+## --- Logging to a relational database
+##
+
+## Database name
+#
+# SetDBName = samhain
+
+## Database table
+#
+# SetDBTable = log
+
+## Database user
+#
+# SetDBUser = samhain
+
+## Database password
+#
+# SetDBPassword = (default: none)
+
+## Database host
+#
+# SetDBHost = localhost
+
+## Log the server timestamp for received messages
+#
+# SetDBServerTstamp = True
+
+## Use a persistent connection
+#
+# UsePersistent = True
+
+# [External]
+##
+## Interface to call external scripts/programs for logging
+##
+
+## The absolute path to the command
+## - Each invocation of this directive will end the definition of the
+##   preceding command, and start the definition of 
+##   an additional, new command
+#
+# OpenCommand = (no default)
+
+## Type (log or rv)
+## - log for log messages, srv for messages received by the server
+#
+# SetType = log
+
+## The command (full command line) to execute
+#
+# SetCommandLine = (no default)
+
+## The environment (KEY=value; repeat for more)
+#
+# SetEnviron = TZ=(your timezone)
+
+## The TIGER192 checksum (optional)
+#
+# SetChecksum = (no default)
+
+## User who runs the command
+#
+# SetCredentials = (default: samhain process uid)
+
+## Words not allowed in message
+#
+# SetFilterNot = (none)
+
+## Words required (ALL of them)
+#
+# SetFilterAnd = (none)
+
+## Words required (at least one)
+#
+# SetFilterOr = (none)
+
+## Deadtime between consecutive calls
+#
+# SetDeadtime = 0
+
+## Add default environment (HOME, PATH, SHELL)
+#
+# SetDefault = no
+
+
+#####################################################
+#
+# Miscellaneous configuration options
+#
+#####################################################
+
+[Misc]
+
+## whether to become a daemon process
+## (this is not honoured on database initialisation)
+#
+# Daemon = no
+Daemon = yes
+
+## whether to test signature of files (init/check/none)
+## - if 'none', then we have to decide this on the command line -
+#
+# ChecksumTest = none
+ChecksumTest=check
+
+## whether to drop linux capabilities that are not required
+## - will make a root process a 'mere mortal' in many respects
+#
+# UseCaps = yes
+
+## Set nice level (-19 to 19, see 'man nice'),
+## and I/O limit (kilobytes per second; 0 == off)
+## to reduce load on host.
+#
+# SetNiceLevel = 0
+# SetIOLimit = 0
+
+## The version string to embed in file signature databases
+#
+# VersionString = NULL
+
+## Interval between time stamp messages
+#
+# SetLoopTime = 60
+SetLoopTime = 600
+
+## Interval between file checks 
+#
+# SetFileCheckTime = 600
+SetFileCheckTime = 7200
+
+## Alternative: crontab-like schedule
+#
+# FileCheckScheduleOne = NULL
+
+## Alternative: crontab-like schedule(2)
+#
+# FileCheckScheduleTwo = NULL
+
+## Report only once on modified fles 
+## Setting this to 'FALSE' will generate a report for any policy 
+## violation (old and new ones) each time the daemon checks the file system.
+#
+# ReportOnlyOnce = True
+
+## Report in full detail
+#
+# ReportFullDetail = False
+
+## Report file timestamps in local time rather than GMT
+#
+# UseLocalTime = No
+
+## The console device (can also be a file or named pipe)
+## - There are two console devices. Accordingly, you can use
+##   this directive a second time to set the second console device.
+##   If you have not defined the second device at compile time,
+##   and you don't want to use it, then:
+##   setting it to /dev/null is less effective than just leaving
+##   it alone (setting to /dev/null will waste time by opening
+##   /dev/null and writing to it)
+#
+# SetConsole = /dev/console
+
+## Activate the SysV IPC message queue
+#
+# MessageQueueActive = False
+
+
+## If false, skip reverse lookup when connecting to a host known 
+## by name rather than IP address (i.e. trust the DNS)
+#
+# SetReverseLookup = True
+
+## --- E-Mail ---
+
+# Only highest-level (alert) reports will be mailed immediately,
+# others will be queued. Here you can define, when the queue will
+# be flushed (Note: the queue is automatically flushed after
+# completing a file check).
+#
+SetMailTime = 86400
+
+## Maximum number of mails to queue
+#
+SetMailNum = 10
+
+## Recipient (max. 8)
+#
+SetMailAddress=samhain-reports@debian.org
+
+## Mail relay (IP address)
+<%=
+out=""
+if not nodeinfo['smarthost'].empty?
+  out = '
+SetMailRelay = localhost
+'
+else
+out = '
+SetMailRelay = master.debian.org
+'
+end
+out
+%>
+## Custom subject format
+#
+MailSubject = [Samhain at %H] %T: %S
+
+## --- end E-Mail ---
+
+## Path to the prelink executable
+#
+# SetPrelinkPath = /usr/sbin/prelink
+
+## TIGER192 checksum of the prelink executable
+#
+# SetPrelinkChecksum = (no default)
+
+
+## Path to the executable. If set, will be checksummed after startup
+## and before exit.
+#
+# SamhainPath = (no default)
+
+
+## The IP address of the log server
+#
+# SetLogServer = (default: compiled-in)
+
+## The IP address of the time server
+#
+# SetTimeServer = (default: compiled-in)
+
+## Trusted Users (comma delimited list of user names) 
+#
+# TrustedUser = (no default; this adds to the compiled-in list)
+
+## Path to the file signature database
+#
+# SetDatabasePath = (default: compiled-in)
+
+## Path to the log file
+#
+# SetLogfilePath = (default: compiled-in)
+
+## Path to the PID file
+#
+# SetLockPath = (default: compiled-in)
+
+
+## The digest/checksum/hash algorithm
+#
+# DigestAlgo = TIGER192
+
+
+## Custom format for message header. 
+## CAREFUL if you use XML logfile format.
+##
+## %S severity
+## %T timestamp
+## %C class
+##
+## %F source file
+## %L source line
+#
+# MessageHeader="%S %T "
+
+
+## Don't log path to config/database file on startup
+#
+# HideSetup = False
+
+## The syslog facility, if you log to syslog
+#
+# SyslogFacility = LOG_AUTHPRIV
+SyslogFacility=LOG_LOCAL2
+
+## The message authentication method
+## - If you change this, you *must* change it
+##   on client *and* server
+#
+# MACType = HMAC-TIGER
+
+
+## everything below is ignored
+[EOF]
+
+#####################################################################
+# This would be the proper syntax for parts that should only be
+#    included for certain hosts.
+# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
+#    result still has the proper syntax for the config file.
+# You may have any number of @HOSTNAME/@end brackets.
+# HOSTNAME should be the fully qualified 'official' name 
+#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
+#    No IP number - except if samhain cannot determine the 
+#    fully qualified hostname.
+#
+# @HOSTNAME
+# file=/foo/bar
+# @end
+#
+# These are two examples for conditional inclusion/exclusion
+# of a machine based on the output from 'uname -srm'
+# $Linux:2.*.7:i666
+# file=/foo/bar3
+# $end
+#
+# !$Linux:2.*.7:i686
+# file=/foo/bar2
+# $end
+#
+#####################################################################
index 7d8c960..80152f7 100644 (file)
@@ -62,6 +62,8 @@ nagios                puccini=(ALL)   NOPASSWD: /usr/local/bin/tw_cli info c0 u0 status
 %forums                ALL=(forums)    ALL
 %keyring       ALL=(keyring)   ALL
 %lintian       ALL=(lintian)   ALL
+%listweb       ALL=(listweb)   ALL
+%list          liszt=(list)    ALL
 %mirroradm     ALL=(archvsync) ALL
 %nm            ALL=(nm)        ALL
 %piuparts      ALL=(piupartsm) ALL
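Review bot: The second added line, `%list          liszt=(list)    ALL`, is placed after `%listweb`, which breaks the alphabetical order the surrounding group entries keep (`%lintian`, `%mirroradm`, `%nm`, ...); swapping the two added lines keeps the block sorted. The `%listweb` entry is granted on `ALL` hosts while `%list` is scoped to `liszt`, so unless the listweb role exists on other hosts receiving this common file, `%listweb       liszt=(listweb) ALL` would match the host scope of the other list entries. Both entries now require a password, unlike the `NOPASSWD: ALL` lines in the deleted per-host liszt file they replace; presumably intentional, but a one-line comment above them would record that.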
@@ -106,3 +108,9 @@ dak         ries=(archvsync)        NOPASSWD:/home/archvsync/runmirrors
 dak            klecker=(archvsync)     NOPASSWD: /home/archvsync/signal_security
 # web stuff
 debwww         klecker=(archvsync)     NOPASSWD: /home/archvsync/webmirrors/runmirrors
+# more list stuff
+%list          liszt=(root)            /usr/sbin/postfix reload
+%list          liszt=(root)            /usr/sbin/qshape, /usr/sbin/postsuper
+%list          liszt=(root)            /etc/init.d/spamassassin, /etc/init.d/amavis
+%list          liszt=(amavis)          NOPASSWD: /usr/bin/sa-learn
+%list          liszt=(amavis)          ALL
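Review bot: The `NOPASSWD` tag on `%list          liszt=(amavis)          NOPASSWD: /usr/bin/sa-learn` is shadowed by the following `%list          liszt=(amavis)          ALL` entry: sudoers applies the last matching entry, so `sudo -u amavis /usr/bin/sa-learn` matches the `ALL` line last and will still prompt for a password. Putting the `ALL` line before the sa-learn line restores the intended passwordless exception. The `(root)` entries for `qshape`, `postsuper` and the two init scripts accept any arguments; a short comment stating that unrestricted arguments are intended, or an explicit argument list as the removed per-host file had for `/etc/init.d/spamassassin restart`, would document that decision.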
diff --git a/modules/sudo/files/per-host/liszt.debian.org/NOT-PUPPETIZED b/modules/sudo/files/per-host/liszt.debian.org/NOT-PUPPETIZED
deleted file mode 100644 (file)
index e69de29..0000000
diff --git a/modules/sudo/files/per-host/liszt.debian.org/sudoers b/modules/sudo/files/per-host/liszt.debian.org/sudoers
deleted file mode 100644 (file)
index ce57bc8..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-##
-## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-##
-
-# /etc/sudoers
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# See the man page for details on how to write a sudoers file.
-#
-
-Defaults       env_reset
-
-# Host alias specification
-
-# User alias specification
-
-# Cmnd alias specification
-
-# User privilege specification
-root   ALL=(ALL) ALL
-%adm    ALL=(ALL) ALL
-%adm    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none
-
-# Listmaster stuff
-%listweb  ALL=(listweb) NOPASSWD: ALL
-%list  ALL=(list) NOPASSWD: ALL
-
-%list  ALL=(root) NOPASSWD: /usr/sbin/postfix reload
-%list  ALL=(root) NOPASSWD: /usr/sbin/qshape
-%list  ALL=(root) /usr/sbin/postsuper
-%list  ALL=(root) /etc/init.d/spamassassin restart
-%list  ALL=(root) /etc/init.d/amavisd
-%list  ALL=(root) /usr/local/sbin/amavisd-new
-%list  ALL=(amavis) NOPASSWD: ALL
-
-%apachectrl     ALL=(root) /usr/sbin/apache2-vhost-update
-
-nagios  ALL=(ALL) NOPASSWD: /usr/bin/arrayprobe ""
-nagios  ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/dsa-check-dabackup ""
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller all show
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd all show
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd [0-9]\:[0-9] show
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 pd [0-9]I\:[0-9]\:[0-9] show
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/hpacucli controller slot=0 show status
-nagios  ALL=(ALL) NOPASSWD: /usr/sbin/samhain -t check --foreground -p err -s none -l none -m none
-
-