X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=af0e177a8d73d48ce1a0734597b09f315c7b723e;hp=a11e8d5de99b7f628ef9971ceafd8dcca8d973b7;hb=f50a3a803d19af29ca27e271b193cbddcad5f92e;hpb=b245fb07a6f516d223dd5285e4e650224267b760 diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index a11e8d5de..af0e177a8 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -45,8 +45,12 @@ # From /var/lib/misc / UD: # -# mail-forward.cdb - aliases for @d.o -# user-forward.cdb - aliases for @thishost.d.o +# mail-forward.db - aliases for @d.o +# user-forward.db - aliases for @thishost.d.o +# +# Note that the BDB files generated by ud-ldap use keys that are not +# null-terminated, so Exim needs to use the "dbmnz" lookup type, rather +# than "dbm". # Exim's wildcard mechanism is a bit odd in that to say "any address in # debian.org including debian.org" you must use two patterns, @@ -302,6 +306,7 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\ {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \ ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}} +HAS_DEFAULT_OPTIONS = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}} <%- if @is_rtmaster -%> # This subject rewrite is embedded in double-quoted strings. As such, some of # the items need more escaping than usual, otherwise \N becomes simply "N" and @@ -414,27 +419,27 @@ acl_getprofile: accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains - condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}} - condition = ${if eq{${lookup{$local_part}cdb{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}{$value}{}}}{markup}} + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.db}}}} + condition = ${if eq{${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.db}}}{$value}{}}}{markup}} set acl_m_rprf = markup accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +virtual_domains - condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}} - condition = ${if eq{${lookup{$local_part}cdb{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.cdb}}}{$value}{}}}{blackhole}} + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.db}}}} + condition = ${if eq{${lookup{$local_part}dbmnz{${extract{directory}{VDOMAINDATA}{${value}/contentinspectionaction.db}}}{$value}{}}}{blackhole}} set acl_m_rprf = blackhole accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +local_domains - condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{markup}} + condition = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.db}{$value}{}}}{markup}} set acl_m_rprf = markup accept condition = ${if !eq {$acl_m_rprf}{}} warn domains = +local_domains - condition = ${if eq{${lookup{$local_part}cdb{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.cdb}{$value}{}}}{blackhole}} + condition = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/${primary_hostname}/mail-contentinspectionaction.db}{$value}{}}}{blackhole}} set acl_m_rprf = blackhole accept condition = ${if !eq {$acl_m_rprf}{}} @@ -596,6 +601,14 @@ check_recipient: message = Different profile, please retry log_message = Only one profile at a time, please + # Set a flag to indicate whether the current recipient + # has explicitly requested greylisting + warn set acl_m_grey_recip = 0 + + warn local_parts = GREYLIST_LOCAL_PARTS + domains = +handled_domains + set acl_m_grey_recip = 1 + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing address harvesting or other mail blasts. @@ -687,6 +700,12 @@ check_recipient: condition = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}} message = no mail should ever come from <$sender_address> + deny domains = +virtual_domains + senders = : + condition = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}} + condition = ${lookup{$local_part}lsearch{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{true}} + message = <$local_part@$domain> does not send mail; rejecting bogus NDR + warn condition = ${if eq{$acl_m_prf}{localonly}} set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}} @@ -769,27 +788,25 @@ check_recipient: <%- end -%> <%- if @is_rtmaster -%> warn condition = ${if eq{$acl_m_prf}{RTMail}} - set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}{match{$local_part}{3520}}{match{$local_part}{3645}}} {RTMailRecipientHasSubaddress}}}} - # temporary hack because weasel screwed up and gave people an rt-3520@ address, which doesn't really work normally. and rt-3645 - #set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} - + set acl_m12 = ${if def:acl_m12 {$acl_m12} {${if or{{match{$local_part}{\N[^+]+\+\d+\N}}{match{$local_part}{\N[^+]+\+new\N}}} {RTMailRecipientHasSubaddress}}}} <%- end -%> <%- if has_variable?("greylistd") && @greylistd -%> defer message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. log_message = greylisted. - local_parts = ${if match_domain{$domain}{+virtual_domains}\ - {${if exists {${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}\ - {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\ - {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}} : \ - ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}}} + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } !senders = : !hosts = : +debianhosts : WHITELIST : \ ${if exists {/etc/greylistd/whitelist-hosts}\ {/etc/greylistd/whitelist-hosts}{}} : \ ${if exists {/var/lib/greylistd/whitelist-hosts}\ {/var/lib/greylistd/whitelist-hosts}{}} + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains @@ -806,6 +823,7 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} condition = ${if ! def:acl_m_grey} set acl_m_grey = $pid.$tod_epoch.$sender_host_port @@ -814,10 +832,15 @@ check_recipient: defer !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ protocol_name=${uc:$received_protocol}\n\ @@ -839,10 +862,15 @@ check_recipient: warn !senders = : !hosts = : +debianhosts : WHITELIST + !dnslists = list.dnswl.org&0.0.0.3 condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}} @@ -859,7 +887,7 @@ check_recipient: domains = +virtual_domains : +bsmtp_domains <%- unless @use_smarthost -%> - deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\ {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\ @@ -868,13 +896,19 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST - deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text dnslists = noserver.dnsbl.sorbs.net domains = +handled_domains !hosts = +debianhosts : WHITELIST + deny message = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text + condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}} + dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + <%- end -%> - deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\ {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\ @@ -883,11 +917,17 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST - deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain domains = +handled_domains !hosts = +debianhosts : WHITELIST + deny message = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text + condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}} + dnslists = dbl.spamhaus.org/$sender_address_domain + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + <%- unless @use_smarthost -%> deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\ @@ -1082,8 +1122,8 @@ check_message: begin rewrite \N^buildd_(.*)@fasolo\.debian\.org$\N buildd_$1@buildd.debian.org T -*@debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T -*@people.debian.org ${lookup{$1}cdb{/var/lib/misc/${primary_hostname}/mail-forward.cdb}{$value}fail} T +*@debian.org ${lookup{$1}dbmnz{/var/lib/misc/${primary_hostname}/mail-forward.db}{$value}fail} T +*@people.debian.org ${lookup{$1}dbmnz{/var/lib/misc/${primary_hostname}/mail-forward.db}{$value}fail} T #*@${primary_hostname} "${if exists{/etc/exim4/email-addresses}{${lookup{$1}lsearch{/etc/exim4/email-addresses}{$value}fail}}fail}" fFs @@ -1338,9 +1378,9 @@ ldap_aliases: driver = redirect allow_defer allow_fail - data = ${if exists{/var/lib/misc/$primary_hostname/user-forward.cdb}\ - {${lookup{$local_part}cdb\ - {/var/lib/misc/$primary_hostname/user-forward.cdb}}}} + data = ${if exists{/var/lib/misc/$primary_hostname/user-forward.db}\ + {${lookup{$local_part}dbmnz\ + {/var/lib/misc/$primary_hostname/user-forward.db}}}} domains = +local_domains file_transport = address_file local_part_suffix = -* @@ -1497,17 +1537,17 @@ virt_users: group = ${extract{group}{VDOMAINDATA}} # Manually construct the forwarding address, preserving the # local_part_suffix if the remote host is master. - data = ${if and {{exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.cdb}}}}\ - {! eq {${lookup{$local_part}cdb\ - {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.cdb}}}}}\ + data = ${if and {{exists{${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}\ + {! eq {${lookup{$local_part}dbmnz\ + {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}\ {}}}\ - {${local_part:${lookup{$local_part}cdb\ - {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.cdb}}}}}\ - ${if eq {${domain:${lookup{$local_part}cdb\ - {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.cdb}}}}}}{master.debian.org}{$local_part_suffix} {}}\ + {${local_part:${lookup{$local_part}dbmnz\ + {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}\ + ${if eq {${domain:${lookup{$local_part}dbmnz\ + {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}}{master.debian.org}{$local_part_suffix} {}}\ @\ - ${domain:${lookup{$local_part}cdb\ - {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.cdb}}}}}}} + ${domain:${lookup{$local_part}dbmnz\ + {${extract{directory}{VDOMAINDATA}{${value}/mail-forward.db}}}}}}} domains = +virtual_domains file_transport = address_file headers_add = "Delivered-To: ${local_part}${local_part_suffix}@${domain}"