Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet
authorJulien Cristau <jcristau@debian.org>
Tue, 15 Oct 2019 16:47:20 +0000 (18:47 +0200)
committerJulien Cristau <jcristau@debian.org>
Tue, 15 Oct 2019 16:47:20 +0000 (18:47 +0200)
modules/exim/files/common/exim_surbl.pl
modules/exim/templates/eximconf.erb
modules/fail2ban/files/filter/dsa-exim-strict.conf

index d2d0825..6d3c3fd 100644 (file)
@@ -67,7 +67,7 @@ sub surblspamcheck
     # lookups.  Set to 1 to enable and 0 to disable.
     my $surbl_enable = 1;
     my $uribl_enable = 1;
-    my $dbl_enable = 0;
+    my $dbl_enable = 1;
 
     # Check to see if a decode MIME attachment is being checked or 
     # just a plain old text message with no attachments
index f8f927c..af0e177 100644 (file)
@@ -306,7 +306,7 @@ GREYLIST_LOCAL_PARTS = ${if match_domain{$domain}{+virtual_domains}\
                        {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/grey_users}}}{$local_part}{}}}{}}}\
                        {${lookup{$local_part}lsearch{/etc/exim4/grey_users}{$local_part}{}}}} : \
                        ${lookup{$local_part}lsearch{/var/lib/misc/$primary_hostname/mail-greylist}{$local_part}{}}
-HAS_DEFAULT_OPTIONS  = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{FALSE}}}{TRUE}}
+HAS_DEFAULT_OPTIONS  = ${if eq{${lookup{$local_part}dbmnz{/var/lib/misc/$primary_hostname/default-mail-options.db}{$value}{TRUE}}}{TRUE}}
 <%- if @is_rtmaster -%>
 # This subject rewrite is embedded in double-quoted strings. As such, some of
 # the items need more escaping than usual, otherwise \N becomes simply "N" and
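Review bot: The fallback of the `dbmnz` lookup in `HAS_DEFAULT_OPTIONS` is now `TRUE`, so every local part with no entry in default-mail-options.db is treated as opted in. That applies to every ACL statement that tests the macro, not only the stanzas added in this commit; the other uses are outside the visible hunks and should be re-checked against the new polarity. A comment above the macro would record the intent, for example `# Local parts with no entry in default-mail-options.db get the default options (opt-out, not opt-in).` The `eq{...}{TRUE}` test is case-sensitive, so if the database can hold other spellings such as `true`, those entries would count as opted out.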
@@ -700,6 +700,12 @@ check_recipient:
           condition     = ${lookup{$sender_address_local_part}lsearch{${extract{directory}{VSENDERDOMAINDATA}{${value}/neversenders}}}{true}}
          message       = no mail should ever come from <$sender_address>
 
+  deny    domains       = +virtual_domains
+          senders       = :
+          condition     = ${if exists {${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}}
+          condition     = ${lookup{$local_part}lsearch{${extract{directory}{VDOMAINDATA}{${value}/neversenders}}}{true}}
+          message       = <$local_part@$domain> does not send mail; rejecting bogus NDR
+
   warn    condition     = ${if eq{$acl_m_prf}{localonly}}
           set acl_m_lrc = ${if eq{$acl_m_lrc}{}{$local_part@$domain}{$acl_m_lrc, $local_part@$domain}}
 
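Review bot: The new `deny` stanza has no comment saying that `senders = :` selects only mail with the null envelope sender, which is what makes this a bounce check rather than a block on the recipient. I would add `# Null-sender mail (bounces/DSNs) to an address that never sends mail cannot be a genuine NDR.` above it. The `lsearch` is keyed on the full `$local_part`, so if subaddressed forms of these addresses are accepted elsewhere in the configuration they would not match an entry in `neversenders`; this is an inference, since the routers are not visible in this diff.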
@@ -881,7 +887,7 @@ check_recipient:
           domains       = +virtual_domains : +bsmtp_domains
 
 <%- unless @use_smarthost -%>
-  deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+  deny    message  = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
           dnslists = ${if match_domain{$domain}{+virtual_domains}\
                     {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}\
                     {${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rbllist}}}{$value}{}}}{}}}\
@@ -890,13 +896,19 @@ check_recipient:
          domains       = +handled_domains
          !hosts        = +debianhosts : WHITELIST
 
-  deny    message  = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text
+  deny    message  = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
           dnslists = noserver.dnsbl.sorbs.net
           domains  = +handled_domains
           !hosts   = +debianhosts : WHITELIST
 
+  deny    message   = host $sender_host_address is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+          condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+          dnslists  = relays.dnsbl.sorbs.net : xbl.spamhaus.org
+          domains   = +handled_domains
+          !hosts    = +debianhosts : WHITELIST
+
 <%- end -%>
-  deny    message  = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+  deny    message  = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
           dnslists = ${if match_domain{$domain}{+virtual_domains}\
                     {${if exists {${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}\
                     {${expand:${lookup{$local_part}lsearch*{${extract{directory}{VDOMAINDATA}{${value}/rhsbllist}}}{$value}{}}}}{}}}\
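Review bot: The added `deny` on `relays.dnsbl.sorbs.net : xbl.spamhaus.org` rejects on any A record the list returns, and so does the `dbl.spamhaus.org/$sender_address_domain` stanza added in the next hunk. Spamhaus documents non-listing answers in 127.255.255.0/24 (for example when queries arrive through a public resolver or exceed the usage limits), and DBL returns 127.0.1.255 for IP-address queries. A resolver or policy change could therefore turn these stanzas into a blanket reject for every recipient that `HAS_DEFAULT_OPTIONS` covers. Restricting the accepted values avoids that, for example something like `dnslists = relays.dnsbl.sorbs.net : xbl.spamhaus.org=127.0.0.4,127.0.0.5,127.0.0.6,127.0.0.7`, with a `!=` exclusion of the error codes on the DBL line. The `($dnslist_value)` now in the message helps diagnose such a case but does not prevent it.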
@@ -905,11 +917,17 @@ check_recipient:
          domains       = +handled_domains
          !hosts        = +debianhosts : WHITELIST
 
-  deny    message  = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text
+  deny    message  = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
           dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain
           domains  = +handled_domains
           !hosts   = +debianhosts : WHITELIST
 
+  deny    message   = domain $sender_address_domain is listed in $dnslist_domain ($dnslist_value); see $dnslist_text
+          condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}
+          dnslists  = dbl.spamhaus.org/$sender_address_domain
+          domains   = +handled_domains
+          !hosts    = +debianhosts : WHITELIST
+
 <%- unless @use_smarthost -%>
   deny    domains  = +handled_domains
           local_parts = ${if match_domain{$domain}{+virtual_domains}\
index 2dcdfb1..02eeb06 100644 (file)
@@ -5,3 +5,4 @@ before = exim-common.conf
 
 [Definition]
 failregex = (?i)^%(pid)s SMTP protocol error in "AUTH LOGIN" %(host_info)sAUTH command used when not advertised$
+            ^%(pid)s %(host_info)sWarning: Sender rate \d{3,}.\d / [^ ]+ \(limit: \d\d?\)
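Review bot: In the added `failregex` line the `.` in `\d{3,}.\d` is unescaped, so it matches any character rather than only the decimal point of the logged rate; `\d{3,}\.\d` states the intent. The thresholds are encoded only in the digit counts, so a comment above `failregex` would help the next maintainer, for example `# second pattern: sender rate of 100.0 or more against a configured limit below 100`. The Exim log line this matches is produced by a ratelimit statement that is not part of this diff, so the pattern should be checked against a real log sample before hosts are banned on it.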