From: Julien Cristau Date: Wed, 2 Oct 2019 20:00:13 +0000 (+0200) Subject: Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=f732459b9a99656573c0ac3e918e7aad890dc556;hp=eb1e819a61af91a8fd6586a1f0e5c07dcf00e225 Merge branch 'fordsa' of https://git.adam-barratt.org.uk/git/mirror/dsa-puppet --- diff --git a/modules/exim/files/common/rhsbllist b/modules/exim/files/common/rhsbllist index b6e303e44..52273c464 100644 --- a/modules/exim/files/common/rhsbllist +++ b/modules/exim/files/common/rhsbllist 
@@ -3,36 +3,36 @@ ## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git ## -admin : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -antiharassment : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -books : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -cdvendors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -cloudaccounts : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -community : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -consultants : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -da-manager : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -data-protection : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -diversity : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -events : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -ftp-master : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -ftpmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -hostmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -iana : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -leader : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -keyring-maint : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -mailer-daemon : 
bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -merchandise : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -mirrors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -nagios : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -new-maintainer : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -override-change : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -partners : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -patents : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -preinstallvendors : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -press : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -treasurer : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -trademark : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -salsa-admin : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -wat : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -wbadm : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain -webmaster : bogusmx.rfc-ignorant.org/$sender_address_domain : dsn.rfc-ignorant.org/$sender_address_domain +admin : bogusmx.rfc-clueless.org/$sender_address_domain +antiharassment : bogusmx.rfc-clueless.org/$sender_address_domain +books : bogusmx.rfc-clueless.org/$sender_address_domain +cdvendors : bogusmx.rfc-clueless.org/$sender_address_domain +cloudaccounts : 
bogusmx.rfc-clueless.org/$sender_address_domain +community : bogusmx.rfc-clueless.org/$sender_address_domain +consultants : bogusmx.rfc-clueless.org/$sender_address_domain +da-manager : bogusmx.rfc-clueless.org/$sender_address_domain +data-protection : bogusmx.rfc-clueless.org/$sender_address_domain +diversity : bogusmx.rfc-clueless.org/$sender_address_domain +events : bogusmx.rfc-clueless.org/$sender_address_domain +ftp-master : bogusmx.rfc-clueless.org/$sender_address_domain +ftpmaster : bogusmx.rfc-clueless.org/$sender_address_domain +hostmaster : bogusmx.rfc-clueless.org/$sender_address_domain +iana : bogusmx.rfc-clueless.org/$sender_address_domain +leader : bogusmx.rfc-clueless.org/$sender_address_domain +keyring-maint : bogusmx.rfc-clueless.org/$sender_address_domain +mailer-daemon : bogusmx.rfc-clueless.org/$sender_address_domain +merchandise : bogusmx.rfc-clueless.org/$sender_address_domain +mirrors : bogusmx.rfc-clueless.org/$sender_address_domain +nagios : bogusmx.rfc-clueless.org/$sender_address_domain +new-maintainer : bogusmx.rfc-clueless.org/$sender_address_domain +override-change : bogusmx.rfc-clueless.org/$sender_address_domain +partners : bogusmx.rfc-clueless.org/$sender_address_domain +patents : bogusmx.rfc-clueless.org/$sender_address_domain +preinstallvendors : bogusmx.rfc-clueless.org/$sender_address_domain +press : bogusmx.rfc-clueless.org/$sender_address_domain +treasurer : bogusmx.rfc-clueless.org/$sender_address_domain +trademark : bogusmx.rfc-clueless.org/$sender_address_domain +salsa-admin : bogusmx.rfc-clueless.org/$sender_address_domain +wat : bogusmx.rfc-clueless.org/$sender_address_domain +wbadm : bogusmx.rfc-clueless.org/$sender_address_domain +webmaster : bogusmx.rfc-clueless.org/$sender_address_domain diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 7073f7475..6dc0a5960 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb 
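Review bot: Every row loses its `dsn.` lookup and keeps only `bogusmx.rfc-clueless.org/$sender_address_domain`, but neither the file nor the commit message says whether dropping the DSN check was intended or a side effect of switching zones. The same third-party zone name is also repeated on all 33 rows, so the next move of that zone means another 33-line edit, and until then the result depends on whatever the old name answers. I would add a header line next to the existing `## USE:` block, for example `## bogusmx list only; dsn list dropped deliberately (<reason>)`. If the ACL that reads this file allows it, keep the zone name in one place instead of in every row.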
@@ -450,14 +450,17 @@ check_helo: # These are in HELO acl so that they are only run once. They increment a counter, # so we don't want it to increment per rcpt to. + # high trust warn dnslists = list.dnswl.org&0.0.0.3 log_message = Hit on list.dnswl.org for $sender_host_address set acl_c_scr = ${eval:$acl_c_scr-30} + # >= medium trust warn dnslists = list.dnswl.org&0.0.0.2 log_message = Hit on list.dnswl.org for $sender_host_address set acl_c_scr = ${eval:$acl_c_scr-20} + # any form of listing warn dnslists = list.dnswl.org log_message = Hit on list.dnswl.org for $sender_host_address set acl_c_scr = ${eval:$acl_c_scr-10} @@ -470,15 +473,18 @@ check_helo: condition = ${if eq{$host_lookup_failed}{1}} set acl_c_scr = ${eval:$acl_c_scr+20} + # HELO looks like a dynamic address (with RDNS match) warn !hosts = +debianhosts condition = ${if eq{$host_lookup_failed}{0}} condition = ${if match{$sender_host_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}} set acl_c_scr = ${eval:$acl_c_scr+20} + # HELO looks like a dynamic address warn !hosts = +debianhosts condition = ${if match{$sender_helo_name}{\N(^[^\.]*[0-9]\-+[0-9]|^[^\.]*[0-9]{5,}[^\.]|^([^\.]+\.)?[0-9][^ \.]*\.[^\.]+\..+\.[a-z]|^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]|^(dyn|cable|dhcp|dialup|ppp|adsl)[^\.]*[0-9])\N}} set acl_c_scr = ${eval:$acl_c_scr+20} + # mail from a dynamic IP address range warn !hosts = +debianhosts dnslists = dul.dnsbl.sorbs.net set acl_c_scr = ${eval:$acl_c_scr+15} 
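Review bot: The three new labels in the `list.dnswl.org` stanzas read as if each stanza were a separate tier, but the stanzas are not mutually exclusive. With the bit-mask form, a host at the highest trust level appears to match `&0.0.0.3`, `&0.0.0.2` and the unmasked lookup, so it would receive -60 rather than -30. I would make that explicit, e.g. `# high trust (cumulative with the two stanzas below: -60 in total)`. All three stanzas also share the same `log_message`, so a log line does not tell which tier fired. Since this block lowers the spam score on the word of an external zone, it is worth confirming that only the list's documented trust values can match the unmasked stanza.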
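Review bot: The comment `# HELO looks like a dynamic address (with RDNS match)` is attached to the stanza that tests `$sender_host_name` after `$host_lookup_failed` is 0, so it describes the reverse-DNS name and not the HELO string. Only the following stanza tests `$sender_helo_name`. Something like `# reverse DNS name looks like a dynamic address` would match the condition. A host whose rDNS name and HELO both match the pattern collects +40, because each stanza adds 20, and the comments could say so. These comments are what the next person will rely on when tuning the score, so they should name the variable that is actually tested.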
@@ -857,6 +863,11 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST + deny message = host $sender_host_address is listed in $dnslist_domain; see $dnslist_text + dnslists = noserver.dnsbl.sorbs.net + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + <%- end -%> deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text dnslists = ${if match_domain{$domain}{+virtual_domains}\ @@ -867,6 +878,11 @@ check_recipient: domains = +handled_domains !hosts = +debianhosts : WHITELIST + deny message = domain $sender_address_domain is listed in $dnslist_domain; see $dnslist_text + dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain + domains = +handled_domains + !hosts = +debianhosts : WHITELIST + <%- unless @use_smarthost -%> deny domains = +handled_domains local_parts = ${if match_domain{$domain}{+virtual_domains}\
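Review bot: Both new stanzas are hard `deny` rules that trust any answer from a single external zone: `noserver.dnsbl.sorbs.net` here and `nomail.rhsbl.sorbs.net/$sender_address_domain` in the next hunk (`@@ -867,6 +878,11 @@`). The SORBS check in `check_helo` (`dul.dnsbl.sorbs.net`) only adds to `acl_c_scr`, so these two are stricter than the existing one. If either zone ever answers for everything, mail to all `+handled_domains` from hosts outside `+debianhosts : WHITELIST` is rejected at RCPT time. I would pin the match to the list's documented return address, `dnslists = noserver.dnsbl.sorbs.net=<documented return address>`, or score these hits like the `dul` one. The first stanza sits before `<%- end -%>`, so it is only rendered under a template condition that opens outside the hunk, while the second sits before `<%- unless @use_smarthost -%>`. It is worth confirming that both are meant to apply to the same set of hosts.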