remove ifdef GREYLIST_ENABLED, misc fixes and updates

Matthew Saunders Brown 2022-12-12 08:31:14 -08:00
parent 38fe0ebe2d
commit 0703ab4cc4
2 changed files with 60 additions and 87 deletions


@ -108,7 +108,6 @@ GREYLIST_BOUNCE_LIFETIME = 0 HOUR
GREYLIST_TABLE=vm_greylisting
GREYLIST_RESENDERS_TABLE=vm_greylisting_resenders
.ifdef GREYLIST_ENABLED
# database macros
GREYLIST_TEST = SELECT CASE \
WHEN now() > block_expires THEN "accepted" \
@ -167,7 +166,7 @@ GREYLIST_OK_BOUNCE = UPDATE GREYLIST_TABLE \
WHERE id = $acl_m9 AND type='AUTO'
GREYLIST_RESENDERS_UPDATE = REPLACE INTO GREYLIST_RESENDERS_TABLE SET hostname = '${quote_mysql:$acl_m_sender}'
.endif
# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. Note that the
@ -235,7 +234,7 @@ begin acl
# since we use it inside a defer with acl = greylist_acl,
# accepting here makes the condition TRUE thus deferring,
# denying here makes the condition FALSE thus not deferring
.ifdef GREYLIST_ENABLED
#
greylist_acl:
# For regular deliveries, check greylist.
@ -278,21 +277,20 @@ greylist_acl:
deny
add_header = X-DNS-Greylist: mail from $sender_address to $local_part@$domain accepted by greylisting
condition = ${lookup mysql{GREYLIST_RESENDERS_UPDATE}}
.endif
# This access control list is used at the start of an incoming
# connection. The tests are run in order until the connection
# is either accepted or denied.
#
acl_connect:
# In this pass, we do not perform any checks here.
accept
# This access control list is used for the HELO or EHLO command in
# an incoming SMTP transaction. The tests are run in order until the
# greeting is either accepted or denied.
#
acl_helo:
# Early rejection of brute-force bots under the name 'ylmf-pc'
@ -306,7 +304,6 @@ acl_helo:
# incoming SMTP transaction. The tests are run in order until the
# sender address is either accepted or denied.
#
acl_mail_from:
# Accept the command.
@ -315,10 +312,10 @@ acl_mail_from:
# This access control list is used for every RCPT command in an
# incoming SMTP message. The tests are run in order until the
# recipient address is either accepted or denied.
#
acl_check_dkim:
######################################################################
######################################################################
# DomainKeys
######################################################################
@ -327,14 +324,14 @@ acl_check_dkim:
dkim_status = fail
logwrite = DKIM test failed: $dkim_verify_reason
add_header = X-DKIM-Status: fail: $dkim_verify_reason
add_header = X-Junk-Flag: YES
set acl_m_junk = yes
# DKIM invalid
accept
dkim_status = invalid
logwrite = DKIM test invalid: $dkim_verify_reason
add_header = X-DKIM-Status: invalid: $dkim_verify_reason
add_header = X-Junk-Flag: YES
set acl_m_junk = yes
# DKIM none
accept
@ -364,11 +361,6 @@ acl_rcpt_to:
accept
hosts = : +relay_from_hosts
# Accept if the message arrived over an authenticated connection,
# from any host. Again, these messages are usually from MUAs, so
# recipient verification is omitted.
#
# Get rate limit for user and log current rate.
# Hourly rate limit is extracted from db, multiplied by 10 to get daily rate limit.
# The idea being that the hourly rate limit should be a maximum, peak rate, not a sustained rate.
@ -401,20 +393,17 @@ acl_rcpt_to:
accept
authenticated = *
######################################################################
# Hello checks
######################################################################
# If the remote host greets with an IP address, then reject the mail.
#
deny
message = Message was delivered by ratware
log_message = remote host used IP address in HELO/EHLO greeting
condition = ${if isip {$sender_helo_name}{true}{false}}
# Likewise if the peer greets with one of our own names
#
deny
message = Message was delivered by ratware
log_message = remote host used our name in HELO/EHLO greeting.
@ -427,10 +416,7 @@ acl_rcpt_to:
log_message = remote host did not present HELO/EHLO greeting.
condition = ${if def:sender_helo_name {false}{true}}
# If HELO verification fails, we add a X-HELO-Warning: header in
# the message.
#
# If HELO verification fails, we add a X-HELO-Warning: header in the message.
warn
!verify = helo
message = X-HELO-Warning: Remote host $sender_host_address \
@ -515,7 +501,6 @@ acl_rcpt_to:
senders = : postmaster@*
condition = $recipients_count
# Reject the recipient address if it is not in a domain for
# which we are handling mail.
#
@ -523,7 +508,6 @@ acl_rcpt_to:
message = relay not permitted
!domains = +local_domains : +relay_to_domains
# Reject the recipient if it is not a valid mailbox.
# If the mailbox is not on our system (e.g. if we are a
# backup MX for the recipient domain), then perform a
@ -541,11 +525,7 @@ acl_rcpt_to:
condition = WHITELISTED
logwrite = From: $sender_address To: $local_part@$domain is whitelisted in sa_userpref
add_header = X-Whitelist-Flag: YES
# skip any further checks if the address is already marked Junk (by DKIM)
accept
condition = ${if eq {$header_X-Junk-Flag:}{YES}}
logwrite = Skipping SPF/DNSBL/Greylist checks as message already failed DKIM
set acl_m_whitelist = yes
######################################################################
# DNS checks
@ -570,33 +550,34 @@ acl_rcpt_to:
# add SPF header
accept
!senders = :
condition = ${run{/usr/bin/spfquery --scope mfrom \
--identity ${quote:$sender_address} \
--ip-address ${quote:$sender_host_address}} \
{no}{${if eq {$runrc}{1}{yes}{no}}}}
add_header = Received-SPF: fail
add_header = X-Junk-Flag: YES
## log_message = SPF check failed.
set acl_m_junk = yes
#log_message = SPF check failed.
warn
condition = ${if eq {$runrc}{0}{yes}{no}}
add_header = Received-SPF: pass
## log_message = SPF check: pass
#log_message = SPF check: pass
warn
condition = ${if eq {$runrc}{2}{yes}{no}}
add_header = Received-SPF: softfail
## log_message = SPF check: softfail
#log_message = SPF check: softfail
warn
condition = ${if eq {$runrc}{3}{yes}{no}}
add_header = Received-SPF: neutral
## log_message = SPF check: neutral
#log_message = SPF check: neutral
warn
condition = ${if eq {$runrc}{4}{yes}{no}}
add_header = Received-SPF: permerror
## log_message = SPF check: permerror
#log_message = SPF check: permerror
warn
condition = ${if eq {$runrc}{5}{yes}{no}}
@ -606,7 +587,7 @@ acl_rcpt_to:
warn
condition = ${if eq {$runrc}{6}{yes}{no}}
add_header = Received-SPF: none
## log_message = SPF check: none
#log_message = SPF check: none
warn
condition = ${if >{$runrc}{6}{yes}{no}}
@ -618,35 +599,37 @@ acl_rcpt_to:
dnslists = zen.spamhaus.org
logwrite = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
add_header = X-DNS-Blacklist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
add_header = X-Junk-Flag: YES
set acl_m_junk = yes
# will never get here if X-Whitelist-Flag or X-Junk-Flag (gets set with X-DNS-Blacklist) or X-DNS-Whitelist headers are set above
.ifdef GREYLIST_ENABLED
# if $sender_host_name is set use that.
# run command strips of leftmost subdomain if this is a third or higher level domain
# greylisting
# if $sender_host_name is set use that. run command strips of leftmost subdomain if this is a third or higher level domain
warn
condition = ${if def:sender_host_name}
set acl_m_sender = ${run{/bin/bash /etc/exim4/return-resender.sh $sender_host_name}{$value}{$sender_host_name}}
# if $sender_host_name is not set use $sender_helo_name
# if sender_helo_name not set email was already rejected (deny) earlier in this acl
# if $sender_host_name is not set use $sender_helo_name. if sender_helo_name not set email was already rejected (deny) earlier in this acl
warn
condition = ${if !def:sender_host_name}
set acl_m_sender = $sender_helo_name
# bypass greylisting if sender listed in skip_greylisting_hosts
accept
hosts = +skip_greylisting_hosts
log_message = skipping greylisting due to match in skip_greylisting_hosts
# bypass greylisting if the sending host is a known resender
accept
condition = ${lookup mysql{SELECT id FROM GREYLIST_RESENDERS_TABLE WHERE hostname = '${quote_mysql:$acl_m_sender}'}{yes}{no}}
condition = ${lookup mysql{UPDATE GREYLIST_RESENDERS_TABLE SET count=count+1, timestamp = NOW() WHERE hostname = '${quote_mysql:$acl_m_sender}'}{yes}{yes}}
add_header = X-DNS-Greylist: known resender
logwrite = skipping greylisting for $acl_m_sender due to match in GREYLIST_RESENDERS_TABLE
accept
hosts = +skip_greylisting_hosts
log_message = skipping greylisting due to match in skip_greylisting_hosts
# run greylisting acl
defer
!senders = : postmaster@*
!hosts = +skip_greylisting_hosts
acl = greylist_acl
message = greylisted - try again later
.endif
# Otherwise, the recipient address is OK.
#
@ -655,7 +638,7 @@ acl_rcpt_to:
# This access control list is used for message data received via
# SMTP. The tests are run in order until the recipient address
# is either accepted or denied.
#
acl_data:
# Add Message-ID if missing in messages received from our own hosts.
@ -665,9 +648,10 @@ acl_data:
message = Message-ID: <E$message_id@$primary_hostname>
# add domain keys status header
# warn
# message = DomainKey-Status: $dk_status
# !condition = ${if eq{$dk_status}{}{1}{0}}
#
#warn
# message = DomainKey-Status: $dk_status
# !condition = ${if eq{$dk_status}{}{1}{0}}
# Accept mail received over local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
@ -689,17 +673,11 @@ acl_data:
# MESSAGE_SIZE_LIMIT
# condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}}
# skip any further checks if the address is already marked Junk
accept
condition = ${if eq {$header_X-Junk-Flag:}{YES}}
logwrite = Skipping header_syntax and header_sender checks as message already marked Junk
# Deny unless the address list header is syntactically correct.
# Check if the address list header is syntactically correct.
# Note that some specialized MTAs, such as certain mailing list
# servers, do not automatically generate a Message-ID for bounces.
# Thus, we add the check for a non-empty sender.
# (email feedback reports from aol fail this check)
#deny
accept
message = X-RFC2822-Error: Your message does not conform to RFC2822 standard
log_message = message header failed RFC2822 syntax check
@ -707,7 +685,7 @@ acl_data:
!senders = : postmaster@*
!verify = header_syntax
add_header = X-RFC2822-Error: Your message does not conform to RFC2822 standard
add_header = X-Junk-Flag: YES
set acl_m_junk = yes
# Warn unless there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
@ -718,12 +696,12 @@ acl_data:
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
## accept
## condition = ${if ! def:header_X-Junk-Flag: }
## malware = */defer_ok
## log_message = This message contains a virus ($malware_name).
## add_header = X-Virus-Warning: This message contains a virus ($malware_name).
## add_header = X-Junk-Flag: YES
#
#accept
# malware = */defer_ok
# log_message = This message contains a virus ($malware_name).
# add_header = X-Virus-Warning: This message contains a virus ($malware_name).
# set acl_m_junk = yes
# Accept the message.
#
@ -805,29 +783,30 @@ virtual_alias:
domains = +local_domains
local_part_suffix = +*
local_part_suffix_optional = true
condition = ${if !eq {$received_protocol}{spam-scanned}}
## condition = ${if !eq {$received_protocol}{spam-scanned}}
data = ${lookup mysql{SELECT CONCAT(vm_aliases.mbox,'@','${domain}') FROM vm_mboxes, vm_aliases WHERE vm_mboxes.mbox=vm_aliases.mbox AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_aliases.alias='${local_part}' AND vm_aliases.domain='${domain}'}}
junk_filter:
driver = accept
domains = +local_domains
condition = ${if eq{$acl_m_junk}{yes}}
condition = ${if !eq{$acl_m_whitelist}{yes}}
condition = ${if !eq {$received_protocol}{spam-scanned}}
local_part_suffix = +*
local_part_suffix_optional = true
local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter > '0'}}
condition = ${if eq {$header_X-Junk-Flag:}{YES}}
condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}}
condition = ${if !eq {$received_protocol}{spam-scanned}}
headers_add = X-Junk-Flag: YES
transport = junk_delivery
spam_filter:
driver = accept
domains = +local_domains
condition = ${if eq {$received_protocol}{spam-scanned}}
condition = ${if eq {$header_X-Spam-Flag:}{YES}}
## condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}}
local_part_suffix = +*
local_part_suffix_optional = true
local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter = '2'}}
condition = ${if eq {$received_protocol}{spam-scanned}}
condition = ${if eq {$header_X-Spam-Flag:}{YES}}
condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}}
transport = junk_delivery
virtual_vacation:
@ -840,6 +819,7 @@ virtual_vacation:
# add options for start & end date fields to above query
# do not reply to errors or lists or spam-scanned messages, require vacation message in db
condition = ${if !match {$h_precedence:} {(?i)junk|bulk|list}}
condition = ${if !eq{$acl_m_junk}{yes}}
condition = ${if !eq {$received_protocol}{spam-scanned}}
condition = ${if !eq {$sender_address} {}}
no_expn
@ -864,6 +844,7 @@ virtual_autoresponder:
# add options for start & end date fields to above query
# do not reply to errors or lists or spam-scanned messages, require autoresponder message in db
condition = ${if !match {$h_precedence:} {(?i)junk|bulk|list}}
condition = ${if !eq{$acl_m_junk}{yes}}
condition = ${if !eq {$received_protocol}{spam-scanned}}
condition = ${if !eq {$sender_address} {}}
no_expn
@ -899,13 +880,13 @@ spamcheck_router:
# uncomment next line to bypass spamcheck when testing address routing with "exim -bt user@example.com"
#address_test = false
domains = +local_domains
local_part_suffix = +*
local_part_suffix_optional = true
local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0'}}
condition = ${if !eq {$received_protocol}{spam-scanned}}
condition = ${if !eq {$sender_address_domain}{$domain}}
condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}}
condition = ${if !eq{$acl_m_whitelist}{yes}}
condition = ${if < {$message_size}{512k}}
local_part_suffix = +*
local_part_suffix_optional = true
local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter = '2'}}
headers_remove = X-Spam-Checker-Version:X-Spam-Flag:X-Spam-Level:X-Spam-Status:X-Spam-Score:X-Spam-Report
transport = spamcheck
@ -939,7 +920,7 @@ lmtp_localuser:
virtual_alias_catchall:
driver = redirect
domains = +local_domains
condition = ${if !eq {$received_protocol}{spam-scanned}}
## condition = ${if !eq {$received_protocol}{spam-scanned}}
data = ${lookup mysql{SELECT CONCAT(vm_aliases.mbox,'@','${domain}') FROM vm_mboxes, vm_aliases WHERE vm_mboxes.mbox=vm_aliases.mbox AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_aliases.alias='catchall' AND vm_aliases.domain='${domain}'}}
# This router handles aliasing using a linearly searched alias file with the
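Review bot: In the greylisting hunk of acl_rcpt_to (`@ -618,35 +599,37`), the resender bypass `accept ... condition = ${lookup mysql{SELECT id FROM GREYLIST_RESENDERS_TABLE WHERE hostname = '${quote_mysql:$acl_m_sender}'}{yes}{no}}` keys on `$acl_m_sender`, which the preceding `warn` falls back to `$sender_helo_name` when `$sender_host_name` is unset, so a host with no usable reverse DNS appears able to skip greylisting just by greeting with the name of any previously accepted resender; those lines look unchanged by this commit, but since the bypass order is being rearranged here, consider gating that `accept` with `condition = ${if def:sender_host_name}` (or `verify = reverse_host_lookup`) so the HELO-derived name only drives the mysql resender lookup and never the bypass. Separately, `set acl_m_sender = ${run{/bin/bash /etc/exim4/return-resender.sh $sender_host_name}{$value}{$sender_host_name}}` passes the DNS-derived name bare into `${run}`, whereas the spfquery call earlier in the same ACL wraps every argument in `${quote:...}`; `${quote:$sender_host_name}` would keep the two consistent and deliver the name as a single argument, and on Exim releases that reject tainted data in `${run}` this line should be checked to confirm it still expands at all. The comment `# will never get here if X-Whitelist-Flag or X-Junk-Flag (gets set with X-DNS-Blacklist) or X-DNS-Whitelist headers are set above` is now stale, since this commit switches the ACL to `set acl_m_whitelist = yes` / `set acl_m_junk = yes`; reword it to name the ACL variables rather than the headers. acl_rcpt_to begins before this hunk and its final `accept` lies after it.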


@ -2,14 +2,6 @@ qualify_domain = example.com
hide mysql_servers = localhost/vmail/vmail/password
# comment out to disable Greylisting
GREYLIST_ENABLED=
# only use 1 of the following at a time:
# disable for now as clamav is not currently enabled
#VIRUS_WARN=
#VIRUS_DENY=
# Uncomment and change values to override defaults already in main config
#smtp_accept_max = 50
#smtp_accept_max_per_host = 10