From 0703ab4cc4031168bcd1e5517d6cb06a01e7c40a Mon Sep 17 00:00:00 2001 From: Matthew Saunders Brown Date: Mon, 12 Dec 2022 08:31:14 -0800 Subject: [PATCH] remove ifdef GREYLIST_ENABLED, misc fixes and updates --- etc/exim4/exim4.conf | 139 ++++++++++++++++---------------------- etc/exim4/exim_local.conf | 8 --- 2 files changed, 60 insertions(+), 87 deletions(-) diff --git a/etc/exim4/exim4.conf b/etc/exim4/exim4.conf index 23eab54..e761590 100644 --- a/etc/exim4/exim4.conf +++ b/etc/exim4/exim4.conf @@ -108,7 +108,6 @@ GREYLIST_BOUNCE_LIFETIME = 0 HOUR GREYLIST_TABLE=vm_greylisting GREYLIST_RESENDERS_TABLE=vm_greylisting_resenders -.ifdef GREYLIST_ENABLED # database macros GREYLIST_TEST = SELECT CASE \ WHEN now() > block_expires THEN "accepted" \ @@ -167,7 +166,7 @@ GREYLIST_OK_BOUNCE = UPDATE GREYLIST_TABLE \ WHERE id = $acl_m9 AND type='AUTO' GREYLIST_RESENDERS_UPDATE = REPLACE INTO GREYLIST_RESENDERS_TABLE SET hostname = '${quote_mysql:$acl_m_sender}' -.endif + # No deliveries will ever be run under the uids of these users (a colon- # separated list). An attempt to do so causes a panic error to be logged, and # the delivery to be deferred. This is a paranoic safety catch. Note that the @@ -235,7 +234,7 @@ begin acl # since we use it inside a defer with acl = greylist_acl, # accepting here makes the condition TRUE thus deferring, # denying here makes the condition FALSE thus not deferring -.ifdef GREYLIST_ENABLED +# greylist_acl: # For regular deliveries, check greylist. 
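Review bot: Dropping `.ifdef GREYLIST_ENABLED` above `greylist_acl:` (and the matching `.ifdef`/`.endif` around the database macros in the two hunks above) leaves no configuration-level switch for greylisting: the `defer … acl = greylist_acl` in acl_rcpt_to later in this patch now runs for every sender not in `skip_greylisting_hosts`, and the MySQL lookups behind `GREYLIST_TEST` and `GREYLIST_RESENDERS_UPDATE` become mandatory. A site that used to disable greylisting by leaving `GREYLIST_ENABLED=` out of exim_local.conf will start deferring mail after this update with nothing in the config to say why. Suggest turning the bare `+#` line above `greylist_acl:` into `# Greylisting is always enabled (requires the vm_greylisting tables); exempt hosts via skip_greylisting_hosts` and mentioning the behaviour change in the commit description.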
@@ -278,21 +277,20 @@ greylist_acl: deny add_header = X-DNS-Greylist: mail from $sender_address to $local_part@$domain accepted by greylisting condition = ${lookup mysql{GREYLIST_RESENDERS_UPDATE}} -.endif + # This access control list is used at the start of an incoming # connection. The tests are run in order until the connection # is either accepted or denied. - +# acl_connect: # In this pass, we do not perform any checks here. accept - # This access control list is used for the HELO or EHLO command in # an incoming SMTP transaction. The tests are run in order until the # greeting is either accepted or denied. - +# acl_helo: # Early rejection of brute-force bots under the name 'ylmf-pc' @@ -306,7 +304,6 @@ acl_helo: # incoming SMTP transaction. The tests are run in order until the # sender address is either accepted or denied. # - acl_mail_from: # Accept the command. @@ -315,10 +312,10 @@ acl_mail_from: # This access control list is used for every RCPT command in an # incoming SMTP message. The tests are run in order until the # recipient address is either accepted or denied. - +# acl_check_dkim: - ###################################################################### + ###################################################################### # DomainKeys ###################################################################### @@ -327,14 +324,14 @@ acl_check_dkim: dkim_status = fail logwrite = DKIM test failed: $dkim_verify_reason add_header = X-DKIM-Status: fail: $dkim_verify_reason - add_header = X-Junk-Flag: YES + set acl_m_junk = yes # DKIM invalid accept dkim_status = invalid logwrite = DKIM test invalid: $dkim_verify_reason add_header = X-DKIM-Status: invalid: $dkim_verify_reason - add_header = X-Junk-Flag: YES + set acl_m_junk = yes # DKIM none accept 
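Review bot: `set acl_m_junk = yes` on the `dkim_status = fail` and `dkim_status = invalid` verbs flags the whole message on the first bad signature and the variable is never cleared afterwards; since the DKIM ACL is run once per signer, a message carrying one broken third-party signature next to a valid author-domain signature ends up filed as junk. If that is not intended, restrict both branches to the author domain, e.g. add `condition = ${if eq{$dkim_cur_signer}{$sender_address_domain}}` to each verb (confirm `dkim_verify_signers` in the main section, outside this hunk, covers that domain). The heading kept just above `acl_check_dkim:` in the previous hunk — `# This access control list is used for every RCPT command` — describes acl_rcpt_to rather than this ACL and would be worth correcting while the block is touched.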
@@ -364,11 +361,6 @@ acl_rcpt_to: accept hosts = : +relay_from_hosts - # Accept if the message arrived over an authenticated connection, - # from any host. Again, these messages are usually from MUAs, so - # recipient verification is omitted. - # - # Get rate limit for user and log current rate. # Hourly rate limit is extracted from db, multiplied by 10 to get daily rate limit. # The idea being that the hourly rate limit should be a maximum, peak rate, not a sustained rate. @@ -401,20 +393,17 @@ acl_rcpt_to: accept authenticated = * - ###################################################################### # Hello checks ###################################################################### # If the remote host greets with an IP address, then reject the mail. - # deny message = Message was delivered by ratware log_message = remote host used IP address in HELO/EHLO greeting condition = ${if isip {$sender_helo_name}{true}{false}} # Likewise if the peer greets with one of our own names - # deny message = Message was delivered by ratware log_message = remote host used our name in HELO/EHLO greeting. @@ -427,10 +416,7 @@ acl_rcpt_to: log_message = remote host did not present HELO/EHLO greeting. condition = ${if def:sender_helo_name {false}{true}} - - # If HELO verification fails, we add a X-HELO-Warning: header in - # the message. - # + # If HELO verification fails, we add a X-HELO-Warning: header in the message. warn !verify = helo message = X-HELO-Warning: Remote host $sender_host_address \ @@ -515,7 +501,6 @@ acl_rcpt_to: senders = : postmaster@* condition = $recipients_count - # Reject the recipient address if it is not in a domain for # which we are handling mail. # @@ -523,7 +508,6 @@ acl_rcpt_to: message = relay not permitted !domains = +local_domains : +relay_to_domains - # Reject the recipient if it is not a valid mailbox. # If the mailbox is not on our system (e.g. if we are a # backup MX for the recipient domain), then perform a 
@@ -541,11 +525,7 @@ acl_rcpt_to: condition = WHITELISTED logwrite = From: $sender_address To: $local_part@$domain is whitelisted in sa_userpref add_header = X-Whitelist-Flag: YES - - # skip any further checks if the address is already marked Junk (by DKIM) - accept - condition = ${if eq {$header_X-Junk-Flag:}{YES}} - logwrite = Skipping SPF/DNSBL/Greylist checks as message already failed DKIM + set acl_m_whitelist = yes ###################################################################### # DNS checks @@ -570,33 +550,34 @@ acl_rcpt_to: # add SPF header accept + !senders = : condition = ${run{/usr/bin/spfquery --scope mfrom \ --identity ${quote:$sender_address} \ --ip-address ${quote:$sender_host_address}} \ {no}{${if eq {$runrc}{1}{yes}{no}}}} add_header = Received-SPF: fail - add_header = X-Junk-Flag: YES -## log_message = SPF check failed. + set acl_m_junk = yes + #log_message = SPF check failed. warn condition = ${if eq {$runrc}{0}{yes}{no}} add_header = Received-SPF: pass -## log_message = SPF check: pass + #log_message = SPF check: pass warn condition = ${if eq {$runrc}{2}{yes}{no}} add_header = Received-SPF: softfail -## log_message = SPF check: softfail + #log_message = SPF check: softfail warn condition = ${if eq {$runrc}{3}{yes}{no}} add_header = Received-SPF: neutral -## log_message = SPF check: neutral + #log_message = SPF check: neutral warn condition = ${if eq {$runrc}{4}{yes}{no}} add_header = Received-SPF: permerror -## log_message = SPF check: permerror + #log_message = SPF check: permerror warn condition = ${if eq {$runrc}{5}{yes}{no}} @@ -606,7 +587,7 @@ acl_rcpt_to: warn condition = ${if eq {$runrc}{6}{yes}{no}} add_header = Received-SPF: none -## log_message = SPF check: none + #log_message = SPF check: none warn condition = ${if >{$runrc}{6}{yes}{no}} 
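Review bot: The whitelist `accept` now sets `acl_m_whitelist` but still emits `add_header = X-Whitelist-Flag: YES`; with the router tests in this patch moved to `$acl_m_whitelist` (and the `X-Whitelist-Flag` check in spam_filter commented out) the header is informational only, and any remaining reader of `$header_X-Whitelist-Flag:` would be trusting a header the remote sender can supply itself. Suggest `# informational only — routers decide on $acl_m_whitelist, never on this header` above the `add_header` line. The deleted "skip any further checks if the address is already marked Junk (by DKIM)" accept could never have fired here, because acl_check_dkim runs after DATA while this ACL runs at RCPT time; a line in the commit description would save the next reader the same investigation.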
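Review bot: The new `!senders = :` guards only the first `accept`, but the six `warn` verbs that follow still compare `$runrc`, which is set solely by `${run…}` and is not reset when the `spfquery` run is skipped. For a null-sender message they therefore test an unset return code, or a stale one if an earlier `${run}` in the same session left a value (not verifiable from this hunk), and may attach a misleading `Received-SPF:` header. Either add `!senders = :` to each of the `warn` verbs as well, or run `spfquery` once in a `warn` that records the result with `set acl_m_spf = $runrc` and have the later verbs test `$acl_m_spf`.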
@@ -618,35 +599,37 @@ acl_rcpt_to: dnslists = zen.spamhaus.org logwrite = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}} add_header = X-DNS-Blacklist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}} - add_header = X-Junk-Flag: YES + set acl_m_junk = yes - # will never get here if X-Whitelist-Flag or X-Junk-Flag (gets set with X-DNS-Blacklist) or X-DNS-Whitelist headers are set above -.ifdef GREYLIST_ENABLED - # if $sender_host_name is set use that. - # run command strips of leftmost subdomain if this is a third or higher level domain + # greylisting + # if $sender_host_name is set use that. run command strips of leftmost subdomain if this is a third or higher level domain warn condition = ${if def:sender_host_name} set acl_m_sender = ${run{/bin/bash /etc/exim4/return-resender.sh $sender_host_name}{$value}{$sender_host_name}} - # if $sender_host_name is not set use $sender_helo_name - # if sender_helo_name not set email was already rejected (deny) earlier in this acl + + # if $sender_host_name is not set use $sender_helo_name. 
if sender_helo_name not set email was already rejected (deny) earlier in this acl warn condition = ${if !def:sender_host_name} set acl_m_sender = $sender_helo_name + + # bypass greylisting if sender listed in skip_greylisting_hosts + accept + hosts = +skip_greylisting_hosts + log_message = skipping greylisting due to match in skip_greylisting_hosts + # bypass greylisting if the sending host is a known resender accept condition = ${lookup mysql{SELECT id FROM GREYLIST_RESENDERS_TABLE WHERE hostname = '${quote_mysql:$acl_m_sender}'}{yes}{no}} condition = ${lookup mysql{UPDATE GREYLIST_RESENDERS_TABLE SET count=count+1, timestamp = NOW() WHERE hostname = '${quote_mysql:$acl_m_sender}'}{yes}{yes}} add_header = X-DNS-Greylist: known resender logwrite = skipping greylisting for $acl_m_sender due to match in GREYLIST_RESENDERS_TABLE - accept - hosts = +skip_greylisting_hosts - log_message = skipping greylisting due to match in skip_greylisting_hosts + + # run greylisting acl defer !senders = : postmaster@* !hosts = +skip_greylisting_hosts acl = greylist_acl message = greylisted - try again later -.endif # Otherwise, the recipient address is OK. # @@ -655,7 +638,7 @@ acl_rcpt_to: # This access control list is used for message data received via # SMTP. The tests are run in order until the recipient address # is either accepted or denied. - +# acl_data: # Add Message-ID if missing in messages received from our own hosts. @@ -665,9 +648,10 @@ acl_data: message = Message-ID: # add domain keys status header -# warn -# message = DomainKey-Status: $dk_status -# !condition = ${if eq{$dk_status}{}{1}{0}} + # + #warn + # message = DomainKey-Status: $dk_status + # !condition = ${if eq{$dk_status}{}{1}{0}} # Accept mail received over local SMTP (i.e. not over TCP/IP). # We do this by testing for an empty sending host field. 
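Review bot: With `accept hosts = +skip_greylisting_hosts` moved above the resender lookup, the `!hosts = +skip_greylisting_hosts` on the final `defer` is redundant: any host on that list has already been accepted and never reaches the defer. It is harmless, but dropping it, or adding `# hosts in skip_greylisting_hosts were accepted above`, keeps the intent clear. The unchanged `${run{/bin/bash /etc/exim4/return-resender.sh $sender_host_name}…}` a few lines up passes the host name unquoted, unlike the `${quote:…}` used for the spfquery arguments earlier in this ACL; `${run}` splits on whitespace rather than invoking a shell, so `${quote:$sender_host_name}` is mainly a consistency point, but a cheap one. This hunk is mid-ACL; acl_rcpt_to continues past it.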
@@ -689,17 +673,11 @@ acl_data: # MESSAGE_SIZE_LIMIT # condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}} - # skip any further checks if the address is already marked Junk - accept - condition = ${if eq {$header_X-Junk-Flag:}{YES}} - logwrite = Skipping header_syntax and header_sender checks as message already marked Junk - - # Deny unless the address list header is syntactically correct. + # Check if the address list header is syntactically correct. # Note that some specialized MTAs, such as certain mailing list # servers, do not automatically generate a Message-ID for bounces. # Thus, we add the check for a non-empty sender. # (email feedback reports from aol fail this check) - #deny accept message = X-RFC2822-Error: Your message does not conform to RFC2822 standard log_message = message header failed RFC2822 syntax check @@ -707,7 +685,7 @@ acl_data: !senders = : postmaster@* !verify = header_syntax add_header = X-RFC2822-Error: Your message does not conform to RFC2822 standard - add_header = X-Junk-Flag: YES + set acl_m_junk = yes # Warn unless there is a verifiable sender address in at least # one of the "Sender:", "Reply-To:", or "From:" header lines. @@ -718,12 +696,12 @@ acl_data: # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. -## accept -## condition = ${if ! def:header_X-Junk-Flag: } -## malware = */defer_ok -## log_message = This message contains a virus ($malware_name). -## add_header = X-Virus-Warning: This message contains a virus ($malware_name). -## add_header = X-Junk-Flag: YES + # + #accept + # malware = */defer_ok + # log_message = This message contains a virus ($malware_name). + # add_header = X-Virus-Warning: This message contains a virus ($malware_name). + # set acl_m_junk = yes # Accept the message. # 
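Review bot: The header-syntax `accept` (spanning this hunk and the next) keeps `message = X-RFC2822-Error: …` next to `add_header = X-RFC2822-Error: …`; the `message` modifier is a leftover from when the verb was `deny` (the removed `#deny` line above it), and on `accept` it is not turned into a header (only `warn` ever did that — confirm for your Exim version), so it is dead text that suggests a second header is added. Suggest deleting the `message =` line and keeping `add_header` plus the new `set acl_m_junk = yes`. Because the verb is `accept`, a message that fails `header_syntax` ends acl_data right here and never reaches the sender-verification `warn` below; if that is intended, `# accept now: junk-flagged messages skip the remaining DATA checks` above the verb would make it explicit.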
@@ -805,29 +783,30 @@ virtual_alias: domains = +local_domains local_part_suffix = +* local_part_suffix_optional = true - condition = ${if !eq {$received_protocol}{spam-scanned}} +## condition = ${if !eq {$received_protocol}{spam-scanned}} data = ${lookup mysql{SELECT CONCAT(vm_aliases.mbox,'@','${domain}') FROM vm_mboxes, vm_aliases WHERE vm_mboxes.mbox=vm_aliases.mbox AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_aliases.alias='${local_part}' AND vm_aliases.domain='${domain}'}} junk_filter: driver = accept domains = +local_domains + condition = ${if eq{$acl_m_junk}{yes}} + condition = ${if !eq{$acl_m_whitelist}{yes}} + condition = ${if !eq {$received_protocol}{spam-scanned}} local_part_suffix = +* local_part_suffix_optional = true local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter > '0'}} - condition = ${if eq {$header_X-Junk-Flag:}{YES}} - condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}} - condition = ${if !eq {$received_protocol}{spam-scanned}} + headers_add = X-Junk-Flag: YES transport = junk_delivery spam_filter: driver = accept domains = +local_domains + condition = ${if eq {$received_protocol}{spam-scanned}} + condition = ${if eq {$header_X-Spam-Flag:}{YES}} +## condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}} local_part_suffix = +* local_part_suffix_optional = true local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter = '2'}} - condition = ${if eq {$received_protocol}{spam-scanned}} - condition = ${if eq {$header_X-Spam-Flag:}{YES}} - condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}} transport = junk_delivery virtual_vacation: 
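Review bot: Moving the three `condition =` lines above `local_parts` in junk_filter and spam_filter does not change when they are evaluated: Exim tests router preconditions in a fixed order in which `condition` comes last, after `domains`, `local_parts` and the suffix options, so the MySQL `local_parts` lookup still runs before the cheap `$acl_m_junk` test. Harmless, but worth a comment so nobody reads the line order as significant. The commented-out `## condition = ${if !eq {$received_protocol}{spam-scanned}}` in virtual_alias and the `## condition … X-Whitelist-Flag` in spam_filter give no reason; since this patch converts other `##` markers into real `#` comments, either delete them or add a one-line why, e.g. `# spam-scanned mail passes through the alias again so the post-scan recipient is routed`. Dropping the whitelist test from spam_filter is safe only as long as spamcheck_router keeps its `!acl_m_whitelist` condition, which the next hunk shows it does.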
@@ -840,6 +819,7 @@ virtual_vacation: # add options for start & end date fields to above query # do not reply to errors or lists or spam-scanned messages, require vacation message in db condition = ${if !match {$h_precedence:} {(?i)junk|bulk|list}} + condition = ${if !eq{$acl_m_junk}{yes}} condition = ${if !eq {$received_protocol}{spam-scanned}} condition = ${if !eq {$sender_address} {}} no_expn @@ -864,6 +844,7 @@ virtual_autoresponder: # add options for start & end date fields to above query # do not reply to errors or lists or spam-scanned messages, require autoresponder message in db condition = ${if !match {$h_precedence:} {(?i)junk|bulk|list}} + condition = ${if !eq{$acl_m_junk}{yes}} condition = ${if !eq {$received_protocol}{spam-scanned}} condition = ${if !eq {$sender_address} {}} no_expn @@ -899,13 +880,13 @@ spamcheck_router: # uncomment next line to bypass spamcheck when testing address routing with "exim -bt user@example.com" #address_test = false domains = +local_domains - local_part_suffix = +* - local_part_suffix_optional = true - local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0'}} condition = ${if !eq {$received_protocol}{spam-scanned}} condition = ${if !eq {$sender_address_domain}{$domain}} - condition = ${if !eq {$header_X-Whitelist-Flag:}{YES}} + condition = ${if !eq{$acl_m_whitelist}{yes}} condition = ${if < {$message_size}{512k}} + local_part_suffix = +* + local_part_suffix_optional = true + local_parts = ${lookup mysql{SELECT vm_mboxes.mbox FROM vm_mboxes WHERE vm_mboxes.mbox='${local_part}' AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_mboxes.filter = '2'}} headers_remove = X-Spam-Checker-Version:X-Spam-Flag:X-Spam-Level:X-Spam-Status:X-Spam-Score:X-Spam-Report transport = spamcheck 
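Review bot: The `local_parts` lookup in spamcheck_router now requires `vm_mboxes.filter = '2'`, which narrows spam scanning to mailboxes at filter level 2 although the commit title only mentions the GREYLIST_ENABLED removal; mailboxes at other non-zero levels still reach junk_filter (`filter > '0'`) but are no longer scanned. If that is the intent, say so in the commit description and add `# only scan mailboxes at filter level 2 (must match the spam_filter router above)` above `local_parts`, since the two routers have to stay in step. The vacation and autoresponder hunks above add `!eq{$acl_m_junk}{yes}`, which together with the existing `spam-scanned` test covers both the pre-scan and post-scan paths.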
@@ -939,7 +920,7 @@ lmtp_localuser: virtual_alias_catchall: driver = redirect domains = +local_domains - condition = ${if !eq {$received_protocol}{spam-scanned}} +## condition = ${if !eq {$received_protocol}{spam-scanned}} data = ${lookup mysql{SELECT CONCAT(vm_aliases.mbox,'@','${domain}') FROM vm_mboxes, vm_aliases WHERE vm_mboxes.mbox=vm_aliases.mbox AND vm_mboxes.domain='${domain}' AND vm_mboxes.status > '0' AND vm_aliases.alias='catchall' AND vm_aliases.domain='${domain}'}} # This router handles aliasing using a linearly searched alias file with the diff --git a/etc/exim4/exim_local.conf b/etc/exim4/exim_local.conf index 8da0cbe..346cf60 100644 --- a/etc/exim4/exim_local.conf +++ b/etc/exim4/exim_local.conf @@ -2,14 +2,6 @@ qualify_domain = example.com hide mysql_servers = localhost/vmail/vmail/password -# comment out to disable Greylisting -GREYLIST_ENABLED= - -# only use 1 of the following at a time: -# disable for now as clamav is not currently enabled -#VIRUS_WARN= -#VIRUS_DENY= - # Uncomment and change values to override defaults already in main config #smtp_accept_max = 50 #smtp_accept_max_per_host = 10
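Review bot: Commenting out the `spam-scanned` condition on virtual_alias_catchall (as on virtual_alias in the first hunk) lets the catchall redirect also act on the second pass after spam scanning, and with a bare `## ` and no note it reads like a temporary disable. A short why-comment such as `# also runs on spam-scanned mail: post-scan recipients are resolved through the catchall again`, or deleting the line if the condition is obsolete, would be clearer.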