change default DNSBLs, add options to turn features on and off

2024-12-17 15:24:05 -08:00 · 2024-12-17 15:24:05 -08:00 · 633bad9a30
commit 633bad9a30
parent d4c0a6fa6f
2 changed files with 46 additions and 12 deletions
--- a/etc/exim4/exim4.conf
+++ b/etc/exim4/exim4.conf
@ -9,12 +9,12 @@ add_environment = PATH=/usr/sbin:/usr/bin:/sbin:/bin
 smtp_enforce_sync = false
 bounce_message_file = /etc/exim4/bounce_message_text

+.include /etc/exim4/exim_local.conf
+
 smtp_accept_max = 50
 smtp_accept_max_per_host = 10
 smtp_accept_queue_per_connection = 50

-.include /etc/exim4/exim_local.conf
-
 tls_advertise_hosts = *
 tls_certificate = ${if exists{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}}

@ -96,6 +96,7 @@ WHITELISTED = ${lookup mysql{\
              OR value = CONCAT('\*@','${quote_mysql:$sender_address_domain}')) \
              }{true}{false}}

+.ifdef GREYLIST_ENABLED
 # greylist options
 # these need to be valid as xxx in mysql's DATE_ADD(..,INTERVAL xxx)
 # not valid, for example, are plurals: "2 HOUR" instead of "2 HOURS"
@ -166,6 +167,7 @@ GREYLIST_OK_BOUNCE = UPDATE GREYLIST_TABLE \
                     WHERE id = $acl_m9 AND type='AUTO'

 GREYLIST_RESENDERS_UPDATE = REPLACE INTO GREYLIST_RESENDERS_TABLE SET hostname = '${quote_mysql:$acl_m_sender}'
+.endif

 # No deliveries will ever be run under the uids of these users (a colon-
 # separated list). An attempt to do so causes a panic error to be logged, and
@ -235,6 +237,7 @@ begin acl
 # accepting here makes the condition TRUE thus deferring,
 # denying here makes the condition FALSE thus not deferring
 #
+.ifdef GREYLIST_ENABLED
 greylist_acl:
  # For regular deliveries, check greylist.

@ -278,6 +281,8 @@ greylist_acl:
    add_header  = :at_start_rfc:X-DNS-Greylist: mail from $sender_address to $local_part@$domain accepted by greylisting
    condition = ${lookup mysql{GREYLIST_RESENDERS_UPDATE}}

+.endif
+
 # This access control list is used at the start of an incoming
 # connection.  The tests are run in order until the connection
 # is either accepted or denied.
@ -548,6 +553,7 @@ acl_rcpt_to:
 ##    logwrite    = $sender_host_address is whitelisted in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}, adding X-DNS-Whitelist header
 ##    add_header  = :at_start_rfc:X-DNS-Whitelist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}

+.ifdef SPF_ENABLED
  # Check SPF. Failures are marked as Junk and accepted - this skips further checks (e.g. DNSBL) and filters messages to the Junk folder
  accept
    spf = fail:softfail
@ -557,15 +563,25 @@ acl_rcpt_to:
  warn
    spf = pass:neutral:permerror
    add_header = :at_start_rfc:$spf_received
+.endif

+.ifdef DNSBL_JUNK
  # check DNSBL(s) and if found add header for filtering to Junk
  accept
    !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
-    dnslists   = zen.spamhaus.org!&127.255.255.0
+    dnslists   = psbl.surriel.com : b.barracudacentral.org
    logwrite   = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
    add_header = :at_start_rfc:X-DNS-Blacklist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
    set acl_m_junk = yes
+.elifdef DNSBL_REJECT
+  # check DNSBL(s) and if found reject message
+  deny
+    !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
+    dnslists   = psbl.surriel.com : b.barracudacentral.org
+    logwrite   = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
+.endif

+.ifdef GREYLIST_ENABLED
  # greylisting
  # if $sender_host_name is set use that. run command strips of leftmost subdomain if this is a third or higher level domain
  warn
@ -595,6 +611,7 @@ acl_rcpt_to:
    !hosts   = +skip_greylisting_hosts
    acl      = greylist_acl
    message  = greylisted - try again later
+.endif

  # Otherwise, the recipient address is OK.
  #
@ -659,20 +676,29 @@ acl_data:
    log_message = No valid sender in message header
    add_header  = :at_start_rfc:X-Sender-Verify-Failed: No valid sender in message header

+.ifdef VIRUS_REJECT
  # Deny if the message contains a virus. Before enabling this check, you
  # must install a virus scanner and set the av_scanner option above.
  #
-  #accept
-  #  malware     = */defer_ok
-  #  log_message = This message contains a virus ($malware_name).
-  #  add_header  = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
-  #  set acl_m_junk = yes
+  deny
+    malware     = */defer_ok
+    log_message = This message contains a virus ($malware_name).
+.elifdef VIRUS_JUNK
+  # Filter virus messages as spam/junk
+  warn
+    malware     = */defer_ok
+    log_message = This message contains a virus ($malware_name).
+    add_header  = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
+    set acl_m_junk = yes
+.endif

  # Accept the message.
  #
  accept


+
+
 ######################################################################
 #                      ROUTERS CONFIGURATION                         #
 #               Specifies how addresses are handled                  #
--- a/etc/exim4/exim_local.conf
+++ b/etc/exim4/exim_local.conf
@ -3,7 +3,15 @@

 hide mysql_servers = localhost/vmail/vmail/password

-# Uncomment and change values to override defaults already in main config
-#smtp_accept_max = 50
-#smtp_accept_max_per_host = 10
-#smtp_accept_queue_per_connection = 50
+# Comment out to the following line(s) to disable the corresponding feature(s)
+GREYLIST_ENABLED=
+SPF_ENABLED=
+
+# Only use 1 of the following at a time:
+#DNSBL_REJECT=
+DNSBL_JUNK=
+
+# Before enabling one of the VIRUS options install a virus scanner and set the av_scanner option in exim4.conf
+# Only use 1 of the following at a time:
+#VIRUS_REJECT=
+#VIRUS_JUNK=