diff --git a/etc/exim4/exim4.conf b/etc/exim4/exim4.conf
index 7303950..b2946bb 100644
--- a/etc/exim4/exim4.conf
+++ b/etc/exim4/exim4.conf
@@ -9,12 +9,12 @@ add_environment = PATH=/usr/sbin:/usr/bin:/sbin:/bin
 smtp_enforce_sync = false
 bounce_message_file = /etc/exim4/bounce_message_text
+.include /etc/exim4/exim_local.conf
+
 smtp_accept_max = 50
 smtp_accept_max_per_host = 10
 smtp_accept_queue_per_connection = 50
-.include /etc/exim4/exim_local.conf
-
 tls_advertise_hosts = *
 tls_certificate = ${if exists{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}}
@@ -96,6 +96,7 @@ WHITELISTED = ${lookup mysql{\
 OR value = CONCAT('\*@','${quote_mysql:$sender_address_domain}')) \
 }{true}{false}}
+.ifdef GREYLIST_ENABLED
 # greylist options
 # these need to be valid as xxx in mysql's DATE_ADD(..,INTERVAL xxx)
 # not valid, for example, are plurals: "2 HOUR" instead of "2 HOURS"
@@ -166,6 +167,7 @@ GREYLIST_OK_BOUNCE = UPDATE GREYLIST_TABLE \
 WHERE id = $acl_m9 AND type='AUTO'
 GREYLIST_RESENDERS_UPDATE = REPLACE INTO GREYLIST_RESENDERS_TABLE SET hostname = '${quote_mysql:$acl_m_sender}'
+.endif
 # No deliveries will ever be run under the uids of these users (a colon-
 # separated list). An attempt to do so causes a panic error to be logged, and
@@ -235,6 +237,7 @@ begin acl
 # accepting here makes the condition TRUE thus deferring,
 # denying here makes the condition FALSE thus not deferring
 #
+.ifdef GREYLIST_ENABLED
 greylist_acl:
 # For regular deliveries, check greylist.
@@ -278,6 +281,8 @@ greylist_acl:
 add_header = :at_start_rfc:X-DNS-Greylist: mail from $sender_address to $local_part@$domain accepted by greylisting
 condition = ${lookup mysql{GREYLIST_RESENDERS_UPDATE}}
+.endif
+
 # This access control list is used at the start of an incoming
 # connection. The tests are run in order until the connection
 # is either accepted or denied.
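Review bot: Moving `.include /etc/exim4/exim_local.conf` above the `smtp_accept_*` settings changes what the local file is allowed to contain: Exim reports a main option that is set a second time as a configuration error, so any leftover "uncomment to override" entry in exim_local.conf now aborts startup rather than overriding, while the relocation is required because the `.ifdef GREYLIST_ENABLED` guards added in the later hunks only see macros defined before they are tested. Neither constraint is written down in exim4.conf; a comment on the include line such as `# must precede the .ifdef blocks below: exim_local.conf defines the feature macros and must not re-set main options` would keep the next edit from moving it back. Note also that an undefined macro is not an error for Exim, so a misspelled switch in exim_local.conf silently disables the feature; a per-combination `exim -C /etc/exim4/exim4.conf -bV` in whatever deploys this would catch that.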
@@ -548,6 +553,7 @@ acl_rcpt_to:
 ## logwrite = $sender_host_address is whitelisted in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}, adding X-DNS-Whitelist header
 ## add_header = :at_start_rfc:X-DNS-Whitelist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
+.ifdef SPF_ENABLED
 # Check SPF. Failures are marked as Junk and accepted - this skips further checks (e.g. DNSBL) and filters messages to the Junk folder
 accept
 spf = fail:softfail
@@ -557,15 +563,25 @@ acl_rcpt_to:
 warn
 spf = pass:neutral:permerror
 add_header = :at_start_rfc:$spf_received
+.endif
+.ifdef DNSBL_JUNK
 # check DNSBL(s) and if found add header for filtering to Junk
 accept
 !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
- dnslists = zen.spamhaus.org!&127.255.255.0
+ dnslists = psbl.surriel.com : b.barracudacentral.org
 logwrite = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
 add_header = :at_start_rfc:X-DNS-Blacklist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
 set acl_m_junk = yes
+.elifdef DNSBL_REJECT
+ # check DNSBL(s) and if found reject message
+ deny
+ !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
+ dnslists = psbl.surriel.com : b.barracudacentral.org
+ logwrite = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
+.endif
+.ifdef GREYLIST_ENABLED
 # greylisting
 # if $sender_host_name is set use that. run command strips of leftmost subdomain if this is a third or higher level domain
 warn
@@ -595,6 +611,7 @@ acl_rcpt_to:
 !hosts = +skip_greylisting_hosts
 acl = greylist_acl
 message = greylisted - try again later
+.endif
 # Otherwise, the recipient address is OK.
 #
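Review bot: The new DNSBL_REJECT `deny` gates its only bypass on `$header_X-Whitelist-Flag:`, which is a weak guard for a hard reject: this verb runs in acl_rcpt_to before DATA, where, as I read the Exim ACL ordering, the message's own header lines are not yet available and header lines added by `add_header` in MAIL/RCPT verbs are not visible to `$h_` expansions until the DATA ACL, so the bypass is either inert or, if the flag is meant to come from the message itself, sender-controlled. Carry the whitelist decision in an ACL variable set by whichever earlier check adds that flag (`set acl_m_whitelist = yes`) and test `!condition = ${if eq {$acl_m_whitelist}{yes}}` — the JUNK branch's copy is context here, but the REJECT branch is new code and rejects mail outright. The removed `zen.spamhaus.org!&127.255.255.0` entry also masked out that list's error/over-quota return codes; the new `psbl.surriel.com : b.barracudacentral.org` entries match any A record, so for the deny path pin each provider's documented listing code (e.g. `psbl.surriel.com=127.0.0.2`) after checking their return-code tables, and check whether b.barracudacentral.org's resolver registration requirement applies to this host.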
@@ -659,20 +676,29 @@ acl_data:
 log_message = No valid sender in message header
 add_header = :at_start_rfc:X-Sender-Verify-Failed: No valid sender in message header
+.ifdef VIRUS_REJECT
 # Deny if the message contains a virus. Before enabling this check, you
 # must install a virus scanner and set the av_scanner option above.
 #
- #accept
- # malware = */defer_ok
- # log_message = This message contains a virus ($malware_name).
- # add_header = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
- # set acl_m_junk = yes
+ deny
+ malware = */defer_ok
+ log_message = This message contains a virus ($malware_name).
+.elifdef VIRUS_JUNK
+ # Filter virus messages as spam/junk
+ warn
+ malware = */defer_ok
+ log_message = This message contains a virus ($malware_name).
+ add_header = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
+ set acl_m_junk = yes
+.endif
 # Accept the message.
 #
 accept
+
+
 ######################################################################
 # ROUTERS CONFIGURATION #
 # Specifies how addresses are handled #
diff --git a/etc/exim4/exim_local.conf b/etc/exim4/exim_local.conf
index 39b9cc7..1dee996 100644
--- a/etc/exim4/exim_local.conf
+++ b/etc/exim4/exim_local.conf
@@ -3,7 +3,15 @@ hide mysql_servers = localhost/vmail/vmail/password
-# Uncomment and change values to override defaults already in main config
-#smtp_accept_max = 50
-#smtp_accept_max_per_host = 10
-#smtp_accept_queue_per_connection = 50
+# Comment out to the following line(s) to disable the corresponding feature(s)
+GREYLIST_ENABLED=
+SPF_ENABLED=
+
+# Only use 1 of the following at a time:
+#DNSBL_REJECT=
+DNSBL_JUNK=
+
+# Before enabling one of the VIRUS options install a virus scanner and set the av_scanner option in exim4.conf
+# Only use 1 of the following at a time:
+#VIRUS_REJECT=
+#VIRUS_JUNK=
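Review bot: The VIRUS_REJECT branch keeps `malware = */defer_ok` from the old commented-out junk-folder example, but `defer_ok` turns a scanner failure into "no malware found", so in reject mode a dead clamd quietly lets unscanned mail through and nothing in this verb logs it. For the hard-reject variant use a plain `malware = *` so scanner outages defer with a 4xx and the sender retries, keeping `defer_ok` only in the VIRUS_JUNK branch where accepting with a tag is the intended degraded mode; the `deny` should also carry `message = This message contains a virus ($malware_name).` so the rejection says why instead of the default "Administrative prohibition" text. acl_data continues above the hunk, so I cannot see whether an earlier verb already handles scanner availability.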
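Review bot: exim_local.conf now doubles as the "edit this" feature-switch file while its `hide mysql_servers = localhost/vmail/vmail/password` line carries a database credential; `hide` only suppresses the value in `exim -bP` output for non-admin users and does nothing for the file on disk, so this file needs the same restrictive ownership and mode as exim4.conf, and moving the macros into a separate included file would keep the credential out of the routinely edited one. The new comment has a typo, `Comment out to the following line(s)` → `Comment out the following line(s)`, and each "Only use 1 of the following at a time" line should say what happens otherwise, e.g. `# if both are set DNSBL_JUNK wins: exim4.conf tests .ifdef DNSBL_JUNK before .elifdef DNSBL_REJECT` (and VIRUS_REJECT before VIRUS_JUNK), since Exim silently ignores an undefined or misspelled macro rather than reporting it.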