change default DNSBLs, add options to turn features on and off

etc/exim4/exim4.conf

@@ -9,12 +9,12 @@ add_environment = PATH=/usr/sbin:/usr/bin:/sbin:/bin
 smtp_enforce_sync = false
 bounce_message_file = /etc/exim4/bounce_message_text
 
+.include /etc/exim4/exim_local.conf
+
 smtp_accept_max = 50
 smtp_accept_max_per_host = 10
 smtp_accept_queue_per_connection = 50
 
-.include /etc/exim4/exim_local.conf
-
 tls_advertise_hosts = *
 tls_certificate = ${if exists{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}{/etc/ssl/letsencrypt/${sg{${tls_sni}}{^smtp\.}{mail.}}.pem}}
 
@@ -96,6 +96,7 @@ WHITELISTED = ${lookup mysql{\
               OR value = CONCAT('\*@','${quote_mysql:$sender_address_domain}')) \
               }{true}{false}}
 
+.ifdef GREYLIST_ENABLED
 # greylist options
 # these need to be valid as xxx in mysql's DATE_ADD(..,INTERVAL xxx)
 # not valid, for example, are plurals: "2 HOUR" instead of "2 HOURS"
@@ -166,6 +167,7 @@ GREYLIST_OK_BOUNCE = UPDATE GREYLIST_TABLE \
                      WHERE id = $acl_m9 AND type='AUTO'
 
 GREYLIST_RESENDERS_UPDATE = REPLACE INTO GREYLIST_RESENDERS_TABLE SET hostname = '${quote_mysql:$acl_m_sender}'
+.endif
 
 # No deliveries will ever be run under the uids of these users (a colon-
 # separated list). An attempt to do so causes a panic error to be logged, and
@@ -235,6 +237,7 @@ begin acl
 # accepting here makes the condition TRUE thus deferring,
 # denying here makes the condition FALSE thus not deferring
 #
+.ifdef GREYLIST_ENABLED
 greylist_acl:
   # For regular deliveries, check greylist.
 
@@ -278,6 +281,8 @@ greylist_acl:
     add_header  = :at_start_rfc:X-DNS-Greylist: mail from $sender_address to $local_part@$domain accepted by greylisting
     condition = ${lookup mysql{GREYLIST_RESENDERS_UPDATE}}
 
+.endif
+
 # This access control list is used at the start of an incoming
 # connection.  The tests are run in order until the connection
 # is either accepted or denied.
@@ -548,6 +553,7 @@ acl_rcpt_to:
 ##    logwrite    = $sender_host_address is whitelisted in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}, adding X-DNS-Whitelist header
 ##    add_header  = :at_start_rfc:X-DNS-Whitelist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
 
+.ifdef SPF_ENABLED
   # Check SPF. Failures are marked as Junk and accepted - this skips further checks (e.g. DNSBL) and filters messages to the Junk folder
   accept
     spf = fail:softfail
@@ -557,15 +563,25 @@ acl_rcpt_to:
   warn
     spf = pass:neutral:permerror
     add_header = :at_start_rfc:$spf_received
+.endif
 
+.ifdef DNSBL_JUNK
   # check DNSBL(s) and if found add header for filtering to Junk
   accept
     !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
-    dnslists   = zen.spamhaus.org!&127.255.255.0
+    dnslists   = psbl.surriel.com : b.barracudacentral.org
     logwrite   = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
     add_header = :at_start_rfc:X-DNS-Blacklist: $sender_host_address is listed in $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
     set acl_m_junk = yes
+.elifdef DNSBL_REJECT
+  # check DNSBL(s) and if found reject message
+  deny
+    !condition = ${if eq {$header_X-Whitelist-Flag:}{YES}}
+    dnslists   = psbl.surriel.com : b.barracudacentral.org
+    logwrite   = Warning: $sender_host_address is listed in DNSBL $dnslist_domain ${if def:dnslist_text {($dnslist_text)}}
+.endif
 
+.ifdef GREYLIST_ENABLED
   # greylisting
   # if $sender_host_name is set use that. run command strips of leftmost subdomain if this is a third or higher level domain
   warn
@@ -595,6 +611,7 @@ acl_rcpt_to:
     !hosts   = +skip_greylisting_hosts
     acl      = greylist_acl
     message  = greylisted - try again later
+.endif
 
   # Otherwise, the recipient address is OK.
   #
@@ -659,20 +676,29 @@ acl_data:
     log_message = No valid sender in message header
     add_header  = :at_start_rfc:X-Sender-Verify-Failed: No valid sender in message header
 
+.ifdef VIRUS_REJECT
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
   #
-  #accept
+  deny
-  #  malware     = */defer_ok
+    malware     = */defer_ok
-  #  log_message = This message contains a virus ($malware_name).
+    log_message = This message contains a virus ($malware_name).
-  #  add_header  = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
+.elifdef VIRUS_JUNK
-  #  set acl_m_junk = yes
+  # Filter virus messages as spam/junk
+  warn
+    malware     = */defer_ok
+    log_message = This message contains a virus ($malware_name).
+    add_header  = :at_start_rfc:X-Virus-Warning: This message contains a virus ($malware_name).
+    set acl_m_junk = yes
+.endif
 
   # Accept the message.
   #
   accept
 
 
+
+
 ######################################################################
 #                      ROUTERS CONFIGURATION                         #
 #               Specifies how addresses are handled                  #

etc/exim4/exim_local.conf

@@ -3,7 +3,15 @@
 
 hide mysql_servers = localhost/vmail/vmail/password
 
-# Uncomment and change values to override defaults already in main config
+# Comment out to the following line(s) to disable the corresponding feature(s)
-#smtp_accept_max = 50
+GREYLIST_ENABLED=
-#smtp_accept_max_per_host = 10
+SPF_ENABLED=
-#smtp_accept_queue_per_connection = 50
+
+# Only use 1 of the following at a time:
+#DNSBL_REJECT=
+DNSBL_JUNK=
+
+# Before enabling one of the VIRUS options install a virus scanner and set the av_scanner option in exim4.conf
+# Only use 1 of the following at a time:
+#VIRUS_REJECT=
+#VIRUS_JUNK=