Untitled

a guest
May 10th, 2015
  # Macros consumed by the .ifdef blocks and expansions further down the file.
  1. DKIM_ENABLE = yes
  2. VIRUS_SCAN = yes
  3. SA_ENABLE = yes
  4. POSTGREY_SOCKET = /var/spool/postfix/postgrey/socket
  # Username handed to spamd on each "spam = SA_SPAMD_USER:true" check in
  # acl_check_data; it selects spamd's per-user preference set.
  5. SA_SPAMD_USER = root
  # Compared against $spam_score_int, which is the SpamAssassin score times 10,
  # so 50 rejects at a score above 5.0.
  6. SA_SCORE_REJECT = 50
  # Contact text interpolated into the spam reject message.
  7. SA_ABUSE_ADDR = The System Administrator
  # Extra log detail per connection/message: lost connections, sender and
  # recipients, TLS cipher and peer DN, SMTP confirmations and protocol errors.
  8. log_selector = \
  9. +all_parents \
  10. +lost_incoming_connection \
  11. +received_sender \
  12. +received_recipients \
  13. +tls_cipher +tls_peerdn \
  14. +smtp_confirmation \
  15. +smtp_syntax_error \
  16. +smtp_protocol_error
  17.  
  18. # TLS/SSL
  # STARTTLS is offered to every client; 465 is implicit TLS (tls_on_connect),
  # 25 and 587 are STARTTLS-only.  Nothing in this file requires TLS before
  # authentication (see the authenticators section), so credentials can be
  # presented on a cleartext session.
  # NOTE(review): the private key should be readable only by exim_user below;
  # verify the file permissions on deployment.
  19. tls_advertise_hosts = *
  20. tls_certificate = /etc/exim/ssl/exim.crt
  21. tls_privatekey = /etc/exim/ssl/exim.key
  22. daemon_smtp_ports = 25 : 465 : 587
  23. tls_on_connect_ports = 465
  24.  
  25. .ifdef SA_ENABLE
  # spamd on the loopback interface; only used when SA_ENABLE is defined.
  26. spamd_address = 127.0.0.1 783
  27. .endif
  28.  
  # Trusted users/groups may submit locally with an arbitrary envelope sender
  # (-f) and other trusted-only options.  Granting this to the web server user
  # means anything that can run code as "apache" can forge envelope senders;
  # the only control applied to such submissions is the rate limiting in
  # acl_check_not_smtp.
  29. trusted_groups = mgrsecure
  30. trusted_users = apache
  31.  
  # Hosted domains come from /etc/exim/domains; the routers and the RCPT ACL
  # read colon-separated fields 1-3 of each entry.
  32. domainlist local_domains = lsearch;/etc/exim/domains
  # Empty list, referenced by the dnslookup router's "domains = !+dummy_domains".
  33. domainlist dummy_domains =
  # Hosts allowed to relay without authentication.  IP_ADDRESS is not defined
  # anywhere in this file -- presumably a macro substituted at deploy time; if
  # it were left undefined the literal text would be treated as a host name.
  34. hostlist relay_from_hosts = 127.0.0.1 : IP_ADDRESS
  35.  
  # Same file as local_domains: every hosted domain is also a relay target.
  36. domainlist relay_to_domains = lsearch;/etc/exim/domains
  37. exim_user = exim
  38. exim_group = exim
  39.  
  40. .ifdef VIRUS_SCAN
  # ClamAV over its local socket; backs the "malware" condition in acl_check_data.
  41. av_scanner = clamd:/var/run/clamav/clamd.sock
  42. .endif
  43.  
  # Deliveries are never run as root.
  44. never_users = root
  # Reverse-lookup every client ($sender_host_name is sent to postgrey).
  45. host_lookup = *
  # A zero timeout disables the ident (RFC 1413) queries selected on the line above.
  46. rfc1413_hosts = *
  47. rfc1413_query_timeout = 0s
  48. ignore_bounce_errors_after = 2d
  49. timeout_frozen_after = 7d
  # ACL entry points; all are defined in the "begin acl" section below.
  50. acl_smtp_rcpt = acl_check_rcpt
  51. acl_smtp_data = acl_check_data
  52. acl_not_smtp = acl_check_not_smtp
  53. .ifdef DKIM_ENABLE
  54. acl_smtp_dkim = acl_check_dkim
  55. .endif
  56.  
  57. begin acl
  58.  
  # Non-SMTP (local command-line) submissions: rate limiting only, then accept.
  # acl_c9 is the key looked up in /etc/exim/ratelimits, acl_c8 the limit found
  # for it ("lsearch*" falls back to a "*" entry).
  # NOTE(review): ACL modifiers and conditions run in the order written.  A
  # "set" placed before "condition" is applied whether or not the condition
  # holds, so after the two warn statements acl_c9 is always the sender local
  # part; likewise the ratelimit in the deny below is tested before the
  # "condition" that guards it, so it is evaluated with an empty limit whenever
  # acl_c8 is empty.  Putting the conditions first avoids both.  The same shape
  # recurs in the DEFAULT_RATELIMIT block and in acl_check_rcpt's ratelimits.
  59. acl_check_not_smtp:
  60. # check ratelimits by local user
  61. warn set acl_c9 = $sender_ident
  62. condition = ${if match_local_part{$sender_ident}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  63. warn set acl_c9 = $sender_address_local_part
  64. condition = ${if match_local_part{$sender_address_local_part}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  65. deny set acl_c8 = ${lookup{$acl_c9}lsearch*{/etc/exim/ratelimits}}
  66. ratelimit = $acl_c8 / 1h / strict / $acl_c9
  67. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c9
  68. condition = ${if and{{!eq{$acl_c9}{}}{>{$acl_c8}{0}}}{yes}{no}}
  69. .ifdef DEFAULT_RATELIMIT
  70. # check ratelimits by default
  # Fallback limit for senders with no entry of their own (acl_c8 empty).
  71. warn set acl_c7 = $sender_ident
  72. warn set acl_c7 = $sender_address_local_part
  73. condition = ${if eq{$acl_c7}{} {yes}{no}}
  74. deny ratelimit = DEFAULT_RATELIMIT / 1h / strict / $acl_c7
  75. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c7
  76. condition = ${if and{{!eq{$acl_c7}{}}{eq{$acl_c8}{}}}{yes}{no}}
  77. .endif
  78.  
  79. accept
  80.  
  # Per-recipient policy.  Order matters: a matching "accept" returns at once
  # for that recipient and every statement below it is skipped.
  81. acl_check_rcpt:
  82.  
  83. .ifdef VIRUS_SCAN
  # acl_m3 gates the malware deny in acl_check_data.  Despite the file name, a
  # domain listed in /etc/clamav.whitelist is one that DOES get scanned.
  # acl_m3 is message-scoped, so with several recipients the last RCPT's
  # value wins -- confirm this is the intended semantics.
  84. warn set acl_m3 = no
  85. warn
  86. condition = ${lookup{$domain}lsearch{/etc/clamav.whitelist} {yes}{no}}
  87. set acl_m3 = ok
  88. .endif
  89.  
  # Relay hosts are accepted before any blacklist, rate-limit, verification or
  # greylist check below is reached.
  90. accept hosts = +relay_from_hosts
  91. set acl_m6 = whitelisted
  92.  
  # Sender-address whitelist.  $sender_address is the unverified envelope
  # sender, so anyone claiming a whitelisted address skips the blacklist,
  # sender verification, rate limits and greylisting that follow; the
  # host-based entry in the next statement is the stronger of the two.
  93. accept domains = +local_domains : +relay_to_domains
  94. condition = ${lookup{$sender_address}wildlsearch{/etc/exim/whitelist}{yes}{no}}
  95. set acl_m6 = whitelisted
  96. logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
  97.  
  98. accept domains = +local_domains : +relay_to_domains
  99. hosts = net-lsearch;/etc/exim/whitelist
  100. set acl_m6 = whitelisted
  101. logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
  102.  
  # Sender-address and host blacklists, same file format as the whitelist.
  103. deny condition = ${lookup{$sender_address}wildlsearch{/etc/exim/blacklist}{yes}{no}}
  104. set acl_m6 = blacklisted
  105. logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
  106.  
  107. deny hosts = net-lsearch;/etc/exim/blacklist
  108. set acl_m6 = blacklisted
  109. logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
  110.  
  # Reject local parts that downstream tools could misinterpret: a leading
  # dot, routing/shell/pipe metacharacters, and "/../" for non-local domains.
  111. deny message = Restricted characters in address
  112. domains = +local_domains
  113. local_parts = ^[.] : ^.*[@%!/|]
  114.  
  115. deny message = Restricted characters in address
  116. domains = !+local_domains
  117. local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  118.  
  # postmaster is always deliverable for hosted domains.
  119. accept local_parts = postmaster
  120. verify = recipient
  121. domains = +local_domains
  122.  
  # Sender must be routable (no callout is configured).
  123. require verify = sender
  124.  
  125. # check ratelimits by emails
  # For authenticated senders: acl_c0 = "group" + field 2 of the user's
  # /etc/exim/passwd entry, acl_c1 = the user's own limit from
  # /etc/exim/ratelimits ("lsearch*" falls back to a "*" entry).  The "warn"
  # statements count with "strict"; the "deny" statements test with "leaky".
  # NOTE(review): in every statement below the ratelimit is evaluated before
  # the "condition" that checks the key is listed, so counters are updated
  # (and an empty limit evaluated) for unlisted keys as well; the condition
  # belongs before the ratelimit.
  126. warn authenticated = *
  127. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim/passwd}}}}
  128. set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim/ratelimits}}
  129. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim/ratelimits}} / 1h / strict / $acl_c0
  130. ratelimit = $acl_c1 / 1h / strict / $authenticated_id
  131. log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  132. condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  133. deny authenticated = *
  134. set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim/ratelimits}}
  135. ratelimit = $acl_c1 / 1h / leaky / $authenticated_id
  136. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  137. condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  138. # check ratelimits by group
  139. warn authenticated = *
  140. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim/passwd}}}}
  141. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim/ratelimits}} / 1h / strict / $acl_c0
  142. log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
  143. condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  144. deny authenticated = *
  145. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim/passwd}}}}
  146. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim/ratelimits}} / 1h / leaky / $acl_c0
  147. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
  148. condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim/ratelimits} {yes}{no}}
  149. .ifdef DEFAULT_RATELIMIT
  150. # check ratelimits by default
  # Fallback limit when either the user key or the group key was not listed.
  151. deny authenticated = *
  152. ratelimit = DEFAULT_RATELIMIT / 1h / strict / $authenticated_id
  153. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  154. condition = ${if or{{eq{$acl_c1}{}}{eq{$acl_c0}{}}}{yes}{no}}
  155. .endif
  156.  
  # NOTE(review): +relay_from_hosts was already accepted unconditionally at the
  # top of this ACL, so this statement -- and its submission/sender_retain
  # control -- appears unreachable.  Confirm, or move the control to the first
  # accept.
  157. accept hosts = +relay_from_hosts
  158. control = submission/sender_retain
  159.  
  # Authenticated users may relay anywhere unless their passwd entry (field 5)
  # or their domain's entry (field 3) is flagged -- the same fields the
  # disabled_users / disabled_domains routers read.  The empty "domain=" looks
  # intended to suppress the submission-mode Sender: fix-up; confirm against
  # the Exim version in use.
  160. accept authenticated = *
  161. condition = ${if eq{${extract{5}{:}{${lookup{$authenticated_id}lsearch{/etc/exim/passwd}}}}}{no} {yes}{no}}
  162. condition = ${if eq{${extract{3}{:}{${lookup{${domain:$authenticated_id}}lsearch{/etc/exim/domains}}}}}{no} {yes}{no}}
  163. control = submission/domain=
  164.  
  # Anyone else may only address hosted domains.
  165. require message = relay not permitted
  166. domains = +local_domains : +relay_to_domains
  167.  
  168. require verify = recipient
  169.  
  170. .ifdef POSTGREY_SOCKET
  # Greylisting through the postgrey policy socket (Postfix policy protocol).
  # When the socket is unreachable readsocket returns the fallback
  # "action=DUNNO", so an outage fails open (no greylisting).  The statement
  # defers only when the reply starts with DEFER; the reply text minus its
  # leading keyword becomes the SMTP response.
  171. defer log_message = greylisted host $sender_host_address
  172. set acl_m0 = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
  173. set acl_m0 = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
  174. message = ${sg{$acl_m0}{^\\w+\\s*}{}}
  175. condition = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
  176. .endif
  177.  
  178. accept
  179.  
  # Per-message content checks.  Several statements fail open by design
  # (high load, size windows, scanner outages); each is noted below.
  180. acl_check_data:
  181.  
  # $load_average is the load times 1000, so above a load of 3.0 both
  # scanners are skipped -- a sustained load spike disables content filtering.
  182. accept
  183. condition = ${if >{$load_average}{3000} {yes}{no}}
  184. logwrite = Accept message without spamd and antivirus check because LA > 3.
  185.  
  186. .ifdef VIRUS_SCAN
  # Bodies under 1K or over 2M are not scanned, so large attachments bypass
  # the antivirus check entirely.
  187. accept
  188. condition = ${if or {\
  189. {<{$message_body_size}{1K}} \
  190. {>{$message_body_size}{2M}} \
  191. } {yes}{no}}
  192. logwrite = Accept message without antivirus check because body size $message_body_size not critical
  193.  
  # Records the clamd version for recipients selected in acl_check_rcpt
  # (acl_m3 = ok); "unscanned" is the readsocket fallback when clamd is down.
  194. warn
  195. condition = ${if eq{$acl_m3}{ok} {yes}{no}}
  196. add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{/var/run/clamav/clamd.sock}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n
  197.  
  # Malware rejection applies only to those same recipients (acl_m3 = ok);
  # everyone else is delivered without a verdict even when clamd is reachable.
  # "demime" is a deprecated condition that newer Exim builds no longer provide.
  198. deny
  199. message = This message contains virus ($malware_name)
  200. hosts = *
  201. demime = *
  202. malware = *
  203. log_message = Rejected: this message contains virus ($malware_name)
  204. condition = ${if eq{$acl_m3}{ok}{yes}{no}}
  205. .endif
  206. .ifdef SA_ENABLE
  # First spamd pass: unauthenticated, non-loopback, messages under 1K, without
  # defer_ok (a spamd outage defers these).  Such a message also matches the
  # second pass below, so it is scanned twice and receives two sets of
  # X-Spam_* headers -- confirm this is intended.
  207. warn
  208. !authenticated = *
  209. hosts = !127.0.0.1/24
  210. condition = ${if < {$message_size}{1K}}
  211. spam = SA_SPAMD_USER:true
  212. add_header = X-Spam_score: $spam_score\n\
  213. X-Spam_score_int: $spam_score_int\n\
  214. X-Spam_bar: $spam_bar\n\
  215. X-Spam_report: $spam_report
  216.  
  # Second pass: every host outside +relay_from_hosts, with defer_ok (a spamd
  # outage lets the message through unscored).  acl_m4 keeps the integer score
  # for the deny below; because "set acl_m4" precedes the size/score condition,
  # that condition only gates the logwrite.
  217. warn
  218. !authenticated = *
  219. hosts = !+relay_from_hosts
  220. spam = SA_SPAMD_USER:true/defer_ok
  221. add_header = X-Spam_score: $spam_score\n\
  222. X-Spam_score_int: $spam_score_int\n\
  223. X-Spam_bar: $spam_bar\n\
  224. X-Spam_report: $spam_report
  225. set acl_m4 = $spam_score_int
  226. condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
  227. logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.
  228.  
  # Reject when the recorded score exceeds SA_SCORE_REJECT; acl_m4 is empty
  # when no scan ran.  "analisis" in the reject text is a user-visible typo,
  # left untouched here because the message is a runtime string.
  229. deny
  230. condition = ${if and{{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
  231. message = Content analisis tool detect spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
  232. .endif
  233.  
  234. accept
  235.  
  236. .ifdef DKIM_ENABLE
  # Runs once per DKIM signature on an inbound message.  Verdicts are only
  # annotated in headers and logged; nothing here rejects.
  # NOTE(review): Authentication-Results headers already present on the
  # inbound message are not removed before these are added, and the added
  # values carry no authserv-id (RFC 7601 puts the receiving host name first),
  # so a downstream reader cannot tell this server's verdict from one the
  # sender supplied.  Stripping pre-existing Authentication-Results headers
  # (remove_header) before annotating is the usual mitigation.
  237. acl_check_dkim:
  238.  
  239. warn
  240. dkim_status = fail
  241. logwrite = DKIM test failed: $dkim_verify_reason
  242. add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
  243.  
  244. warn
  245. dkim_status = invalid
  246. add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
  247. logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.
  248.  
  249. accept
  250. dkim_status = pass
  251. add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
  252. logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.
  253.  
  254. accept
  255. .endif
  256.  
  257. begin routers
  # Routers are tried in the order written; "no_more" stops the search when
  # the router declines.
  # Remote delivery comes first.  It excludes only +dummy_domains (empty), so
  # hosted domains reach it too and rely on "self = pass" to fall through to
  # the local routers when their MX is this host.  NOTE(review): a hosted
  # domain whose MX points elsewhere would be relayed out here before the
  # local routers are consulted; the conventional guard is
  # "domains = !+local_domains".
  258. dnslookup:
  259. driver = dnslookup
  260. domains = !+dummy_domains
  261. transport = remote_smtp
  # Never deliver to the unspecified or loopback address; private (RFC 1918)
  # and link-local ranges are not excluded.
  262. ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  263. self = pass
  264. no_more
  265.  
  # Field 3 of the /etc/exim/domains entry is the "disabled" flag (the same
  # field acl_check_rcpt tests for authenticated senders); a true value makes
  # every address in the domain fail permanently.
  266. disabled_domains:
  267. driver = redirect
  268. condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim/domains}}}}
  # allow_fail lets the ":fail:" data produce a bounce instead of a config error.
  269. allow_fail = yes
  270. data = :fail: Domain disabled
  271. no_more
  272.  
  # Field 5 of the /etc/exim/passwd entry is the per-user "disabled" flag
  # (acl_check_rcpt reads the same field); a true value fails the address.
  273. disabled_users:
  274. driver = redirect
  275. condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  276. allow_fail = yes
  277. data = :fail: User disabled
  278. no_more
  279.  
  # Rewrites the recipient to "<local_part>@<field 1 of the domains entry>",
  # i.e. field 1 is the canonical domain an alias domain maps to.  The
  # generated address re-enters routing at dnslookup; quote_local_part keeps
  # special characters in the local part intact.
  280. local_domains:
  281. driver = redirect
  282. data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim/domains}}}}
  283. cannot_route_message = Unknown user
  284. redirect_router = dnslookup
  285. no_more
  286.  
  # Alias expansion from /etc/exim/aliases (field 1 of the entry), only while
  # that file exists.  Pipe aliases are run by the address_pipe transport,
  # which uses a shell; keep /etc/exim/aliases writable by the administrator
  # only.
  287. aliases:
  288. driver = redirect
  289. data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/aliases}}}}
  290. condition = ${if exists{/etc/exim/aliases} {yes} {no} }
  291. redirect_router = dnslookup
  292. pipe_transport = address_pipe
  293.  
  # Despite the name, hands mailbox users to dovecot-lda.  no_verify: skipped
  # during address verification, which then falls through to local_users.
  # Applies only to addresses present in /etc/exim/passwd; field 4 of that
  # entry becomes the transport's home directory ($home).
  294. procmail:
  295. no_verify
  296. driver = accept
  297. transport = dovecot_deliver_pipe
  298. transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  299. condition = ${lookup {$local_part@$domain} lsearch {/etc/exim/passwd} {yes} {no} }
  300.  
  # Same user set as the procmail router; in practice reached when that
  # router is skipped (verification), delivering straight to the maildir.
  301. local_users:
  302. driver = accept
  303. transport = local_delivery
  304. condition = ${lookup {$local_part@$domain} lsearch {/etc/exim/passwd} {yes} {no} }
  305.  
  # Catch-all: field 2 of the domains entry is the address unknown local parts
  # are redirected to; an empty field makes the router decline.  Redirected
  # mail is marked with X-redirected: yes.
  306. catchall_for_domains:
  307. driver = redirect
  308. headers_add = X-redirected: yes
  309. data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim/domains}}}}
  310. file_transport = local_delivery
  311. redirect_router = dnslookup
  312.  
  # Last router: anything not handled above is a permanent failure.
  313. unknown_users:
  314. driver = redirect
  315. allow_fail = yes
  316. data = :fail: Unknown user
  317. no_more
  318.  
  319. begin transports
  320.  
  321.  
  322.  
  # DKIM signing parameters, derived from the From: header of each message.
  # NOTE(review): the signing domain and key file are chosen by the From:
  # header domain, which an authenticated submitter controls, so any user can
  # obtain a signature for any hosted domain whose key file exists under
  # /etc/exim.  Deriving the domain from $authenticated_id or
  # $sender_address_domain instead would close that.  Also confirm that the
  # Exim version in use accepts macro definitions after a "begin" line.
  323. DKIM_DOMAIN = ${lc:${domain:$h_from:}}
  324. DKIM_FILE = /etc/exim/${lc:${domain:$h_from:}}.key
  # Expands to "0" when no key file exists, which Exim treats as "do not sign".
  325. DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
  326.  
  327.  
  # Outbound SMTP.  Signs with the From:-derived DKIM macros above (selector
  # "dkim") and binds the outgoing connection to the address listed for the
  # envelope sender's domain in /etc/exim/domainips ("<;" makes ';' the list
  # separator for that lookup result).  No TLS options are set, so outbound
  # STARTTLS follows Exim's default (opportunistic).
  328. remote_smtp:
  329. driver = smtp
  330.  
  331. dkim_domain = DKIM_DOMAIN
  332. dkim_selector = dkim
  333. dkim_private_key = DKIM_PRIVATE_KEY
  334.  
  335. interface = <;${lookup{$sender_address_domain}lsearch{/etc/exim/domainips}}
  336.  
  337.  
  # Maildir delivery.  All per-user values come from /etc/exim/passwd:
  # field 1 = user, field 2 = group, field 3 = quota in MB, field 4 = home.
  338. local_delivery:
  339. driver = appendfile
  340. maildir_format = true
  341. maildir_use_size_file = true
  342. create_directory = true
  # Octal-integer option: 700 means 0700 (owner-only directories).
  343. directory_mode = 700
  344. directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}/.maildir
  345. delivery_date_add
  346. envelope_to_add
  347. return_path_add
  348. mode = 0660
  349. quota = ${extract{3}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}M
  350. quota_warn_threshold = 75%
  # Maildir needs no lock file; unique filenames provide the atomicity.
  351. use_lockfile = no
  352. no_mode_fail_narrower
  353. user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  354. group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  355.  
  # Pipe transport for pipe entries in /etc/exim/aliases.  use_shell runs the
  # command through /bin/sh, so the alias text is subject to shell parsing;
  # return_output sends whatever the command prints back to the sender in a
  # bounce, and ignore_status treats every exit code as success.  No user or
  # group is set here, so the identity comes from the router or Exim's
  # defaults -- confirm it is an unprivileged account.
  356. address_pipe:
  357. driver = pipe
  358. ignore_status
  359. return_output
  360. use_shell
  361.  
  # Hands the message to dovecot-lda.  Exim splits the command into arguments
  # and expands each one separately without a shell, so metacharacters in
  # $local_part are not interpreted (acl_check_rcpt also rejects them).  Runs
  # as the user/group from passwd fields 1 and 2, with HOME taken from the
  # procmail router's transport_home_directory.
  362. dovecot_deliver_pipe:
  363. driver = pipe
  364. environment = "HOME=$home"
  365. command = "/usr/libexec/dovecot/dovecot-lda -d $local_part@$domain -f $sender_address"
  366. return_path_add
  367. delivery_date_add
  368. envelope_to_add
  # mbox-style "From " lines in the body are escaped as ">From ".
  369. check_string = "From "
  370. escape_string = ">From "
  371. user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  372. group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim/passwd}}}}
  373.  
  374. begin retry
  # Single rule for all domains and errors: every 15 min for 2 h, then from 1 h
  # growing by 1.5x up to 16 h, then every 6 h until the message is 4 d old.
  375. * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
  376.  
  # No address rewriting rules.
  377. begin rewrite
  378.  
  379. begin authenticators
  380.  
  381.  
  # All three mechanisms delegate verification to Dovecot's auth socket; $auth1
  # is the username Dovecot returns and becomes $authenticated_id.
  # NOTE(review): there is no server_advertise_condition, so PLAIN is offered
  # on cleartext sessions on ports 25 and 587 and a client may send its
  # password before (or without) STARTTLS.  Gate it on TLS with
  # "server_advertise_condition = ${if def:tls_in_cipher}" (same for auth_login).
  382. auth_plain:
  383. driver = dovecot
  384. public_name = PLAIN
  385. server_socket = /var/run/dovecot/auth-client
  386. server_set_id = $auth1
  387.  
  # LOGIN mechanism, verified by Dovecot like auth_plain.
  # NOTE(review): no server_advertise_condition, so LOGIN is offered on
  # cleartext sessions; gate it on TLS with
  # "server_advertise_condition = ${if def:tls_in_cipher}".
  388. auth_login:
  389. driver = dovecot
  390. public_name = LOGIN
  391. server_socket = /var/run/dovecot/auth-client
  392. server_set_id = $auth1
  393.  
  # Challenge-response mechanism: the password itself is not sent over the
  # wire, but Dovecot must store it in a form it can derive CRAM-MD5 from.
  394. auth_cram_md5:
  395. driver = dovecot
  396. public_name = CRAM-MD5
  397. server_socket = /var/run/dovecot/auth-client
  398. server_set_id = $auth1