# Exim 4 main section (everything before "begin acl").
# NOTE(review): the leading "N." on every line below are paste-site line
# numbers, not part of the configuration; strip them before use.
# The macros below gate optional blocks via .ifdef. MAIN_TLS_ENABLE is
# defined but not referenced anywhere in this file (presumably consumed by
# a split config elsewhere — confirm). __LOCAL_IP__, __CLAMAV_SOCKET__ and
# __CLAMAV_WHITELIST__ are not Exim macros (nothing defines them here);
# they look like deploy-time template placeholders.
  1. DKIM_ENABLE = yes
  2. SA_ENABLE = yes
  3. MAIN_TLS_ENABLE = yes
  4. POSTGREY_SOCKET = /var/run/postgrey.sock
  5. SA_SPAMD_USER = debian-spamd
# Rejection threshold used in acl_check_data; it is compared against
# $spam_score_int (SpamAssassin score x10), so 50 means a score above 5.0.
  6. SA_SCORE_REJECT = 50
# Interpolated verbatim into the spam rejection text in acl_check_data.
  7. SA_ABUSE_ADDR = The System Administrator
# Verbose logging: sender/recipients, TLS cipher/peer DN/SNI and SMTP
# protocol errors are all recorded — useful for incident analysis.
  8. log_selector = \
  9. +all_parents \
  10. +lost_incoming_connection \
  11. +received_sender \
  12. +received_recipients \
  13. +tls_cipher +tls_peerdn +tls_sni \
  14. +smtp_confirmation \
  15. +smtp_syntax_error \
  16. +smtp_protocol_error
  17.  
# Empty value: this host adds no Received: header of its own. That hides
# internal hostnames/IPs from recipients, but also removes the trace
# information that incident responders normally rely on.
  18. received_header_text =
  19. # TLS/SSL
  20. tls_advertise_hosts = *
# Per-SNI certificate selection with fallback to the default pair.
# NOTE(review): $tls_sni is client-supplied and is used as a path
# component here; the `exists` test bounds the effect to choosing which
# file under /etc/exim4/ssl/ is read, but restricting the name to the
# served domain list before using it in a path would be safer. Exim
# versions differ in how much they validate the SNI string — confirm for
# the installed version.
  21. tls_certificate = ${if exists{/etc/exim4/ssl/${tls_sni}.crt}{/etc/exim4/ssl/${tls_sni}.crt}{/etc/exim4/ssl/exim.crt}}
  22. tls_privatekey = ${if exists{/etc/exim4/ssl/${tls_sni}.key}{/etc/exim4/ssl/${tls_sni}.key}{/etc/exim4/ssl/exim.key}}
# 465 is implicit TLS (SMTPS); 25 and 587 rely on STARTTLS.
  23. daemon_smtp_ports = 25 : 465 : 587
  24. tls_on_connect_ports = 465
# GnuTLS priority string: only SSLv3 is explicitly disabled; older TLS
# versions remain enabled unless the GnuTLS NORMAL default excludes them.
  25. tls_require_ciphers = NORMAL:!VERS-SSL3.0
  26.  
  27. .ifdef SA_ENABLE
  28. spamd_address = 127.0.0.1 783
  29. .endif
  30.  
# Trusted users/groups may supply an arbitrary envelope sender (-f) on
# local submission. Trusting www-data means every web application on the
# host can send mail as any address; a compromised web app inherits that.
  31. trusted_groups = mgrsecure
  32. trusted_users = www-data
  33.  
# Empty: no environment variables are passed on to commands Exim runs.
  34. keep_environment =
  35.  
# Senders exempt from the sender verification in acl_check_rcpt (whose
# `require` verb is currently commented out — see that ACL).
  36. addresslist whitelist_senders = wildlsearch;/etc/exim_whitelist_senders
  37.  
# local_domains, dummy_domains and relay_to_domains all read the same file,
# so the three lists are currently identical.
  38. domainlist local_domains = lsearch;/etc/exim4/domains
  39. domainlist dummy_domains = lsearch;/etc/exim4/domains
  40. hostlist relay_from_hosts = 127.0.0.1 : __LOCAL_IP__ : 148.251.255.101
  41.  
  42. domainlist relay_to_domains = lsearch;/etc/exim4/domains
  43. exim_user = Debian-exim
  44. exim_group = Debian-exim
  45.  
  46. .ifdef VIRUS_SCAN
  47. av_scanner = clamd:__CLAMAV_SOCKET__
  48. .endif
  49.  
# Deliveries never run as root. The per-user uid/gid used by local_delivery
# come straight from /etc/exim4/passwd, so this is the only guard on that
# data.
  50. never_users = root
  51. host_lookup = *
# Ident lookups are enabled for every host but with a 0s timeout, which
# effectively disables them.
  52. rfc1413_hosts = *
  53. rfc1413_query_timeout = 0s
  54. ignore_bounce_errors_after = 2d
  55. timeout_frozen_after = 7d
# ACL entry points; the ACLs themselves follow "begin acl".
  56. acl_smtp_rcpt = acl_check_rcpt
  57. acl_smtp_data = acl_check_data
  58. acl_not_smtp = acl_check_not_smtp
  59. .ifdef DKIM_ENABLE
  60. acl_smtp_dkim = acl_check_dkim
  61. .endif
  62.  
# ACLs. Within one statement the conditions and modifiers run in the order
# written, and processing of that statement stops at the first false
# condition.
  63. begin acl
  64.  
# Messages submitted locally (not over SMTP). acl_c9 = the identity to
# rate-limit (the ident, else the sender address, when listed in
# /etc/exim4/ratelimits); acl_c8 = that identity's limit.
  65. acl_check_not_smtp:
  66. # check ratelimits by local user
  67. warn condition = ${if match_local_part{$sender_ident}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  68. set acl_c9 = $sender_ident
  69. warn condition = ${if match_local_part{$sender_address}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  70. set acl_c9 = $sender_address
# NOTE(review): the `condition` below reads $acl_c8 before the `set acl_c8`
# that follows it. A local submission is a fresh process, so $acl_c8 is
# empty at that point, and `>{}{0}` is an expansion error rather than a
# false result (confirm for the installed Exim) — which would turn this
# deny into a defer for every listed sender. Moving the `set` line above
# the `condition` would make the intent unambiguous. `and{...}` stops at
# the first false sub-condition, so unlisted senders (empty $acl_c9) never
# reach the numeric comparison.
  71. deny condition = ${if and{{!eq{$acl_c9}{}}{>{$acl_c8}{0}}}{yes}{no}}
  72. set acl_c8 = ${lookup{$acl_c9}lsearch*{/etc/exim4/ratelimits}}
  73. ratelimit = $acl_c8 / 1h / strict / $acl_c9
  74. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c9
  75. .ifdef DEFAULT_RATELIMIT
  76. # check ratelimits by default
# Fallback limit for senders that have no ratelimits entry ($acl_c8 was
# never set because the statement above stopped at its first condition).
  77. warn set acl_c7 = $sender_ident
  78. warn condition = ${if eq{$acl_c7}{} {yes}{no}}
  79. set acl_c7 = $sender_address
  80. deny condition = ${if and{{!eq{$acl_c7}{}}{eq{$acl_c8}{}}}{yes}{no}}
  81. ratelimit = DEFAULT_RATELIMIT / 1h / strict / $acl_c7
  82. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c7
  83. .endif
  84.  
  85. accept
  86.  
# Per-recipient ACL for SMTP RCPT. Order matters: each `accept` near the
# top (relay hosts, whitelists) ends the ACL before any later check runs.
  87. acl_check_rcpt:
  88.  
  89. .ifdef VIRUS_SCAN
# acl_m3 = "ok" when the recipient domain is in the ClamAV whitelist
# (skips AV in acl_check_data). acl_m* variables are per message, so with
# several recipients the last RCPT decides for the whole message.
  90. warn
  91. set acl_m3 = no
  92. warn
  93. condition = ${lookup{$domain}lsearch{__CLAMAV_WHITELIST__} {yes}{no}}
  94. set acl_m3 = ok
  95. .endif
  96.  
# Unauthenticated connections from relay hosts are accepted outright.
  97. accept hosts = +relay_from_hosts
  98. !authenticated = *
  99. set acl_m6 = whitelisted
  100.  
# Whitelist by envelope sender. NOTE(review): $sender_address is the
# unauthenticated MAIL FROM value, so anyone who sends as a whitelisted
# address bypasses the blacklist, DNSBL, recipient-verify and greylist
# checks further down. Prefer the host-based form below, or pair this
# with a sender-authentication check.
  101. accept domains = +local_domains : +relay_to_domains
  102. condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
  103. set acl_m6 = whitelisted
  104. logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
  105.  
# Whitelist by client IP/network (same file, net-lsearch keys).
  106. accept domains = +local_domains : +relay_to_domains
  107. hosts = net-lsearch;/etc/exim4/whitelist
  108. set acl_m6 = whitelisted
  109. logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
  110.  
# Blacklists use the same two lookup forms. They run after the whitelist
# accepts, so a whitelisted sender or host is never checked against them.
  111. deny condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
  112. set acl_m6 = blacklisted
  113. logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
  114.  
  115. deny hosts = net-lsearch;/etc/exim4/blacklist
  116. set acl_m6 = blacklisted
  117. logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
  118.  
# Restricted local-part syntax (the standard Exim defaults).
  119. deny message = Restricted characters in address
  120. domains = +local_domains
  121. local_parts = ^[.] : ^.*[@%!/|]
  122.  
  123. deny message = Restricted characters in address
  124. domains = !+local_domains
  125. local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  126.  
# postmaster@<local domain> is always accepted when it verifies.
# NOTE(review): the `#require verify = sender` line just below is
# commented out, so the `!verify = sender/...` and `!senders = ...` lines
# after it have no verb of their own and, since Exim continues a statement
# until the next verb, attach to THIS `accept`: postmaster is then accepted
# only when sender verification fails and the sender is not whitelisted —
# the opposite of the intent. Either restore `require` or comment out those
# two lines as well.
  127. accept local_parts = postmaster
  128. verify = recipient
  129. domains = +local_domains
  130.  
  131. #require verify = sender
  132. !verify = sender/callout=30s,defer_ok,maxwait=60s
  133. !senders = +whitelist_senders
  134.  
# Rate limits for authenticated senders, per user ($authenticated_id) and
# per group ("group" + field 2 of /etc/exim4/passwd). The `warn` statements
# update the counters (strict) and log when over limit; the `deny`
# statements then test without updating (leaky) — check against the
# ratelimit documentation that this pairing does not double count. Limits
# come from /etc/exim4/ratelimits via lsearch*, so a `*` default entry is
# assumed; without one the limit expands to an empty string.
  135. # check ratelimits by emails
  136. warn authenticated = *
  137. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
  138. set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
  139. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
  140. ratelimit = $acl_c1 / 1h / strict / $authenticated_id
  141. log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  142. condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  143. deny authenticated = *
  144. set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
  145. ratelimit = $acl_c1 / 1h / leaky / $authenticated_id
  146. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  147. condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  148. # check ratelimits by group
  149. warn authenticated = *
  150. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
  151. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
  152. log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
  153. condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  154. deny authenticated = *
  155. set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
  156. ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / leaky / $acl_c0
  157. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
  158. condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
  159. .ifdef DEFAULT_RATELIMIT
# NOTE(review): $acl_c0 always starts with the literal "group", so
# `eq{$acl_c0}{}` can never be true; only an empty $acl_c1 (no per-user
# entry) triggers the default limit here.
  160. # check ratelimits by default
  161. deny authenticated = *
  162. ratelimit = DEFAULT_RATELIMIT / 1h / strict / $authenticated_id
  163. message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
  164. condition = ${if or{{eq{$acl_c1}{}}{eq{$acl_c0}{}}}{yes}{no}}
  165. .endif
  166.  
# Relay hosts (unauthenticated) get submission fixups but keep their sender.
  167. accept hosts = +relay_from_hosts
  168. !authenticated = *
  169. control = submission/sender_retain
  170.  
# Authenticated users whose passwd field 5 and domain field 3 are not "no"
# (the "disabled" flags also used by the disabled_users / disabled_domains
# routers) may relay anywhere. NOTE(review): nothing ties $sender_address
# to $authenticated_id, so any authenticated account can send as any
# address.
  171. accept authenticated = *
  172. condition = ${if eq{${extract{5}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}}{no} {yes}{no}}
  173. condition = ${if eq{${extract{3}{:}{${lookup{${domain:$authenticated_id}}lsearch{/etc/exim4/domains}}}}}{no} {yes}{no}}
  174. control = submission/domain=
  175.  
# DNSBL check; the zone list is read from /etc/exim4/dnsbllist. Only
# traffic that got this far (not relay, whitelisted or authenticated
# clients) is checked.
  176. deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\\n$dnslist_text
  177. dnslists = ${readfile {/etc/exim4/dnsbllist}{:}}
  178.  
  179. require message = relay not permitted
  180. domains = +local_domains : +relay_to_domains
  181.  
  182. require verify = recipient
  183.  
# Greylisting via postgrey's policy socket (Postfix policy-delegation
# format). If the socket does not answer within 5s the literal
# "action=DUNNO" is used instead, i.e. fail-open; only a DEFER reply causes
# a temporary rejection, and the reply's first word is stripped to form
# the SMTP response text.
  184. .ifdef POSTGREY_SOCKET
  185. defer log_message = greylisted host $sender_host_address
  186. set acl_m0 = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
  187. set acl_m0 = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
  188. message = ${sg{$acl_m0}{^\\w+\\s*}{}}
  189. condition = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
  190. .endif
  191.  
  192. accept
  193.  
# Message-content ACL (after DATA). Every `accept` here ends the ACL, so
# the early accepts skip all later scanning.
  194. acl_check_data:
  195.  
# Fail-open under load: $load_average is the system load x1000, so this
# skips both AV and spam scanning whenever the load exceeds 3.
  196. accept
  197. condition = ${if >{$load_average}{3000} {yes}{no}}
  198. logwrite = Accept message without spamd and antivirus check because LA > 3.
  199.  
  200. .ifdef VIRUS_SCAN
# Skip AV for bodies over 2M. NOTE(review): because this is an `accept`,
# large messages also skip the SpamAssassin block below, which is probably
# not intended; gating the AV statements with this size condition instead
# would limit the exemption to AV only.
  201. accept
  202. condition = ${if >{$message_body_size}{2M} {yes}{no}}
  203. logwrite = Accept message without antivirus check because body size $message_body_size not critical
  204.  
# Stamp scanned messages with the clamd version (1s socket timeout,
# "unscanned" on failure). $acl_m3 = "no" means the recipient domain was
# not AV-whitelisted in acl_check_rcpt.
  205. warn
  206. condition = ${if eq{$acl_m3}{no} {yes}{no}}
  207. add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{__CLAMAV_SOCKET__}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n
  208.  
# `malware = *` without /defer_ok: if clamd is unreachable the message is
# deferred rather than accepted unscanned (fail-closed, unlike the
# load-average and postgrey paths).
  209. deny
  210. message = This message contains virus ($malware_name)
  211. hosts = *
  212. malware = *
  213. log_message = Rejected: this message contains virus ($malware_name)
  214. condition = ${if eq{$acl_m3}{no}{yes}{no}}
  215. .endif
  216. .ifdef SA_ENABLE
# First SpamAssassin pass: unauthenticated, not from loopback, messages
# under 1K. NOTE(review): "127.0.0.1/24" denotes the network 127.0.0.0/24
# rather than the single loopback address (127.0.0.0/8 or 127.0.0.1 is
# probably meant). This `spam` has no /defer_ok, so an unreachable spamd
# defers these small messages while the next statement's /defer_ok lets
# everything else through unscanned — verify that asymmetry is intended.
# `user:true` makes the condition true whenever spamd answered, so the
# headers are added regardless of verdict.
  217. warn
  218. !authenticated = *
  219. hosts = !127.0.0.1/24
  220. condition = ${if < {$message_size}{1K}}
  221. spam = SA_SPAMD_USER:true
  222. add_header = X-Spam_score: $spam_score\n\
  223. X-Spam_score_int: $spam_score_int\n\
  224. X-Spam_bar: $spam_bar\n\
  225. X-Spam_report: $spam_report
  226.  
# Second pass for everything not from a relay host. A sub-1K message from
# an outside host matches both passes and gets the X-Spam_* headers twice.
# acl_m4 (score x10) is only set when spamd actually scanned the message;
# the trailing `condition` gates just the logwrite.
  227. warn
  228. !authenticated = *
  229. hosts = !+relay_from_hosts
  230. spam = SA_SPAMD_USER:true/defer_ok
  231. add_header = X-Spam_score: $spam_score\n\
  232. X-Spam_score_int: $spam_score_int\n\
  233. X-Spam_bar: $spam_bar\n\
  234. X-Spam_report: $spam_report
  235. set acl_m4 = $spam_score_int
  236. condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
  237. logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.
  238.  
# Reject only when the message is over 10K, was scanned, and scored above
# SA_SCORE_REJECT. Spam of 10K or less is therefore tagged but never
# rejected — confirm that size floor is intended. (The message text has
# a typo, "analisis"; it is user-visible, so it is left untouched here.)
  239. deny
  240. condition = ${if and{{>{$message_size}{10K}}{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
  241. message = Content analisis tool detect spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
  242. .endif
  243.  
  244. accept
  245.  
  246. .ifdef DKIM_ENABLE
# Runs once per DKIM signature found in the message. No branch denies: a
# bad or unverifiable signature only adds headers and log lines, and the
# final `accept` lets everything through, so DKIM is informational here.
# NOTE(review): Authentication-Results is added at the top of the header
# block, but nothing in this file strips an incoming Authentication-Results
# header, so a pre-existing (possibly forged) one survives next to the new
# one — consider removing it on receipt.
  247. acl_check_dkim:
  248.  
# Verification failed (bad signature).
  249. warn
  250. dkim_status = fail
  251. logwrite = DKIM test failed: $dkim_verify_reason
  252. add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
  253.  
# Signature could not be evaluated. The log text says "passed ... but
# signature is invalid", which is misleading wording for this status.
  254. warn
  255. dkim_status = invalid
  256. add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
  257. logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.
  258.  
  259. accept
  260. dkim_status = pass
  261. add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
  262. logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.
  263.  
  264. accept
  265. .endif
  266.  
# Routers run in order; `no_more` stops routing when that router declines
# after its preconditions matched. All lookups use colon-separated flat
# files: /etc/exim4/domains (field 1 = forward target, 2 = catch-all,
# 3 = disabled) and /etc/exim4/passwd (1 = uid, 2 = gid, 3 = quota in MB,
# 4 = home, 5 = disabled) — field meanings inferred from their use below
# and in the transports; confirm against the files' real layout.
  267. begin routers
# Remote delivery for anything not in dummy_domains (same file as
# local_domains, so effectively "not one of our domains"). MX/A targets
# of 0.0.0.0 or loopback are ignored; `self = pass` hands an MX that
# points back at this host to the next router instead of looping.
  268. dnslookup:
  269. driver = dnslookup
  270. domains = !+dummy_domains
  271. transport = remote_smtp
  272. ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  273. self = pass
  274. no_more
  275.  
# Bounce mail for domains whose field 3 is true (assumes a yes/no value;
# acl_check_rcpt compares the same field against the literal "no").
  276. disabled_domains:
  277. driver = redirect
  278. condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  279. allow_fail = yes
  280. data = :fail: Domain disabled
  281. no_more
  282.  
# Same for users whose passwd field 5 is true.
  283. disabled_users:
  284. driver = redirect
  285. condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  286. allow_fail = yes
  287. data = :fail: User disabled
  288. no_more
  289.  
# For addresses NOT in /etc/exim4/passwd (the condition is inverted:
# {no}{yes}): rewrite to <local_part>@<field 1 of domains> and route the
# result through dnslookup, i.e. unknown users are forwarded to the
# domain's field-1 target — TODO confirm that is the intended semantics.
  290. local_domains:
  291. driver = redirect
  292. condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}{no}{yes}}
  293. data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  294. cannot_route_message = Unknown user
  295. redirect_router = dnslookup
  296. #redirect_router = local_delivery
  297. no_more
  298. #no_verify
  299.  
# Aliases: field 1 of /etc/exim4/aliases. A value of the form "|command"
# is delivered through address_pipe, which runs it under /bin/sh
# (use_shell); neither this router nor that transport sets `user`, so
# confirm which uid such pipes run as. Write access to the aliases file
# therefore implies command execution — keep its permissions tight.
  300. aliases:
  301. driver = redirect
  302. data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
  303. condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
  304. redirect_router = dnslookup
  305. pipe_transport = address_pipe
  306.  
# Despite the name this delivers through dovecot-lda. `no_verify` means it
# is skipped during address verification (the ACL's verify = recipient),
# where local_users below answers instead; for real delivery this router
# matches first, so local_users/local_delivery are never used to deliver.
  307. procmail:
  308. no_verify
  309. driver = accept
  310. transport = dovecot_deliver_pipe
  311. transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  312. condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
  313.  
# Reached only while verifying (see procmail above).
  314. local_users:
  315. driver = accept
  316. transport = local_delivery
  317. condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
  318.  
# Catch-all: redirect remaining addresses to field 2 of the domain entry.
# With an empty field the redirect has no data and declines, falling
# through to unknown_users.
  319. catchall_for_domains:
  320. driver = redirect
  321. headers_add = X-redirected: yes
  322. data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  323. file_transport = local_delivery
  324. redirect_router = dnslookup
  325.  
# Final fallback: bounce.
  326. unknown_users:
  327. driver = redirect
  328. allow_fail = yes
  329. data = :fail: Unknown user
  330. no_more
  331.  
  332. begin transports
  333.  
  334. remote_smtp:
  335. driver = smtp
  336.  
  337. .ifdef DKIM_ENABLE
# Sign with selector "dkim" and the per-domain key under /etc/exim4/ssl/;
# the `{0}` fallback is intended as Exim's "do not sign" value for domains
# without a key (confirm for the installed version). The signing domain is
# the envelope sender domain, not the From: header.
  338. dkim_domain = $sender_address_domain
  339. dkim_selector = dkim
  340. dkim_private_key = ${if exists{/etc/exim4/ssl/$sender_address_domain.private}{/etc/exim4/ssl/$sender_address_domain.private}{0}}
  341. .endif
  342.  
# Outbound source address chosen per sender domain from
# /etc/exim4/domainips (`<;` makes ";" the list separator so IPv6
# addresses can be listed). A missing entry expands empty, presumably
# leaving Exim's default interface — confirm.
  343. interface = <;${lookup{$sender_address_domain}lsearch{/etc/exim4/domainips}}
# Strip client-identifying / internal headers before relaying. Note the
# X-Spam_* headers this config adds use an underscore, so the
# X-Spam-Status/X-Spam-Level entries here do not cover them and they leave
# the system on relayed mail.
  344. headers_remove = "User-Agent:X-Mailer:X-MimeOLE:X-MSMail-Priority:X-Spam-Status:X-Spam-Level:X-Sanitizer:X-Originating-IP"
  345.  
# Maildir delivery; uid/gid, quota (MB) and home all come from the passwd
# file fields. never_users = root in the main section is the only thing
# stopping a bad passwd entry from delivering as another system user.
  346. local_delivery:
  347. driver = appendfile
  348. maildir_format = true
  349. maildir_use_size_file = true
  350. create_directory = true
  351. directory_mode = 700
  352. directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.maildir
  353. delivery_date_add
  354. envelope_to_add
  355. return_path_add
  356. mode = 0660
  357. quota = ${extract{3}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}M
  358. quota_warn_threshold = 75%
  359. use_lockfile = no
  360. no_mode_fail_narrower
  361. user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  362. group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  363.  
# Shell pipe for alias data ("|command"). `use_shell` hands the command to
# /bin/sh, so shell metacharacters in alias data are interpreted;
# `ignore_status` swallows the command's exit code and `return_output`
# bounces anything it prints. Prefer the default (no shell) unless a
# specific alias needs it.
  364. address_pipe:
  365. driver = pipe
  366. ignore_status
  367. return_output
  368. use_shell
  369.  
# dovecot-lda delivery. Without use_shell the command is split into
# arguments before expansion, so a local part is always passed as a single
# argument and no shell interprets it. HOME comes from
# transport_home_directory on the procmail router; "From " lines are
# escaped for mbox safety.
  370. dovecot_deliver_pipe:
  371. driver = pipe
  372. environment = "HOME=$home"
  373. command = "/usr/lib/dovecot/dovecot-lda -d $local_part@$domain -f $sender_address"
  374. return_path_add
  375. delivery_date_add
  376. envelope_to_add
  377. check_string = "From "
  378. escape_string = ">From "
  379. user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  380. group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  381.  
# Single rule for all hosts and all errors: retry every 15m for 2h, then
# at intervals growing x1.5 from 1h until 16h have passed, then every 6h
# until the message is 4 days old (after which it bounces).
  382. begin retry
  383. * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
  384.  
# No rewrite rules.
  385. begin rewrite
  386.  
# All three mechanisms are proxied to Dovecot's auth socket; $auth1 (the
# username Dovecot returns) becomes $authenticated_id, which acl_check_rcpt
# uses as the key into /etc/exim4/passwd and /etc/exim4/ratelimits.
# NOTE(review): no server_advertise_condition is set, so PLAIN and LOGIN
# are offered on unencrypted sessions too (ports 25/587 before STARTTLS);
# `server_advertise_condition = ${if def:tls_in_cipher}` on those two
# would prevent clear-text credential exchange.
  387. begin authenticators
  388.  
  389.  
  390. auth_plain:
  391. driver = dovecot
  392. public_name = PLAIN
  393. server_socket = /var/run/dovecot/auth-client
  394. server_set_id = $auth1
  395.  
  396. auth_login:
  397. driver = dovecot
  398. public_name = LOGIN
  399. server_socket = /var/run/dovecot/auth-client
  400. server_set_id = $auth1
  401.  
# Challenge-response; Dovecot must store the password in a CRAM-MD5
# compatible scheme for this to work.
  402. auth_cram_md5:
  403. driver = dovecot
  404. public_name = CRAM-MD5
  405. server_socket = /var/run/dovecot/auth-client
  406. server_set_id = $auth1