Skip to content

Instantly share code, notes, and snippets.

@AD7six
Created Oct 23, 2013
Embed
What would you like to do?
Oct 23 11:35:20 [16314:655] INFO Request [95.39.225.107][root] 'func=spamassassin&operafake=825&clickstat=yes'
Oct 23 11:35:20 [16314:655] ../../src/mgr/core/mgrconf.cpp:166 TRACE Add config '/usr/local/ispmgr/var/userconf/ispmgr.root' for commit
Oct 23 11:35:20 [16314:655] ../../src/mgr/core/mgrconf.cpp:130 TRACE Save configs to pull up events
Oct 23 11:35:20 [16314:655] ../../src/mgr/core/mgrconf.cpp:133 TRACE MgrConfSave: file: /usr/local/ispmgr/var/userconf/ispmgr.root
Oct 23 11:35:20 [16314:655] ../../src/mgr/core/mgrconf.cpp:69 TRACE Commit configs
Oct 23 11:35:23 [16314:656] INFO Request [95.39.225.107][root] 'required_score=5&report_contact=spam%40example.com&func=spamassassin&elid=&sok=ok'
Oct 23 11:35:23 [16314:656] ../../src/mgr/core/tdata.cpp:1433 TRACE RecordSet::Post(edit) rsname='top' key='required_score'
Oct 23 11:35:23 [16314:656] ../../src/ispmgr/email/exim.cpp:92 DEBUG '
VIRUS_SCAN = yes
POSTGREY_SOCKET = inet:127.0.0.1:60000
SA_ENABLE = yes
LDA_ENABLE = yes
MAILDIR_ENABLE = yes
SA_SPAMD_USER = spamd
SA_SCORE_REJECT = 80
SA_ABUSE_ADDR = spam@example.com
log_selector = \
+all_parents \
+lost_incoming_connection \
+received_sender \
+received_recipients \
+tls_cipher +tls_peerdn \
+smtp_confirmation \
+smtp_syntax_error \
+smtp_protocol_error
# TLS/SSL
tls_advertise_hosts = *
tls_certificate = /etc/exim4/ssl/exim.crt
tls_privatekey = /etc/exim4/ssl/exim.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
.ifdef SA_ENABLE
spamd_address = 127.0.0.1 783
.endif
.ifdef MAILMAN_ENABLE
MAILMAN_HOME=__MAILMAN_HOME__
MAILMAN_WRAP=__MAILMAN_WRAP__
MAILMAN_USER=__MAILMAN_USER__
MAILMAN_GROUP=__MAILMAN_GROUP__
.endif
trusted_groups = mgrsecure
trusted_users = www-data
domainlist local_domains = lsearch;/etc/exim4/domains
domainlist dummy_domains =
hostlist relay_from_hosts = 127.0.0.1 : 146.185.148.177
domainlist relay_to_domains = lsearch;/etc/exim4/domains
exim_user = Debian-exim
exim_group = Debian-exim
.ifdef VIRUS_SCAN
av_scanner = clamd:/var/run/clamav/clamd.ctl
.endif
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_not_smtp = acl_check_not_smtp
.ifdef DKIM_ENABLE
acl_smtp_dkim = acl_check_dkim
.endif
begin acl
acl_check_not_smtp:
# check ratelimits by local user
warn set acl_c9 = $sender_ident
condition = ${if match_local_part{$sender_ident}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
warn set acl_c9 = $sender_address_local_part
condition = ${if match_local_part{$sender_address_local_part}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny set acl_c8 = ${lookup{$acl_c9}lsearch*{/etc/exim4/ratelimits}}
ratelimit = $acl_c8 / 1h / strict / $acl_c9
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c9
condition = ${if and{{!eq{$acl_c9}{}}{>{$acl_c8}{0}}}{yes}{no}}
.ifdef DEFAULT_RATELIMIT
# check ratelimits by default
warn set acl_c7 = $sender_ident
warn set acl_c7 = $sender_address_local_part
condition = ${if eq{$acl_c7}{} {yes}{no}}
deny ratelimit = DEFAULT_RATELIMIT / 1h / strict / $acl_c7
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c7
condition = ${if and{{!eq{$acl_c7}{}}{eq{$acl_c8}{}}}{yes}{no}}
.endif
accept
acl_check_rcpt:
accept hosts = +relay_from_hosts
set acl_m6 = whitelisted
accept domains = +local_domains : +relay_to_domains
condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
set acl_m6 = whitelisted
logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
accept domains = +local_domains : +relay_to_domains
hosts = net-lsearch;/etc/exim4/whitelist
set acl_m6 = whitelisted
logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
deny condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
set acl_m6 = blacklisted
logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
deny hosts = net-lsearch;/etc/exim4/blacklist
set acl_m6 = blacklisted
logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
verify = recipient
domains = +local_domains
require verify = sender
# check ratelimits by emails
warn authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
ratelimit = $acl_c1 / 1h / strict / $authenticated_id
log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny authenticated = *
set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
ratelimit = $acl_c1 / 1h / leaky / $authenticated_id
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
# check ratelimits by group
warn authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / leaky / $acl_c0
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
.ifdef DEFAULT_RATELIMIT
# check ratelimits by default
deny authenticated = *
ratelimit = DEFAULT_RATELIMIT / 1h / strict / $authenticated_id
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if or{{eq{$acl_c1}{}}{eq{$acl_c0}{}}}{yes}{no}}
.endif
.ifdef VIRUS_SCAN
warn set acl_m3 = no
warn set acl_m3 = ok
condition = ${lookup{$domain}nwildlsearch{/etc/clamav.whitelist} {no}{yes}}
.endif
accept hosts = +relay_from_hosts
control = submission/sender_retain
accept authenticated = *
condition = ${if eq{${extract{5}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}}{no} {yes}{no}}
condition = ${if eq{${extract{3}{:}{${lookup{${domain:$authenticated_id}}lsearch{/etc/exim4/domains}}}}}{no} {yes}{no}}
control = submission/domain=
deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\\n$dnslist_text
dnslists = ${readfile {/etc/exim4/dnsblists}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require verify = recipient
.ifdef POSTGREY_SOCKET
defer log_message = greylisted host $sender_host_address
set acl_m0 = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
set acl_m0 = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
message = ${sg{$acl_m0}{^\\w+\\s*}{}}
condition = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
.endif
accept
acl_check_data:
accept
condition = ${if >{$load_average}{3000} {yes}{no}}
logwrite = Accept message without spamd and antivirus check because LA > 3.
.ifdef VIRUS_SCAN
accept
condition = ${if or {\
{<{$message_body_size}{1K}} \
{>{$message_body_size}{2M}} \
} {yes}{no}}
logwrite = Accept message without antivirus check because body size $message_body_size not critical
warn
condition = ${if eq{$acl_m3}{ok} {yes}{no}}
add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{/var/run/clamav/clamd.ctl}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n
deny
message = This message contains virus ($malware_name)
hosts = *
demime = *
malware = *
log_message = Rejected: this message contains virus ($malware_name)
condition = ${if eq{$acl_m3}{ok}{yes}{no}}
.endif
.ifdef SA_ENABLE
warn
!authenticated = *
hosts = !127.0.0.1/24
condition = ${if < {$message_size}{1K}}
spam = SA_SPAMD_USER:true
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
warn
!authenticated = *
hosts = !+relay_from_hosts
spam = SA_SPAMD_USER:true/defer_ok
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
set acl_m4 = $spam_score_int
condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.
deny
condition = ${if and{{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
message = Content analisis tool detect spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
.endif
accept
.ifdef DKIM_ENABLE
acl_check_dkim:
warn
dkim_status = fail
logwrite = DKIM test failed: $dkim_verify_reason
add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
warn
dkim_status = invalid
add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.
accept
dkim_status = pass
add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.
accept
.endif
begin routers
dnslookup:
driver = dnslookup
domains = !+dummy_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
self = pass
no_more
disabled_domains:
driver = redirect
condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
allow_fail = yes
data = :fail: Domain disabled
no_more
disabled_users:
driver = redirect
condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
allow_fail = yes
data = :fail: User disabled
no_more
quota_check:
driver = redirect
domains = +local_domains
allow_defer
condition = ${if and{\
{exists{/usr/local/ispmgr/var/eximquota.pid}}\
{match{${readsocket{/usr/local/ispmgr/var/eximquota.sock}{$local_part@$domain:$message_size}}}{\Nover quota\N}}\
}{yes}{no}}
data = :defer: $local_part@$domain is over quota
local_domains:
driver = redirect
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}{no}{yes}}
data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
cannot_route_message = Unknown user
no_more
group_aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if and{\
{exists{/etc/exim4/aliases}}\
{eq {${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}} {group} }\
} {yes} {no} }
redirect_router = a_dnslookup
pipe_transport = address_pipe
aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
pipe_transport = address_pipe
local_users:
driver = redirect
condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
data = $local_part@$domain
redirect_router = autoreplay
.ifdef MAILMAN_ENABLE
mailman:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman
mailman_isp:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman_isp
.endif
catchall_for_domains:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
file_transport = local_delivery
unknown_users:
driver = redirect
allow_fail = yes
data = :fail: Unknown user
no_more
autoreplay:
driver = accept
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/vaclist}{yes}{no}}
retry_use_local_part
transport = address_reply
unseen
.ifdef LDA_ENABLE
procmail:
no_verify
driver = accept
transport = maildrop_pipe
# condition = ${if exists{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.procmailrc} {yes} {no}}
transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
localuser:
driver = accept
transport = local_delivery
# Same routers without autoreplay
a_dnslookup:
driver = dnslookup
domains = !+dummy_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
self = pass
no_more
a_disabled_domains:
driver = redirect
condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
allow_fail = yes
data = :fail: Domain disabled
no_more
a_disabled_users:
driver = redirect
condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
allow_fail = yes
data = :fail: User disabled
no_more
a_local_domains:
driver = redirect
data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
cannot_route_message = Unknown user
redirect_router = a_dnslookup
no_more
a_aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
redirect_router = a_dnslookup
pipe_transport = address_pipe
.ifdef LDA_ENABLE
a_procmail:
no_verify
driver = accept
transport = maildrop_pipe
# condition = ${if exists{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.procmailrc} {yes} {no}}
transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
a_local_users:
driver = accept
transport = local_delivery
condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
.ifdef MAILMAN_ENABLE
a_mailman:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman
a_mailman_isp:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman_isp
.endif
a_catchall_for_domains:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
file_transport = local_delivery
redirect_router = a_dnslookup
begin transports
remote_smtp:
driver = smtp
.ifdef DKIM_ENABLE
dkim_domain = $sender_address_domain
dkim_selector = dkim
dkim_private_key = ${if exists{__ISP_DKIM_KEYS__/$sender_address_domain.private}{__ISP_DKIM_KEYS__/$sender_address_domain.private}{0}}
.endif
interface = <;${lookup{$sender_address_domain}lsearch{/etc/exim4/domainips}}
local_delivery:
driver = appendfile
.ifdef MAILDIR_ENABLE
maildir_format = true
maildir_use_size_file = true
create_directory = true
directory_mode = 700
directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.maildir
.endif
.ifndef MAILDIR_ENABLE
file = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/mbox
.endif
delivery_date_add
envelope_to_add
return_path_add
mode = 0660
quota = ${extract{3}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}M
quota_warn_threshold = 75%
use_lockfile = no
no_mode_fail_narrower
user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
address_pipe:
driver = pipe
ignore_status
return_output
use_shell
address_reply:
driver = autoreply
headers = ${readfile{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/vacation/message.txt}}
to = $sender_address
.ifdef MAILMAN_ENABLE
mailman_isp:
driver = pipe
command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part-$domain
current_directory = MAILMAN_HOME
home_directory = MAILMAN_HOME
user = MAILMAN_USER
group = MAILMAN_GROUP
mailman:
driver = pipe
command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part
current_directory = MAILMAN_HOME
home_directory = MAILMAN_HOME
user = MAILMAN_USER
group = MAILMAN_GROUP
.endif
.ifdef LDA_ENABLE
maildrop_pipe:
driver = pipe
environment = "HOME=$home"
command = "/usr/bin/maildrop"
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
.ifdef MAILMAN_ENABLE
\N^(.*<)?([^<]*)@([^>]*).*$\N "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }" S
\N^(.*<)?([^<]*)@([^>]*).*$\N "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }"
.endif
begin authenticators
cram:
driver = cyrus_sasl
public_name = CRAM-MD5
server_set_id = $1
plain:
driver = cyrus_sasl
public_name = PLAIN
server_set_id = $1
login:
driver = cyrus_sasl
public_name = LOGIN
server_set_id = $1
' 0 -1016826176
Oct 23 11:35:23 [16314:656] ../../src/ispmgr/email/exim.cpp:92 DEBUG '
VIRUS_SCAN = yes
POSTGREY_SOCKET = inet:127.0.0.1:60000
SA_ENABLE = yes
LDA_ENABLE = yes
MAILDIR_ENABLE = yes
SA_SPAMD_USER = spamd
SA_SCORE_REJECT = 50
SA_ABUSE_ADDR = spam@example.com
log_selector = \
+all_parents \
+lost_incoming_connection \
+received_sender \
+received_recipients \
+tls_cipher +tls_peerdn \
+smtp_confirmation \
+smtp_syntax_error \
+smtp_protocol_error
# TLS/SSL
tls_advertise_hosts = *
tls_certificate = /etc/exim4/ssl/exim.crt
tls_privatekey = /etc/exim4/ssl/exim.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
.ifdef SA_ENABLE
spamd_address = 127.0.0.1 783
.endif
.ifdef MAILMAN_ENABLE
MAILMAN_HOME=__MAILMAN_HOME__
MAILMAN_WRAP=__MAILMAN_WRAP__
MAILMAN_USER=__MAILMAN_USER__
MAILMAN_GROUP=__MAILMAN_GROUP__
.endif
trusted_groups = mgrsecure
trusted_users = www-data
domainlist local_domains = lsearch;/etc/exim4/domains
domainlist dummy_domains =
hostlist relay_from_hosts = 127.0.0.1 : 146.185.148.177
domainlist relay_to_domains = lsearch;/etc/exim4/domains
exim_user = Debian-exim
exim_group = Debian-exim
.ifdef VIRUS_SCAN
av_scanner = clamd:/var/run/clamav/clamd.ctl
.endif
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_not_smtp = acl_check_not_smtp
.ifdef DKIM_ENABLE
acl_smtp_dkim = acl_check_dkim
.endif
begin acl
acl_check_not_smtp:
# check ratelimits by local user
warn set acl_c9 = $sender_ident
condition = ${if match_local_part{$sender_ident}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
warn set acl_c9 = $sender_address_local_part
condition = ${if match_local_part{$sender_address_local_part}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny set acl_c8 = ${lookup{$acl_c9}lsearch*{/etc/exim4/ratelimits}}
ratelimit = $acl_c8 / 1h / strict / $acl_c9
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c9
condition = ${if and{{!eq{$acl_c9}{}}{>{$acl_c8}{0}}}{yes}{no}}
.ifdef DEFAULT_RATELIMIT
# check ratelimits by default
warn set acl_c7 = $sender_ident
warn set acl_c7 = $sender_address_local_part
condition = ${if eq{$acl_c7}{} {yes}{no}}
deny ratelimit = DEFAULT_RATELIMIT / 1h / strict / $acl_c7
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c7
condition = ${if and{{!eq{$acl_c7}{}}{eq{$acl_c8}{}}}{yes}{no}}
.endif
accept
acl_check_rcpt:
accept hosts = +relay_from_hosts
set acl_m6 = whitelisted
accept domains = +local_domains : +relay_to_domains
condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
set acl_m6 = whitelisted
logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
accept domains = +local_domains : +relay_to_domains
hosts = net-lsearch;/etc/exim4/whitelist
set acl_m6 = whitelisted
logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
deny condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
set acl_m6 = blacklisted
logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
deny hosts = net-lsearch;/etc/exim4/blacklist
set acl_m6 = blacklisted
logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
verify = recipient
domains = +local_domains
require verify = sender
# check ratelimits by emails
warn authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
ratelimit = $acl_c1 / 1h / strict / $authenticated_id
log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny authenticated = *
set acl_c1 = ${lookup{$authenticated_id}lsearch*{/etc/exim4/ratelimits}}
ratelimit = $acl_c1 / 1h / leaky / $authenticated_id
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if match_local_part{$authenticated_id}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
# check ratelimits by group
warn authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / strict / $acl_c0
log_message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
deny authenticated = *
set acl_c0 = group${extract{2}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}
ratelimit = ${lookup{$acl_c0}lsearch*{/etc/exim4/ratelimits}} / 1h / leaky / $acl_c0
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $acl_c0
condition = ${if match_local_part{$acl_c0}{lsearch;/etc/exim4/ratelimits} {yes}{no}}
.ifdef DEFAULT_RATELIMIT
# check ratelimits by default
deny authenticated = *
ratelimit = DEFAULT_RATELIMIT / 1h / strict / $authenticated_id
message = Sender rate overlimit - $sender_rate / $sender_rate_period / $authenticated_id
condition = ${if or{{eq{$acl_c1}{}}{eq{$acl_c0}{}}}{yes}{no}}
.endif
.ifdef VIRUS_SCAN
warn set acl_m3 = no
warn set acl_m3 = ok
condition = ${lookup{$domain}nwildlsearch{/etc/clamav.whitelist} {no}{yes}}
.endif
accept hosts = +relay_from_hosts
control = submission/sender_retain
accept authenticated = *
condition = ${if eq{${extract{5}{:}{${lookup{$authenticated_id}lsearch{/etc/exim4/passwd}}}}}{no} {yes}{no}}
condition = ${if eq{${extract{3}{:}{${lookup{${domain:$authenticated_id}}lsearch{/etc/exim4/domains}}}}}{no} {yes}{no}}
control = submission/domain=
deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\\n$dnslist_text
dnslists = ${readfile {/etc/exim4/dnsblists}{:}}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require verify = recipient
.ifdef POSTGREY_SOCKET
defer log_message = greylisted host $sender_host_address
set acl_m0 = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
set acl_m0 = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
message = ${sg{$acl_m0}{^\\w+\\s*}{}}
condition = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
.endif
accept
acl_check_data:
accept
condition = ${if >{$load_average}{3000} {yes}{no}}
logwrite = Accept message without spamd and antivirus check because LA > 3.
.ifdef VIRUS_SCAN
accept
condition = ${if or {\
{<{$message_body_size}{1K}} \
{>{$message_body_size}{2M}} \
} {yes}{no}}
logwrite = Accept message without antivirus check because body size $message_body_size not critical
warn
condition = ${if eq{$acl_m3}{ok} {yes}{no}}
add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{/var/run/clamav/clamd.ctl}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n
deny
message = This message contains virus ($malware_name)
hosts = *
demime = *
malware = *
log_message = Rejected: this message contains virus ($malware_name)
condition = ${if eq{$acl_m3}{ok}{yes}{no}}
.endif
.ifdef SA_ENABLE
warn
!authenticated = *
hosts = !127.0.0.1/24
condition = ${if < {$message_size}{1K}}
spam = SA_SPAMD_USER:true
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
warn
!authenticated = *
hosts = !+relay_from_hosts
spam = SA_SPAMD_USER:true/defer_ok
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
set acl_m4 = $spam_score_int
condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.
deny
condition = ${if and{{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
message = Content analisis tool detect spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
.endif
accept
.ifdef DKIM_ENABLE
acl_check_dkim:
warn
dkim_status = fail
logwrite = DKIM test failed: $dkim_verify_reason
add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
warn
dkim_status = invalid
add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.
accept
dkim_status = pass
add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.
accept
.endif
begin routers
dnslookup:
driver = dnslookup
domains = !+dummy_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
self = pass
no_more
disabled_domains:
driver = redirect
condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
allow_fail = yes
data = :fail: Domain disabled
no_more
disabled_users:
driver = redirect
condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
allow_fail = yes
data = :fail: User disabled
no_more
quota_check:
driver = redirect
domains = +local_domains
allow_defer
condition = ${if and{\
{exists{/usr/local/ispmgr/var/eximquota.pid}}\
{match{${readsocket{/usr/local/ispmgr/var/eximquota.sock}{$local_part@$domain:$message_size}}}{\Nover quota\N}}\
}{yes}{no}}
data = :defer: $local_part@$domain is over quota
local_domains:
driver = redirect
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}{no}{yes}}
data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
cannot_route_message = Unknown user
no_more
group_aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if and{\
{exists{/etc/exim4/aliases}}\
{eq {${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}} {group} }\
} {yes} {no} }
redirect_router = a_dnslookup
pipe_transport = address_pipe
aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
pipe_transport = address_pipe
local_users:
driver = redirect
condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
data = $local_part@$domain
redirect_router = autoreplay
.ifdef MAILMAN_ENABLE
mailman:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman
mailman_isp:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman_isp
.endif
catchall_for_domains:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
file_transport = local_delivery
unknown_users:
driver = redirect
allow_fail = yes
data = :fail: Unknown user
no_more
autoreplay:
driver = accept
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/vaclist}{yes}{no}}
retry_use_local_part
transport = address_reply
unseen
.ifdef LDA_ENABLE
procmail:
no_verify
driver = accept
transport = maildrop_pipe
# condition = ${if exists{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.procmailrc} {yes} {no}}
transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
localuser:
driver = accept
transport = local_delivery
# Same routers without autoreplay
a_dnslookup:
driver = dnslookup
domains = !+dummy_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
self = pass
no_more
a_disabled_domains:
driver = redirect
condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
allow_fail = yes
data = :fail: Domain disabled
no_more
a_disabled_users:
driver = redirect
condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
allow_fail = yes
data = :fail: User disabled
no_more
a_local_domains:
driver = redirect
data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
cannot_route_message = Unknown user
redirect_router = a_dnslookup
no_more
a_aliases:
driver = redirect
data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
redirect_router = a_dnslookup
pipe_transport = address_pipe
.ifdef LDA_ENABLE
a_procmail:
no_verify
driver = accept
transport = maildrop_pipe
# condition = ${if exists{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.procmailrc} {yes} {no}}
transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
a_local_users:
driver = accept
transport = local_delivery
condition = ${lookup {$local_part@$domain} lsearch {/etc/exim4/passwd} {yes} {no} }
.ifdef MAILMAN_ENABLE
a_mailman:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman
a_mailman_isp:
driver = accept
require_files = MAILMAN_HOME/lists/$local_part-$domain/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : -confirm+* : -join : -leave : -owner : -request : -admin : -subscribe : -unsubscribe
transport = mailman_isp
.endif
a_catchall_for_domains:
driver = redirect
headers_add = X-redirected: yes
data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
file_transport = local_delivery
redirect_router = a_dnslookup
begin transports
remote_smtp:
driver = smtp
.ifdef DKIM_ENABLE
dkim_domain = $sender_address_domain
dkim_selector = dkim
dkim_private_key = ${if exists{__ISP_DKIM_KEYS__/$sender_address_domain.private}{__ISP_DKIM_KEYS__/$sender_address_domain.private}{0}}
.endif
interface = <;${lookup{$sender_address_domain}lsearch{/etc/exim4/domainips}}
local_delivery:
driver = appendfile
.ifdef MAILDIR_ENABLE
maildir_format = true
maildir_use_size_file = true
create_directory = true
directory_mode = 700
directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/.maildir
.endif
.ifndef MAILDIR_ENABLE
file = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/mbox
.endif
delivery_date_add
envelope_to_add
return_path_add
mode = 0660
quota = ${extract{3}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}M
quota_warn_threshold = 75%
use_lockfile = no
no_mode_fail_narrower
user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
address_pipe:
driver = pipe
ignore_status
return_output
use_shell
address_reply:
driver = autoreply
headers = ${readfile{${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}/vacation/message.txt}}
to = $sender_address
.ifdef MAILMAN_ENABLE
mailman_isp:
driver = pipe
command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part-$domain
current_directory = MAILMAN_HOME
home_directory = MAILMAN_HOME
user = MAILMAN_USER
group = MAILMAN_GROUP
mailman:
driver = pipe
command = MAILMAN_WRAP '${if def:local_part_suffix {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} {post}}' $local_part
current_directory = MAILMAN_HOME
home_directory = MAILMAN_HOME
user = MAILMAN_USER
group = MAILMAN_GROUP
.endif
.ifdef LDA_ENABLE
maildrop_pipe:
driver = pipe
environment = "HOME=$home"
command = "/usr/bin/maildrop"
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
.endif
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
.ifdef MAILMAN_ENABLE
\N^(.*<)?([^<]*)@([^>]*).*$\N "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }" S
\N^(.*<)?([^<]*)@([^>]*).*$\N "${if exists{MAILMAN_HOME/lists/${sg{$2}{-$3.*}{-$3}}/config.pck} {${sg{$0} {-$3} {}}} {$0} }"
.endif
begin authenticators
cram:
driver = cyrus_sasl
public_name = CRAM-MD5
server_set_id = $1
plain:
driver = cyrus_sasl
public_name = PLAIN
server_set_id = $1
login:
driver = cyrus_sasl
public_name = LOGIN
server_set_id = $1
' 0 -1016826272
Oct 23 11:35:25 [16314:656] EXTINFO Execute (/etc/init.d/exim4 restart) return=0 exited
Oct 23 11:35:27 [16314:656] EXTINFO Execute (/etc/init.d/spamassassin restart) return=0 exited
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment