Baruwa : Exim config "exim-listener.conf"
# Main section of the Baruwa inbound listener instance: it accepts mail on
# 25/465/587, applies the ACLs defined below, and (through the routers)
# parks every accepted message in the exim.in spool for the content checks.
# All upper-case right-hand sides (PGSQL_SERVERS, RELAY_SQL_DOMAINS, ...)
# are macros from macros.conf, which is not on this page.
.include /usr/local/etc/exim/macros.conf | |
# "hide" keeps the database credentials out of "exim -bP" for non-admin users.
hide pgsql_servers = PGSQL_SERVERS | |
#primary_hostname = | |
# "@" stands for the primary hostname.
domainlist local_domains = @ : localhost : localhost.localdomain | |
domainlist relay_sql_domains = RELAY_SQL_DOMAINS | |
domainlist relay_sql_smtp_domains = SMTP_SQL_DOMAINS | |
domainlist relay_sql_lmtp_domains = LMTP_SQL_DOMAINS | |
domainlist ldap_domains = LDAP_DOMAINS | |
domainlist smtp_callback_domains = SMTP_CALLBACK_DOMAINS | |
domainlist whitelisted_domains = WHITELISTED_DOMAINS | |
domainlist blacklisted_domains = BLACKLISTED_DOMAINS | |
addresslist whitelisted_addresses = WHITELISTED_ADDRESS | |
# NOTE(review): blacklisted_addresses is defined but no ACL on this page
# references it; only blacklisted_hosts/_domains are enforced.
addresslist blacklisted_addresses = BLACKLISTED_ADDRESS | |
hostlist whitelisted_hosts = WHITELISTED_HOSTS | |
hostlist blacklisted_hosts = BLACKLISTED_HOSTS | |
hostlist relay_sql_hosts = RELAY_SQL_HOSTS | |
hostlist relay_from_hosts = localhost : localhost.localdomain | |
# Per-phase ACLs; all six are defined in the "begin acl" section below.
acl_smtp_rcpt = acl_check_rcpt | |
acl_smtp_data = acl_check_data | |
acl_smtp_mime = acl_check_mime | |
acl_smtp_connect = acl_check_connect | |
acl_smtp_helo = acl_check_helo | |
acl_smtp_dkim = acl_check_dkim | |
#queue_only = true | |
#queue_only_override = false | |
# The banner discloses the product name/version and the local time.
smtp_banner = Baruwa 2.0 $tod_full | |
# Use the PTR name of the interface address the client connected to as the
# active hostname; when the source address equals the receiving address
# (a connection to ourselves) fall back to $primary_hostname.
# NOTE(review): an empty dnsdb result is not handled explicitly here —
# confirm Exim's behaviour for an empty smtp_active_hostname is acceptable.
smtp_active_hostname = ${if !eq{$sender_host_address}{$received_ip_address}{${lookup dnsdb{ptr=$received_ip_address}}}{$primary_hostname}} | |
# Session limits. smtp_accept_max = 0 removes the cap on simultaneous
# inbound SMTP connections.
smtp_accept_max_per_connection = 60 | |
smtp_accept_max = 0 | |
# Above this load average only smtp_reserve_hosts are accepted; that list
# is not set on this page, so presumably it is left at its default.
smtp_load_reserve = 15 | |
smtp_receive_timeout = 3m | |
# Drop the session after more than 10 non-mail commands or more than one
# unknown command.
smtp_accept_max_nonmail = 10 | |
smtp_max_unknown_commands = 1 | |
message_size_limit = 20M | |
# Inbound spool, separate from the delivery instance's spool.
spool_directory = /var/spool/exim.in | |
# PIPELINING is only offered to the loopback client.
pipelining_advertise_hosts = 127.0.0.1 | |
process_log_path = /var/spool/exim/exim-process.info | |
#log_file_path=:syslog | |
#syslog_duplication=false | |
#syslog_timestamp=false | |
#log_selector = -rejected_header | |
# Custom Received: header. "ret-id none;" is appended for messages that did
# not arrive via the "split" re-injection protocol (see the split router and
# the send_to_self transport).
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Baruwa 2.0)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if !eq {$received_protocol}{split} { ret-id none;}{}}${if def:received_for {\n\tfor $received_for}} | |
# Backend for the "malware" condition in acl_check_data.
av_scanner = clamd:/var/run/clamav/clamd.sock | |
# TLS is offered to everyone: implicit TLS on 465, STARTTLS on 25 and 587.
tls_advertise_hosts = * | |
tls_certificate = /usr/local/etc/baruwa/certs/baruwa.pem | |
tls_privatekey = /usr/local/etc/baruwa/certs/baruwa.key | |
tls_on_connect_ports = 465 | |
# NOTE(review): this list admits RC4 (RC4+MEDIUM) while excluding AES
# (!AES) — a BEAST-era preference. RC4 is prohibited for TLS by RFC 7465;
# revisit this list before reusing the configuration.
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH | |
daemon_smtp_ports = 25 : 465 : 587 | |
exim_user = mailnull | |
exim_group = mail | |
never_users = root | |
# The zero timeout disables ident (RFC 1413) queries despite the "*" list.
rfc1413_hosts = * | |
rfc1413_query_timeout = 0s | |
ignore_bounce_errors_after = 1d | |
timeout_frozen_after = 3d | |
# AUTH is advertised only once a TLS cipher is in use, i.e. never in clear.
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} | |
# Loads the check_password Perl routine that the authenticators call to
# verify bcrypt password hashes.
perl_startup = do '/usr/local/etc/exim/baruwa/exim-bcrypt.pl' | |
perl_at_start = true | |
begin acl | |
# RCPT-time policy for the listener. Statements are evaluated in order; the
# first one whose conditions all match decides the verb.
acl_check_rcpt: | |
# No remote host, i.e. a local (non-TCP) submission: accept as submission.
accept hosts = : | |
control = submission | |
# Static blacklists (BLACKLISTED_HOSTS / BLACKLISTED_DOMAINS macros).
drop message = REJECTED - Sender $sender_address is banned | |
hosts = +blacklisted_hosts | |
drop message = REJECTED - Domain $sender_address_domain is banned | |
domains = +blacklisted_domains | |
# More than three failed RCPTs in this session: stall 10 minutes, then drop.
drop message = Dictionary attack detected | |
condition = ${if >{$rcpt_fail_count}{3} {yes}{no}} | |
delay = 10m | |
# A null sender or postmaster@* with more than one recipient is not a
# genuine bounce.
drop message = Legitimate bounces are never sent to more than one recipient. | |
senders = : postmaster@* | |
condition = ${if >{$recipients_count}{1}{true}{false}} | |
# Local-part hygiene as in the stock Exim default configuration: no leading
# dot and no @%!/| for local domains; a stricter set plus "/../" for the
# domains we relay for.
drop message = Restricted characters in address | |
domains = +local_domains | |
local_parts = ^[.] : ^.*[@%!/|] | |
drop message = Restricted characters in address | |
domains = !+local_domains | |
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ | |
# postmaster is always reachable for local and relay domains.
accept local_parts = postmaster | |
domains = +local_domains : +relay_sql_domains | |
# Trusted relay hosts and authenticated clients may send anywhere; their
# envelope sender is kept (submission/sender_retain).
accept hosts = +relay_from_hosts : +relay_sql_hosts | |
control = submission/sender_retain | |
accept authenticated = * | |
control = submission/sender_retain | |
# Everyone else may only send to domains this host handles.
require message = relay not permitted | |
domains = +local_domains : +relay_sql_domains | |
# Whitelisted senders and domains bypass all reputation checks below.
accept message = Authorized sender: $sender_address | |
senders = +whitelisted_addresses | |
accept message = Authorized sender: $sender_address_domain | |
domains = +whitelisted_domains | |
# DNSBL checks on the connecting host. NOTE(review): the purpose of the
# "0 / 2h / strict / per_conn" ratelimit condition on these two drops is not
# clear from this file — confirm it is intentional.
drop message = REJECTED - because $sender_host_address is in a black list spamhaus.org | |
dnslists = zen.spamhaus.org | |
ratelimit = 0 / 2h / strict / per_conn | |
drop message = REJECTED - because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | |
dnslists = bl.spamcop.net : cbl.abuseat.org | |
ratelimit = 0 / 2h / strict / per_conn | |
# Baruwa's own list, queried for the host and again keyed by sender domain.
drop message = REJECTED - $dnslist_text | |
dnslists = rbl.baruwa.net : rbl.baruwa.net/$sender_address_domain | |
# Drop hosts that have no reverse DNS *and* whose envelope sender fails a
# callout (2 minute limit; defer_ok: a callout that cannot complete counts
# as passed).
drop message = REJECTED - We don't accept messages from hosts without reverse DNS | |
log_message = No reverse DNS | |
!verify = reverse_host_lookup | |
!verify = sender/no_details/callout=2m,defer_ok | |
!condition = ${if eq{$sender_verify_failure}{}} | |
# Recipient callout to the backend for domains configured for it.
drop message = REJECTED - Recipient Verification Failed - User Not Found | |
domains = +smtp_callback_domains | |
#!verify = recipient/success_on_redirect/callout=2m,defer_ok,use_sender | |
!verify = recipient/success_on_redirect/callout=2m,defer_ok | |
# LDAP recipient check: a successful lookup yields "0" (continue), a failed
# one "1" (drop). NOTE(review): LDAP_LOOKUP is a macro from macros.conf; if
# it interpolates $local_part or $domain they must be wrapped in
# ${quote_ldap:...} — verify there.
drop message = REJECTED - User Not Found | |
domains = +ldap_domains | |
condition = ${lookup ldap{${expand:LDAP_LOOKUP}}{0}{1}} | |
# Only a hard SPF failure is rejected; the guessed-SPF deny is disabled.
deny message = SPF_MSG | |
spf = fail | |
# deny message = $sender_host_address doesn't look trustworthy to me | |
# spf_guess = fail | |
accept | |
# DATA-time ACL: the message is handed to the av_scanner (clamd) and dropped
# if anything is detected.
acl_check_data: | |
drop malware = * | |
message = This message contains a virus ($malware_name). | |
accept | |
# Per-MIME-part ACL: a filename-only, case-insensitive check against a short
# list of executable extensions. Part content and archive members are not
# inspected here.
acl_check_mime: | |
drop message = Blacklisted file extension detected | |
condition = ${if match \ | |
{${lc:$mime_filename}} \ | |
{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ | |
{1}{0}} | |
accept | |
# Connect-time ACL: local and whitelisted hosts are accepted outright,
# blacklisted hosts are dropped, everyone else is rate-limited.
acl_check_connect: | |
accept hosts = : | |
drop message = REJECTED - because $sender_host_address is a banned sender | |
hosts = +blacklisted_hosts | |
accept message = Authorized sender: $sender_host_address | |
hosts = +whitelisted_hosts | |
# 250 per 15 minutes per host, answered with a temporary (4xx) refusal.
# NOTE(review): in the connect ACL the rate counts connections rather than
# messages, so the "msgs" wording in the reply is slightly misleading.
defer ratelimit = 250 / 15m / strict | |
message = You can only send $sender_rate_limit msgs per $sender_rate_period | |
log_message = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit) | |
accept | |
# HELO/EHLO ACL.
acl_check_helo: | |
# NOTE(review): by the time the HELO ACL runs the client has supplied a
# name, so this "no greeting" statement may never match here — confirm intent.
drop message = REJECTED - no HELO/EHLO greeting | |
log_message = remote host did not present greeting | |
condition = ${if def:sender_helo_name {false}{true}} | |
# Bare IP address given as the HELO name.
drop message = REJECTED - HELO is an IP address (See RFC2821 4.1.3) | |
condition = ${if isip{$sender_helo_name}} | |
accept | |
# Run once per DKIM signer found in the message. Authenticated, local and
# whitelisted sources are exempt.
acl_check_dkim: | |
accept authenticated = * | |
accept hosts = : | |
accept hosts = +whitelisted_hosts | |
# Reject when the current signer's status is "none" or "invalid", unless the
# signer's key is flagged as testing (t=y). Rejecting on "fail" is
# deliberately left disabled (see the commented line).
deny message = REJECTED - DKIM failure: $dkim_verify_reason | |
#dkim_status = none:invalid:fail | |
dkim_status = none:invalid | |
condition = ${if eq {$dkim_key_testing}{1} {no}{yes}} | |
# Record the per-signer verification result in a header.
warn add_header = X-DKIM: Status on $received_ip_address using Baruwa 2.0: dkim=$dkim_verify_status; \ | |
signing_identity="$dkim_cur_signer" | |
accept | |
begin routers | |
# Routers are tried in order for each recipient. Because "message_checks"
# defers every message it sees, real delivery never passes it in this
# instance; the routers after it exist for address verification (the
# callouts in acl_check_rcpt), which skips the first two via no_verify.
# Multi-recipient messages for relay domains are re-injected one copy per
# recipient through send_to_self; the "split" received_protocol set by that
# transport's -oMr option stops the loop.
split: | |
driver = accept | |
domains = +relay_sql_domains | |
condition = ${if and {{!eq {$received_protocol}{split}}{gt {$recipients_count}{1}}}{yes}{no}} | |
transport = send_to_self | |
no_verify | |
no_address_test | |
# Park everything else in the queue (":defer:") for the content checker.
message_checks: | |
driver = redirect | |
allow_defer | |
data = :defer: queued for message checks | |
no_verify | |
no_address_test | |
# Per-domain destinations come from the database (ROUTE_QUERY macro).
deliver_clean_smtp: | |
driver = manualroute | |
domains = +relay_sql_smtp_domains | |
transport = remote_smtp | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
no_more | |
deliver_clean_lmtp: | |
driver = manualroute | |
domains = +relay_sql_lmtp_domains | |
transport = remote_lmtp | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
no_more | |
# Anything neither local nor relayed: MX routing, never to 0.0.0.0 or 127/8.
dnslookup: | |
driver = dnslookup | |
domains = ! +local_domains : ! +relay_sql_domains | |
transport = remote_smtp | |
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 | |
no_more | |
# /etc/aliases, for the primary hostname only ("@").
system_aliases: | |
driver = redirect | |
allow_fail | |
allow_defer | |
domains = @ | |
data = ${lookup{$local_part}lsearch{/etc/aliases}} | |
file_transport = address_file | |
pipe_transport = address_pipe | |
# Local Unix accounts.
localuser: | |
driver = accept | |
check_local_user | |
transport = local_delivery | |
cannot_route_message = Unknown user | |
begin transports | |
# Re-injects one recipient at a time (batch_max = 1) as BSMTP, tagging the
# new message with received_protocol "split" (-oMr) so the split router does
# not pick it up again.
send_to_self: | |
driver = pipe | |
batch_max = 1 | |
use_bsmtp | |
command = /usr/sbin/exim -oMr split -bS | |
user = mailnull | |
# delay_after_cutoff = false: hosts past their retry cutoff are still tried
# for a newly arrived message instead of being deferred outright.
remote_smtp: | |
driver = smtp | |
delay_after_cutoff = false | |
# LMTP over TCP on port 25 (Exim's default for LMTP would be 24); the host
# comes from the router's route_data.
remote_lmtp: | |
driver = smtp | |
protocol = lmtp | |
delay_after_cutoff = false | |
port = 25 | |
# mbox delivery for local users: group "mail", mode 0660 (the usual
# /var/mail layout).
local_delivery: | |
driver = appendfile | |
file = /var/mail/$local_part | |
delivery_date_add | |
envelope_to_add | |
return_path_add | |
group = mail | |
mode = 0660 | |
# Targets for pipe and file entries found in /etc/aliases.
address_pipe: | |
driver = pipe | |
return_output | |
address_file: | |
driver = appendfile | |
delivery_date_add | |
envelope_to_add | |
return_path_add | |
begin retry | |
# One rule for every address and error: every 15 minutes for the first
# 2 hours, then intervals growing from 1 hour by a factor of 1.5 up to
# 16 hours, then every 6 hours until the message is 14 days old.
* * F,2h,15m; G,16h,1h,1.5; F,14d,6h | |
begin rewrite | |
begin authenticators | |
# Both mechanisms fetch the stored hash from PostgreSQL (ORG_CHECK_* macros
# from macros.conf) and pass it with the supplied password to the Perl
# check_password routine from exim-bcrypt.pl (see perl_startup). Each is
# advertised only on a TLS session, in addition to the global
# auth_advertise_hosts gate. A missing row yields an empty hash, which
# check_password is expected to reject.
# NOTE(review): if the ORG_CHECK_* queries interpolate $auth1/$auth2 they
# must use ${quote_pgsql:...} — verify in macros.conf.
# PLAIN: $auth1 = authorization id (unused), $auth2 = user, $auth3 = password.
PLAIN: | |
driver = plaintext | |
server_prompts = : | |
server_condition = ${if and{ {!eq {$auth2}{}} {!eq {$auth3}{}}\ | |
{bool{${perl{check_password}\ | |
{${lookup pgsql {ORG_CHECK_PLAIN}{$value}}}\ | |
{$auth3}}}\ | |
}\ | |
}\ | |
{yes}{no}} | |
server_set_id = $2 | |
server_advertise_condition = ${if def:tls_cipher } | |
# LOGIN: $auth1 = user, $auth2 = password.
LOGIN: | |
driver = plaintext | |
server_prompts = "Username:: : Password::" | |
server_condition = ${if and{ {!eq {$auth1}{}} {!eq {$auth2}{}}\ | |
{bool{${perl{check_password}\ | |
{${lookup pgsql {ORG_CHECK_LOGIN}{$value}}}\ | |
{$auth2}}}}\ | |
}\ | |
{yes}{no}} | |
server_set_id = $1 | |
server_advertise_condition = ${if def:tls_cipher } |
# Main section of the Baruwa outbound/delivery instance: it works from its
# own spool (exim.out), applies no inbound policy (every ACL below simply
# accepts), never offers AUTH, and DKIM-signs outgoing mail where a key
# exists (see the transports).
# NOTE(review): with acl_check_rcpt accepting unconditionally and no
# local_interfaces restriction visible on this page, this instance would be
# an open relay if it were ever started as a listening daemon on a reachable
# interface; confirm it runs as a queue runner only. It also configures the
# same port 25 as the listener instance.
.include /usr/local/etc/exim/macros.conf | |
hide pgsql_servers = PGSQL_SERVERS | |
#primary_hostname = | |
domainlist local_domains = @ : localhost : localhost.localdomain | |
# Separate lists for randomized versus fixed-order host selection (see the
# four deliver_clean_* routers).
domainlist relay_sql_rand_smtp = SMTP_RAND_DOMAINS | |
domainlist relay_sql_nonrand_smtp = SMTP_NONRAND_DOMAINS | |
domainlist relay_sql_rand_lmtp = LMTP_RAND_DOMAINS | |
domainlist relay_sql_nonrand_lmtp = LMTP_NONRAND_DOMAINS | |
domainlist relay_sql_domains = RELAY_SQL_DOMAINS | |
# No trusted relay hosts in this instance.
hostlist relay_from_hosts = | |
acl_smtp_rcpt = acl_check_rcpt | |
acl_smtp_data = acl_check_data | |
acl_smtp_mime = acl_check_mime | |
acl_smtp_connect = acl_check_connect | |
acl_smtp_helo = acl_check_helo | |
smtp_banner = Baruwa 2.0 $tod_full | |
#disable_ipv6 = true | |
smtp_load_reserve = 10 | |
tls_advertise_hosts = * | |
tls_certificate = /usr/local/etc/baruwa/certs/baruwa.pem | |
tls_privatekey = /usr/local/etc/baruwa/certs/baruwa.key | |
# NOTE(review): same RC4-over-AES cipher list as the listener instance; RC4
# is prohibited for TLS by RFC 7465 — revisit before reuse.
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH | |
# Outbound spool, distinct from the listener's exim.in.
spool_directory = /var/spool/exim.out | |
daemon_smtp_ports = 25 | |
#log_file_path=:syslog | |
#syslog_duplication=false | |
#syslog_timestamp=false | |
exim_user = mailnull | |
exim_group = mail | |
never_users = root | |
# The zero timeout disables ident (RFC 1413) queries despite the "*" list.
rfc1413_hosts = * | |
rfc1413_query_timeout = 0s | |
ignore_bounce_errors_after = 3d | |
timeout_frozen_after = 7d | |
# Empty list: AUTH is never advertised (and no authenticators are defined).
auth_advertise_hosts = | |
# Not a stock Exim option; presumably provided by Baruwa's delivery-logging
# patch, with the query text in macros.conf — confirm against the build.
dbl_delivery_query = DELIVERY_QUERY | |
begin acl | |
# No inbound policy in the delivery instance: every phase accepts. This
# relies on the listener instance having applied its checks before a
# message reached this spool.
acl_check_rcpt: | |
accept | |
acl_check_data: | |
accept | |
acl_check_mime: | |
accept | |
acl_check_connect: | |
accept | |
acl_check_helo: | |
accept | |
begin routers | |
# Database-routed domains, split four ways by transport (SMTP vs LMTP) and
# by whether the host list returned by ROUTE_QUERY is tried in random
# order. None of the four sets no_more, so a domain matched here whose
# route_data expands to nothing falls through to the routers below.
deliver_clean_randomize: | |
driver = manualroute | |
domains = +relay_sql_rand_smtp | |
transport = remote_smtp | |
hosts_randomize = true | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
deliver_clean_norandomized: | |
driver = manualroute | |
domains = +relay_sql_nonrand_smtp | |
transport = remote_smtp | |
hosts_randomize = false | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
deliver_clean_randomize_lmtp: | |
driver = manualroute | |
domains = +relay_sql_rand_lmtp | |
transport = remote_lmtp | |
hosts_randomize = true | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
deliver_clean_norandomized_lmtp: | |
driver = manualroute | |
domains = +relay_sql_nonrand_lmtp | |
transport = remote_lmtp | |
hosts_randomize = false | |
route_data = ${lookup pgsql {ROUTE_QUERY}} | |
# Anything neither local nor relayed: MX routing, never to 0.0.0.0 or 127/8.
dnslookup: | |
driver = dnslookup | |
domains = ! +local_domains : ! +relay_sql_domains | |
transport = remote_smtp | |
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 | |
no_more | |
# /etc/aliases. Unlike the listener configuration there is no "domains = @"
# here, so it applies to any domain that reaches this point.
system_aliases: | |
driver = redirect | |
allow_fail | |
allow_defer | |
data = ${lookup{$local_part}lsearch{/etc/aliases}} | |
file_transport = address_file | |
pipe_transport = address_pipe | |
# Local Unix accounts.
localuser: | |
driver = accept | |
check_local_user | |
transport = local_delivery | |
cannot_route_message = Unknown user | |
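begin transports | |
# Outbound SMTP with Baruwa defer logging (dbl_host_defer_query is not a
# stock Exim option; presumably from Baruwa's patch) and optional DKIM
# signing: a message is signed only when a key file named after the
# lower-cased sender domain exists under /usr/local/etc/MailScanner/baruwa/dkim.
# Fix: dkim_private_key now returns the same file that the exists{} test
# checks. It previously tested /usr/local/etc/MailScanner/... but returned
# /etc/MailScanner/..., so signing was attempted with a path that had never
# been verified to exist.
remote_smtp: | |
driver = smtp | |
dbl_host_defer_query = DEFER_QUERY | |
delay_after_cutoff = false | |
dkim_domain = ${if exists{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}\ | |
{${lc:$sender_address_domain}}{}} | |
dkim_selector = baruwa | |
# "0" disables signing when there is no key for the domain.
dkim_private_key = ${if exists{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}\ | |
{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}{0}} | |
# NOTE(review): same RC4-over-AES cipher list as the main section; RC4 is
# prohibited for TLS by RFC 7465 — revisit.
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH | |
# Same as remote_smtp but speaking LMTP on port 25 (Exim's default for LMTP
# would be 24); the same key-path fix applies.
remote_lmtp: | |
driver = smtp | |
protocol = lmtp | |
port = 25 | |
dbl_host_defer_query = DEFER_QUERY | |
delay_after_cutoff = false | |
dkim_domain = ${if exists{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}\ | |
{${lc:$sender_address_domain}}{}} | |
dkim_selector = baruwa | |
dkim_private_key = ${if exists{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}\ | |
{/usr/local/etc/MailScanner/baruwa/dkim/${lc:$sender_address_domain}.pem}{0}} | |
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH | |
# mbox delivery for local users: group "mail", mode 0660.
local_delivery: | |
driver = appendfile | |
file = /var/mail/$local_part | |
delivery_date_add | |
envelope_to_add | |
return_path_add | |
group = mail | |
mode = 0660 | |
# Targets for pipe and file entries found in /etc/aliases.
address_pipe: | |
driver = pipe | |
return_output | |
address_file: | |
driver = appendfile | |
delivery_date_add | |
envelope_to_add | |
return_path_add | |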
begin retry | |
# Same schedule as the listener: every 15 minutes for 2 hours, then from
# 1 hour growing by 1.5 up to 16 hours, then every 6 hours until the
# message is 14 days old.
* * F,2h,15m; G,16h,1h,1.5; F,14d,6h | |
begin rewrite | |
# No authenticators are defined: this instance never accepts AUTH (see the
# empty auth_advertise_hosts in the main section).
begin authenticators |