## Exim Konfiguration:

### Main zuerst:

[[!format txt """
sudo aptitude install clamav spamassassin spamc greylistd
# "adduser USER GROUP" adds an existing user to a group: clamav joins
# Debian-exim, and Debian-exim joins clamav.
# NOTE(review): presumably so clamd can read Exim's spool files and Exim can
# reach the clamd socket. The scanner also gains read access to anything else
# the Debian-exim group can read - confirm that is acceptable.
adduser clamav Debian-exim
adduser Debian-exim clamav
"""]]

/etc/clamav/clamd.conf

[[!format txt """
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
# Unix socket clamd listens on; av_scanner in the Exim main options below
# points at the same path.
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
# NOTE(review): presumably needed so clamd, running as user clamav, keeps the
# supplementary Debian-exim group membership set up above - confirm.
AllowSupplementaryGroups
ScanMail
ScanArchive
# Limits on archive scanning: nesting depth, file count, file size and
# compression ratio.
# NOTE(review): the Archive* names look like an older ClamAV option set; check
# them against clamd.conf(5) for the installed version.
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
# NOTE(review): 0 appears to mean "no size limit"; make sure log rotation
# covers this file.
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanOLE2
ScanPE
DetectBrokenExecutables
ScanHTML
# NOTE(review): believed to flag archives that exceed the Archive* limits
# above instead of passing them unscanned - confirm in clamd.conf(5).
ArchiveBlockMax
"""]]

/etc/exim4/conf.d/main/02_exim4-config_options

[[!format txt """
### main/02_exim4-config_options
#################################

# Content-scanning back ends for the "malware" and "spam" ACL conditions.
# The clamd path is the LocalSocket from clamd.conf above; spamd is addressed
# on the loopback interface, port 783.
av_scanner = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783
...
"""]]

/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

[[!format txt """
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
  accept
    hosts = :

# Add missing Date and Message-ID header for relayed messages
# NOTE(review): applies to every host in +relay_from_hosts, which is defined
# outside this page.
  warn
    hosts = +relay_from_hosts
    control = submission/sender_retain

# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or |.
# If you have local accounts that include these characters, you will have to
# modify this rule.
#
# NOTE(review): the character class below is wider than the text above says:
# it also rejects ' ` # & and ? anywhere in the local part, so addresses
# containing those characters are refused as well.
  deny
    domains = +local_domains
    local_parts = ^[.] : ^.*[@%!/|\'`#&?]
    message = restricted characters in address

# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within the
# local part. However, the sequence /../ is barred. The use of @ % and ! is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote sites.
#
# NOTE(review): as in the first rule, the class here additionally rejects
# ' ` # & and ? for non-local domains.
  deny
    domains = !+local_domains
    local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
    message = restricted characters in address

# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
#
  accept
    local_parts = postmaster
    domains = +local_domains

# deny bad senders (envelope sender)
# CONFDIR/local_sender_blacklist holds a list of envelope senders that
# should have their access denied to the local host. Incoming messages
# with one of these senders are rejected at RCPT time.
#
# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.
#
# NOTE(review): acl_whitelist_local_deny is referenced by several statements
# here but is not defined on this page; it must exist elsewhere in the
# configuration.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                   {CONFDIR/local_sender_blacklist}\
                   {}}

# deny bad sites (IP address)
# CONFDIR/local_host_blacklist holds a list of host names, IP addresses
# and networks (CIDR notation) that should have their access denied to
# the local host. Messages coming in from a listed host will have all
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

# Deny unless the sender address can be verified.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable the following line.
# NOTE(review): left commented out here, so envelope senders are not verified
# at RCPT time.
#deny message = Sender verification failed
# !acl = acl_whitelist_local_deny
# !verify = sender

# Warn if the sender host does not have valid reverse DNS.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable the following lines.
# If sender_host_address is defined, it's a remote call. If
# sender_host_name is not defined, then reverse lookup failed. Use
# this instead of !verify = reverse_host_lookup to catch deferrals
# as well as outright failures.
#
# NOTE(review): as shown on this page the statement is active, not commented
# out. It only adds a header; it never rejects.
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                     {yes}{no}}

#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. You can find examples of
# how to use dnslists in /usr/share/doc/exim4-config/examples/acl
#############################################################################

# Perform greylisting on incoming messages from remote hosts.
# We do NOT greylist messages with no envelope sender, because that
# would conflict with remote hosts doing callback verifications, and we
# might not be able to send mail to such hosts for a while (until the
# callback attempt is no longer greylisted, and then some).
#
# We also check the local whitelist to avoid greylisting mail from
# hosts that are expected to forward mail here (such as backup MX hosts,
# list servers, etc).
#
# Because the recipient address has not yet been verified, we do so
# now and skip this statement for non-existing recipients. This is
# in order to allow for a 550 (reject) response below. If the delivery
# happens over a remote transport (such as "smtp"), recipient callout
# verification is performed, with the original sender intact.
#
# NOTE(review): three properties of this statement worth knowing:
#  - The sender and recipient lines inside the readsocket request are
#    commented out, so greylistd is given only the sender's address masked to
#    /24. Every sender and recipient behind the same /24 shares one entry,
#    which is looser than per-triplet greylisting. How the /24 mask behaves
#    for IPv6 peers is not visible here - verify.
#  - The last readsocket argument, {false}, is the value used when the socket
#    cannot be read within 5s, so greylisting is skipped (fails open) when
#    greylistd is down.
#  - defer_ok on the callout means a recipient whose callout cannot be
#    completed is treated as verified.
  defer
    message = $sender_host_address is not yet authorized to deliver. \
              Please try later.
    log_message = greylisted.
    !senders = :
    !hosts = : +relay_from_hosts : \
             ${if exists {/etc/greylistd/whitelist-hosts}\
                         {/etc/greylistd/whitelist-hosts}{}} : \
             ${if exists {/var/lib/greylistd/whitelist-hosts}\
                         {/var/lib/greylistd/whitelist-hosts}{}}
    !authenticated = *
    !acl = acl_whitelist_local_deny
    domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
    verify = recipient/callout=20s,use_sender,defer_ok
    condition = ${readsocket{/var/run/greylistd/socket}\
                            {--grey \
                             ${mask:$sender_host_address/24}} \
#                             $sender_address \
#                             $local_part@$domain}\
                            {5s}{}{false}}

# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
#
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient

# Same rule for virtual domains, looked up with dsearch in /etc/exim4/virtual.
# NOTE(review): the entries of that directory decide which domains are
# accepted, so write access to it should be restricted to the administrator.
  accept
    domains = dsearch;/etc/exim4/virtual
    endpass
    message = unknown user
    verify = recipient

# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.
#
  accept
    domains = +relay_to_domains
    endpass
    message = unrouteable address
    verify = recipient

# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
#
# NOTE(review): this and the next statement are what allow relaying to
# arbitrary domains; +relay_from_hosts (defined outside this page) should
# list only hosts you control.
  accept
    hosts = +relay_from_hosts

# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
#
  accept
    authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
#
  deny
    message = relay not permitted
"""]]

/etc/exim4/conf.d/acl/40_exim4-config_check_data

[[!format txt """
# 40_exim4-config_check_data

acl_check_data:

# greylistd(8) configuration follows.
# This statement has been added by "greylistd-setup-exim4",
# and can be removed by running "greylistd-setup-exim4 remove".
# Any changes you make here will then be lost.
#
# Perform greylisting on incoming messages with no envelope sender here.
# We did not subject these to greylisting after RCPT TO:, because that
# would interfere with remote hosts doing sender callout verifications.
#
# Because there is no sender address, we supply only two data items:
#  - The remote host address
#  - The recipient address (normally, bounces have only one recipient)
#
# We also check the local whitelist to avoid greylisting mail from
# hosts that are expected to forward mail here (such as backup MX hosts,
# list servers, etc).
#
# NOTE(review): the $recipients line inside the readsocket request is
# commented out, so only the remote host address, masked to /24, is actually
# supplied; the "two data items" text above no longer matches. The trailing
# {false} is the value used when the socket cannot be read within 5s, so
# greylisting is skipped (fails open) when greylistd is unavailable.
  defer
    message = $sender_host_address is not yet authorized to deliver. \
              Please try later.
    log_message = greylisted.
    senders = :
    !hosts = : +relay_from_hosts : \
             ${if exists {/etc/greylistd/whitelist-hosts}\
                         {/etc/greylistd/whitelist-hosts}{}} : \
             ${if exists {/var/lib/greylistd/whitelist-hosts}\
                         {/var/lib/greylistd/whitelist-hosts}{}}
    !authenticated = *
    !acl = acl_whitelist_local_deny
    condition = ${readsocket{/var/run/greylistd/socket}\
                            {--grey \
                             ${mask:$sender_host_address/24}} \
#                             $recipients}\
                            {5s}{}{false}}

# Deny unless the address list headers are syntactically correct.
#
# This is disabled by default because it might reject legitimate mail.
# If you want your system to insist on syntactically valid address
# headers, you might want to enable the following lines.
# deny message = Message headers fail syntax check
# !acl = acl_whitelist_local_deny
# !verify = header_syntax

# require that there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
# deny message = No verifiable sender address in message headers
# !acl = acl_whitelist_local_deny
# !verify = header_sender

# Reject messages whose MIME structure has serious defects (error level
# above 2).
# NOTE(review): the demime condition was deprecated and, as far as I know,
# later removed from Exim; check that the installed version still accepts it
# before reusing this statement.
  deny
    message = Serious MIME defect detected ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}

# Reject attachments by file-name extension, compared in lower case.
# NOTE(review): $mime_filename is normally populated in the MIME ACL; verify
# that it carries a value in this DATA ACL, otherwise this rule never matches.
# The list is short and only looks at the name, so the malware scan below
# remains the primary control.
  deny
    message = Blacklisted file extension detected
    condition = ${if match \
                    {${lc:$mime_filename}} \
                    {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
                    {1}{0}}

# Reject anything the scanner configured in av_scanner reports as malware.
# NOTE(review): no defer_ok option is given, so an unreachable scanner should
# result in a temporary rejection rather than unscanned delivery - confirm
# this is the behaviour you want during clamd outages.
  deny
    message = This message contains malware ($malware_name)
    malware = *

# Always put X-Spam-Score header in the message.
# It looks like this:
# X-Spam-Score: 6.6 (++++++)
# When a MUA cannot match numbers, it can match for an
# equivalent number of '+' signs.
# The 'true' makes sure that the header is always put
# in, no matter what the score.
#
# NOTE(review): in all three spam statements the message_size test comes
# first, so messages of 300k or more are never passed to SpamAssassin and
# receive neither headers nor a score-based rejection.
  warn
    message = X-Spam-Score: $spam_score ($spam_bar)
    condition = ${if <{$message_size}{300k}{1}{0}}
    spam = spamassassin:true

# Add "X-Spam-Flag: YES" when $spam_score_int is above 30.
# ($spam_score_int is the score multiplied by ten, so 30 means 3.0.)
# No X-Spam-Report header is added by this statement.
  warn
    message = X-Spam-Flag: YES
    condition = ${if <{$message_size}{300k}{1}{0}}
    spam = spamassassin:true
    condition = ${if >{$spam_score_int}{30}{1}{0}}

# Reject at DATA time when $spam_score_int is above 100 (a score of 10.0).
  deny
    message = Spam score too high ($spam_score)
    condition = ${if <{$message_size}{300k}{1}{0}}
    spam = spamassassin:true
    condition = ${if >{$spam_score_int}{100}{1}{0}}

# accept otherwise
  accept
"""]]

[[!tag CategoryCodeSnippets]] [[!tag CategoryTipsAndTricks]]