-== Exim Konfiguration: ==\r
-\r
-=== Main ===\r
-\r
-zuerst:\r
-{{{\r
-sudo aptitude install clamav spamassassin spamc greylistd\r
-\r
-adduser clamav Debian-exim\r
-adduser Debian-exim clamav\r
-}}}\r
-\r
-/etc/clamav/clamd.conf\r
-{{{\r
-#Automatically Generated by clamav-base postinst\r
-#To reconfigure clamd run #dpkg-reconfigure clamav-base\r
-#Please read /usr/share/doc/clamav-base/README.Debian.gz for details\r
-LocalSocket /var/run/clamav/clamd.ctl\r
-FixStaleSocket\r
-User clamav\r
-AllowSupplementaryGroups\r
-ScanMail\r
-ScanArchive\r
-ArchiveMaxRecursion 5\r
-ArchiveMaxFiles 1000\r
-ArchiveMaxFileSize 10M\r
-ArchiveMaxCompressionRatio 250\r
-ReadTimeout 180\r
-MaxThreads 12\r
-MaxConnectionQueueLength 15\r
-LogFile /var/log/clamav/clamav.log\r
-LogTime\r
-LogFileMaxSize 0\r
-PidFile /var/run/clamav/clamd.pid\r
-DatabaseDirectory /var/lib/clamav\r
-SelfCheck 3600\r
-ScanOLE2\r
-ScanPE\r
-DetectBrokenExecutables\r
-ScanHTML\r
-ArchiveBlockMax\r
-}}}\r
-\r
-\r
-/etc/exim4/conf.d/main/02_exim4-config_options\r
-{{{\r
-### main/02_exim4-config_options\r
-#################################\r
-\r
-av_scanner = clamd:/var/run/clamav/clamd.ctl\r
-spamd_address = 127.0.0.1 783\r
-\r
-...\r
-}}}\r
-\r
-/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt\r
-{{{\r
-# This access control list is used for every RCPT command in an incoming\r
-# SMTP message. The tests are run in order until the address is either\r
-# accepted or denied.\r
-#\r
-acl_check_rcpt:\r
-\r
- # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by\r
- # testing for an empty sending host field.\r
- accept hosts = :\r
-\r
- # Add missing Date and Message-ID header for relayed messages\r
- warn hosts = +relay_from_hosts\r
- control = submission/sender_retain\r
-\r
- # The following section of the ACL is concerned with local parts that contain\r
- # @ or % or ! or / or | or dots in unusual places.\r
- #\r
- # The characters other than dots are rarely found in genuine local parts, but\r
- # are often tried by people looking to circumvent relaying restrictions.\r
- # Therefore, although they are valid in local parts, these rules lock them\r
- # out, as a precaution.\r
- #\r
- # Empty components (two dots in a row) are not valid in RFC 2822, but Exim\r
- # allows them because they have been encountered. (Consider local parts\r
- # constructed as "firstinitial.secondinitial.familyname" when applied to\r
- # someone like me, who has no second initial.) However, a local part starting\r
- # with a dot or containing /../ can cause trouble if it is used as part of a\r
- # file name (e.g. for a mailing list). This is also true for local parts that\r
- # contain slashes. A pipe symbol can also be troublesome if the local part is\r
- # incorporated unthinkingly into a shell command line.\r
- #\r
- # Two different rules are used. The first one is stricter, and is applied to\r
- # messages that are addressed to one of the local domains handled by this\r
- # host. It blocks local parts that begin with a dot or contain @ % ! / or |.\r
- # If you have local accounts that include these characters, you will have to\r
- # modify this rule.\r
- deny domains = +local_domains\r
- local_parts = ^[.] : ^.*[@%!/|\'`#&?]\r
- message = restricted characters in address\r
-\r
- # The second rule applies to all other domains, and is less strict. This\r
- # allows your own users to send outgoing messages to sites that use slashes\r
- # and vertical bars in their local parts. It blocks local parts that begin\r
- # with a dot, slash, or vertical bar, but allows these characters within the\r
- # local part. However, the sequence /../ is barred. The use of @ % and ! is\r
- # blocked, as before. The motivation here is to prevent your users (or\r
- # your users' viruses) from mounting certain kinds of attack on remote sites.\r
-\r
- deny domains = !+local_domains\r
- local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./\r
- message = restricted characters in address\r
-\r
- # Accept mail to postmaster in any local domain, regardless of the source,\r
- # and without verifying the sender.\r
- #\r
- accept local_parts = postmaster\r
- domains = +local_domains\r
-\r
- # deny bad senders (envelope sender)\r
- # CONFDIR/local_sender_blacklist holds a list of envelope senders that\r
- # should have their access denied to the local host. Incoming messages\r
- # with one of these senders are rejected at RCPT time.\r
- #\r
- # The explicit white lists are honored as well as negative items in\r
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.\r
- deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster\r
- !acl = acl_whitelist_local_deny\r
- senders = ${if exists{CONFDIR/local_sender_blacklist}\\r
- {CONFDIR/local_sender_blacklist}\\r
- {}}\r
-\r
- # deny bad sites (IP address)\r
- # CONFDIR/local_host_blacklist holds a list of host names, IP addresses\r
- # and networks (CIDR notation) that should have their access denied to\r
- # The local host. Messages coming in from a listed host will have all\r
- # RCPT statements rejected.\r
- #\r
- # The explicit white lists are honored as well as negative items in\r
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.\r
- deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster\r
- !acl = acl_whitelist_local_deny\r
- hosts = ${if exists{CONFDIR/local_host_blacklist}\\r
- {CONFDIR/local_host_blacklist}\\r
- {}}\r
-\r
-\r
-\r
- # Deny unless the sender address can be verified.\r
- #\r
- # This is disabled by default so that DNSless systems don't break. If\r
- # your system can do DNS lookups without delay or cost, you might want\r
- # to enable the following line.\r
- #deny message = Sender verification failed\r
- # !acl = acl_whitelist_local_deny\r
- # !verify = sender\r
-\r
- # Warn if the sender host does not have valid reverse DNS.\r
- # \r
- # This is disabled by default so that DNSless systems don't break. If\r
- # your system can do DNS lookups without delay or cost, you might want\r
- # to enable the following lines.\r
- # If sender_host_address is defined, it's a remote call. If\r
- # sender_host_name is not defined, then reverse lookup failed. Use\r
- # this instead of !verify = reverse_host_lookup to catch deferrals\r
- # as well as outright failures.\r
- warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})\r
- condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\\r
- {yes}{no}}\r
-\r
- #############################################################################\r
- # There are no checks on DNS "black" lists because the domains that contain\r
- # these lists are changing all the time. You can find examples of\r
- # how to use dnslists in /usr/share/doc/exim4-config/examples/acl\r
- #############################################################################\r
-\r
-\r
- # Perform greylisting on incoming messages from remote hosts.\r
- # We do NOT greylist messages with no envelope sender, because that\r
- # would conflict with remote hosts doing callback verifications, and we\r
- # might not be able to send mail to such hosts for a while (until the\r
- # callback attempt is no longer greylisted, and then some).\r
- #\r
- # We also check the local whitelist to avoid greylisting mail from\r
- # hosts that are expected to forward mail here (such as backup MX hosts,\r
- # list servers, etc).\r
- #\r
- # Because the recipient address has not yet been verified, we do so\r
- # now and skip this statement for non-existing recipients. This is\r
- # in order to allow for a 550 (reject) response below. If the delivery\r
- # happens over a remote transport (such as "smtp"), recipient callout\r
- # verification is performed, with the original sender intact.\r
- #\r
- defer\r
- message = $sender_host_address is not yet authorized to deliver. \\r
- Please try later.\r
- log_message = greylisted.\r
- !senders = :\r
- !hosts = : +relay_from_hosts : \\r
- ${if exists {/etc/greylistd/whitelist-hosts}\\r
- {/etc/greylistd/whitelist-hosts}{}} : \\r
- ${if exists {/var/lib/greylistd/whitelist-hosts}\\r
- {/var/lib/greylistd/whitelist-hosts}{}}\r
- !authenticated = *\r
- !acl = acl_whitelist_local_deny\r
- domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual\r
- verify = recipient/callout=20s,use_sender,defer_ok\r
- condition = ${readsocket{/var/run/greylistd/socket}\\r
- {--grey \\r
- ${mask:$sender_host_address/24}} \\r
-# $sender_address \\r
-# $local_part@$domain}\\r
- {5s}{}{false}}\r
-\r
-\r
-\r
- # Accept if the address is in a local domain, but only if the recipient can\r
- # be verified. Otherwise deny. The "endpass" line is the border between\r
- # passing on to the next ACL statement (if tests above it fail) or denying\r
- # access (if tests below it fail).\r
- #\r
- accept domains = +local_domains\r
- endpass\r
- message = unknown user\r
- verify = recipient\r
-\r
- accept domains = dsearch;/etc/exim4/virtual\r
- endpass\r
- message = unknown user\r
- verify = recipient\r
-\r
- # Accept if the address is in a domain for which we are relaying, but again,\r
- # only if the recipient can be verified.\r
- #\r
- accept domains = +relay_to_domains\r
- endpass\r
- message = unrouteable address\r
- verify = recipient\r
-\r
- # If control reaches this point, the domain is neither in +local_domains\r
- # nor in +relay_to_domains.\r
-\r
- # Accept if the message comes from one of the hosts for which we are an\r
- # outgoing relay. Recipient verification is omitted here, because in many\r
- # cases the clients are dumb MUAs that don't cope well with SMTP error\r
- # responses. If you are actually relaying out from MTAs, you should probably\r
- # add recipient verification here.\r
- #\r
- accept hosts = +relay_from_hosts\r
-\r
- # Accept if the message arrived over an authenticated connection, from\r
- # any host. Again, these messages are usually from MUAs, so recipient\r
- # verification is omitted.\r
- #\r
- accept authenticated = *\r
-\r
- # Reaching the end of the ACL causes a "deny", but we might as well give\r
- # an explicit message.\r
- #\r
- deny message = relay not permitted\r
-\r
-\r
-}}}\r
-\r
-/etc/exim4/conf.d/acl/40_exim4-config_check_data\r
-{{{\r
-# 40_exim4-config_check_data\r
-\r
-acl_check_data:\r
- # greylistd(8) configuration follows.\r
- # This statement has been added by "greylistd-setup-exim4",\r
- # and can be removed by running "greylistd-setup-exim4 remove".\r
- # Any changes you make here will then be lost.\r
- # \r
- # Perform greylisting on incoming messages with no envelope sender here.\r
- # We did not subject these to greylisting after RCPT TO:, because that\r
- # would interfere with remote hosts doing sender callout verifications.\r
- #\r
- # Because there is no sender address, we supply only two data items:\r
- # - The remote host address\r
- # - The recipient address (normally, bounces have only one recipient)\r
- #\r
- # We also check the local whitelist to avoid greylisting mail from\r
- # hosts that are expected to forward mail here (such as backup MX hosts,\r
- # list servers, etc).\r
- #\r
- defer\r
- message = $sender_host_address is not yet authorized to deliver. \\r
- Please try later.\r
- log_message = greylisted.\r
- senders = :\r
- !hosts = : +relay_from_hosts : \\r
- ${if exists {/etc/greylistd/whitelist-hosts}\\r
- {/etc/greylistd/whitelist-hosts}{}} : \\r
- ${if exists {/var/lib/greylistd/whitelist-hosts}\\r
- {/var/lib/greylistd/whitelist-hosts}{}}\r
- !authenticated = *\r
- !acl = acl_whitelist_local_deny\r
- condition = ${readsocket{/var/run/greylistd/socket}\\r
- {--grey \\r
- ${mask:$sender_host_address/24}} \\r
-# $recipients}\\r
- {5s}{}{false}}\r
-\r
-\r
- # Deny unless the address list headers are syntactically correct.\r
- #\r
- # This is disabled by default because it might reject legitimate mail.\r
- # If you want your system to insist on syntactically valid address\r
- # headers, you might want to enable the following lines.\r
- # deny message = Message headers fail syntax check\r
- # !acl = acl_whitelist_local_deny\r
- # !verify = header_syntax\r
-\r
- # require that there is a verifiable sender address in at least\r
- # one of the "Sender:", "Reply-To:", or "From:" header lines.\r
- # deny message = No verifiable sender address in message headers\r
- # !acl = acl_whitelist_local_deny\r
- # !verify = header_sender\r
-\r
-\r
-deny message = Serious MIME defect detected ($demime_reason)\r
- demime = *\r
- condition = ${if >{$demime_errorlevel}{2}{1}{0}}\r
-\r
-deny message = Blacklisted file extension detected\r
- condition = ${if match \\r
- {${lc:$mime_filename}} \\r
- {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \\r
- {1}{0}}\r
-\r
-deny message = This message contains malware ($malware_name)\r
- malware = *\r
- \r
-\r
-# Always put X-Spam-Score header in the message.\r
-# It looks like this:\r
-# X-Spam-Score: 6.6 (++++++)\r
-# When a MUA cannot match numbers, it can match for an\r
-# equivalent number of '+' signs.\r
-# The 'true' makes sure that the header is always put\r
-# in, no matter what the score.\r
-warn message = X-Spam-Score: $spam_score ($spam_bar)\r
- condition = ${if <{$message_size}{300k}{1}{0}}\r
- spam = spamassassin:true\r
-\r
-# Always put X-Spam-Report header in the message.\r
-# This is a multiline header that informs the user\r
-# which tests a message has "hit", and how much a\r
-# test has contributed to the score.\r
-warn message = X-Spam-Flag: YES\r
- condition = ${if <{$message_size}{300k}{1}{0}}\r
- spam = spamassassin:true\r
- condition = ${if >{$spam_score_int}{30}{1}{0}}\r
-\r
-\r
-deny message = Spam score too high ($spam_score)\r
- condition = ${if <{$message_size}{300k}{1}{0}}\r
- spam = spamassassin:true\r
- condition = ${if >{$spam_score_int}{100}{1}{0}}\r
-\r
-\r
- # accept otherwise\r
- accept\r
-}}}\r
-----\r
+== Exim Konfiguration: ==
+
+=== Main ===
+
+zuerst:
+{{{
+sudo aptitude install clamav spamassassin spamc greylistd
+
+adduser clamav Debian-exim
+adduser Debian-exim clamav
+}}}
+
+/etc/clamav/clamd.conf
+{{{
+#Automatically Generated by clamav-base postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-base
+#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket
+User clamav
+AllowSupplementaryGroups
+ScanMail
+ScanArchive
+ArchiveMaxRecursion 5
+ArchiveMaxFiles 1000
+ArchiveMaxFileSize 10M
+ArchiveMaxCompressionRatio 250
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogFile /var/log/clamav/clamav.log
+LogTime
+LogFileMaxSize 0
+PidFile /var/run/clamav/clamd.pid
+DatabaseDirectory /var/lib/clamav
+SelfCheck 3600
+ScanOLE2
+ScanPE
+DetectBrokenExecutables
+ScanHTML
+ArchiveBlockMax
+}}}
+
+
+/etc/exim4/conf.d/main/02_exim4-config_options
+{{{
+### main/02_exim4-config_options
+#################################
+
+av_scanner = clamd:/var/run/clamav/clamd.ctl
+spamd_address = 127.0.0.1 783
+
+...
+}}}
+
+/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
+{{{
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_rcpt:
+
+ # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+ # testing for an empty sending host field.
+ accept hosts = :
+
+ # Add missing Date and Message-ID header for relayed messages
+ warn hosts = +relay_from_hosts
+ control = submission/sender_retain
+
+ # The following section of the ACL is concerned with local parts that contain
+ # @ or % or ! or / or | or dots in unusual places.
+ #
+ # The characters other than dots are rarely found in genuine local parts, but
+ # are often tried by people looking to circumvent relaying restrictions.
+ # Therefore, although they are valid in local parts, these rules lock them
+ # out, as a precaution.
+ #
+ # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
+ # allows them because they have been encountered. (Consider local parts
+ # constructed as "firstinitial.secondinitial.familyname" when applied to
+ # someone like me, who has no second initial.) However, a local part starting
+ # with a dot or containing /../ can cause trouble if it is used as part of a
+ # file name (e.g. for a mailing list). This is also true for local parts that
+ # contain slashes. A pipe symbol can also be troublesome if the local part is
+ # incorporated unthinkingly into a shell command line.
+ #
+ # Two different rules are used. The first one is stricter, and is applied to
+ # messages that are addressed to one of the local domains handled by this
+ # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
+ # If you have local accounts that include these characters, you will have to
+ # modify this rule.
+ deny domains = +local_domains
+ local_parts = ^[.] : ^.*[@%!/|\'`#&?]
+ message = restricted characters in address
+
+ # The second rule applies to all other domains, and is less strict. This
+ # allows your own users to send outgoing messages to sites that use slashes
+ # and vertical bars in their local parts. It blocks local parts that begin
+ # with a dot, slash, or vertical bar, but allows these characters within the
+ # local part. However, the sequence /../ is barred. The use of @ % and ! is
+ # blocked, as before. The motivation here is to prevent your users (or
+ # your users' viruses) from mounting certain kinds of attack on remote sites.
+
+ deny domains = !+local_domains
+ local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
+ message = restricted characters in address
+
+ # Accept mail to postmaster in any local domain, regardless of the source,
+ # and without verifying the sender.
+ #
+ accept local_parts = postmaster
+ domains = +local_domains
+
+ # deny bad senders (envelope sender)
+ # CONFDIR/local_sender_blacklist holds a list of envelope senders that
+ # should have their access denied to the local host. Incoming messages
+ # with one of these senders are rejected at RCPT time.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_whitelist_local_deny
+ senders = ${if exists{CONFDIR/local_sender_blacklist}\
+ {CONFDIR/local_sender_blacklist}\
+ {}}
+
+ # deny bad sites (IP address)
+ # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
+ # and networks (CIDR notation) that should have their access denied to
+ # The local host. Messages coming in from a listed host will have all
+ # RCPT statements rejected.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_whitelist_local_deny
+ hosts = ${if exists{CONFDIR/local_host_blacklist}\
+ {CONFDIR/local_host_blacklist}\
+ {}}
+
+
+
+ # Deny unless the sender address can be verified.
+ #
+ # This is disabled by default so that DNSless systems don't break. If
+ # your system can do DNS lookups without delay or cost, you might want
+ # to enable the following line.
+ #deny message = Sender verification failed
+ # !acl = acl_whitelist_local_deny
+ # !verify = sender
+
+ # Warn if the sender host does not have valid reverse DNS.
+ #
+ # This is disabled by default so that DNSless systems don't break. If
+ # your system can do DNS lookups without delay or cost, you might want
+ # to enable the following lines.
+ # If sender_host_address is defined, it's a remote call. If
+ # sender_host_name is not defined, then reverse lookup failed. Use
+ # this instead of !verify = reverse_host_lookup to catch deferrals
+ # as well as outright failures.
+ warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
+ condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
+ {yes}{no}}
+
+ #############################################################################
+ # There are no checks on DNS "black" lists because the domains that contain
+ # these lists are changing all the time. You can find examples of
+ # how to use dnslists in /usr/share/doc/exim4-config/examples/acl
+ #############################################################################
+
+
+ # Perform greylisting on incoming messages from remote hosts.
+ # We do NOT greylist messages with no envelope sender, because that
+ # would conflict with remote hosts doing callback verifications, and we
+ # might not be able to send mail to such hosts for a while (until the
+ # callback attempt is no longer greylisted, and then some).
+ #
+ # We also check the local whitelist to avoid greylisting mail from
+ # hosts that are expected to forward mail here (such as backup MX hosts,
+ # list servers, etc).
+ #
+ # Because the recipient address has not yet been verified, we do so
+ # now and skip this statement for non-existing recipients. This is
+ # in order to allow for a 550 (reject) response below. If the delivery
+ # happens over a remote transport (such as "smtp"), recipient callout
+ # verification is performed, with the original sender intact.
+ #
+ defer
+ message = $sender_host_address is not yet authorized to deliver. \
+ Please try later.
+ log_message = greylisted.
+ !senders = :
+ !hosts = : +relay_from_hosts : \
+ ${if exists {/etc/greylistd/whitelist-hosts}\
+ {/etc/greylistd/whitelist-hosts}{}} : \
+ ${if exists {/var/lib/greylistd/whitelist-hosts}\
+ {/var/lib/greylistd/whitelist-hosts}{}}
+ !authenticated = *
+ !acl = acl_whitelist_local_deny
+ domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
+ verify = recipient/callout=20s,use_sender,defer_ok
+ condition = ${readsocket{/var/run/greylistd/socket}\
+ {--grey \
+ ${mask:$sender_host_address/24}} \
+# $sender_address \
+# $local_part@$domain}\
+ {5s}{}{false}}
+
+
+
+ # Accept if the address is in a local domain, but only if the recipient can
+ # be verified. Otherwise deny. The "endpass" line is the border between
+ # passing on to the next ACL statement (if tests above it fail) or denying
+ # access (if tests below it fail).
+ #
+ accept domains = +local_domains
+ endpass
+ message = unknown user
+ verify = recipient
+
+ accept domains = dsearch;/etc/exim4/virtual
+ endpass
+ message = unknown user
+ verify = recipient
+
+ # Accept if the address is in a domain for which we are relaying, but again,
+ # only if the recipient can be verified.
+ #
+ accept domains = +relay_to_domains
+ endpass
+ message = unrouteable address
+ verify = recipient
+
+ # If control reaches this point, the domain is neither in +local_domains
+ # nor in +relay_to_domains.
+
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. Recipient verification is omitted here, because in many
+ # cases the clients are dumb MUAs that don't cope well with SMTP error
+ # responses. If you are actually relaying out from MTAs, you should probably
+ # add recipient verification here.
+ #
+ accept hosts = +relay_from_hosts
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted.
+ #
+ accept authenticated = *
+
+ # Reaching the end of the ACL causes a "deny", but we might as well give
+ # an explicit message.
+ #
+ deny message = relay not permitted
+
+
+}}}
+
+/etc/exim4/conf.d/acl/40_exim4-config_check_data
+{{{
+# 40_exim4-config_check_data
+
+acl_check_data:
+ # greylistd(8) configuration follows.
+ # This statement has been added by "greylistd-setup-exim4",
+ # and can be removed by running "greylistd-setup-exim4 remove".
+ # Any changes you make here will then be lost.
+ #
+ # Perform greylisting on incoming messages with no envelope sender here.
+ # We did not subject these to greylisting after RCPT TO:, because that
+ # would interfere with remote hosts doing sender callout verifications.
+ #
+ # Because there is no sender address, we supply only two data items:
+ # - The remote host address
+ # - The recipient address (normally, bounces have only one recipient)
+ #
+ # We also check the local whitelist to avoid greylisting mail from
+ # hosts that are expected to forward mail here (such as backup MX hosts,
+ # list servers, etc).
+ #
+ defer
+ message = $sender_host_address is not yet authorized to deliver. \
+ Please try later.
+ log_message = greylisted.
+ senders = :
+ !hosts = : +relay_from_hosts : \
+ ${if exists {/etc/greylistd/whitelist-hosts}\
+ {/etc/greylistd/whitelist-hosts}{}} : \
+ ${if exists {/var/lib/greylistd/whitelist-hosts}\
+ {/var/lib/greylistd/whitelist-hosts}{}}
+ !authenticated = *
+ !acl = acl_whitelist_local_deny
+ condition = ${readsocket{/var/run/greylistd/socket}\
+ {--grey \
+ ${mask:$sender_host_address/24}} \
+# $recipients}\
+ {5s}{}{false}}
+
+
+ # Deny unless the address list headers are syntactically correct.
+ #
+ # This is disabled by default because it might reject legitimate mail.
+ # If you want your system to insist on syntactically valid address
+ # headers, you might want to enable the following lines.
+ # deny message = Message headers fail syntax check
+ # !acl = acl_whitelist_local_deny
+ # !verify = header_syntax
+
+ # require that there is a verifiable sender address in at least
+ # one of the "Sender:", "Reply-To:", or "From:" header lines.
+ # deny message = No verifiable sender address in message headers
+ # !acl = acl_whitelist_local_deny
+ # !verify = header_sender
+
+
+deny message = Serious MIME defect detected ($demime_reason)
+ demime = *
+ condition = ${if >{$demime_errorlevel}{2}{1}{0}}
+
+deny message = Blacklisted file extension detected
+ condition = ${if match \
+ {${lc:$mime_filename}} \
+ {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
+ {1}{0}}
+
+deny message = This message contains malware ($malware_name)
+ malware = *
+
+
+# Always put X-Spam-Score header in the message.
+# It looks like this:
+# X-Spam-Score: 6.6 (++++++)
+# When a MUA cannot match numbers, it can match for an
+# equivalent number of '+' signs.
+# The 'true' makes sure that the header is always put
+# in, no matter what the score.
+warn message = X-Spam-Score: $spam_score ($spam_bar)
+ condition = ${if <{$message_size}{300k}{1}{0}}
+ spam = spamassassin:true
+
+# Always put X-Spam-Report header in the message.
+# This is a multiline header that informs the user
+# which tests a message has "hit", and how much a
+# test has contributed to the score.
+warn message = X-Spam-Flag: YES
+ condition = ${if <{$message_size}{300k}{1}{0}}
+ spam = spamassassin:true
+ condition = ${if >{$spam_score_int}{30}{1}{0}}
+
+
+deny message = Spam score too high ($spam_score)
+ condition = ${if <{$message_size}{300k}{1}{0}}
+ spam = spamassassin:true
+ condition = ${if >{$spam_score_int}{100}{1}{0}}
+
+
+ # accept otherwise
+ accept
+}}}
+----
CategoryCodeSnippets CategoryTipsAndTricks
\ No newline at end of file