-== Exim Konfiguration: ==
-
-=== Main ===
-
-zuerst:
-{{{
-sudo aptitude install clamav spamassassin spamc greylistd
-
-adduser clamav Debian-exim
-adduser Debian-exim clamav
-}}}
-
-/etc/clamav/clamd.conf
-{{{
-#Automatically Generated by clamav-base postinst
-#To reconfigure clamd run #dpkg-reconfigure clamav-base
-#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
-LocalSocket /var/run/clamav/clamd.ctl
-FixStaleSocket
-User clamav
-AllowSupplementaryGroups
-ScanMail
-ScanArchive
-ArchiveMaxRecursion 5
-ArchiveMaxFiles 1000
-ArchiveMaxFileSize 10M
-ArchiveMaxCompressionRatio 250
-ReadTimeout 180
-MaxThreads 12
-MaxConnectionQueueLength 15
-LogFile /var/log/clamav/clamav.log
-LogTime
-LogFileMaxSize 0
-PidFile /var/run/clamav/clamd.pid
-DatabaseDirectory /var/lib/clamav
-SelfCheck 3600
-ScanOLE2
-ScanPE
-DetectBrokenExecutables
-ScanHTML
-ArchiveBlockMax
-}}}
-
-
-/etc/exim4/conf.d/main/02_exim4-config_options
-{{{
-### main/02_exim4-config_options
-#################################
-
-av_scanner = clamd:/var/run/clamav/clamd.ctl
-spamd_address = 127.0.0.1 783
-
-...
-}}}
-
-/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
-{{{
-# This access control list is used for every RCPT command in an incoming
-# SMTP message. The tests are run in order until the address is either
-# accepted or denied.
-#
-acl_check_rcpt:
-
- # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
- # testing for an empty sending host field.
- accept hosts = :
-
- # Add missing Date and Message-ID header for relayed messages
- warn hosts = +relay_from_hosts
- control = submission/sender_retain
-
- # The following section of the ACL is concerned with local parts that contain
- # @ or % or ! or / or | or dots in unusual places.
- #
- # The characters other than dots are rarely found in genuine local parts, but
- # are often tried by people looking to circumvent relaying restrictions.
- # Therefore, although they are valid in local parts, these rules lock them
- # out, as a precaution.
- #
- # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
- # allows them because they have been encountered. (Consider local parts
- # constructed as "firstinitial.secondinitial.familyname" when applied to
- # someone like me, who has no second initial.) However, a local part starting
- # with a dot or containing /../ can cause trouble if it is used as part of a
- # file name (e.g. for a mailing list). This is also true for local parts that
- # contain slashes. A pipe symbol can also be troublesome if the local part is
- # incorporated unthinkingly into a shell command line.
- #
- # Two different rules are used. The first one is stricter, and is applied to
- # messages that are addressed to one of the local domains handled by this
- # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
- # If you have local accounts that include these characters, you will have to
- # modify this rule.
- deny domains = +local_domains
- local_parts = ^[.] : ^.*[@%!/|\'`#&?]
- message = restricted characters in address
-
- # The second rule applies to all other domains, and is less strict. This
- # allows your own users to send outgoing messages to sites that use slashes
- # and vertical bars in their local parts. It blocks local parts that begin
- # with a dot, slash, or vertical bar, but allows these characters within the
- # local part. However, the sequence /../ is barred. The use of @ % and ! is
- # blocked, as before. The motivation here is to prevent your users (or
- # your users' viruses) from mounting certain kinds of attack on remote sites.
-
- deny domains = !+local_domains
- local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
- message = restricted characters in address
-
- # Accept mail to postmaster in any local domain, regardless of the source,
- # and without verifying the sender.
- #
- accept local_parts = postmaster
- domains = +local_domains
-
- # deny bad senders (envelope sender)
- # CONFDIR/local_sender_blacklist holds a list of envelope senders that
- # should have their access denied to the local host. Incoming messages
- # with one of these senders are rejected at RCPT time.
- #
- # The explicit white lists are honored as well as negative items in
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.
- deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
- senders = ${if exists{CONFDIR/local_sender_blacklist}\
- {CONFDIR/local_sender_blacklist}\
- {}}
-
- # deny bad sites (IP address)
- # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
- # and networks (CIDR notation) that should have their access denied to
- # The local host. Messages coming in from a listed host will have all
- # RCPT statements rejected.
- #
- # The explicit white lists are honored as well as negative items in
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.
- deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
- hosts = ${if exists{CONFDIR/local_host_blacklist}\
- {CONFDIR/local_host_blacklist}\
- {}}
-
-
-
- # Deny unless the sender address can be verified.
- #
- # This is disabled by default so that DNSless systems don't break. If
- # your system can do DNS lookups without delay or cost, you might want
- # to enable the following line.
- #deny message = Sender verification failed
- # !acl = acl_whitelist_local_deny
- # !verify = sender
-
- # Warn if the sender host does not have valid reverse DNS.
- #
- # This is disabled by default so that DNSless systems don't break. If
- # your system can do DNS lookups without delay or cost, you might want
- # to enable the following lines.
- # If sender_host_address is defined, it's a remote call. If
- # sender_host_name is not defined, then reverse lookup failed. Use
- # this instead of !verify = reverse_host_lookup to catch deferrals
- # as well as outright failures.
- warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
- condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
- {yes}{no}}
-
- #############################################################################
- # There are no checks on DNS "black" lists because the domains that contain
- # these lists are changing all the time. You can find examples of
- # how to use dnslists in /usr/share/doc/exim4-config/examples/acl
- #############################################################################
-
-
- # Perform greylisting on incoming messages from remote hosts.
- # We do NOT greylist messages with no envelope sender, because that
- # would conflict with remote hosts doing callback verifications, and we
- # might not be able to send mail to such hosts for a while (until the
- # callback attempt is no longer greylisted, and then some).
- #
- # We also check the local whitelist to avoid greylisting mail from
- # hosts that are expected to forward mail here (such as backup MX hosts,
- # list servers, etc).
- #
- # Because the recipient address has not yet been verified, we do so
- # now and skip this statement for non-existing recipients. This is
- # in order to allow for a 550 (reject) response below. If the delivery
- # happens over a remote transport (such as "smtp"), recipient callout
- # verification is performed, with the original sender intact.
- #
- defer
- message = $sender_host_address is not yet authorized to deliver. \
- Please try later.
- log_message = greylisted.
- !senders = :
- !hosts = : +relay_from_hosts : \
- ${if exists {/etc/greylistd/whitelist-hosts}\
- {/etc/greylistd/whitelist-hosts}{}} : \
- ${if exists {/var/lib/greylistd/whitelist-hosts}\
- {/var/lib/greylistd/whitelist-hosts}{}}
- !authenticated = *
- !acl = acl_whitelist_local_deny
- domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
- verify = recipient/callout=20s,use_sender,defer_ok
- condition = ${readsocket{/var/run/greylistd/socket}\
- {--grey \
- ${mask:$sender_host_address/24}} \
-# $sender_address \
-# $local_part@$domain}\
- {5s}{}{false}}
-
-
-
- # Accept if the address is in a local domain, but only if the recipient can
- # be verified. Otherwise deny. The "endpass" line is the border between
- # passing on to the next ACL statement (if tests above it fail) or denying
- # access (if tests below it fail).
- #
- accept domains = +local_domains
- endpass
- message = unknown user
- verify = recipient
-
- accept domains = dsearch;/etc/exim4/virtual
- endpass
- message = unknown user
- verify = recipient
-
- # Accept if the address is in a domain for which we are relaying, but again,
- # only if the recipient can be verified.
- #
- accept domains = +relay_to_domains
- endpass
- message = unrouteable address
- verify = recipient
-
- # If control reaches this point, the domain is neither in +local_domains
- # nor in +relay_to_domains.
-
- # Accept if the message comes from one of the hosts for which we are an
- # outgoing relay. Recipient verification is omitted here, because in many
- # cases the clients are dumb MUAs that don't cope well with SMTP error
- # responses. If you are actually relaying out from MTAs, you should probably
- # add recipient verification here.
- #
- accept hosts = +relay_from_hosts
-
- # Accept if the message arrived over an authenticated connection, from
- # any host. Again, these messages are usually from MUAs, so recipient
- # verification is omitted.
- #
- accept authenticated = *
-
- # Reaching the end of the ACL causes a "deny", but we might as well give
- # an explicit message.
- #
- deny message = relay not permitted
-
-
-}}}
-
-/etc/exim4/conf.d/acl/40_exim4-config_check_data
-{{{
-# 40_exim4-config_check_data
-
-acl_check_data:
- # greylistd(8) configuration follows.
- # This statement has been added by "greylistd-setup-exim4",
- # and can be removed by running "greylistd-setup-exim4 remove".
- # Any changes you make here will then be lost.
- #
- # Perform greylisting on incoming messages with no envelope sender here.
- # We did not subject these to greylisting after RCPT TO:, because that
- # would interfere with remote hosts doing sender callout verifications.
- #
- # Because there is no sender address, we supply only two data items:
- # - The remote host address
- # - The recipient address (normally, bounces have only one recipient)
- #
- # We also check the local whitelist to avoid greylisting mail from
- # hosts that are expected to forward mail here (such as backup MX hosts,
- # list servers, etc).
- #
- defer
- message = $sender_host_address is not yet authorized to deliver. \
- Please try later.
- log_message = greylisted.
- senders = :
- !hosts = : +relay_from_hosts : \
- ${if exists {/etc/greylistd/whitelist-hosts}\
- {/etc/greylistd/whitelist-hosts}{}} : \
- ${if exists {/var/lib/greylistd/whitelist-hosts}\
- {/var/lib/greylistd/whitelist-hosts}{}}
- !authenticated = *
- !acl = acl_whitelist_local_deny
- condition = ${readsocket{/var/run/greylistd/socket}\
- {--grey \
- ${mask:$sender_host_address/24}} \
-# $recipients}\
- {5s}{}{false}}
-
-
- # Deny unless the address list headers are syntactically correct.
- #
- # This is disabled by default because it might reject legitimate mail.
- # If you want your system to insist on syntactically valid address
- # headers, you might want to enable the following lines.
- # deny message = Message headers fail syntax check
- # !acl = acl_whitelist_local_deny
- # !verify = header_syntax
-
- # require that there is a verifiable sender address in at least
- # one of the "Sender:", "Reply-To:", or "From:" header lines.
- # deny message = No verifiable sender address in message headers
- # !acl = acl_whitelist_local_deny
- # !verify = header_sender
-
-
-deny message = Serious MIME defect detected ($demime_reason)
- demime = *
- condition = ${if >{$demime_errorlevel}{2}{1}{0}}
-
-deny message = Blacklisted file extension detected
- condition = ${if match \
- {${lc:$mime_filename}} \
- {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
- {1}{0}}
-
-deny message = This message contains malware ($malware_name)
- malware = *
-
-
-# Always put X-Spam-Score header in the message.
-# It looks like this:
-# X-Spam-Score: 6.6 (++++++)
-# When a MUA cannot match numbers, it can match for an
-# equivalent number of '+' signs.
-# The 'true' makes sure that the header is always put
-# in, no matter what the score.
-warn message = X-Spam-Score: $spam_score ($spam_bar)
- condition = ${if <{$message_size}{300k}{1}{0}}
- spam = spamassassin:true
-
-# Always put X-Spam-Report header in the message.
-# This is a multiline header that informs the user
-# which tests a message has "hit", and how much a
-# test has contributed to the score.
-warn message = X-Spam-Flag: YES
- condition = ${if <{$message_size}{300k}{1}{0}}
- spam = spamassassin:true
- condition = ${if >{$spam_score_int}{30}{1}{0}}
-
-
-deny message = Spam score too high ($spam_score)
- condition = ${if <{$message_size}{300k}{1}{0}}
- spam = spamassassin:true
- condition = ${if >{$spam_score_int}{100}{1}{0}}
-
-
- # accept otherwise
- accept
-}}}
-----
-CategoryCodeSnippets CategoryTipsAndTricks
\ No newline at end of file