X-Git-Url: https://git.deb.at/?p=debienna.git;a=blobdiff_plain;f=RerunClamavSpamassGreylistd%2Findex.mdwn;h=5e4b76b652d98fbea7e7d4b955dbbe1109f8a919;hp=4c0de5612806bf34772ca69f446e461a6cd18519;hb=HEAD;hpb=1987a8a6713d85e7b26df584f69a177ce546e4ff
diff --git a/RerunClamavSpamassGreylistd/index.mdwn b/RerunClamavSpamassGreylistd/index.mdwn
deleted file mode 100644
index 4c0de56..0000000
--- a/RerunClamavSpamassGreylistd/index.mdwn
+++ /dev/null
@@ -1,364 +0,0 @@ - - -## Exim Konfiguration: - - -### Main - -zuerst: -[[!format txt """ -sudo aptitude install clamav spamassassin spamc greylistd - -adduser clamav Debian-exim -adduser Debian-exim clamav -"""]] -/etc/clamav/clamd.conf -[[!format txt """ -#Automatically Generated by clamav-base postinst -#To reconfigure clamd run #dpkg-reconfigure clamav-base -#Please read /usr/share/doc/clamav-base/README.Debian.gz for details -LocalSocket /var/run/clamav/clamd.ctl -FixStaleSocket -User clamav -AllowSupplementaryGroups -ScanMail -ScanArchive -ArchiveMaxRecursion 5 -ArchiveMaxFiles 1000 -ArchiveMaxFileSize 10M -ArchiveMaxCompressionRatio 250 -ReadTimeout 180 -MaxThreads 12 -MaxConnectionQueueLength 15 -LogFile /var/log/clamav/clamav.log -LogTime -LogFileMaxSize 0 -PidFile /var/run/clamav/clamd.pid -DatabaseDirectory /var/lib/clamav -SelfCheck 3600 -ScanOLE2 -ScanPE -DetectBrokenExecutables -ScanHTML -ArchiveBlockMax -"""]] -/etc/exim4/conf.d/main/02_exim4-config_options -[[!format txt """ -### main/02_exim4-config_options -################################# - -av_scanner = clamd:/var/run/clamav/clamd.ctl -spamd_address = 127.0.0.1 783 - -... -"""]] -/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt -[[!format txt """ -# This access control list is used for every RCPT command in an incoming -# SMTP message. The tests are run in order until the address is either -# accepted or denied. -# -acl_check_rcpt: - - # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by - # testing for an empty sending host field. - accept hosts = : - - # Add missing Date and Message-ID header for relayed messages - warn hosts = +relay_from_hosts - control = submission/sender_retain - - # The following section of the ACL is concerned with local parts that contain - # @ or % or ! or / or | or dots in unusual places. - # - # The characters other than dots are rarely found in genuine local parts, but - # are often tried by people looking to circumvent relaying restrictions. 
- # Therefore, although they are valid in local parts, these rules lock them - # out, as a precaution. - # - # Empty components (two dots in a row) are not valid in RFC 2822, but Exim - # allows them because they have been encountered. (Consider local parts - # constructed as "firstinitial.secondinitial.familyname" when applied to - # someone like me, who has no second initial.) However, a local part starting - # with a dot or containing /../ can cause trouble if it is used as part of a - # file name (e.g. for a mailing list). This is also true for local parts that - # contain slashes. A pipe symbol can also be troublesome if the local part is - # incorporated unthinkingly into a shell command line. - # - # Two different rules are used. The first one is stricter, and is applied to - # messages that are addressed to one of the local domains handled by this - # host. It blocks local parts that begin with a dot or contain @ % ! / or |. - # If you have local accounts that include these characters, you will have to - # modify this rule. - deny domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|\'`#&?] - message = restricted characters in address - - # The second rule applies to all other domains, and is less strict. This - # allows your own users to send outgoing messages to sites that use slashes - # and vertical bars in their local parts. It blocks local parts that begin - # with a dot, slash, or vertical bar, but allows these characters within the - # local part. However, the sequence /../ is barred. The use of @ % and ! is - # blocked, as before. The motivation here is to prevent your users (or - # your users' viruses) from mounting certain kinds of attack on remote sites. - - deny domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./ - message = restricted characters in address - - # Accept mail to postmaster in any local domain, regardless of the source, - # and without verifying the sender. 
- # - accept local_parts = postmaster - domains = +local_domains - - # deny bad senders (envelope sender) - # CONFDIR/local_sender_blacklist holds a list of envelope senders that - # should have their access denied to the local host. Incoming messages - # with one of these senders are rejected at RCPT time. - # - # The explicit white lists are honored as well as negative items in - # the black list. See /usr/share/doc/exim4-config/default_acl for details. - deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_whitelist_local_deny - senders = ${if exists{CONFDIR/local_sender_blacklist}\ - {CONFDIR/local_sender_blacklist}\ - {}} - - # deny bad sites (IP address) - # CONFDIR/local_host_blacklist holds a list of host names, IP addresses - # and networks (CIDR notation) that should have their access denied to - # The local host. Messages coming in from a listed host will have all - # RCPT statements rejected. - # - # The explicit white lists are honored as well as negative items in - # the black list. See /usr/share/doc/exim4-config/default_acl for details. - deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_whitelist_local_deny - hosts = ${if exists{CONFDIR/local_host_blacklist}\ - {CONFDIR/local_host_blacklist}\ - {}} - - - - # Deny unless the sender address can be verified. - # - # This is disabled by default so that DNSless systems don't break. If - # your system can do DNS lookups without delay or cost, you might want - # to enable the following line. - #deny message = Sender verification failed - # !acl = acl_whitelist_local_deny - # !verify = sender - - # Warn if the sender host does not have valid reverse DNS. - # - # This is disabled by default so that DNSless systems don't break. 
If - # your system can do DNS lookups without delay or cost, you might want - # to enable the following lines. - # If sender_host_address is defined, it's a remote call. If - # sender_host_name is not defined, then reverse lookup failed. Use - # this instead of !verify = reverse_host_lookup to catch deferrals - # as well as outright failures. - warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) - condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ - {yes}{no}} - - ############################################################################# - # There are no checks on DNS "black" lists because the domains that contain - # these lists are changing all the time. You can find examples of - # how to use dnslists in /usr/share/doc/exim4-config/examples/acl - ############################################################################# - - - # Perform greylisting on incoming messages from remote hosts. - # We do NOT greylist messages with no envelope sender, because that - # would conflict with remote hosts doing callback verifications, and we - # might not be able to send mail to such hosts for a while (until the - # callback attempt is no longer greylisted, and then some). - # - # We also check the local whitelist to avoid greylisting mail from - # hosts that are expected to forward mail here (such as backup MX hosts, - # list servers, etc). - # - # Because the recipient address has not yet been verified, we do so - # now and skip this statement for non-existing recipients. This is - # in order to allow for a 550 (reject) response below. If the delivery - # happens over a remote transport (such as "smtp"), recipient callout - # verification is performed, with the original sender intact. - # - defer - message = $sender_host_address is not yet authorized to deliver. \ - Please try later. - log_message = greylisted. 
- !senders = : - !hosts = : +relay_from_hosts : \ - ${if exists {/etc/greylistd/whitelist-hosts}\ - {/etc/greylistd/whitelist-hosts}{}} : \ - ${if exists {/var/lib/greylistd/whitelist-hosts}\ - {/var/lib/greylistd/whitelist-hosts}{}} - !authenticated = * - !acl = acl_whitelist_local_deny - domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual - verify = recipient/callout=20s,use_sender,defer_ok - condition = ${readsocket{/var/run/greylistd/socket}\ - {--grey \ - ${mask:$sender_host_address/24}} \ -# $sender_address \ -# $local_part@$domain}\ - {5s}{}{false}} - - - - # Accept if the address is in a local domain, but only if the recipient can - # be verified. Otherwise deny. The "endpass" line is the border between - # passing on to the next ACL statement (if tests above it fail) or denying - # access (if tests below it fail). - # - accept domains = +local_domains - endpass - message = unknown user - verify = recipient - - accept domains = dsearch;/etc/exim4/virtual - endpass - message = unknown user - verify = recipient - - # Accept if the address is in a domain for which we are relaying, but again, - # only if the recipient can be verified. - # - accept domains = +relay_to_domains - endpass - message = unrouteable address - verify = recipient - - # If control reaches this point, the domain is neither in +local_domains - # nor in +relay_to_domains. - - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. Recipient verification is omitted here, because in many - # cases the clients are dumb MUAs that don't cope well with SMTP error - # responses. If you are actually relaying out from MTAs, you should probably - # add recipient verification here. - # - accept hosts = +relay_from_hosts - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted. 
- # - accept authenticated = * - - # Reaching the end of the ACL causes a "deny", but we might as well give - # an explicit message. - # - deny message = relay not permitted - - -"""]] -/etc/exim4/conf.d/acl/40_exim4-config_check_data -[[!format txt """ -# 40_exim4-config_check_data - -acl_check_data: - # greylistd(8) configuration follows. - # This statement has been added by "greylistd-setup-exim4", - # and can be removed by running "greylistd-setup-exim4 remove". - # Any changes you make here will then be lost. - # - # Perform greylisting on incoming messages with no envelope sender here. - # We did not subject these to greylisting after RCPT TO:, because that - # would interfere with remote hosts doing sender callout verifications. - # - # Because there is no sender address, we supply only two data items: - # - The remote host address - # - The recipient address (normally, bounces have only one recipient) - # - # We also check the local whitelist to avoid greylisting mail from - # hosts that are expected to forward mail here (such as backup MX hosts, - # list servers, etc). - # - defer - message = $sender_host_address is not yet authorized to deliver. \ - Please try later. - log_message = greylisted. - senders = : - !hosts = : +relay_from_hosts : \ - ${if exists {/etc/greylistd/whitelist-hosts}\ - {/etc/greylistd/whitelist-hosts}{}} : \ - ${if exists {/var/lib/greylistd/whitelist-hosts}\ - {/var/lib/greylistd/whitelist-hosts}{}} - !authenticated = * - !acl = acl_whitelist_local_deny - condition = ${readsocket{/var/run/greylistd/socket}\ - {--grey \ - ${mask:$sender_host_address/24}} \ -# $recipients}\ - {5s}{}{false}} - - - # Deny unless the address list headers are syntactically correct. - # - # This is disabled by default because it might reject legitimate mail. - # If you want your system to insist on syntactically valid address - # headers, you might want to enable the following lines. 
- # deny message = Message headers fail syntax check - # !acl = acl_whitelist_local_deny - # !verify = header_syntax - - # require that there is a verifiable sender address in at least - # one of the "Sender:", "Reply-To:", or "From:" header lines. - # deny message = No verifiable sender address in message headers - # !acl = acl_whitelist_local_deny - # !verify = header_sender - - -deny message = Serious MIME defect detected ($demime_reason) - demime = * - condition = ${if >{$demime_errorlevel}{2}{1}{0}} - -deny message = Blacklisted file extension detected - condition = ${if match \ - {${lc:$mime_filename}} \ - {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \ - {1}{0}} - -deny message = This message contains malware ($malware_name) - malware = * - - -# Always put X-Spam-Score header in the message. -# It looks like this: -# X-Spam-Score: 6.6 (++++++) -# When a MUA cannot match numbers, it can match for an -# equivalent number of '+' signs. -# The 'true' makes sure that the header is always put -# in, no matter what the score. -warn message = X-Spam-Score: $spam_score ($spam_bar) - condition = ${if <{$message_size}{300k}{1}{0}} - spam = spamassassin:true - -# Always put X-Spam-Report header in the message. -# This is a multiline header that informs the user -# which tests a message has "hit", and how much a -# test has contributed to the score. -warn message = X-Spam-Flag: YES - condition = ${if <{$message_size}{300k}{1}{0}} - spam = spamassassin:true - condition = ${if >{$spam_score_int}{30}{1}{0}} - - -deny message = Spam score too high ($spam_score) - condition = ${if <{$message_size}{300k}{1}{0}} - spam = spamassassin:true - condition = ${if >{$spam_score_int}{100}{1}{0}} - - - # accept otherwise - accept -"""]] - - ---- - - [[CategoryCodeSnippets|CategoryCodeSnippets]] [[CategoryTipsAndTricks|CategoryTipsAndTricks]]