1 == Exim Konfiguration: ==
# Install the content scanners (ClamAV, SpamAssassin and its spamc client) and greylistd.
# NOTE(review): the configuration below talks to a running clamd; confirm the
# package that provides the clamd daemon is installed as well.
7 sudo aptitude install clamav spamassassin spamc greylistd
# Cross-add the service accounts: user clamav joins group Debian-exim, and
# user Debian-exim joins group clamav.
# NOTE(review): presumably so clamd can read Exim's spool files and Exim can
# reach the clamd socket; confirm both memberships are needed, since each one
# widens what the other service account can read.
9 adduser clamav Debian-exim
10 adduser Debian-exim clamav
13 /etc/clamav/clamd.conf
15 #Automatically Generated by clamav-base postinst
16 #To reconfigure clamd run #dpkg-reconfigure clamav-base
17 #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
# Unix socket clamd listens on; Exim's av_scanner setting further down names the same path.
18 LocalSocket /var/run/clamav/clamd.ctl
# NOTE(review): presumably needed so clamd picks up the Debian-exim group added
# with adduser above; confirm the installed ClamAV release still accepts this option.
21 AllowSupplementaryGroups
# Archive limits: per-file size and compression ratio.
# NOTE(review): option names differ between ClamAV releases; check clamd.conf(5).
26 ArchiveMaxFileSize 10M
27 ArchiveMaxCompressionRatio 250
30 MaxConnectionQueueLength 15
31 LogFile /var/log/clamav/clamav.log
34 PidFile /var/run/clamav/clamd.pid
35 DatabaseDirectory /var/lib/clamav
39 DetectBrokenExecutables
45 /etc/exim4/conf.d/main/02_exim4-config_options
47 ### main/02_exim4-config_options
48 #################################
# Back ends for the malware and spam ACL conditions.
# av_scanner uses the clamd Unix socket (same path as LocalSocket in clamd.conf above).
50 av_scanner = clamd:/var/run/clamav/clamd.ctl
# spamd is contacted on the loopback address, port 783.
51 spamd_address = 127.0.0.1 783
56 /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
58 # This access control list is used for every RCPT command in an incoming
59 # SMTP message. The tests are run in order until the address is either
64 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
65 # testing for an empty sending host field.
68 # Add missing Date and Message-ID header for relayed messages
69 warn hosts = +relay_from_hosts
70 control = submission/sender_retain
72 # The following section of the ACL is concerned with local parts that contain
73 # @ or % or ! or / or | or dots in unusual places.
75 # The characters other than dots are rarely found in genuine local parts, but
76 # are often tried by people looking to circumvent relaying restrictions.
77 # Therefore, although they are valid in local parts, these rules lock them
78 # out, as a precaution.
80 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
81 # allows them because they have been encountered. (Consider local parts
82 # constructed as "firstinitial.secondinitial.familyname" when applied to
83 # someone like me, who has no second initial.) However, a local part starting
84 # with a dot or containing /../ can cause trouble if it is used as part of a
85 # file name (e.g. for a mailing list). This is also true for local parts that
86 # contain slashes. A pipe symbol can also be troublesome if the local part is
87 # incorporated unthinkingly into a shell command line.
89 # Two different rules are used. The first one is stricter, and is applied to
90 # messages that are addressed to one of the local domains handled by this
91 # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
92 # If you have local accounts that include these characters, you will have to
# Recipients in local domains: besides a leading dot and @ % ! / |, the
# pattern below also rejects ' ` # & and ? anywhere in the local part.
94 deny domains = +local_domains
95 local_parts = ^[.] : ^.*[@%!/|\'`#&?]
96 message = restricted characters in address
98 # The second rule applies to all other domains, and is less strict. This
99 # allows your own users to send outgoing messages to sites that use slashes
100 # and vertical bars in their local parts. It blocks local parts that begin
101 # with a dot, slash, or vertical bar, but allows these characters within the
102 # local part. However, the sequence /../ is barred. The use of @ % and ! is
103 # blocked, as before. The motivation here is to prevent your users (or
104 # your users' viruses) from mounting certain kinds of attack on remote sites.
# Recipients in all other domains: rejects a leading dot, slash or vertical
# bar, the characters @ % ! ' ` # & ? anywhere, and the sequence /../.
106 deny domains = !+local_domains
107 local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
108 message = restricted characters in address
110 # Accept mail to postmaster in any local domain, regardless of the source,
111 # and without verifying the sender.
113 accept local_parts = postmaster
114 domains = +local_domains
116 # deny bad senders (envelope sender)
117 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
118 # should have their access denied to the local host. Incoming messages
119 # with one of these senders are rejected at RCPT time.
121 # The explicit white lists are honored as well as negative items in
122 # the black list. See /usr/share/doc/exim4-config/default_acl for details.
123 deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
124 !acl = acl_whitelist_local_deny
125 senders = ${if exists{CONFDIR/local_sender_blacklist}\
126 {CONFDIR/local_sender_blacklist}\
129 # deny bad sites (IP address)
130 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
131 # and networks (CIDR notation) that should have their access denied to
132 # the local host. Messages coming in from a listed host will have all
133 # RCPT statements rejected.
135 # The explicit white lists are honored as well as negative items in
136 # the black list. See /usr/share/doc/exim4-config/default_acl for details.
137 deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
138 !acl = acl_whitelist_local_deny
139 hosts = ${if exists{CONFDIR/local_host_blacklist}\
140 {CONFDIR/local_host_blacklist}\
145 # Deny unless the sender address can be verified.
147 # This is disabled by default so that DNSless systems don't break. If
148 # your system can do DNS lookups without delay or cost, you might want
149 # to enable the following line.
150 #deny message = Sender verification failed
151 # !acl = acl_whitelist_local_deny
154 # Warn if the sender host does not have valid reverse DNS.
156 # This is disabled by default so that DNSless systems don't break. If
157 # your system can do DNS lookups without delay or cost, you might want
158 # to enable the following lines.
159 # If sender_host_address is defined, it's a remote call. If
160 # sender_host_name is not defined, then reverse lookup failed. Use
161 # this instead of !verify = reverse_host_lookup to catch deferrals
162 # as well as outright failures.
163 warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
164 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
167 #############################################################################
168 # There are no checks on DNS "black" lists because the domains that contain
169 # these lists are changing all the time. You can find examples of
170 # how to use dnslists in /usr/share/doc/exim4-config/examples/acl
171 #############################################################################
174 # Perform greylisting on incoming messages from remote hosts.
175 # We do NOT greylist messages with no envelope sender, because that
176 # would conflict with remote hosts doing callback verifications, and we
177 # might not be able to send mail to such hosts for a while (until the
178 # callback attempt is no longer greylisted, and then some).
180 # We also check the local whitelist to avoid greylisting mail from
181 # hosts that are expected to forward mail here (such as backup MX hosts,
182 # list servers, etc).
184 # Because the recipient address has not yet been verified, we do so
185 # now and skip this statement for non-existing recipients. This is
186 # in order to allow for a 550 (reject) response below. If the delivery
187 # happens over a remote transport (such as "smtp"), recipient callout
188 # verification is performed, with the original sender intact.
# Greylisting statement evaluated at RCPT time.
# NOTE(review): the ACL verb line and several continuation lines are missing
# from this listing (the numbering jumps); restore them from the installed
# file before using this statement.
191 message = $sender_host_address is not yet authorized to deliver. \
193 log_message = greylisted.
# Exempt from greylisting: the empty host item, +relay_from_hosts, and the
# greylistd whitelist files when they exist.
195 !hosts = : +relay_from_hosts : \
196 ${if exists {/etc/greylistd/whitelist-hosts}\
197 {/etc/greylistd/whitelist-hosts}{}} : \
198 ${if exists {/var/lib/greylistd/whitelist-hosts}\
199 {/var/lib/greylistd/whitelist-hosts}{}}
201 !acl = acl_whitelist_local_deny
# Only for recipients in local domains, relay domains, or domains that have
# an entry under /etc/exim4/virtual (dsearch lookup).
202 domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
# The recipient must verify first. The callout waits up to 20s, uses the
# original sender, and a callout that cannot complete counts as success (defer_ok).
203 verify = recipient/callout=20s,use_sender,defer_ok
# Query greylistd over its Unix socket. The sender IP is masked to its /24
# network, so presumably hosts in the same /24 share one greylist entry.
204 condition = ${readsocket{/var/run/greylistd/socket}\
206 ${mask:$sender_host_address/24}} \
208 # $local_part@$domain}\
213 # Accept if the address is in a local domain, but only if the recipient can
214 # be verified. Otherwise deny. The "endpass" line is the border between
215 # passing on to the next ACL statement (if tests above it fail) or denying
216 # access (if tests below it fail).
218 accept domains = +local_domains
220 message = unknown user
223 accept domains = dsearch;/etc/exim4/virtual
225 message = unknown user
228 # Accept if the address is in a domain for which we are relaying, but again,
229 # only if the recipient can be verified.
231 accept domains = +relay_to_domains
233 message = unrouteable address
236 # If control reaches this point, the domain is neither in +local_domains
237 # nor in +relay_to_domains.
239 # Accept if the message comes from one of the hosts for which we are an
240 # outgoing relay. Recipient verification is omitted here, because in many
241 # cases the clients are dumb MUAs that don't cope well with SMTP error
242 # responses. If you are actually relaying out from MTAs, you should probably
243 # add recipient verification here.
245 accept hosts = +relay_from_hosts
247 # Accept if the message arrived over an authenticated connection, from
248 # any host. Again, these messages are usually from MUAs, so recipient
249 # verification is omitted.
251 accept authenticated = *
253 # Reaching the end of the ACL causes a "deny", but we might as well give
254 # an explicit message.
256 deny message = relay not permitted
261 /etc/exim4/conf.d/acl/40_exim4-config_check_data
263 # 40_exim4-config_check_data
266 # greylistd(8) configuration follows.
267 # This statement has been added by "greylistd-setup-exim4",
268 # and can be removed by running "greylistd-setup-exim4 remove".
269 # Any changes you make here will then be lost.
271 # Perform greylisting on incoming messages with no envelope sender here.
272 # We did not subject these to greylisting after RCPT TO:, because that
273 # would interfere with remote hosts doing sender callout verifications.
275 # Because there is no sender address, we supply only two data items:
276 # - The remote host address
277 # - The recipient address (normally, bounces have only one recipient)
279 # We also check the local whitelist to avoid greylisting mail from
280 # hosts that are expected to forward mail here (such as backup MX hosts,
281 # list servers, etc).
# Greylisting statement evaluated after DATA.
# NOTE(review): the ACL verb line and several continuation lines are missing
# from this listing (the numbering jumps); restore them from the installed
# file before using this statement.
284 message = $sender_host_address is not yet authorized to deliver. \
286 log_message = greylisted.
# Exempt from greylisting: the empty host item, +relay_from_hosts, and the
# greylistd whitelist files when they exist.
288 !hosts = : +relay_from_hosts : \
289 ${if exists {/etc/greylistd/whitelist-hosts}\
290 {/etc/greylistd/whitelist-hosts}{}} : \
291 ${if exists {/var/lib/greylistd/whitelist-hosts}\
292 {/var/lib/greylistd/whitelist-hosts}{}}
294 !acl = acl_whitelist_local_deny
# Query greylistd over its Unix socket with the sender IP masked to its /24 network.
295 condition = ${readsocket{/var/run/greylistd/socket}\
297 ${mask:$sender_host_address/24}} \
302 # Deny unless the address list headers are syntactically correct.
304 # This is disabled by default because it might reject legitimate mail.
305 # If you want your system to insist on syntactically valid address
306 # headers, you might want to enable the following lines.
307 # deny message = Message headers fail syntax check
308 # !acl = acl_whitelist_local_deny
309 # !verify = header_syntax
311 # require that there is a verifiable sender address in at least
312 # one of the "Sender:", "Reply-To:", or "From:" header lines.
313 # deny message = No verifiable sender address in message headers
314 # !acl = acl_whitelist_local_deny
315 # !verify = header_sender
# Reject messages with a serious MIME defect (error level above 2).
# NOTE(review): $demime_reason and $demime_errorlevel are set by the demime
# condition, whose line is missing from this listing. demime was deprecated
# and later removed from Exim; confirm the installed version still accepts it.
318 deny message = Serious MIME defect detected ($demime_reason)
320 condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Reject attachments whose lower-cased file name ends in a listed extension.
# NOTE(review): $mime_filename is filled in while MIME parts are processed;
# confirm it is populated at the point where this check runs. The list is
# short, so treat it as a supplement to the malware scan, not a replacement.
322 deny message = Blacklisted file extension detected
323 condition = ${if match \
324 {${lc:$mime_filename}} \
325 {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
# NOTE(review): the closing lines of the condition above and the malware
# condition line of the statement below are missing from this listing.
# $malware_name is set by the malware condition, which uses av_scanner.
328 deny message = This message contains malware ($malware_name)
332 # Always put X-Spam-Score header in the message.
333 # It looks like this:
334 # X-Spam-Score: 6.6 (++++++)
335 # When a MUA cannot match numbers, it can match for an
336 # equivalent number of '+' signs.
337 # The 'true' makes sure that the header is always put
338 # in, no matter what the score.
# The size condition comes first: messages of 300k or more skip this
# statement, so they are not passed to spamd and get no header.
339 warn message = X-Spam-Score: $spam_score ($spam_bar)
340 condition = ${if <{$message_size}{300k}{1}{0}}
341 spam = spamassassin:true
343 # Add an "X-Spam-Flag: YES" header when the SpamAssassin
344 # score is above 3.0. $spam_score_int holds the score
345 # multiplied by ten, so the threshold below is written
346 # as 30. (No X-Spam-Report header is added here.)
347 warn message = X-Spam-Flag: YES
348 condition = ${if <{$message_size}{300k}{1}{0}}
349 spam = spamassassin:true
350 condition = ${if >{$spam_score_int}{30}{1}{0}}
# Reject at SMTP time when the score is above 10.0 ($spam_score_int > 100).
# The same 300k size limit applies, so larger messages are never rejected
# by this statement.
353 deny message = Spam score too high ($spam_score)
354 condition = ${if <{$message_size}{300k}{1}{0}}
355 spam = spamassassin:true
356 condition = ${if >{$spam_score_int}{100}{1}{0}}