1 == Exim Konfiguration: ==
\r
# Install the virus scanner, SpamAssassin (with its spamc client) and greylistd,
# the services the Exim ACLs on this page call out to.
7 sudo aptitude install clamav spamassassin spamc greylistd
\r
# Put the clamav user into the Debian-exim group. Presumably this is so clamd
# can read the message files Exim hands it for scanning - confirm against the
# spool directory permissions.
9 adduser clamav Debian-exim
\r
# Put Debian-exim into the clamav group as well. NOTE(review): this gives the
# mail daemon group access to clamav-owned files; keep it only if Exim cannot
# otherwise reach the clamd socket.
10 adduser Debian-exim clamav
\r
13 /etc/clamav/clamd.conf
\r
15 #Automatically Generated by clamav-base postinst
\r
16 #To reconfigure clamd run #dpkg-reconfigure clamav-base
\r
17 #Please read /usr/share/doc/clamav-base/README.Debian.gz for details
\r
# Unix socket clamd listens on. The av_scanner setting in the Exim options file
# on this page points at this same path; the two must stay in sync.
18 LocalSocket /var/run/clamav/clamd.ctl
\r
# Let clamd pick up the supplementary groups of its user, which is what makes
# the Debian-exim group membership added with adduser take effect.
21 AllowSupplementaryGroups
\r
# Archive scanning limits: nesting depth, number of files, per-file size and
# compression ratio. They bound the work a single message can force on the
# scanner (deeply nested or highly compressed archives).
# NOTE(review): content beyond these limits is presumably not scanned - confirm
# whether over-limit archives are passed or blocked on your version.
# NOTE(review): the Archive* option names come from older ClamAV releases;
# check clamd.conf(5) for the installed version (newer releases use
# MaxRecursion, MaxFiles and MaxFileSize).
24 ArchiveMaxRecursion 5
\r
25 ArchiveMaxFiles 1000
\r
26 ArchiveMaxFileSize 10M
\r
27 ArchiveMaxCompressionRatio 250
\r
# Maximum number of queued connections waiting for clamd.
30 MaxConnectionQueueLength 15
\r
31 LogFile /var/log/clamav/clamav.log
\r
34 PidFile /var/run/clamav/clamd.pid
\r
# Signature database location; detection is only as current as these files.
35 DatabaseDirectory /var/lib/clamav
\r
# Also report malformed executables (PE/ELF) as a detection.
39 DetectBrokenExecutables
\r
45 /etc/exim4/conf.d/main/02_exim4-config_options
\r
47 ### main/02_exim4-config_options
\r
48 #################################
\r
# Scanner used by the malware ACL condition: clamd over its local Unix socket.
# The path has to match LocalSocket in /etc/clamav/clamd.conf.
50 av_scanner = clamd:/var/run/clamav/clamd.ctl
\r
# SpamAssassin daemon used by the spam ACL condition. Loopback address, so
# message content is not sent over the network for scoring.
51 spamd_address = 127.0.0.1 783
\r
56 /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
\r
58 # This access control list is used for every RCPT command in an incoming
\r
59 # SMTP message. The tests are run in order until the address is either
\r
60 # accepted or denied.
\r
64 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
\r
65 # testing for an empty sending host field.
\r
68 # Add missing Date and Message-ID header for relayed messages
\r
# Treat mail from relay_from_hosts as a submission so Exim fixes up missing
# headers. sender_retain leaves an existing Sender: header in place, so every
# host in relay_from_hosts is trusted with its own header contents; keep that
# host list tight.
69 warn hosts = +relay_from_hosts
\r
70 control = submission/sender_retain
\r
72 # The following section of the ACL is concerned with local parts that contain
\r
73 # @ or % or ! or / or | or dots in unusual places.
\r
75 # The characters other than dots are rarely found in genuine local parts, but
\r
76 # are often tried by people looking to circumvent relaying restrictions.
\r
77 # Therefore, although they are valid in local parts, these rules lock them
\r
78 # out, as a precaution.
\r
80 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
\r
81 # allows them because they have been encountered. (Consider local parts
\r
82 # constructed as "firstinitial.secondinitial.familyname" when applied to
\r
83 # someone like me, who has no second initial.) However, a local part starting
\r
84 # with a dot or containing /../ can cause trouble if it is used as part of a
\r
85 # file name (e.g. for a mailing list). This is also true for local parts that
\r
86 # contain slashes. A pipe symbol can also be troublesome if the local part is
\r
87 # incorporated unthinkingly into a shell command line.
\r
89 # Two different rules are used. The first one is stricter, and is applied to
\r
90 # messages that are addressed to one of the local domains handled by this
\r
91 # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
\r
92 # If you have local accounts that include these characters, you will have to
\r
# Local domains: reject a local part that starts with a dot or contains any of
# @ % ! / | ' ` # & ?
# NOTE(review): this character class is wider than the rule described in the
# comment above (which lists only @ % ! / |), so addresses using ' ` # & or ?
# in the local part are refused as well.
94 deny domains = +local_domains
\r
95 local_parts = ^[.] : ^.*[@%!/|\'`#&?]
\r
96 message = restricted characters in address
\r
98 # The second rule applies to all other domains, and is less strict. This
\r
99 # allows your own users to send outgoing messages to sites that use slashes
\r
100 # and vertical bars in their local parts. It blocks local parts that begin
\r
101 # with a dot, slash, or vertical bar, but allows these characters within the
\r
102 # local part. However, the sequence /../ is barred. The use of @ % and ! is
\r
103 # blocked, as before. The motivation here is to prevent your users (or
\r
104 # your users' viruses) from mounting certain kinds of attack on remote sites.
\r
# Non-local domains: reject a local part that starts with . / or |, contains
# any of @ % ! ' ` # & ?, or contains the sequence /../ (the doubled
# backslashes escape the dots in the pattern).
# NOTE(review): as with the local-domain rule, ' ` # & ? go beyond the
# characters named in the comment above.
106 deny domains = !+local_domains
\r
107 local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
\r
108 message = restricted characters in address
\r
110 # Accept mail to postmaster in any local domain, regardless of the source,
\r
111 # and without verifying the sender.
\r
# Placed ahead of the blacklist and greylist statements that follow, so mail to
# postmaster is accepted before any of those checks run.
113 accept local_parts = postmaster
\r
114 domains = +local_domains
\r
116 # deny bad senders (envelope sender)
\r
117 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
\r
118 # should have their access denied to the local host. Incoming messages
\r
119 # with one of these senders are rejected at RCPT time.
\r
121 # The explicit white lists are honored as well as negative items in
\r
122 # the black list. See /usr/share/doc/exim4-config/default_acl for details.
\r
# Reject at RCPT time when the envelope sender is listed in
# CONFDIR/local_sender_blacklist, unless acl_whitelist_local_deny accepts.
# The file is only consulted when it exists.
# NOTE(review): the end of the senders expansion (gutter lines 127-128) is not
# shown in this listing; copy the complete statement from the installed file.
123 deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
\r
124 !acl = acl_whitelist_local_deny
\r
125 senders = ${if exists{CONFDIR/local_sender_blacklist}\
\r
126 {CONFDIR/local_sender_blacklist}\
\r
129 # deny bad sites (IP address)
\r
130 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
\r
131 # and networks (CIDR notation) that should have their access denied to
\r
132 # The local host. Messages coming in from a listed host will have all
\r
133 # RCPT statements rejected.
\r
135 # The explicit white lists are honored as well as negative items in
\r
136 # the black list. See /usr/share/doc/exim4-config/default_acl for details.
\r
# Reject at RCPT time when the connecting host is listed in
# CONFDIR/local_host_blacklist, unless acl_whitelist_local_deny accepts.
# The file is only consulted when it exists.
# NOTE(review): the end of the hosts expansion (gutter lines 141-142) is not
# shown in this listing; copy the complete statement from the installed file.
137 deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
\r
138 !acl = acl_whitelist_local_deny
\r
139 hosts = ${if exists{CONFDIR/local_host_blacklist}\
\r
140 {CONFDIR/local_host_blacklist}\
\r
145 # Deny unless the sender address can be verified.
\r
147 # This is disabled by default so that DNSless systems don't break. If
\r
148 # your system can do DNS lookups without delay or cost, you might want
\r
149 # to enable the following line.
\r
150 #deny message = Sender verification failed
\r
151 # !acl = acl_whitelist_local_deny
\r
154 # Warn if the sender host does not have valid reverse DNS.
\r
156 # This is disabled by default so that DNSless systems don't break. If
\r
157 # your system can do DNS lookups without delay or cost, you might want
\r
158 # to enable the following lines.
\r
159 # If sender_host_address is defined, it's a remote call. If
\r
160 # sender_host_name is not defined, then reverse lookup failed. Use
\r
161 # this instead of !verify = reverse_host_lookup to catch deferrals
\r
162 # as well as outright failures.
\r
# Header-only check: a failed or deferred reverse lookup adds
# X-Host-Lookup-Failed, nothing is rejected.
# NOTE(review): this statement is active here although the comment above
# describes it as disabled by default, so it needs working DNS.
# NOTE(review): the condition expansion is cut off in this listing (gutter
# lines 165-166 are missing).
163 warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
\r
164 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
\r
167 #############################################################################
\r
168 # There are no checks on DNS "black" lists because the domains that contain
\r
169 # these lists are changing all the time. You can find examples of
\r
170 # how to use dnslists in /usr/share/doc/exim4-config/examples/acl
\r
171 #############################################################################
\r
174 # Perform greylisting on incoming messages from remote hosts.
\r
175 # We do NOT greylist messages with no envelope sender, because that
\r
176 # would conflict with remote hosts doing callback verifications, and we
\r
177 # might not be able to send mail to such hosts for a while (until the
\r
178 # callback attempt is no longer greylisted, and then some).
\r
180 # We also check the local whitelist to avoid greylisting mail from
\r
181 # hosts that are expected to forward mail here (such as backup MX hosts,
\r
182 # list servers, etc).
\r
184 # Because the recipient address has not yet been verified, we do so
\r
185 # now and skip this statement for non-existing recipients. This is
\r
186 # in order to allow for a 550 (reject) response below. If the delivery
\r
187 # happens over a remote transport (such as "smtp"), recipient callout
\r
188 # verification is performed, with the original sender intact.
\r
# Greylisting statement for RCPT time.
# NOTE(review): the ACL verb line (gutter 190) and several continuation lines
# (192, 194, 200, 205, 209-211) are missing from this listing; take the
# complete statement from the installed file.
191 message = $sender_host_address is not yet authorized to deliver. \
\r
193 log_message = greylisted.
\r
# Hosts exempt from greylisting: local SMTP, relay_from_hosts and the two
# greylistd whitelist files. Anything listed there skips the delay entirely,
# so the files should be writable only by trusted accounts.
195 !hosts = : +relay_from_hosts : \
\r
196 ${if exists {/etc/greylistd/whitelist-hosts}\
\r
197 {/etc/greylistd/whitelist-hosts}{}} : \
\r
198 ${if exists {/var/lib/greylistd/whitelist-hosts}\
\r
199 {/var/lib/greylistd/whitelist-hosts}{}}
\r
201 !acl = acl_whitelist_local_deny
\r
# dsearch matches when a file named after the recipient domain exists in
# /etc/exim4/virtual.
202 domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
\r
# Recipient callout with the real envelope sender (use_sender), 20s limit.
# defer_ok treats a callout that cannot be completed as a success, so an
# unreachable back-end does not block mail but also does not verify anything.
203 verify = recipient/callout=20s,use_sender,defer_ok
\r
# Only the sender's /24 network is passed to greylistd; the sender and
# recipient items are commented out below. One accepted delivery therefore
# clears the whole /24 for every sender and recipient, which is more lenient
# than keying on host, sender and recipient together.
204 condition = ${readsocket{/var/run/greylistd/socket}\
\r
206 ${mask:$sender_host_address/24}} \
\r
207 # $sender_address \
\r
208 # $local_part@$domain}\
\r
213 # Accept if the address is in a local domain, but only if the recipient can
\r
214 # be verified. Otherwise deny. The "endpass" line is the border between
\r
215 # passing on to the next ACL statement (if tests above it fail) or denying
\r
216 # access (if tests below it fail).
\r
# Three accept statements: local domains, virtual domains (dsearch in
# /etc/exim4/virtual) and relay_to_domains.
# NOTE(review): the lines between the domains and message modifiers (gutters
# 219, 221, 224, 226, 232, 234) are missing from this listing; going by the
# comments, they are presumably the endpass and recipient-verification lines.
# Without them these statements would accept unverified recipients, so copy
# the complete statements from the installed file.
218 accept domains = +local_domains
\r
220 message = unknown user
\r
223 accept domains = dsearch;/etc/exim4/virtual
\r
225 message = unknown user
\r
228 # Accept if the address is in a domain for which we are relaying, but again,
\r
229 # only if the recipient can be verified.
\r
231 accept domains = +relay_to_domains
\r
233 message = unrouteable address
\r
236 # If control reaches this point, the domain is neither in +local_domains
\r
237 # nor in +relay_to_domains.
\r
239 # Accept if the message comes from one of the hosts for which we are an
\r
240 # outgoing relay. Recipient verification is omitted here, because in many
\r
241 # cases the clients are dumb MUAs that don't cope well with SMTP error
\r
242 # responses. If you are actually relaying out from MTAs, you should probably
\r
243 # add recipient verification here.
\r
# Unauthenticated relaying to any destination for the listed hosts; the
# relay_from_hosts list should contain only addresses you control.
245 accept hosts = +relay_from_hosts
\r
247 # Accept if the message arrived over an authenticated connection, from
\r
248 # any host. Again, these messages are usually from MUAs, so recipient
\r
249 # verification is omitted.
\r
# Any successful SMTP AUTH permits relaying from any host, so this relay is
# only as strong as the account passwords and the AUTH setup (configured
# elsewhere, not shown on this page - confirm AUTH is offered over TLS only).
251 accept authenticated = *
\r
253 # Reaching the end of the ACL causes a "deny", but we might as well give
\r
254 # an explicit message.
\r
# Catch-all: a recipient that no accept statement above matched is refused.
256 deny message = relay not permitted
\r
261 /etc/exim4/conf.d/acl/40_exim4-config_check_data
\r
263 # 40_exim4-config_check_data
\r
266 # greylistd(8) configuration follows.
\r
267 # This statement has been added by "greylistd-setup-exim4",
\r
268 # and can be removed by running "greylistd-setup-exim4 remove".
\r
269 # Any changes you make here will then be lost.
\r
271 # Perform greylisting on incoming messages with no envelope sender here.
\r
272 # We did not subject these to greylisting after RCPT TO:, because that
\r
273 # would interfere with remote hosts doing sender callout verifications.
\r
275 # Because there is no sender address, we supply only two data items:
\r
276 # - The remote host address
\r
277 # - The recipient address (normally, bounces have only one recipient)
\r
279 # We also check the local whitelist to avoid greylisting mail from
\r
280 # hosts that are expected to forward mail here (such as backup MX hosts,
\r
281 # list servers, etc).
\r
# Greylisting statement for messages with an empty envelope sender, run at
# DATA time.
# NOTE(review): the ACL verb line (gutter 283) and several continuation lines
# (285, 287, 293, 296, 298-300) are missing from this listing; take the
# complete statement from the installed file.
284 message = $sender_host_address is not yet authorized to deliver. \
\r
286 log_message = greylisted.
\r
# Hosts exempt from greylisting: local SMTP, relay_from_hosts and the two
# greylistd whitelist files.
288 !hosts = : +relay_from_hosts : \
\r
289 ${if exists {/etc/greylistd/whitelist-hosts}\
\r
290 {/etc/greylistd/whitelist-hosts}{}} : \
\r
291 ${if exists {/var/lib/greylistd/whitelist-hosts}\
\r
292 {/var/lib/greylistd/whitelist-hosts}{}}
\r
294 !acl = acl_whitelist_local_deny
\r
# The host item sent to greylistd is the sender's /24 network, not the single
# address. Whether the recipient item is still sent cannot be seen from the
# lines shown here.
295 condition = ${readsocket{/var/run/greylistd/socket}\
\r
297 ${mask:$sender_host_address/24}} \
\r
302 # Deny unless the address list headers are syntactically correct.
\r
304 # This is disabled by default because it might reject legitimate mail.
\r
305 # If you want your system to insist on syntactically valid address
\r
306 # headers, you might want to enable the following lines.
\r
307 # deny message = Message headers fail syntax check
\r
308 # !acl = acl_whitelist_local_deny
\r
309 # !verify = header_syntax
\r
311 # require that there is a verifiable sender address in at least
\r
312 # one of the "Sender:", "Reply-To:", or "From:" header lines.
\r
313 # deny message = No verifiable sender address in message headers
\r
314 # !acl = acl_whitelist_local_deny
\r
315 # !verify = header_sender
\r
# Reject when the MIME error level is above 2.
# NOTE(review): $demime_errorlevel and $demime_reason are filled in by the
# demime condition, whose line (gutter 319) is missing from this listing.
# demime is obsolete and was removed in Exim 4.88; on a current Exim, do MIME
# checks in the MIME ACL (acl_smtp_mime) instead - confirm against the
# installed version.
318 deny message = Serious MIME defect detected ($demime_reason)
\r
320 condition = ${if >{$demime_errorlevel}{2}{1}{0}}
\r
# Reject attachments whose lower-cased file name ends in one of seven listed
# extensions.
# NOTE(review): $mime_filename is only set while the MIME ACL (acl_smtp_mime)
# runs; this page places the statement in the check_data file, so confirm it
# is actually evaluated where the variable has a value.
# NOTE(review): a name-based list is a supplement to the malware scan, not a
# replacement - it covers only these extensions and says nothing about content.
# NOTE(review): the end of the condition (gutter 326) is missing here.
322 deny message = Blacklisted file extension detected
\r
323 condition = ${if match \
\r
324 {${lc:$mime_filename}} \
\r
325 {\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
\r
# Reject messages the virus scanner flags; $malware_name carries the
# detection name into the SMTP response.
# NOTE(review): the condition lines that invoke the scanner (gutters 329-330)
# are missing from this listing; a deny with no condition would refuse every
# message, so copy the complete statement from the installed file.
328 deny message = This message contains malware ($malware_name)
\r
332 # Always put X-Spam-Score header in the message.
\r
333 # It looks like this:
\r
334 # X-Spam-Score: 6.6 (++++++)
\r
335 # When a MUA cannot match numbers, it can match for an
\r
336 # equivalent number of '+' signs.
\r
337 # The 'true' makes sure that the header is always put
\r
338 # in, no matter what the score.
\r
# The size condition is tested first, so SpamAssassin is only called for
# messages under 300k. Larger messages get no X-Spam-Score header and are
# never scored.
339 warn message = X-Spam-Score: $spam_score ($spam_bar)
\r
340 condition = ${if <{$message_size}{300k}{1}{0}}
\r
341 spam = spamassassin:true
\r
343 # Always put X-Spam-Report header in the message.
\r
344 # This is a multiline header that informs the user
\r
345 # which tests a message has "hit", and how much a
\r
346 # test has contributed to the score.
\r
# Adds X-Spam-Flag: YES when $spam_score_int is above 30, for messages under
# 300k. $spam_score_int is the score multiplied by ten, so 30 means 3.0.
# NOTE(review): the comment above describes an X-Spam-Report header; the
# statement shown here adds X-Spam-Flag, and no X-Spam-Report is added
# anywhere in this listing.
347 warn message = X-Spam-Flag: YES
\r
348 condition = ${if <{$message_size}{300k}{1}{0}}
\r
349 spam = spamassassin:true
\r
350 condition = ${if >{$spam_score_int}{30}{1}{0}}
\r
# Reject at SMTP time when $spam_score_int is above 100 (score 10.0).
# Because of the size condition, messages of 300k or more are never scanned
# and therefore never rejected here; raise the limit if that gap matters and
# the scanner can carry the load.
353 deny message = Spam score too high ($spam_score)
\r
354 condition = ${if <{$message_size}{300k}{1}{0}}
\r
355 spam = spamassassin:true
\r
356 condition = ${if >{$spam_score_int}{100}{1}{0}}
\r