Re: [Exim] exim 4 subject line blocking

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: cami
Dátum:  
Címzett: exim-users
Tárgy: Re: [Exim] exim 4 subject line blocking
| lsearch (like all lookups) is a key-value thing. It isn't a pattern
| match like fgrep would be. That _does_ work, if the exact subject
| string is a key in the lsearch file, and if the lsearch file is a
| valid lsearch file.


well, this is what the files look like, perhaps someone could tell me what i'm doing wrong
because i cant figure it out and all tests i send fail..

[cipher][/usr/local/exim]# cat configure
######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
#
# Specify your host's canonical name here. This should normally be the
# fully qualified "official" name  of your host. If this option is not
# set, the uname() function is called to obtain the name.In many cases
# this does the right  thing and you need not set anything explicitly.
#
######################################################################
primary_hostname = net-152-28.mweb.co.za


######################################################################
#
#   domainlist local_domains = my.first.domain : my.second.domain
#
# You can use "@" to mean "the name  of the local host",  as in  the
# default  setting  above.  This is the  name  that  is specified by
# primary_hostname, as specified above (or defaulted). If you do not
# want to do any local deliveries,  remove the  "@" from the setting
# above. If you want to accept mail addressed to your host's literal
# IP address, for example, mail addressed to "user@???",
# you can add "@[]" as an item in the  local domains list.  You also
# need  to  uncomment  "allow_domain_literals"  below.  This  is not
# recommended for today's Internet.
#
######################################################################
domainlist local_domains    = @ : hack.co.za


######################################################################
#
# The second setting specifies domains for which your host is an
# incoming relay. If you are not doing any relaying, you should leave
# the list empty. However, if your host is an MX backup or gateway of
# some kind for some domains, you must set relay_to_domains to match
# those domains. For example:
#
# domainlist relay_to_domains = *.myco.com : my.friend.org
#
# This will allow any host to relay through your host to those domains.
# See the section of the manual entitled "Control of relaying" for more
# information
#
#####################################################################
domainlist relay_to_domains = @mx_any

######################################################################
#
# The third setting specifies hosts that can use your host as an
# outgoing relay to any other host on the Internet. Such a setting
# commonly refers to a complete local network as well as the localhost.
#
# For example:
#
# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
#
# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note
# that you have to include 127.0.0.1 if you want to allow processes on
# your host to send SMTP mail by using the loopback address. A number
# of MUAs use this method of sending mail
#
#####################################################################
hostlist relay_from_hosts = "lsearch:/usr/local/exim/relay_hosts.txt"

#####################################################################
#
# smtp banner
#
# smtp_banner = " " -> will remove the banner..
# smtp_banner = ESMTP -> rfc compliant..
#
#####################################################################
smtp_banner = " "

#####################################################################
#
# If this option is set, incoming SMTP calls from the hosts listed
# are rejected as soon as the connection is made. This option is
# provided for use in unusual cases. Many host will just try again.
# Normally, it is better to use an ACL to reject incoming messages at
# a later stage, such as after RCPT commands. See chapter 37.
#
#####################################################################
host_reject_connection      = lsearch;/usr/local/exim/reject_host.txt


##############################################################
#
# helo_accept_junk_hosts
# Type: host list, expanded
# Default: unset
#
# Exim checks the syntax of HELO and EHLO commands for
# incoming SMTP mail, and gives an error response for
# invalid data. Unfortunately, there are some SMTP clients
# that send syntactic junk. They can be accommodated by
# setting this option. Note that this is a syntax check
# only. See helo_verify_hosts if you want to do semantic
# checking.
#
##############################################################
helo_accept_junk_hosts = *

#####################################################################
#
# By setting the log_selector global option, you can disable some of
# Exim's default logging, or you can request additional logging. The
# value of log_selector is made up of names preceded by plus or minus
# characters.
#
# For example:
#
#   log_selector = +arguments -retry_defer
#
# The list of optional log items is in the following table, with the
# default selection marked by asterisks:
#
#   address_rewrite    ->  address rewriting
#   all_parentsi       ->  all parents in => lines
#   arguments          ->  command line arguments
#  *connection_reject  ->  connection rejections
#  *delay_delivery     ->  immediate delivery delayed (message queued)
#   delivery_size      ->  add S=nnn to => lines
#  *dnslist_defer      ->  defers of DNS list (aka RBL) lookups
#  *etrn               ->  ETRN commands
#   incoming_interface ->  incoming interface on <= lines
#   incoming_port      ->  incoming port on <= lines
#  *lost_incoming_connection ->  as it says (includes timeouts)
#  *queue_run           ->  start and end queue runs
#   received_recipients ->  recipients on <= lines
#   received_sender     ->  sender on <= lines
#  *retry_defer         ->  ``retry time not reached''
#   sender_on_delivery  ->  add sender to => lines
#  *size_reject         ->  rejection because too big
#  *skip_delivery       ->  ``message is frozen'', ``spool file is locked''
#   smtp_confirmation   ->  SMTP confirmation on <= lines
#   smtp_connection     ->  SMTP connections
#   smtp_protocol_error ->  SMTP protocol errors
#   smtp_syntax_error   ->  SMTP syntax errors
#   subject             ->  contents of Subject: on <= lines
#  *tls_cipher          ->  TLS cipher on <= lines
#   tls_peerdn          ->  TLS peer DN on <= lines
#
#   all   all of the above
#
#####################################################################
log_selector = +all -arguments -queue_run -smtp_confirmation


#####################################################################
#
# acl_smtp_data:
#
# we use it to do subject header checking
#
#####################################################################
acl_smtp_data = check_subject

#####################################################################
#
# All three of these lists may contain many different kinds of item,
# including wildcarded names, regular expressions, and file lookups.
# See the reference manual for details. The lists above are used in
# the access control list for incoming messages.The name of this ACL
# is defined here:
#
#####################################################################
acl_smtp_rcpt = acl_check_rcpt

#####################################################################
#
# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@???" that is, with a "domain
# literal" (an IP address) instead of a named domain. The RFCs still
# require this form, but it makes little sense to permit mail to be
# sent to specific hosts by their IP address in the modern Internet.
# This ancient format has been used by those seeking to abuse hosts
# by using them for unwanted relaying. If you really do want to
# support domain literals, uncomment the following line, and see also
# the "domain_literal" router below.
#
#####################################################################
# allow_domain_literals

#####################################################################
#
# No deliveries will ever be run under the uids of these users
# (a colon-separated list). An attempt to do so causes a panic error
# to be logged, and the delivery to be deferred. This is a paranoic
# safety catch. Note that the default setting means you cannot deliver
# mail addressed to root as if it were a normal user. This isn't
# usually a problem, as most sites have an alias for root that
# redirects such mail to a human administrator.
#
#####################################################################
never_users = root

#####################################################################
#
# The setting below causes Exim to do a reverse DNS lookup on all
# incoming IP calls, in order to get the true host name. If you feel
# this is too expensive, you can specify the networks for which a
# lookup is done, or remove the setting entirely.
#
#####################################################################
host_lookup = *

#####################################################################
#
# The settings below, which are actually the same as the defaults in
# the code, cause Exim to make RFC 1413 (ident) callbacks for all
# incoming SMTP calls. You can limit the hosts to which these calls
# are made, and/or change the timeout that is used. If you set the
# timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
# are cheap and can provide useful information for tracing problem
# messages, but some hosts and firewalls have problems with them.
# This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up an SMTP session.
#
#####################################################################
rfc1413_hosts = *
rfc1413_query_timeout = 0s

#####################################################################
#
# When Exim can neither deliver a message nor return it to sender, it
# "freezes" the delivery error message (aka "bounce message"). There
# are also other circumstances in which messages get frozen. They
# will stay on the queue for ever unless one of the following options
# is set.
#
# ignore_bounce_errors_after:
#
# This option unfreezes frozen bounce messages after two days,
# tries once more to deliver them, and ignores any delivery failures.
#
# timeout_frozen_after:
#
# This option cancels (removes) frozen messages that are older than
# X amount of days..
#
#####################################################################
ignore_bounce_errors_after = 2d
timeout_frozen_after = 1d

######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl


######################################################################
#
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
######################################################################
acl_check_rcpt:

####################################################################
#
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do
# this by testing for an empty sending host field.
#
####################################################################
accept hosts = :

  ####################################################################
  #
  # Deny if the local part contains @ or % or / or | or !. These are
  # rarely found in genuine local parts, but are often tried by people
  # looking to circumvent relaying restrictions.
  #
  ####################################################################
  deny    local_parts   = ^.*[@%!/|]


  ####################################################################
  #
  # Accept mail to postmaster in any local domain, regardless of the
  # source, and without verifying the sender.
  #
  ####################################################################
  accept  local_parts   = postmaster
          domains       = +local_domains


####################################################################
#
# Deny sender/spam domain(s)
#
####################################################################
deny sender_domains = lsearch;/usr/local/exim/reject_domain.txt

  ####################################################################
  #
  # Deny sender/spam email addresse(s)
  #
  ####################################################################
  deny    senders       = lsearch;/usr/local/exim/reject_email-from.txt


  ####################################################################
  #
  # Deny unless the sender address can be verified.
  #
  ####################################################################
  require verify        = sender


  ####################################################################
  #
  # Accept if the address is in a local domain, but only if the
  # recipient can be verified. Otherwise deny. The "endpass" line is
  # the border between passing on to the next ACL statement (if tests
  # above it fail) or denying access (if tests below it fail).
  #
  ####################################################################
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient


  ####################################################################
  #
  # Accept if the address is in a domain for which we are relaying,
  # but again,
  # only if the recipient can be verified.
  #
  ####################################################################
  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient


  ####################################################################
  #
  # If control reaches this point, the domain is neither in
  # +local_domains nor in +relay_to_domains.
  #
  # Accept if the message comes from one of the hosts for which we are
  # an outgoing relay. Recipient verification is omitted here, because
  # in many cases the clients are dumb MUAs that don't cope well with
  # SMTP error responses. If you are actually relaying out from MTAs,
  # you should probably add recipient verification here.
  #
  ####################################################################
  accept  hosts         = +relay_from_hosts


####################################################################
#
# Accept if the message arrived over an authenticated connection,
# from any host. Again, these messages are usually from MUAs, so
# recipient verification is omitted.
#
####################################################################
accept authenticated = *

  ####################################################################
  #
  # Reaching the end of the ACL causes a "deny", but we might as well
  # give an explicit message.
  ####################################################################
  deny    message       = relay not permitted


check_subject:
  deny condition = ${lookup {$h_Subject:} lsearch \
    {/usr/local/exim/reject_subject.txt}}
  message = "well, you asked!"
  accept


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################
begin routers


######################################################################
#
# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
# as the local host inside the network stack. It is not 0.0.0.0/0, the default
# route. If the DNS lookup fails, no further routers are tried because of
# the no_more setting, and consequently the address is unrouteable.
#
######################################################################
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

######################################################################
#
# This router handles aliasing using a traditional /etc/aliases file.
#
##### NB You must ensure that /etc/aliases exists. It used to be the case
##### NB that every Unix had that file, because it was the Sendmail default.
##### NB These days, there are systems that don't have it. Your aliases
##### NB file should at least contain an alias for "postmaster".
#
# If any of your aliases expand to pipes or files, you will need to
# set up a user and a group for these deliveries to run under. You
# can do this by uncommenting the "user" option below (changing the
# user name as appropriate) and adding a "group" option if necessary.
# Alternatively, you can specify "user" on the transports that are
# used. Note that the transports listed below are the same as are
# used for .forward files; you might want to set up different ones
# for pipe and file deliveries from aliases.
#
######################################################################
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe

######################################################################
#
# This router matches local user mailboxes.
#
######################################################################
localuser:
driver = accept
check_local_user
transport = local_delivery

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################
#
# A transport is used only when referenced from a router that
# successfully handles an address.
#
######################################################################
begin transports


######################################################################
#
# This transport is used for delivering messages over SMTP connections.
#
######################################################################
remote_smtp:
driver = smtp

######################################################################
#
# This transport is used for local delivery to user mailboxes in
# traditional BSD mailbox format. By default it will be run under the
# uid and gid of the local user, and requires the sticky bit to be set
# on the /var/mail directory. Some systems use the alternative approach
# of running mail deliveries under a particular group instead of using
# the sticky bit. The commented options below show how this can be done.
#
######################################################################
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add

######################################################################
#
# This transport is used for handling pipe deliveries generated by
# alias or .forward files. If the pipe generates any standard output,
# it is returned to the sender of the message as a delivery error. Set
# return_fail_output instead of return_output if you want this to
# happen only when the pipe fails to complete normally. You can set
# different transports for aliases and forwards if you want to - see
# the references to address_pipe in the routers section above.
#
######################################################################
address_pipe:
driver = pipe
return_output

######################################################################
#
# This transport is used for handling deliveries directly to files
# that are generated by aliasing or forwarding.
#
######################################################################
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

######################################################################
#
# This transport is used for handling autoreplies generated by the
# filtering option of the userforward router.
#
######################################################################
address_reply:
driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################
begin retry


######################################################################
#
# This single retry rule applies to all domains and all errors. It
# specifies retries every 15 minutes for 2 hours, then increasing
# retry intervals, starting at 1 hour and increasing each time by a
# factor of 1.5, up to 16 hours, then retries every 6 hours until 4
# days have passed since the first failed delivery.
#
# Domain               Error       Retries
# ------               -----       -------
######################################################################
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################
#
# There are no rewriting specifications in this default configuration
# file.
#
######################################################################
begin rewrite


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################
#
# There are no authenticator specifications in this default
# configuration file.
#
######################################################################
begin authenticators


# End of Exim configuration file

[cipher][/usr/local/exim]# cat reject_subject.txt
this is spam
well, i do like you
no more spam!