[Exim] RBL Configuration w/ Base Exim Config

Top Page
Delete this message
Reply to this message
Author: Mail List
Date:  
To: exim-users
Subject: [Exim] RBL Configuration w/ Base Exim Config
Greetings,

Please bare with me as I'm fairly new to Exim (switching from Qmail) -and
I've spent the last several days reading over much of the documentation and
I'm a little confused.. I've setup a new server/OS (Open NA Linux) using
Exim 4.12 as my MTA -the setup is using the OS's default exim config files
provided with the distro of the Exim software for the OS. I'm trying to
figure out the correct method to implement RBL checking, preferably through
ordb.org or mail-abuse.org. I've found the examples in the Exim
documentation that describe the process to implement this method of
checking, but I'm concerned that I may not currently have enough knowledge
regarding the details of the rest of my setup (exim.conf) -and I'm
concerned that I may open-up the MTA to something I don't want/intend to
do..<?> Basically as I understand it, to add RBL checking, I simply need
to add the following to the "main" section of my exim.conf file (correct)?

# reject messages whose sending host is in MAPS/RBL & MAP/DUL
# add warning to messages whose sending host is in RSS
rbl_domains = blackholes.mail-abuse.org/reject : \
         dialups.mail-abuse.org/reject : \
         relays.mail-abuse.org/warn
# check all hosts other than those on internal network
rbl_hosts = !192.168.0.0/24:0.0.0.0/0
# but allow mail to postmaster@??? even from rejected host
recipients_reject_except = postmaster@???
# change some logging actions (collect more data)
rbl_log_headers     # log headers of accepted RBLed messages
rbl_log_rcpt_count    # log recipient info of accepted RBLed messages


--------------

One of my concerns is -I'm not sure if the basic (out of the box) exim.conf
file provided with the distro of the OS is configured correctly to
implement RBL checking.. My setup is running with Amavis/Sophos and Spam
Assassin -so I'm also concerned about the routing section of my config
file. I'm seeking the assistance of people more knowledgeable in the
setup/config of this file for suggestions/review. Can anyone see any
potential issues, problems or concerns with my current setup<?>; I'd
certainly appreciate any feedback.. I'm simply attempting to implement a
secure configuration with RBL checking, alongside Amavis/Sophos and Spam
Assassin..

Thanks in advance for any help or assistance!

My current exim.conf file is as follows:
--------------------------------------------------
# /etc/exim/exim.conf: (last updated 2003 Jan 24)

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


# Please change the following for your FQDN.
primary_hostname = atlantis.mydomain.com

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

domainlist local_domains = @ : lsearch;/etc/exim/localdomains
hostlist relay_hosts = lsearch;/etc/exim/relaydomains
hostlist auth_relay_hosts = *

log_selector =  \
         +all_parents \
         +received_sender \
         +received_recipients \
         +smtp_confirmation \
         +smtp_syntax_error


allow_domain_literals = false
never_users = root:daemon:bin:sync:named
host_lookup = *
trusted_users = mail:amavis
gecos_pattern = ^([^,:]*)
gecos_name = $1
freeze_tell = postmaster
auto_thaw = 1h
ignore_bounce_errors_after = 30m
timeout_frozen_after = 7d

received_header_text = "Received: \
         ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
         {${if def:sender_ident {from ${sender_ident} }}\
         ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
         by ${primary_hostname} \
         ${if def:received_protocol {with ${received_protocol}}} \
         (Exim ${version_number} #${compile_number})\n\t\
         id ${message_id}\
         ${if def:received_for {\n\tfor <$received_for>}}"


system_filter = /etc/exim/system-filter
message_body_visible = 5000
message_size_limit = 10M
smtp_accept_max = 2048
smtp_connect_backlog = 256
split_spool_directory
remote_max_parallel = 15
rfc1413_hosts = *
rfc1413_query_timeout = 0s

smtp_banner = "Welcome on our mail server!\n\
         This system does not accept Unsolicited \
         Commercial Email\nand will blacklist \
         offenders via our spam processor.\nHave a \
         nice day!\n\n${primary_hostname} ESMTP Exim \
         ${version_number} ${tod_full}"


####DO I ADD RBL CHECKING HERE####
# reject messages whose sending host is in MAPS/RBL & MAP/DUL
# add warning to messages whose sending host is in RSS
rbl_domains = blackholes.mail-abuse.org/reject : \
         dialups.mail-abuse.org/reject : \
         relays.mail-abuse.org/warn
# check all hosts other than those on internal network
rbl_hosts = !192.168.0.0/24:0.0.0.0/0
# but allow mail to postmaster@??? even from rejected host
recipients_reject_except = postmaster@???
# change some logging actions (collect more data)
rbl_log_headers     # log headers of accepted RBLed messages
rbl_log_rcpt_count    # log recipient info of accepted RBLed messages



######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl

check_recipient:
accept hosts = :

   deny    local_parts    = ^.*[@%!/|]


   deny    senders        = *@partial-dbm;/etc/exim/access.db : \
                           dbm;/etc/exim/access.db


   require verify         = sender


   deny    message        = unrouteable address
           hosts          = !127.0.0.1/8:0.0.0.0/0
          !verify         = recipient


   accept  domains        = +local_domains
           endpass
           message        = unknown user
           verify         = recipient


   accept  hosts          = +relay_hosts


   accept  hosts          = +auth_relay_hosts
           endpass
           message        = authentication required
           authenticated  = *


# Enable SSL support.
#  accept  hosts = +tls_relay_hosts
#          endpass
#          message = encryption required
#          encrypted = *


   deny    message       = relay not permitted



check_message:
accept


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################


begin routers

# Enable Anti-Virus support with AMaViS.
amavis_router:
driver = accept
condition = "${if or{ {eq {$received_protocol}{scanned-ok}} \
{eq {$received_protocol}{spam-scanned}} } {0}{1}}"
retry_use_local_part
transport = amavis

# Enable Anti-Spam support with SpamAssassin.
spamcheck_router:
no_verify
check_local_user
condition = "${if and { {!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
driver = accept
transport = spamcheck

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

# Enable Virtual Hosts support.
virtual_domains:
driver = redirect
allow_defer
allow_fail
data =
${expand:${lookup{$local_part@$domain}dbm*@{/etc/exim/virtualdomains.db}}}
retry_use_local_part

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/exim/aliases}}
user = mail
file_transport = address_file
pipe_transport = address_pipe

userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
modemask = 002
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
transport = local_delivery


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


begin transports

remote_smtp:
driver = smtp

# Enable Maildir format support (HIGHLY recommended).
local_delivery:
driver = appendfile
check_string = ""
create_directory
delivery_date_add
directory = ${home}/Maildir/
directory_mode = 700
envelope_to_add
group = mail
maildir_format
maildir_tag = ,S=$message_size
message_prefix = ""
message_suffix = ""
mode = 0600
quota = 10M
quota_size_regex = S=(\d+)$
quota_warn_threshold = 75%
return_path_add

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

# Enable Anti-Spam support with SpamAssassin.
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
user = mail
group = mail
log_output = true
return_fail_output = true
return_path_add = false
message_prefix =
message_suffix =

# Enable Anti-Virus support with AMaViS.
amavis:
driver = pipe
check_string =
command = /usr/sbin/amavis -f <${sender_address}> -d ${pipe_addresses}
current_directory = "/var/spool/amavis"
escape_string =
group = amavis
headers_add = "X-Virus-Scanned: by AMaViS"
message_prefix =
message_suffix =
path = "/bin:/sbin:/usr/bin:/usr/sbin"
no_return_output
no_return_path_add
user = amavis

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# Domain               Error       Retries
# ------               -----       -------


*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators

# AUTH PLAIN authentication method used by Netscape Messenger.
plain:
   driver = plaintext
   public_name = PLAIN
   server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
         {crypteq{$3}{${extract{1}{:} \
         {${lookup{$2}lsearch{/etc/exim/exim.auth} \
         {$value}{*:*}}}}}}}{1}{0}}"


# AUTH LOGIN authentication method used by Outlook Express.
login:
   driver = plaintext
   public_name = LOGIN
   server_prompts = "Username:: : Password::"
   server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
         {crypteq{$2}{${extract{1}{:} \
         {${lookup{$1}lsearch{/etc/exim/exim.auth} \
         {$value}{*:*}}}}}}}{1}{0}}"