Greetings,
Please bear with me as I'm fairly new to Exim (switching from Qmail) - and
I've spent the last several days reading over much of the documentation and
I'm a little confused.. I've set up a new server/OS (Open NA Linux) using
Exim 4.12 as my MTA - the setup is using the OS's default exim config files
provided with the distro of the Exim software for the OS. I'm trying to
figure out the correct method to implement RBL checking, preferably through
ordb.org or mail-abuse.org. I've found the examples in the Exim
documentation that describe the process to implement this method of
checking, but I'm concerned that I may not currently have enough knowledge
regarding the details of the rest of my setup (exim.conf) - and I'm
concerned that I may open up the MTA to something I don't want/intend to
do..<?> Basically as I understand it, to add RBL checking, I simply need
to add the following to the "main" section of my exim.conf file (correct)?
# reject messages whose sending host is in MAPS/RBL & MAP/DUL
# add warning to messages whose sending host is in RSS
rbl_domains = blackholes.mail-abuse.org/reject : \
              dialups.mail-abuse.org/reject : \
              relays.mail-abuse.org/warn
# check all hosts other than those on internal network
rbl_hosts = !192.168.0.0/24:0.0.0.0/0
# but allow mail to postmaster@??? even from rejected host
recipients_reject_except = postmaster@???
# change some logging actions (collect more data)
rbl_log_headers # log headers of accepted RBLed messages
rbl_log_rcpt_count # log recipient info of accepted RBLed messages
--------------
One of my concerns is - I'm not sure if the basic (out of the box) exim.conf
file provided with the distro of the OS is configured correctly to
implement RBL checking.. My setup is running with Amavis/Sophos and
SpamAssassin - so I'm also concerned about the routing section of my config
file. I'm seeking the assistance of people more knowledgeable in the
setup/config of this file for suggestions/review. Can anyone see any
potential issues, problems or concerns with my current setup<?>; I'd
certainly appreciate any feedback.. I'm simply attempting to implement a
secure configuration with RBL checking, alongside Amavis/Sophos and
SpamAssassin..
Thanks in advance for any help or assistance!
My current exim.conf file is as follows:
--------------------------------------------------
# /etc/exim/exim.conf: (last updated 2003 Jan 24)
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Please change the following for your FQDN.
primary_hostname = atlantis.mydomain.com
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
domainlist local_domains = @ : lsearch;/etc/exim/localdomains
hostlist relay_hosts = lsearch;/etc/exim/relaydomains
hostlist auth_relay_hosts = *
log_selector = \
+all_parents \
+received_sender \
+received_recipients \
+smtp_confirmation \
+smtp_syntax_error
allow_domain_literals = false
never_users = root:daemon:bin:sync:named
host_lookup = *
trusted_users = mail:amavis
gecos_pattern = ^([^,:]*)
gecos_name = $1
freeze_tell = postmaster
auto_thaw = 1h
ignore_bounce_errors_after = 30m
timeout_frozen_after = 7d
received_header_text = "Received: \
${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
{${if def:sender_ident {from ${sender_ident} }}\
${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
by ${primary_hostname} \
${if def:received_protocol {with ${received_protocol}}} \
(Exim ${version_number} #${compile_number})\n\t\
id ${message_id}\
${if def:received_for {\n\tfor <$received_for>}}"
system_filter = /etc/exim/system-filter
message_body_visible = 5000
message_size_limit = 10M
smtp_accept_max = 2048
smtp_connect_backlog = 256
split_spool_directory
remote_max_parallel = 15
rfc1413_hosts = *
rfc1413_query_timeout = 0s
smtp_banner = "Welcome on our mail server!\n\
This system does not accept Unsolicited \
Commercial Email\nand will blacklist \
offenders via our spam processor.\nHave a \
nice day!\n\n${primary_hostname} ESMTP Exim \
${version_number} ${tod_full}"
####DO I ADD RBL CHECKING HERE####
# reject messages whose sending host is in MAPS/RBL & MAP/DUL
# add warning to messages whose sending host is in RSS
rbl_domains = blackholes.mail-abuse.org/reject : \
              dialups.mail-abuse.org/reject : \
              relays.mail-abuse.org/warn
# check all hosts other than those on internal network
rbl_hosts = !192.168.0.0/24:0.0.0.0/0
# but allow mail to postmaster@??? even from rejected host
recipients_reject_except = postmaster@???
# change some logging actions (collect more data)
rbl_log_headers # log headers of accepted RBLed messages
rbl_log_rcpt_count # log recipient info of accepted RBLed messages
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
check_recipient:
accept hosts = :
deny local_parts = ^.*[@%!/|]
deny senders = *@partial-dbm;/etc/exim/access.db : \
dbm;/etc/exim/access.db
require verify = sender
deny message = unrouteable address
hosts = !127.0.0.1/8:0.0.0.0/0
!verify = recipient
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
# Enable SSL support.
# accept hosts = +tls_relay_hosts
# endpass
# message = encryption required
# encrypted = *
deny message = relay not permitted
check_message:
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# Enable Anti-Virus support with AMaViS.
amavis_router:
driver = accept
condition = "${if or{ {eq {$received_protocol}{scanned-ok}} \
{eq {$received_protocol}{spam-scanned}} } {0}{1}}"
retry_use_local_part
transport = amavis
# Enable Anti-Spam support with SpamAssassin.
spamcheck_router:
no_verify
check_local_user
condition = "${if and { {!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
driver = accept
transport = spamcheck
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# Enable Virtual Hosts support.
virtual_domains:
driver = redirect
allow_defer
allow_fail
data = ${expand:${lookup{$local_part@$domain}dbm*@{/etc/exim/virtualdomains.db}}}
retry_use_local_part
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/exim/aliases}}
user = mail
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
modemask = 002
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
localuser:
driver = accept
check_local_user
transport = local_delivery
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports
remote_smtp:
driver = smtp
# Enable Maildir format support (HIGHLY recommended).
local_delivery:
driver = appendfile
check_string = ""
create_directory
delivery_date_add
directory = ${home}/Maildir/
directory_mode = 700
envelope_to_add
group = mail
maildir_format
maildir_tag = ,S=$message_size
message_prefix = ""
message_suffix = ""
mode = 0600
quota = 10M
quota_size_regex = S=(\d+)$
quota_warn_threshold = 75%
return_path_add
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
# Enable Anti-Spam support with SpamAssassin.
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
user = mail
group = mail
log_output = true
return_fail_output = true
return_path_add = false
message_prefix =
message_suffix =
# Enable Anti-Virus support with AMaViS.
amavis:
driver = pipe
check_string =
command = /usr/sbin/amavis -f <${sender_address}> -d ${pipe_addresses}
current_directory = "/var/spool/amavis"
escape_string =
group = amavis
headers_add = "X-Virus-Scanned: by AMaViS"
message_prefix =
message_suffix =
path = "/bin:/sbin:/usr/bin:/usr/sbin"
no_return_output
no_return_path_add
user = amavis
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Domain Error Retries
# ------ ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
# AUTH PLAIN authentication method used by Netscape Messenger.
plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if and {{!eq{$2}{}}{!eq{$3}{}} \
{crypteq{$3}{${extract{1}{:} \
{${lookup{$2}lsearch{/etc/exim/exim.auth} \
{$value}{*:*}}}}}}}{1}{0}}"
# AUTH LOGIN authentication method used by Outlook Express.
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if and {{!eq{$1}{}}{!eq{$2}{}} \
{crypteq{$2}{${extract{1}{:} \
{${lookup{$1}lsearch{/etc/exim/exim.auth} \
{$value}{*:*}}}}}}}{1}{0}}"
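
--------------------------------------------------
Added example, not part of the original post or of Exim: a Python model of the check the snippet's comments describe (reverse the sending host's IPv4 octets, look the name up in each listed zone, then reject or warn), including the rbl_hosts exemption for the internal network. The function names and the sample listing data are assumptions made for illustration; entries without "/warn" are treated as reject here.

```python
import ipaddress
import socket

# Values copied from the snippet in the post.
RBL_DOMAINS = ("blackholes.mail-abuse.org/reject : "
               "dialups.mail-abuse.org/reject : relays.mail-abuse.org/warn")
RBL_HOSTS = "!192.168.0.0/24 : 0.0.0.0/0"
# Constructed listing data standing in for DNS, so the example runs offline.
SAMPLE_LISTED = {"7.100.51.198.dialups.mail-abuse.org": "127.0.0.3",
                 "9.113.0.203.relays.mail-abuse.org": "127.0.0.2"}

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def host_is_checked(ip, host_list=RBL_HOSTS):
    """First matching item wins; a leading '!' turns the match into 'no'."""
    addr = ipaddress.ip_address(ip)
    for item in (i.strip() for i in host_list.split(":")):
        negated = item.startswith("!")
        if addr in ipaddress.ip_network(item.lstrip("!")):
            return not negated
    return False

def system_resolver(name):
    """Return the A record for name, or None when the host is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def rbl_decision(ip, resolve=system_resolver, domains=RBL_DOMAINS):
    """Return (action, zone) where action is 'reject', 'warn' or 'accept'."""
    if not host_is_checked(ip):
        return ("accept", None)          # exempt host: no DNS queries at all
    warned = None
    for entry in (e.strip() for e in domains.split(":")):
        zone, _, action = entry.partition("/")
        if resolve(dnsbl_name(ip, zone)) is None:
            continue                     # no A record: not listed in this zone
        if action == "warn":
            warned = warned or zone      # remember it, keep checking for a reject
        else:
            return ("reject", zone)
    return ("warn", warned) if warned else ("accept", None)
```

In Exim 4 this test is written as a `dnslists` condition in the `acl_smtp_rcpt` ACL; the `rbl_*` main options shown in the post come from the Exim 3 configuration format.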