This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@??? for more info.
--
Hi,
I've been trying to set up exim 4.2 with exiscan and f-prot for the first
time. I've had a working plain-exim solution based on exim 4.10 for some time,
but the spam just gets worse :-(
I think I have spamassasin working... tests seem to indicate that much.
However, if I try to enable it for normal mail I get rejections for mail from
linux-kernel with no reason attached, and if I try exim -bS as root it says it
can't change to the delivery uid/gid.
From main log I get:
2003-05-25 22:10:02 19K2jf-0005qa-UI <= Ruth.Ivimey-Cook@??? U=root
P=local-bsmtp S=380
2003-05-25 22:10:02 19K2jf-0005qa-UI unable to set gid=500 or uid=500
(euid=15): userforward router (recipient is ruthc@???)
2003-05-25 22:10:02 19K2jf-0005qa-UI internal problem in userforward router
(recipient is ruthc@???): failure to transfer data from subprocess
2003-05-25 22:10:02 19K2jf-0005qa-UI == ruthc@??? <ruth@???>
R=userforward defer (-1): internal problem in userforward router (recipient is
ruthc@???): failure to transfer data from subprocess
and
2003-05-25 20:34:25 19K1G4-0005g5-QI H=gatemaster.ivimey.org [192.168.0.1]
F=<Ruth.Ivimey-Cook@???> temporarily rejected after DATA
2003-05-25 20:35:32 19K1HH-0005gl-T8 H=gatemaster.ivimey.org [192.168.0.1]
F=<Ruth.Ivimey-Cook@???> rejected after DATA
Associated with the latter:
2003-05-25 22:10:02 19K2jf-0005qa-UI internal problem in userforward router
(recipient is ruthc@???): failure to transfer data from subprocess
I don't understand these errors: however, reverting to 4.10 and the old config
file does fix things.
I've attached the config for 4.20 in the hope this helps.
Thanks
Ruth
--
Ruth Ivimey-Cook
Software engineer and technical writer.
--
Content-Description: exim 4.2 configuration
######################################################################
# Runtime configuration file for Exim #
######################################################################
# Exim configuration file
#
# gatemaster.ivimey.org
log_selector = \
-retry_defer \
-skip_delivery \
+lost_incoming_connection \
+smtp_syntax_error \
-delay_delivery \
+size_reject \
+smtp_confirmation
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Specify your host's canonical name here. This should normally be the fully
primary_hostname = gatemaster.ivimey.org
# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
domainlist local_domains = ivimey.org : mail.ivimey.org : wotug.org : mail.wotug.org
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
domainlist mailman_domains = mail.ivimey.org : mail.wotug.org
# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# manual for details. The lists above are used in the access control list for
# incoming messages. The name of this ACL is defined here:
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# You should not change that setting until you understand how ACLs work.
# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain.
qualify_domain = ivimey.org
# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. Note that the
# default setting means you cannot deliver mail addressed to root as if it
# were a normal user. This isn't usually a problem, as most sites have an alias
# for root that redirects such mail to a human administrator.
never_users = root:bin:daemon:adm:lp:ftp:apache
trusted_users = ruthc
admin_groups = ruthc
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.
host_lookup = *
# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls.
#rfc1413_hosts = *
#rfc1413_query_timeout = 4s
rfc1413_query_timeout=0s
# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.
ignore_bounce_errors_after = 2d
# This option cancels (removes) frozen messages that are older than a month.
timeout_frozen_after = 30d
# don't insist on delivering only a certain number of messages per connection
smtp_accept_queue_per_connection = 0
# reject huge messages
message_size_limit = 10M
# enable exiscan
av_scanner = cmdline:/usr/local/f-prot/f-prot %s:Infection\::Infection\: (.+)$
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_check_rcpt:
# Deny partial (MIME message/partial) messages, which can easily be
# used to circumvent content scanning.
deny message = message fragments administratively prohibited
condition = ${if match \
{$h_content-type:}{\N\bmessage/partial\b\N}{1}}
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
# Deny if the sender is <> and there are more than 1 recipients
#
# deny senders = :
# message = invalid use of null sender
# condition = ${if > {$recipient_count} {1} {1} }
# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.
deny local_parts = ^.*[@%!/|]
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be verified.
require verify = sender
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.
accept domains = +relay_to_domains
endpass
message = unable to route address
verify = recipient
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
accept hosts = +relay_from_hosts
deny hosts = /etc/exim/exim-spam-hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
accept authenticated = *
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
deny message = relay not permitted
acl_check_data:
# Reject messages with serious MIME container errors
deny message = Found MIME error ($demime_reason).
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Reject known virus spreading file extensions.
# Accepting these is pretty much braindead.
deny message = contains $found_extension file (blacklisted).
demime = com:vbs:bat:pif:scr
# put headers in all messages (no matter if spam or not)
warn message = X-Spam-Score: $spam_score ($spam_bar)
spam = nobody:true
warn message = X-Spam-Report: $spam_report
spam = nobody:true
# add second subject line with *SPAM* marker when message
# is over threshold
warn message = Subject: *SPAM* $h_Subject
spam = nobody
# reject spam at high scores (> 12)
deny message = This message scored $spam_score spam points.
spam = nobody:true
condition = ${if >{$spam_score_int}{120}{1}{0}}
deny message = contains blacklisted regex ($regex_match_string)
regex = [Mm]ortgage : URGENT BUSINESS PROPOSAL
deny message = This message contains a Virus ($malware_name)
demime = *
malware = *
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
# as the local host inside the network stack. It is not 0.0.0.0/0, the default
# route. If the DNS lookup fails, no further routers are tried because of
# the no_more setting, and consequently the address is unrouteable.
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : \
127.0.0.0/8 :\
10.0.0.0/8 :\
172.16.0.0/16 :\
192.168.0.0/16 :\
169.254.0.0/16
no_more
## List existence checks are done by seeing if the file
## MAILMAN_HOME/lists/*/config.db exists.
# Directors magic to support mailman lists without explicit aliases
# We want this router first in case we have a list named something like
# mailman-owner
mm21_main_route:
driver = accept
domains = +mailman_domains
local_parts = *
require_files = /var/mailman/lists/${lc::$local_part}/config.pck
transport = mm21_transport
mm21_special_route:
driver = accept
domains = +mailman_domains
local_parts = *
require_files = /var/mailman/lists/${lc::$local_part}/config.pck
local_part_suffix = "-bounces:-bounces+*:-confirm+*:-join:-leave:-owner:-request:-admin"
transport = mm21_transport
# The remaining routers handle addresses in the local domain(s).
wotug_users:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch {/etc/exim/wotug-aliases} {$value} fail}
domains = wotug.org
retry_use_local_part
file_transport = wotug_file
no_rewrite
ivimey_users:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/exim/ivimey-aliases}}
domains = ivimey.org
forbid_file
forbid_pipe
retry_use_local_part
no_rewrite
# This router handles forwarding using traditional .forward files in users'
# home directories. If you want it also to allow mail filtering when a forward
# file starts with the string "# Exim filter", uncomment the "allow_filter"
# option.
# The three transports specified at the end are those that are used when
# forwarding generates a direct delivery to a file, or to a pipe, or sets
# up an auto-reply, respectively.
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
# allow_filter
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# This router matches local user mailboxes.
localuser:
driver = accept
check_local_user
transport = imap_delivery
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# A transport is used only when referenced from a router that successfully
# handles an address.
begin transports
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
imap_delivery:
driver = pipe
command = "/usr/cyrus/bin/deliver -a ${local_part} -e ${local_part}"
delivery_date_add
envelope_to_add
user = cyrus
group = mail
initgroups
log_output
message_prefix =
message_suffix =
retry_use_local_part
return_output
return_path_add
current_directory = /tmp
## For Mailman 2.1, you only need one transport, albeit with an elaborate command...
mm21_transport:
driver = pipe
command = /var/mailman/mail/mailman "${if def:local_part_suffix{${substr_2:{${sg{${lc:$local_part_suffix}}{\\\\\+.*}{}}}}{post}}" ${lc:$local_part}
return_output
initgroups
current_directory = /var/mailman
home_directory = /var/mailman
user = mailman
group = mailman
# This transport is used for handling pipe deliveries generated by alias or
# .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe in the routers
# section above.
address_pipe:
driver = pipe
return_output
# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
wotug_file:
driver = appendfile
delivery_date_add
envelope_to_add
user = apache
group = webusers
# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.
address_reply:
driver = autoreply
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 24
# hours, then retries every 18 hours until 30 days have passed since the first
# failed delivery.
# Domain Error Retries
# ------ ----- -------
* * F,2h,15m; G,24h,1h,1.5; F,30d,23h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
begin rewrite
*@*.wotug.org ${local_part}@???
# don't rewrite addresses @mail...
*@mail.ivimey.org ${local_part}@${domain} q
*@mail.wotug.org ${local_part}@${domain} q
*@*.ivimey.org ${local_part}@???
*@localhost ${local_part}@???
#
*@ivimey.org "${lookup{$local_part}lsearch{/etc/exim/ivimey-translations}{$value}{$local_part}}@???" Ffrs
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators
# End of Exim configuration file
--
