[Exim] Help please! problems with exim/exiscan.

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Ruth Ivimey-Cook
Dátum:  
Címzett: exim-users
Tárgy: [Exim] Help please! problems with exim/exiscan.
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@??? for more info.
--
Hi,

I've been trying to set up exim 4.2 with exiscan and f-prot for the first
time. I've had a working plain-exim solution based on exim 4.10 for some time,
but the spam just gets worse :-(

I think I have spamassasin working... tests seem to indicate that much.
However, if I try to enable it for normal mail I get rejections for mail from
linux-kernel with no reason attached, and if I try exim -bS as root it says it
can't change to the delivery uid/gid.

From main log I get:
2003-05-25 22:10:02 19K2jf-0005qa-UI <= Ruth.Ivimey-Cook@??? U=root
P=local-bsmtp S=380
2003-05-25 22:10:02 19K2jf-0005qa-UI unable to set gid=500 or uid=500
(euid=15): userforward router (recipient is ruthc@???)
2003-05-25 22:10:02 19K2jf-0005qa-UI internal problem in userforward router
(recipient is ruthc@???): failure to transfer data from subprocess
2003-05-25 22:10:02 19K2jf-0005qa-UI == ruthc@??? <ruth@???>
R=userforward defer (-1): internal problem in userforward router (recipient is
ruthc@???): failure to transfer data from subprocess

and

2003-05-25 20:34:25 19K1G4-0005g5-QI H=gatemaster.ivimey.org [192.168.0.1]
F=<Ruth.Ivimey-Cook@???> temporarily rejected after DATA
2003-05-25 20:35:32 19K1HH-0005gl-T8 H=gatemaster.ivimey.org [192.168.0.1]
F=<Ruth.Ivimey-Cook@???> rejected after DATA


Associated with the latter:
2003-05-25 22:10:02 19K2jf-0005qa-UI internal problem in userforward router
(recipient is ruthc@???): failure to transfer data from subprocess


I don't understand these errors: however, reverting to 4.10 and the old config
file does fix things.

I've attached the config for 4.20 in the hope this helps.

Thanks

Ruth

--
Ruth Ivimey-Cook
Software engineer and technical writer.

--
Content-Description: exim 4.2 configuration

######################################################################
#                  Runtime configuration file for Exim               #
######################################################################
# Exim configuration file
#
# gatemaster.ivimey.org


log_selector =  \
              -retry_defer \
              -skip_delivery \
              +lost_incoming_connection \
              +smtp_syntax_error \
              -delay_delivery \
              +size_reject \
              +smtp_confirmation


######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Specify your host's canonical name here. This should normally be the fully

primary_hostname = gatemaster.ivimey.org


# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:

domainlist local_domains = ivimey.org : mail.ivimey.org : wotug.org : mail.wotug.org
domainlist relay_to_domains =

hostlist   relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
domainlist mailman_domains = mail.ivimey.org : mail.wotug.org

# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# manual for details. The lists above are used in the access control list for
# incoming messages. The name of this ACL is defined here:

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

# You should not change that setting until you understand how ACLs work.


# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain.

qualify_domain = ivimey.org


# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. Note that the
# default setting means you cannot deliver mail addressed to root as if it
# were a normal user. This isn't usually a problem, as most sites have an alias
# for root that redirects such mail to a human administrator.

never_users = root:bin:daemon:adm:lp:ftp:apache
trusted_users = ruthc
admin_groups = ruthc

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *


# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls.

#rfc1413_hosts = *
#rfc1413_query_timeout = 4s
rfc1413_query_timeout=0s


# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a month.
timeout_frozen_after = 30d

# don't insist on delivering only a certain number of messages per connection
smtp_accept_queue_per_connection = 0

# reject huge messages
message_size_limit = 10M

# enable exiscan

av_scanner = cmdline:/usr/local/f-prot/f-prot %s:Infection\::Infection\: (.+)$


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

  # Deny partial (MIME message/partial) messages, which can easily be
  # used to circumvent content scanning.

  deny    message       = message fragments administratively prohibited
          condition     = ${if match \
                          {$h_content-type:}{\N\bmessage/partial\b\N}{1}}

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.

  accept  hosts = :

  # Deny if the sender is <> and there are more than 1 recipients
#
#  deny    senders       = :
#          message       = invalid use of null sender
#          condition     = ${if > {$recipient_count} {1} {1} }

  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.

  deny    local_parts   = ^.*[@%!/|]


  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains

  # Deny unless the sender address can be verified.

  require verify        = sender

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          message       = unable to route address
          verify        = recipient

  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.

  accept  hosts         = +relay_from_hosts
  deny    hosts         = /etc/exim/exim-spam-hosts

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.

  accept  authenticated = *

  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.

  deny    message       = relay not permitted

acl_check_data:
  # Reject messages with serious MIME container errors
  deny  message = Found MIME error ($demime_reason).
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Reject known virus spreading file extensions.
  # Accepting these is pretty much braindead.
  deny  message = contains $found_extension file (blacklisted).
    demime = com:vbs:bat:pif:scr

  # put headers in all messages (no matter if spam or not)
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
    spam = nobody:true

  warn  message = X-Spam-Report: $spam_report
    spam = nobody:true

  # add second subject line with *SPAM* marker when message
  # is over threshold
  warn  message = Subject: *SPAM* $h_Subject
    spam = nobody

  # reject spam at high scores (> 12)
  deny  message = This message scored $spam_score spam points.
    spam = nobody:true
    condition = ${if >{$spam_score_int}{120}{1}{0}}

  deny  message = contains blacklisted regex ($regex_match_string)
        regex = [Mm]ortgage : URGENT BUSINESS PROPOSAL

  deny message = This message contains a Virus ($malware_name)
       demime = *
       malware = *


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers

# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
# as the local host inside the network stack. It is not 0.0.0.0/0, the default
# route. If the DNS lookup fails, no further routers are tried because of
# the no_more setting, and consequently the address is unrouteable.

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : \
              127.0.0.0/8 :\
            10.0.0.0/8 :\
            172.16.0.0/16 :\
            192.168.0.0/16 :\
            169.254.0.0/16
  no_more


## List existence checks are done by seeing if the file
## MAILMAN_HOME/lists/*/config.db exists.

# Directors magic to support mailman lists without explicit aliases
# We want this router first in case we have a list named something like
# mailman-owner
mm21_main_route:
  driver = accept
  domains = +mailman_domains
  local_parts = *
  require_files = /var/mailman/lists/${lc::$local_part}/config.pck
  transport = mm21_transport

mm21_special_route:
  driver = accept
  domains = +mailman_domains
  local_parts = *
  require_files = /var/mailman/lists/${lc::$local_part}/config.pck
  local_part_suffix = "-bounces:-bounces+*:-confirm+*:-join:-leave:-owner:-request:-admin"
  transport = mm21_transport

# The remaining routers handle addresses in the local domain(s).

wotug_users:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch {/etc/exim/wotug-aliases} {$value} fail}
  domains = wotug.org
  retry_use_local_part
  file_transport = wotug_file
  no_rewrite

ivimey_users:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/exim/ivimey-aliases}}
  domains = ivimey.org
  forbid_file
  forbid_pipe
  retry_use_local_part
  no_rewrite


# This router handles forwarding using traditional .forward files in users'
# home directories. If you want it also to allow mail filtering when a forward
# file starts with the string "# Exim filter", uncomment the "allow_filter"
# option.

# The three transports specified at the end are those that are used when
# forwarding generates a direct delivery to a file, or to a pipe, or sets
# up an auto-reply, respectively.

userforward:
  driver = redirect
  check_local_user
  file = $home/.forward
  no_verify
  no_expn
  check_ancestor
# allow_filter
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply


# This router matches local user mailboxes.

localuser:
  driver = accept
  check_local_user
  transport = imap_delivery


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

# This transport is used for delivering messages over SMTP connections.

remote_smtp:
  driver = smtp

imap_delivery:
  driver = pipe
  command = "/usr/cyrus/bin/deliver -a ${local_part} -e ${local_part}"
  delivery_date_add
  envelope_to_add
  user = cyrus
  group = mail
  initgroups
  log_output
  message_prefix =
  message_suffix =
  retry_use_local_part
  return_output
  return_path_add
  current_directory = /tmp

## For Mailman 2.1, you only need one transport, albeit with an elaborate command...

mm21_transport:
  driver = pipe
  command = /var/mailman/mail/mailman "${if def:local_part_suffix{${substr_2:{${sg{${lc:$local_part_suffix}}{\\\\\+.*}{}}}}{post}}" ${lc:$local_part}
  return_output
  initgroups
  current_directory = /var/mailman
  home_directory = /var/mailman
  user = mailman
  group = mailman


# This transport is used for handling pipe deliveries generated by alias or
# .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe in the routers
# section above.

address_pipe:
  driver = pipe
  return_output


# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

wotug_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  user = apache
  group = webusers

# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.

address_reply:
  driver = autoreply


######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 24
# hours, then retries every 18 hours until 30 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------

*                      *           F,2h,15m; G,24h,1h,1.5; F,30d,23h



######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


begin rewrite

*@*.wotug.org        ${local_part}@???

# don't rewrite addresses @mail...
*@mail.ivimey.org    ${local_part}@${domain}     q
*@mail.wotug.org    ${local_part}@${domain}     q
*@*.ivimey.org        ${local_part}@???
*@localhost        ${local_part}@???

#
*@ivimey.org        "${lookup{$local_part}lsearch{/etc/exim/ivimey-translations}{$value}{$local_part}}@???"    Ffrs



######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators


# End of Exim configuration file
--