I put this on my production server for a large organization which gets
hit far too much by spammers and the like. Some changes I made:
--1--
In the generic exim conf you said to add:
pipeline_advertise_hosts = :
...when it should be pipelining_advertise_hosts. I believe someone
mentioned this on the list already.
--2--
I commented out all the DNS blacklists...I don't trust them.
--3--
I replaced your SPF code using spfquery with the exiscan-ACL built in SPF:
  # Sender Policy Framework
  warn
    spf = fail:neutral
    set acl_m0 = $sender_host_address ($sender_helo_name) is not \
                 authorized to deliver mail for <$sender_address>.
    set acl_m1 = SPF check failed ($spf_result).
--4--
Commented out the greylistd code
--5--
In the data ACL, I added the SPF header after you add a missing Message-ID:
  # Always add SPF-Received header
  warn
    message = $spf_received
--6--
After that I added my X-Scan-Signature code to skip the rest of the
tests if we already did it on this or another trusted system:
  # Accept if the message contains our cryptographic header
  accept
    condition = ${if eq {${hmac{md5}\
                          {SECRET}\
                          {$body_linecount}}}\
                        {$h_X-Scan-Signature:} {1}{0}}
--7--
After you check for MESSAGE_SIZE_SPAM_MAX I added my malware check from
exiscan-ACL:
  # Reject virus-infested messages.
  deny
    message = This message contains a virus ($malware_name)
    malware = *
--8--
I have a hardcoded system-wide limit of 5.0 for SpamAssassin...so I
commented out all the SA code and used my old one:
  # Reject spam messages with score over 5, using an extra condition.
  deny
    message = Message rejected as spam ($spam_score / 5.0)
    spam = nobody:true
    condition = ${if >{$spam_score_int}{50}{1}{0}}
--9--
Directly before the final accept I added my cryptographic header:
  # Add the cryptographic header.
  warn
    message = X-Scan-Signature: ${hmac{md5}\
                                  {SECRET}\
                                  {$body_linecount}}
Seems to be working great so far. I see a ton of "unexpected
disconnection while reading SMTP command..." from DSL and cable hosts.
Thanks for a good doc.
Sam
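The X-Scan-Signature scheme in steps 6 and 9 above, modelled in Python as an added example (not code from Sam's post or from Exim): it assumes Exim's ${hmac{md5}{key}{data}} is a plain RFC 2104 HMAC-MD5 returned as lowercase hex, approximates $body_linecount as the number of body lines, and uses a constructed secret and constructed messages. It also goes one step beyond the post: because the HMAC input is only the body line count, the header value is the same for every message with that many lines, so a variant that additionally binds the Message-ID header (an assumption about what to bind, not something the post does) is shown alongside for comparison.

```python
import hashlib
import hmac

# Constructed secret for this example; in the Exim ACL this is the SECRET literal.
SECRET = b"example-shared-secret"
HEADER = "X-Scan-Signature"


def exim_hmac_md5(secret: bytes, data: str) -> str:
    """Model of Exim's ${hmac{md5}{secret}{data}}: RFC 2104 HMAC-MD5, lowercase hex."""
    return hmac.new(secret, data.encode(), hashlib.md5).hexdigest()


def body_linecount(body: str) -> int:
    """Approximation of Exim's $body_linecount (assumption: one count per body line)."""
    return len(body.splitlines())


def parse_message(raw: str) -> tuple[dict, str]:
    """Split a raw RFC 822-style message into a header dict (lowercased names) and body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def sign_message(secret: bytes, body: str) -> str:
    """Step 9 of the post: HMAC over the body line count only."""
    return exim_hmac_md5(secret, str(body_linecount(body)))


def sign_message_bound(secret: bytes, body: str, message_id: str) -> str:
    """Hypothetical stronger variant: also bind the Message-ID so two messages
    with the same line count no longer share a signature."""
    return exim_hmac_md5(secret, f"{body_linecount(body)}:{message_id}")


def is_trusted(raw: str, secret: bytes = SECRET) -> bool:
    """Step 6 of the post: accept early if the presented header equals the recomputed HMAC.
    Exim's string comparison is replaced by a constant-time compare here."""
    headers, body = parse_message(raw)
    presented = headers.get(HEADER.lower(), "")
    return hmac.compare_digest(presented, sign_message(secret, body))


def add_signature(raw: str, secret: bytes = SECRET) -> str:
    """Step 9 of the post: add the X-Scan-Signature header before final accept."""
    head, _, body = raw.partition("\n\n")
    return f"{head}\n{HEADER}: {sign_message(secret, body)}\n\n{body}"


# Constructed sample message, as it would look on first arrival (no signature yet).
INBOUND = (
    "From: alice@example.test\n"
    "To: bob@example.test\n"
    "Message-ID: <1@example.test>\n"
    "Subject: hello\n"
    "\n"
    "line one\n"
    "line two\n"
)

if __name__ == "__main__":
    print("trusted on arrival:", is_trusted(INBOUND))        # False
    signed = add_signature(INBOUND)
    print("trusted after signing:", is_trusted(signed))       # True on a second trusted hop
    print("same line count, same header:",
          sign_message(SECRET, "a\nb\n") == sign_message(SECRET, "x\ny\n"))
```

Running the module shows the round trip from steps 6 and 9: a message is not trusted on first arrival, passes the accept condition once the header has been added by a host holding the same SECRET, and fails again under a different secret. The last line makes the defender's caveat concrete: any two bodies with the same number of lines carry an identical X-Scan-Signature, so the header proves only that someone with SECRET once signed a message of that length, which is why the bound variant mixes in a per-message identifier.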