jvanasco@??? wrote:
>Would you mind sharing those lines from your .conf with the list?
>
>
>
>>First - I use the Exim ACL tricks that many people have published here.
>>The best ones include:
>>
>>Sender Callback Verification
>>Spamhaus Blacklist
>>No IP address in HELO
>>No pretending they are one of my domains in HELO
>>I nuke all viruses and windows executable attachments.
>>
>>This gets rid of 90% + of spam
>>
>>
No problem - here's my ACL
========================
# Various Domain Lists
# Named lists that the ACLs below reference as +name.
# NOTE(review): the first four lists use "lsearch;" and the next three use
# "lsearch:". A colon separates items in an Exim list, so the colon form
# presumably parses as the literal item "lsearch" followed by the file path
# read as an inline list file, not as an lsearch lookup. Confirm which was
# intended and make the seven lines agree.
domainlist system_domains = lsearch;/etc/exim/sdomains
domainlist virtual_local_domains = lsearch;/etc/exim/vdomains
domainlist preprocess_domains = lsearch;/etc/exim/preprocess
domainlist mx_backup_domains = lsearch;/etc/exim/mxbackup
domainlist domain_fallback = lsearch:/etc/exim/domainfallback
domainlist domain_aliases = lsearch:/etc/exim/domainaliases
domainlist no_verify = lsearch:/etc/exim/noverify
# NOTE(review): the next two definitions are wrapped across lines as pasted.
# A live config needs each on one line or a trailing backslash continuation.
domainlist local_domains = +virtual_local_domains : +domain_fallback :
+domain_aliases : +system_domains
domainlist all_mail_handled_locally = +local_domains :
+mx_backup_domains : +preprocess_domains
# Hosts allowed to relay without authentication: the entries in the file plus
# this machine's own interface addresses (@[]).
hostlist relay_from_hosts = /etc/exim/relayfor : @[]
# Every host that is NOT in relay_from_hosts.
hostlist auth_relay_hosts = !+relay_from_hosts
# Applies to every domain that is not handled locally: a temporary DNS failure
# is treated as "does not exist" for those domains.
dns_again_means_nonexist = !+all_mail_handled_locally
# Good info at
http://slett.net/spam-filtering-for-mx/
#########################################################
## This new section of the configuration contains ACLs ##
## (Access Control Lists) derived from the Exim 3 ##
## policy control options. ##
#########################################################
# Bind each SMTP phase to the ACL defined for it below. Each ACL is evaluated
# top to bottom and the first statement that decides the outcome ends it.
acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_mail = check_sender
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_mime = check_mime
# Everything after this line is ACL definitions.
begin acl
###########################################################
########## ACL that checks at CONNECT time
###########################################################
check_connect:
#######################################################################
# DNS checks
######################################################################
#
# The results of these checks are cached, so multiple recipients
# does not translate into multiple DNS lookups.
#
# If the connecting host is in one of a select few DNSbls, then
# reject the message. Be careful when selecting these lists; many
# would cause a large number of false positives, and/or have no
# clear removal policy.
# NOTE(review): the zone names here and below date from the original post.
# Confirm each one is still operated before deploying, because a zone that
# has been retired may time out or answer for every address queried.
# "drop" refuses the command and then closes the connection.
drop dnslists = sbl-xbl.spamhaus.org
message = REJECTED - Host $sender_host_address is Blacklisted in
$dnslist_domain=$dnslist_value
# On backup servers stall them if things aren't quite right.
# The two "defer" statements are compiled in only when the NO_VDOMAINS macro
# is defined. They give a temporary failure rather than a rejection.
.ifdef NO_VDOMAINS
# This is run only on secondary mx spam filters
defer dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org
: bl.spamcop.net
message = Host $sender_host_address is Blacklisted in
$dnslist_domain=$dnslist_value
# Temporary failure when the connecting address fails the reverse lookup check.
defer message = Warning - Reverse DNS lookup failed for host
$sender_host_address.
!verify = reverse_host_lookup
.endif
# Otherwise ....
accept
###########################################################
########## ACL that checks HELO
###########################################################
check_helo:
# Runs when the client sends HELO/EHLO. $sender_helo_name is whatever the
# client chose to send, so this ACL only checks its form.
# If the remote host greets with an IP address, then reject the mail.
# isip is true when the HELO argument is an IP address.
drop message = REJECTED - Bad HELO - IP address not allowed
($sender_helo_name)
condition = ${if isip {$sender_helo_name}{true}{false}}
# Otherwise ....
accept
###########################################################
########## ACL that checks the SENDER ADDRESS
###########################################################
check_sender:
# Runs at MAIL FROM. Refuse, and close the connection, when the envelope
# sender matches an entry in /etc/exim/sendersblocked.
drop message = REJECTED - Sender Address in BLOCK LIST
senders = /etc/exim/sendersblocked
# Otherwise ....
accept
###########################################################
########## ACL that checks the RECIPIENTS
###########################################################
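check_recipient:
# Runs once per RCPT TO. Statements are evaluated top to bottom and the first
# accept/deny/drop whose conditions all match decides the recipient, so the
# order of statements here is part of the policy.

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept  hosts = :

# Everything below requires an envelope sender that verifies.
require verify = sender

# Refuse local parts that contain @ % ! / | or that start with a dot.
deny    local_parts = ^.*[@%!/|] : ^\\.
        message = REJECTED - Recipient address contains invalid characters

# Compiled in only when NO_VDOMAINS is not defined: refuse recipients in the
# local domains that do not verify.
.ifndef NO_VDOMAINS
deny    message = REJECTED - Unroutable Local Address
        log_message = REJECTED
        domains = +local_domains
        !verify = recipient
.endif

# Recipients listed as dead accounts are refused and the connection is closed.
drop    recipients = lsearch;/etc/exim/deadaccounts
        message = REJECTED - The account you are emailing is a Dead Account

# Trusted sources: these three statements accept the recipient, whatever its
# domain, and skip every check below.
# NOTE(review): 192.168.0.0/16 trusts every host in that private range; narrow
# it to the subnets that actually submit mail through this server.
accept  hosts = 127.0.0.1 : 192.168.0.0/16
accept  hosts = +relay_from_hosts
accept  authenticated = *

####### HELO CHECKS
# Only hosts that are not trusted above reach this point. The "warn"
# statements add a header and a log line and then processing continues.

# Require fully qualified domain name in HELO
warn    message = Bad HELO - single word rather than a Domain Name - ($sender_helo_name)
        log_message = Bad HELO - single word rather than a Domain Name - ($sender_helo_name)
        condition = ${if match {$sender_helo_name} {\.} {no}{yes}}

# No HELO
warn    message = Bad HELO no greeting
        log_message = Bad HELO no greeting
        condition = ${if def:sender_helo_name {false}{true}}

# A HELO of "localhost" is logged, not accepted. The HELO name is supplied by
# the client, and this statement sits above the "Relay not Permitted" check,
# so an accept here would exempt any host sending that greeting from the relay
# check and from every test below. Genuine loopback connections are already
# accepted by the "hosts = 127.0.0.1" statement above.
warn    condition = ${if match_domain{$sender_helo_name}{localhost}{true}{false}}
        log_message = HELO is Localhost

# Can't impersonate one of our domains
drop    message = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]
        condition = ${if match_domain{$sender_helo_name}{+all_mail_handled_locally}{true}{false}}

# Warn (header and log line) if the connecting host is on one of these DNSBLs.
# NOTE(review): confirm each zone is still operated before deploying; these
# names date from the original post.
warn    dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org : bl.spamcop.net
        message = Host $sender_host_address is Blacklisted in $dnslist_domain=$dnslist_value
        log_message = Host $sender_host_address is Blacklisted in $dnslist_domain=$dnslist_value

# If reverse DNS lookup of the sender's host fails (i.e. there is
# no rDNS entry, or a forward lookup of the resulting name does not
# match the original IP address), then warn about the message.
warn    message = Warning - Reverse DNS lookup failed for host $sender_host_address.
        log_message = Warning - Reverse DNS lookup failed for host $sender_host_address
        !verify = reverse_host_lookup

# Reject the recipient address if it is not in a domain for
# which we are handling mail.
drop    message = REJECTED - Relay not Permitted
        !domains = +all_mail_handled_locally

# Warn (this statement does not deny) when sender and recipient match.
warn    message = Sender and Recipient are the Same
        condition = ${if eq {$sender_address}{$local_part@$domain}{yes}{no}}

######################################################################
# Sender Address Checks
######################################################################
# If we cannot verify the sender address, deny the message.
#
# You may choose to remove the "callout" option. In particular,
# if you are sending outgoing mail through a smarthost, it will not
# give any useful information.
#
# Details regarding the failed callout verification attempt are
# included in the 550 response; to omit these, change
# "sender/callout" to "sender/callout,no_details".
#

# Senders matching this pattern skip the callouts and every check below.
# NOTE(review): the envelope sender is not authenticated, and the pattern has
# no "@" or "." in front of eff.org, so it presumably also matches other
# domains that merely end in those characters. Confirm and tighten.
accept  senders = *eff.org

# Warn if the sender's domain is on the dsn.rfc-ignorant.org list.
warn    dnslists = dsn.rfc-ignorant.org/$sender_address_domain
        message = Host $sender_host_address is RFC-IGNORANT listed at http://rfc-ignorant.org/policy-dsn.php
        log_message = Host $sender_host_address is RFC-IGNORANT

# Sender callout: skipped for domains on that list and for +no_verify domains.
# defer_ok lets the message through when the callout cannot be completed.
deny    message = REJECTED - Sender Verify Failed\n\n\
        The return address you are using for this email message <$sender_address>\
        does not seem to be a working account.
        !dnslists = dsn.rfc-ignorant.org/$sender_address_domain
        !domains = +no_verify
        !verify = sender/callout=2m,defer_ok

# Reject the recipient if it is not a valid mailbox.
# If the mailbox is not on our system (e.g. if we are a
# backup MX for the recipient domain), then perform a
# callout verification; but if the destination server is
# not responding, accept the recipient anyway.
deny    message = REJECTED - Remote Recipient Verify Failed
        domains = +all_mail_handled_locally
        !verify = recipient/callout=2m,defer_ok,use_sender

# Drop the connection if the envelope sender is empty, but there is
# more than one recipient address. Legitimate DSNs are never sent
# to more than one address.
drop    message = Legitimate bounces are never sent to more than one recipient.
        senders = :
        condition = ${if >{$recipients_count}{1}{true}{false}}

# Drop the connection once more than three recipients have failed.
drop    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        message = REJECTED - Too many failed recipients - count = $rcpt_fail_count

# Otherwise ....
accept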
###################################################
########## ACL that is used after the DATA command
###################################################
check_message:
# Runs after DATA, once the whole message has been received.
# NOTE(review): "demime" belongs to the exiscan content-scanning patch that
# this config was written for. Check that the Exim version in use still
# supports it before reusing these statements.
# Executes ClamAV Virus Filter
# Refuse, and close the connection, when the scanner reports malware.
drop message = REJECTED - Contains malware ($malware_name) addressed
to [$h_to:]
demime = *
malware = *
# Unpack MIME containers and reject file extensions
# This is a match on the attachment's file name extension only, so a renamed
# or archived file is left to the malware scan above.
deny message = Your message contains a windows executable
\"\.$found_extension\" file which is prohobited on this system.
demime =
ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh:tmp:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL:CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG:SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH:TMP
# NOTE(review): this passes a whole file name where the statement above
# passes extensions; confirm that demime matches it as intended.
deny message = Your message contains a suspicious filename which is
prohobited on this system.
demime = attached.zip
# Refuse a Content-Disposition file name that is a long {...} identifier or
# that contains a run of ten or more whitespace characters, both of which can
# push the real extension out of view.
drop message = REJECTED - Hiding of file extensions is not allowed!
regex =
^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
# Unpack MIME containers and reject ZIP file extensions
# NOTE(review): this rule is disabled, but as pasted its message text has
# wrapped onto three lines that do not start with "#".
#deny message = Your message contains a compressed
\"\.$found_extension\" file which is temporarilly prohobited on this
system to prevent the spread of a new virus. Please rename the file and
send it again.
#demime = zip:ZIP
# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.
deny message = REJECTED - Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Warn (add a header) if the address list headers are NOT syntactically
# correct. The message is still accepted.
warn message = Does not conform to RFC2822 standard
!verify = header_syntax
# Otherwise ....
accept
###########################################################
########## ACL that is used for MIME decoding with exiscan
###########################################################
check_mime:
# MIME ACL. Both statements only add a header; nothing is rejected here.
# Add X-Attach-Beware when the lower-cased file name ends in .zip or .rar.
# NOTE(review): $mime_filename comes from the message itself and is copied
# into a header as-is; confirm that is acceptable for downstream readers.
warn message = X-Attach-Beware: Be careful of compressed attached
file named \"$mime_filename\".
condition = ${if match {${lc:$mime_filename}}
{\N(\.zip|\.rar)$\N}{1}{0}}
# Add X-Character-set whenever the charset is not empty.
warn message = X-Character-set: $mime_charset
condition = ${if eq{$mime_charset}{}{0}{1}}
# Otherwise ....
accept