Re: [exim] Anti SPAM Exim configuration

Author: Marc Perkel
Date:  
To: jvanasco, exim-users
CC: 
Subject: Re: [exim] Anti SPAM Exim configuration
jvanasco@??? wrote:

>Would you mind sharing those lines from your .conf with the list?
>
>
>
>>First - I use the Exim ACL tricks that many people have published here.
>>The best ones include:
>>
>>Sender Callback Verification
>>Spamhaus Blacklist
>>No IP address in HELO
>>No pretending they are one of my domains in HELO
>>I reject all messages carrying viruses or Windows executable attachments.
>>
>>This gets rid of 90% + of spam
>>
>>


No problem - here's my ACL

========================

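# Various Domain Lists
#
# Every list file is an lsearch lookup ("lsearch;/path", with a SEMICOLON):
# the file holds one "domain: data" line per entry and the domain being
# tested is the lookup key. Three of these previously read "lsearch:/path"
# (colon), which Exim parses as a two-item list -- a literal domain called
# "lsearch" and a pattern file -- so an lsearch-format file would not have
# matched. All seven now use the same, intended, form.

domainlist system_domains = lsearch;/etc/exim/sdomains
domainlist virtual_local_domains = lsearch;/etc/exim/vdomains
domainlist preprocess_domains = lsearch;/etc/exim/preprocess
domainlist mx_backup_domains = lsearch;/etc/exim/mxbackup
domainlist domain_fallback = lsearch;/etc/exim/domainfallback
domainlist domain_aliases = lsearch;/etc/exim/domainaliases
# Sender domains exempted from the sender callout in check_recipient.
domainlist no_verify = lsearch;/etc/exim/noverify

# Domains whose mailboxes live on this machine; recipients in these domains
# are verified locally at RCPT time. (Physical lines are joined with a
# trailing backslash -- Exim does not treat an indented line as a
# continuation.)
domainlist local_domains = +virtual_local_domains : +domain_fallback : \
                           +domain_aliases : +system_domains

# Every domain this server may accept mail for (local, backup-MX and
# preprocess). A recipient in any other domain is a relay attempt -- this
# list is what check_recipient's "Relay not Permitted" drop tests against.
domainlist all_mail_handled_locally = +local_domains : \
                                      +mx_backup_domains : +preprocess_domains


# Hosts allowed to relay without authenticating: the addresses in the file
# plus @[] (this host's own interface addresses). Treat the file as a
# security-sensitive allow list.
hostlist relay_from_hosts = /etc/exim/relayfor : @[]
hostlist auth_relay_hosts = !+relay_from_hosts

# For domains we do not handle ourselves, a temporary DNS error is treated as
# "no such domain". This turns a transient DNS failure at the sender's site
# into a hard (5xx) "verify = sender" failure in check_recipient rather than a
# 4xx retry -- a deliberate spam trade-off that will occasionally reject
# legitimate mail during DNS outages.
dns_again_means_nonexist = !+all_mail_handled_locally


# Good info at http://slett.net/spam-filtering-for-mx/


#########################################################
## This new section of the configuration contains ACLs ##
## (Access Control Lists) derived from the Exim 3      ##
## policy control options.                             ##
#########################################################


# One ACL per SMTP phase; the ACL names are defined after "begin acl".
acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_mail = check_sender
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_mime = check_mime

begin acl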

###########################################################
########## ACL that checks at CONNECT time
###########################################################

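check_connect:

#######################################################################
# DNS checks
######################################################################
#
# The results of these checks are cached, so multiple recipients
# do not translate into multiple DNS lookups.
#
# If the connecting host is in one of a select few DNSbls, then
# reject the message. Be careful when selecting these lists; many
# would cause a large number of false positives, and/or have no
# clear removal policy.
#
# Operational caveat: a DNSBL zone that is retired may stop answering (the
# check silently becomes a no-op) or start answering positively for every
# query (every connection is dropped). Confirm each zone named in this file
# is still operated before deploying it, and re-check periodically.
#
# This is the only hard, connect-time DNSBL reject; the other zones are used
# to defer (backup MX) or merely to tag mail (check_recipient).

drop    dnslists = sbl-xbl.spamhaus.org
        message = REJECTED - Host $sender_host_address is Blacklisted in \
                  $dnslist_domain=$dnslist_value


# On backup servers stall them if things aren't quite right.
# "defer" (4xx) rather than drop: a real MTA will retry and eventually get
# through via the primary; most spamware does not retry.

.ifdef NO_VDOMAINS

# This is run only on secondary mx spam filters (NO_VDOMAINS is a macro that
# is defined only in the secondary-MX build of this configuration).

defer   dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org : \
                   bl.spamcop.net
        message = Host $sender_host_address is Blacklisted in \
                  $dnslist_domain=$dnslist_value


# Temporarily reject hosts without a matching forward/reverse DNS pair.

defer   message     = Warning - Reverse DNS lookup failed for host \
                      $sender_host_address.
        !verify     = reverse_host_lookup


.endif


# Otherwise ....
accept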


###########################################################
########## ACL that checks HELO
###########################################################

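check_helo:

# If the remote host greets with a bare IP address ("HELO 1.2.3.4"), drop
# the connection. The RFC-compliant bracketed address literal "[1.2.3.4]"
# is meant to pass: it is not a plain IP address as far as "isip" is
# concerned -- do not "fix" this by stripping the brackets (confirm the isip
# behaviour on the Exim version in use).
#
# Note this ACL runs for every client, including hosts in relay_from_hosts
# and clients that will authenticate later (HELO precedes AUTH), and that a
# HELO name is attacker-chosen: this is a spam heuristic, not a security
# control.

drop    message = REJECTED - Bad HELO - IP address not allowed ($sender_helo_name)
        condition = ${if isip {$sender_helo_name}{true}{false}}


# Otherwise ....
accept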


###########################################################
########## ACL that checks the SENDER ADDRESS
###########################################################

check_sender:

# Envelope-sender block list: the file is read as an address list, one
# pattern per line. The envelope sender is supplied by the client and is
# trivially forged, so this stops nuisance senders, not determined ones.
# There is no host or authentication exemption here, so the list also
# applies to authenticated clients and to relay_from_hosts.

drop    message = REJECTED - Sender Address in BLOCK LIST
    senders = /etc/exim/sendersblocked



# Otherwise ....
accept

###########################################################
########## ACL that checks the RECIPIENTS
###########################################################

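check_recipient:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

accept    hosts = :

# Everyone else -- including authenticated clients and relay hosts, which
# are accepted further down -- must use a routable envelope sender. This is
# a routing check only; the callout is done later for untrusted hosts.
# Because dns_again_means_nonexist covers all non-local domains, a DNS
# timeout on the sender's domain fails this check with a 5xx, not a 4xx.

require    verify = sender


# Refuse local parts that a shell or delivery agent could interpret
# (source routing, pipes, dot-files), for every recipient domain.

deny    message = REJECTED - Recipient address contains invalid characters
        local_parts = ^.*[@%!/|] : ^\\.



.ifndef NO_VDOMAINS

# Primary MX only: reject unknown recipients in our own domains at RCPT time
# instead of accepting and bouncing later (avoids backscatter).

deny    message   = REJECTED - Unroutable Local Address
        log_message   = REJECTED
        domains = +local_domains
        !verify   = recipient


.endif

drop    message = REJECTED - The account you are emailing is a Dead Account
        recipients = lsearch;/etc/exim/deadaccounts


# Trusted sources. Loopback and the whole 192.168/16 private range may relay
# without authentication, so any compromised machine on that network can
# relay through this server -- keep the range as narrow as the site allows.

accept    hosts = 127.0.0.1 : 192.168.0.0/16


accept hosts = +relay_from_hosts

# Authenticated clients may send to any recipient with any envelope sender.

accept    authenticated = *


# Relay protection. Every source that is allowed to relay has been accepted
# above, so anything still here that asks for a domain we do not handle is a
# relay attempt. This statement MUST stay ahead of the heuristic (HELO,
# DNSBL, sender whitelist) statements below so that none of them can accept
# a recipient in a foreign domain. (Previously it sat after an "accept" on
# "HELO localhost", which let any remote host that greeted with "localhost"
# relay to any destination.)

drop    message = REJECTED - Relay not Permitted
        !domains = +all_mail_handled_locally



####### HELO CHECKS
#
# These "warn" statements do not reject: "message" on a warn adds the text
# as a header line (X-ACL-Warn: is prefixed when the text has no header
# name) and log_message writes to the main log.

# Require fully qualified domain name in HELO

warn    message = Bad HELO - single word rather than a Domain Name - ($sender_helo_name)
        log_message = Bad HELO - single word rather than a Domain Name - ($sender_helo_name)
        condition = ${if match {$sender_helo_name} {\.} {no}{yes}}



# No HELO

warn    message = Bad HELO no greeting
        log_message = Bad HELO no greeting
        condition = ${if def:sender_helo_name {false}{true}}



# "HELO localhost": log it, but do not accept on that basis. An "accept"
# here (as in the previous version) skips every remaining check for any
# unauthenticated remote host that chooses to greet with "localhost".

warn    log_message = HELO is Localhost
        condition = ${if match_domain{$sender_helo_name}{localhost}{true}{false}}



# Can't impersonate one of our domains. "localhost" is exempted so that the
# statement above keeps its previous effect (localhost is commonly listed in
# system_domains); tighten this if that exemption is not wanted.

drop    message = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]
        condition = ${if match_domain{$sender_helo_name}{localhost}{false}\
                    {${if match_domain{$sender_helo_name}{+all_mail_handled_locally}{true}{false}}}}



# DNSBL hits at this stage only tag the message (the hard reject is done at
# connect time in check_connect). As there, confirm each zone is still
# operated: a retired zone that answers positively would tag every message.

warn    dnslists = dnsbl.sorbs.net : dnsbl.njabl.org : cbl.abuseat.org : \
                   bl.spamcop.net
        message     = Host $sender_host_address is Blacklisted in \
                      $dnslist_domain=$dnslist_value
        log_message = Host $sender_host_address is Blacklisted in \
                      $dnslist_domain=$dnslist_value


# If reverse DNS lookup of the sender's host fails (i.e. there is
# no rDNS entry, or a forward lookup of the resulting name does not
# match the original IP address), then warn about the message.

warn    message     = Warning - Reverse DNS lookup failed for host \
                      $sender_host_address.
        log_message = Warning - Reverse DNS lookup failed for host \
                      $sender_host_address
        !verify     = reverse_host_lookup



# Tag (do not reject) mail whose envelope sender equals the recipient: a
# common forgery pattern, but also what legitimate self-addressed mail
# looks like.

warn    message = Sender and Recipient are the Same
        condition = ${if eq {$sender_address}{$local_part@$domain}{yes}{no}}




######################################################################
# Sender Address Checks
######################################################################

# If we cannot verify the sender address, deny the message.
#
# You may choose to remove the "callout" option. In particular,
# if you are sending outgoing mail through a smarthost, it will not
# give any useful information.
#
# Details regarding the failed callout verification attempt are
# included in the 550 response; to omit these, change
# "sender/callout" to "sender/callout,no_details".
#

# Sender whitelist: skips every remaining check (callouts, bounce and
# failed-recipient limits) for this domain. The envelope sender is attacker
# controlled, so this is also a bypass for anyone who forges it. The
# patterns are therefore pinned to the exact domain and its subdomains; the
# previous pattern "*eff.org" is an end-of-address wildcard and also matched
# e.g. user@noteff.org.

accept senders = *@eff.org : *@*.eff.org

# Lookup key here is the sender's domain, not the connecting host.

warn    dnslists = dsn.rfc-ignorant.org/$sender_address_domain
        message     = Host $sender_host_address is RFC-IGNORANT listed \
                      at http://rfc-ignorant.org/policy-dsn.php
        log_message = Host $sender_host_address is RFC-IGNORANT


# Sender callout. Two things to be aware of:
#  - the callout opens an SMTP connection to the MX of whatever domain the
#    client claims, so a spam run with forged senders makes this server
#    probe third parties; defer_ok keeps mail flowing when that MX is down.
#  - "!dnslists" skips the callout for domains on the rfc-ignorant list; if
#    that zone is ever retired and answers positively for every query, no
#    sender is verified any more. Confirm the zone is still live.

deny    message = REJECTED - Sender Verify Failed\n\n\
        The return address you are using for this email message <$sender_address> \
        does not seem to be a working account.
        !dnslists = dsn.rfc-ignorant.org/$sender_address_domain
        !domains = +no_verify
        !verify = sender/callout=2m,defer_ok



# Reject the recipient if it is not a valid mailbox.
# If the mailbox is not on our system (e.g. if we are a
# backup MX for the recipient domain), then perform a
# callout verification; but if the destination server is
# not responding, accept the recipient anyway. use_sender makes the
# probe carry the real envelope sender instead of <>.

deny    message   = REJECTED - Remote Recipient Verify Failed
        domains = +all_mail_handled_locally
        !verify   = recipient/callout=2m,defer_ok,use_sender


# Drop the connection if the envelope sender is empty, but there is
# more than one recipient address. Legitimate DSNs are never sent
# to more than one address. $rcpt_count includes the RCPT command being
# processed, so this fires on the second recipient; the previously used
# $recipients_count counts only recipients already accepted and would have
# let a second recipient through.

drop    message = Legitimate bounces are never sent to more than one recipient.
        senders = :
        condition = ${if >{$rcpt_count}{1}{true}{false}}


# Deny if too many failed recipients (dictionary / address harvesting)

drop    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        message = REJECTED - Too many failed recipients - count = $rcpt_fail_count



# Otherwise ....
accept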



###################################################
########## ACL that is used after the DATA command
###################################################

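check_message:

# Run the configured virus scanner (ClamAV) over the decoded message.
# Without "/defer_ok" a scanner failure (socket down, timeout) temporarily
# rejects the message instead of letting it through unscanned -- this is
# fail-closed and intended. Note the 550 text echoes the client-supplied
# To: header back to the client.

drop    message = REJECTED - Contains malware ($malware_name) addressed to [$h_to:]
        demime  = *
        malware = *



# Unpack MIME containers and reject file extensions.
#
# This is a denylist on the attachment's declared file extension only:
# renamed files and executables inside archives (zip/rar) are not caught
# (the zip block below is disabled). demime is the legacy exiscan
# condition; newer Exim releases drop it in favour of the MIME ACL
# ($mime_filename in check_mime), which is where new rules should go.

deny     message = Your message contains a windows executable \"\.$found_extension\" \
                   file which is prohibited on this system.
         demime = \
ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh:tmp:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL:CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:REG:SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH:TMP


# Apparently meant to block an attachment named "attached.zip". demime takes
# a list of file EXTENSIONS (as in the rules above and below), so this is
# unlikely to match a file called attached.zip -- confirm with a test
# message; if the filename rule is wanted, match $mime_filename in
# check_mime instead.

deny    message = Your message contains a suspicious filename which is prohibited on this system.
        demime = attached.zip


# Reject attachments that hide their real extension behind a CLSID-style
# "{...}" pseudo-extension or a run of 10+ spaces in the filename.
# NOTE(review): the pattern requires "Content-Disposition::" (two colons);
# the raw header line has a single colon, so this looks as if it can never
# match. Test against a sample message before relying on it.

drop     message = REJECTED - Hiding of file extensions is not allowed!
         regex = \
^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$




# Unpack MIME containers and reject ZIP file extensions (disabled).

#deny message = Your message contains a compressed \
#\"\.$found_extension\" file which is temporarily prohibited on this \
#system to prevent the spread of a new virus. Please rename the file and \
#send it again.
#demime = zip:ZIP


# Reject messages that have serious MIME errors.
# This calls the demime condition again, but it
# will return cached results.

deny    message = REJECTED - Serious MIME defect detected ($demime_reason)
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}



# Tag (do not reject) messages whose address headers (From:, To:, Cc:, ...)
# are NOT syntactically valid per RFC 2822.

warn    message = Does not conform to RFC2822 standard
        !verify = header_syntax


# Otherwise ....
accept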


###########################################################
########## ACL that is used for MIME decoding with exiscan
###########################################################

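check_mime:

# Runs once per MIME part. Both statements only add headers; nothing here
# rejects.

# Tag compressed attachments: zip/rar can carry the executables that the
# extension denylist in check_message cannot see inside an archive.

warn    message = X-Attach-Beware: Be careful of compressed attached file named \"$mime_filename\".
        condition = ${if match {${lc:$mime_filename}} {\N(\.zip|\.rar)$\N}{1}{0}}


# Record the declared character set of each part that has one.

warn    message = X-Character-set: $mime_charset
        condition = ${if eq{$mime_charset}{}{0}{1}}



# Otherwise ....
accept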