Re: [exim] Serious Problems .. over 100,000 messages in the …

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Andrew Rosolino
日付:  
To: exim-users
題目: Re: [exim] Serious Problems .. over 100,000 messages in the queue

  accept  hosts = *
          authenticated = *


There is two parts that have that.. wouldnt that allow relay?


Andrew Rosolino wrote:
>
> Thank you for your help so far =) I appreciate it so much!
>
>
> #!!# cPanel Exim 4 Config
>
>
> spamd_address = 127.0.0.1 783
>
> system_filter=/etc/cpanel_exim_system_filter
>
>
>
>
> #!!# These options specify the Access Control Lists (ACLs) that
> #!!# are used for incoming SMTP messages - after the RCPT and DATA
> #!!# commands, respectively.
>
> acl_smtp_rcpt = check_recipient
> acl_smtp_data = check_message
>
> #!!# This setting defines a named domain list called
> #!!# local_domains, created from the old options that
> #!!# referred to local domains. It will be referenced
> #!!# later on by the syntax "+local_domains".
> #!!# Other domain and host lists may follow.
>
> domainlist local_domains = lsearch;/etc/localdomains
>
> domainlist relay_domains = lsearch;/etc/localdomains : \
>     lsearch;/etc/secondarymx
> hostlist relay_hosts = lsearch;/etc/relayhosts : \
>     localhost
> hostlist auth_relay_hosts = *

>
> ######################################################################
> #                  Runtime configuration file for Exim               #
> ######################################################################

>
>
> # This is a default configuration file which will operate correctly in
> # uncomplicated installations. Please see the manual for a complete list
> # of all the runtime configuration options that can be included in a
> # configuration file. There are many more than are mentioned here. The
> # manual is in the file doc/spec.txt in the Exim distribution as a plain
> # ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
> # the Exim ftp sites. The manual is also online via the Exim web sites.
>
>
> # This file is divided into several parts, all but the last of which are
> # terminated by a line containing the word "end". The parts must appear
> # in the correct order, and all must be present (even if some of them are
> # in fact empty). Blank lines, and lines starting with # are ignored.
>
>
>
> ######################################################################
> #                    MAIN CONFIGURATION SETTINGS                     #
> ######################################################################

>
> perl_startup = do '/etc/exim.pl'
>
> #dns_retry = 1
> #dns_retrans = 1s
>
> # Specify your host's canonical name here. This should normally be the
> fully
> # qualified "official" name of your host. If this option is not set, the
> # uname() function is called to obtain the name.
>
> smtp_banner = "--"
>
>
> #nobody as the sender seems to annoy people
> untrusted_set_sender = *
> local_from_check = false
>
> rfc1413_query_timeout = 2s
>
> split_spool_directory = yes
>
> smtp_connect_backlog = 50
> smtp_accept_max = 500
>
> # primary_hostname =
> queue_run_max = 15
> deliver_queue_load_max = 20
> auto_thaw = 1d
> ignore_bounce_errors_after = 2d
> timeout_frozen_after = 2d
> delay_warning = 100d
>
> # Specify the domain you want to be added to all unqualified addresses
> # here. An unqualified address is one that does not contain an "@"
> character
> # followed by a domain. For example, "caesar@???" is a fully qualified
> # address, but the string "caesar" (i.e. just a login name) is an
> unqualified
> # email address. Unqualified addresses are accepted only from local
> callers by
> # default. See the receiver_unqualified_{hosts,nets} options if you want
> # to permit unqualified addresses from remote sources. If this option is
> # not set, the primary_hostname value is used for qualification.
>
> # qualify_domain =
>
>
> # If you want unqualified recipient addresses to be qualified with a
> different
> # domain to unqualified sender addresses, specify the recipient domain
> here.
> # If this option is not set, the qualify_domain value is used.
>
> # qualify_recipient =
>
>
> # Specify your local domains as a colon-separated list here. If this
> option
> # is not set (i.e. not mentioned in the configuration file), the
> # qualify_recipient value is used as the only local domain. If you do not
> want
> # to do any local deliveries, uncomment the following line, but do not
> supply
> # any data for it. This sets local_domains to an empty string, which is
> not
> # the same as not mentioning it at all. An empty string specifies that
> there
> # are no local domains; not setting it at all causes the default value
> (the
> # setting of qualify_recipient) to be used.
>
>
>
> #!!# message_filter renamed system_filter
> message_body_visible = 5000
>
>
>
>
>
>
> # If you want to accept mail addressed to your host's literal IP address,
> for
> # example, mail addressed to "user@???", then uncomment the
> # following line, or supply the literal domain(s) as part of
> "local_domains"
> # above.
>
> # local_domains_include_host_literals
>
>
> # No local deliveries will ever be run under the uids of these users (a
> colon-
> # separated list). An attempt to do so gets changed so that it runs under
> the
> # uid of "nobody" instead. This is a paranoic safety catch. Note the
> default
> # setting means you cannot deliver mail addressed to root as if it were a
> # normal user. This isn't usually a problem, as most sites have an alias
> for
> # root that redirects such mail to a human administrator.
>
> never_users = root
>
>
> # The use of your host as a mail relay by any host, including the local
> host
> # calling its own SMTP port, is locked out by default. If you want to
> permit
> # relaying from the local host, you should set
> #
> # host_accept_relay = localhost
> #
> # If you want to permit relaying through your host from certain hosts or
> IP
> # networks, you need to set the option appropriately, for example
> #
> #
> #
> # If you are an MX backup or gateway of some kind for some domains, you
> must
> # set relay_domains to match those domains. This will allow any host to
> # relay through your host to those domains.
> #
> # See the section of the manual entitled "Control of relaying" for more
> # information.
>
> # The setting below causes Exim to do a reverse DNS lookup on all incoming
> # IP calls, in order to get the true host name. If you feel this is too
> # expensive, you can specify the networks for which a lookup is done, or
> # remove the setting entirely.
>
> #host_lookup = 0.0.0.0/0
>
>
> # By default, Exim expects all envelope addresses to be fully qualified,
> that
> # is, they must contain both a local part and a domain. If you want to
> accept
> # unqualified addresses (just a local part) from certain hosts, you can
> specify
> # these hosts by setting one or both of
> #
> # receiver_unqualified_hosts =
> # sender_unqualified_hosts =
> #
> # to control sender and receiver addresses, respectively. When this is
> done,
> # unqualified addresses are qualified using the settings of qualify_domain
> # and/or qualify_recipient (see above).
>
>
> # Exim contains support for the Realtime Blocking List (RBL) that is being
> # maintained as part of the DNS. See http://maps.vix.com/rbl/ for
> background.
> # Uncommenting the first line below will make Exim reject mail from any
> # host whose IP address is blacklisted in the RBL at maps.vix.com. Some
> # others have followed the RBL lead and have produced other lists: DUL is
> # a list of dial-up addresses, and ORBS is a list of open relay systems.
> The
> # second line below checks all three lists.
>
> # rbl_domains = rbl.maps.vix.com
> # rbl_domains = rbl.maps.vix.com
>
>
> # If you want Exim to support the "percent hack" for all your local
> domains,
> # uncomment the following line. This is the feature by which mail
> addressed
> # to x%y@z (where z is one of your local domains) is locally rerouted to
> # x@y and sent on. Otherwise x%y is treated as an ordinary local part.
>
> # percent_hack_domains = *
>
> #sender_host_accept = +include_unknown:*
> #sender_host_reject = +include_unknown:lsearch*;/etc/spammers
>
>
>
> tls_certificate = /etc/exim.crt
> tls_privatekey = /etc/exim.key
> tls_advertise_hosts = *
>
> helo_accept_junk_hosts = *
>
> smtp_enforce_sync = false
>
>
> #!!#######################################################!!#
> #!!# This new section of the configuration contains ACLs #!!#
> #!!# (Access Control Lists) derived from the Exim 3      #!!#
> #!!# policy control options.                             #!!#
> #!!#######################################################!!#

>
> #!!# These ACLs are crudely constructed from Exim 3 options.
> #!!# They are almost certainly not optimal. You should study
> #!!# them and rewrite as necessary.
>
> begin acl
>
>
>
>
>
> #!!# ACL that is used after the RCPT command
> check_recipient:
> # Exim 3 had no checking on -bs messages, so for compatibility
> # we accept if the source is local SMTP (i.e. not over TCP/IP).
> # We do this by testing for an empty sending host field.
> accept hosts = :
>
>
>   # Accept bounces to lists even if callbacks or other checks would fail
>   warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
>            condition    = \
>            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
>                      {exists
> {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
>                 {yes}{no}}

>
>   accept   condition    = \
>            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
>                      {exists
> {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
>                 {yes}{no}}

>
>
>   # Accept bounces to lists even if callbacks or other checks would fail
>   warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
>            condition    = \
>            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
>                      {exists
> {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}}
> \
>                 {yes}{no}}

>
>   accept   condition    = \
>            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
>                      {exists
> {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}}
> \
>                 {yes}{no}}

>
> #if it gets here it isn't mailman
>
>   accept  hosts = *
>           authenticated = *

>
>
>   #if they poped before smtp we just accept
>   accept  condition = ${if
> match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if
> eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
>         add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}
>   accept  hosts = +relay_hosts
>       add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}

>
>    #recipient verifications are now done after smtp auth and pop before
> smtp so the users get back bounces instead of 
>    # a clogged outbox in outlook

>
> #recipient verifications are required for all messages that are not sent
> to the local machine
> #this was done at multiple users requests
> require verify = recipient
>
>  deny message = JunkMail rejected - $sender_fullhost is in an RBL, see
> $dnslist_text
>      dnslists = zen.spamhaus.org : bl.spamcop.net

>
>
>
>
> require verify = sender
>
>
> # The only problem with this setup is that if the message is for multiple
> users on the same server
> # and they are on different unix accounts, the settings for the first
> recipient which has spamassassin enabled will be used.
> # This shouldn't be a problem 99.9% of the time, however its a very small
> price to pay for a massive speed increase.
>
>
>   warn  domains = ! ${primary_hostname} : +local_domains
>     condition = ${if eq
> {${acl_m0}}{1}{0}{${perl{acl_checksa_deliver}{$domain}{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}}}}}
>     set acl_m0    = 1
>     set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}

>
>   warn  domains = ${primary_hostname}
>     condition = ${if eq
> {${acl_m0}}{1}{0}{${perl{acl_checkusersa}{$local_part}{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}}}}}
>     set acl_m0    = 1
>     set acl_m1    = $local_part

>
>
> accept domains = +relay_domains
>
>   deny    message = $sender_fullhost is currently not permitted to \
>                         relay through this server. Perhaps you \
>                         have not logged into the pop/imap server in the \
>                         last 30 minutes or do not have SMTP Authentication
> turned on in your email client.

>
>
> #!!# ACL that is used after the DATA command
> check_message:
> # Enabling this will make the server non-rfc compliant
> # require verify = header_sender
> accept hosts = 127.0.0.1 : +relay_hosts
>
>   accept  hosts = *
>           authenticated = *

>
>   warn
>     condition = ${if eq {${acl_m0}}{1}{1}{0}}
>     spam =  ${acl_m1}/defer_ok
>     log_message = "SpamAssassin as ${acl_m1} detected message as spam"
>     add_header = X-Spam-Subject: ***SPAM*** $h_subject
>     add_header = X-Spam-Status: Yes, score=$spam_score
>     add_header = X-Spam-Score: $spam_score_int
>     add_header = X-Spam-Bar: $spam_bar
>     add_header = X-Spam-Report: $spam_report
>     add_header = X-Spam-Flag: YES
>     set acl_m2 = 1

>
>   warn
>   condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
>   add_header = X-Spam-Status: No, score=$spam_score
>   add_header = X-Spam-Score: $spam_score_int
>   add_header = X-Spam-Bar: $spam_bar
>   add_header = X-Spam-Flag: NO
>     log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam"

>
> deny
>     condition = ${if eq {${acl_m0}}{1}{${if
> >{$spam_score_int}{200}{1}{0}}}{0}}
>     log_message = "The mail server detected your message as spam and has
> prevented delivery (200)."
>     message = "The mail server detected your message as spam and has
> prevented delivery."

>
>
>
>
> accept
>
>
>
>
>
>
> begin authenticators
>
> fixed_plain:
> driver = plaintext
> public_name = PLAIN
> server_prompts = :
> server_condition = "${perl{checkuserpass}{$1}{$2}{$3}}"
> server_set_id = $2
>
> fixed_login:
> driver = plaintext
> public_name = LOGIN
> server_prompts = "Username:: : Password::"
> server_condition = "${perl{checkuserpass}{$1}{$2}}"
> server_set_id = $1
>
>
>
>
>
> ######################################################################
> #                      REWRITE CONFIGURATION                         #
> ######################################################################

>
> # There are no rewriting specifications in this default configuration
> file.
>
> begin rewrite
>
>
>
>
>
> #!!#######################################################!!#
> #!!# Here follow routers created from the old routers,   #!!#
> #!!# for handling non-local domains.                     #!!#
> #!!#######################################################!!#

>
> begin routers
>
>
> #!!# If we are trying to deliver to a remote mailman domain that is on the
> localhost
> #!!# let it go though even if its not in /etc/localdomains since mailman
> will eat
> #!!# up 100% of the cpu if we don't
>
> mailman_virtual_router:
>     driver = accept
>     require_files =
> /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
>     local_part_suffix_optional
>     local_part_suffix = -admin     : \
>             -bounces   : -bounces+* : \
>                         -confirm   : -confirm+* : \
>             -join      : -leave     : \
>             -owner       : -request   : \
>             -subscribe : -unsubscribe
>     transport = mailman_virtual_transport

>
> mailman_virtual_router_nodns:
>     driver = accept
>     require_files =
> /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
>     condition    = \
>            ${if or {{match{$local_part}{.*_.*}} \
>                      {eq{$local_part}{mailman}}} \
>                 {1}{0}}
>     local_part_suffix_optional
>     local_part_suffix = -admin     : \
>             -bounces   : -bounces+* : \
>                         -confirm   : -confirm+* : \
>             -join      : -leave     : \
>             -owner       : -request   : \
>             -subscribe : -unsubscribe
>     domains = +local_domains
>     transport = mailman_virtual_transport_nodns

>
>
>
>
> ######################################################################
> #                      ROUTERS CONFIGURATION                         #
> #            Specifies how remote addresses are handled              #
> ######################################################################
> #                          ORDER DOES MATTER                         #
> #  A remote address is passed to each in turn until it is accepted.  #
> ######################################################################

>
> # Remote addresses are those with a domain that does not match any item
> # in the "local_domains" setting above.
>
> #
> # Demo Safety Router
> #
>
> democheck:
>     driver = redirect
>     condition = "${perl{democheck}}"
>     allow_fail
>     require_files = "+/etc/demousers"
>     data = :fail: demo accounts are not permitted to relay email

>
>
>
>
> # This router routes to remote hosts over SMTP using a DNS lookup with
> # default options.
>
> boxtrapper_autowhitelist:
> driver = accept
> condition = "${perl{checkbx_autowhitelist}{$authenticated_id}}"
> require_files = "+/usr/local/cpanel/bin/boxtrapper"
> transport = boxtrapper_autowhitelist
> unseen
>
> #
> # Handles nobody and webspam and mail trap checks in checkspam2 and gives
> a userful error
> #
>
> checkspam2:
>     condition = "${perl{checkspam2}}"
>     driver = redirect
>     domains = ! +local_domains
>     ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
>     allow_fail
>     data = "${perl{checkspam2_results}}"

>
> #
> # Lookup host router for remote smtp and ignores verisign site finder
> 'service'
> #
>
> lookuphost:
>     driver = dnslookup
>     domains = ! +local_domains
>     #ignore verisign to prevent waste of bandwidth
>     ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
>     headers_add = "${perl{mailtrapheaders}}"
>     transport = remote_smtp

>
> # This router routes to remote hosts over SMTP by explicit IP address,
> # given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
> # require this facility, which is why it is enabled by default in Exim.
> # If you want to lock it out, set forbid_domain_literals in the main
> # configuration section above.
>
> #
> # Literal Transports .. ignores verisigns sitefinder service
> #
>
> literal:
>     driver = ipliteral
>     domains = ! +local_domains
>     headers_add = "${perl{mailtrapheaders}}"
>     ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
>     transport = remote_smtp

>
>
>
>
> #!!# This new router is put here to fail all domains that
> #!!# were not in local_domains in the Exim 3 configuration.
>
> #
> # Trap Failures to Remote Domain
> #
>
> fail_remote_domains:
> driver = redirect
> domains = ! +local_domains : ! localhost : ! localhost.localdomain
> allow_fail
> data = ":fail: The mail server could not deliver mail to
> $local_part@$domain. The account or domain may not exist, they may be
> blacklisted, or missing the proper dns entries."
>
>
>
>
>
> #!!#######################################################!!#
> #!!# Here follow routers created from the old directors, #!!#
> #!!# for handling local domains.                         #!!#
> #!!#######################################################!!#

>
>
>
> ######################################################################
> #                      DIRECTORS CONFIGURATION                       #
> #             Specifies how local addresses are handled              #
> ######################################################################
> #                          ORDER DOES MATTER                         #
> #   A local address is passed to each in turn until it is accepted.  #
> ######################################################################

>
> # Local addresses are those with a domain that matches some item in the
> # "local_domains" setting above, or those which are passed back from the
> # routers because of a "self=local" setting (not used in this
> configuration).
>
>
> # This director handles aliasing using a traditional /etc/aliases file.
> # If any of your aliases expand to pipes or files, you will need to set
> # up a user and a group for these deliveries to run under. You can do
> # this by uncommenting the "user" option below (changing the user name
> # as appropriate) and adding a "group" option if necessary. Alternatively,
> you
> # can specify "user" on the transports that are used. Note that those
> # listed below are the same as are used for .forward files; you might want
> # to set up different ones for pipe and file deliveries from aliases.
>
> #spam_filter:
> # driver = forwardfile
> # file = /etc/spam.filter
> # no_check_local_user
> # no_verify
> # filter
> # allow_system_actions
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> #
> # Account level filtering for everything but the main account
> #
>
> central_filter:
>     driver = redirect
>     allow_filter
>     no_check_local_user
>     file = /etc/vfilters/${domain}
>     file_transport = address_file
>     directory_transport = address_directory
>     domains = lsearch;/etc/userdomains
>     pipe_transport = virtual_address_pipe
>     reply_transport = address_reply
>     router_home_directory =
> ${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}
>     user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>     allow_fail
>     no_verify

>
> #
> # Account level filtering for the main account
> #
> # checks /etc/vfilters/maindomain if its a localuser (ie main acct)
> # 
> mainacct_central_user_filter:
>     driver = redirect  
>     allow_filter  
>     allow_fail
>     check_local_user
>     domains = ! lsearch;/etc/userdomains
>     condition = "${perl{hasfilterfile}{$local_part}}"
>     file = "${perl{getfilterfile}{$local_part}}"
>     file_transport = address_file  
>     pipe_transport = address_pipe
>     reply_transport = address_reply
>     retry_use_local_part  
>     no_verify

>
> #
> # User Level Filtering for the main account
> #
> central_user_filter:
>     driver = redirect
>     allow_filter
>     allow_fail
>     check_local_user
>     domains = ! lsearch;/etc/userdomains
>     file =
> "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}/etc/filter"
>     require_files =
> "+${extract{5}{::}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}/etc/filter"
>     router_home_directory =
> ${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}
>     directory_transport = address_directory
>     file_transport = address_file
>     pipe_transport = virtual_address_pipe
>     reply_transport = address_reply
>     retry_use_local_part
>     no_verify

>
> #
> # User Level Filtering for virtual users
> #
> virtual_user_filter:
>     driver = redirect
>     allow_filter
>     allow_fail
>     no_check_local_user
>     domains = lsearch;/etc/userdomains
>     file =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/$domain/$local_part/filter"
>     require_files =
> "+${extract{5}{::}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/$domain/$local_part/filter"
>     router_home_directory =
> ${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}
>     directory_transport = address_directory
>     file_transport = address_file
>     pipe_transport = virtual_address_pipe
>     reply_transport = address_reply
>     user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>     no_verify

>
> virtual_aliases_nostar:
> driver = redirect
> allow_defer
> allow_fail
> data = ${if
> exists{/etc/valiases/$domain}{${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}}}
> file_transport = address_file
> group = mail
> pipe_transport = virtual_address_pipe
> retry_use_local_part
> domains = lsearch;/etc/localdomains
> unseen
>
> #
> # Virtual User Spam Boxes
> #
>
> virtual_user_spam:
>     driver = accept
>     require_files =
> "+${extract{5}{::}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/.spamassassinboxenable"
>     condition = "${perl{check_deliver_spam}{$domain}{$local_part}}"
>     headers_remove="x-spam-exim"
>     domains = lsearch;/etc/userdomains
>     retry_use_local_part
>     transport = virtual_userdelivery_spam

>
>
> virtual_boxtrapper_user:
> driver = accept
> condition = "${perl{checkbx_deliver}{$domain}{$local_part}}"
> require_files = "+/usr/local/cpanel/bin/boxtrapper"
> domains = lsearch;/etc/userdomains
> retry_use_local_part
> transport = virtual_boxtrapper_userdelivery
> virtual_user:
> driver = accept
> condition = "${perl{check_deliver}{$domain}{$local_part}}"
> headers_remove="x-spam-exim"
> domains = lsearch;/etc/userdomains
> retry_use_local_part
> transport = virtual_userdelivery
>
>
> has_alias_but_no_mailbox_discarded_to_prevent_loop:
>     driver = redirect
>         condition = "${perl{checkvalias}{$domain}{$local_part}}"
>      domains = lsearch;/etc/localdomains
>     data="#Exim Filter\nseen finish"
>       group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>     user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>     allow_filter
>     disable_logging = true

>
> valias_domain_file:
> driver = redirect
> allow_defer
> allow_fail
> condition = ${lookup {$domain} lsearch
> {/etc/vdomainaliases/$domain}{yes}{no} }
> require_files = +/etc/vdomainaliases/$domain
> data = $local_part@${lookup {$domain} lsearch
> {/etc/vdomainaliases/$domain} }
> virtual_aliases:
> driver = redirect
> allow_defer
> allow_fail
> data = ${if
> exists{/etc/valiases/$domain}{${lookup{*}lsearch{/etc/valiases/$domain}}}}
> file_transport = address_file
> group = mail
> pipe_transport = virtual_address_pipe
> domains = lsearch;/etc/localdomains
> retry_use_local_part
>
>
>
>
>
>
> # This director handles forwarding using traditional .forward files.
> # If you want it also to allow mail filtering when a forward file
> # starts with the string "# Exim filter", uncomment the "filter" option.
> # The check_ancestor option means that if the forward file generates an
> # address that is an ancestor of the current one, the current one gets
> # passed on instead. This covers the case where A is aliased to B and B
> # has a .forward file pointing to A. The three transports specified at the
> # end are those that are used when forwarding generates a direct delivery
> # to a file, or to a pipe, or sets up an auto-reply, respectively.
>
> system_aliases:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> file_transport = address_file
> pipe_transport = address_pipe
> retry_use_local_part
> # user = exim
>
>
> local_aliases:
> driver = redirect
> allow_defer
> allow_fail
> data = ${lookup{$local_part}lsearch{/etc/localaliases}}
> file_transport = address_file
> pipe_transport = address_pipe
> check_local_user
>
>
>
> userforward:
> #!!# filter renamed allow_filter
> driver = redirect
> allow_filter
> check_ancestor
> check_local_user
> domains = ! lsearch;/etc/userdomains
> no_expn
> file = $home/.forward
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
> no_verify
>
> #
> # Optimzied spambox router
> #
>
> localuser_spam:
>     driver = accept
>     headers_remove="x-spam-exim"
>     require_files = "+$home/.spamassassinboxenable"
>     condition = "${perl{checkuserspambox}{$local_part}}"
>     check_local_user
>     domains = ! lsearch;/etc/userdomains
>     transport = local_delivery_spam

>
> boxtrapper_localuser:
> driver = accept
> require_files =
> "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
> condition = "${perl{checkuserbx}{$local_part}}"
> check_local_user
> domains = ! lsearch;/etc/userdomains
> transport = local_boxtrapper_delivery
>
>
> localuser:
> driver = accept
> headers_remove="x-spam-exim"
> check_local_user
> domains = ! lsearch;/etc/userdomains
> transport = local_delivery
>
>
>
> # This director matches local user mailboxes.
>
>
>
>
>
>
>
> ######################################################################
> #                      TRANSPORTS CONFIGURATION                      #
> ######################################################################
> #                       ORDER DOES NOT MATTER                        #
> #     Only one appropriate transport is called for each delivery.    #
> ######################################################################

>
> # A transport is used only when referenced from a director or a router
> that
> # successfully handles an address.
>
>
> # This transport is used for delivering messages over SMTP connections.
>
> begin transports
>
>
>
>
>
> remote_smtp:
> driver = smtp
>
>
> # This transport is used for local delivery to user mailboxes. By default
> # it will be run under the uid and gid of the local user, and requires
> # the sticky bit to be set on the /var/mail directory. Some systems use
> # the alternative approach of running mail deliveries under a particular
> # group instead of using the sticky bit. The commented options below show
> # how this can be done.
>
> local_delivery:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> directory =
> "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}/mail"
> maildir_use_size_file
> maildir_format
> group = mail
> mode = 0660
> return_path_add
> user = $local_part
>
> local_delivery_spam:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> directory =
> "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}/mail/.spam"
> maildir_use_size_file
> maildir_format
> group = mail
> mode = 0660
> return_path_add
> user = $local_part
>
>
>
>
>
>
>
>
>
> # This transport is used for handling pipe deliveries generated by alias
> # or .forward files. If the pipe generates any standard output, it is
> returned
> # to the sender of the message as a delivery error. Set return_fail_output
> # instead of return_output if you want this to happen only when the pipe
> fails
> # to complete normally. You can set different transports for aliases and
> # forwards if you want to - see the references to address_pipe below.
>
> address_directory:
>     driver        = appendfile
>     maildir_format
> address_pipe:
>   driver = pipe
>   return_output

>
> virtual_address_pipe:
> driver = pipe
> group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
> return_output
> user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>
> # This transport is used for handling deliveries directly to files that
> are
> # generated by aliassing or forwarding.
>
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
>
>
> # This transport is used for handling autoreplies generated by the
> filtering
> # option of the forwardfile director.
>
>
>
>
>
> virtual_userdelivery_spam:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> directory =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/mail/${domain}/${local_part}/.spam"
> maildir_use_size_file
> maildir_format
> group = mail
> mode = 0660
> quota = "${if
> exists{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/${domain}/quota}
> {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/${domain}/quota}{$value}}}
> {}}"
> quota_is_inclusive = false
> quota_directory =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/mail/${domain}/${local_part}"
> return_path_add
> user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>
> boxtrapper_autowhitelist:
> driver = pipe
> headers_only
> command = /usr/local/cpanel/bin/boxtrapper --autowhitelist
> "${authenticated_id}"
> user = ${perl{getemailuser}{$authenticated_id}}
> group = mail
> log_output = true
> current_directory = "/tmp"
> return_fail_output = true
> return_path_add = false
>
> local_boxtrapper_delivery:
> driver = pipe
> command = /usr/local/cpanel/bin/boxtrapper "${local_part}"
> user = $local_part
> group = mail
> log_output = true
> current_directory = "/tmp"
> return_fail_output = true
> return_path_add = false
>
> virtual_boxtrapper_userdelivery:
> driver = pipe
> command = /usr/local/cpanel/bin/boxtrapper "${local_part}@${domain}"
> user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
> group = mail
> log_output = true
> current_directory = "/tmp"
> return_fail_output = true
> return_path_add = false
> virtual_userdelivery:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> directory =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/mail/${domain}/${local_part}"
> maildir_use_size_file
> maildir_format
> group = mail
> mode = 0660
> quota = "${if
> exists{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/${domain}/quota}
> {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/etc/${domain}/quota}{$value}}}
> {}}"
> quota_is_inclusive = false
> quota_directory =
> "${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/mail/${domain}/${local_part}"
> return_path_add
> user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
>
>
> address_reply:
> driver = autoreply
>
>
> mailman_virtual_transport:
>     driver = pipe
>     command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
>               '${if def:local_part_suffix \
>                     {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
>                     {post}}' \
>               ${lc:$local_part}_${lc:$domain}
>     current_directory = /usr/local/cpanel/3rdparty/mailman
>     home_directory = /usr/local/cpanel/3rdparty/mailman
>     user = mailman
>     group = mailman

>
>
> mailman_virtual_transport_nodns:
>     driver = pipe
>     command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
>               '${if def:local_part_suffix \
>                     {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
>                     {post}}' \
>               ${lc:$local_part}
>     current_directory = /usr/local/cpanel/3rdparty/mailman
>     home_directory = /usr/local/cpanel/3rdparty/mailman
>     user = mailman
>     group = mailman

>
>
>
>
>
>
>
>
>
> ######################################################################
> #                      RETRY CONFIGURATION                           #
> ######################################################################

>
> # This single retry rule applies to all domains and all errors. It
> specifies
> # retries every 15 minutes for 2 hours, then increasing retry intervals,
> # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
> # hours, then retries every 8 hours until 4 days have passed since the
> first
> # failed delivery.
>
> # Domain               Error       Retries
> # ------               -----       -------

>
>
> begin retry
>
>
>
>
> *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h

>
>
>
>
> # End of Exim 4 configuration
>
>
>
> Mike Cardwell-7 wrote:
>>
>> Andrew Rosolino wrote:
>>
>>> For some reason our queue has over 100,000 e-mail messages in at and
>>> they are
>>> as old as 48 days!!!
>>> I have these variables set:
>>> deliver_queue_load_max = 10
>>> auto_thaw = 1d
>>> ignore_bounce_errors_after = 2d
>>> timeout_frozen_after = 2d
>>>
>>> There is also a bigger problem.. most of those e-mails are all SPAM
>>> being
>>> sent from our server =(.. we are being badly abused!!!
>>>
>>> I have it set to delete SPAM messages and not deliver them but its not
>>> even
>>> deleting it.. I am using SpamAssasin by the way.. here is some headers
>>>
>>> Return-path: <nehpkbarnettsot@???>
>>> Received: from host83-206-dynamic.6-87-r.retail.telecomitalia.it
>>> ([87.6.206.83] helo=pcpiero)
>>>     by alpha2.shiftcode.com with esmtp (Exim 4.66)
>>>     (envelope-from <nehpkbarnettsot@???>)
>>>     id 1I15hM-0000EF-IO
>>>     for admin@???; Wed, 20 Jun 2007 15:18:37 -0400
>>> Received: from 67.28.113.14 (HELO mxvm3.mail.yahoo.com)
>>>      by cashmakerclicks.com with esmtp (;+P/J4/36A=: (:H1)
>>>      id R6,A-/-K(8G:0-L5
>>>      for admin@???; Wed, 20 Jun 2007 19:18:36 -0100
>>> Date:    Wed, 20 Jun 2007 19:18:36 -0100
>>> From:    "Timmy Key" <nehpkbarnettsot@???>
>>> X-Mailer: The Bat! (v3.71.14) Educational
>>> X-Priority: 3 (Normal)
>>> Message-ID: <943854241.15530397833888@???>
>>> To: admin@???
>>> Subject: Summer is almost here, be ready
>>> MIME-Version: 1.0
>>> Content-Type: multipart/alternative;
>>>   boundary="----------DAD329AD3293293"
>>> X-Spam: Not detected
>>> X-Spam-Subject: ***SPAM*** Summer is almost here, be ready
>>> X-Spam-Status: Yes, score=26.4
>>> X-Spam-Score: 264
>>> X-Spam-Bar: ++++++++++++++++++++++++++
>>> X-Spam-Report: Spam detection software, running on the system
>>> "alpha2.shiftcode.com", has
>>>     identified this incoming email as possible spam.  The original message
>>>     has been attached to this so you can view it (if it isn't spam) or
>>> label
>>>     similar future email.  If you have any questions, see
>>>     the administrator of that system for details.
>>>     Content preview:  Profit by your chance! – 4n4trim – The
>>> up-to-the-moment
>>> and
>>>     most exciting product for weighty people is now available – As told on
>>> Oprah
>>>     Can you retain all the times when you plead to yourself to do any thing
>>> for
>>>     being saved from this horrible number of lbs? Happily, now no major
>>> sacrifice
>>>     is demanded. With 4n4trim, the ground-breaking, you can get healthier
>>> mode
>>>     of life and a really slender figure. Notice what people say to us!
>>> [...] 
>>>     Content analysis details:   (26.4 points, 10.0 required)
>>>     pts rule name              description
>>>     ---- ----------------------
>>> --------------------------------------------------
>>>     3.5 BAYES_99               BODY: Bayesian spam probability is 99 to
>>> 100%
>>>     [score: 1.0000]
>>>     4.3 RCVD_FORGED_WROTE2     RCVD_FORGED_WROTE2
>>>     2.8 RCVD_BAD_ID            RCVD_BAD_ID
>>>     2.5 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:'
>>> spam)
>>>     0.0 HS_INDEX_PARAM         URI: Link contains a common tracker pattern.
>>>     0.0 HTML_MESSAGE           BODY: HTML included in message
>>>     1.4 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76
>>> chars
>>>     1.9 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL
>>> blocklist
>>>     [URIs: promfore.com]
>>>     1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL
>>> blocklist
>>>     [URIs: promfore.com]
>>>     1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL
>>> blocklist
>>>     [URIs: promfore.com]
>>>     1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL
>>> blocklist
>>>     [URIs: promfore.com]
>>>     0.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL
>>> blocklist
>>>     [URIs: promfore.com]
>>>     1.1 URIBL_RHS_DOB          Contains an URI of a new domain (Day Old
>>> Bread)
>>>     [URIs: promfore.com]
>>>     0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
>>>     [87.6.206.83 listed in zen.spamhaus.org]
>>>     0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
>>> address
>>>     [87.6.206.83 listed in dnsbl.sorbs.net]
>>>     1.5 URIBL_SBL              Contains an URL listed in the SBL blocklist
>>>     [URIs: promfore.com]
>>>     0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
>>>     dynamic-looking rDNS
>>>     0.5 DYN_RDNS_SHORT_HELO_HTML Sent by dynamic rDNS, short HELO, and HTML
>>> X-Spam-Flag: YES

>>>
>>> alpha2.shiftcode.com is our server.. how can we stop this from happening
>>> =(
>>
>> Interestingly enough, this message was caught by clamav because of the
>> SaneSecurity signature:
>>
>> Email.Hdr.Sanesecurity.07041201
>>
>> root@clayman:~# grep Email.Hdr.Sanesecurity.07041201
>> /var/lib/clamav/scam.ndb
>> Email.Hdr.Sanesecurity.07041201:4:*:582d4d61696c65723a205468652042617421*582d5370616d3a204e6f74206465746563746564*416e617472696d
>>
>> root@clayman:~# perl -e 'foreach( @ARGV ){s/([a-fA-F0-9]{2})/chr(hex
>> $1)/eg;print "$_\n";}' 582d4d61696c65723a205468652042617421
>> 582d5370616d3a204e6f74206465746563746564 416e617472696d
>> X-Mailer: The Bat!
>> X-Spam: Not detected
>> 4n4trim
>>
>> I've obfuscated the word "4n4trim" at several places in this email with
>> '4' instead of 'A' to prevent it triggering the sanesecurity sig again.
>>
>> I wonder how many other people never saw your message. That's the first
>> "false positive" I've seen from their sigs. Anyway, back to the matter
>> at hand. That particular email is on your queue because you relay for
>> admin@???:
>>
>> root@clayman:~# telnet alpha2.shiftcode.com 25
>> Trying 74.53.5.197...
>> Connected to alpha2.shiftcode.com.
>> Escape character is '^]'.
>> 220 --
>> EHLO mailout.grepular.com
>> 250-alpha2.shiftcode.com Hello mailout.grepular.com [91.186.24.33]
>> 250-SIZE 52428800
>> 250-PIPELINING
>> 250-AUTH PLAIN LOGIN
>> 250-STARTTLS
>> 250 HELP
>> MAIL FROM:<>
>> 250 OK
>> RCPT TO:<admin@???>
>> 250 Accepted
>> RCPT TO:<random@???>
>> 550-The mail server could not deliver mail to random@???. The
>> account
>> 550-or domain may not exist, they may be blacklisted, or missing the
>> proper dns
>> 550 entries.
>>
>> As for why you relay mail for that address, I couldn't tell you without
>> seeing your config... Please show us it.
>>
>> Mike
>>
>> --
>> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>
>


--
View this message in context: http://www.nabble.com/Serious-Problems-..-over-100%2C000-messages-in-the-queue-tf4222242.html#a12059702
Sent from the Exim Users mailing list archive at Nabble.com.