[exim] acl_smtp_data scanning on outgoing mail

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Niles Ingalls
Dátum:  
Címzett: exim-users
Tárgy: [exim] acl_smtp_data scanning on outgoing mail
Hello,

I'm currently in the process of migrating my employer to Exim 4.69
from an Exchange server, and
I'm down to just a single issue. My mail server is scanning all of my
outgoing e-mails in addition to
the incoming e-mail, which is of course undesirable.
What I would like is for the ACL's to be skipped when the client uses
SMTP authentication, and this
appears to be working fine for the acl_check_rcpt, but not for the
data/mime sections.
Please advise if you have any insight on my issue.
Thanks
Niles



# $Cambridge: exim/exim-src/src/configure.default,v 1.12 2006/10/25  
08:42:57 ph10 Exp $
######################################################################
#                  Runtime configuration file for Exim               #
######################################################################


ldap_default_servers = 192.168.1.10::3268
perl_startup = do '/usr/exim/exim.pl'

.include /usr/exim/exim_ldap.conf

primary_hostname = exim.zionsville.lib.in.us
domainlist local_domains = @
domainlist relay_to_domains =

hostlist relay_from_hosts = 127.0.0.1
hostlist relay_hosts =
hostlist auth_relay_hosts = *

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime

av_scanner = $acl_m0
spamd_address = /var/run/spamd_socket

auth_advertise_hosts = *
tls_advertise_hosts = *
tls_certificate = /usr/exim/zionsville.lib.in.us.crt
tls_privatekey = /usr/exim/zionsville.lib.in.us.key
tls_on_connect_ports = 465
daemon_smtp_ports = 25 : 465 : 587

untrusted_set_sender=*
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################


begin acl
acl_check_rcpt:
  accept  hosts = :
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  accept  local_parts   = postmaster:abuse
          domains       = +local_domains
  require verify        = sender


  accept  hosts         = +relay_from_hosts
          control       = submission


  accept  authenticated = *
          control       = submission
  require verify        = recipient


  warn    message       = X-blacklisted-at: $dnslist_domain
          dnslists      =  
dnsbl 
.njabl 
.org:cbl 
.abuseat.org:accredit.habeas.com:plus.bondedsender.org:iadb.isipp.com
  deny    dnslists      =  
sbl.spamhaus.org:bl.spamcop.net:cbl.abuseat.org


  warn    set acl_m1    = ${perl{Greylist::defercheck}{lc: 
$sender_address}{lc:$local_part@$domain}{$sender_host_address}}
  defer   domains       = +local_domains
          hosts         = !+relay_hosts
          condition     = ${if eq {$acl_m1}{0}{0}{1}}
          message       = You have been greylisted. This is part of  
our standard anti-spam measures and your mail system \
                          should automatically try again later. We  
will accept this mail from you in \
                          ${if >{$acl_m1}{119}{${eval:$acl_m1/60}  
minutes}{$acl_m1 seconds}}.


  require message       = relay not permitted
          domains       = +local_domains : +relay_to_domains
  accept


acl_check_data:
  warn    message       = X-Spam-Score: $spam_score ($spam_bar)
          spam          = nobody:true
  warn    message       = X-Spam-Report: $spam_report
          spam          = nobody:true


  # add second subject line with *SPAM* marker when message is over  
threshold
  warn    message       = Subject: *SPAM* $h_Subject:
          spam          = nobody


  # reject spam at high scores (> 12)
  deny    message       = This message scored $spam_score spam points.
          spam          = nobody:true
          condition     = ${if >{$spam_score_int}{120}{1}{0}}


  deny    message       = This message contains malware ($malware_name)
  set     acl_m0        = cmdline:/usr/local/bin/clamscan -i --unzip -- 
unrar --arj --unzoo --lha --tar --tgz %s:FOUND: :: (.+) FOUND
          malware       = */defer_ok
accept


acl_check_mime:
accept

begin routers

# Outgoing TMDA Router - sends all first run of outgoing mail for tmda
users to tmda-inject.
outgoing_tmda:
driver = accept
senders = *
domains = !+local_domains
condition = "${if !def:header_X-Delivery-Agent:{1}{0}}"
transport = outgoing_tmda_pipe

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe

ldap_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/usr/exim/ldap_aliases}}
file_transport = address_file
pipe_transport = address_pipe

ldapuser:
driver = redirect
domains = exim.zionsville.lib.in.us
condition=${if match{${lookup ldap {LDAP_AD_MAIL_RCPT ldap:///
LDAP_AD_BASE_DN?sAMAccountName?sub?(&(sAMAccountName=$local_part))}}}
{$local_part}{yes}{no}}
data = /var/mail/${domain}/users/${local_part}
allow_fail
allow_defer
local_part_suffix = +* : -*
local_part_suffix_optional
file_transport = local_delivery
cannot_route_message = Unknown user

localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################


begin transports

remote_smtp:
driver = smtp

#hard-code the domain, to allow easy transition between testing &
going live.
local_delivery:
driver = appendfile
maildir_format = true
directory = /var/mail/zionsville.lib.in.us/users/${local_part}
maildirfolder_create_regex = /\.[^/]+$
delivery_date_add
envelope_to_add
return_path_add

# Outgoing tmda transport - pipes email in batch to tmda-inject
outgoing_tmda_pipe:
  driver = pipe
  batch_max = 1000
  home_directory = /var/mail/zionsville.lib.in.us/users/${lc: 
$sender_address_local_part}
  command = /usr/local/tmda/bin/tmda-inject $pipe_addresses
  user = exim
  group = exim
  environment = HOST=$sender_address_domain:\
                HOMEDIR=/var/mail/zionsville.lib.in.us/users/${lc: 
$sender_address_local_part}:\
                USER=$sender_address_local_part:\
                PASS_USER=$sender_address_local_part


address_pipe:
driver = pipe
return_fail_output
return_path_add
environment = EXTENSION=${substr_1:$local_part_suffix}; DOMAIN=$
{domain}; LOCAL=${local_part}

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


begin rewrite


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators

plain:
driver = plaintext
public_name = PLAIN
server_condition = ${perl{imapLogin}{localhost}{$auth2}{$auth3}}
server_set_id = $auth2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${perl{imapLogin}{localhost}{$auth1}{$auth2}}
server_set_id = $1

cram:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${perl{imapLogin}{$auth2}{$auth3}}
server_set_id = $auth2