[exim] Tighten the Spam Grip

Author: Grant Peel
Date:  
To: exim-users
Subject: [exim] Tighten the Spam Grip
Hi all,

Up until now, I have been accepting mail based on the ACL below, and distributing it based on the router shown below. Since I have mail coming into the server from remote SMTPs and we need to send mail to remote SMTPs, my question is twofold:

Can ACLs be used for incoming mail to determine if any of these criteria exist:
-Virtual User must exist
-Virtual Alias must exist

and can the acl be used for sending mail out, as it is written now, considering the question above?

So, I suppose I am asking, can the ACL be rewritten to:

check if incoming mail is from a local domain, and process it accordingly, or check if mail is from a remote SMTP and deny it (at RCPT time) if a virtual alias or virtual user does not exist?

TIA,

-Grant

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
primary_hostname = mydomain.com
domainlist local_domains = /etc/virtual/domains
domainlist relay_to_domains =
hostlist relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist
acl_smtp_rcpt = acl_check_rcpt
trusted_users = mailnull:root:webmail:www
exim_user = mailnull
exim_group = mail
never_users =
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 1d
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
bounce_return_message = false
delay_warning = 72h
log_selector = +incoming_interface
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl
acl_check_rcpt:
  # Locally submitted mail (no remote host) is always accepted.
  accept  hosts         = :

  # Bounces (empty sender) from hosts listed at ips.backscatterer.org.
  deny    senders       = :
          dnslists      = ips.backscatterer.org
          message       = This message looks like a bounce, and your server is listed at \
                          ips.backscatterer.org, so I assume that this is "backscatter". \
                          Please configure your mail server to not send "backscatter spam". \
                          For advice, try http://www.dontbouncespam.org/
          log_message   = ATTENTION BACKSCATTERER

  # Local parts containing routing/shell characters, or starting with a dot.
  deny    local_parts   = ^.*[@%!/|] : ^\\.

  # A bounce must be addressed to exactly one recipient.
  deny    senders       = :
          condition     = ${if !eq{$recipients_count}{1}{1}}
          message       = Bounces must have only a single recipient
          log_message   = Another denied due to backscatter-Single Recipient

# accept  local_parts   = postmaster
#         domains       = +local_domains

  require verify        = sender

  # Hosts listed in /etc/virtual/blacklist.  The log line records the
  # matching host: $blacklisted_domains is not an Exim variable, and a
  # reference to it makes the log_message expansion fail.
  deny    hosts         = +blacklisted_domains
          message       = rejected because $sender_host_address was \
                          found in our blacklist
          log_message   = host $sender_host_address found in blacklisted_domains

  # Our own domains: the recipient must be accepted by a router
  # (virtual_alias, virtual_localuser, virtual_catchall or localuser),
  # otherwise it is rejected here with "unknown user".
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient

  # Relaying: only from our own hosts or authenticated clients.
  # Reaching the end of the ACL denies everything else.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *



######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################
begin routers


dnslookup_owm:
driver = dnslookup
domains = ! +local_domains
condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}}
transport = remote_smtp_owm
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more

virtual_alias:
driver = redirect
allow_defer
allow_fail
data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

spamcheck_router:
driver = accept
no_verify
condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
transport = spamcheck

autoreply_router:
driver = accept
require_files = /home/$domain/mail/auto-replies/$local_part
transport = autoreply_transport
no_verify
unseen

virtual_localuser:
driver = accept
require_files = /etc/virtual/$domain/passwd
domains = /etc/virtual/domains
condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}}
transport = virtual_localdelivery

virtual_catchall:
driver = redirect
allow_defer
allow_fail
data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}}
domains = /etc/virtual/domains
require_files = /home/$domain/mail/aliases
condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}}
qualify_preserve_domain
retry_use_local_part
check_ancestor
one_time
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}}
transport = local_delivery

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################
begin transports


remote_smtp_owm:
        driver = smtp
        helo_data       = $sender_address_domain
        interface       = ${lookup dnsdb{a=$sender_address_domain}}
        return_path_add = true
        debug_print = "XX T: remote_smtp for $local_part@$domain Sent VIA $interface_address XX"


remote_smtp:
        driver = smtp
        helo_data = ${lookup dnsdb{defer_never,ptr=$interface_address}{$value}{$primary_hostname}}
        interface = $interface_address
        return_path_add = true
        debug_print = "XX T: remote_smtp for $local_part@$domain Sent VIA $interface_address XX"


autoreply_transport:
driver = pipe
command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part

spamcheck:
driver = pipe
command = /usr/local/sbin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
home_directory = "/tmp"
current_directory = "/tmp"
# must use a privileged user to set $received_protocol on the way back in!
user = mailnull
group = mailnull
log_output = true
return_fail_output = false
return_path_add
message_prefix =
message_suffix =

virtual_localdelivery:
driver = appendfile
create_directory = true
directory_mode = 700
file = /var/spool/virtual/${domain}/${local_part}
headers_remove = "Bcc"
return_path_add
user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}}
group = mail
mode = 660

local_delivery:
driver = appendfile
file = /$home/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
user = mailnull
group = mail
mode = 0660

address_pipe:
driver = pipe
return_output
user = thenetnow

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# Domain               Error       Retries
# ------               -----       -------
*                      quota_7d
*                      quota       F,72h,1h;
*                      *           F,12h,15m; F,24h,30m; F,36h,60m


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################


# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


# There are no authenticator specifications in this default configuration file.

begin authenticators

# For Netscape/Mozilla
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \
   {crypteq {$3} {${lookup {${local_part:$2}} lsearch \
                            {/etc/virtual/${domain:$2}/passwd}\
                            {$value} {*:*}}}} } {1}{0}}"
  server_set_id = $2


# For Outlook/Outlook Express
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \
   {crypteq {$2} {${lookup {${local_part:$1}} lsearch \
                            {/etc/virtual/${domain:$1}/passwd}\
                            {$value} {*:*}}}} } {1}{0}}"
  server_set_id = $1
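As an added example, not Grant's posted configuration, the RCPT ACL below is written in Exim's ACL syntax so that the three cases in the question (locally submitted mail, remote mail for one of our domains, relaying to a remote domain) are separate steps; it assumes the list names, routers and file paths from the posted config and nothing else.

```exim
# Added example, not the posted config: acl_check_rcpt with the three
# decisions from the question kept separate.  +local_domains,
# +relay_from_hosts and +blacklisted_domains are the lists from the
# posted main section; the routers are the posted ones.
acl_check_rcpt:

  # 1. Locally submitted mail (no remote host) is always accepted.
  accept  hosts         = :

  # Refuse hosts on the blacklist before doing any lookups.
  deny    hosts         = +blacklisted_domains
          message       = rejected because $sender_host_address was \
                          found in our blacklist
          log_message   = blacklisted host $sender_host_address

  # Local parts with routing/shell characters are never deliverable.
  deny    local_parts   = ^.*[@%!/|] : ^\\.

  # 2. Mail from a remote SMTP host for one of our domains: the address
  #    is run through the routers in verify mode.  It passes only if
  #    virtual_alias, virtual_localuser, virtual_catchall or localuser
  #    accepts it; otherwise it is rejected here, at RCPT time, with
  #    "unknown user" instead of being accepted and bounced later.
  #    This relies on spamcheck_router and autoreply_router keeping
  #    "no_verify"; without it they would accept every address
  #    during verification and the check would never fail.
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient

  # 3. Anything else is relaying to a remote domain: allowed only for
  #    our own hosts or for a client that has authenticated.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Explicit final deny.  Falling off the end of an ACL denies as well,
  # but this gives the remote host a clear reason in the 5xx reply.
  deny    message       = relay not permitted
```

The backscatter and single-recipient checks from the posted ACL can be kept in front of step 2 unchanged; they do not affect the recipient verification.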


# End of Exim configuration file

From juergen.edner@??? Sun Mar 30 18:05:26 2008
Date: Sun, 30 Mar 2008 19:04:58 +0200
From: Juergen Edner <juergen.edner@???>
To: Tom Kistner <tom@???>
Cc: exim-users@???
Subject: Re: [exim] Exim v4.68 - clamd scans attachments twice


Hello Tom,

>> I'm using MIME ACL.
>
> The "extra" files are probably generated there :) By default,
> only the .eml file is present in the temporary scan directory.


does this mean that it is not the .eml file name that is passed
to the malware scanner, but the scan directory name?

If yes, I assume that there's no way to delete the
'other' files right after leaving the MIME ACL part?!

Regards,
Juergen
--
Mail: juergen.edner@???
GPG Key available