Re: [exim] exim config examples....

Author: W B Hacker
To: exim users
Subject: Re: [exim] exim config examples....
Mark Elkins wrote:
> Hi Bill,
>
> some time ago in a posting on exim - you had...
>


... a reluctance to post the 'actual' config because it is overly convoluted,
and undergoing revision.

Ergo:

CAVEATS:

- 'warn' is used to set integers into acl_c variables that are acted on later.
This is what is in long-term production.

- Examples here may still carry vestigial acl_c flag settings we use for
steering. These are superfluous to the needs of others. Evaluate and strip those
to suit your own needs...

- Copious logwrites and log_message entries are 'switched on' for testing,
otherwise commented OFF to keep logs leaner. Most have been redacted here.

- Clean up the MUA-induced line wraps in my post. Most should be obvious.

> + rDNS fail (hard score)


I do this in acl_smtp_connect, but only as the THIRD step.

- first I check to see if the arrival is one of my own users - who will
nearly always be on PTR-less IP, some of which are even locally blacklisted as
well, arriving in submission mode. For us, that means port 587 and no other, so:

# For regular use
#
acl_r_connect:

   # CONNECT_1: Temporarily pass our own arriving MUA's.
   #
   accept
     condition   = ${if eq{$interface_port}{587}}
     set acl_c4  = 1
     log_message = C1 $acl_c3 with $received_protocol on port 587
   endpass


## Note the 'endpass' here ##

   # CONNECT_2: IF cross-box OR approved relays OR whitelist THEN accept NOW.
   #
   accept
     hosts       = : +relay_from_hosts
     set acl_c4  = 2
     log_message = C2A $acl_c3 is a local or relay_host
   endpass


## Note the 'endpass' here ##

   accept
     #logwrite   = C2B Checking filters/IP-white list
     condition   = ${lookup{$sender_host_address}lsearch{/var/mail/filters/IP-white}{yes}{}}
     set acl_c4  = 3
     log_message = C2B $acl_c3 IP whitelisted = $acl_c4
   endpass


## Note the 'endpass' here ##


- IF any of the above applied, we have skipped out of acl_smtp_connect and gone
on to the next phase. 'endpass' did that for us.

OTHERWISE if none of the above apply we reach the third acl clause set:


   # CONNECT_3: Tests for rDNS - delayed until here to allow prior whitelisting
   #
   # CONNECT_3A first test for simple absence of a PTR RR
   # ** CAVEAT WBH change to ~/src/host.c required for this to work properly! **
   deny
     condition   = ${if eq{$interface_port}{25}}
     !hosts      = : +relay_from_hosts
     !condition  = ${if ge{$acl_c4}{1}}
     condition   = ${if match{$sender_host_name}{$sender_host_address}{yes}{no}}
     log_message = C3A no valid PTR RR for $sender_host_address $sender_address $sender_host_name


## IGNORE 3A unless you want to hack Exim source. All it does is reduce the
count of log lines by one line per rejection. 3B uses default source code to get
the same result, takes NO extra time to run, as it bails out immediately on PTR
RR fail *anyway*, but logs an extra line *as we configure log_selector*. IOW
'not necessarily'.


   # CONNECT_3B If a PTR RR was not found, we don't get this far.
   # If a PTR exists, test to see if it is of any *USE*
   #
   deny
     message     = Sender on $sender_address cannot be a mail server. \
                   DNS PTR RR fails to match to valid host name.
     condition   = ${if eq{$interface_port}{25}}
     !hosts      = : +relay_from_hosts
     !condition  = ${if ge{$acl_c4}{1}}
     !verify     = reverse_host_lookup
     log_message = C3B reverse host lookup fail
     delay       = MAINDELAYs


> + dynamic-IP RBL hit (hard score)


This was being triggered very rarely, as reverse_host_lookup has already caught
nearly all such. With M. Sullivan's announcement as to the (probable) impending
demise of the SORBS dynamic IP BL we were using, I'll probably drop this test,
which was a part of the following set:

   # CONNECT_4: Check Local IP Blacklists. IF bad THEN deny
   #
   deny
     hosts       = /var/mail/filters/IP-block
     log_message = C4 $acl_c3 LBL by IP
     delay       = MAINDELAYs


   # CONNECT_5: Check Local Dynamic IP Brownlist. IF bad THEN deny
   #
   deny
     (redacted) same as above, different local list checked

   # CONNECT_6: Check for abusive provider IF bad THEN deny OR warn, score, delay
   #
   deny
     (redacted) same as above, different local list checked

   # CONNECT_7: Check Dynamic/Portable Remote Blacklists. IF RBL's bad THEN deny
   #
   deny
     message     = \n Sender $sender_host_address using dynamic IP for MTA
     !hosts      = : +relay_from_hosts : /var/mail/filters/IP-pass
     !condition  = ${if eq{$acl_c4}{4}}
     dnslists    = dul.dnsbl.sorbs.net
     log_message = C7 $sender_host_address blacklisted in $dnslist_domain
     delay       = MAINDELAYs



> + HELO not matching to FQDN of connected IP (softer score)


Once again, give a pass to our own submission clients, as they will NOT pass
HELO checks. Port number and protocol are all you have. AUTH is just beginning,
has not yet completed. *CHECK THAT LATER* but DO check it.

Otherwise, as I have many complex tests here, I'd rather not confuse the reader.

Basically take Exim's 'stock' HELO verification test, use it with a 'warn' verb
instead of a 'deny', assign a 'demerit' score on fail in that 'warn' clause to
an acl_c variable.

On entering acl_smtp_rcpt, eval that score against per-user preferences, THEN
accept, deny, or flag for quarantine.

We seldom reject on HELO/FQDN mismatch, but often separate to a 'Suspect' IMAP
folder. As said 'per user' preference. Do this BEFORE entering DATA phase.

We DO hard-reject on certain patterns *other-than* simple HELO/FQDN mismatch,
such as the prefix 'ssl.' - but I am not ready to convey all the specifics yet.

Sufficeth to say some miscreants change the domain.tld in a forged HELO, but
keep a telltale prefix. Go figure.

> + 15s delay (zombots are impatient)


Already shown in many of those above, last line was:

delay = MAINDELAYs

Where 'MAINDELAY' was a system-wide MACRO, usually 15.


> + Local & remote BL of the hard-core


The 'usual suspects' as to public RBL's, but only after checking our own local
BL's we have built over the years.

Note that these are 'almost never' called, as PTR RR fail or reverse_host_lookup
fail has already nailed the bulk of the offenders.

We also use several entire-network CIDR entries in ipfw2. These are hit *often*,
but place no load on Exim.

>
>
> Have you got your exim.config file available for others to look at
> anywhere? I'm still(always?) learning and it seems you have a few
> lessons/examples I can use. If your exim.conf is not public - can you
> let me see some of the interesting snippets you seem to be using -
> pretty please?
>


Nearly 100% of what I use was learned right here on this list.

But what is crucial is that you:

- recognize that each environment is different, and what works for one may not
for another

- keep in mind that code snippets, as with blood types, must match the overall
environment. You cannot safely assemble pieces from many different sources
without careful review and test of the whole.


> I think, otherwise, I'm waiting for 4.70 with DKIM included - when the
> Gentoo people roll it out all nice 'n easy to use..
>
> Thanks.


'nice 'n easy' == overly full of compromises in my book, but 'YMMV'


Bill
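The decision order Bill describes (submission port and whitelists before rDNS, rDNS before the local and remote blocklists, HELO/FQDN mismatch scored by a 'warn' rather than rejected, and the score judged against a per-user preference at RCPT) written out as a small Python model. This is an added example for readers of the archived post, not Bill's exim.conf and not Exim code: the PTR and forward records, list contents, DNSBL membership, demerit value, per-user thresholds and the `Conn`/`handle` names are all constructed stand-ins.

```python
# Added example: a Python model of the connect / HELO / RCPT policy order in
# the post above.  Not Bill's exim.conf; every record and list below is constructed.
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the resolver: PTR records and forward A records.
PTR = {
    "203.0.113.10": "mx1.example.net",
    "203.0.113.20": "dsl-203-0-113-20.pool.example.org",
    "198.51.100.6": "host6.example.com",
    "192.0.2.7": "relay7.example.org",
}
FORWARD = {
    "mx1.example.net": {"203.0.113.10"},
    "dsl-203-0-113-20.pool.example.org": {"203.0.113.20"},
    "host6.example.com": {"192.0.2.99"},     # PTR exists but does not confirm
    "relay7.example.org": {"192.0.2.7"},
}
DNSBL = {"203.0.113.20"}            # constructed dynamic-IP RBL (dul.* stand-in)

RELAY_FROM_HOSTS = ["10.0.0.0/8"]   # +relay_from_hosts stand-in
IP_WHITE = {"198.51.100.5"}         # /var/mail/filters/IP-white stand-in
IP_BLOCK = ["192.0.2.0/24"]         # /var/mail/filters/IP-block stand-in
MAINDELAY = 15                      # the MAINDELAY macro, in seconds

HELO_DEMERIT = 5                    # constructed score for a HELO/FQDN mismatch
# Per-user preference as (quarantine_at, reject_at); constructed values.
USER_PREFS = {"alice": (5, 10), "bob": (10, 100)}
DEFAULT_PREF = (5, 10)


@dataclass
class Conn:
    ip: str
    port: int
    helo: str
    acl_c4: int = 0     # set by the connect ACL when an early accept fired
    score: int = 0      # demerits accumulated by 'warn' clauses


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def reverse_host_lookup(ip):
    """verify = reverse_host_lookup: a PTR exists and its forward lookup confirms it."""
    name = PTR.get(ip)
    return name is not None and ip in FORWARD.get(name, set())


def acl_connect(c):
    """Walk CONNECT_1..7 in the post's order; returns (result, delay_seconds)."""
    if c.port == 587:                     # CONNECT_1: our own MUAs (AUTH checked later)
        c.acl_c4 = 1
        return "accept", 0
    if in_nets(c.ip, RELAY_FROM_HOSTS):   # CONNECT_2: cross-box or approved relays
        c.acl_c4 = 2
        return "accept", 0
    if c.ip in IP_WHITE:                  # CONNECT_2B: local IP whitelist
        c.acl_c4 = 3
        return "accept", 0
    if c.port == 25 and c.ip not in PTR:  # CONNECT_3A: no PTR RR at all
        return "deny: no PTR", MAINDELAY
    if c.port == 25 and not reverse_host_lookup(c.ip):   # CONNECT_3B
        return "deny: reverse_host_lookup", MAINDELAY
    if in_nets(c.ip, IP_BLOCK):           # CONNECT_4: local IP blacklist
        return "deny: local IP block", MAINDELAY
    if c.ip in DNSBL:                     # CONNECT_7: dynamic-IP RBL
        return "deny: dnslist", MAINDELAY
    return "continue", 0


def acl_helo(c):
    """'warn' verb: score a HELO/FQDN mismatch instead of rejecting on it."""
    if c.acl_c4 >= 1:                     # submission, relay or whitelisted: skip
        return c.score
    if c.helo != PTR.get(c.ip):
        c.score += HELO_DEMERIT
    return c.score


def acl_rcpt(c, user):
    """Judge the accumulated score against the recipient's own preference."""
    quarantine_at, reject_at = USER_PREFS.get(user, DEFAULT_PREF)
    if c.score >= reject_at:
        return "deny"
    if c.score >= quarantine_at:
        return "quarantine"               # steer to the 'Suspect' IMAP folder
    return "accept"


def handle(ip, port, helo, user):
    """Run the three phases for one connection; returns (disposition, delay_seconds)."""
    c = Conn(ip, port, helo)
    result, delay = acl_connect(c)
    if result.startswith("deny"):
        return result, delay
    acl_helo(c)
    return acl_rcpt(c, user), delay


if __name__ == "__main__":
    print(handle("203.0.113.10", 25, "ssl.mailer.example", "alice"))  # quarantine, 0
    print(handle("192.0.2.50", 25, "anything", "alice"))              # deny: no PTR, 15
```

The same mismatched HELO lands in quarantine for alice (threshold 5) but is accepted for bob (threshold 10), which is the per-user steering the post describes; a host with a consistent PTR inside a locally blocked network is refused at CONNECT_4 rather than CONNECT_3, showing why the rDNS tests run before the lists and why the lists are "almost never" reached.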