Hello,
I am having an Exim configuration running for years without any issues, but
lately I am seeing my server being abused as a relay.
A few things that are boggling my mind:
It is my understanding that the abuse happens after an SPA authentication
but the SPA authentication has failed. Normally I only allow authenticated
external users.
I don't understand this warning: Warning: ACL "warn" statement skipped:
condition test deferred: Could not complete sender verify callout
Would someone be so kind to take a look at my log and config, here below? I
don't understand very well why this abuse is happening.
Thank you!
Jan
This is an example of what I can find in my logfile. Mind the SPA:fail lines
and the ACL "warn" error.
2021-08-04 15:06:57 no host name found for IP address 93.122.252.1
2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1] Warning: HELO
(213.233.88.90) is IP only (See RFC2821 4.1.3)
2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1] Warning: HELO
(213.233.88.90) is IP only (See RFC2821 4.1.3)
2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1] Warning: HELO
(213.233.88.90) is IP only (See RFC2821 4.1.3)
2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1] sender verify fail for
<xfinity@???>: all relevant MX records point to non-existent
hosts
2021-08-04 15:06:58 H=(213.233.88.90) [93.122.252.1]
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<xfinity@???>
A=SPA:fail rejected RCPT <txbutterfly@???>: Sender verify failed
2021-08-04 15:06:58 unexpected disconnection while reading SMTP command from
(213.233.88.90) [93.122.252.1] D=1s
2021-08-04 15:06:58 no host name found for IP address 93.122.252.1
2021-08-04 15:07:00 H=(213.233.88.90) [93.122.252.1] Warning: HELO
(213.233.88.90) is IP only (See RFC2821 4.1.3)
2021-08-04 15:07:01 [66.96.140.174] SSL verify error (during S-verify for
[93.122.252.1]): depth=1 error=self signed certificate in certificate chain
cert=/C=US/O=Sample, Inc./OU=IT Team
20210129161416/OU=bosimpinc03.eigbox.net.eigbox.net/CN=CA
2021-08-04 15:07:01 [66.96.140.174] SSL verify error (during S-verify for
[93.122.252.1]): certificate name mismatch: DN="/C=US/O=Sample, Inc./OU=IT
Team
20210129161416/OU=bosimpinc03.eigbox.net.eigbox.net/CN=bosimpinc03.eigbox.ne
t.eigbox.net" H="mx.easygreenonions.com"
2021-08-04 15:07:02 H=(213.233.88.90) [93.122.252.1] Warning: Sender
(xfinity@???) could not be verified using callout: Sender
verify failed ()
2021-08-04 15:07:03 [103.141.97.82] SSL verify error (during S-verify for
[93.122.252.1]): certificate name mismatch: DN="/CN=*.xserver.jp"
H="tarochan06.com"
2021-08-04 15:07:03 [66.96.140.175] SSL verify error (during S-verify for
[93.122.252.1]): depth=1 error=self signed certificate in certificate chain
cert=/C=US/O=Sample, Inc./OU=IT Team
20210129161416/OU=bosimpinc03.eigbox.net.eigbox.net/CN=CA
2021-08-04 15:07:03 [66.96.140.175] SSL verify error (during S-verify for
[93.122.252.1]): certificate name mismatch: DN="/C=US/O=Sample, Inc./OU=IT
Team
20210129161416/OU=bosimpinc03.eigbox.net.eigbox.net/CN=bosimpinc03.eigbox.ne
t.eigbox.net" H="mx.easygreenonions.com"
2021-08-04 15:07:04 1mBGbw-000GYn-GT Header Message-ID:
<004e07ac4784aea09cc97fd430143e391254b0@???>
2021-08-04 15:07:04 1mBGbw-000GYn-GT Header From: Xfinity
<xfinity@???>\n
2021-08-04 15:07:04 1mBGbw-000GYn-GT Header Subject: Important Update\n
2021-08-04 15:07:04 1mBGbw-000GYn-GT Header To: jsstro@???
2021-08-04 15:07:04 1mBGbw-000GYn-GT <= xfinity@???
H=(213.233.88.90) [93.122.252.1] P=esmtpsa
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=SPA:fail S=8666
id=004e07ac4784aea09cc97fd430143e391254b0@??? T="Important
Update" from <xfinity@???> for jsstro@???
2021-08-04 15:07:06 H=(213.233.88.90) [93.122.252.1] Warning: HELO
(213.233.88.90) is IP only (See RFC2821 4.1.3)
2021-08-04 15:07:07 H=(213.233.88.90) [93.122.252.1] Warning: ACL "warn"
statement skipped: condition test deferred: Could not complete sender verify
callout
2021-08-04 15:07:09 [103.141.97.82] SSL verify error (during S-verify for
[93.122.252.1]): certificate name mismatch: DN="/CN=*.xserver.jp"
H="tarochan06.com"
2021-08-04 15:07:10 H=(213.233.88.90) [93.122.252.1] Warning: ACL "warn"
statement skipped: condition test deferred: Could not complete sender verify
callout
2021-08-04 15:07:10 1mBGc2-000GYl-A5 Header Message-ID:
<26f831897db98d0a2986d0848f4b719ab91f403cfc@???>
2021-08-04 15:07:10 1mBGc2-000GYl-A5 Header From: Xfinity
<xfinity@???>\n
2021-08-04 15:07:10 1mBGc2-000GYl-A5 Header Subject: Important Update\n
2021-08-04 15:07:10 1mBGc2-000GYl-A5 Header To: tomnewsom@???
2021-08-04 15:07:10 1mBGc2-000GYl-A5 <= xfinity@???
H=(213.233.88.90) [93.122.252.1] P=esmtpsa
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=SPA:fail S=8630
id=26f831897db98d0a2986d0848f4b719ab91f403cfc@??? T="Important
Update" from <xfinity@???> for tomnewsom@???
2021-08-04 15:07:10 1mBGbw-000GYn-GT => jsstro@??? R=dnslookup
T=remote_smtp H=mx2.comcast.net [68.87.20.5] TFO
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane
DN="/C=US/postalCode=19103/ST=Pennsylvania/L=Philadelphia/street=1 Comcast
Center/O=Comcast Corporation/OU=Business Center/CN=mx2.comcast.net" C="250
2.0.0 BGbymNa8vcIgCBGc1mwY4F mail accepted for delivery"
2021-08-04 15:07:10 1mBGbw-000GYn-GT Completed
<cut some lines>
2021-08-04 15:07:22 1mBGc2-000GYl-A5 => tomnewsom@??? R=dnslookup
T=remote_smtp H=mx1.comcast.net [96.114.157.80] TFO
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=dane
DN="/C=US/postalCode=19103/ST=Pennsylvania/L=Philadelphia/street=1 Comcast
Center/O=Comcast Corporation/OU=Business Center/CN=mx1.comcast.net" C="250
2.0.0 BGc3meFVNUMphBGc8mFklE mail accepted for delivery"
2021-08-04 15:07:22 1mBGc2-000GYl-A5 Completed
Config:
primary_hostname = my_local_domain.be
domainlist local_domains = @ : r420.my_local_domain.be : ${tr {${lookup
mysql {\
SELECT `domain` FROM `users` WHERE `domain` != '' &&
`domain` IS NOT NULL \
UNION \
SELECT `domain` FROM `alias` WHERE `domain` != '' &&
`domain` IS NOT NULL \
UNION \
SELECT `domain` FROM `catchall` WHERE `domain` != ''
&& `domain` IS NOT NULL \
}}} {"\n"} {:} }
domainlist relay_to_domains =
domainlist fwd_to_pxm_domains = pxm.fr : pxm.com
hostlist relay_from_hosts = localhost : 192.168.0.0/16
acl_not_smtp = acl_log_message_id
acl_smtp_rcpt = acl_check_rcpt
.ifdef _HAVE_PRDR
acl_smtp_data_prdr = acl_check_prdr
.endif
acl_smtp_data = acl_check_data
acl_smtp_dkim = acl_check_dkim
.ifndef MAIN_ACL_CHECK_MIME
MAIN_ACL_CHECK_MIME = acl_check_mime
.endif
acl_smtp_mime = MAIN_ACL_CHECK_MIME
av_scanner = $acl_m0
spamd_address = /var/run/spamd/spamd.sock
tls_advertise_hosts = *
tls_certificate = /etc/ssl/my_local_domain.be/exim/my_local_domain.be.pem
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
exim_user = mailnull
exim_group = mail
never_users = root
trusted_users = www : fetchmail : dovecot : spamd
host_lookup = *
dns_dnssec_ok = 1
.ifdef _HAVE_PRDR
prdr_enable = true
.endif
log_selector = +smtp_protocol_error +smtp_syntax_error \
+tls_certificate_verified +address_rewrite +subject \
+all_parents +received_recipients +received_sender
+tls_cipher \
+tls_peerdn
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
message_size_limit = 100M
keep_environment = ^LDAP
add_environment =
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
hide srs_secrets = g9H__xxxxxxxxxxxxxxxxxxxx
CHECK_RCPT_SPF = true
dmarc_tld_file = /usr/local/etc/exim/public_suffix_list.dat
dmarc_history_file = /var/spool/exim/opendmarc.dat
dmarc_forensic_sender = do-not-reply@my_local_domain.be
SPAM_FILESIZE_LIMIT = 1M
VIRUS_FILESIZE_LIMIT = 5M
CHECK_RCPT_IP_DNSBLS =
cbl.abuseat.org:zen.spamhaus.org:psbl.surriel.com:b.barracudacentral.org:dns
bl.sorbs.net:spamsources.fabel.dk
begin acl
acl_log_message_id:
accept logwrite = Header Message-ID: $h_message-id:
logwrite = Header From: $rh_from:
logwrite = Header Subject: $rh_subject:
logwrite = Header To: $h_to:
acl_check_dkim:
deny message = DKIM fail?
sender_domains = *
dkim_signers = *
dkim_status = fail
deny message = DKIM fail?
sender_domains = gmail.com
dkim_signers = gmail.com
dkim_status = none:invalid:fail
accept
acl_check_rcpt:
accept hosts = :
control = dkim_disable_verify
control = dmarc_disable_verify
deny message = Sender claims to have a local address, but is
neither authenticated nor relayed (try using SMTP-AUTH!)
log_message = Forged Sender address (claims to be local user
[${sender_address}], but isn't authenticated)
!hosts = +relay_from_hosts
!authenticated = *
condition = ${if
match_domain{$sender_address_domain}{+local_domains}}
warn message = You cannot be localhost.localdomain in the
internet
log_message = HELO is faked as localhost.localdomain
condition = ${if
match{$sender_helo_name}{\Nlocalhost\.localdomain\N}}
warn message = X-Invalid-HELO: HELO is IP only (See RFC2821
4.1.3)
log_message = HELO ($sender_helo_name) is IP only (See RFC2821
4.1.3)
condition = ${if isip{$sender_helo_name}}
warn message = X-Invalid-HELO: HELO is no FQDN (contains no
dot) (See RFC2821 4.1.1.1)
log_message = HELO ($sender_helo_name) is no FQDN (contains no
dot) (See RFC2821 4.1.1.1)
condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
warn message = X-Invalid-HELO: HELO is no FQDN (ends in dot)
(See RFC2821 4.1.1.1)
log_message = HELO ($sender_helo_name) is no FQDN (ends in
dot) (See RFC2821 4.1.1.1)
condition = ${if match{$sender_helo_name}{\N\.$\N}}
warn message = X-Invalid-HELO: HELO is no FQDN (contains double
dot) (See RFC2821 4.1.1.1)
log_message = HELO ($sender_helo_name) is no FQDN (contains
double dot) (See RFC2821 4.1.1.1)
condition = ${if match{$sender_helo_name}{\N\.\.\N}}
warn message = X-Invalid-HELO: Host impersonating
[$primary_hostname]
log_message = HELO ($sender_helo_name) impersonating
[$primary_hostname]
!hosts = 127.0.0.1
condition = ${if
match{$sender_helo_name}{$primary_hostname}{yes}{no}}
warn message = X-Invalid-HELO: $interface_address is _my_
address
log_message = HELO ($sender_helo_name) uses _my_ address
($interface_address)
condition = ${if or{{\
eq{[$interface_address]}{$sender_helo_name}\
}{\
eq{$interface_address}{$sender_helo_name}\
}}}
warn message = X-Invalid-HELO: no HELO
log_message = no HELO ($sender_helo_name)
condition = ${if !def:sender_helo_name}
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains
accept condition = ${lookup mysql{ \
SELECT CONCAT(`username`,'@',`domain`) AS
`email` \
FROM `alias` \
WHERE `username` =
'${quote_mysql:$local_part}' \
AND `domain` = '${quote_mysql:$domain}' \
AND `sendto` LIKE '|%' \
}{true}{false}}
control = dkim_disable_verify
control = dmarc_disable_verify
deny message = [SPF] $sender_host_address is not allowed to
send mail from $sender_address_domain
log_message = SPF check failed.
!authenticated = *
hosts = !+relay_from_hosts
spf = fail
warn message = $spf_received
require verify = sender
warn message = X-Sender-Verify: FAILED ($sender_verify_failure)
log_message = Sender ($sender_address) could not be verified
using callout: $acl_verify_message ($sender_verify_failure)
!verify = sender/callout=30s,random
warn message = X-Sender-Verify: SUCCEEDED (sender exists &
accepts mail)
verify = sender/callout=30s,random
accept authenticated = *
control = submission/sender_retain/domain=
control = dkim_disable_verify
control = dmarc_disable_verify
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
control = dmarc_disable_verify
require message = nice hosts say HELO first
condition = ${if def:sender_helo_name}
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require verify = recipient
deny message = ${sender_host_address} is listed at
${dnslist_domain}; See ${dnslist_text}
!hosts = +relay_from_hosts
!authenticated = *
dnslists = CHECK_RCPT_IP_DNSBLS
accept
.ifdef _HAVE_PRDR
acl_check_prdr:
warn set acl_m_did_prdr = y
.endif
accept
acl_check_mime:
deny
decode = default
condition = ${if > {$mime_anomaly_level}{2} \
{true}{false}}
message = This message contains a MIME error
($mime_anomaly_text)
log_message = DENY: MIME Error ($mime_anomaly_text)
deny
condition = ${if >{$mime_part_count}{1024}{yes}{no}}
message = MIME error: Too many parts (max 1024)
log_message = DENY: MIME Error (Too many MIME parts:
$mime_part_count)
deny
regex = ^.{8000}
message = MIME error: Line length in message or single header
exceeds 8000.
log_message = DENY: MIME Error (Maximum line length exceeded)
deny
condition = ${if eq
{$mime_content_type}{message/partial}{yes}{no}}
message = MIME error: MIME type message/partial not allowed here
log_message = DENY: MIME Error (MIME type message/partial found)
deny
condition = ${if >{${strlen:$mime_filename}}{255}{yes}{no}}
message = MIME error: Proposed filename exceeds 255 characters
log_message = DENY: MIME Error (Proposed filename too long)
deny
condition = ${if >{${strlen:$mime_boundary}}{1024}{yes}{no}}
message = MIME error: MIME boundary length exceed 1024
characters
log_message = DENY: MIME Error (Boundary length too long)
deny
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.bat|\.btm|\.cmd|\.com|\.cpl|\.dll|\.exe|\.lnk|\.msi|\.pif|\.prf|\.reg|
\.scr|\.vbs|\.url)$\N} \
{1}{0}}
message = Blacklisted file extension detected in
"$mime_filename". If you legitimately need to send these files please zip
them first.
log_message = DENY: Blacklisted extension ("$mime_filename")
accept
acl_check_data:
deny message = maximum allowed line length is 998 octets,
\
got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}}
deny !verify = header_syntax
message = header syntax
log_message = header syntax ($acl_verify_message)
warn dmarc_status = accept : none : off
!authenticated = *
log_message = DMARC DEBUG: $dmarc_status for
$dmarc_used_domain
add_header = :at_start:${authresults
{$primary_hostname}}
warn dmarc_status = !accept
!authenticated = *
log_message = DMARC DEBUG: $dmarc_status for
$dmarc_used_domain
add_header = :at_start:${authresults
{$primary_hostname}}
warn dmarc_status = quarantine
!authenticated = *
log_message = DMARC DEBUG: $dmarc_status for
$dmarc_used_domain
add_header = :at_start:${authresults
{$primary_hostname}}
set acl_m_quarantine = 1
deny dmarc_status = reject
!authenticated = *
!hosts = +relay_from_hosts
message = Message from $dmarc_used_domain failed
sender's DMARC policy, REJECT
warn set acl_m0 = clamd:/var/run/clamav/clamd.sock
malware = *
message = This message contains a VIRUS
($malware_name) from $sender_address to $recipients (ClamAV)
log_message = warned about VIRUS ($malware_name) from
$sender_address to $recipients (ClamAV)
remove_header = Subject
add_header = Subject: ***VIRUS***$rh_subject:
set acl_m0 = clamd:/var/run/clamav/clamd.sock
condition = ${if <
{$message_size}{VIRUS_FILESIZE_LIMIT}}
warn message = X-Spam-Score: $spam_score\n\
X-Spam-Score-Int: $spam_score_int\n\
X-Spam-Bar: $spam_bar\n\
X-Spam-Report: $spam_report
log_message = spam scanned: $spam_score (Spamassassin)
!authenticated = *
condition = ${if <
{$message_size}{SPAM_FILESIZE_LIMIT}}
spam = spamd:true
warn add_header = X-Exim-Version: $version_number (build at
$compile_date)\n\
X-Date: $tod_log\n\
X-Connected-IP:
$sender_host_address:$sender_host_port
warn add_header = X-Message-Linecount: $message_linecount\n\
X-Body-Linecount: $body_linecount\n\
X-Message-Size: $message_size\n\
X-Body-Size: $message_body_size\n\
X-Received-Count: $received_count\n\
X-Recipient-Count: $recipients_count\n\
X-Local-Recipient-Count: $rcpt_count\n\
X-Local-Recipient-Defer-Count:
$rcpt_defer_count\n\
X-Local-Recipient-Fail-Count:
$rcpt_fail_count
accept logwrite = Header Message-ID: $h_message-id:
logwrite = Header From: $rh_from:
logwrite = Header Subject: $rh_subject:
logwrite = Header To: $h_to:
begin routers
fwd_to_pxm:
driver = manualroute
domains = +fwd_to_pxm_domains
transport = remote_smtp
route_list = * smtp.xxxxxxx.com
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
dnssec_request_domains = *
no_more
mysql_all_domain_alias:
driver = redirect
domains = +local_domains
local_parts = alle
data = ${lookup mysql{ \
SELECT CONCAT(`username`,'@',`domain`) AS `sendto` \
FROM `users` \
WHERE `domain` = '${quote_mysql:$domain}' \
AND `SMTP_allowed` = 'YES' \
}}
condition = ${if or {{\
def:authenticated_id\
}{\
eq {$sender_host_address}{127.0.0.1}\
}}\
}
file_transport = address_file
pipe_transport = address_pipe
mysql_alias:
driver = redirect
domains = +local_domains
file_transport = address_file
pipe_transport = address_pipe
data = ${if or {{\
def:authenticated_id\
}{\
eq {$sender_host_address}{127.0.0.1}\
}}{\
${lookup mysql{ \
SELECT `sendto` \
FROM `alias` \
WHERE ( `username` =
'${quote_mysql:$local_part}' \
AND (`domain` =
'${quote_mysql:$domain}' OR `domain` = '') )}}\
} {\
${lookup mysql{ \
SELECT `sendto` \
FROM `alias` \
WHERE ( ( `username` =
'${quote_mysql:$local_part}' AND (`domain` = '${quote_mysql:$domain}' OR
`domain` = '') ) \
AND internal='NO' )}}\
}}
local_part_suffix = +*
local_part_suffix_optional
srs = forward
srs_dbinsert = ${lookup mysql{INSERT INTO `SRS` (`Key`, `Address`, `Time`)
VALUES ('${srs_db_key}', '${srs_db_address}', NOW())}}
headers_add = "X-SRS: Sender address rewritten from <$sender_address> by
$primary_hostname."
debug_print = "R: srs_forward for $local_part@$domain"
mysql_user_condition:
driver = accept
domains = +local_domains
caseful_local_part = true
condition = ${if and {{\
eq {${lookup mysql{ \
SELECT
CONCAT(`username`,'@',`domain`) AS `email` \
FROM `users` \
WHERE `username` =
'${quote_mysql:$local_part}' \
AND `domain` =
'${quote_mysql:$domain}' \
AND `SMTP_allowed` = 'YES' \
}{true}{false}}}{true}\
}{\
or {{\
and {{\
eq
{${sg{$local_part_suffix}{^#([^#]+)#[0-9]\{8\}\$}{\$1}}}{before}\
}{\
lt
{$tod_logfile}{${sg{$local_part_suffix}{^#[^#]+#([0-9]\{8\})\$}{\$1}}}\
}\
}\
}{\
and {{\
eq
{${sg{$local_part_suffix}{^#([^#]+)#.*\$}{\$1}}}{fromdomain}\
}{\
eq
{$sender_address_domain}{${sg{$local_part_suffix}{^#[^#]+#(.*)\$}{\$1}}}\
}\
}\
}{\
and {{\
eq
{${sg{$local_part_suffix}{^#([^#]+)#.*\$}{\$1}}}{b64from}\
}{\
eq
{${str2b64:$sender_address}}{${sg{$local_part_suffix}{^#[^#]+#(.*)\$}{\$1}}}
\
}\
}\
}\
}\
}\
}\
}
local_part_suffix = #*
transport = local_mysql_delivery
mysql_user:
driver = accept
domains = +local_domains
condition = ${lookup mysql{ \
SELECT CONCAT(`username`,'@',`domain`) AS
`email` \
FROM `users` \
WHERE `username` =
'${quote_mysql:$local_part}' \
AND `domain` = '${quote_mysql:$domain}' \
AND `SMTP_allowed` = 'YES' \
}{true}{false}}
local_part_suffix = +*
local_part_suffix_optional
transport = local_mysql_delivery
no_more
mysql_catchall:
driver = redirect
domains = +local_domains
file_transport = address_file
pipe_transport = address_pipe
data = ${lookup mysql{ \
SELECT `sendto` \
FROM `catchall` \
WHERE `domain` = '${quote_mysql:$domain}' \
}}
srs = forward
srs_dbinsert = ${lookup mysql{INSERT INTO `SRS` (`Key`, `Address`, `Time`)
VALUES ('${srs_db_key}', '${srs_db_address}', NOW())}}
headers_add = "X-SRS: Sender address rewritten from <$sender_address> by
$primary_hostname."
debug_print = "R: srs_forward for $local_part@$domain"
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
user = mailnull
group = mail
file_transport = address_file
pipe_transport = address_pipe
srs = forward
srs_dbinsert = ${lookup mysql{INSERT INTO `SRS` (`Key`, `Address`, `Time`)
VALUES ('${srs_db_key}', '${srs_db_address}', NOW())}}
headers_add = "X-SRS: Sender address rewritten from <$sender_address> by
$primary_hostname."
debug_print = "R: srs_forward for $local_part@$domain"
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
condition = ${if exists{$home/.forward} {yes} {no}}
srs = forward
srs_dbinsert = ${lookup mysql{INSERT INTO `SRS` (`Key`, `Address`, `Time`)
VALUES ('${srs_db_key}', '${srs_db_address}', NOW())}}
headers_add = "X-SRS: Sender address rewritten from <$sender_address> by
$primary_hostname."
debug_print = "R: srs_forward for $local_part@$domain"
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
srs_router:
driver = redirect
srs = reverseandforward
srs_dbinsert = ${lookup mysql{INSERT INTO `SRS` (`Key`, `Address`, `Time`)
VALUES ('${srs_db_key}', '${srs_db_address}', NOW())}}
srs_dbselect = ${lookup mysql{SELECT `Address` FROM `SRS` WHERE `Key` =
'${srs_db_key}' AND `Time` > SUBDATE(NOW(), INTERVAL 1 month) LIMIT 1}}
data = ${srs_recipient}
begin transports
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
headers_remove = X-Spam-Flag : X-Spam-Score-Int : X-Spam-Score :
X-Spam-Bar : X-Spam-Report : X-Sender-Verify : X-Warning :
X-Message-Linecount : X-Body-Linecount : X-Message-Size : X-Body-Size :
X-Received-Count : X-Recipient-Count : X-Local-Recipient-Count :
X-Local-Recipient-Defer-Count : X-Local-Recipient-Fail-Count
dkim_domain =
${lookup{$sender_address_domain.private.pem}dsearch{/usr/local/etc/exim/dkim
_keys}{$sender_address_domain}{}}
dkim_private_key =
/usr/local/etc/exim/dkim_keys/${lookup{$sender_address_domain.private.pem}ds
earch{/usr/local/etc/exim/dkim_keys}}
dkim_selector = exim
dkim_canon = relaxed
dkim_strict = false
.ifdef _HAVE_DANE
dnssec_request_domains = *
hosts_try_dane = *
.endif
.ifdef _HAVE_PRDR
hosts_try_prdr = *
.endif
smarthost_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
multi_domain
.ifdef _HAVE_TLS
hosts_require_tls = *
tls_verify_hosts = *
tls_try_verify_hosts = *
tls_sni = ROUTER_SMARTHOST
.ifdef _HAVE_OPENSSL
tls_require_ciphers = HIGH:!aNULL:@STRENGTH
.endif
.ifdef _HAVE_GNUTLS
tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
.endif
.endif
.ifdef _HAVE_PRDR
hosts_try_prdr = *
.endif
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
user = $local_part
mode = 0660
no_mode_fail_narrower
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
local_mysql_delivery:
debug_print = "T: dovecot LMTP for $local_part@$domain"
driver = lmtp
socket = /var/run/dovecot/lmtp
batch_max = 200
headers_remove = Subject : X-Spam-Flag : X-Spam-Score-Int : X-Spam-Score :
X-Spam-Bar : X-Spam-Report
headers_add = "X-Spam-Threshold: ${lookup mysql{ \
SELECT spam_threshold \
FROM users \
WHERE username='${quote_mysql:$local_part}' \
AND domain='${quote_mysql:$domain}' \
AND SMTP_allowed='YES' \
}{$value}{ERROR}}\n\
X-Spam-Score: $header_X-Spam-Score:\n\
X-Spam-Score-Int: $header_X-Spam-Score-Int:\n\
X-Spam-Bar: $header_X-Spam-Bar:\n\
X-Spam-Report: $header_X-Spam-Report:\n\
X-Spam-Flag: ${if def:header_X-Spam-Score-Int:{\
${if >={$header_X-Spam-Score-Int:}\
{${lookup mysql{ \
SELECT spam_threshold*10 \
FROM users \
WHERE username='${quote_mysql:$local_part}' \
AND domain='${quote_mysql:$domain}' \
AND SMTP_allowed='YES' \
}{$value}{ERROR}}}{YES}{NO}}\
}{\
UNKNOWN\
}}\n\
Subject: ${if def:header_X-Spam-Score-Int:{\
${if >={$header_X-Spam-Score-Int:}\
{${lookup mysql{ \
SELECT spam_threshold*10 \
FROM users \
WHERE username='${quote_mysql:$local_part}' \
AND domain='${quote_mysql:$domain}' \
AND SMTP_allowed='YES' \
}{$value}{ERROR}}}{${lookup mysql{ \
SELECT spam_tag \
FROM users \
WHERE
username='${quote_mysql:$local_part}' \
AND domain='${quote_mysql:$domain}' \
AND SMTP_allowed='YES' \
}{$value}{ERROR}}$rh_subject:}{$rh_subject:}}\
}{$rh_subject:}}\n\
X-Delivered-To: $original_local_part@$original_domain
($local_part@$domain)\n\
X-Message-Age: $message_age"
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
PLAIN:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_advertise_condition = ${if def:tls_cipher}
server_condition = ${if eq {$auth3}{${lookup mysql{ SELECT
`password` FROM `users` WHERE CONCAT_WS('@', `username`, `domain`) =
'${quote_mysql:$auth2}' AND `SMTPAUTH_allowed` = 'YES'}}}{yes}{no}}
server_set_id = $auth2
server_debug_print = "Running PLAIN auth: $auth2 | $auth3"
LOGIN:
driver = plaintext
public_name = LOGIN
server_prompts = <| Username: | Password:
server_advertise_condition = ${if def:tls_cipher}
server_condition = ${if eq {$auth2}{${lookup mysql{SELECT
`password` FROM `users` WHERE CONCAT_WS('@', `username`, `domain`) =
'${quote_mysql:$auth1}' AND `SMTPAUTH_allowed` = 'YES'}}}{yes}{no}}
server_set_id = $auth1
server_debug_print = "Running LOGIN auth: $auth1 | $auth2"
CRAM:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup mysql{SELECT `password` FROM `users` WHERE
CONCAT_WS('@', `username`, `domain`) = '${quote_mysql:$auth1}' AND
`SMTPAUTH_allowed` = 'YES';}{$value}{fail}}
server_set_id = $auth1
server_debug_print = "Running CRAM-MD5 auth: $auth1"
SPA:
driver = spa
public_name = NTLM
server_password = ${lookup mysql{SELECT `password` FROM `users` WHERE
CONCAT_WS('@', `username`, `domain`) = '${quote_mysql:$auth1}' AND
`SMTPAUTH_allowed` = 'YES' AND '${quote_mysql:$auth1}' !=
'';}{$value}{fail}}
server_set_id = $auth1
server_debug_print = "Running SPA auth: $auth1"
