Wiki

User Tools

Site Tools

Trace: perform_a_tcp_null_scan_to_fool_a_firewall find_and_delete_files_after_a_certain_time identifying_if_c_code_is_for_windows_or_linux
exim4:configuration_file

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
exim4:configuration_file [2016/11/02 10:14] – created peterexim4:configuration_file [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Exim4 - Configuration File ====== ====== Exim4 - Configuration File ======
 +
 +<WRAP todo>
 +http://alex.mamchenkov.net/2010/06/24/exim-dovecot-and-mysql/
 +http://t-machine.org/index.php/2014/06/27/webmail-on-your-debian-server-exim4-dovecot-roundcube/
 +http://www1.alx.pl/w/linux/exim-sql.conf
 +https://weijl.org/virtual-domains-with-exim4-dovecot-dspam-and-mysql/
 +</WRAP>
 +
 +
 +The context is a host server with a public IP (5.42.134.35, www.sharewiz.net), which is also used as local mail server:
 +
 +<file>
 +######################################################################
 +#                    MAIN CONFIGURATION SETTINGS                     #
 +######################################################################
 +
 +# If exim is used localy in batch mode (exim4 -bs) then "$host" is empty, the ": :" adds the empty string.
 +hostlist   own_hosts = 127.0.0.1 : : 192.168.0.2 : 192.168.0.3 : 5.42.134.35
 +domainlist public_domains = sharewiz.net
 +</file>
 +
 +
 +
 +
 +===== ACLs =====
  
 Here is the ACL section of my Exim configuration file Here is the ACL section of my Exim configuration file
Line 78: Line 103:
  
 # deny so-called "legal" spammers" # deny so-called "legal" spammers"
-  deny message = Email blocked by LBL - to unblock see http://www.example.com/+  deny message = Email blocked by RBL - to unblock see http://www.example.com/
        # only for domains that do want to be tested against RBLs        # only for domains that do want to be tested against RBLs
        domains = +use_rbl_domains        domains = +use_rbl_domains
Line 198: Line 223:
 </file> </file>
  
 +
 +===== Another config =====
 +
 +<file>
 +######################################################################
 +#                    MAIN CONFIGURATION SETTINGS                     #
 +######################################################################
 +
 +hostlist   own_hosts = 127.0.0.1 : 192.168.1.2 : 192.168.1.3 : 5.42.134.35
 +domainlist public_domains = sharewiz.net
 + . . . 
 +# Mandatory to use  "verify = helo"
 +helo_try_verify_hosts = !+own_hosts
 +
 +av_scanner = clamd:/var/run/clamd.ctl
 +spamd_address = 127.0.0.1 783
 +
 +acl_smtp_rcpt = acl_check_rcpt
 +acl_smtp_mail = acl_check_sender
 +acl_smtp_connect = acl_check_host
 +acl_smtp_data = acl_check_data
 +acl_smtp_helo = acl_check_helo
 +
 +
 + . . . 
 +######################################################################
 +#                          ACL CONFIGURATION                         #
 +######################################################################
 +acl_check_host:
 +        accept
 +                hosts = +own_hosts : /etc/exim4/filters/host_white.list
 +
 +        deny    
 +                log_message = match host_reject.list
 +                hosts = /etc/exim4/filters/host_reject.list
 +
 +        accept
 +
 +acl_check_helo:
 +        accept  hosts = +own_hosts
 +
 + # If the HELO pretend to be this host
 + deny condition = ${if or { \
 + {eq {${lc:$sender_helo_name}}{sharewiz.net}} \
 + {eq {${lc:$sender_helo_name}}{5.42.134.35}} \
 +     } {true}{false} }
 +
 +        # by default we accept
 +        accept
 +
 +acl_check_sender:
 +        deny    senders = /etc/exim4/filters/sender_reject.list
 +        accept
 +
 +# ACL "subroutine" used by acl_check_rcpt below.
 +# Return ok if the HELO argument correspond to the connected HOST and 
 +# if the HELO argument does not contain an IP in decimal or hexa.
 +# I have created this ACL subroutine because we can't do a list of "or" 
 +# in ACL (it's a list of "and"), so I use a negation of "and": 
 +# no (no A and no B) = A or B.
 +acl_clean_helo:
 +        accept
 +                verify     = helo
 +                condition  = ${if match{$sender_helo_name}{\N(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8})\N}{false}{true}}
 +
 +
 +acl_check_rcpt:
 +        # refuse if the recipient string is a hack, 
 +        # see exim file example C043.txt.gz
 +        deny    
 +                local_parts = ^.*[@%!/|] : ^\\.
 +
 +        # Relaying with no more check for my own hosts.
 +        accept  
 +                hosts = +own_hosts
 +
 +        # For the rest, the domain of the recipient address
 +        # must be my public domain. (no relay) 
 +        require
 +                log_message = no relay.
 +                domains     = +public_domains
 +
 +        # Reffuse all the message if the recipient is only used by spammers.
 +        drop
 +                log_message   = match recipients_drop.list.
 +                recipients = /etc/exim4/filters/recipients_drop.list
 +
 +        drop
 +                log_message = match sbl-xbl.spamhaus.org
 +                dnslists = sbl-xbl.spamhaus.org
 +
 +        # Greylisting, if the HELO argument seems bad or 
 +        # a dialin name (with IP included in the name). Some hosts from big
 +        # providers are in a white list to avoid testing. When there is no
 +        # sender then it is a bounce message, so no greylist.
 +        defer
 +                message = Please try later.
 +                !hosts      = /etc/exim4/filters/host_white.list
 +                !senders    = :
 +                !acl        = acl_clean_helo
 +                log_message = greylisted.
 +                set acl_m9  = ${mask:$sender_host_address/24} $sender_address $local_part@$domain
 +                set acl_m9  = ${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
 +                condition   = ${if eq {$acl_m9}{grey}{true}{false}}
 +
 +        # Default rule: accept except if recipient address is unrouteable.
 +        accept  
 +                message = unrouteable address
 +                verify = recipient
 +
 +
 +acl_check_data:
 +
 +        accept  hosts = +own_hosts
 +
 +        # if there is a windows executable as attachment then we reject
 +        deny    message = This message contains an attachment of a type which we do not accept (.$found_extension) 
 +                demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
 +
 +        # clamav
 +        deny    message = This message contains a virus or other harmful content ($malware_name)
 +                demime = * 
 +                malware = *
 +        
 +        ## spamassassin, spams are never big and spamassassin can die on big emails, so we
 +        ## limit its use under 500k.
 +        accept  condition = ${if >={$message_size}{500k}{yes}{no}}
 +        warn    message = X-SA-Score: $spam_score 
 +                spam = nobody:true 
 +        warn    message = X-SA-Report: $spam_report 
 +                spam = nobody:true
 +                condition = ${if >{$spam_score_int}{0}{true}{false}}
 +        warn    message = X-SA-Status: Yes 
 +                spam = nobody:true
 +                condition = ${if >{$spam_score_int}{50}{true}{false}}
 +        deny    message = This message scored $spam_score spam points. 
 +                spam = nobody:true 
 +                condition = ${if >{$spam_score_int}{70}{true}{false}}
 +
 +        # accept by default
 +        accept
 +</file>
 +
 +
 +===== A Basic config =====
 +
 +<file bash /etc/exim4/exim4.conf>
 +local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
 +
 +hide pgsql_servers = localhost::5433/authdb/poczta/poczta1
 +
 +primary_hostname = czarny06.aklin
 +
 +domainlist local_domains = @ : czarny06.aklin : poczta.czarny06.aklin
 +domainlist relay_to_domains = czarny02.aklin : czarny04.aklin
 +hostlist   relay_from_hosts = 127.0.0.1 : 10.0.3.67
 +domainlist exdomains = fiw.local 
 +
 +acl_smtp_rcpt = acl_check_rcpt
 +acl_smtp_data = acl_check_data
 +acl_not_smtp  = wiadomosci_z_sendmaila
 +
 +av_scanner = clamd:/var/run/clamav/clamd.ctl
 +
 +tls_advertise_hosts = *
 +
 +tls_certificate = /etc/exim4/mail.crt
 +tls_privatekey = /etc/exim4/mail.key
 +
 +daemon_smtp_ports = 25 : 465 : 587
 +tls_on_connect_ports = 465
 +
 +never_users = root
 +
 +host_lookup = *
 +
 +rfc1413_hosts = !10.0.2.0/24
 +rfc1413_query_timeout = 5s
 +
 +ignore_bounce_errors_after = 2d
 +
 +timeout_frozen_after = 7d
 +
 +begin acl
 +
 +wiadomosci_z_sendmaila:
 +
 +  accept  add_header    = X-SA-Nie-Uruchamiaj-Mnie: 9787be32e0cb6ae2b4e06f57c6461893
 +
 +acl_check_rcpt:
 +
 +
 +  warn local_parts = pracownicy
 +  domains = +local_domains
 +  add_header = Reply-To: pracownicy@czarny06.aklin
 +
 +  warn  hosts = czarny02.aklin : czarny04.aklin
 +  add_header    = X-SA-Nie-Uruchamiaj-Mnie: 9787be32e0cb6ae2b4e06f57c6461893
 +
 +  accept  hosts = :
 +    add_header    = X-SA-Nie-Uruchamiaj-Mnie: 9787be32e0cb6ae2b4e06f57c6461893
 +
 +  deny    message       = Restricted characters in address
 +          domains       = +local_domains
 +          local_parts   = ^[.] : ^.*[@%!/|]
 +
 +  deny    message       = Restricted characters in address
 +          domains       = !+local_domains
 +          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
 +
 +  accept  local_parts   = postmaster
 +          domains       = +local_domains
 +
 +  require verify        = sender
 +
 +  accept  hosts         = +relay_from_hosts
 +    add_header    = X-SA-Nie-Uruchamiaj-Mnie: 9787be32e0cb6ae2b4e06f57c6461893
 +          control       = submission
 +
 +  accept  authenticated = *
 +   add_header = X-SA-Nie-Uruchamiaj-Mnie: 9787be32e0cb6ae2b4e06f57c6461893
 +          control       = submission
 +
 +  require message = relay not permitted
 +          domains = +local_domains : +relay_to_domains : +exdomains
 +
 +  require verify = recipient
 +
 +  accept
 +
 +acl_check_data:
 +
 +  deny    malware    = *
 +          message    = This message contains a virus ($malware_name).
 +
 +  accept
 +
 +begin routers
 +
 +dnslookup:
 +  driver = dnslookup
 +  domains = ! +local_domains : ! +exdomains
 +  transport = remote_smtp
 +  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 +  no_more
 +
 +aliases_poczta_czarny_06_aklin:
 +  driver = redirect
 +  allow_fail
 +  allow_defer
 +  domains = poczta.czarny06.aklin
 +  data = ${lookup{$local_part}lsearch{/etc/aliases-poczta}}
 +  file_transport = address_file
 +  pipe_transport = address_pipe
 +
 +system_aliases:
 +  driver = redirect
 +  allow_fail
 +  allow_defer
 +  data = ${lookup pgsql{select goto from alias where address = '${local_part}'}{$value}}
 +  file_transport = address_file
 +  pipe_transport = address_pipe
 +
 +userforward:
 +  driver = redirect
 +  check_local_user
 +  file = $home/.forward
 +  no_verify
 +  no_expn
 +  check_ancestor
 +  file_transport = address_file
 +  pipe_transport = address_pipe
 +  reply_transport = address_reply
 +
 +localuser_spam_flag:
 +  driver = accept
 +  condition = ${lookup pgsql{select count(account_id) from account where username = '${local_part}'}{$value}}
 +  condition = ${if eq {$h_X-Spam-Flag}{YES} {1}{0}}
 +  transport = local_delivery_spam
 +
 +localuser:
 +  driver = accept
 +  condition = ${lookup pgsql{select count(account_id) from account where username = '${local_part}'}{$value}}
 +  transport = local_delivery
 +  cannot_route_message = Unknown user
 +
 +begin transports
 +
 +remote_smtp:
 +  driver = smtp
 +  headers_remove = X-SA-Nie-Uruchamiaj-Mnie : X-SA-Exim-Connect-IP : X-SA-Exim-Rcpt-To : X-SA-Exim-Mail-From
 +
 +remote_smtp_ex:
 +  driver = smtp
 +  headers_remove = X-SA-Nie-Uruchamiaj-Mnie : X-SA-Exim-Connect-IP : X-SA-Exim-Rcpt-To : X-SA-Exim-Mail-From
 +  hosts_avoid_tls = *
 +
 +local_delivery:
 +  driver = appendfile
 +  maildir_format
 +  directory = ${lookup pgsql{SELECT maildir FROM account WHERE username = '$local_part'}{$value}}
 + # file = /var/mail/$local_part
 +  delivery_date_add
 +  envelope_to_add
 +  return_path_add
 +  group = mail
 +  mode = 0660
 +  headers_remove = X-SA-Nie-Uruchamiaj-Mnie : X-SA-Exim-Connect-IP : X-SA-Exim-Rcpt-To : X-SA-Exim-Mail-From
 +  user = dovecot
 +
 +local_delivery_spam:
 +  driver = appendfile
 +  maildir_format
 +  directory = ${lookup pgsql{SELECT maildir FROM account WHERE username = '$local_part'}{$value}}/.spam
 + # file = /var/mail/$local_part
 +  delivery_date_add
 +  envelope_to_add
 +  return_path_add
 +  group = mail
 +  mode = 0660
 +  headers_remove = X-SA-Nie-Uruchamiaj-Mnie : X-SA-Exim-Connect-IP : X-SA-Exim-Rcpt-To : X-SA-Exim-Mail-From
 +  user = dovecot
 +
 +address_pipe:
 +  driver = pipe
 +  return_output
 +
 +address_file:
 +  driver = appendfile
 +  delivery_date_add
 +  envelope_to_add
 +  return_path_add
 +
 +address_reply:
 +  driver = autoreply
 +
 +begin retry
 +
 +*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
 +
 +begin rewrite
 +
 +begin authenticators
 +
 +PLAIN:
 +  driver                     = plaintext
 +  server_set_id              = $auth2
 +  server_prompts             = :
 +  server_condition           = ${lookup pgsql{select count(account_id) from account where username = '$2' and password = '$3'}{$value}}
 +  server_advertise_condition = ${if def:tls_cipher }
 +
 +LOGIN:
 +  driver                     = plaintext
 +  server_set_id              = $auth1
 +  server_prompts             = <| Username: | Password:
 +  server_condition           = ${lookup pgsql{select count(account_id) from account where username = '$1' and password = '$2'}{$value}}
 +  server_advertise_condition = ${if def:tls_cipher }
 +</file>
exim4/configuration_file.1478081687.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki