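config mail:
===> apt-get install exim4-daemon-heavy libmail-spf-query-perl greylistd python-dns ldap-utils
1. Добавить clamav в группу Debian-exim
2. aliases: root->root@prodo.ru
3. Обслуживаемые MS Exchange домены не надо добавлять в relay_domains

=== domainquery.py ===
"""Check whether an IP address is a plausible sending host for a mail domain.

Called from the Exim RCPT ACL as
    domainquery.py SENDER_IP DOMAIN
and answers through the exit status only (nothing is printed):
    0  DOMAIN is the address literal [SENDER_IP], or SENDER_IP is an A record
       of DOMAIN or of one of DOMAIN's MX hosts
    1  otherwise (an empty DOMAIN, a missing argument, or a DNS failure)

Uses pydns (Debian package python-dns, the ``DNS`` module).
NOTE(review): on Python 3 the py3dns package ships the same ``DNS`` API --
not verified here, confirm on the host that runs Exim.
"""
import sys

import DNS


def a_records(name):
    """Return the address string of every answer to an A query for *name*."""
    reply = DNS.Request(name=name, qtype="A").req()
    return [answer["data"] for answer in reply.answers]


def mx_hosts(name):
    """Return the exchange host of every MX answer for *name*.

    pydns returns an MX record's data as a ``(preference, host)`` pair; only
    the host part is needed for the follow-up A lookup.
    """
    reply = DNS.Request(name=name, qtype="MX").req()
    return [answer["data"][1] for answer in reply.answers]


def ip_belongs_to_domain(ip, domain):
    """Return True when *ip* may legitimately send mail for *domain*.

    An address literal (``[1.2.3.4]``) has to equal *ip* exactly. Any other
    name passes when *ip* is one of its A records, or one of the A records
    of one of its MX hosts. Lookups stop at the first match.
    """
    if not domain:
        # Empty HELO name / sender domain: nothing to look up, not verified.
        return False
    if domain.startswith("[") and domain.endswith("]"):
        return ip == domain[1:-1]
    if ip in a_records(domain):
        return True
    return any(ip in a_records(host) for host in mx_hosts(domain))


def main(argv):
    """Entry point; returns the exit status (0 = verified, 1 = not verified)."""
    if len(argv) != 3:
        sys.stderr.write("usage: domainquery.py SENDER_IP DOMAIN\n")
        return 1
    DNS.DiscoverNameServers()
    # A DNS error propagates as an uncaught exception, which also exits with
    # status 1, so Exim's $runrc reads "not verified" exactly as before.
    return 0 if ip_belongs_to_domain(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))

=== ad_check.py ===
#!/usr/bin/python
"""Ask an Active Directory Global Catalog whether an e-mail address is served.

Called from the Exim RCPT ACL as
    ad_check.py GC_HOST EMAIL
and answers through the exit status only:
    0  EMAIL is a proxyAddresses entry of an enabled account, of a group or
       of a public folder (recipient found)
    1  no such object (recipient not found)
    2  ldapsearch could not be started or wrote to stderr (LDAP error; the
       ACL then tries the next GC and finally defers)

EMAIL is supplied by the remote SMTP client. ldapsearch is therefore run as
an argument list rather than through a shell command string, so shell
metacharacters in the address cannot alter the command, and the address is
escaped for the LDAP filter so it cannot widen or break the query.
"""
import subprocess
import sys

GC_PORT = "3268"  # Global Catalog LDAP port
BIND_DN = "cn=linux,cn=users,dc=planeta-m,dc=ru"
# NOTE(review): plaintext bind secret, kept so behaviour is unchanged. Passed
# with -w it also appears on the ldapsearch command line, where ps shows it
# to every local user. Move it to a 0600 file readable by the user Exim's
# ${run} executes as and pass the path with `-y FILE`; keep this script from
# being world-readable meanwhile.
BIND_PASSWORD = "Asdfghj0"
ACCOUNTDISABLE = 0x2  # userAccountControl flag bit: account is disabled
UAC_PREFIX = "userAccountControl: "
CLASS_PREFIX = "objectClass: "
DELIVERABLE_CLASSES = ("group", "publicFolder")


def escape_filter_value(value):
    """Escape *value* for use inside an LDAP search filter (RFC 4515)."""
    special = "*()\\\x00"
    return "".join(
        "\\%02x" % ord(ch) if ch in special else ch for ch in value
    )


def search_gc(host, email):
    """Run ldapsearch against the Global Catalog on *host* for *email*.

    Returns ``(stdout_lines, stderr_lines)``. A failure to start ldapsearch
    is reported as a stderr line so that the caller treats it as an LDAP
    error, as the old shell-based invocation did for a missing binary.
    """
    command = [
        "ldapsearch", "-h", host, "-p", GC_PORT, "-x",
        "-D", BIND_DN, "-w", BIND_PASSWORD, "-LLL",
        "(proxyAddresses=smtp:%s)" % escape_filter_value(email),
        "objectClass", "userAccountControl",
    ]
    try:
        proc = subprocess.Popen(
            command,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True,
        )
    except OSError as exc:
        message = "cannot run ldapsearch: %s" % exc
        sys.stderr.write(message + "\n")
        return [], [message]
    # communicate() drains both pipes together; reading stdout to the end
    # before looking at stderr can block if stderr fills its pipe first.
    out, err = proc.communicate()
    return out.splitlines(), err.splitlines()


def recipient_found(stdout_lines):
    """Return True when the LDIF output describes a deliverable recipient.

    That is an object whose userAccountControl has the ACCOUNTDISABLE bit
    clear, or whose objectClass is group or publicFolder.
    """
    for raw in stdout_lines:
        line = raw.strip()
        if line.startswith(UAC_PREFIX):
            try:
                flags = int(line[len(UAC_PREFIX):])
            except ValueError:
                continue  # malformed value: skip it rather than abort the check
            if not flags & ACCOUNTDISABLE:
                return True
        elif line.startswith(CLASS_PREFIX):
            if line[len(CLASS_PREFIX):] in DELIVERABLE_CLASSES:
                return True
    return False


def main(argv):
    """Entry point; returns the exit status described in the module docstring."""
    if len(argv) != 3:
        sys.stderr.write("usage: ad_check.py GC_HOST EMAIL\n")
        return 2
    host, email = argv[1], argv[2]
    stdout_lines, stderr_lines = search_gc(host, email)
    if recipient_found(stdout_lines):
        return 0  # recipient found
    if stderr_lines:
        return 2  # ldap error
    return 1  # recipient not found


if __name__ == "__main__":
    sys.exit(main(sys.argv))

=== data_acl ===
  deny
    message = Serious MIME defect detected ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # NOTE(review): the demime condition has been removed from newer Exim
  # releases in favour of the MIME ACL (acl_smtp_mime); confirm the
  # installed version still provides it before relying on these statements.
  deny
    message = This domain has a policy of not accepting certain types \
              of attachments in mail as they may contain a virus. \
              \
              This mail has a file with a .$found_extension attachment and \
              is not accepted. \
              \
              If you have a legitimate need to send this attachment, send it \
              in a compressed archive, and it will then be forwarded to the \
              recipient.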
demime = vbs:bat:com:exe:pif:prf:scr:cmd:js:lnk

  # Rejected at DATA time when clamd (av_scanner in the template) reports a virus.
  deny
    message = This message contains a virus ($malware_name) and has been rejected
    malware = *

=== exim4.conf.template =============
# clamd has to read Exim's spool files for malware = * to work; that is what
# note 1 at the top (clamav in group Debian-exim) is for.
av_scanner = clamd:/var/run/clamav/clamd.ctl
CHECK_DATA_LOCAL_ACL_FILE=/etc/exim4/data_acl
# Ident lookups add up to 7s latency per inbound connection from hosts that
# drop the query; 0s disables them.
rfc1413_query_timeout = 7s
MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d

---// acls //---
# acl_m0 SPF query result
# m1 domain verification result
# m2 AD check result
# m3 0 if message is from local users/network
#
# NOTE(review): the ${run} items below hand client-supplied values (sender
# address, HELO name, local part) to external programs. Older Exim expands
# the whole command string before splitting it on white space, so a value
# containing spaces can change the argument list the scripts see; confirm
# against the spec of the installed Exim version.
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept
    hosts = :
    set acl_m3 = 0
  warn
    # suppose not local source
    set acl_m3 = 1
  # Add missing Date and Message-ID header for relayed messages
  # +relay_from_hosts comes from dc_relay_nets (update.exim4.conf below):
  # every host in those networks is a trusted, unauthenticated submitter.
  warn
    hosts = +relay_from_hosts
    set acl_m3 = 0
    control = submission/sender_retain
  warn
    authenticated = *
    set acl_m3 = 0
    control = submission/sender_retain
  # Bad characters check
  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif
  # The second rule applies to all other domains, and its default is
  # considerably less strict.
  .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif
  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    !local_parts = postmaster
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                 {CONFDIR/local_sender_blacklist}\
                 {}}
  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    !local_parts = postmaster
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
               {CONFDIR/local_host_blacklist}\
               {}}
  # --- locally sourced mail
  # endpass: a local/relay-net/authenticated source whose recipient fails
  # verification is denied here instead of falling through to the checks
  # meant for external mail.
  accept
    condition = ${if ={$acl_m3}{0}}
    endpass
    verify = recipient
    #/defer_ok/callout=no_cache,65s - may cause bounces blocking in
    # crazy mailers like postfix
  # --- from here external sourced mail is treated
  # bad IP's
  drop
    dnslists = zen.spamhaus.org
    !acl = acl_whitelist_local_deny
    !local_parts = postmaster
    message = Blacklisted at spamhaus.org.
  drop
    dnslists = psbl.surriel.com
    !acl = acl_whitelist_local_deny
    !local_parts = postmaster
    message = Blacklisted at psbl.surriel.com.
  # Sender address is checked by routing only; the callout stays commented out.
  deny
    message = Sender verification failed
    !acl = acl_whitelist_local_deny
    !local_parts = postmaster
    !verify = sender
    #/callout=65s
  ### if mail to spamtrap: save IP, drop connection
  # assert SPF
  # spfquery's exit status becomes acl_m0: 0 pass, 1 fail, 2 softfail,
  # 3 neutral, 4 unknown, 5 error, 6 none (handled by the statements below).
  # It runs for every host, including EXTERNAL_RELAYS, whose result is then
  # overwritten by the next statement.
  warn
    # SPF test
    set acl_m0 = ${run{/usr/bin/spfquery -ipv4 $sender_host_address -sender $sender_address -helo $sender_helo_name}{}}$runrc
  warn
    hosts = EXTERNAL_RELAYS
    set acl_m0 = 0
  drop
    condition = ${if ={$acl_m0}{1}}
    !senders = :
    !local_parts = postmaster
    message = SPF fail
  ### save IP
  # NOTE(review): softfail is rejected outright, stricter than the usual
  # advisory treatment; keep this in mind when legitimate mail is refused.
  deny
    condition = ${if ={$acl_m0}{2}}
    !senders = :
    !local_parts = postmaster
    message = SPF softfail: please contact postmaster
  defer
    condition =${if ={$acl_m0}{4}}
    !senders = :
    !local_parts = postmaster
    message = SPF unknown, deferring
  defer
    condition =${if ={$acl_m0}{5}}
    !senders = :
    !local_parts = postmaster
    message = SPF error, deferring
  # 0 pass, 3 neutral, 6 none - continue
  # if SPF none/neutral, verify A/MX
  # domainquery.py exits 0 when $sender_host_address is an A record of the
  # domain or of one of its MX hosts; anything else, including a DNS
  # failure, exits 1, so acl_m1 = 0 means "verified".
  warn
    # MX test
    condition = ${if !={$acl_m0}{0}}
    !senders = :
    set acl_m1 = ${run{/usr/bin/python /etc/exim4/domainquery.py $sender_host_address $sender_address_domain}{}}$runrc
  # For bounces (empty sender) the HELO name stands in for the domain.
  # NOTE(review): the HELO name is chosen by the client, so a bounce passes
  # this test whenever the client announces a name that resolves to its own
  # address; treat acl_m1 = 0 from this statement as weak evidence.
  warn
    # MX test
    condition = ${if !={$acl_m0}{0}}
    senders = :
    set acl_m1 = ${run{/usr/bin/python /etc/exim4/domainquery.py $sender_host_address $sender_helo_name}{}}$runrc
  # if not pass nor by SPF, nor by A/MX then defer
  # greylistd decides through the socket; the trailing {false} is what the
  # condition evaluates to when the socket cannot be reached within 5s, so
  # an absent greylistd means no defer.
  defer
    message = You are nor SPF-approved sender nor A or MX of sender's domain. So I will defer you message for a while and greylist you.
    !condition = ${if ={$acl_m0}{0}}
    !condition = ${if ={$acl_m1}{0}}
    !local_parts = postmaster
    condition = ${readsocket{/var/run/greylistd/socket}\
                {--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}
  # end tests
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                    {yes}{no}}
  # warn
  #   message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  #   log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  #   dnslists = CHECK_RCPT_IP_DNSBLS
  # warn
  #   message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  #   log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  #   !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
  #                 {CONFDIR/local_domain_dnsbl_whitelist}\
  #                 {}}
  #   dnslists = CHECK_RCPT_DOMAIN_DNSBLS/$sender_address_domain
  # --- now delivering
  # local
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient
  # relayed
  # The Exchange domains are deliberately not in relay_to_domains (note 3 at
  # the top); they are handled by the AD check below instead of a callout.
  accept
    domains = +relay_to_domains
    endpass
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
    verify = recipient/callout
  # MS Exchange organisation
  # ad_check.py exit status: 0 recipient found, 1 not found, 2 LDAP error.
  # Each Global Catalog is tried in turn while the previous one returned 2.
  # NOTE(review): there is no domains = condition here, so every RCPT for a
  # domain that is neither local nor in relay_to_domains spawns python and
  # ldapsearch, up to four times; restricting these statements to the
  # Exchange domains keeps unrelated recipients from costing a process each.
  # ad_check.py holds the GC bind password, so its mode must leave it
  # readable only by the user ${run} executes as (presumably Debian-exim).
  warn
    set acl_m2 = ${run{/usr/bin/python /etc/exim4/ad_check.py 172.16.16.10 $local_part@$domain}{}}$runrc
  warn
    condition = ${if ={$acl_m2}{2}}
    set acl_m2 = ${run{/usr/bin/python /etc/exim4/ad_check.py 172.16.16.11 $local_part@$domain}{}}$runrc
  warn
    condition = ${if ={$acl_m2}{2}}
    set acl_m2 = ${run{/usr/bin/python /etc/exim4/ad_check.py 172.16.16.8 $local_part@$domain}{}}$runrc
  warn
    condition = ${if ={$acl_m2}{2}}
    set acl_m2 = ${run{/usr/bin/python /etc/exim4/ad_check.py 172.16.16.9 $local_part@$domain}{}}$runrc
  defer
    condition = ${if ={$acl_m2}{2}}
    message = AD GC unavailable, please try later
  accept
    condition = ${if ={$acl_m2}{0}}
    log_message = AD recipient
  # Final catch-all: anything not accepted above is refused, so the AD
  # lookup is the only way an unknown domain gets relayed.
  deny
    message = this e-mail address is not serviced here

---// routers //---
->dnslookup:
# NOTE(review): private (RFC 1918) ranges are not in this list, so an
# external domain whose MX resolves to an internal address is still
# delivered to; add 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16 unless a
# legitimate delivery target lives there.
! ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 169.254.0.0/16
# Redirects postmaster@ of externally sourced mail (acl_m3 != 0) to one mailbox.
post_grab:
  driver = redirect
  condition = ${if !={$acl_m3}{0}}
  local_parts = postmaster
  data = postmaster@prodo.ru
===========================
?Машрутизаторы: local_domains поместить до hubbed_hosts
=== update.exim4.conf ===
# dc_relay_domains feeds relay_to_domains (fidoman.ru and its subdomains are
# relayed onward with a recipient callout); dc_relay_nets feeds
# relay_from_hosts, i.e. every RFC 1918 network relays without
# authentication -- keep it as narrow as the real client networks.
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='fidoman.ru:*.fidoman.ru'
dc_minimaldns='false'
dc_relay_nets='10.0.0.0/8:172.16.0.0/12:192.168.0.0/16'
dc_smarthost=''
# Mode of the generated configuration file (world-readable). The only secret
# in this setup is the bind password in ad_check.py, which needs its own
# tighter mode.
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
=========================