Exim configuration file
Walkthrough of the Exim configuration file
Below is an example of an Exim configuration file on Debian. The macros that enable SpamAssassin, ClamAV, OpenDKIM and Postgrey (the SA_SPAMD_USER, SA_SCORE_REJECT and SA_ABUSE_ADDR macros referenced further down are not shown here):
SA_ENABLE = yes
VIRUS_SCAN = yes
DKIM_ENABLE = yes
POSTGREY_SOCKET = /var/run/postgrey.sock
The acl_check_rcpt section
If ClamAV is enabled, acl_check_rcpt checks whether the recipient domain is in the ClamAV whitelist:
.ifdef VIRUS_SCAN
  warn
    set acl_m3 = no
  # a whitelisted domain must keep acl_m3 = no so that acl_check_data skips the scan;
  # the lookup therefore yields "no" on success and "yes" when the domain is absent
  warn
    condition = ${lookup{$domain}lsearch{/etc/clamav.whitelist} {no}{yes}}
    set acl_m3 = ok
.endif
Check the sender against the whitelists and blacklists:
  # accept here ends acl_check_rcpt only; acl_check_data still runs for the message body
  accept
    domains = +local_domains : +relay_to_domains
    condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
    set acl_m6 = whitelisted
    logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.

  accept
    domains = +local_domains : +relay_to_domains
    hosts = net-lsearch;/etc/exim4/whitelist
    set acl_m6 = whitelisted
    logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.

  deny
    condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
    set acl_m6 = blacklisted
    logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.

  deny
    hosts = net-lsearch;/etc/exim4/blacklist
    set acl_m6 = blacklisted
    logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
Check the sender with greylisting:
.ifdef POSTGREY_SOCKET
  defer
    log_message = greylisted host $sender_host_address
    # policy request in the Postfix policy-delegation format that postgrey speaks
    set acl_m0 = request=smtpd_access_policy\n\
                 protocol_state=RCPT\n\
                 protocol_name=${uc:$received_protocol}\n\
                 helo_name=$sender_helo_name\n\
                 client_address=$sender_host_address\n\
                 client_name=$sender_host_name\n\
                 sender=$sender_address\n\
                 recipient=$local_part@$domain\n\
                 instance=$sender_host_address/$sender_address/$local_part@$domain\n\
                 \n
    # 5 s timeout; if the socket cannot be read, the fail string "action=DUNNO" is used, so greylisting fails open
    set acl_m0 = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
    # the SMTP response text is the reply with its first word (the action) removed
    message = ${sg{$acl_m0}{^\\w+\\s*}{}}
    # defer only when the action starts with DEFER (e.g. DEFER_IF_PERMIT)
    condition = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
.endif
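The exchange behind the greylisting statement, as an added example that is not part of the page and not Postgrey's own code: it rebuilds the policy request exactly as the first `set acl_m0` does, sends it to a toy policy daemon over a socket pair (standing in for POSTGREY_SOCKET), and applies the same three steps to the reply (strip `action=`, drop the action word for the SMTP message, defer only on a DEFER prefix). ToyGreylist, SAMPLE_ENV and the function names are assumptions made for the example; the daemon logic is a simplification, not Postgrey's.

```python
import re
import socket
import threading

# Key order copied from the ACL's first `set acl_m0` line.
REQUEST_KEYS = ("request", "protocol_state", "protocol_name", "helo_name",
                "client_address", "client_name", "sender", "recipient", "instance")

# Constructed connection variables, as the ACL sees them at RCPT time.
SAMPLE_ENV = {"received_protocol": "esmtp", "sender_helo_name": "mx.sender.example",
              "sender_host_address": "198.51.100.7", "sender_host_name": "mx.sender.example",
              "sender_address": "alice@sender.example", "local_part": "bob", "domain": "example.com"}


def build_policy_request(env):
    """Same key=value lines as the ACL, each ending in \\n, plus a blank line."""
    recipient = env["local_part"] + "@" + env["domain"]
    fields = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
              "protocol_name": env["received_protocol"].upper(),  # ${uc:$received_protocol}
              "helo_name": env["sender_helo_name"], "client_address": env["sender_host_address"],
              "client_name": env["sender_host_name"], "sender": env["sender_address"],
              "recipient": recipient,
              "instance": "/".join((env["sender_host_address"], env["sender_address"], recipient))}
    return "".join("%s=%s\n" % (k, fields[k]) for k in REQUEST_KEYS) + "\n"


def parse_policy_request(text):
    """Daemon side: key=value lines up to the empty terminator line."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


class ToyGreylist:
    """Stand-in for the daemon (an assumption, not Postgrey's logic): a
    (client, sender, recipient) triplet is deferred the first time it is
    seen and passed afterwards."""
    def __init__(self):
        self.seen = set()

    def decide(self, attrs):
        triplet = (attrs["client_address"], attrs["sender"], attrs["recipient"])
        if triplet in self.seen:
            return "action=DUNNO\n\n"
        self.seen.add(triplet)
        return "action=DEFER_IF_PERMIT Greylisted, try again later\n\n"


def handle_response(raw):
    """The ACL's handling of the reply, returning (defer, smtp_message):
    ${sg{reply}{action=}{}} strips the prefix; message = ${sg{$acl_m0}{^\\w+\\s*}{}}
    drops the action word; the condition compares ${uc:${substr{0}{5}{$acl_m0}}}
    with DEFER, which also matches DEFER_IF_PERMIT. Whitespace is trimmed here."""
    acl_m0 = raw.replace("action=", "").strip()
    return acl_m0[:5].upper() == "DEFER", re.sub(r"^\w+\s*", "", acl_m0)


def read_to_eof(sock):
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def query_policy(daemon, env, timeout=5.0):
    """${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}} over a socket
    pair: write the request, shut the write side, read to EOF. Any socket error
    yields the fail string "action=DUNNO", i.e. greylisting fails open."""
    exim_side, daemon_side = socket.socketpair()

    def serve():
        with daemon_side:  # the toy daemon reads to EOF; postgrey stops at the blank line
            request = read_to_eof(daemon_side).decode()
            if request:
                daemon_side.sendall(daemon.decide(parse_policy_request(request)).encode())

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with exim_side:
            exim_side.settimeout(timeout)
            exim_side.sendall(build_policy_request(env).encode())
            exim_side.shutdown(socket.SHUT_WR)
            reply = read_to_eof(exim_side).decode()
    except OSError:
        reply = "action=DUNNO"
    worker.join()
    return handle_response(reply)


if __name__ == "__main__":
    daemon = ToyGreylist()
    print(query_policy(daemon, SAMPLE_ENV))  # first attempt is deferred
    print(query_policy(daemon, SAMPLE_ENV))  # the retry passes
```

The fail-open branch is the part worth noticing operationally: when postgrey is down or the socket permissions are wrong, every RCPT is answered DUNNO and mail flows unchecked, with nothing in the log except the absence of "greylisted" lines. On the real host, `exim -bh 198.51.100.7` runs a simulated SMTP session through these ACLs so the result of the readsocket call can be watched without sending mail.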
The acl_check_data section
Under high server load, accept the message without any checks:
  # $load_average is the load average multiplied by 1000, so 3000 means LA > 3
  accept
    condition = ${if >{$load_average}{3000} {yes}{no}}
    logwrite = Accept message without spamd and antivirus check because LA > 3.
If the message is larger than 1 KB and smaller than 2 MB, scan it with ClamAV; acl_m3 contains "no" if the domain is in the ClamAV whitelist:
.ifdef VIRUS_SCAN
  accept
    condition = ${if or {\
                  {<{$message_body_size}{1K}} \
                  {>{$message_body_size}{2M}} \
                } {yes}{no}}
    logwrite = Accept message without antivirus check because body size $message_body_size not critical

  warn
    condition = ${if eq{$acl_m3}{ok} {yes}{no}}
    add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{/var/run/clamav/clamd.ctl}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n

  # conditions are evaluated in order, so the acl_m3 check comes first: a whitelisted
  # domain is then not scanned at all instead of being scanned and the verdict discarded
  deny
    condition = ${if eq{$acl_m3}{ok}{yes}{no}}
    message = This message contains virus ($malware_name)
    hosts = *
    # demime is an old exiscan condition; current Exim releases no longer have it
    demime = *
    malware = *
    log_message = Rejected: this message contains virus ($malware_name)
.endif
SpamAssassin check:
.ifdef SA_ENABLE
  warn
    !authenticated = *
    hosts = !127.0.0.1/24
    condition = ${if < {$message_size}{1K}}
    # ":true" makes the spam condition succeed whatever the score, so the headers are always added
    spam = SA_SPAMD_USER:true
    add_header = X-Spam_score: $spam_score\n\
                 X-Spam_score_int: $spam_score_int\n\
                 X-Spam_bar: $spam_bar\n\
                 X-Spam_report: $spam_report

  warn
    !authenticated = *
    hosts = !+relay_from_hosts
    # /defer_ok: if spamd is unreachable the message is passed on unscored
    spam = SA_SPAMD_USER:true/defer_ok
    add_header = X-Spam_score: $spam_score\n\
                 X-Spam_score_int: $spam_score_int\n\
                 X-Spam_bar: $spam_bar\n\
                 X-Spam_report: $spam_report
    set acl_m4 = $spam_score_int
    condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
    logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.

  # acl_m4 is empty when no scan happened, hence the !eq guard before the numeric compare
  deny
    condition = ${if and{{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
    message = Content analysis tool detected spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
.endif
The acl_check_dkim section
If DKIM is enabled, verify the DKIM signatures:
.ifdef DKIM_ENABLE
acl_check_dkim:
  # this ACL only annotates: a failing or invalid signature is logged and tagged, never rejected
  warn
    dkim_status = fail
    logwrite = DKIM test failed: $dkim_verify_reason
    add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.

  warn
    dkim_status = invalid
    add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
    logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.

  accept
    dkim_status = pass
    add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
    logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.

  accept
.endif
Router section
Check that the domain is not disabled:
disabled_domains:
  driver = redirect
  # field 3 of the domain's line in /etc/exim4/domains is the "disabled" flag;
  # an empty result (domain not in the file) or "no"/"0"/"false" skips the router
  condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  allow_fail = yes
  data = :fail: Domain disabled
  no_more
Check that the user who owns the domain is not disabled:
disabled_users:
  driver = redirect
  # field 5 of the mailbox's line in /etc/exim4/passwd is the "disabled" flag
  condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  allow_fail = yes
  data = :fail: User disabled
  no_more
Check whether the domain is present on the server:
local_domains:
  driver = redirect
  # field 1 of /etc/exim4/domains is the domain the address is redirected to
  data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  cannot_route_message = Unknown user
  redirect_router = dnslookup
  no_more
Check whether the mailbox is an alias:
aliases:
  driver = redirect
  data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
  condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
  redirect_router = dnslookup
  # pipe_transport lets an alias entry of the form "|command" run a program,
  # so write access to /etc/exim4/aliases must be restricted accordingly
  pipe_transport = address_pipe
Deliver mail to the mailbox if it exists in exim-passwd:
procmail:
  driver = accept
  no_verify
  # condition added: an accept router with no condition takes every address, so the catch-all
  # and unknown-user routers below would never run; the lookup mirrors the check described above
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}{yes}{no}}
  transport = dovecot_deliver_pipe
  # field 4 of /etc/exim4/passwd is the mailbox home directory, passed to the transport as $home
  transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
Perform the domain's default action if there is no such mailbox:
catchall_for_domains:
  driver = redirect
  headers_add = X-redirected: yes
  # field 2 of /etc/exim4/domains is the catch-all target; an empty field makes the router decline
  data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  file_transport = local_delivery
  redirect_router = dnslookup
Or report that there is no such mailbox on the server:
unknown_users:
  driver = redirect
  allow_fail = yes
  data = :fail: Unknown user
  no_more
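The routers above decide everything from two colon-separated lsearch files. The following model, an added example rather than the page's own code, reads constructed versions of /etc/exim4/domains, /etc/exim4/passwd and /etc/exim4/aliases with the same `${lookup{key}lsearch{file}}` and `${extract{N}{:}{...}}` semantics and walks the router chain in the page's order. The field positions are the ones the routers use; the file contents, the meaning of the passwd fields not read by any router, and the `route()`/`lsearch()`/`extract()` names are assumptions. The local_domains router (domain aliasing, which restarts routing at dnslookup) is left out of the model.

```python
import re
from typing import Optional

# Constructed lookup files. lsearch lines are "key: value"; the value is itself
# colon-separated so the routers can pick fields with ${extract{N}{:}{...}}.
#   domains: 1 target domain, 2 catch-all target (empty = none), 3 disabled flag
DOMAINS_FILE = """\
# domain: target:catchall:disabled
example.com: example.com::no
old.example.com: example.com:postmaster@example.com:no
parked.example.com: parked.example.com::yes
"""
#   passwd: 1 uid, 2 gid, 3 not read by the routers shown, 4 home directory, 5 disabled flag
PASSWD_FILE = """\
bob@example.com: 1001:1001:x:/var/mail/example.com/bob:no
gone@example.com: 1002:1001:x:/var/mail/example.com/gone:yes
"""
#   aliases: 1 redirect target
ALIASES_FILE = """\
sales@example.com: bob@example.com
"""


def lsearch(key: str, text: str) -> Optional[str]:
    """Linear search the way Exim's lsearch does it: the key runs up to the first
    colon or white space, an optional colon plus white space follows, and the rest
    of the line is the value. Comment and blank lines are skipped (continuation
    lines and quoted keys are not modelled). None means the lookup failed."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"([^:\s]+)\s*:?\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def extract(n: int, value: str) -> str:
    """${extract{n}{:}{value}}: the 1-based field split on ':', empty if absent."""
    fields = value.split(":")
    return fields[n - 1] if 1 <= n <= len(fields) else ""


def condition_true(value: str) -> bool:
    """Router `condition`: empty, "0", "no" and "false" mean the router is skipped."""
    return value.strip().lower() not in ("", "0", "no", "false")


def route(address: str, domains=DOMAINS_FILE, passwd=PASSWD_FILE, aliases=ALIASES_FILE):
    """Walk the routers in the page's order; returns (router, action, detail)."""
    local_part, _, domain = address.partition("@")
    dom = lsearch(domain, domains) or ""   # a failed lookup expands to ""
    usr = lsearch(address, passwd) or ""

    # disabled_domains: condition = ${extract{3}{:}{...}}, data = :fail: ..., no_more
    if condition_true(extract(3, dom)):
        return ("disabled_domains", "fail", "Domain disabled")
    # disabled_users: condition = ${extract{5}{:}{...}}
    if condition_true(extract(5, usr)):
        return ("disabled_users", "fail", "User disabled")
    # aliases: data = ${extract{1}{:}{...}}; empty data makes a redirect router decline
    target = extract(1, lsearch(address, aliases) or "")
    if target:
        return ("aliases", "redirect", target)
    # procmail: accept router gated on the passwd entry, home directory from field 4
    if usr:
        return ("procmail", "deliver", extract(4, usr))
    # catchall_for_domains: data = ${extract{2}{:}{...}}
    catchall = extract(2, dom)
    if catchall:
        return ("catchall_for_domains", "redirect", catchall)
    # unknown_users: allow_fail, data = :fail: Unknown user
    return ("unknown_users", "fail", "Unknown user")
```

Two things the model makes visible: a domain missing from the domains file is not "disabled" but simply falls through to unknown_users, and whether a flag value such as "yes" or "1" disables anything depends entirely on Exim's condition rules, so the files should hold yes/no or 1/0 and nothing else. On the real host, `exim4 -bt bob@example.com` shows which router actually handles an address and is the check to run after editing these files.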
Enable mail subaddressing (only the two suffix options of the userforward router are shown):
userforward:
  local_part_suffix = +*
  local_part_suffix_optional
Subaddressing lets incoming messages be sorted into a user's folders automatically. To use it, the recipient address is written as "mailbox+folder name". For example, if the user user@example.com has a folder "bill" on the IMAP server, mail for user+bill@example.com will be placed into that folder automatically.
Transport section
Transport that delivers a message into a maildir via the dovecot-lda delivery agent:
dovecot_deliver_pipe:
  driver = pipe
  environment = "HOME=$home"
  command = "/usr/lib/dovecot/dovecot-lda -d $local_part@$domain -f $sender_address"
  return_path_add
  delivery_date_add
  envelope_to_add
  check_string = "From "
  escape_string = ">From "
  # the LDA runs as the mailbox owner's uid and gid, fields 1 and 2 of /etc/exim4/passwd
  user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
  group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
Authentication section
If authentication via Dovecot was chosen during installation:
# PLAIN and LOGIN carry the password in clear; advertise them only on TLS sessions
# (server_advertise_condition = ${if def:tls_in_cipher})
auth_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

auth_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

auth_cram_md5:
  driver = dovecot
  public_name = CRAM-MD5
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
If authentication is via sasldb:
cram:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_set_id = $1

plain:
  driver = cyrus_sasl
  public_name = PLAIN
  server_set_id = $1

login:
  driver = cyrus_sasl
  public_name = LOGIN
  server_set_id = $1