I'm running PLD's patched Exim, which carries the SA-Exim and Exiscan-ACL patches.
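# Greylisting lookup, used from acl_check_rcpt via ${lookup mysql{GREYLIST_TEST}}.
# Keyed on (connecting IP, envelope-sender domain) rather than the classic
# (IP, sender, recipient) triplet, so one successful retry from an IP
# whitelists every local part of that sender domain from that IP.
# Result: 2 when a row exists and its blocking period has elapsed (let the
# message through), 1 when a row exists but is still inside the block
# (defer again), and no row at all when the pair has never been seen (the
# ACL substitutes 0). record_expires is NOT consulted here, so a row that is
# past its record expiry still counts as "seen".
# Both variables are wrapped in ${quote_mysql:...}, so a crafted sender
# domain cannot break out of the string literals.
# 'now() > block_expires' is the explicit form of the original
# 'now() - block_expires > 0', which relied on MySQL's implicit numeric
# conversion of DATETIME values; the ordering is the same.
GREYLIST_TEST = SELECT CASE \
WHEN now() > block_expires THEN 2 \
ELSE 1 \
END \
FROM exim_greylist \
WHERE relay_ip = '${quote_mysql:$sender_host_address}' \
AND from_domain = '${quote_mysql:$sender_address_domain}'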
# Greylisting insert, run from acl_check_rcpt the first time an
# (IP, sender domain) pair is seen. Blocks the pair for 5 minutes and keeps
# the row for 7 days; GREYLIST_TEST only looks at block_expires, so the
# 7-day record_expires is informational unless something else prunes rows.
# NOTE(review): this runs once per deferred RCPT, so a message with several
# recipients from a new pair inserts several rows; no uniqueness constraint
# is visible from here -- confirm the table has one (or dedupe in the ACL).
# Both variables are wrapped in ${quote_mysql:...} against SQL injection via
# a crafted envelope sender.
GREYLIST_ADD = INSERT INTO exim_greylist (relay_ip, from_domain, \
block_expires, record_expires, create_time) \
VALUES ( '${quote_mysql:$sender_host_address}', \
'${quote_mysql:$sender_address_domain}', \
DATE_ADD(now(), INTERVAL 5 MINUTE), \
DATE_ADD(now(), INTERVAL 7 DAY), \
now())
# MySQL connection used by the greylist lookups: host/database/user/password.
# 'hide' only stops non-admin users from seeing the value via 'exim -bP'; the
# password is still in clear text in this file, so the file's own permissions
# are what protect it.
hide mysql_servers = localhost/nbtsc/exim/password
# Listen on ports 25 and 587 on all IPv4 and IPv6 addresses, plus port 26 on
# IPv4 only (presumably an alternate submission port for clients whose ISP
# blocks 25). Note that nothing below treats port 26 differently.
local_interfaces = <; ::0.25; ::0.587; 0.0.0.0.25; 0.0.0.0.587; 0.0.0.0.26
# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
# Local domains are the file names found in /etc/mail/virtual plus the
# primary hostname ('@'). Adding a file to that directory makes a domain
# local without a restart.
domainlist local_domains = dsearch;/etc/mail/virtual:@
domainlist relay_to_domains = +local_domains
# Domains that must be routed via the smarthost instead of direct delivery
# (see the evade_* routers). Both lists are currently empty.
#domainlist blacklist_domains = yahoo.com:yahoogroups.com:groups.yahoo.com: \
# rishashay.com:fastmail.fm
domainlist blacklist_domains =
domainlist trouble_domains =
# Hosts allowed to relay without authentication. NOTE(review): the listener
# above binds IPv6 (::0) but only IPv4 loopback is trusted here; a local
# client connecting over ::1 is not treated as a relay host. Add ::1 if
# local IPv6 submission is expected.
hostlist relay_from_hosts = 127.0.0.1:206.168.119.0/25:172.16.0.0/16
# STARTTLS is offered to every client. The authenticators at the bottom of
# this file do not require it, so PLAIN/LOGIN credentials can still be sent
# in clear text unless a server_advertise_condition is added there.
tls_certificate = /var/lib/openssl/certs/mail.nbtsc.org.crt
tls_privatekey = /var/lib/openssl/private/mail.nbtsc.org.key
tls_advertise_hosts = *
# Antivirus scanning via clamd. This requires the clamav package to be
# installed and configured, and is used by the 'malware' condition in
# acl_check_data. Other antivirus engines are also supported; read
# /usr/share/doc/exim-*/exiscan-acl-spec.txt.gz for more info.
av_scanner = clamd:/var/lib/clamav/clamd.socket
# System-wide filter, run as the 'exim' user for every message.
system_filter = /etc/mail/system.filter
system_filter_user = exim
# ACLs defined after 'begin acl' below.
acl_smtp_data = acl_check_data
acl_smtp_rcpt = acl_check_rcpt
begin acl
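# This access control list is used for every message after the DATA command
# in an incoming SMTP connection. It is used mainly for malware (virus)
# scanning; 'av_scanner' and 'acl_smtp_data' in the main section enable it.
# Read /usr/share/doc/exim-*/exiscan-acl-spec.txt.gz for detailed
# instructions.
#
# SECURITY: the "checks done" header added at the end is an HMAC over
# $body_linecount keyed with the literal string 'mysecret'. That is the
# distributed default, so anyone can compute a valid X-Scan-Signature for
# their message, and the first 'accept' below will then skip the extension,
# MIME and malware checks entirely. Replace 'mysecret' (in BOTH places) with
# a long random string before relying on this ACL, and keep it identical on
# every mail server of yours that a message may revisit. By design the
# signature binds only the body line count, not the body content, so a
# re-scan is skipped whenever the body size did not change.
acl_check_data:
# Skip re-scanning when the message already carries a valid signature for
# this body size (the expansion is a single line; note the continuation).
accept condition = ${if eq {${hmac{md5}{mysecret}{$body_linecount}}}\
{$h_X-Scan-Signature:} {1}{0}}
# Reject attachments with these extensions outright. NOTE(review): 'exe' is
# not in the list; confirm that is intentional.
deny message = $found_extension files are not accepted here
demime = com:vbs:bat:pif:scr
# Tag, but do not reject, messages whose MIME structure is badly broken.
warn message = X-MIME-Warning: Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Unpack all MIME parts and hand them to the configured av_scanner.
deny message = Virus found :$malware_name
demime = *
malware = *
# Record that the checks above have been done (see the SECURITY note).
warn message = X-Scan-Signature: ${hmac{md5}{mysecret}{$body_linecount}}
# -------- SPAM ----------------
# put headers in all messages (no matter if spam or not)
#warn message = X-Spam-Score: $spam_score ($spam_bar)
# spam = nobody:true
#warn message = X-Spam-Report: $spam_report
# spam = nobody
# add second subject line with *SPAM* marker when message
# is over threshold
#warn message = X-New-Subject: *SPAM* $h_subject:
# spam = nobody
# condition = ${lookup {$local_part} \
# lsearch{/etc/mail/unfilteredusers}{false}{true}}
# reject spam at high scores (> 15)
#deny message = This message scored $spam_score spam points.
# spam = nobody:true
# condition = ${if >{$spam_score_int}{150}{1}{0}}
# -------- ACCEPT --------------
accept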
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Look up the greylist state for (sender IP, sender domain) into acl_m0:
# 2 = known and past its block, 1 = known but still blocked, 0 = never seen.
# This is a database query on every remaining RCPT, including those from
# relay hosts and authenticated clients that are accepted further down; it
# could be moved below those accepts (and below the cheap denies) to save
# the round trip.
warn
set acl_m0 = ${lookup mysql{GREYLIST_TEST}{$value}{0}}
# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.
deny local_parts = ^.*[@%!/|]
# Deny unless the sender address can be verified.
require verify = sender
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
accept hosts = +relay_from_hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
accept authenticated = *
#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. However, here are two examples of
# how you could get Exim to perform a DNS black list lookup at this point.
# The first one denies, while the second just warns.
#
# deny message = rejected because $sender_host_address is in a \
# black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
# warn message = X-Warning: $sender_host_address is in a black list \
# at $dnslist_domain
# log_message = found in $dnslist_domain
# dnslists = black.list.example
#############################################################################
# Greylisting. Only unauthenticated, non-relay clients get this far.
# First sighting: record the pair and ask the client to retry later.
# The first condition has no else branch, so it expands to an empty string
# when acl_m0 is not 0; Exim treats that as false. '{1}{0}' would be the
# explicit form. The second condition runs the INSERT as a side effect and
# is always true when the query succeeds.
defer message = Greylisted - please try again a little later.
condition = ${if eq{$acl_m0}{0}{1}}
condition = ${lookup mysql{GREYLIST_ADD}{yes}{no}}
# Known pair still inside its 5-minute block: defer again without inserting.
defer message = Greylisted - please try again shortly.
condition = ${if eq{$acl_m0}{1}{1}}
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified. (relay_to_domains is currently
# identical to local_domains, so this statement is reached only when the
# one above already denied.)
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
deny message = relay not permitted
begin routers
# Routes mail for +blacklist_domains through a fixed smarthost instead of
# direct DNS-based delivery (presumably because those domains refuse mail
# from this host). Router order matters: this runs before 'dnslookup'.
# The '*' in route_list means every matching domain goes to
# procyon.theinternetco.net, which must therefore accept relaying from us.
# +blacklist_domains is empty in the main section, so this matches nothing
# until the list is populated.
evade_blacklist:
driver = manualroute
domains = +blacklist_domains
transport = remote_smtp
route_list = * procyon.theinternetco.net
# Same as evade_blacklist but driven by +trouble_domains (also currently
# empty). The two routers differ only in the domain list; if the split is
# not needed for logging, they could be one router with
# 'domains = +blacklist_domains : +trouble_domains'.
evade_trouble:
driver = manualroute
domains = +trouble_domains
transport = remote_smtp
route_list = * procyon.theinternetco.net
# Remote delivery for every domain that is not local. The commented
# manualroute lines are a leftover smarthost configuration.
dnslookup:
#driver = manualroute
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
#route_list = * mail.ouraynet.com
# Refuse to deliver to MX/A records that point at loopback, which would
# otherwise make remote mail land back on this host.
ignore_target_hosts = 127.0.0.0/8
# A non-local domain that cannot be routed fails here instead of falling
# through to the local routers below, which therefore only ever see local
# domains.
no_more
# Virtual domain aliases: a domain matches only if a file of that name
# exists in /etc/mail/virtual (dsearch), and the local part is then looked
# up in that file. Because $domain has just been matched by dsearch, the
# lsearch path stays inside /etc/mail/virtual (the Exim spec says dsearch
# keys may not contain '/'; confirm for this version).
# Pipe deliveries generated from a virtual file run as the 'exim' user.
# SECURITY/behaviour: with 'no_more' removed, a local part that is NOT in
# the virtual file falls through to system_aliases, userforward and
# localuser. Every system account (root, exim, ...) therefore becomes
# reachable as <account>@<any virtual domain>, and misspelled addresses are
# delivered to whichever system user happens to match instead of bouncing.
# Confirm this is intended; otherwise restore 'no_more' or give each virtual
# file a ':fail:' catch-all.
virtual:
driver = redirect
domains = dsearch;/etc/mail/virtual
data = ${lookup{$local_part}lsearch{/etc/mail/virtual/$domain}}
pipe_transport = address_pipe
user = exim
# no_more # removed to fall through to system
# System-wide aliases from /etc/mail/aliases, consulted for every domain
# that reaches this point (the primary hostname, and virtual domains whose
# local part was not found above). allow_fail / allow_defer let alias
# entries use ':fail:' and ':defer:'.
# NOTE(review): no 'user' is set here (it is commented out), so the uid for
# pipe and file deliveries generated from this file must come from the
# address_pipe / address_file transports, which are not shown in this
# excerpt -- confirm they set one.
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/mail/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
# Per-user ~/.forward files for real system accounts (check_local_user).
# no_verify / no_expn skip this router during address verification and EXPN
# so user files are not read in that context; check_ancestor stops a
# .forward that points back at the same user from looping.
# allow_filter lets a .forward be an Exim filter file. None of the
# forbid_* options appear here, so user filters can pipe to commands, write
# files and autoreply through the three transports below, running as the
# user (TODO confirm that is the intended policy).
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
allow_filter
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# Vacation autoreply for users who have ~/.vacation/message; the
# '$local_part:' prefix in require_files makes the existence check run as
# that user. 'unseen' means the message continues to localuser for normal
# delivery after the reply is generated.
# The senders list avoids replying to mailing-list, owner, postmaster and
# mailer-daemon addresses. NOTE(review): the empty (bounce) sender is not
# excluded here; confirm that the vacation_reply transport sends nothing when
# $sender_address expands to empty, otherwise exclude it explicitly.
user_vacation:
driver = accept
check_local_user
require_files = $local_part:$home/.vacation/message
no_verify
senders = !^.*-request@.* : !^owner-.*@.* : !^postmaster@.* : \
! ^listmaster@.* : !^mailer-daemon@.*
transport = vacation_reply
unseen
# Final router: ordinary mailbox delivery for real system accounts. Only
# local domains reach this point (dnslookup has no_more), but that includes
# virtual domains whose local part was not in the virtual table.
localuser:
driver = accept
check_local_user
transport = local_delivery
This isn't all of the routers -- just the ones I modified.
begin transports
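# Autoreply transport used by the user_vacation router. The reply body is
# the user's ~/.vacation/message (with expansions applied, because of
# file_expand), preceded by the 'text' preamble. 'once' records each
# sender in ~/.vacation/vacation.db so a given sender gets a single reply;
# with no once_repeat that is one reply ever, not one per absence.
# All files live under $home and are written as the user (check_local_user
# on the router). The reply is addressed to the envelope sender and quotes
# the incoming Subject and From headers.
# Fix: the preamble used to say '$local_part@yourdomain.org', a leftover
# placeholder that disagreed with the 'from' address; it now matches.
vacation_reply:
driver = autoreply
file = $home/.vacation/message
file_expand
log = $home/.vacation/vacation.log
once = $home/.vacation/vacation.db
from = $local_part@nbtsc.org
to = $sender_address
subject = "Re: $h_subject"
text = "\
Dear $h_from:\n\n\
This is an automatic reply. Feel free to send additional\n\
mail, as only this one notice will be generated. The following\n\
is a prerecorded message, sent for $local_part@nbtsc.org:\n\
====================================================\n\n\
"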
begin authenticators
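# SMTP AUTH via saslauthd (requires the cyrus-sasl-saslauthd package to be
# installed and running). Both mechanisms are enabled below.
# PLAIN: the client sends authzid\0authcid\0password; $2 is the user name
# and $3 the password, checked against saslauthd's 'smtp' service.
# SECURITY: PLAIN carries the password in clear text, so it is only
# advertised once STARTTLS is active (tls_advertise_hosts = * in the main
# section offers it to everyone). Clients that do not negotiate TLS will
# see no AUTH line. $tls_cipher is the variable name in this Exim version;
# Exim 4.80+ prefers $tls_in_cipher and keeps $tls_cipher as an alias.
plain:
driver = plaintext
public_name = PLAIN
server_advertise_condition = ${if def:tls_cipher}
server_condition = ${if saslauthd{{$2}{$3}{smtp}}{1}{0}}
server_set_id = $2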
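# LOGIN: two-step prompt for user name ($1) and password ($2), checked
# against saslauthd's 'smtp' service.
# SECURITY: LOGIN sends the password in clear text, so it is only
# advertised once STARTTLS is active; clients that do not negotiate TLS
# will not be offered it. $tls_cipher is the variable name in this Exim
# version; Exim 4.80+ prefers $tls_in_cipher and keeps $tls_cipher as an
# alias.
login:
driver = plaintext
public_name = LOGIN
server_advertise_condition = ${if def:tls_cipher}
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
server_set_id = $1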