Verify local senders, block senders using spamhaus, enforce SPF
authorClinton Ebadi <clinton@unknownlamer.org>
Tue, 19 May 2015 05:45:48 +0000 (01:45 -0400)
committerClinton Ebadi <clinton@unknownlamer.org>
Tue, 19 May 2015 05:45:48 +0000 (01:45 -0400)
Local sender verification is warn only for the time being since many
web apps are currently sending messages from invalid
addresses (e.g. moin uses noreply@$domain).

conf.d/acl/30_exim4-config_check_rcpt
conf.d/main/01_exim4-config_listmacrosdefs

index b5050d5..9f8a189 100644 (file)
@@ -118,9 +118,12 @@ acl_check_rcpt:
   # 39.31 with the added information that a smarthost/satellite setup
   # routes all non-local e-mail to the smarthost.
   .ifdef CHECK_RCPT_VERIFY_SENDER
-  deny
-    message = Sender verification failed
-    !acl = acl_whitelist_local_deny
+  # hcoop-change: warn so that we can track down webapps sending
+  # without a valid return user, but not break the many web apps that
+  # do so. Fix.
+  warn
+    log_message = Sender verification failed
+    !acl = acl_local_deny_exceptions
     !verify = sender
   .endif
 
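Review bot: The comment added above `warn` ends in a bare "Fix.", which does not tell the next maintainer what is to be fixed or when enforcement returns. Because of this downgrade, mail whose sender fails verification is now accepted whenever CHECK_RCPT_VERIFY_SENDER is set, so spell that out, e.g. `# TODO(hcoop): restore "deny" with "message =" once the web apps send from valid addresses`. The `!verify = sender` condition as shown is not limited to local sender domains, so the warning will presumably fire for remote senders as well; that is worth a line in the comment if the log is meant for finding local web apps. acl_check_rcpt starts and continues outside this hunk, and the definition of acl_local_deny_exceptions is not visible here.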
@@ -318,7 +321,8 @@ acl_check_rcpt:
   # Check against classic DNS "black" lists (DNSBLs) which list
   # sender IP addresses
   .ifdef CHECK_RCPT_IP_DNSBLS
-  warn
+  # hcoop-change: drop connection instead of warning
+  drop
     message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
     log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
     dnslists = CHECK_RCPT_IP_DNSBLS
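Review bot: Under `drop` the `message =` line is the text of the SMTP rejection rather than a header to add, so the remote side will be sent a response that starts with "X-Warning:"; reword it as a rejection, e.g. `message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)`. No exception condition is visible on this statement, unlike the sender-verification block, which carries `!acl = acl_local_deny_exceptions`; adding the same line here would give operators a way to let a falsely listed host through. Whether authenticated and relay-permitted clients are accepted before this point cannot be seen from the hunk, and that ordering matters because the list configured in this commit includes policy listings of dynamic address ranges. The statement continues past the end of the hunk.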
index 4e10add..c02cd3b 100644 (file)
@@ -116,3 +116,9 @@ MAILDIR_HOME_MAILDIR_LOCATION = /afs/hcoop.net/common/email
 
 # hcoop-change: enable TLS
 MAIN_TLS_ENABLE = yes
+
+# hcoop-change: enabled sender verification
+CHECK_RCPT_VERIFY_SENDER = true
+CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_RCPT_SPF = true
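Review bot: `CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org` matches on any address the list returns, and this commit turns a match into a dropped connection, so a non-listing answer (Spamhaus uses codes in 127.255.255.0/24 for blocked or over-limit resolvers) could reject all inbound mail. Consider restricting the lookup to the return codes you intend to act on with Exim's `domain=addr,addr` form, and record in a comment which resolver this host queries through. The comment `# hcoop-change: enabled sender verification` describes only the first of the four macros; `# hcoop-change: enable sender verification, DNSBL, reverse-DNS and SPF checks in acl_check_rcpt` would match what is set.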