From 7b83f2a34b7c9cd42f4cc52bc3948e8714046871 Mon Sep 17 00:00:00 2001 From: Clinton Ebadi Date: Sun, 9 Aug 2020 01:03:50 -0400 Subject: [PATCH] Integrate changes from 4.92 Biggest change is enabling DNSSEC --- conf.d/acl/30_exim4-config_check_mail | 1 + conf.d/acl/30_exim4-config_check_rcpt | 31 +++++++--- conf.d/acl/40_exim4-config_check_data | 41 ++++++++----- conf.d/auth/30_exim4-config_examples | 59 +------------------ conf.d/main/01_exim4-config_listmacrosdefs | 30 +--------- conf.d/main/02_exim4-config_options | 8 ++- conf.d/retry/30_exim4-config | 2 +- conf.d/router/200_exim4-config_primary | 2 + conf.d/transport/30_exim4-config_remote_smtp | 4 ++ .../30_exim4-config_remote_smtp_smarthost | 3 +- 10 files changed, 66 insertions(+), 115 deletions(-) diff --git a/conf.d/acl/30_exim4-config_check_mail b/conf.d/acl/30_exim4-config_check_mail index dbb1728..f8c53d6 100644 --- a/conf.d/acl/30_exim4-config_check_mail +++ b/conf.d/acl/30_exim4-config_check_mail @@ -7,4 +7,5 @@ # accepted or denied. # acl_check_mail: + accept diff --git a/conf.d/acl/30_exim4-config_check_rcpt b/conf.d/acl/30_exim4-config_check_rcpt index c426f60..2578a5f 100644 --- a/conf.d/acl/30_exim4-config_check_rcpt +++ b/conf.d/acl/30_exim4-config_check_rcpt @@ -2,6 +2,19 @@ ### acl/30_exim4-config_check_rcpt ################################# +# define macros to be used below in this file to check recipient +# local parts for strange characters. Documentation below. +# This blocks local parts that begin with a dot or contain a quite +# broad range of non-alphanumeric characters. + +.ifndef CHECK_RCPT_LOCAL_LOCALPARTS +CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] +.endif + +.ifndef CHECK_RCPT_REMOTE_LOCALPARTS +CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ +.endif + # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. 
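Review bot: The added `accept` in `acl_check_mail` carries no condition, so every MAIL FROM now passes this ACL and the sender-based controls live entirely in `acl_check_rcpt` (the local sender and host blacklists touched later in this same patch); a one-line comment stating that would save the next reader a search, e.g. `# Accept unconditionally: sender and host checks are applied per recipient in acl_check_rcpt.` above the verb. If I read the Exim ACL rules correctly, an ACL that reaches its end without a matching verb denies, so the explicit `accept` is what keeps MAIL working rather than being cosmetic; worth confirming against the spec for the deployed version before relying on it.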
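Review bot: The relocated `CHECK_RCPT_LOCAL_LOCALPARTS` and `CHECK_RCPT_REMOTE_LOCALPARTS` definitions are guarded by `.ifndef`, so a site override only wins if it appears earlier in the concatenated configuration, and the new comment block does not say where that is; the pointer to README.Debian's "Using Exim Macros to control the configuration" that is removed from main/01_exim4-config_listmacrosdefs in this patch is dropped without a replacement. Suggest adding `# Override these from a file in conf.d/main/ (read before acl/), e.g. 000_localmacros, as described in README.Debian.` after `Documentation below.` The removed listmacrosdefs comment also explained why these macros could not live in the ACL file (exim bug 101 as of 4.62); a short note that this restriction no longer applies on the exim version this patch targets would help anyone diffing against older configurations.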
@@ -46,7 +59,7 @@ acl_check_rcpt: # incorporated unthinkingly into a shell command line. # # These ACL components will block recipient addresses that are valid - # from an RFC2822 point of view. We chose to have them blocked by + # from an RFC5322 point of view. We chose to have them blocked by # default for security reasons. # # If you feel that your site should have less strict recipient @@ -58,11 +71,8 @@ acl_check_rcpt: # default, and is applied to messages that are addressed to one of the # local domains handled by this host. - # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in - # main/01_exim4-config_listmacrosdefs: - # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] - # This blocks local parts that begin with a dot or contain a quite - # broad range of non-alphanumeric characters. + # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined + # at the top of this file. .ifdef CHECK_RCPT_LOCAL_LOCALPARTS deny domains = +local_domains : +unix_domains @@ -113,9 +123,10 @@ acl_check_rcpt: # to enable this feature. # # This feature does not work in smarthost and satellite setups as - # with these setups all domains pass verification. See spec.txt chapter - # 39.31 with the added information that a smarthost/satellite setup - # routes all non-local e-mail to the smarthost. + # with these setups all domains pass verification. See spec.txt section + # "Access control lists" subsection "Address verification" with the added + # information that a smarthost/satellite setup routes all non-local e-mail + # to the smarthost. .ifdef CHECK_RCPT_VERIFY_SENDER # hcoop-change: warn so that we can track down webapps sending # without a valid return user, but not break the many web apps that 
@@ -234,6 +245,7 @@ acl_check_rcpt: # the black list. See exim4-config_files(5) for details. deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + log_message = sender envelope address is locally blacklisted. !acl = acl_local_deny_exceptions senders = ${if exists{CONFDIR/local_sender_blacklist}\ {CONFDIR/local_sender_blacklist}\ @@ -250,6 +262,7 @@ acl_check_rcpt: # the black list. See exim4-config_files(5) for details. deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + log_message = sender IP address is locally blacklisted. !acl = acl_local_deny_exceptions hosts = ${if exists{CONFDIR/local_host_blacklist}\ {CONFDIR/local_host_blacklist}\ diff --git a/conf.d/acl/40_exim4-config_check_data b/conf.d/acl/40_exim4-config_check_data index abfa164..5b5c099 100644 --- a/conf.d/acl/40_exim4-config_check_data +++ b/conf.d/acl/40_exim4-config_check_data @@ -17,14 +17,14 @@ acl_check_data: condition = ${if > {$max_received_linelength}{998}} .endif - # Deny unless the address list headers are syntactically correct. + # Deny if the headers contain badly-formed addresses. # - # If you enable this, you might reject legitimate mail. - .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX + .ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX deny - message = Message headers fail syntax check !acl = acl_local_deny_exceptions !verify = header_syntax + message = header syntax + log_message = header syntax ($acl_verify_message) .endif 
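Review bot: Switching the guard to `.ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX` turns the header-syntax `deny` from opt-in into on-by-default, which will start rejecting at DATA mail this host accepted before, and the removed warning ("you might reject legitimate mail") is not carried over. Given the hcoop-change in acl_check_rcpt in this same patch that keeps sender verification at `warn` because local web apps send without a valid return user, the same senders seem likely to produce malformed address headers; consider `warn` with the same `log_message` for an observation period, or at least document the opt-out with `# On by default since 4.92; define NO_CHECK_DATA_VERIFY_HEADER_SYNTAX to disable.` Keeping the SMTP-visible `message = header syntax` terse while the detail goes to the log via `$acl_verify_message` is a sensible choice and deserves a one-line comment so nobody later "fixes" it by echoing the verify message to the client.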
@@ -50,25 +50,36 @@ acl_check_data: # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You also need to set the spamd_address + # you must install SpamAssassin. You may also need to set the spamd_address # option in the main configuration. # # exim4-daemon-heavy must be used for this section to work. # - # Please note that this is only suiteable as an example. There are - # multiple issues with this configuration method. For example, if you go - # this way, you'll give your spamassassin daemon write access to the - # entire exim spool which might be a security issue in case of a - # spamassassin exploit. + # Please note that this is only suiteable as an example. See + # /usr/share/doc/exim4-base/README.Debian.gz # # See the exim docs and the exim wiki for more suitable examples. # + # # Remove internal headers # warn - # spam = Debian-exim:true - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report + # remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : \ + # X-Spam_report + # + # warn + # condition = ${if <{$message_size}{120k}{1}{0}} + # # ":true" to add headers/acl variables even if not spam + # spam = nobody:true + # add_header = X-Spam_score: $spam_score + # add_header = X-Spam_bar: $spam_bar + # # Do not enable this unless you have shorted SpamAssassin's report + # #add_header = X-Spam_report: $spam_report + # + # Reject spam messages (score >15.0). + # This breaks mailing list and forward messages. + # deny + # message = Classified as spam (score $spam_score) + # condition = ${if <{$message_size}{120k}{1}{0}} + # condition = ${if >{$spam_score_int}{150}{true}{false}} # This hook allows you to hook in your own ACLs without having to diff --git a/conf.d/auth/30_exim4-config_examples b/conf.d/auth/30_exim4-config_examples index a934a11..f1de5d4 100644 --- a/conf.d/auth/30_exim4-config_examples 
+++ b/conf.d/auth/30_exim4-config_examples @@ -99,7 +99,7 @@ # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS # server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif -# +# # digest_md5_sasl_server: # driver = cyrus_sasl # public_name = DIGEST-MD5 
@@ -204,63 +204,6 @@ # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted # clear text password authentication on all connections. -# cram_md5: -# driver = cram_md5 -# public_name = CRAM-MD5 -# client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} -# client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} - -# # this returns the matching line from passwd.client and doubles all ^ -# PASSWDLINE=${sg{\ -# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ -# }\ -# {\\N[\\^]\\N}\ -# {^^}\ -# } - -# # this returns the matching line from passwd.client and doubles all ^ -# PASSWDLINE=${sg{\ -# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ -# }\ -# {\\N[\\^]\\N}\ -# {^^}\ -# } - -# plain: -# driver = plaintext -# public_name = PLAIN -# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS -# client_send = "<; ${if !eq{$tls_out_cipher}{}\ -# {^${extract{1}{:}{PASSWDLINE}}\ -# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ -# }fail}" -# .else -# client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ -# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -# .endif - -# login: -# driver = plaintext -# public_name = LOGIN -# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS -# # Return empty string if not non-TLS AND looking up $host in passwd-file -# # yields a non-empty string; fail otherwise. -# client_send = "<; ${if and{\ -# {!eq{$tls_out_cipher}{}}\ -# {!eq{PASSWDLINE}{}}\ -# }\ -# {}fail}\ -# ; ${extract{1}{::}{PASSWDLINE}}\ -# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -# .else -# # Return empty string if looking up $host in passwd-file yields a -# # non-empty string; fail otherwise. -# client_send = "<; ${if !eq{PASSWDLINE}{}\ -# {}fail}\ -# ; ${extract{1}{::}{PASSWDLINE}}\ -# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -# .endif - # hcoop-change: auth against sasld hcoop_plain: driver = plaintext 
diff --git a/conf.d/main/01_exim4-config_listmacrosdefs b/conf.d/main/01_exim4-config_listmacrosdefs index f1e4268..01214de 100644 --- a/conf.d/main/01_exim4-config_listmacrosdefs +++ b/conf.d/main/01_exim4-config_listmacrosdefs @@ -82,37 +82,11 @@ LOCAL_DELIVERY=mail_spool gecos_pattern = ^([^,:]*) gecos_name = $1 -# define macros to be used in acl/30_exim4-config_check_rcpt to check -# recipient local parts for strange characters. - -# This macro definition really should be in -# acl/30_exim4-config_check_rcpt but cannot be there due to -# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62. - -# These macros are documented in acl/30_exim4-config_check_rcpt, -# can be changed here or overridden by a locally added configuration -# file as described in README.Debian section "Using Exim Macros to control -# the configuration". - -.ifndef CHECK_RCPT_LOCAL_LOCALPARTS -CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] -.endif - -.ifndef CHECK_RCPT_REMOTE_LOCALPARTS -CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ -.endif - -# always log tls_peerdn as we use TLS for outgoing connects by default -.ifndef MAIN_LOG_SELECTOR -MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn -.endif - # always log tls_peerdn as we use TLS for outgoing connects by default -# hcoop-change: add +tls_ciper +# hcoop-change: add +tls_cipher .ifndef MAIN_LOG_SELECTOR -MAIN_LOG_SELECTOR = +tls_cipher +tls_peerdn +MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn +tls_cipher .endif - # hcoop-change: use file_transport = address_file for /etc/aliases # delivery, as per old configuration SYSTEM_ALIASES_FILE_TRANSPORT = address_file diff --git a/conf.d/main/02_exim4-config_options b/conf.d/main/02_exim4-config_options index 47c8782..600d54a 100644 --- a/conf.d/main/02_exim4-config_options +++ b/conf.d/main/02_exim4-config_options 
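Review bot: The merged `MAIN_LOG_SELECTOR` at the end of the hunk gains `+tls_cipher` but records nothing about the DNSSEC/DANE outcome this patch enables elsewhere (router `dnssec_request_domains`, transport `hosts_try_dane`), so delivery log lines will not show whether a connection was DANE-verified. If I recall the selector name correctly, Exim's `dnssec` log selector marks DNSSEC-secured lookups on delivery lines; consider `MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn +tls_cipher +dnssec` and verify the name against the spec for the deployed version. The `# hcoop-change:` comment should also mention that the two former `.ifndef MAIN_LOG_SELECTOR` blocks were collapsed into one, since that is the reason the local addition now takes effect at all.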
@@ -84,6 +84,10 @@ MAIN_HOST_LOOKUP = * host_lookup = MAIN_HOST_LOOKUP .endif +# The setting below causes Exim to try to initialize the system resolver +# library with DNSSEC support. It has no effect if your library lacks +# DNSSEC support. +dns_dnssec_ok = 1 # In a minimaldns setup, update-exim4.conf guesses the hostname and # dumps it here to avoid DNS lookups being done at Exim run time. @@ -102,8 +106,8 @@ primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME # (The default was reduced from 30s to 5s for release 4.61. and to # disabled for release 4.86) # -#rfc1413_hosts = -#rfc1413_query_timeout = 0s +#rfc1413_hosts = * +#rfc1413_query_timeout = 5s # Enable an efficiency feature. We advertise the feature; clients diff --git a/conf.d/retry/30_exim4-config b/conf.d/retry/30_exim4-config index 047175a..73822ef 100644 --- a/conf.d/retry/30_exim4-config +++ b/conf.d/retry/30_exim4-config @@ -27,5 +27,5 @@ hcoop.net * F,10m,1m; F,30m,5m; G,6h,10m,1.2; G,1d,1h,1.5 gmail.com data_4xx G,2d,30m,1.5 # Default -* * F,4h,10m; G,16h,1h,1.5; F,4d,6h +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h diff --git a/conf.d/router/200_exim4-config_primary b/conf.d/router/200_exim4-config_primary index 8ed2236..68237aa 100644 --- a/conf.d/router/200_exim4-config_primary +++ b/conf.d/router/200_exim4-config_primary @@ -19,6 +19,7 @@ dnslookup_relay_to_domains: domains = ! +local_domains : ! +unix_domains : +relay_to_domains transport = remote_smtp same_domain_copy_routing = yes + dnssec_request_domains = * no_more # deliver mail directly to the recipient. This router is only reached @@ -36,6 +37,7 @@ dnslookup: ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ 255.255.255.255 + dnssec_request_domains = * no_more .endif diff --git a/conf.d/transport/30_exim4-config_remote_smtp b/conf.d/transport/30_exim4-config_remote_smtp index 7534101..8430577 100644 --- a/conf.d/transport/30_exim4-config_remote_smtp 
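Review bot: `dns_dnssec_ok = 1` at the end of the first hunk only asks the resolver library to set the DO bit; the DNSSEC status Exim later acts on (the `dnssec_request_domains` routers in this patch and `hosts_try_dane` in the remote_smtp transport) is whatever AD bit the resolver named in `/etc/resolv.conf` returns. If that resolver does not validate, DANE never engages; if it validates but is reached over an untrusted network, the AD bit is an unauthenticated hint and a forged TLSA answer could be treated as verified. The added comment should state this dependency, e.g. `# Only meaningful with a validating resolver on localhost or a trusted link; the AD bit is not authenticated in transit.` The same caveat applies to the router hunks here and the transport hunk that consume the result.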
+++ b/conf.d/transport/30_exim4-config_remote_smtp @@ -54,3 +54,7 @@ tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE .ifdef REMOTE_SMTP_PRIVATEKEY tls_privatekey = REMOTE_SMTP_PRIVATEKEY .endif +.ifndef REMOTE_SMTP_DISABLE_DANE +dnssec_request_domains = * +hosts_try_dane = * +.endif diff --git a/conf.d/transport/30_exim4-config_remote_smtp_smarthost b/conf.d/transport/30_exim4-config_remote_smtp_smarthost index c5d0df2..8c6b757 100644 --- a/conf.d/transport/30_exim4-config_remote_smtp_smarthost +++ b/conf.d/transport/30_exim4-config_remote_smtp_smarthost @@ -12,11 +12,10 @@ remote_smtp_smarthost: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp - + multi_domain .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} .endif - hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ {\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ -- 2.20.1
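Review bot: `hosts_try_dane = *` is opportunistic: DANE is enforced only for hosts whose TLSA records arrive DNSSEC-validated, and every other host falls back to whatever TLS the transport already negotiated, so the new block raises the floor for signed domains without changing behaviour for the rest; a comment should say so and name the otherwise undocumented opt-out macro, e.g. `# DANE is attempted for every host and enforced where validated TLSA records exist; define REMOTE_SMTP_DISABLE_DANE to turn this off.` `hosts_require_dane` is the strict per-domain form if a hard policy is ever wanted. As far as I know the option is only recognised by a daemon built with DANE support (`exim4 -bV` lists it under "Support for"), and a build without it fails to load the configuration rather than ignoring the line, so this is worth checking on the target host before deploying.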