Home Explore Help
Register Sign In
rivimey
/
ansible-exim
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 58fdbfaf04
Branches Tags
ansible-exim
/
files
/
exim-greylist.conf.inc

exim-greylist.conf.inc 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. # $Id: acl-greylist-sqlite,v 1.3 2007/11/25 19:17:28 dwmw2 Exp $
    2. 

  2. 

  3. GREYDB=/var/spool/exim4/db/greylist.db
    4. 

  4. 

  5. # ACL for greylisting. Place reason(s) for greylisting into a variable named
    6. 

  6. # $acl_m_greylistreasons before invoking with 'require acl = greylist_mail'.
    7. 

  7. # The reasons should be separate lines of text, and will be reported in
    8. 

  8. # the SMTP rejection message as well as the log message.
    9. 

  9. #
    10. 

  10. # When a suspicious mail is seen, we temporarily reject it and wait to see
    11. 

  11. # if the sender tries again. Most spam robots won't bother. Real mail hosts
    12. 

  12. # _will_ retry, and we'll accept it the second time. For hosts which are
    13. 

  13. # observed to retry, we don't bother greylisting again in the future --
    14. 

  14. # it's obviously pointless. We remember such hosts, or 'known resenders',
    15. 

  15. # by a tuple of their IP address and the name they used in HELO.
    16. 

  16. #
    17. 

  17. # We also include the time of listing for 'known resenders', just in case
    18. 

  18. # someone wants to expire them after a certain amount of time. So the 
    19. 

  19. # database table for these 'known resenders' looks like this:
    20. 

  20. #
    21. 

  21. # CREATE TABLE resenders (
    22. 

  22. #        host            TEXT,
    23. 

  23. #        helo            TEXT,
    24. 

  24. #        time            INTEGER,
    25. 

  25. #    PRIMARY KEY (host, helo) );
    26. 

  26. #
    27. 

  27. # To remember mail we've rejected, we create an 'identity' from its sender
    28. 

  28. # and recipient addresses and its Message-ID: header. We don't include the
    29. 

  29. # sending IP address in the identity, because sometimes the second and 
    30. 

  30. # subsequent attempts may come from a different IP address to the original.
    31. 

  31. #
    32. 

  32. # We do record the original IP address and HELO name though, because if
    33. 

  33. # the message _is_ retried from another machine, it's the _first_ one we
    34. 

  34. # want to record as a 'known resender'; not just its backup path.
    35. 

  35. #
    36. 

  36. # Obviously we record the time too, so the main table of greylisted mail
    37. 

  37. # looks like this:
    38. 

  38. #
    39. 

  39. # CREATE TABLE greylist (
    40. 

  40. #        id              TEXT,
    41. 

  41. #        expire          INTEGER,
    42. 

  42. #        host            TEXT,
    43. 

  43. #        helo            TEXT);
    44. 

  44. #
    45. 

  45. 

  46. greylist_mail:
    47. 

  47.   # First, accept if it there's absolutely nothing suspicious about it...
    48. 

  48.   accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
    49. 

  49.   # ... or if it was generated locally or by authenticated clients.
    50. 

  50.   accept hosts = :
    51. 

  51.   accept authenticated = *
    52. 

  52. 

  53.   # Secondly, there's _absolutely_ no point in greylisting mail from
    54. 

  54.   # hosts which are known to resend their mail. Just accept it.
    55. 

  55.   accept condition = ${lookup sqlite {GREYDB SELECT host from resenders \
    56. 

  56. 			       WHERE helo='${quote_sqlite:$sender_helo_name}' \
    57. 

  57. 			       AND host='$sender_host_address';} {1}}
    58. 

  58. 

  59.   # Generate a hashed 'identity' for the mail, as described above.
    60. 

  60.   warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}
    61. 

  61. 

  62.   # Attempt to look up this mail in the greylist database. If it's there,
    63. 

  63.   # remember the expiry time for it; we need to make sure they've waited
    64. 

  64.   # long enough.
    65. 

  65.   warn set acl_m_greyexpiry = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
    66. 

  66. 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
    67. 

  67.         logwrite = greylist lookup returned "$acl_m_greyexpiry"
    68. 

  68. 

  69.   # If the mail isn't already the database -- i.e. if the $acl_m_greyexpiry
    70. 

  70.   # variable we just looked up is empty -- then try to add it now. This is 
    71. 

  71.   # where the 2 minute timeout is set ($tod_epoch + 120), should you wish
    72. 

  72.   # to change it.
    73. 

  73.   warn  condition = ${if eq {$acl_m_greyexpiry}{} {1}}
    74. 

  74. 	set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO greylist \
    75. 

  75. 					VALUES ( '$acl_m_greyident', \
    76. 

  76. 						 '${eval10:$tod_epoch+120}', \
    77. 

  77. 						 '$sender_host_address', \
    78. 

  78. 						 '${quote_sqlite:$sender_helo_name}' );}}
    79. 

  79. 

  80.   # Be paranoid, and check if the insertion succeeded (by doing another lookup).
    81. 

  81.   # Otherwise, if there's a database error we might end up deferring for ever.
    82. 

  82.   defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}
    83. 

  83.         condition = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
    84. 

  84. 				WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
    85. 

  85.         logwrite = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons
    86. 

  86.         message = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons \
    87. 

  87. 		  The mail has been greylisted for 5 minutes, after which it should be accepted. \
    88. 

  88. 		  We apologise for the inconvenience. Your mail system should keep the mail on \
    89. 

  89. 		  its queue and retry. When that happens, your system will be added to the list \
    90. 

  90. 		  genuine mail systems, and mail from it should not be greylisted any more. \
    91. 

  91. 		  In the event of problems, please contact postmaster@$qualify_domain
    92. 

  92. 	log_message = Greylisted <$h_message-id:> from <$sender_address> for offences: ${sg {$acl_m_greylistreasons}{\n}{,}}
    93. 

  93. 

  94.   # Handle the error case (which should never happen, but would be bad if it did).
    95. 

  95.   # First by whining about it in the logs, so the admin can deal with it...
    96. 

  96.   warn   condition = ${if eq {$acl_m_greyexpiry}{} {1}}
    97. 

  97.          log_message = Greylist insertion failed. Bypassing greylist.
    98. 

  98.   # ... and then by just accepting the message.
    99. 

  99.   accept condition = ${if eq {$acl_m_greyexpiry}{} {1}}
    100. 

  100. 

  101.   # OK, we've dealt with the "new" messages. Now we deal with messages which
    102. 

  102.   # _were_ already in the database...
    103. 

  103. 

  104.   # If the message was already listed but its time hasn't yet expired, keep rejecting it
    105. 

  105.   defer condition = ${if > {$acl_m_greyexpiry}{$tod_epoch}}
    106. 

  106. 	logwrite = Your mail was previously greylisted and the time has not yet expired.\n\
    107. 

  107. 		  You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\
    108. 

  108. 		  Reason(s) for greylisting: \n$acl_m_greylistreasons
    109. 

  109. 	message = Your mail was previously greylisted and the time has not yet expired.\n\
    110. 

  110. 		  You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\
    111. 

  111. 		  Reason(s) for greylisting: \n$acl_m_greylistreasons
    112. 

  112. 

  113.   # The message was listed but it's been more than five minutes. Accept it now and whitelist
    114. 

  114.   # the _original_ sending host by its { IP, HELO } so that we don't delay its mail again.
    115. 

  115.   warn set acl_m_orighost = ${lookup sqlite {GREYDB SELECT host FROM greylist \
    116. 

  116. 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
    117. 

  117.        set acl_m_orighelo = ${lookup sqlite {GREYDB SELECT helo FROM greylist \
    118. 

  118. 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
    119. 

  119.        set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO resenders \
    120. 

  120. 				VALUES ( '$acl_m_orighost', \
    121. 

  121. 					 '${quote_sqlite:$acl_m_orighelo}', \
    122. 

  122. 					 '$tod_epoch' ); }}
    123. 

  123.        logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders
    124. 

  124. 

  125.   accept
    126.