Документация ispmanager 6 business

Конфигурационный файл Exim

 

Разбор конфигурационного файла Exim

Приведен пример конфигурационного файла Exim на Debian. Строки влючения SpamAssassin, ClamAV, OpenDKIM, Postgrey:

 SA_ENABLE = yes
 VIRUS_SCAN = yes
 DKIM_ENABLE = yes
 POSTGREY_SOCKET = /var/run/postgrey.sock

секция acl_check_rcpt

Если ClamAV включен в секции acl_check_rcpt проверяем не находится ли домен в WhiteList ClamAV:

 .ifdef VIRUS_SCAN
               warn set acl_m3 = no
               warn
                       condition        = ${lookup{$domain}lsearch{/etc/clamav.whitelist} {yes}{no}}
                       set acl_m3 = ok
 .endif

Проверяем отправителя в вайтлистах и блэклистах:

               accept  domains = +local_domains : +relay_to_domains
                               condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
                               set acl_m6 = whitelisted
                               logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
               accept  domains = +local_domains : +relay_to_domains
                               hosts = net-lsearch;/etc/exim4/whitelist
                               set acl_m6 = whitelisted
                               logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.
               deny    condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
                               set acl_m6 = blacklisted
                               logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.
               deny    hosts = net-lsearch;/etc/exim4/blacklist
                               set acl_m6 = blacklisted
                               logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.

Проверяем отправителя грейлистингом:

 .ifdef POSTGREY_SOCKET
               defer log_message = greylisted host $sender_host_address
                       set acl_m0  = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\ninstance=$sender_host_address/$sender_address/$local_part@$domain\n\n
                       set acl_m0  = ${sg{${readsocket{POSTGREY_SOCKET}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
                       message     = ${sg{$acl_m0}{^\\w+\\s*}{}}
                       condition   = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
 .endif

секция acl_check_data

при высокой загрузке сервера принимаем письмо без проверок:

           accept
               condition = ${if >{$load_average}{3000} {yes}{no}}
               logwrite = Accept message without spamd and antivirus check because LA > 3.

если письмо больше 1кб и меньше 2мб проверяем ClamAV'ом, acl_m3 содержит no если домен в WhiteList ClamAV:

 .ifdef VIRUS_SCAN
       accept
           condition = ${if or {\
              {<{$message_body_size}{1K}} \
              {>{$message_body_size}{2M}} \
              } {yes}{no}}
           logwrite = Accept message without antivirus check because body size $message_body_size not critical
       warn
           condition = ${if eq{$acl_m3}{ok} {yes}{no}}
           add_header = X-Scanned-By: ${extract{1}{/}{${readsocket{/var/run/clamav/clamd.ctl}{VERSION}{1s}{} {unscanned}}}}; $tod_full\n
       deny
           message = This message contains virus ($malware_name)
           hosts   = *
           demime  = *
           malware = *
           log_message = Rejected: this message contains virus ($malware_name)
           condition = ${if eq{$acl_m3}{ok}{yes}{no}}
 .endif

Проверка SpamAssassin:

 .ifdef SA_ENABLE
       warn
           !authenticated = *
           hosts = !127.0.0.1/24
           condition = ${if < {$message_size}{1K}}
           spam       = SA_SPAMD_USER:true
           add_header = X-Spam_score: $spam_score\n\
                  X-Spam_score_int: $spam_score_int\n\
                  X-Spam_bar: $spam_bar\n\
                  X-Spam_report: $spam_report
       warn
           !authenticated = *
           hosts = !+relay_from_hosts
           spam       = SA_SPAMD_USER:true/defer_ok
           add_header = X-Spam_score: $spam_score\n\
                   X-Spam_score_int: $spam_score_int\n\
                   X-Spam_bar: $spam_bar\n\
                   X-Spam_report: $spam_report
           set acl_m4 = $spam_score_int
           condition = ${if and{{<{$message_size}{100K}}{<{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
           logwrite = From $sender_address to $recipients X-Spam_score: $acl_m4.
       deny
       	condition = ${if and{{!eq{$acl_m4}{}}{>{$acl_m4}{SA_SCORE_REJECT}}} {yes}{no}}
           message = Content analisis tool detect spam (from $sender_address to $recipients). Contact SA_ABUSE_ADDR.
 .endif

секция acl_check_dkim

Если dkim включен — проверяем dkim заголовки

 .ifdef DKIM_ENABLE

acl_check_dkim:

       warn
           dkim_status = fail
           logwrite = DKIM test failed: $dkim_verify_reason
           add_header = X-DKIM-FAIL: DKIM test failed: (address=$sender_address domain=$dkim_cur_signer), signature is bad.
       warn
           dkim_status = invalid
           add_header = :at_start:Authentication-Results: $dkim_cur_signer ($dkim_verify_status); $dkim_verify_reason
           logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), but signature is invalid.
       accept
           dkim_status = pass
           add_header = :at_start:Authentication-Results: dkim=$dkim_verify_status, header.i=@$dkim_cur_signer
           logwrite = DKIM test passed (address=$sender_address domain=$dkim_cur_signer), good signature.

accept
 .endif

Секция роутеров

Проверяем что домен не отключен:

 	disabled_domains:
 		driver = redirect
 		condition = ${extract{3}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
 		allow_fail = yes
 		data = :fail: Domain disabled
 		no_more

Проверяем что пользователь владелец домена не отключен:

 	disabled_users:
 		driver = redirect
 		condition = ${extract{5}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
 		allow_fail = yes
 		data = :fail: User disabled
 		no_more

Проверяем присутствует ли такой домен на сервере:

 	local_domains:
 		driver = redirect
 		data = ${quote_local_part:$local_part}@${extract{1}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
  		cannot_route_message = Unknown user
 		redirect_router = dnslookup
 		no_more

Проверяем если почтовый ящик псевдоним:

 	aliases:
 		driver = redirect
 		data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/aliases}}}}
 		condition = ${if exists{/etc/exim4/aliases} {yes} {no} }
 		redirect_router = dnslookup
 		pipe_transport = address_pipe

Доставляем почту в ящик, если такой есть в exim-passwd:

 	procmail:
 		no_verify
 		driver = accept
 		transport = dovecot_deliver_pipe
 		transport_home_directory = ${extract{4}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}

Производим действие по умолчанию для домена, если такого ящика нет:

 	catchall_for_domains:
 		driver = redirect
 		headers_add = X-redirected: yes
 		data = ${extract{2}{:}{${lookup{$domain}lsearch{/etc/exim4/domains}}}}
 		file_transport = local_delivery
 		redirect_router = dnslookup

Или отдаем сообщения, что такого ящика на сервере нет:

 	unknown_users:
 		driver = redirect
 		allow_fail = yes
 		data = :fail: Unknown user
 		no_more

Включаем субадресацию почты:

 	userforward:
 		local_part_suffix = +* 
		local_part_suffix_optional

Субадресация позволяет автоматически распределять входящие сообщения по папкам пользователя. Для этого в адресе получателя должна быть указана комбинация "почтовый ящик+имя папки". Например, если у пользователя user@example.com на IMAP-сервере есть папка “bill”, то письма для user+bill@example.com будут автоматически помещаться в эту папку.

Секция транспортов

Траснпорт доставки почтового сообщения в maildir посредством доставщика dovecot-lda:

 	dovecot_deliver_pipe:
 		driver = pipe
 		environment = "HOME=$home"
 		command = "/usr/lib/dovecot/dovecot-lda -d $local_part@$domain  -f $sender_address"
 		return_path_add
 		delivery_date_add
 		envelope_to_add
 		check_string = "From "
 		escape_string = ">From "
 		user = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}
 		group = ${extract{2}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/passwd}}}}

Секция аутентификации

Если при установке выбрана авторизация через dovecot:

 	auth_plain:
 		driver = dovecot
 		public_name = PLAIN
 		server_socket = /var/run/dovecot/auth-client
 		server_set_id = $auth1
 	auth_login:
 		driver = dovecot
 		public_name = LOGIN
 		server_socket = /var/run/dovecot/auth-client
 		server_set_id = $auth1
 	auth_cram_md5:
 		driver = dovecot
 		public_name = CRAM-MD5
 		server_socket = /var/run/dovecot/auth-client
 		server_set_id = $auth1

Если авторизация через sasldb:

 	cram:
 		driver = cyrus_sasl
 		public_name = CRAM-MD5
 		server_set_id = $1

plain:
 		driver = cyrus_sasl
 		public_name = PLAIN
 		server_set_id = $1
 	login:
 		driver = cyrus_sasl
 		public_name = LOGIN
 		server_set_id = $1