Thread: Calling all mail server admins

  1. #1
    Senior Member
    Join Date
    Sep 2002
    Posts
    421

    Calling all mail server admins

    Hey there.

    I need all the help I can get on this:
    I have to implement a working mail server solution for ~500 users in 5 different subdomains including decent spam and virus protection. My experience on mail servers is limited to a fall back host I have running for one of these domains that never really has to do much cause the main server worked pretty reliably until now.

    I want to use the following software:
    exim (with the acl and sa-exim patch)
    clamav for virus scanning
    spamassassin and
    dcc for spam control
    possibly procmail for further filtering

    Apart from using exim as the MTA I'm open to other solutions.

    The system will be a mail hub so the user's mailboxes don't reside on the same machine. I expect some 5000 mails/day or maybe more. What would the hardware requirements be when scanning for virii and spam is done at smtp rcpt time so that anything that fails the scan is rejected right away before it even enters the system?
    Can somebody point me to tested spamassassin configurations that minimize false positives? (I'm well aware that I will have to do some tweaking of the configuration but I just need something I can start up with.) Any experiences with virus scanners on a mail gateway? I'm not set on using clamav. I need a system for which new virus definitions are provided quickly cause our workstations are windows only and our users are exceptionally dumb in spotting virii in their inbox. Also, has anyone experience with dcc? That's the part I'm least familiar with but I thought it sounds like a neat idea. Any links to docs and shared experience with similar systems are greatly appreciated.

    Thanks, demian

  2. #2
    Mentor
    Join Date
    Jun 2001
    Posts
    1,672

    Re:Calling all mail server admins

    For starters, here is my exim 4.30 configuration. You might want to change a couple of options to your taste.

    Code:
    ######################################################################
    #                  Runtime configuration file for Exim               #
    ######################################################################
    
    
    # This is a default configuration file which will operate correctly in
    # uncomplicated installations. Please see the manual for a complete list
    # of all the runtime configuration options that can be included in a
    # configuration file. There are many more than are mentioned here. The
    # manual is in the file doc/spec.txt in the Exim distribution as a plain
    # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
    # from the Exim ftp sites. The manual is also online at the Exim web sites.
    
    
    # This file is divided into several parts, all but the first of which are
    # headed by a line starting with the word "begin". Only those parts that
    # are required need to be present. Blank lines, and lines starting with #
    # are ignored.
    
    
    ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
    #                                                                          #
    # Whenever you change Exim's configuration file, you *must* remember to    #
    # HUP the Exim daemon, because it will not pick up the new configuration   #
    # until you do. However, any other Exim processes that are started, for    #
    # example, a process started by an MUA in order to send a message, will    #
    # see the new configuration as soon as it is in place.                     #
    #                                                                          #
    # You do not need to HUP the daemon for changes in auxiliary files that    #
    # are referenced from this file. They are read every time they are used.   #
    #                                                                          #
    # It is usually a good idea to test a new configuration for syntactic      #
    # correctness before installing it (for example, by running the command    #
    # "exim -C /config/file.new -bV").                                         #
    #                                                                          #
    ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
    
    
    
    ######################################################################
    #                    MAIN CONFIGURATION SETTINGS                     #
    ######################################################################
    system_filter = /etc/exim/system_filter.exim
    system_filter_user = mail
    
    # Specify your host's canonical name here. This should normally be the fully
    # qualified "official" name of your host. If this option is not set, the
    # uname() function is called to obtain the name. In many cases this does
    # the right thing and you need not set anything explicitly.
    
    # primary_hostname =
    
    
    # The next three settings create two lists of domains and one list of hosts.
    # These lists are referred to later in this configuration using the syntax
    # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
    # are all colon-separated lists:
    
    domainlist local_domains = bogus.com : morebogus.com
    domainlist relay_to_domains =
    hostlist   relay_from_hosts = 127.0.0.1
    
    # Most straightforward access control requirements can be obtained by
    # appropriate settings of the above options. In more complicated situations, you
    # may need to modify the Access Control List (ACL) which appears later in this
    # file.
    
    # The first setting specifies your local domains, for example:
    #
    #   domainlist local_domains = my.first.domain : my.second.domain
    #
    # You can use "@" to mean "the name of the local host", as in the default
    # setting above. This is the name that is specified by primary_hostname,
    # as specified above (or defaulted). If you do not want to do any local
    # deliveries, remove the "@" from the setting above. If you want to accept mail
    # addressed to your host's literal IP address, for example, mail addressed to
    # "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
    # list. You also need to uncomment "allow_domain_literals" below. This is not
    # recommended for today's Internet.
    
    # The second setting specifies domains for which your host is an incoming relay.
    # If you are not doing any relaying, you should leave the list empty. However,
    # if your host is an MX backup or gateway of some kind for some domains, you
    # must set relay_to_domains to match those domains. For example:
    #
    # domainlist relay_to_domains = *.myco.com : my.friend.org
    #
    # This will allow any host to relay through your host to those domains.
    # See the section of the manual entitled "Control of relaying" for more
    # information.
    
    # The third setting specifies hosts that can use your host as an outgoing relay
    # to any other host on the Internet. Such a setting commonly refers to a
    # complete local network as well as the localhost. For example:
    #
    # hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
    #
    # The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
    # have to include 127.0.0.1 if you want to allow processes on your host to send
    # SMTP mail by using the loopback address. A number of MUAs use this method of
    # sending mail.
    
    
    # All three of these lists may contain many different kinds of item, including
    # wildcarded names, regular expressions, and file lookups. See the reference
    # manual for details. The lists above are used in the access control list for
    # incoming messages. The name of this ACL is defined here:
    
    acl_smtp_rcpt = acl_check_rcpt
    
    # You should not change that setting until you understand how ACLs work.
    
    # The following ACL entries are used if you want to do content scanning with
    # the exiscan-acl patch. When you uncomment one of these lines, you must also
    # review the respective entries in the ACL section further below.
    
    acl_smtp_mime = acl_check_mime
    acl_smtp_data = acl_check_content
    
    # This configuration variable defines the virus scanner that is used with
    # the 'malware' ACL condition of the exiscan acl-patch. If you do not use
    # virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt
    # for a list of supported scanners.
    
    # av_scanner = sophie:/var/run/sophie
    
    # The following setting is only needed if you use the 'spam' ACL condition
    # of the exiscan-acl patch. It specifies on which host and port the SpamAssassin
    # "spamd" daemon is listening. If you do not use this condition, or you use
    # the default of "127.0.0.1 783", you can omit this option.
    
    # spamd_address = 127.0.0.1 783
    
    # Specify the domain you want to be added to all unqualified addresses
    # here. An unqualified address is one that does not contain an "@" character
    # followed by a domain. For example, "caesar@rome.example" is a fully qualified
    # address, but the string "caesar" (i.e. just a login name) is an unqualified
    # email address. Unqualified addresses are accepted only from local callers by
    # default. See the recipient_unqualified_hosts option if you want to permit
    # unqualified addresses from remote sources. If this option is not set, the
    # primary_hostname value is used for qualification.
    
    # qualify_domain =
    
    
    # If you want unqualified recipient addresses to be qualified with a different
    # domain to unqualified sender addresses, specify the recipient domain here.
    # If this option is not set, the qualify_domain value is used.
    
    # qualify_recipient =
    
    
    # The following line must be uncommented if you want Exim to recognize
    # addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
    # (an IP address) instead of a named domain. The RFCs still require this form,
    # but it makes little sense to permit mail to be sent to specific hosts by
    # their IP address in the modern Internet. This ancient format has been used
    # by those seeking to abuse hosts by using them for unwanted relaying. If you
    # really do want to support domain literals, uncomment the following line, and
    # see also the "domain_literal" router below.
    
    # allow_domain_literals
    
    
    # No deliveries will ever be run under the uids of these users (a colon-
    # separated list). An attempt to do so causes a panic error to be logged, and
    # the delivery to be deferred. This is a paranoic safety catch. There is an
    # even stronger safety catch in the form of the FIXED_NEVER_USERS setting
    # in the configuration for building Exim. The list of users that it specifies
    # is built into the binary, and cannot be changed. The option below just adds
    # additional users to the list. The default for FIXED_NEVER_USERS is "root",
    # but just to be absolutely sure, the default here is also "root".
    
    # Note that the default setting means you cannot deliver mail addressed to root
    # as if it were a normal user. This isn't usually a problem, as most sites have
    # an alias for root that redirects such mail to a human administrator.
    
    never_users = root
    
    
    # The setting below causes Exim to do a reverse DNS lookup on all incoming
    # IP calls, in order to get the true host name. If you feel this is too
    # expensive, you can specify the networks for which a lookup is done, or
    # remove the setting entirely.
    
    host_lookup = *
    
    
    # The settings below, which are actually the same as the defaults in the
    # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
    # calls. You can limit the hosts to which these calls are made, and/or change
    # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
    # are disabled. RFC 1413 calls are cheap and can provide useful information
    # for tracing problem messages, but some hosts and firewalls have problems
    # with them. This can result in a timeout instead of an immediate refused
    # connection, leading to delays on starting up an SMTP session.
    
    rfc1413_hosts = *
    rfc1413_query_timeout = 5s
    
    
    # By default, Exim expects all envelope addresses to be fully qualified, that
    # is, they must contain both a local part and a domain. If you want to accept
    # unqualified addresses (just a local part) from certain hosts, you can specify
    # these hosts by setting one or both of
    #
    # sender_unqualified_hosts =
    # recipient_unqualified_hosts =
    #
    # to control sender and recipient addresses, respectively. When this is done,
    # unqualified addresses are qualified using the settings of qualify_domain
    # and/or qualify_recipient (see above).
    
    
    # If you want Exim to support the "percent hack" for certain domains,
    # uncomment the following line and provide a list of domains. The "percent
    # hack" is the feature by which mail addressed to x%y@z (where z is one of
    # the domains listed) is locally rerouted to x@y and sent on. If z is not one
    # of the "percent hack" domains, x%y is treated as an ordinary local part. This
    # hack is rarely needed nowadays; you should not enable it unless you are sure
    # that you really need it.
    #
    # percent_hack_domains =
    #
    # As well as setting this option you will also need to remove the test
    # for local parts containing % in the ACL definition below.
    
    
    # When Exim can neither deliver a message nor return it to sender, it "freezes"
    # the delivery error message (aka "bounce message"). There are also other
    # circumstances in which messages get frozen. They will stay on the queue for
    # ever unless one of the following options is set.
    
    # This option unfreezes frozen bounce messages after two days, tries
    # once more to deliver them, and ignores any delivery failures.
    
    ignore_bounce_errors_after = 2d
    
    # This option cancels (removes) frozen messages that are older than a day.
    
    timeout_frozen_after = 1d
    
    
    ######################################################################
    #                       ACL CONFIGURATION                            #
    #         Specifies access control lists for incoming SMTP mail      #
    ######################################################################
    
    begin acl
    
    # This access control list is used for every RCPT command in an incoming
    # SMTP message. The tests are run in order until the address is either
    # accepted or denied.
    
    acl_check_rcpt:
    
      # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
      # testing for an empty sending host field.
    
      accept  hosts = :
    
      #############################################################################
      # The following section of the ACL is concerned with local parts that contain
      # @ or % or ! or / or | or dots in unusual places.
      #
      # The characters other than dots are rarely found in genuine local parts, but
      # are often tried by people looking to circumvent relaying restrictions.
      # Therefore, although they are valid in local parts, these rules lock them
      # out, as a precaution.
      #
      # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
      # allows them because they have been encountered. (Consider local parts
      # constructed as "firstinitial.secondinitial.familyname" when applied to
      # someone like me, who has no second initial.) However, a local part starting
      # with a dot or containing /../ can cause trouble if it is used as part of a
      # file name (e.g. for a mailing list). This is also true for local parts that
      # contain slashes. A pipe symbol can also be troublesome if the local part is
      # incorporated unthinkingly into a shell command line.
      #
      # Two different rules are used. The first one is stricter, and is applied to
      # messages that are addressed to one of the local domains handled by this
      # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
      # If you have local accounts that include these characters, you will have to
      # modify this rule.
    
      deny    domains       = +local_domains
              local_parts   = ^[.] : ^.*[@%!/|]
    
      # The second rule applies to all other domains, and is less strict. This
      # allows your own users to send outgoing messages to sites that use slashes
      # and vertical bars in their local parts. It blocks local parts that begin
      # with a dot, slash, or vertical bar, but allows these characters within the
      # local part. However, the sequence /../ is barred. The use of @ % and ! is
      # blocked, as before. The motivation here is to prevent your users (or
      # your users' viruses) from mounting certain kinds of attack on remote sites.
    
      deny    domains       = !+local_domains
              local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
      #############################################################################
    
      # Accept mail to postmaster in any local domain, regardless of the source,
      # and without verifying the sender.
    
      accept  local_parts   = postmaster
              domains       = +local_domains
    
      # Deny unless the sender address can be verified.
    
      # require verify        = sender
    
      #############################################################################
      # There are no checks on DNS "black" lists because the domains that contain
      # these lists are changing all the time. However, here are two examples of
      # how you could get Exim to perform a DNS black list lookup at this point.
      # The first one denies, while the second just warns.
      #
      # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
      #         dnslists      = black.list.example
      #
      # warn    message       = X-Warning: $sender_host_address is in a black list at $dnslist_domain
      #         log_message   = found in $dnslist_domain
      #         dnslists      = black.list.example
      #############################################################################
    
      # Accept if the address is in a local domain, but only if the recipient can
      # be verified. Otherwise deny. The "endpass" line is the border between
      # passing on to the next ACL statement (if tests above it fail) or denying
      # access (if tests below it fail).
    
      accept  domains       = +local_domains
              endpass
              verify        = recipient
    
      # Accept if the address is in a domain for which we are relaying, but again,
      # only if the recipient can be verified.
    
      accept  domains       = +relay_to_domains
              endpass
              verify        = recipient
    
      # If control reaches this point, the domain is neither in +local_domains
      # nor in +relay_to_domains.
    
      # Accept if the message comes from one of the hosts for which we are an
      # outgoing relay. Recipient verification is omitted here, because in many
      # cases the clients are dumb MUAs that don't cope well with SMTP error
      # responses. If you are actually relaying out from MTAs, you should probably
      # add recipient verification here.
    
      accept  hosts         = +relay_from_hosts
    
      # Accept if the message arrived over an authenticated connection, from
      # any host. Again, these messages are usually from MUAs, so recipient
      # verification is omitted.
    
      accept  authenticated = *
    
      # Reaching the end of the ACL causes a "deny", but we might as well give
      # an explicit message.
    
      deny    message       = relay not permitted
    
    
    # These access control lists are used for content scanning with the exiscan-acl
    # patch. You must also uncomment the entries for acl_smtp_data and acl_smtp_mime
    # (scroll up), otherwise the ACLs will not be used. IMPORTANT: the default entries here
    # should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt
    # to fully understand what you are doing ...
    
    acl_check_mime:
    
      # Decode MIME parts to disk. This will support virus scanners later.
      warn decode = default
    
      # File extension filtering.
    #  deny message = Blacklisted file extension detected
    #       condition = ${if match \
    #                        {${lc:$mime_filename}} \
    #                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
    #                     {1}{0}}
    
      # Reject messages that carry chinese character sets.
      # WARNING: This is an EXAMPLE.
      deny message = Sorry, noone speaks chinese here
           condition = ${if eq{$mime_charset}{gb2312}{1}{0}}
    
      accept
    
    acl_check_content:
    
      # Reject virus infested messages.
    #  deny  message = This message contains malware ($malware_name)
    #        malware = *
    
      # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
      # (user "nobody"), no matter if over threshold or not.
    #  warn  message = X-Spam-Score: $spam_score ($spam_bar)
    #        spam = nobody:true
    #  warn  message = X-Spam-Status: $h_x-spam_status
    #        spam = nobody:true
    
      # Add X-Spam-Flag if spam is over system-wide threshold
    #  warn message = X-Spam-Flag: YES
    #       spam = nobody
    
      # Reject spam messages with score over 10, using an extra condition.
    #  deny  message = I do not accept spam. This message scored $spam_score spam points. Congratulations!
    #        spam = nobody:true
    #        condition = ${if >{$spam_score_int}{100}{1}{0}}
    
      # finally accept all the rest
      accept
    
    
    ######################################################################
    #                      ROUTERS CONFIGURATION                         #
    #               Specifies how addresses are handled                  #
    ######################################################################
    #     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
    # An address is passed to each router in turn until it is accepted.  #
    ######################################################################
    
    begin routers
    
    # This router routes to remote hosts over SMTP by explicit IP address,
    # when an email address is given in "domain literal" form, for example,
    # <user@[192.168.35.64]>. The RFCs require this facility. However, it is
    # little-known these days, and has been exploited by evil people seeking
    # to abuse SMTP relays. Consequently it is commented out in the default
    # configuration. If you uncomment this router, you also need to uncomment
    # allow_domain_literals above, so that Exim can recognize the syntax of
    # domain literal addresses.
    
    # domain_literal:
    #   driver = ipliteral
    #   domains = ! +local_domains
    #   transport = remote_smtp
    
    
    # This router routes addresses that are not in local domains by doing a DNS
    # lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
    # loopback interface address (127.0.0.0/8) is treated as if it had no DNS
    # entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
    # as the local host inside the network stack. It is not 0.0.0.0/0, the default
    # route. If the DNS lookup fails, no further routers are tried because of
    # the no_more setting, and consequently the address is unrouteable.
    
    dnslookup:
      driver = dnslookup
      domains = ! +local_domains
      transport = remote_smtp
      ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
      no_more
    
    # The remaining routers handle addresses in the local domain(s).
    
    # Spam Assassin
    spamcheck_router:
      # do not use this router when verifying a local-part at SMTP-time
      no_verify
      check_local_user
      # When to scan a message :
      #   -   it isn't already flagged as spam
      #   -   it isn't already scanned
      #   -   it didn't originate locally (as long as I don't harbor spammers :-))
    
      condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}{!eq {$received_protocol}{local}} } {1}{0}}"
      driver = accept
      transport = spamcheck
    
    
    # This router handles aliasing using a linearly searched alias file with the
    # name /etc/aliases. When this configuration is installed automatically,
    # the name gets inserted into this file from whatever is set in Exim's
    # build-time configuration. The default path is the traditional /etc/aliases.
    # If you install this configuration by hand, you need to specify the correct
    # path in the "data" setting below.
    #
    ##### NB  You must ensure that the alias file exists. It used to be the case
    ##### NB  that every Unix had that file, because it was the Sendmail default.
    ##### NB  These days, there are systems that don't have it. Your aliases
    ##### NB  file should at least contain an alias for "postmaster".
    #
    # If any of your aliases expand to pipes or files, you will need to set
    # up a user and a group for these deliveries to run under. You can do
    # this by uncommenting the "user" option below (changing the user name
    # as appropriate) and adding a "group" option if necessary. Alternatively, you
    # can specify "user" on the transports that are used. Note that the transports
    # listed below are the same as are used for .forward files; you might want
    # to set up different ones for pipe and file deliveries from aliases.
    
    system_aliases:
      driver = redirect
      allow_fail
      allow_defer
      data = ${lookup{$local_part}lsearch{/etc/aliases}}
    # user = exim
      file_transport = address_file
      pipe_transport = address_pipe
    
    # This router handles forwarding using traditional .forward files in users'
    # home directories. If you want it also to allow mail filtering when a forward
    # file starts with the string "# Exim filter", uncomment the "allow_filter"
    # option.
    
    # The no_verify setting means that this router is skipped when Exim is
    # verifying addresses. Similarly, no_expn means that this router is skipped if
    # Exim is processing an EXPN command.
    
    # The check_ancestor option means that if the forward file generates an
    # address that is an ancestor of the current one, the current one gets
    # passed on instead. This covers the case where A is aliased to B and B
    # has a .forward file pointing to A.
    
    # The three transports specified at the end are those that are used when
    # forwarding generates a direct delivery to a file, or to a pipe, or sets
    # up an auto-reply, respectively.
    
    userforward:
      driver = redirect
      check_local_user
      file = $home/.forward
      no_verify
      no_expn
      check_ancestor
      directory_transport = forward_delivery
    #  allow_filter
      file_transport = address_file
      pipe_transport = address_pipe
      reply_transport = address_reply
    
    
    # This router matches local user mailboxes. If the router fails, the error
    # message is "Unknown user".
    
    localuser:
      driver = accept
      check_local_user
      transport = local_delivery
      cannot_route_message = Unknown user
    
    
    ######################################################################
    #                      TRANSPORTS CONFIGURATION                      #
    ######################################################################
    #                       ORDER DOES NOT MATTER                        #
    #     Only one appropriate transport is called for each delivery.    #
    ######################################################################
    
    # A transport is used only when referenced from a router that successfully
    # handles an address.
    
    begin transports
    
    # Spam Assassin
    spamcheck:
        driver = pipe
        command = /usr/sbin/exim -oMr spam-scanned -bS
        use_bsmtp = true
        transport_filter = /usr/bin/spamc
        home_directory = "/tmp"
        current_directory = "/tmp"
        # must use a privileged user to set $received_protocol on the way back in!
        user = mail
        group = mail
        log_output = true
        return_fail_output = true
        return_path_add = false
        message_prefix =
        message_suffix =
    
    
    # This transport is used for delivering messages over SMTP connections.
    
    remote_smtp:
      driver = smtp
    
    
    # This transport is used for local delivery to user mailboxes in traditional
    # BSD mailbox format. By default it will be run under the uid and gid of the
    # local user, and requires the sticky bit to be set on the /var/mail directory.
    # Some systems use the alternative approach of running mail deliveries under a
    # particular group instead of using the sticky bit. The commented options below
    # show how this can be done.
    
    local_delivery:
      driver = appendfile
      file = /var/mail/$local_part
      delivery_date_add
      envelope_to_add
      return_path_add
    # group = mail
    # mode = 0660
    
    
    # This transport is used for handling pipe deliveries generated by alias or
    # .forward files. If the pipe generates any standard output, it is returned
    # to the sender of the message as a delivery error. Set return_fail_output
    # instead of return_output if you want this to happen only when the pipe fails
    # to complete normally. You can set different transports for aliases and
    # forwards if you want to - see the references to address_pipe in the routers
    # section above.
    
    address_pipe:
      driver = pipe
      return_output
    
    
    # This transport is used for handling deliveries directly to files that are
    # generated by aliasing or forwarding.
    
    address_file:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      return_path_add
    
    
    # This transport is used for handling autoreplies generated by the filtering
    # option of the userforward router.
    
    address_reply:
      driver = autoreply
    
    
    ######################################################################
    #                      RETRY CONFIGURATION                           #
    ######################################################################
    
    begin retry
    
    # This single retry rule applies to all domains and all errors. It specifies
    # retries every 15 minutes for 2 hours, then increasing retry intervals,
    # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
    # hours, then retries every 6 hours until 4 days have passed since the first
    # failed delivery.
    
    # Address or Domain    Error       Retries
    # -----------------    -----       -------
    
    *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
    
    
    
    ######################################################################
    #                      REWRITE CONFIGURATION                         #
    ######################################################################
    
    # There are no rewriting specifications in this default configuration file.
    
    begin rewrite
    
    
    
    ######################################################################
    #                   AUTHENTICATION CONFIGURATION                     #
    ######################################################################
    
    # SMTP AUTH mechanisms offered to clients. PLAIN and LOGIN send the password
    # base64-encoded, i.e. in the clear, so they should only be advertised on TLS
    # sessions (the generic server_advertise_condition option, testing that
    # $tls_cipher is set, does that). CRAM-MD5 never puts the password on the
    # wire, but the server then has to hold it in plaintext. The literal
    # yourusername/yourpassword values below are the placeholders from the Exim
    # specification; real credentials belong in a lookup (file, DBM, LDAP, ...),
    # not in the configuration file.
    
    begin authenticators
    
    plain:
      driver = plaintext
      public_name = PLAIN
      # PLAIN sends three NUL-separated fields: $1 = authorization id (usually
      # empty), $2 = authentication id, $3 = password.
      server_condition = \
        ${if and {{eq{$2}{yourusername}}{eq{$3}{yourpassword}}}{yes}{no}}
      server_set_id = $2
    
    cram:
      driver = cram_md5
      public_name = CRAM-MD5
      # $1 = user name sent by the client; the expansion must yield that user's
      # secret, or force failure for unknown users.
      server_secret = ${if eq{$1}{yourusername}{yourpassword}fail}
      # client_* options are only used when this host authenticates to another
      # server as a client.
      client_name = ph10
      client_secret = secret2
    
    fixed_login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
      # the two prompted values: $1 = user name, $2 = password
      server_condition = \
        ${if and {{eq{$1}{yourusername}}{eq{$2}{yourpassword}}}{yes}{no}}
      server_set_id = $1
    
    
    ######################################################################
    #                   CONFIGURATION FOR local_scan()                   #
    ######################################################################
    
    # If you have built Exim to include a local_scan() function that contains
    # tables for private options, you can define those options here. Remember to
    # uncomment the "begin" line. It is commented by default because it provokes
    # an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
    # set in the Local/Makefile.
    
    # begin local_scan
    
    
    # End of Exim configuration file
    This is my system-filter.exim file:
    Code:
    # Exim filter
    ## Version: 0.17
    #       $Id: system_filter.exim,v 1.11 2001/09/19 11:27:56 nigel Exp $
    
    ## Exim system filter to refuse potentially harmful payloads in
    ## mail messages
    ## (c) 2000-2001 Nigel Metheringham <nigel@exim.org>
    ##
    ##     This program is free software; you can redistribute it and/or modify
    ##    it under the terms of the GNU General Public License as published by
    ##    the Free Software Foundation; either version 2 of the License, or
    ##    (at your option) any later version.
    ##
    ##    This program is distributed in the hope that it will be useful,
    ##    but WITHOUT ANY WARRANTY; without even the implied warranty of
    ##    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    ##    GNU General Public License for more details.
    ##
    ##    You should have received a copy of the GNU General Public License
    ##    along with this program; if not, write to the Free Software
    ##    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
    ## -A copy of the GNU General Public License is distributed with exim itself
    
    ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    ## If you haven't worked with exim filters before, read
    ## the install notes at the end of this file.
    ## The install notes are not a replacement for the exim documentation
    ## -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    
    ## -----------------------------------------------------------------------
    # Only run any of this stuff on the first pass through the
    # filter - this is an optimisation for messages that get
    # queued and have several delivery attempts
    #
    # we express this in reverse so we can just bail out
    # on inappropriate messages
    #
    if not first_delivery
    then
      finish
    endif
    
    # Don't run the filter on mail From: these domains/addresses, they are trusted.
    # Caveat: From: is written by the sender, so anyone can forge it and skip every
    # check below; $sender_address (the envelope sender) is no harder to forge. The
    # pattern is also unanchored, so "domain1.attacker.example" matches as well.
    # Treat this as a convenience whitelist, not a security boundary.
    if $header_from: matches "(domain1|domain2|addy@domain2)"
    then
            finish
    endif
    
    
    # Spam detected (X-Spam-Flag was added by SpamAssassin before the message
    # re-entered exim). Log it, keep a copy in filter@bogus.com and reject it.
    # Caveat: "fail" bounces to the envelope sender, which spam and worms almost
    # always forge, so this generates backscatter. For mail that arrives by SMTP,
    # rejecting in the DATA ACL before the message is accepted avoids that.
    if $h_X-Spam-Flag: contains "YES"
    then
            logfile /var/log/exim/spamlog
            logwrite "$tod_log From: $h_From: Subject: $h_Subject: \n \t X-Spam-Status: $h_X-Spam-Status: Sender: $sender_address"
            if $h_From: is not ""
            then
                    deliver filter@bogus.com
                    fail text "Your mail appears to be unsolicited spam.\n\
    If you intended to contact the person at this email address for legitimate reasons, then our apologies. Please would you resend to the same address but change the subject line and/or the message by removing words and phrases often used by spammers.\n\
    \n\
    Thank you"
            endif
            seen finish
    endif
    
    
    ## -----------------------------------------------------------------------
    # Check for the Microsoft mail client Date: header buffer overrun as per
    # BUGTRAQ.
    # http://www.securityfocus.com/frames/...html%3Fid%3D61
    # This could happen in error messages, hence its placing
    # here...
    # We take the first 80 characters of the Date: header and test
    # whether the result is the same as the whole header... which
    # is a lousy way of checking if the date is longer than
    # 80 chars.
    if ${length_80:$header_date:} is not $header_date:
    then
      deliver filter@bogus.com
      fail text "This message has been rejected because it has\n\
                 an overlength date field which can be used\n\
                 to subvert Microsoft mail programs\n\
                 The following URL has further information\n\
                 http://www.securityfocus.com/frames/...es/article.html%3Fid%3D61"
      seen finish
    endif
    
    ## -----------------------------------------------------------------------
    # These messages are now being sent with a <> envelope sender, but
    # blocking all error messages that pattern match prevents
    # bounces getting back.... so we fudge it somewhat and check for known
    # header signatures.  Other bounces are allowed through.
    if $header_from: contains "@sexyfun.net"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected since it has\n\
                 the signature of a known virus in the header."
      seen finish
    endif
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
      # looks like a real error message - just ignore it
      finish
    endif
    
    
    # Reject mail whose From: contains one of these strings. Caveat: "matches" is
    # an unanchored regexp, so short entries such as "error", "bounce", "special"
    # or "bargain" hit any address containing them (VERP bounce addresses, for
    # one) and will cause false positives; the copy kept in filter@bogus.com is
    # the only way to recover those.
    if $header_from: matches "(gossipflash|gotlaughs|gradfinder|flowgo\
    |dailyripple|cdsteals|repairclinic|e-recruiters|ssprd2|rosienews|caramail\
    |bargain|special|mates.com|ssprd|optinllc|reunion|bounce|cramsession|agamma\
    |exactis|error|emza|outblaze|ambroseek)"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected since it came from\n\
                 an address known to be the source of unsolicited emails."
      seen finish
    endif
    if error_message and $header_from: contains "Mailer-Daemon@"
    then
       # looks like a real error message - just ignore it
       finish
    endif
    
    ## -----------------------------------------------------------------------
    # Look for single part MIME messages with suspicious name extensions
    # Check Content-Type header using quoted filename [content_type_quoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [content_type_unquoted_fn_match]
    if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected because it has\n\
                 potentially executable content $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    
    
    ## -----------------------------------------------------------------------
    # Attempt to catch embedded VBS attachments
    # in emails.   These were used as the basis for
    # the ILOVEYOU virus and its variants - many many variants
    # Quoted filename - [body_quoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\\\s;]"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected because it has\n\
                 a potentially executable attachment $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    # same again using unquoted filename [body_unquoted_fn_match]
    if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\\\s;]"
    then
      deliver filter@bogus.com
      fail text "This message has been rejected because it has\n\
                 a potentially executable attachment $1\n\
                 This form of attachment has been used by\n\
                 recent viruses or other malware.\n\
                 If you meant to send this file then please\n\
                 package it up as a zip file and resend it."
      seen finish
    endif
    ## -----------------------------------------------------------------------
    
    
    #### Version history
    #
    # 0.01 5 May 2000
    #       Initial release
    # 0.02 8 May 2000
    #       Widened list of content-types accepted, added WSF extension
    # 0.03 8 May 2000
    #       Embedded the install notes in for those that don't do manuals
    # 0.04 9 May 2000
    #       Check global content-type header.  Efficiency mods to REs
    # 0.05 9 May 2000
    #       More minor efficiency mods, doc changes
    # 0.06 20 June 2000
    #       Added extension handling - thx to Douglas Gray Stephens & Jeff Carnahan
    # 0.07 19 July 2000
    #       Latest MS Outhouse bug catching
    # 0.08 19 July 2000
    #       Changed trigger length to 80 chars, fixed some spelling
    # 0.09 29 September 2000
    #       More extensions... its getting so we should just allow 2 or 3 through
    # 0.10 18 January 2001
    #       Removed exclusion for error messages - this is a little nasty
    #       since it has other side effects, hence we do still exclude
    #       on unix like error messages
    # 0.11 20 March, 2001
    #       Added CMD extension, tidied docs slightly, added RCS tag
    #       ** Missed changing version number at top of file :-(
    # 0.12 10 May, 2001
    #       Added HTA extension
    # 0.13 22 May, 2001
    #       Reformatted regexps and code to build them so that they are
    #       shorter than the limits on pre exim 3.20 filters.  This will
    #       make them significantly less efficient, but I am getting so
    #       many queries about this that requiring 3.2x appears unsupportable.
    # 0.14 15 August,2001
    #       Added .lnk extension - most requested item :-)
    #       Reformatted everything so its now built from a set of short
    #       library files, cutting down on manual duplication.
    #       Changed \w in filename detection to . - dodges locale problems
    #       Explicit application of GPL after queries on license status
    # 0.15 17 August, 2001
    #       Changed the . in filename detect to \S (stops it going mad)
    # 0.16 19 September, 2001
    #       Pile of new extensions including the eml in current use
    # 0.17 19 September, 2001
    #       Syntax fix
    #
    #### Install Notes
    #
    # Exim filters run the exim filter language - a very primitive
    # scripting language - in place of a user .forward file, or on
    # a per system basis (on all messages passing through).
    # The filtering capability is documented in the main set of manuals
    # a copy of which can be found on the exim web site
    #       http://www.exim.org/
    #
    # To install, copy the filter file (with appropriate permissions)
    # to /etc/exim/system_filter.exim and add to your exim config file
    # [location is installation dependent - typically /etc/exim/config ]
    # in the first section the line:-
    #       message_filter = /etc/exim/system_filter.exim
    #       message_body_visible = 5000
    # (Those are the Exim 3 option names. Under Exim 4, which the configuration
    # above is written for, the main option is called system_filter, and the
    # user/group options are system_filter_user and system_filter_group;
    # message_body_visible keeps its name.)
    #
    # You may also want to set the message_filter_user & message_filter_group
    # options, but they default to the standard exim user and so can
    # be left untouched.  The other message_filter_* options are only
    # needed if you modify this to do other functions such as deliveries.
    # The main exim documentation is quite thorough and so I see no need
    # to expand it here...
    #
    # Any message that matches the filter will then be bounced.
    # If you wish you can change the error message by editing it
    # in the section above - however be careful you don't break it.
    #
    # After install exim should be restarted - a kill -HUP to the
    # daemon will do this.
    #
    #### LIMITATIONS
    #
    # This filter tries to parse MIME with a regexp... that doesn't
    # work too well.  It will also only see the amount of the body
    # specified in message_body_visible
    #
    #### BASIS
    #
    # The regexp that is used to pickup MIME/uuencoded body parts with
    # quoted filenames is replicated below (in perl format).
    # You need to remember that exim converts newlines to spaces in
    # the message_body variable.
    #
    #         (?:Content-                                   # start of content header
    #         (?:Type: (?>\s*)                              # rest of c/t header
    #           [\w-]+/[\w-]+                               # content-type (any)
    #           |Disposition: (?>\s*)                       # content-disposition hdr
    #           attachment)                                 # content-disposition
    #         ;(?>\s*)                                      # ; space or newline
    #         (?:file)?name=                                # filename=/name=
    #         |begin (?>\s+) [0-7]{3,4} (?>\s+))            # begin octal-mode
    #         (\"[^\"]+\.                                   # quoted filename.
    #               (?:ad[ep]                               # list of extns
    #               |ba[st]
    #               |chm
    #               |cmd
    #               |com
    #               |cpl
    #               |crt
    #               |eml
    #               |exe
    #               |hlp
    #               |hta
    #               |in[fs]
    #               |isp
    #               |jse?
    #               |lnk
    #               |md[be]
    #               |ms[cipt]
    #               |pcd
    #               |pif
    #               |reg
    #               |scr
    #               |sct
    #               |shs
    #               |url
    #               |vb[se]
    #               |ws[fhc])
    #         \"                                            # end quote
    #         )                                             # end of filename capture
    #         [\s;]                                         # trailing ;/space/newline
    
    #
    #
    ### [End]
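
    The filter above finds attachment names with a regexp run over the raw headers and the first message_body_visible bytes of the body, and its own LIMITATIONS note admits that parsing MIME that way "doesn't work too well": a dangerous name inside a nested multipart, an RFC 2231-encoded filename, or an attachment that starts beyond the visible window is simply not seen. The Python below is an added example, not part of this post or of Nigel Metheringham's filter. It applies the filter's own extension list, its uuencode "begin" check and its 80-character Date: test over the parsed MIME tree, using the standard library's email package; the three sample messages are constructed for the example.

```python
import email
import re

# Extension list copied from the filter's [content_type_*] and [body_*] regexps.
BLOCKED_EXT = re.compile(
    r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?"
    r"|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)

# A uuencode header line, the shape the filter's "begin [0-7]{3,4}" branch looks for.
UUENCODE_BEGIN = re.compile(rb"^begin [0-7]{3,4}[ \t]+(\S+)[ \t]*\r?$", re.MULTILINE)

DATE_TRIGGER_LEN = 80  # the filter's ${length_80:$header_date:} threshold


def is_blocked_name(name: str) -> bool:
    """True if the filename ends in one of the filter's blocked extensions.
    Trailing dots and spaces are stripped first because Windows ignores them,
    so "setup.exe." would otherwise slip past the regexp."""
    return BLOCKED_EXT.search(name.rstrip(" .")) is not None


def find_blocked_names(raw: bytes) -> list:
    """Walk the parsed MIME tree and return every attachment name the filter
    would reject: names in nested multipart/* parts, RFC 2231-encoded names,
    and uuencoded files embedded in text parts."""
    msg = email.message_from_bytes(raw)  # compat32 policy: headers come back as plain str
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no filename of their own
        # Content-Disposition filename= first, then Content-Type name=, RFC 2231 decoded
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
        # uuencoded payloads live inside text parts, so only those are scanned
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            for m in UUENCODE_BEGIN.finditer(body):
                uuname = m.group(1).decode("latin-1")
                if is_blocked_name(uuname):
                    hits.append(uuname)
    return hits


def overlength_date(raw: bytes, limit: int = DATE_TRIGGER_LEN) -> bool:
    """Same test as the filter's ${length_80:$header_date:} comparison."""
    msg = email.message_from_bytes(raw)
    date = msg.get("Date")
    return date is not None and len(str(date)) > limit


# Constructed sample: blocked name hidden in a nested multipart, RFC 2231 encoded.
SAMPLE_NESTED = b"""\
From: someone@example.org
To: victim@example.com
Subject: photos
Date: Mon, 8 Sep 2003 10:00:00 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

see attached
--outer
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*=utf-8''Bilder%20Mai.jpg.scr
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--inner--
--outer--
"""

# Constructed sample: non-MIME body with a uuencoded .vbs and an overlength Date:.
SAMPLE_UUENCODE = (
    b"From: fun@example.net\n"
    b"To: victim@example.com\n"
    b"Subject: ILOVEYOU\n"
    b"Date: Mon, 8 Sep 2003 10:00:00 +0200 " + b"(" + b"x" * 100 + b")\n"
    b"\n"
    b"kindly check the attached LOVELETTER coming from me.\n"
    b"begin 644 LOVE-LETTER-FOR-YOU.TXT.vbs\n"
    b"M3$]610``\n"
    b"`\n"
    b"end\n"
)

# Constructed sample: a zip archive, which the filter lets through (AV still needed).
SAMPLE_ZIP = b"""\
From: colleague@example.org
To: victim@example.com
Subject: archive
Date: Mon, 8 Sep 2003 10:00:00 +0200
MIME-Version: 1.0
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
"""

if __name__ == "__main__":
    for label, sample in (("nested", SAMPLE_NESTED), ("uuencode", SAMPLE_UUENCODE), ("zip", SAMPLE_ZIP)):
        print(label, "blocked:", find_blocked_names(sample), "long Date:", overlength_date(sample))
```

The nested sample is exactly the case the regexp filter misses twice over: the name is percent-encoded, so "\.scr" never appears literally in the header, and it sits in an inner part. Like the filter, this only decides on names; the zip sample passes, which is why the virus scanner is still needed.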

  3. #3
    Mentor
    Join Date
    Jun 2001
    Posts
    1,672

    Re:Calling all mail server admins

    Couple of notes:

    1.) I don't run a virus scanner, I just flat out reject any Windows executable.
    2.) I forward all rejected email to a dedicated email address, this way it can be retrieved in case it was a false positive.
    3.) If you want fewer false positives from spamassassin, just increase the required score. However, more real spam will slip by.

  4. #4

    Re:Calling all mail server admins

    Maybe this can help some! I saw this back in Feb. and kept the link.

    SpamAssassin-ClamAV-Procmail-Howto

    http://www.falkotimme.com/howtos/spa...mail/index.php



  5. #5
    Senior Member
    Join Date
    Sep 2002
    Posts
    421

    Re:Calling all mail server admins

    Thanks a bunch. That filter file sure is helpful. Man, exim's come a long way since 3.35 (not that that's the version I want to use, but that's the last version I used to be half-way familiar with).

    I'd still need virus scanning. Even though I'm gonna filter out most of the attachments that are listed in the above file, there are still zip archives, for instance. If it's something you can click on, our users will. No matter how weird the message may be ("But I thought we have a firewall that blocks the viruses" : )

    But that seems doable: After all these obviously unwanted attachments are rejected the scanner probably doesn't have that much to do.
    We have a spare box which I think is an XP 2000+ w/ 512MB DDR RAM. Any chance this will do?

    And thanks, saptech, for that link. I will check it out.

    edit:
    I don't think I have to worry about the hardware requirements. I just found this: (from http://www.net-security.org/article.php?id=676)

    On our network, CPU utilization on a temporary filtering box (a 2.4GHz P4 single proc w/1 GB of RAM) consistently floats between 60-80% with antivirus turned off, but we have high traffic. I have not (yet) found a good traffic monitor, but some simple command line scripts to parse logs show we bounce an average of 7500-8500 messages per hour each day.
    They _bounce_ 7-8k messages per _hour_! Then I guess my 5000 regular messages a day are a piece of cake for that machine.
