[packages/exim] Rel 4; more from upstream default config; fix local_delivery that was using tainted data (and thus p
arekm
arekm at pld-linux.org
Tue Jun 22 09:09:33 CEST 2021
commit 324d5d7cb72b411be08a85aee01ed953a531b8fb
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Jun 22 09:09:09 2021 +0200
Rel 4; more from upstream default config; fix local_delivery that was using tainted data (and thus preventing mail delivery)
exim.spec | 2 +-
exim4.conf | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 85 insertions(+), 4 deletions(-)
---
diff --git a/exim.spec b/exim.spec
index 1b9814c..d03f5b1 100644
--- a/exim.spec
+++ b/exim.spec
@@ -24,7 +24,7 @@ Summary(pl.UTF-8): Agent Transferu Poczty Uniwersytetu w Cambridge
Summary(pt_BR.UTF-8): Servidor de correio eletrônico exim
Name: exim
Version: 4.94.2
-Release: 3
+Release: 4
Epoch: 2
License: GPL v2+
Group: Networking/Daemons/SMTP
diff --git a/exim4.conf b/exim4.conf
index ff7c908..7ac4944 100644
--- a/exim4.conf
+++ b/exim4.conf
@@ -108,6 +108,7 @@ hostlist relay_from_hosts = localhost
# checking incoming messages. The names of these ACLs are defined here:
acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data_prdr = acl_check_prdr
acl_smtp_data = acl_check_data
# You should not change those settings until you understand how ACLs work.
@@ -154,6 +155,9 @@ tls_advertise_hosts =
# tls_certificate = /etc/ssl/exim.crt
# tls_privatekey = /etc/ssl/exim.pem
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
@@ -230,11 +234,16 @@ commandline_checks_require_admin = true
host_lookup = *
-
# Advertise DSN for these hosts
#
dsn_advertise_hosts = *
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support. It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
# calls are made, and/or change the timeout that is used. If you set
@@ -253,6 +262,11 @@ dsn_advertise_hosts = *
# Enable an efficiency feature. We advertise the feature; clients
# may request to use it. For multi-recipient mails we then can
# reject or accept per-user after the message is received.
+# This supports recipient-dependent content filtering; without it
+# you have to temp-reject any recipients after the first that have
+# incompatible filtering, and do the filtering in the data ACL.
+# Even with this enabled, you must support the old style for peers
+# not flagging support for PRDR (visible via $prdr_requested).
#
prdr_enable = true
@@ -429,6 +443,20 @@ acl_check_rcpt:
require verify = sender
+ # Reject all RCPT commands after too many bad recipients
+ # This is partly a defense against spam abuse and partly attacker abuse.
+ # Real senders should manage, by the time they get to 10 RCPT directives,
+ # to have had at least half of them be real addresses.
+ #
+ # This is a lightweight check and can protect you against repeated
+ # invocations of more heavy-weight checks which would come after it.
+
+ deny condition = ${if and {\
+ {>{$rcpt_count}{10}}\
+ {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+ message = Rejected for too many bad recipients
+ logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
@@ -506,11 +534,42 @@ acl_check_rcpt:
# require verify = csa
#############################################################################
+ #############################################################################
+ # If doing per-user content filtering then recipients with filters different
+ # to the first recipient must be deferred unless the sender talks PRDR.
+ #
+ # defer !condition = $prdr_requested
+ # condition = ${if > {0}{$receipients_count}}
+ # condition = ${if !eq {$acl_m_content_filter} \
+ # {${lookup PER_RCPT_CONTENT_FILTER}}}
+ # warn !condition = $prdr_requested
+ # condition = ${if > {0}{$receipients_count}}
+ # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+ #############################################################################
+
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
accept
+# This ACL is used once per recipient, for multi-recipient messages, if
+# we advertised PRDR. It can be used to perform receipient-dependent
+# header- and body- based filtering and rejections.
+# We set a variable to record that PRDR was active used, so that checking
+# in the data ACL can be skipped.
+
+acl_check_prdr:
+ warn set acl_m_did_prdr = y
+
+ #############################################################################
+ # do lookup on filtering, with $local_part@$domain, deny on filter match
+ #
+ # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+ # condition = ...
+ #############################################################################
+
+ accept
+
# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
@@ -526,6 +585,14 @@ acl_check_data:
# we should never receive one such via SMTP.
#
deny condition = ${if > {$max_received_linelength}{998}}
+ message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+
+ # Deny if the headers contain badly-formed addresses.
+ #
+ deny !verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
@@ -543,6 +610,20 @@ acl_check_data:
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report
+ #############################################################################
+ # No more tests if PRDR was actively used.
+ # accept condition = ${if def:acl_m_did_prdr}
+ #
+ # To get here, all message recipients must have identical per-user
+ # content filtering (enforced by RCPT ACL). Do lookup for filter
+ # and deny on match.
+ #
+ # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+ # condition = ...
+ #############################################################################
+
+
+
# Accept the message.
accept
@@ -735,7 +816,7 @@ begin transports
remote_smtp:
driver = smtp
-# message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
# This transport is used for local delivery to user mailboxes in traditional
@@ -747,7 +828,7 @@ remote_smtp:
local_delivery:
driver = appendfile
- file = /var/mail/$local_part
+ file = /var/mail/$local_part_data
delivery_date_add
envelope_to_add
return_path_add
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/exim.git/commitdiff/324d5d7cb72b411be08a85aee01ed953a531b8fb
More information about the pld-cvs-commit
mailing list