Exim Konfiguration:
Main
zuerst:
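# Install the virus scanner, SpamAssassin (daemon plus the spamc client) and
# the greylisting daemon.
# NOTE(review): the clamd.conf shown below configures the clamd daemon, which
# Debian ships in the clamav-daemon package - confirm it is installed too.
sudo aptitude install clamav spamassassin spamc greylistd
# Add user clamav to group Debian-exim, presumably so clamd can read the
# message files Exim hands over for scanning.
sudo adduser clamav Debian-exim
# Add user Debian-exim to group clamav, presumably so Exim can talk to the
# clamd socket. Each daemon now also sees the other's group-readable files,
# so keep the permissions in both trees tight.
sudo adduser Debian-exim clamav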
/etc/clamav/clamd.conf
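#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
# NOTE(review): options are written as bare flags and with the Archive* names
# of older ClamAV releases; newer clamd versions expect explicit yes/no
# values and renamed limits - check clamd.conf(5) for the installed version.
# Unix socket clamd listens on; Exim's av_scanner setting must name the same
# path.
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
User clamav
# Needed so clamd actually picks up the supplementary groups of user clamav
# (the Debian-exim membership added during installation).
AllowSupplementaryGroups
ScanMail
ScanArchive
# Limits that bound the work done on nested or highly compressed archives.
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxCompressionRatio 250
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamav.log
LogTime
# 0 disables the size limit, so the log needs external rotation.
LogFileMaxSize 0
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
ScanOLE2
ScanPE
DetectBrokenExecutables
ScanHTML
# Treat archives that exceed the limits above as infected instead of letting
# them pass unscanned.
ArchiveBlockMax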
/etc/exim4/conf.d/main/02_exim4-config_options
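### main/02_exim4-config_options
#################################
# Content scanning hooks used by the "malware" and "spam" ACL conditions.
# NOTE(review): these options need an Exim binary built with content
# scanning support (on Debian presumably exim4-daemon-heavy) - confirm.
# Must point at the LocalSocket configured in /etc/clamav/clamd.conf.
av_scanner = clamd:/var/run/clamav/clamd.ctl
# spamd is reached on the loopback interface only (address, then port).
spamd_address = 127.0.0.1 783
# ... (the remaining options of the file follow here)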
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
# Statement order is significant: each statement is only reached if none of
# the statements before it produced a final accept, deny or defer.
#
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
# Add missing Date and Message-ID header for relayed messages
warn hosts = +relay_from_hosts
control = submission/sender_retain
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. It blocks local parts that begin with a dot or contain @ % ! / or |.
# If you have local accounts that include these characters, you will have to
# modify this rule.
#
# NOTE(review): the character class below also rejects ' ` # & and ?, which
# goes beyond the set described above. Local accounts or sub-addressing
# schemes that use any of these characters will be refused at RCPT time.
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|\'`#&?]
message = restricted characters in address
# The second rule applies to all other domains, and is less strict. This
# allows your own users to send outgoing messages to sites that use slashes
# and vertical bars in their local parts. It blocks local parts that begin
# with a dot, slash, or vertical bar, but allows these characters within the
# local part. However, the sequence /../ is barred. The use of @ % and ! is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote sites.
#
# NOTE(review): as in the first rule, the class here additionally rejects
# ' ` # & and ? for remote recipients.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!\'`#&?] : ^.*/\\.\\./
message = restricted characters in address
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
#
# Because this accept comes before the blacklist and greylisting statements,
# postmaster mail is exempt from both.
#
accept local_parts = postmaster
domains = +local_domains
# deny bad senders (envelope sender)
# CONFDIR/local_sender_blacklist holds a list of envelope senders that
# should have their access denied to the local host. Incoming messages
# with one of these senders are rejected at RCPT time.
#
# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.
#
# The ${if exists...} expansion yields an empty list when the file is
# missing, so the statement then matches no sender.
deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
!acl = acl_whitelist_local_deny
senders = ${if exists{CONFDIR/local_sender_blacklist}\
{CONFDIR/local_sender_blacklist}\
{}}
# deny bad sites (IP address)
# CONFDIR/local_host_blacklist holds a list of host names, IP addresses
# and networks (CIDR notation) that should have their access denied to
# the local host. Messages coming in from a listed host will have all
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.
deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
!acl = acl_whitelist_local_deny
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
{}}
# Deny unless the sender address can be verified.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable the following line.
#deny message = Sender verification failed
# !acl = acl_whitelist_local_deny
# !verify = sender
# Warn if the sender host does not have valid reverse DNS.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable the following lines.
# If sender_host_address is defined, it's a remote call. If
# sender_host_name is not defined, then reverse lookup failed. Use
# this instead of !verify = reverse_host_lookup to catch deferrals
# as well as outright failures.
#
# NOTE(review): unlike the stock text above suggests, the statement below is
# active in this listing. It only adds a header; it never rejects.
warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
{yes}{no}}
#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. You can find examples of
# how to use dnslists in /usr/share/doc/exim4-config/examples/acl
#############################################################################
# Perform greylisting on incoming messages from remote hosts.
# We do NOT greylist messages with no envelope sender, because that
# would conflict with remote hosts doing callback verifications, and we
# might not be able to send mail to such hosts for a while (until the
# callback attempt is no longer greylisted, and then some).
#
# We also check the local whitelist to avoid greylisting mail from
# hosts that are expected to forward mail here (such as backup MX hosts,
# list servers, etc).
#
# Because the recipient address has not yet been verified, we do so
# now and skip this statement for non-existing recipients. This is
# in order to allow for a 550 (reject) response below. If the delivery
# happens over a remote transport (such as "smtp"), recipient callout
# verification is performed, with the original sender intact.
#
# NOTE(review): points visible in the statement below that the text above
# does not cover:
# - "domains" also includes the virtual domains found through
#   dsearch;/etc/exim4/virtual.
# - Authenticated connections and hosts in +relay_from_hosts are never
#   greylisted.
# - The request sent to greylistd is only "--grey" plus the sender host
#   address masked to /24. The $sender_address and $local_part@$domain lines
#   are commented out (Exim ignores "#" lines inside a continued line), so
#   greylistd can only keep state per /24 network, not per
#   host/sender/recipient triplet. For IPv6 peers a /24 mask is extremely
#   coarse - confirm this is intended.
# - The last readsocket arguments are a 5s timeout and the failure string
#   "false": if the greylistd socket cannot be used, the condition is false
#   and the message is not deferred, i.e. greylisting fails open.
#
defer
message = $sender_host_address is not yet authorized to deliver. \
Please try later.
log_message = greylisted.
!senders = :
!hosts = : +relay_from_hosts : \
${if exists {/etc/greylistd/whitelist-hosts}\
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
!authenticated = *
!acl = acl_whitelist_local_deny
domains = +local_domains : +relay_to_domains : dsearch;/etc/exim4/virtual
verify = recipient/callout=20s,use_sender,defer_ok
condition = ${readsocket{/var/run/greylistd/socket}\
{--grey \
${mask:$sender_host_address/24}} \
# $sender_address \
# $local_part@$domain}\
{5s}{}{false}}
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).
#
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
# Same rule for the virtual domains: the domain is looked up with dsearch in
# /etc/exim4/virtual, and the recipient must verify or the RCPT is denied
# with "unknown user".
accept domains = dsearch;/etc/exim4/virtual
endpass
message = unknown user
verify = recipient
# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.
#
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
#
# This is relaying based on the client address alone, without
# authentication, so +relay_from_hosts should stay as narrow as possible.
#
accept hosts = +relay_from_hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
#
accept authenticated = *
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
#
deny message = relay not permitted
/etc/exim4/conf.d/acl/40_exim4-config_check_data
# 40_exim4-config_check_data
# ACL applied to the message content: greylisting of bounces, MIME and
# attachment checks, virus scanning and spam scoring, in that order.
# NOTE(review): presumably referenced by acl_smtp_data in the main
# configuration - that setting is not part of this listing.
acl_check_data:
# greylistd(8) configuration follows.
# This statement has been added by "greylistd-setup-exim4",
# and can be removed by running "greylistd-setup-exim4 remove".
# Any changes you make here will then be lost.
#
# Perform greylisting on incoming messages with no envelope sender here.
# We did not subject these to greylisting after RCPT TO:, because that
# would interfere with remote hosts doing sender callout verifications.
#
# Because there is no sender address, we supply only two data items:
# - The remote host address
# - The recipient address (normally, bounces have only one recipient)
#
# We also check the local whitelist to avoid greylisting mail from
# hosts that are expected to forward mail here (such as backup MX hosts,
# list servers, etc).
#
# NOTE(review): in the statement below the $recipients line is commented out
# (Exim ignores "#" lines inside a continued line), so only the sender host
# address masked to /24 is sent to greylistd, not the two items described
# above. As in the RCPT ACL, a failure to use the socket yields "false" after
# the 5s timeout, so greylisting fails open.
#
defer
message = $sender_host_address is not yet authorized to deliver. \
Please try later.
log_message = greylisted.
senders = :
!hosts = : +relay_from_hosts : \
${if exists {/etc/greylistd/whitelist-hosts}\
{/etc/greylistd/whitelist-hosts}{}} : \
${if exists {/var/lib/greylistd/whitelist-hosts}\
{/var/lib/greylistd/whitelist-hosts}{}}
!authenticated = *
!acl = acl_whitelist_local_deny
condition = ${readsocket{/var/run/greylistd/socket}\
{--grey \
${mask:$sender_host_address/24}} \
# $recipients}\
{5s}{}{false}}
# Deny unless the address list headers are syntactically correct.
#
# This is disabled by default because it might reject legitimate mail.
# If you want your system to insist on syntactically valid address
# headers, you might want to enable the following lines.
# deny message = Message headers fail syntax check
# !acl = acl_whitelist_local_deny
# !verify = header_syntax
# require that there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
# deny message = No verifiable sender address in message headers
# !acl = acl_whitelist_local_deny
# !verify = header_sender
# Reject messages whose MIME structure is seriously broken (error level
# above 2 as reported by the demime condition).
# NOTE(review): demime is a deprecated condition that later Exim releases no
# longer provide; check it against the installed version before reusing this
# statement.
deny message = Serious MIME defect detected ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Reject attachments whose lower-cased file name ends in one of the listed
# extensions.
# NOTE(review): $mime_filename is documented as a variable of the MIME ACL
# (acl_smtp_mime). In a DATA ACL it is presumably empty, in which case this
# test never matches - confirm, and if so move the check into the MIME ACL.
deny message = Blacklisted file extension detected
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.bat|\.com|\.exe|\.pif|\.prf|\.scr|\.vbs)$\N} \
{1}{0}}
# Reject the message if the scanner configured in the av_scanner main option
# reports malware. No /defer_ok option is given, so a scanner that cannot be
# reached should lead to a temporary rejection rather than to unscanned
# delivery - verify against the Exim specification for the installed version.
deny message = This message contains malware ($malware_name)
malware = *
# Always put X-Spam-Score header in the message.
# It looks like this:
# X-Spam-Score: 6.6 (++++++)
# When a MUA cannot match numbers, it can match for an
# equivalent number of '+' signs.
# The 'true' makes sure that the header is always put
# in, no matter what the score.
#
# All three spam statements only apply to messages smaller than 300k; larger
# messages are neither scored nor rejected for spam.
warn message = X-Spam-Score: $spam_score ($spam_bar)
condition = ${if <{$message_size}{300k}{1}{0}}
spam = spamassassin:true
# Add "X-Spam-Flag: YES" when the score is above 3.0 ($spam_score_int is the
# score multiplied by ten).
# NOTE(review): the earlier comment here described an X-Spam-Report header,
# but no statement in this ACL adds one.
warn message = X-Spam-Flag: YES
condition = ${if <{$message_size}{300k}{1}{0}}
spam = spamassassin:true
condition = ${if >{$spam_score_int}{30}{1}{0}}
# Reject outright when the score is above 10.0.
deny message = Spam score too high ($spam_score)
condition = ${if <{$message_size}{300k}{1}{0}}
spam = spamassassin:true
condition = ${if >{$spam_score_int}{100}{1}{0}}
# accept otherwise
accept