Bug#272870: /usr/sbin/exim4: exim4-daemon-heavy: More modular structure (integrating other tools)

Jari Aalto Jari Aalto <jari.aalto@poboxes.com>, 272870@bugs.debian.org
Wed, 22 Sep 2004 16:20:37 +0300


Package: exim4-daemon-heavy
Version: 4.34-4
Severity: wishlist
File: /usr/sbin/exim4


INTRODUCTION - SUPPORT 3RD PARTY PROGRAMS BETTER

I'm not sure where I should propose this, in Exim development
or here, but I'll take a shot.

The current split configuration is excellent for management, but
it could be improved even more with 'include' directives. The problem
with the current implementation is that 3rd party developers
cannot easily integrate their tools with Exim. The 3rd party
packages contain a separate "instruction" file which contains either
example code or a complete replacement for the RCPT part of the
standard exim installation.

That could be improved. If exim used include files more heavily,
integrating various features would be easier.

I'm concentrating on spam prevention in this message, because it has
been for me the most important aspect of configuring Exim.

PROPOSAL - MAKE ACL RCPT CHECKS MODULAR

File /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt is the heart
of keeping intruders and spammers out of the mail system, but manually
editing that file creates conflicts when Exim 4 is updated.

There are several good checks already, and in newsgroups I have
found more checks to include in the ACL RCPT file. Why not make these
all "standard" and ship them with Exim? The user can selectively
enable those features that he wants. This can be accomplished
by

  a) defining a feature variable somewhere in
     /etc/exim4/conf.d/main (I use a separate 30_exim4_my_main)
  b) putting "features" under a separate directory with
     a proper .ifdef FEATURE ... .endif block
  c) including features from the /etc/exim4/conf.d/acl files.

A demonstration:

    /etc/exim4/conf.d/main/20_exim4_features includes something
    like this (possibly commented out in default installation):

    ENABLE_ACL_RCPT_HELO_MANDATE    = yes
    ENABLE_ACL_RCPT_HELO_FORGED     = yes
    ENABLE_ACL_RCPT_GREYLISTD       = yes
    ENABLE_ACL_RCPT_DNSBL           = yes
    ENABLE_ACL_RCPT_SPF_SPFQUERY    = yes
    ENABLE_ACL_RCPT_SENDER_IDENT    = yes
    # ENABLE_ACL_RCPT_SENDER_VERIFY = yes

    ENABLE_ACL_DATA_DEMIME_ERROR    = yes
    ENABLE_ACL_DATA_FILE_EXTENSION  = yes
    ENABLE_ACL_DATA_RECIPIENT_COUNT = yes
    ENABLE_ACL_DATA_SA_SPAM         = yes

And /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt is broken
into smaller parts, so that it can include several files. Here
I have listed some of the possibilities that I use:

    .include /etc/exim4/conf.d/acl/include/rcpt/helo_mandate
    .include /etc/exim4/conf.d/acl/include/rcpt/helo_forged
    .include /etc/exim4/conf.d/acl/include/rcpt/sender_ident
    .include /etc/exim4/conf.d/acl/include/rcpt/spf_spfquery
    .include /etc/exim4/conf.d/acl/include/rcpt/dnsbl
    .include /etc/exim4/conf.d/acl/include/rcpt/sender_verify
    .include /etc/exim4/conf.d/acl/include/rcpt/greylistd

Likewise /etc/exim4/conf.d/acl/include/rcpt is a new directory
that implements these features. Here is the helo_mandate check:

.ifdef ENABLE_ACL_RCPT_HELO_MANDATE

  deny    message = RFCs mandate HELO/EHLO before mail can be sent
          condition = ${if or{ { !  def:sender_helo_name   }   \
                               { eq {$sender_helo_name} {} } } \
                             {yes} \
                           {no} }

.endif


And HELO forged check:

.ifdef ENABLE_ACL_RCPT_HELO_FORGED

  # Forged HELOs
  deny    message       = Forged hostname detected in HELO
          log_message   = Forged HELO detected
          hosts         = ! +relay_from_hosts
          condition     = ${if eq {${lc:$sender_helo_name}} \
                                  {${lc:$primary_hostname}} {1}{0} }

  deny   message        = Forged IP detected in HELO
         log_message    = Forged IP detected in HELO: $sender_helo_name
         hosts          = ! +relay_from_hosts
         condition = ${if \
         eq {$sender_helo_name} {$interface_address} {yes}{no} }

.endif


A demonstration of 3rd party package integration: take for example the
Debian package 'greylistd', which is very good at preventing spam.

# File /etc/exim4/conf.d/acl/include/rcpt/greylistd

.ifdef ENABLE_ACL_RCPT_GREYLISTD

  # greylistd(8) configuration follows
  #
  # Accept mail from the following hosts without subjecting them to
  # greylisting. This may be needed for large ISPs and other entities
  # that use a pool of outbound mail servers for sending mail.

  accept domains = +local_domains : +relay_to_domains
         hosts   = ${if exists{/etc/greylistd/whitelist-hosts} \
                              {/etc/greylistd/whitelist-hosts} \
                              {} }

  # Consult "greylistd" to obtain greylisting status for this particular
  # peer/sender/recipient triplet.
  #
  # Note that we do not greylist messages with NULL sender, because
  # sender callout verification would break (and we might not be able
  # to send mail to a host that performs callouts).
  #
  # Also note that the recipient address has not yet been verified.
  # If you do not want to perform greylisting for non-existent
  # recipients, but rather skip this statement to allow for a 550 (reject)
  # response below, uncomment the "verify = recipient..." condition.

  defer message     = $sender_host_address is not yet greylist authorized \
                      to deliver mail from <$sender_address> to \
                      <$local_part@$domain>. Please try later.
        log_message = greylisted.
        !senders    = : postmaster@*
        domains     = +local_domains : +relay_to_domains
#       verify      = recipient/callout=20s,defer_ok
        set acl_m9  = $sender_host_address $sender_address $local_part@$domain
        set acl_m9  = ${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
        condition   = ${if eq {$acl_m9}{grey} {true}{false} }

.endif


And so forth for all the other "features". Each external package could
install a new "feature" into the include directory and suggest that the
user turn on that feature in /etc/exim4/conf.d/main/20_exim4_features.

Another example: SPF integration into Exim 4 using the Debian
package 'spfquery'.

# File /etc/exim4/conf.d/acl/include/rcpt/spf_spfquery

.ifdef ENABLE_ACL_RCPT_SPF_SPFQUERY

  # Copied from http://slett.net/spam-filtering-for-mx/exim-spf.html
  # Use "spfquery" to obtain SPF status for this particular sender/host.
  # If the return code of that command is 1, this is an unauthorized sender.
  #
  deny
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain.
    log_message = SPF check failed.
    set acl_m9  = -ipv4=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9} }
    condition   = ${if eq{$runrc}{1} {true}{false} }

.endif


-- Package-specific info:
Exim version 4.34 #1 built 27-Jul-2004 18:08:18
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
Support for: iconv() IPv6 PAM Perl GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Contains exiscan-acl patch revision 21 (c) Tom Kistner [http://duncanthrax.net/exiscan/]
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='cante.net'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.1.0/24 : 127.0.0.1'
dc_smarthost='smtp.sooninternet.net'

CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
mailname:bongo.cante.net

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-386
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to en_US)

Versions of packages exim4-daemon-heavy depends on:
ii  exim4-base                  4.34-4       EXperimental Internal Mailer -- a 
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an
ii  libdb3                      3.2.9-20     Berkeley v3 Database Libraries [ru
ii  libgnutls10                 1.0.4-3      GNU TLS library - runtime library
ii  libldap2                    2.1.30-3     OpenLDAP libraries
ii  libmysqlclient10            3.23.56-2    LGPL-licensed client library for M
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  libpcre3                    4.5-1.1      Perl 5 Compatible Regular Expressi
ii  libperl5.8                  5.8.4-2      Shared Perl library.
ii  libpq3                      7.4.3-3      Shared library libpq.so.3 for Post

-- debconf-show failed
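The following Python is an added example, not code from this bug report, from Exim or from greylistd. It models the RCPT ACL chain the report proposes: each check (helo_mandate, helo_forged, greylistd) is a plain function selected by its ENABLE_* flag, the way the proposed .ifdef blocks would be, so the effect of switching features on and off can be exercised without a running Exim. The greylisting store is an in-memory stand-in for greylistd's triplet database with an assumed 5-minute retry window and 30-day expiry; the hostnames, addresses and networks used with it are constructed sample data, and the Exim variable names in the comments refer back to the ACL fragments above.

```python
"""Reference model of the feature-gated RCPT ACL chain proposed in the report.

Added example, not code from the bug report, Exim or greylistd.  Each check is
a plain function selected by its ENABLE_* flag, as the proposed .ifdef blocks
would be, so a feature set can be exercised without a running Exim.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Tuple[str, str]  # ("deny" | "defer" | "accept", message)

@dataclass
class Session:
    """SMTP session variables the ACL fragments read ($sender_helo_name etc.)."""
    sender_host_address: str
    sender_helo_name: Optional[str]   # None when no HELO/EHLO was given
    sender_address: str               # envelope sender; "" is the NULL sender <>
    recipient: str                    # $local_part@$domain

@dataclass
class Site:
    """Local values the fragments compare against (constructed sample data)."""
    primary_hostname: str
    interface_address: str
    relay_from_hosts: List[str]       # +relay_from_hosts as CIDR strings
    local_domains: List[str]          # +local_domains

    def is_relay_host(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(n, strict=False) for n in self.relay_from_hosts)

Check = Callable[[Session, Site, float], Optional[Verdict]]

def helo_mandate(s: Session, site: Site, now: float) -> Optional[Verdict]:
    """ENABLE_ACL_RCPT_HELO_MANDATE: deny when no HELO/EHLO was seen."""
    if not s.sender_helo_name:
        return ("deny", "RFCs mandate HELO/EHLO before mail can be sent")
    return None

def helo_forged(s: Session, site: Site, now: float) -> Optional[Verdict]:
    """ENABLE_ACL_RCPT_HELO_FORGED: a remote host claiming to be this server."""
    if site.is_relay_host(s.sender_host_address):
        return None                   # hosts = ! +relay_from_hosts
    helo = (s.sender_helo_name or "").lower()
    if helo == site.primary_hostname.lower():
        return ("deny", "Forged hostname detected in HELO")
    if helo == site.interface_address:
        return ("deny", "Forged IP detected in HELO")
    return None

class GreylistStore:
    """In-memory stand-in for greylistd's triplet database.  The 5-minute retry
    window and 30-day expiry are assumed here, not taken from greylistd."""
    RETRY_DELAY = 5 * 60
    EXPIRE = 30 * 24 * 3600

    def __init__(self) -> None:
        self._first_seen: Dict[Tuple[str, str, str], float] = {}

    def query(self, triplet: Tuple[str, str, str], now: float) -> str:
        first = self._first_seen.get(triplet)
        if first is None or now - first > self.EXPIRE:
            self._first_seen[triplet] = now
            return "grey"             # first contact: make the peer retry
        return "grey" if now - first < self.RETRY_DELAY else "white"

def make_greylistd_check(store: GreylistStore) -> Check:
    """ENABLE_ACL_RCPT_GREYLISTD: defer unknown (host, sender, recipient) triplets."""
    def greylistd(s: Session, site: Site, now: float) -> Optional[Verdict]:
        # !senders = : postmaster@*  -- never greylist bounces or postmaster
        if s.sender_address == "" or s.sender_address.lower().startswith("postmaster@"):
            return None
        if s.recipient.rsplit("@", 1)[-1].lower() not in site.local_domains:
            return None               # domains = +local_domains
        triplet = (s.sender_host_address, s.sender_address, s.recipient)
        if store.query(triplet, now) == "grey":
            return ("defer", f"{s.sender_host_address} is not yet greylist authorized "
                             f"to deliver mail from <{s.sender_address}> to "
                             f"<{s.recipient}>. Please try later.")
        return None
    return greylistd

def run_rcpt_acl(features: Dict[str, bool], checks: List[Tuple[str, Check]],
                 s: Session, site: Site, now: float) -> Verdict:
    """Run the enabled checks in file order; the first verdict wins, else accept."""
    for flag, check in checks:
        if not features.get(flag, False):
            continue                  # this .ifdef block is compiled out
        verdict = check(s, site, now)
        if verdict is not None:
            return verdict
    return ("accept", "")
```

One difference between this model and Exim itself is worth keeping in mind when laying out the feature file: Exim's `.ifdef` tests only whether the macro is defined, not its value, so a line `ENABLE_ACL_RCPT_HELO_FORGED = no` still enables the block; a feature is switched off by commenting its line out, which is why the report suggests shipping the lines commented out. After changing the fragments on Debian, `update-exim4.conf` regenerates /var/lib/exim4/config.autogenerated, `exim4 -bV` checks it for syntax errors (such as the unbalanced braces in the original forged-HELO condition), and `exim4 -bh 203.0.113.5` runs a fake SMTP session from that address through the real ACLs without delivering anything.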