EximMailFilter (page version 24)
!!!How to make your Debian or Ubuntu machine an amazing [Exim] 4 mail filter

This is how I've set up a new exim4 installation to do all the filtering I used to do with MailScanner or amavis. It's much less CPU intensive to use the daemon mode of SpamAssassin (spamd) and have the MTA do the work at SMTP time than to push every message through a big Perl script.

There are a number of changes between exim3 and exim4 on Debian that aren't immediately apparent: the configuration system is completely different. You either have one large configuration template file or a number of small files under /etc/exim4/conf.d, but either way the live config isn't updated until you run __update-exim4.conf__. Running =/etc/init.d/exim4 restart= runs this command for you.

!!Get exim4

!Sarge/Dapper

=apt-get install exim4-daemon-heavy clamav-daemon clamav-freshclam spamassassin= (add more or less as required). It has to be the -heavy daemon: only that build has the content-scanning support (the malware, spam and demime/MIME conditions used below) compiled in.

!Woody

You can only go as far as Exim 4.34 on Woody, so you should really consider moving to Sarge.

Add these lines to your apt sources.list:

<pre>
deb http://www.linux.org.au/backports.org/debian woody exim4
deb http://www.linux.org.au/backports.org/debian woody gnutls11
</pre>

Then =apt-get install exim4-daemon-heavy=. You might like to purge exim3 at this point too, otherwise your ex<tab> completion will pick exim instead of exim4. From here on I assume you're running clamav-daemon, spamassassin 3.0.3 and recent versions of libnet-dns-perl etc., but I'll deal with those later.

!!Configure exim4

Configure exim4 to use the small config files (=dpkg-reconfigure exim4-config= asks whether to split the configuration into small files under /etc/exim4/conf.d; answer yes).

Note: I use '[itp|ItPartners]' to signify my changes. You will want to use your own tag.

Most of the snippets below go into the 'acl_smtp_data' [ACL], which runs at [SMTP] DATA time, once the whole message has been received but before Exim has taken responsibility for it, so it can still accept or deny the message. When putting them in, bear in mind that the order of 'warn' entries is irrelevant, but the first 'deny' that matches refuses the message and stops further processing. Therefore the 'drop messages that are obviously spam' rule sits before the 'redirect messages that -might- be spam' rule. Don't accidentally lose the 'accept' at the bottom of the file either: an ACL that runs off the end without reaching an accept denies everything.

!!Get [ClamAV] working

Change into /etc/exim4/conf.d/main. Copy 02_exim4-config_options to 02_exim4-config_options.rul and add these lines:

<pre>
# itp: set ClamAV path
#
av_scanner = clamd:/var/run/clamav/clamd.ctl
</pre>

Now change into /etc/exim4/conf.d/acl. Copy 40_exim4-config_check_data to 40_exim4-config_check_data.rul and add these lines just above "# accept otherwise":

<pre>
# itp: Reject messages containing malware.
deny message = This message contains malware ($malware_name)
     demime = *
     malware = *
</pre>

clamd has to be able to read the message files Exim writes under /var/spool/exim4, so add the clamav user to the `Debian-exim' group: on Debian, =adduser clamav Debian-exim=. (Don't use =usermod -G Debian-exim clamav=: without =-a=, =usermod -G= replaces the user's whole list of supplementary groups rather than adding to it.) Then make sure /etc/clamav/clamd.conf contains `User clamav' and `AllowSupplementaryGroups', otherwise clamd drops its supplementary groups when it switches user and still can't get into the spool.

To restart exim4 use =invoke-rc.d exim4 restart=, which rebuilds the config file from the templates.

Restart the ClamAV daemon with =invoke-rc.d clamav-daemon restart= so the new group membership takes effect.

Test it with the EICAR test string, which every scanner detects without it being real malware:

<verbatim>
telnet localhost 25
220 firewall.test ESMTP Exim 4.34 Tue, 14 Dec 2004 14:20:28 +1300
HELO test.co.nz
250 firewall.test Hello localhost [127.0.0.1]
MAIL FROM: sdg@adfgsdg.co.nz
250 OK
RCPT TO: foo@foo.co.nz
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 This message contains malware (Eicar-Test-Signature)
</verbatim>

!!Get SpamAssassin working

Get SpamAssassin 3.0 from backports.org. Edit /etc/default/spamassassin to enable spamd, but make sure you're happy with the risks: spamd is a persistent daemon running Perl over untrusted mail, so keep it listening only on localhost or a Unix socket and run it as an unprivileged user.

We need to teach Exim how to talk to spamd. To your main/02_exim4-config_options.rul, add:

<pre>
# itp: set SpamAssassin path
#
spamd_address = 127.0.0.1 783
</pre>

If you are running SpamAssassin on the local machine and don't like the idea of opening any more TCP sockets than you have to, add the following to the OPTIONS line in /etc/default/spamassassin:

<pre>
--socketpath=/var/run/spamd.ctl
</pre>

and set Exim's configuration to read:

<pre>
# itp: set SpamAssassin path
#
spamd_address = /var/run/spamd.ctl
</pre>

!Really spammy stuff

Now we'll add a rule to automatically drop anything that scores over a threshold that makes it obviously spam. $spam_score_int is the SpamAssassin score multiplied by ten, so 150 means 15.0 points. To your acl/40_exim4-config_check_data.rul, add:

<pre>
# itp: reject spam at high scores (> 15)
deny message = This message scored $spam_score spam points.
     condition = ${if <{$message_size}{100k}{1}{0}}
     spam = nobody:true
     condition = ${if >{$spam_score_int}{150}{1}{0}}
</pre>

Restart and test like so (GTUBE is SpamAssassin's equivalent of EICAR: a test string that scores 1000 points):

<verbatim>
MAIL FROM: me@them.co.nz
250 OK
RCPT TO: foo@bar.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 This message scored 998.8 spam points.
QUIT
</verbatim>

!Less spammy stuff

In a corporate mail filter I don't want to send users any spam. There is someone whose job it is to sift through what little spam gets past the above rule, but we need to get it to their mailbox. We do this by setting an ACL variable (acl_m1) on any message that scores over the spam threshold defined in SpamAssassin's local.cf (required_score; if you don't set it there, it defaults to 5), and using a router that redirects any message with that variable set to the quarantine address.

Drop a file called 050_exim4-config_spam_redirect into /etc/exim4/conf.d/router, containing something very much like this:

<verbatim>
# itp: Spam redirection router
# Modified from http://duncanthrax.net/exiscan-acl/exiscan-acl-examples.txt,
# and with changes made by RafalJankowski on the WLUG Wiki, this router takes
# any message tagged as spam and redirects it to the redirect user.

spam_redirect:
  debug_print = "R: spam_redirect for $domain"
  driver = redirect
  condition = ${if def:acl_m1 {1}{0}}
  headers_add = X-Original-Recipient: $local_part@$domain
  data = $acl_m1
  redirect_router = hubbed_hosts
</verbatim>

This sits just before the hubbed_hosts router, which was previously the first router in the queue. Set redirect_router to whichever router you want to process the redirected address next.

Now, to set acl_m1 on spammy messages and write the score headers on everything, in our acl/40_exim4-config_check_data.rul:

<verbatim>
# itp: put a spam warning on all messages
# and redirect messages over the SA threshold to quarantine
warn message = X-Spam-Score: $spam_score ($spam_bar)
     condition = ${if <{$message_size}{100k}{1}{0}}
     spam = nobody:true

warn message = X-Spam-Report: $spam_report
     condition = ${if <{$message_size}{100k}{1}{0}}
     spam = nobody:true

accept condition = ${if <{$message_size}{100k}{1}{0}}
       spam = nobody
       set acl_m1 = "postmaster@yoursite.co.nz"
       #delay = 60s
       control = fakereject
       logwrite = :main,reject: This message scored $spam_score spam points. Please contact postmaster
</verbatim>

'nobody' is the user name Exim passes to spamd; as we always pass the same one, spamd is only called once per message and later "spam" conditions reuse the cached result. The ':true' suffix makes the condition succeed for every message, so $spam_score and $spam_report are available even when the message isn't spam, which is what the two 'warn' entries need. The plain "spam = nobody" in the 'accept' entry only succeeds when SpamAssassin classes the message as spam, so only those messages get acl_m1 set and are fake-rejected: the sender sees a 550, but Exim still accepts the message and the router above delivers it to the quarantine address. Make sure you always check the message size before calling "spam", otherwise you will end up passing huge messages to SpamAssassin.
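
Here is a small Python script, added for this page and not part of the original article or of Exim or SpamAssassin, that talks to spamd over the same socket Exim's "spam" condition uses and then applies the thresholds from the two ACL rules above to the reply. It assumes spamd is reachable at /var/run/spamd.ctl (or at 127.0.0.1:783, the TCP address configured earlier) and that it speaks the spamd protocol (a CHECK SPAMC/1.5 request answered with a "Spam: True ; 998.8 / 5.0" header); the GTUBE message it sends is constructed for the test. It is handy for checking that spamd and the socket permissions are right before touching the Exim config, and for seeing which side of the 150 / 15.0 boundary a given score lands on.

```python
"""Exercise spamd over the socket Exim's `spam` condition uses, then apply
the page's data-ACL thresholds to what comes back.

Added example for this page; it is not the wiki's, Exim's or SpamAssassin's
own code. Assumptions: spamd listens on the Unix socket /var/run/spamd.ctl
or on 127.0.0.1:783 (the two spamd_address values configured above) and
speaks the spamd protocol (CHECK SPAMC/1.5 request, a reply whose second
line looks like "Spam: True ; 998.8 / 5.0"). TEST_MESSAGE is constructed."""
import re
import socket

# SpamAssassin's GTUBE test string: scores 1000 points on any installation.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

# Constructed test message, the same shape as the telnet session above.
TEST_MESSAGE = (
    "From: me@them.co.nz\r\n"
    "To: foo@bar.com\r\n"
    "Subject: GTUBE\r\n"
    "\r\n"
    + GTUBE + "\r\n"
)

SIZE_LIMIT = 100 * 1024   # the ACLs' ${if <{$message_size}{100k}...} guard
HARD_REJECT = 150         # deny when $spam_score_int > 150 (15.0 points)

REPLY_RE = re.compile(
    r"^Spam:\s*(True|False)\s*;\s*(-?[0-9.]+)\s*/\s*(-?[0-9.]+)", re.MULTILINE)


def check(message, user="nobody", address="/var/run/spamd.ctl"):
    """Send one CHECK request to spamd and return its reply as text.

    `address` is a socket path (str) or a (host, port) tuple, mirroring
    Exim's spamd_address; `user` is the name Exim passes ("nobody" above)."""
    body = message.encode()
    request = ("CHECK SPAMC/1.5\r\n"
               f"User: {user}\r\n"
               f"Content-length: {len(body)}\r\n\r\n").encode() + body
    family = socket.AF_UNIX if isinstance(address, str) else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(30)
        sock.connect(address)
        sock.sendall(request)
        sock.shutdown(socket.SHUT_WR)      # we have nothing more to send
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_reply(reply):
    """Return (is_spam, score, required) from a spamd reply; raise on error."""
    lines = reply.splitlines()
    status = lines[0].split() if lines else []
    # Status line is "SPAMD/1.1 0 EX_OK"; a non-zero code means spamd failed.
    if len(status) < 3 or not status[0].startswith("SPAMD/") or status[1] != "0":
        raise RuntimeError(f"spamd error: {lines[0] if lines else '<empty>'}")
    m = REPLY_RE.search(reply)
    if m is None:
        raise RuntimeError("spamd reply has no Spam: header")
    return m.group(1) == "True", float(m.group(2)), float(m.group(3))


def spam_score_int(score):
    """Exim's $spam_score_int: the score times ten, as an integer."""
    return int(round(score * 10))


def decide(message_size, score, required):
    """What the page's acl_smtp_data rules would do with this message:
    'deny' (more than 15 points), 'redirect' (classed as spam by
    SpamAssassin, i.e. at or over required_score: accepted with fakereject
    and acl_m1 set), or 'accept'. Oversized messages are never scanned."""
    if message_size >= SIZE_LIMIT:
        return "accept"
    if spam_score_int(score) > HARD_REJECT:
        return "deny"
    if score >= required:
        return "redirect"
    return "accept"


if __name__ == "__main__":
    # Live run against the local spamd (it has to be running).
    is_spam, score, required = parse_reply(check(TEST_MESSAGE))
    print(f"spam={is_spam} score={score} required={required} "
          f"-> {decide(len(TEST_MESSAGE), score, required)}")
```

Run it with spamd up; on the GTUBE message it reports deny, the same outcome as the 550 in the telnet session above. Note that decide() treats the hard threshold as strictly greater than 150, so a message scoring exactly 15.0 points is redirected rather than refused, which is what ${if >{$spam_score_int}{150}...} does.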

Change the acl_m1 address to refer to your postmaster. Strangely, [not everyone|http://www.mynetcomng.com/] picks up on this.

To get a small, sensible spam report instead of the huge default SpamAssassin one, put this in your /etc/spamassassin/local.cf:

<pre>
clear_report_template
report "_YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_
version=_VERSION_"
</pre>

!!MIME errors & file attachments

!Pre-Exim 4.50

Nobody wants to receive executable file attachments. In acl/40_exim4-config_check_data.rul:

<pre>
# itp: Unpack MIME containers and reject file extensions used by worms.
# This calls the demime condition again, but it will return cached results.
deny message = We do not accept ".$found_extension" attachments here. If you \
               legitimately need to send these files please zip them first.
     demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
</pre>

This is a policy filter, not a security boundary: it stops well-meaning users mailing .exe files around, but anyone who wants to get one through just zips it, so the malware check above (clamd unpacks archives by default) is still what has to catch the actual payload.

And for MIME errors:

<pre>
# itp: Reject messages that have serious MIME errors.
deny message = Serious MIME defect detected ($demime_reason)
     demime = *
     condition = ${if >{$demime_errorlevel}{2}{1}{0}}
</pre>

!Exim 4.50 and higher

Recent exiscans (including the one merged into Exim 4.50) have deprecated demime in favour of an acl_smtp_mime ACL. This is more powerful than demime, but as always, it takes more configuration to get the same features. The MIME ACL runs once for every MIME part as the message is received, with the $mime_* variables describing the current part.

This example was originally built from [an acl_smtp_mime thread on exim-users|http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050523/msg00117.html], but many typos have been corrected.

Add something like the following.

In main/02_exim4-config_options.rul:

<pre>
# itp: define MIME ACL
#
.ifndef MAIN_ACL_CHECK_MIME
MAIN_ACL_CHECK_MIME = acl_check_mime
.endif
acl_smtp_mime = MAIN_ACL_CHECK_MIME
</pre>

Create acl/50_exim4-config_check_mime:

<pre>
### acl/50_exim4-config_check_mime
##################################

acl_check_mime:

  # Decode MIME parts to disk. This will support virus scanners later.
  deny
    decode = default
    condition = ${if > {$mime_anomaly_level}{2} \
                  {true}{false}}
    message = This message contains a MIME error ($mime_anomaly_text)
    log_message = DENY: MIME Error ($mime_anomaly_text)

  # Too many MIME parts
  #
  deny
    condition = ${if >{$mime_part_count}{1024}{yes}{no}}
    message = MIME error: Too many parts (max 1024)
    log_message = DENY: MIME Error (Too many MIME parts: $mime_part_count)

  # Excessive line length
  #
  # BEWARE: Exim 4.50 has a bug that means regexes don't work in the MIME ACL.
  # Don't use this in that case! It works fine in Exim 4.60.
  deny
    regex = ^.{8000}
    message = MIME error: Line length in message or single header exceeds 8000.
    log_message = DENY: MIME Error (Maximum line length exceeded)

  # Partial message
  #
  deny
    condition = ${if eq {$mime_content_type}{message/partial}{yes}{no}}
    message = MIME error: MIME type message/partial not allowed here
    log_message = DENY: MIME Error (MIME type message/partial found)

  # Filename length too long (> 255 characters)
  #
  deny
    condition = ${if >{${strlen:$mime_filename}}{255}{yes}{no}}
    message = MIME error: Proposed filename exceeds 255 characters
    log_message = DENY: MIME Error (Proposed filename too long)

  # MIME boundary length too long (> 1024)
  #
  deny
    condition = ${if >{${strlen:$mime_boundary}}{1024}{yes}{no}}
    message = MIME error: MIME boundary length exceeds 1024 characters
    log_message = DENY: MIME Error (Boundary length too long)

  # File extension filtering.
  deny
    condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.bat|\.btm|\.cmd|\.com|\.cpl|\.dll|\.exe|\.lnk|\.msi|\.pif|\.prf|\.reg|\.scr|\.vbs|\.url)$\N} \
                  {1}{0}}
    message = Blacklisted file extension detected in "$mime_filename". If you legitimately need to send these files please zip them first.
    log_message = DENY: Blacklisted extension ("$mime_filename")

  # accept otherwise
  accept
</pre>

Unfortunately, because of [a bug in Exim 4.50|http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050307/msg00131.html], you may see "cannot test regex condition in MIME ACL". This stops you doing the line length check; enable that section only on Exim 4.60 or later.

You can tweak the values for proposed filename, MIME boundary length and line length to suit your users. Some mailers conform more strictly to the MIME spec than others.
