I collected these ACLs from various places on the internet. This note will be extended over time.
Preliminary setup
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_content
acl_smtp_helo = acl_check_helo
And here are the ACLs themselves. Note that only the denying ACLs are shown here.
acl_check_helo:
  accept hosts = +relay_from_hosts

  # MY_IP is a macro that must be defined earlier in the configuration with this server's own address.
  drop  condition = ${if match{$sender_helo_name}{MY_IP}{yes}{no}}
        message   = "Dropped spammer pretending to be us"

  # HELO that is, or starts with, an IP address. The regex is wrapped in \N...\N so that
  # string expansion does not strip the backslashes (an unprotected \. becomes a bare "."
  # and matches any character).
  drop  condition = ${if match{$sender_helo_name}{\N^\d+\.\d+\.\d+\.\d+\N}{yes}{no}}
        message   = "Dropped IP-only or IP-starting helo"

  deny  message   = "Broken HELO/EHLO"
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}
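An IP-matching regex in an ACL condition only works as intended when it is wrapped in \N...\N (as the `\N^\d+$\N` condition in acl_check_rcpt does). The following added example (not code from the post or from Exim) models in Python the backslash handling Exim applies to the literal parts of an expanded string, ignoring $-items and octal escapes, and applies a regex as written, with and without protection, to constructed HELO names.

```python
import re

def expand_literal(s: str) -> str:
    r"""Model of how Exim treats backslashes in the literal parts of an
    expanded string (added example, not Exim code; simplified: no $items,
    no octal escapes).
      \N ... \N  copied verbatim, backslashes untouched
      \n \r \t   control characters
      \x         any other escaped character: backslash dropped, x kept
    """
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] != "\\":
            out.append(s[i])
            i += 1
        elif s.startswith("\\N", i):
            end = s.find("\\N", i + 2)
            if end < 0:
                raise ValueError("unterminated \\N ... \\N")
            out.append(s[i + 2:end])
            i = end + 2
        elif i + 1 < n:
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            raise ValueError("trailing backslash")
    return "".join(out)

def helo_matches(regex_as_written: str, helo: str) -> bool:
    """True if the HELO name matches the regex as the ACL actually sees it."""
    return re.search(expand_literal(regex_as_written), helo) is not None

# Constructed sample HELO names and the two ways of writing the regex.
NOT_AN_IP = "1a2b3c4.example"
REAL_IP = "192.0.2.25"
UNPROTECTED = r"^[0-9]\.[0-9]\.[0-9]\.[0-9]"   # each \. is reduced to "."
PROTECTED = r"\N^\d+\.\d+\.\d+\.\d+\N"        # survives expansion intact
```

The unprotected form still matches real IP addresses, but it also matches names such as `1a2b3c4.example`, which the protected form rejects.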
acl_check_rcpt:
  # Refuse local parts containing @, %, !, / or |, or starting with a dot.
  deny  local_parts = ^.*[@%!/|] : ^\\.
        message     = "incorrect symbol in address"

  # For non-local domains also refuse "/../" sequences (the backslashes are
  # doubled because string expansion strips one level).
  deny  message     = "incorrect symbol in address"
        domains     = !+local_domains
        local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  # This accept ends the ACL for every verified recipient in a local or relay
  # domain, so none of the deny statements below it is reached for such mail;
  # to enforce them for local recipients, move this block to the end of acl_check_rcpt.
  accept domains = +local_domains : +relay_from_domains : +relay_to_domains
         endpass
         verify  = recipient

  # An authenticated user may only send as the identity they authenticated with.
  deny  message       = You are not allowed to send email because you <$sender_address> have authenticated as $authenticated_id
        authenticated = *
        condition     = ${if eq {$authenticated_id}{$sender_address} {no}{yes}}

  deny  message   = Only one recipient accepted for NULL sender
        senders   = :
        condition = ${if >{$rcpt_count}{1} {1}}

  # Remote hosts using one of our own names in HELO/EHLO. The last item must be
  # "*", not "!*": a negated "!*" matches every host and ends the list with
  # "no match", so the deny would never fire.
  deny  condition   = ${if match_domain{$sender_helo_name}{$primary_hostname:+local_domains:+relay_to_domains}{true}{false}}
        hosts       = !127.0.0.1 : !localhost : *
        message     = Message was delivered by ratware - own
        log_message = remote host used our name in HELO/EHLO.
        delay       = 30s

  deny  message   = "HELO/EHLO required by SMTP RFC"
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}

  # Exclusions must come before "*": a leading "*" matches every host and the
  # items after it are never consulted. Both named lists must exist as hostlists.
  deny  message   = "IP in HELO!"
        hosts     = !+relay_from_hosts : !+relay_from_domains : *
        condition = ${if eq{$sender_helo_name}{$sender_host_address}{true}{false}}

  deny  condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
        hosts     = !127.0.0.1 : !localhost : *
        message   = "Why is my IP in your HELO"

  # HELO consisting of digits only.
  deny  condition = ${if match{$sender_helo_name}{\N^\d+$\N}{yes}{no}}
        hosts     = !127.0.0.1 : !localhost : *

  # DNS blocklists; verify that each list is still operated before relying on it,
  # since a dead or wildcarding list can end up blocking all mail.
  deny  message  = DNSBL listed at $dnslist_domain\n$dnslist_text
        hosts    = !127.0.0.1 : !+relay_from_hosts : $sender_host_address
        domains  = !+local_domains : !+relay_from_domains
        dnslists = bl.spamcop.net : dnsbl.sorbs.net : sbl.spamhaus.org : pbl.spamhaus.org : xbl.spamhaus.org : db.wpbl.info : virbl.dnsbl.bit.nl : ix.dnsbl.manitu.net : dnsbl.njabl.org : cbl.abuseat.org

  deny  message = Invalid address
        senders = \N^\.|\.@\N
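The hosts lists in acl_check_rcpt depend on Exim's list-matching rule (a matching negated item ends the list with "no match"; a list that ends on a negated item matches when nothing matched). The following added example, not code from the post or from Exim, models that rule in Python with a constructed relay_from_hosts list, and shows why `!127.0.0.1:!localhost:!*` never matches and why exclusions placed after a leading `*` are dead.

```python
def match_list(item, lst, named=None):
    """Whether `item` matches an Exim-style colon-separated list.

    Simplified model (added example, not Exim code): entries are exact strings,
    "*" (anything) or "+name" (a named list in `named`), each optionally
    negated with a leading "!". Rules taken from the Exim spec:
      - a positive entry that matches ends the scan with True
      - a negated entry that matches ends the scan with False
      - reaching the end gives True if the last entry was negated, else False
    """
    named = named or {}
    last_negated = False
    for entry in (e.strip() for e in lst.split(":")):
        if not entry:
            continue
        negated = entry.startswith("!")
        pattern = entry[1:].lstrip() if negated else entry
        last_negated = negated
        if pattern == "*":
            hit = True
        elif pattern.startswith("+"):
            hit = match_list(item, named[pattern[1:]], named)
        else:
            hit = pattern == item
        if hit:
            return not negated
    return last_negated

# Constructed stand-in for the page's relay_from_hosts hostlist.
NAMED_LISTS = {"relay_from_hosts": "127.0.0.1 : 192.0.2.10"}

def dead_deny(host):
    # hosts = !127.0.0.1:!localhost:!*  -- the final negated "!*" matches every
    # remaining host and ends the list with "no match": this deny never fires.
    return match_list(host, "!127.0.0.1:!localhost:!*", NAMED_LISTS)

def live_deny(host):
    # hosts = !127.0.0.1 : !localhost : *  -- the form used elsewhere on the page.
    return match_list(host, "!127.0.0.1 : !localhost : *", NAMED_LISTS)

def star_first(host):
    # hosts = *:!+relay_from_hosts  -- "*" matches first; the exclusion is dead.
    return match_list(host, "*:!+relay_from_hosts", NAMED_LISTS)

def exclusions_first(host):
    # hosts = !+relay_from_hosts : *  -- exclusions before the catch-all.
    return match_list(host, "!+relay_from_hosts : *", NAMED_LISTS)
```

The same rule explains the commenter's `!hosts = +relay_from_hosts` below: negating the whole condition is equivalent to the list `!+relay_from_hosts`, which is true for every host not in that list.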
acl_check_content:
  # Include Vexim-specific content ACLs
  .include /etc/exim/vexim-acl-check-content.conf
Contents of /etc/exim/vexim-acl-check-content.conf
  # demime is deprecated and no longer present in current Exim releases; the
  # MIME ACL (acl_smtp_mime with $mime_filename) is its replacement.
  deny  message   = This message contains a MIME error ($demime_reason)
        demime    = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Reject typically wormish file extensions. There is almost no
  # sense in sending such files by email.
  deny  message = This message contains an unwanted file extension ($found_extension)
        demime  = scr:vbs:bat:lnk:pif:bz2
  deny  message = Possible CMD file attack ($found_extension)
        demime  = cmd
  deny  message = Possible COM file attack ($found_extension)
        demime  = com
  deny  message = Possible Microsoft JScript attack ($found_extension)
        demime  = js
  deny  message = Possible Windows registry attack ($found_extension)
        demime  = reg
  deny  message = Possible compiled Help file-based virus ($found_extension)
        demime  = chm
  deny  message = Possible SpeedDial attack ($found_extension)
        demime  = cnf
  deny  message = Possible Microsoft HTML archive attack ($found_extension)
        demime  = hta
  deny  message = Possible Microsoft Internet Settings attack ($found_extension)
        demime  = ins
  deny  message = Possible Windows Explorer Command attack ($found_extension)
        demime  = scf
  deny  message = Possible Microsoft Windows Script attack ($found_extension)
        demime  = sct
  deny  message = Possible Microsoft VBScript attack ($found_extension)
        demime  = vbs:vbe
  deny  message = Possible Microsoft Script Host attack ($found_extension)
        demime  = wsc:wsf:wsh
  deny  message = Possible Exchange Shortcut attack ($found_extension)
        demime  = xnk
  deny  message = Possible Microsoft Access Shortcut attack ($found_extension)
        demime  = mad:maf:mag:mam:maq:mar:mas:mat:mav:maw

  # Reject virus infested messages.
  # "warn" only logs (and, through message, adds a header line); the message is
  # still accepted. Use "deny" to reject it. Requires av_scanner to be configured.
  warn  message     = This message contains malware ($malware_name)
        malware     = *
        log_message = This message contains malware ($malware_name)
2 comments on “[exim] Protection from spam”
In my acl_check_rcpt block I have the following:
  deny  message     = [SPF] $sender_host_address is not allowed to send mail from $sender_address_domain.
        log_message = SPF check failed.
        # set acl_m9 = --ip-address=$sender_host_address --mfrom=$sender_address --helo=$sender_helo_name
        set acl_m9  = --scope mfrom --id $sender_address --ip $sender_host_address
        set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
        condition   = ${if eq {$runrc}{1}{true}{false}}
        !hosts      = +relay_from_hosts
The relay_from_hosts hostlist contains, among other entries, 127.0.0.1.
Could the esteemed author tell me why I see the following in the log:
2017-02-20 16:15:02 H=localhost.localdomain (xxxxxx.net.ua) [127.0.0.1] F= rejected RCPT : SPF check failed.
After all, in theory, when exim is called from localhost, this SPF check should not fire…
Either relay_from_hosts does not actually contain 127.0.0.1, or there is another ACL somewhere with the same log message, or the config on disk and the config of the running exim differ, at least in this ACL. There are no other possibilities.