[exim] Spam protection

I collected these ACLs from various places on the internet. This note will be expanded over time.

Preliminary setup

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_content
acl_smtp_helo = acl_check_helo

And here are the ACLs themselves. Note that only the denying ACLs are given here. One caveat on the dnslists line below: several of those zones (dnsbl.njabl.org and cbl.abuseat.org among them) have since been shut down, so check that every list you query is still in service; a retired zone may answer positively for every lookup, or for none.

acl_check_helo:

  accept hosts = +relay_from_hosts

  drop condition = ${if match{$sender_helo_name}{MY_IP}{yes}{no} }
       message   = "Dropped spammer pretending to be us"

  # \N...\N keeps the backslashes out of string expansion (a bare "\." is
  # turned into "." and matches anything); the original single-digit
  # [0-9] octets could never match a real address such as 192.0.2.10.
  drop condition = ${if match{$sender_helo_name}{\N^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\N}{yes}{no} }
       message   = "Dropped IP-only or IP-starting helo"

  deny    message         = "Broken HELO/EHLO"
          condition       = ${if eq{$sender_helo_name}{}{yes}{no}}

acl_check_rcpt:

  deny    local_parts   = ^.*[@%!/|] : ^\\.
          message       = "incorrect symbol in address"

  deny    message       = "incorrect symbol in address"
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  deny    message         = You are not allowed to send email as <$sender_address> because you authenticated as $authenticated_id
          authenticated   = *
          condition       = ${if eq {$authenticated_id}{$sender_address} {no}{yes}}

  deny    message         = Only one recipient accepted for NULL sender
          senders         = :
          condition       = ${if >{$rcpt_count}{1} {1}}

  # Remote hosts only. The list has to end in a plain "*": with "!*" as
  # the last item the host list never matches and the rule is silently dead.
  deny    condition       = ${if match_domain{$sender_helo_name}{$primary_hostname:+local_domains:+relay_to_domains}{true}{false}}
          hosts           = !127.0.0.1 : !localhost : *
          message         = Message was delivered by ratware - own
          log_message     = remote host used our name in HELO/EHLO.
          delay           = 30s

  deny    message       = "HELO/EHLO required by SMTP RFC"
          condition     = ${if eq{$sender_helo_name}{}{yes}{no}}

  # "*" must come last: a leading "*" matched every host before the
  # exclusions were reached. relay_from_domains is a domain list, so it
  # cannot be used in a host list at all.
  deny    message        = "IP in HELO!"
          hosts          = !+relay_from_hosts : *
          condition      = ${if eq{$sender_helo_name}{$sender_host_address}{true}{false}}

  deny    condition       = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
          hosts           = !127.0.0.1 : !localhost : *
          message         = "Why is my IP in your HELO"

  deny    message         = "Numeric-only HELO"
          condition       = ${if match{$sender_helo_name}{\N^\d+$\N}{yes}{no}}
          hosts           = !127.0.0.1 : !localhost : *

  # No domains condition here: the blocklist check has to run for the
  # local domains we actually receive mail for.
  deny    message       = DNSBL listed at $dnslist_domain\n$dnslist_text
          hosts         = !127.0.0.1 : !+relay_from_hosts : *
          dnslists      = bl.spamcop.net : dnsbl.sorbs.net : sbl.spamhaus.org : pbl.spamhaus.org : xbl.spamhaus.org : db.wpbl.info : virbl.dnsbl.bit.nl : ix.dnsbl.manitu.net : dnsbl.njabl.org : cbl.abuseat.org

  deny    message       = Invalid address
          senders       = \N^\.|\.@\N

  # The accept goes last. Placed before the checks above, it accepted
  # every valid local recipient before any of them ran. Anything that
  # reaches the end of the ACL (relay attempts) is denied implicitly.
  accept  domains       = +local_domains : +relay_from_domains : +relay_to_domains
          endpass
          verify        = recipient

acl_check_content:
# Include Vexim specific rcpt ACLs
.include /etc/exim/vexim-acl-check-content.conf

Contents of /etc/exim/vexim-acl-check-content.conf. Note that the demime condition used in it has been removed from current Exim releases; on a current server the same checks are written in an acl_smtp_mime ACL that tests $mime_filename.

  deny  message         = This message contains a MIME error ($demime_reason)
        demime          = *
        condition       = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Reject typically wormish file extensions. There is almost no
  # sense in sending such files by email.
  deny  message         = This message contains an unwanted file extension ($found_extension)
        demime          = scr:vbs:bat:lnk:pif:bz2

  deny  message = Possible CMD file attack ($found_extension)
        demime = cmd

  deny  message = Possible COM file attack ($found_extension)
        demime = com

  deny  message = Possible Microsoft JScript attack ($found_extension)
        demime = js

  deny  message = Possible Windows registry attack ($found_extension)
        demime = reg

  deny  message = Possible compiled Help file-based virus ($found_extension)
        demime = chm

  deny  message = Possible SpeedDial attack ($found_extension)
        demime = cnf

  deny  message = Possible Microsoft HTML archive attack ($found_extension)
        demime = hta

  deny  message = Possible Microsoft Internet Settings attack ($found_extension)
        demime = ins

  deny  message = Possible Windows Explorer Command attack ($found_extension)
        demime = scf

  deny  message = Possible Microsoft Windows Script attack ($found_extension)
        demime = sct

  deny  message = Possible Microsoft VBScript attack ($found_extension)
        demime = vbs:vbe

  deny  message = Possible Microsoft Script Host attack ($found_extension)
        demime = wsc:wsf:wsh

  deny  message = Possible Exchange Shortcut attack ($found_extension)
        demime = xnk

  deny  message = Possible Microsoft Access Shortcut attack ($found_extension)
        demime = mad:maf:mag:mam:maq:mar:mas:mat:mav:maw

  # Log virus-infected messages. This is a warn, so the message is still
  # delivered; change it to deny to reject it.
  warn  message         = This message contains malware ($malware_name)
        malware         = *
        log_message     = This message contains malware ($malware_name)
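Because demime is gone from current Exim, the same content checks have to live in a per-part MIME ACL. The block below is an added example, not part of the original post or of Vexim: it assumes a content-scanning build of Exim (WITH_CONTENT_SCAN), an ACL name of my choosing (acl_check_mime), and a severity threshold on $mime_anomaly_level that mirrors the demime_errorlevel test above; the extension list is the one from the file above, collapsed into one regex.

```exim
# Main section: run the MIME ACL once for every MIME part after DATA
# (requires an Exim built with WITH_CONTENT_SCAN, just as demime did).
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mime:
  # Hard decoding errors. $mime_anomaly_level is 0 for a clean part,
  # 1 for warnings (e.g. over-long lines) and 2 for errors (e.g. broken
  # base64), so ">1" is the counterpart of the old demime_errorlevel test.
  deny    message     = This message contains a MIME error ($mime_anomaly_text)
          condition   = ${if >{$mime_anomaly_level}{1}}

  # One case-insensitive regex over the decoded part filename replaces
  # the run of "demime = ext" statements above. $mime_filename is empty
  # for parts without a name, so those never match; \N...\N keeps the
  # backslashes out of string expansion.
  deny    message     = This message contains an unwanted file extension ($mime_filename)
          log_message = blocked attachment "$mime_filename" ($mime_content_type)
          condition   = ${if match{$mime_filename}{\N(?i)\.(scr|vbs|vbe|bat|lnk|pif|bz2|cmd|com|js|reg|chm|cnf|hta|ins|scf|sct|wsc|wsf|wsh|xnk|ma[dfgmqrstvw])$\N}}

  # Every other part passes; acl_smtp_data still runs on the whole message.
  accept
```

The malware = * check can stay in acl_smtp_data, where the scanner sees the assembled message rather than a single part.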

[exim] Spam protection: 2 comments

  1. сисадмин

    In my acl_check_rcpt block

    I have this:

    deny message = [SPF] $sender_host_address is not allowed to send mail from $sender_address_domain.
    log_message = SPF check failed.
    # set acl_m9 = --ip-address=$sender_host_address --mfrom=$sender_address --helo=$sender_helo_name
    set acl_m9 = --scope mfrom --id $sender_address --ip $sender_host_address
    set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}}
    condition = ${if eq {$runrc}{1}{true}{false}}
    !hosts = +relay_from_hosts

    The relay_from_hosts hostlist contains 127.0.0.1, among others.

    Could the esteemed author tell me why I see this in the log:

    2017-02-20 16:15:02 H=localhost.localdomain (xxxxxx.net.ua) [127.0.0.1] F= rejected RCPT : SPF check failed.

    After all, in theory, when exim is invoked from localhost this SPF check should not fire....

    1. skeletor (post author)

      Either relay_from_hosts does not actually contain 127.0.0.1, or there is another ACL somewhere with the same log message, or the config on disk and the config of the running exim differ, at least in this ACL. There are no other possibilities.
