Exim system filter sample config
Posted On 2007年6月26日 星期二 at 於 下午5:09 by Lani# Exim filter
### Precautions, precautions...
# Drop out if the message is an error message.
if error_message then finish endif
### Assorted spam filtering stuff follows
## My users are trustworthy (because they're me!) - don't check locally sent mail.
if "arkane.demon.co.uk:arkane.net:arkane.co.uk" contains $sender_address_domain then
finish
endif
## Arrange log file
logfile /exim/filterlog
## First, handle the white list
# These are the blessed mail addresses which don't get filtered.
# And always allow postmaster mail through.
if "${lookup {${lc:$sender_address}}dbm{/etc/filters/whitelist} {white} {grey}}" is white or
$header_to: contains "postmaster@" then
finish
endif
## If they've used the magic word, let the mail go through.
if $header_subject: contains "DELETED FOR PUBLIC CONSUMPTION" then
finish
endif
## Then, handle the black list.
# Bounce all mail from these sites or addresses with a nasty message.
if "${lookup {${lc:$sender_address_domain}}dbm{/etc/filters/blacklist} {black} {grey}}" is black or
"${lookup {${lc:$sender_address}}dbm{/etc/filters/blacklist} {black} {grey}}" is black then
fail
finish
endif
## Heuristic spam filtering
# Tell-tale spam headers - X-UIDL, X-PMFLAGS, X-Advertisement
if "${if def:header_x-uidl: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-uidl header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-1: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-1 header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-pmflags: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-pmflags header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-advertisment: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-advertisement header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Authenticated sender, and not from pegasus
if "$h_comments" contains "authenticated sender" and
"$h_x-mailer" does not contain "pegasus" then
log "message $message_id from $header_from: to $header_to: failed.\n\
authenticated sender (not from pegasus) indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Claims to be from hotmail.com
if "$h_from" contains "hotmail.com" and
"${if !def:header_x-originating-ip {nospam}}" is nospam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from hotmail, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# claims to be from juno.com
if "$h_from" contains "juno.com" and
"${if def:header_x-mailer {juno} {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from juno, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Broken message-IDs
if $header_message-id does not contain "@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Message-ID does not contain '@' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the host (From||To) numeric?
if "$header_from: $header_to:" contains "@\\\\d+\\." then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: or To: header contains numeric hostname - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the local-part numeric and 8 digits?
if $local_part matches "^\\\\d{8}\\$" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Local part is an 8 digit numeric - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the To: address contained in the From: address?
if ( $header_from: contains $header_to: )
and ( "${if def:header_to: {present}}" is present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: contains To: which indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is neither a To: nor a Cc: header present?
if ( "${if def:header_to: {present}}" is not present )
and ( "${if def:header_cc: {present}}" is not present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Neither To: nor Cc: headers present - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Other funny Received headers?
if $header_received: contains "[000.000.000.000]" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the invalid IP [000.000.000.000] - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "-0600 (EST)" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the dubious time zone setting -0600 (EST) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "CLOAKED" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the string 'CLOAKED' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bcc'ed to public addresses?
if ( $header_bcc: contains "-usenet" ) or
( $header_bcc: contains "-sig" ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Bcc'ed to a public address (-usenet or -sig) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bogus To: headers.
if $header_to: contains "Friend@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'Friend' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_to: contains "you@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'you' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
### That's it!
Exim ACL Spam Filters Config
Posted On at 於 下午2:01 by LaniStopping Spam in the ACL
Exim ACL Spam Filters
This is a mirror of http://vamos-wentworth.org/exim-tricks.html (With a few very minor ammendments)
I have been unable to get to the site since september so I decided to mirror the above URL, It was very useful information for me when I first started out with exim hence my sharing it.
All credit goes to the original author, THIS IS NOT A DOCUMENT WRITTEN BY MYSELF so all rights go to the original author. rossz-work [at] vamos-wentworth [dot] org as well.
These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.
###############################################################################
HELO ACL
###############################################################################
You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.
The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an ip address with the HELO, but losing acceptance. A spammer might try to HELO with your own ip address. There is absolutely no legitimate reason for someone else to use your ip address here. Plug your own ip address in here where it says ##.##.##.##. Repeat this for each IP address you handle.
deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}
Basically the same thing as the previous filter, but using your domain name instead of your ip address. You should repeat this filter for each domain you control.
deny message = HELO/EHLO with my domain name. You are not me.
log_message = HELO/EHLO my.domain
condition = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.
deny message = No HELO/EHLO name specified.
log_message = HELO/EHLO none
condition = ${if match {$sender_helo_name}{none} {yes}{no}}
A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.
deny message = You are not localhost.
log_message = HELO/EHLO localhost
condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.
deny message = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
###############################################################################
RCPT ACL
###############################################################################
Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains, Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.
#Fake Yahoo
deny message = Suspected Faked Yahoo Account, E-mail Rejected.
log_message = Fake Yahoo
senders = *@yahoo.com
condition = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#Fake Hotmail
deny message = Suspected Faked Hotmail Account, E-mail Rejected.
log_message = Fake hotmail
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
#Fake MSN
deny message = Suspected Faked MSN Account, E-mail Rejected.
log_message = Fake MSN
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
# Fake AOL
deny message = Suspected Faked AOL Account, E-mail Rejected.
log_message = Fake AOL
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.
###############################################################################
DATA ACL
###############################################################################
A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I dont' care.
deny condition = ${if !def:h_Message-ID: {1}}
message = Message SHOULD have Message-ID: but does not
Email should have a proper date. So goodbye if it doesn't.
deny condition = ${if !def:h_Date: {1}}
message = Message SHOULD have Date: but does not
You'll need the Exiscan patch for the mime handling to work.
Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.
deny message = Serious MIME defect detected ($demime_reason)
log_message = Broken MIME ($mime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.
deny message = $found_extension files are not accepted here
log_message = Dangerous extension ($found_extension)
demime = com:vbs:bat:pif:scr:exe
For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so lets just refuse the bastards.
deny message = Hiding of file extensions is not allowed!
log_message = Dangerous extension (CLSID hidden)
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
http://vamos-wentworth.org/exim-tricks.html
http://www.carbonstudios.co.uk/site/44/180.html
Apache 壓力測試
Posted On at 於 上午10:01 by Lani在 apache 本身的套件中, 有個叫 ab(ApacheBench) 的程式.
ApacheBench 主要是用來測試 apache 執行效率.
ab 參數:
Usage: /usr/sbin/ab [options] [http[s]://]hostname[:port]/path
Options are:
-n requests Number of requests to perform
-c concurrency Number of multiple requests to make
-t timelimit Seconds to max. wait for responses
-p postfile File containg data to POST
-T content-type Content-type header for POSTing
-v verbosity How much troubleshooting info to print
-w Print out results in HTML tables
-i Use HEAD instead of GET
-x attributes String to insert as table attributes
-y attributes String to insert as tr attributes
-z attributes String to insert as td or th attributes
-C attribute Add cookie, eg. 'Apache=1234' (repeatable)
-H attribute Add Arbitrary header line, eg. 'Accept-Encoding: zop'
Inserted after all normal header lines. (repeatable)
-A attribute Add Basic WWW Authentication, the attributes
are a colon separated username and password.
-P attribute Add Basic Proxy Authentication, the attributes
are a colon separated username and password.
-X proxy:port Proxyserver and port number to use
-V Print version number and exit
-k Use HTTP KeepAlive feature
-d Do not show percentiles served table.
-S Do not show confidence estimators and warnings.
-g filename Output collected data to gnuplot format file.
-e filename Output CSV file with percentages served
-s Use httpS instead of HTTP (SSL)
-h Display usage information (this message)
ex: 要執行 1000 次的 connection, 20 次的 concurrent (並行, 同時).
語法: ab -n 1000 -c 20 http://localhost/abc.php
產生出來的結果. 主要要注意的是以下幾個.
Time taken for tests: 總共執行花了多久的時間.(以上 1000 次共多久)
Requests per second: 每秒平均可以處理多少個 connection.
源自:http://blog.longwin.com.tw/archives/000513.html
Php5.idv.tw
Posted On 2007年6月25日 星期一 at 於 下午5:25 by LaniMLB》台灣球員史上第一轟 郭泓志
Posted On 2007年6月14日 星期四 at 於 上午8:48 by Lani測試SMTPS or POP3S 主機服務正常。
Posted On 2007年6月8日 星期五 at 於 上午10:37 by Laniopenssl s_client -connect servername:465
smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)
openssl s_client -connect servername:995
pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL
Openwebmail 錯誤訊息
Posted On 2007年6月5日 星期二 at 於 上午11:37 by Laniopenwebmail 登入速度變慢
加入排程
/pathto/cgi-bin/openwebmail/openwebmail-tool.pl -q -a -p -i > /dev/null 2>&1
遇到openwebmail錯誤訊息
使用者欲連上openwebmail
出現session 錯誤xxxoooxxx
原因: quota 限制已到
解法:edquota -u user
查看目前連線至本機的ip 及數量(Debian)
netstat -nta | fgrep "ESTABLISHED" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c |sort -n -r --key=1,7 | head -25
netstat -nta | fgrep "SYN_RECV" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c | sort -n -r --key=1,7 | head -25
Exim 停用實體帳戶
Posted On at 於 上午11:36 by Lani由於exim 本身configure 並沒辦法定義某些實體帳戶暫時停用後, 也不收到信 這邊依exim-user 提供的方法並測試已成功,備忘紀錄一下
vi /usr/exim/configure
於begin routers 加入
block_expired_accounts:
driver = redirect
domains = +local_domains
local_parts = /usr/exim/blocked/accounts
data = :fail: account closed
allow_fail
echo id > /usr/exim/blocked/accounts
chown exim /usr/exim/blocked/accounts
/etc/init.d/exim restart
Exim 安裝並使用Sasl
Posted On at 於 上午11:34 by Laniwget exim-xxx.tgz
tar -zxvf exim-xxx.tgz
cd exim-xxxx
cp src/EDITME Local/Makefile
vi Local/Makefile
需修改的地方
EXIM_USER=exim (如果要使用exim 此user執行,記得先新增)
#EXIM_MONITOR=eximon.bin
AUTH_CRAM_MD5=yes
AUTH_CYRUS_SASL=yes
AUTH_PLAINTEXT=yes
AUTH_LIBS=-lsasl2
SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck
CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
以上是支援sasl認證需unmark 的部份 預設是mark的
LOG_FILE_PATH=/var/log/exim_%slog
wq
useradd -s /sbin/nologin exim
touch /var/log/exim_mainlog
^mainlog^paniclog
^paniclog^rejectlog
chown exim:exim /var/log/exim_*
make
make install
vi /usr/exim/configure
primary_hostname = yourdomain
hostlist relay_from_hosts = allow relay ip/submask
#host_lookup = *
begin authenticators 區段加入
plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
/usr/exim/bin/exim –bd –q 15m 啟動exim
Exim 常用參數 指令
Posted On at 於 上午11:33 by Lani/usr/exim/bin/ (以我安裝路徑為例)
-M 強迫傳送
-Mar 增加接收者
-Meb 修改信件內容
-Mes 修改傳送者
-Mf 凍結
-Mmad 標記所有queue 的信件為已傳送
-Mmd 標記為已傳送
-Mt 解除凍結
移除queue
/usr/exim/bin/exim -Mrm 移除spool內信件但不會出現回應訊息
-Mg 移除並回應訊息
檢查信件
/usr/exim/bin/exim -Mvb 檢查body
/usr/exim/bin/exim -Mvl 檢查log
/usr/exim/ibn/exim -Mvh 檢查header
檢閱參數
/usr/exim/bin/exim -bv 確認exim binary 可使用且成功讀取configure
/usr/exim/bin/exim -bP 所有exim設定的參數值 (配合grep找出需要檢查的地方)
/usr/exim/bin/exim -bp 所有在queue 內的信件
/usr/exim/bin/exim -brt 查詢針對某些網域的重試規則
原廠資料:http://www.exim.org/exim-html-current/doc/html/spec_html/ch05.html