Exim Multidomain Test 2
Posted on 2008-05-07 (Wednesday) 11:02 by Lani

From the Exim specification: the rewrite flag "S" specifies a rewrite of incoming envelope addresses at SMTP time, as soon as an address is received in a MAIL or RCPT command, and before any other processing (even before syntax checking). This is the answer to the problem found in Test 1 below: an S rule has already replaced the secondary domain by the time the RCPT ACL runs, whereas the ordinary flags only rewrite after the ACLs have finished.

References:
31.8. Flags specifying which headers and envelope addresses to rewrite
31.9. The SMTP-time rewriting flag

######################################################################
# REWRITE CONFIGURATION #
######################################################################
Rule used:

begin rewrite
# SMTP-time rule: the pattern is matched against the whole MAIL/RCPT argument,
# angle brackets included, so they are kept outside $1/$2 and put back in the result.
\N^<?([^<>]*)@([^<>]*)>?$\N  "${lookup mysql {SELECT pridomain FROM multidomaindb WHERE secdomain='${quote_mysql:$2}'}{<$1@$value>}fail}"  SE

S  the SMTP-time rewriting flag
E  rewrite all envelope fields

Two things differ from the rule as first tested (\N^(.*)@(.*)$\N with a bare '$2' in the SQL). First, the specification says an S rule is matched against the complete command data including any surrounding angle brackets, so with (.*)@(.*) the closing ">" would end up inside $2 and the lookup would never match. Second, because an S rule runs before Exim has syntax-checked the address, $2 can be anything the client typed, so it must pass through ${quote_mysql:...} before it is interpolated into the SQL. The lookup also needs mysql_servers to be set in the main section (prefix it with "hide" so the credentials do not show up in exim -bP). With E the rule applies to MAIL FROM as well as RCPT TO, so an envelope sender in a secondary domain is rewritten too.
Exim Multidomain Test 1
Posted at 11:01 by Lani

Design goals:
1. Do not disturb the existing host architecture.
2. Build something that meets the requirement quickly.
3. Use Exim address rewriting to do it.

Add a table (multidomaindb in the rule below) with two columns, Pridomain and Secdomain.
Pridomain: the primary domain.
Secdomain: a secondary domain (the second, third, fourth ... domain that maps onto the primary one).

Then edit the rewrite section of the Exim configure file:
######################################################################
# REWRITE CONFIGURATION #
######################################################################
Rule used:

begin rewrite
# $1 = local part, $2 = domain, taken from the two wildcards in the pattern.
# quote_mysql escapes the domain before it goes into the SQL string; the first
# version of this rule interpolated $2 unquoted.
*@*  "${lookup mysql {SELECT pridomain FROM multidomaindb WHERE secdomain='${quote_mysql:$2}'}{$1@$value}fail}"  Tbct

The Tbct flags mean:
T  rewrite the envelope To field
b  rewrite the Bcc: header
c  rewrite the Cc: header
t  rewrite the To: header

Purpose:
Every incoming address in a secondary domain (second domain onwards) is replaced by the same local part in the primary domain and then handed on to the backend host. When the lookup finds no row, "fail" leaves the address unchanged.

Test conclusion: this rewriting happens after the ACL check, i.e. the RCPT ACL still sees the original secondary-domain recipient, so that still has to be dealt with.
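To make the ordering point concrete, here is a small Python model of the two rules from these two posts. It is an added example, not code from the blog or from Exim: the dictionary stands in for the multidomaindb table, the RCPT ACL is a toy that accepts only primary (local) domains, and the domain names are made up. process_rcpt runs an address through both paths; with S the rewrite happens before the ACL, with Tbct only after it, so the secondary-domain recipient is refused.

```python
# Added example (not from the blog or Exim): model of the Tbct and SE rewrite rules and of
# where they sit relative to the RCPT ACL. Table, ACL and domain names are constructed.
import re

# secdomain -> pridomain, i.e. SELECT pridomain FROM multidomaindb WHERE secdomain=...
MULTIDOMAIN = {
    "example.net": "example.com",
    "example.org": "example.com",
}
LOCAL_DOMAINS = {"example.com"}   # what the RCPT ACL and the routers know as local


def lookup_rewrite(local_part, domain):
    """${lookup mysql{...}{$1@$value}fail}: rewritten address, or None when the lookup fails."""
    primary = MULTIDOMAIN.get(domain.lower())
    return f"{local_part}@{primary}" if primary else None


def rewrite(address):
    """Apply the rule pattern ^(.*)@(.*)$; a failed lookup leaves the address unchanged."""
    m = re.match(r"^(.*)@(.*)$", address)
    if not m:
        return address
    return lookup_rewrite(m.group(1), m.group(2)) or address


def rcpt_acl(address):
    """Toy RCPT ACL: accept recipients in local domains, deny everything else."""
    domain = address.rsplit("@", 1)[-1].lower()
    return "accept" if domain in LOCAL_DOMAINS else "deny"


def process_rcpt(address, flags):
    """Return (ACL verdict, envelope recipient as the routers would see it).

    'S' in flags: rewrite before the ACL (SMTP-time rule, Test 2).
    'T' or 'E' without 'S': envelope rewrite happens only after the ACL (Test 1).
    """
    if "S" in flags:
        address = rewrite(address)
    verdict = rcpt_acl(address)
    if verdict == "deny":
        return verdict, None
    if "S" not in flags and ("T" in flags or "E" in flags):
        address = rewrite(address)
    return verdict, address


if __name__ == "__main__":
    for flags in ("Tbct", "SE"):
        print(flags, process_rcpt("bob@example.net", flags))
```

Running it prints ("deny", None) for Tbct and ("accept", "bob@example.com") for SE, which is exactly the difference between the two tests.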
Exim: how to test a system filter
Posted on 2008-04-02 (Wednesday) 18:14 by Lani

Exim system filter

Test command:
# exim -f abc@oio.idv.tw -bfl cde -bfd ezbuy.idv.tw -bF system_filter < testmail.message

Test result:
Sender = abc@oio.idv.tw
Recipient = cde@oio.idv.tw
Testing Exim filter file /usr/exim4/system_filter
Logfile /var/log/exim4/exim_filterlog
Filtering did not set up a significant delivery.
Normal delivery will occur.

Nothing is delivered in this mode; the filter is only evaluated against the message on standard input, so it is safe to run against the production filter file. The file being tested must begin with the line "# Exim filter".

Option descriptions:
-f
This option sets the address of the envelope sender of a locally-generated message (also known as the return path). The option can normally be used only by a trusted user, but untrusted_set_sender can be set to allow untrusted users to use it.
-bF
This option is the same as -bf except that it assumes that the filter being tested is a system filter. The additional commands that are available only in system filters are recognized.
-bfd
This sets the domain of the recipient address when a filter file is being tested by means of the -bf option. The default is the value of $qualify_domain.
-bfl
This sets the local part of the recipient address when a filter file is being tested by means of the -bf option. The default is the username of the process that calls Exim. A local part should be specified with any prefix or suffix stripped, because that is how it appears to the filter when a message is actually being delivered.

Source:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch05.html
Exim Gmail/Hotmail ACL check
Posted on 2007-12-17 (Monday) 21:29 by Lani

In Exim versions before 4.14, using a regular expression in an ACL check causes the host to misjudge the match.

### Gmail Check Start ###
deny  message   = You are not a Gmail server
      senders   = *@gmail.com
      condition = ${if match {$sender_host_name}{\N(^|\.)google\.com$\N}{no}{yes}}
### Gmail Check End ###
### Hotmail Check Start ###
deny  message   = You are not a Hotmail server
      senders   = *@hotmail.com
      condition = ${if match {$sender_host_name}{\N(^|\.)hotmail\.com$\N}{no}{yes}}
### Hotmail Check End ###

The patterns as first written were \Ngoogle.com$\N and \Nhotmail.com$\N. Exim's match is an unanchored search and an unescaped "." matches any character, so a host called mx.notgoogle.com or googlexcom would have passed; the (^|\.) prefix and the escaped dots above accept only the domain itself or a subdomain of it. $sender_host_name is empty when the reverse DNS lookup fails or is not confirmed by a forward lookup; the match then fails and the message is denied.

Today's test result:
Gmail reject count = 3893
Hotmail reject count = 3967
For the two big mail providers, the volume of mail on the net that does not come from their own hosts looks about the same, which suggests spammers forge addresses from both about equally.
Exim: data returned by DNS lists
Posted on 2007-10-31 (Wednesday) 15:43 by Lani

39.25 Data returned by DNS lists
DNS lists are constructed using address records in the DNS. The original RBL just used the address 127.0.0.1 on the right hand side of each record, but the RBL+ list and some other lists use a number of values with different meanings. The values used on the RBL+ list are:
127.1.0.1 RBL
127.1.0.2 DUL
127.1.0.3 DUL and RBL
127.1.0.4 RSS
127.1.0.5 RSS and RBL
127.1.0.6 RSS and DUL
127.1.0.7 RSS and DUL and RBL
Some DNS lists may return more than one address record.
http://www.exim.org/exim-html-4.50/doc/html/spec.html
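An added example (not from the Exim spec or the blog) of decoding those RBL+ answers in Python: the last octet is a bitmask (1 = RBL, 2 = DUL, 4 = RSS), several A records are merged, and an answer outside 127.0.0.0/8 is ignored, which matters because a stale or parked list domain can return arbitrary addresses for every query. In Exim configuration the same idea is expressed as dnslists = <list>=127.1.0.3 (exact value) or dnslists = <list>&0.0.0.3 (bitmask); the reject policy below is constructed.

```python
# Added example (not from the Exim spec or the blog): decode RBL+ style answers whose last
# octet is a bitmask of sub-lists, merge several A records, and ignore answers outside
# 127.0.0.0/8. The reject policy passed to decide() is constructed.
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RBLPLUS_BITS = {1: "RBL", 2: "DUL", 4: "RSS"}    # 127.1.0.<bitmask>, per the table above


def decode_rbl_plus(answer):
    """Set of sub-list names encoded in one A record, or None if the answer is not a
    127.0.0.0/8 address (a stale or parked list domain can return anything)."""
    ip = ipaddress.ip_address(answer)
    if ip not in LOOPBACK:
        return None
    last_octet = int(ip) & 0xFF
    return {name for bit, name in RBLPLUS_BITS.items() if last_octet & bit}


def decide(answers, reject_on):
    """Combine every valid A record and reject if any found category is in reject_on.
    Returns (verdict, categories found); same idea as dnslists = <list>&0.0.0.<mask>."""
    found = set()
    for answer in answers:
        categories = decode_rbl_plus(answer)
        if categories:
            found |= categories
    return ("deny" if found & reject_on else "accept"), found


if __name__ == "__main__":
    print(decide(["127.1.0.2", "127.1.0.4"], {"RBL", "RSS"}))
```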
Exim + Cyrus-IMAPD + Cyrus-sasl2-saslauthd simple install
Posted on 2007-08-12 (Sunday) 14:35 by Lani

Contents: install cyrus-sasl2-saslauthd; install and configure cyrus-imapd; Exim settings.

1. Install cyrus-sasl2-saslauthd
cd /usr/ports/security/cyrus-sasl2-saslauthd
make            (select nothing in the options dialog)
make install
vi /etc/rc.conf
saslauthd_enable="YES"

2. Install cyrus-imapd2
cd /usr/ports/mail/cyrus-imapd2
make
make install
vi /etc/rc.conf
cyrus_imapd_enable="YES"

Configuring IMAP:
1) Create /var/imap and /var/spool/imap
# mkdir /var/imap /var/spool/imap
# chown cyrus:mail /var/imap /var/spool/imap
# chmod 750 /var/imap /var/spool/imap
2) Edit /usr/local/etc/imapd.conf
Make sure you have the following:
admins: cyrus
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
3) Change to user cyrus and execute this
# su cyrus
% /usr/local/cyrus/bin/mkimap
This should create all the required directories with proper permissions.
4) Make sure you have the following in /etc/services
pop3 110/tcp
imap 143/tcp
imsp 406/tcp
acap 674/tcp
imaps 993/tcp
pop3s 995/tcp
kpop 1109/tcp
sieve 2000/tcp
lmtp 2003/tcp
fud 4201/udp
5) Remove any imap, imaps, pop3, pop3s, kpop, lmtp and sieve lines from /etc/inetd.conf
6) Add the following line to the end of /etc/syslog.conf, then reload syslogd
local6.debug /var/log/imapd.log
kill -HUP `cat /var/run/syslog.pid`
7) Create the log file
# touch /var/log/imapd.log
8) Start the saslauthd server
# /usr/local/etc/rc.d/saslauthd.sh start
9) Start the IMAPD server (copy imapd.sh.sample to imapd.sh)
# /usr/local/etc/rc.d/imapd.sh start
10) Set the password for user cyrus
# saslpasswd2 cyrus
Enter the password:
11) Now su to cyrus and test the IMAP server
# su cyrus
% imtest -m login -p imap localhost
Enter the password; if you see "OK User logged in" the server is working. Type ". logout" to exit.
12) Add user mailboxes by logging in with cyradm
% cyradm localhost
localhost@xxxx> cm user.lani
localhost@xxxx> quit
% exit
#
This step creates the user's mailbox.
13) Now set the password for lani using saslpasswd2 (as root)
# saslpasswd2 lani
Enter password:

13.1) Cyrus administration with cyradm:
Connect as the cyrus admin
cyradm -user cyrus localhost
Password:
localhost.oio.idv.tw>
Create a mailbox
localhost.oio.idv.tw> createmailbox user.lani
localhost.oio.idv.tw> listmailbox
user.lani (\HasNoChildren)
Set a mailbox quota (in KB)
localhost.oio.idv.tw> setquota user.lani 50000
quota:50000
List the mailbox quota
localhost.oio.idv.tw> listquota user.lani
STORAGE 0/50000 (0%)
Delete an account: the admin first needs the c right on the mailbox (create/delete in this Cyrus version), then the mailbox can be deleted
localhost.oio.idv.tw> setaclmailbox user.lani cyrus c
localhost.oio.idv.tw> listaclmailbox user.lani
lani lrswipcda
cyrus c
localhost.oio.idv.tw> deletemailbox user.lani

13.2) Authentication
Edit /usr/local/etc/imapd.conf
# The mechanism used by the server to verify plaintext passwords. Possible
# values include "auxprop" or "saslauthd"
#
#sasl_pwcheck_method: auxprop    (authenticate against sasldb directly)
#sasl_pwcheck_method: saslauthd  (authenticate through saslauthd)
sasl_pwcheck_method: saslauthd
With saslauthd selected, the -a flag of saslauthd chooses where the passwords actually live (pam by default); the two variants below change only that flag. On FreeBSD the clean place to set it is saslauthd_flags in /etc/rc.conf rather than editing the rc.d script.

13.2.a) Authenticate against sasldb
Edit /usr/local/etc/rc.d/saslauthd:
#saslauthd_flags=${saslauthd_flags:-"-a pam"}     # Flags to saslauthd program, default pam
saslauthd_flags=${saslauthd_flags:-"-a sasldb"}   # Flags to saslauthd program: sasldb
sasldb
Authenticate against the SASL authentication database.
Now set the password for lani in sasldb using saslpasswd2 (as root):
# saslpasswd2 lani
Enter password:
The sasldb file holds secrets that anyone able to read it can recover, so keep it readable by root and the cyrus user only.

13.2.b) Use the local passwd file
Edit /usr/local/etc/rc.d/saslauthd:
#saslauthd_flags=${saslauthd_flags:-"-a pam"}       # Flags to saslauthd program, default pam
saslauthd_flags=${saslauthd_flags:-"-a getpwent"}   # Flags to saslauthd program: local passwd
getpwent
Authenticate using the getpwent() library function. Typically this authenticates against the local password file.
Set the system password:
# passwd lani
Enter password:

14) Woohoo, that's it. Test from some other machine by telnetting to the IMAP port and check that you get something similar to this:
# telnet 127.0.0.1 imap
Trying 127.0.0.1...
Connected to localhost.oio.idv.tw.
Escape character is '^]'.
* OK oio.idv.tw Cyrus IMAP4 v2.1.18 server ready
. logout
* BYE LOGOUT received
. OK Completed
Connection closed by foreign host.

Exim settings
vi /usr/local/etc/cyrus.conf
SERVICES {
...
lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
}
"-a" makes lmtpd treat every connection as already authenticated, so the service must only be reachable from loopback (as listen="127.0.0.1:lmtp" ensures) or through a unix socket; never bind it to a public address.
/usr/local/etc/rc.d/imapd restart
netstat -an | grep LIST | grep 127.0.0.1
tcp4 0 0 127.0.0.1.2003 *.* LISTEN

## ROUTERS CONFIGURATION ##
The localuser router keeps everything except its transport, which changes from local_delivery to cyrus_lmtp:
localuser:
  driver = accept
  check_local_user
  # local_part_suffix = +* : -*
  # local_part_suffix_optional
  transport = cyrus_lmtp
  cannot_route_message = Unknown user

## TRANSPORTS CONFIGURATION ##
cyrus_lmtp:
  driver = smtp
  protocol = lmtp
  hosts = 127.0.0.1
  allow_localhost
  port = 2003

Sending test:
Exim log
2007-08-12 03:38:21 message accepted: sender=
2007-08-12 03:38:22 1IJwmz-000Jm9-QG <= test@oio.idv.tw H=localhost (.) [127.0.0.1] P=smtp S=317
2007-08-12 03:38:23 1IJwmz-000Jm9-QG => test@oio.idv.tw R=localuser T=cyrus_lmtp H=127.0.0.1 [127.0.0.1]
2007-08-12 03:38:23 1IJwmz-000Jm9-QG Completed
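What the cyrus_lmtp transport does on the wire, as an added Python example (not code from the blog, Exim or Cyrus): a stub lmtpd bound to a free loopback port stands in for Cyrus, and lmtp_deliver performs LHLO / MAIL / RCPT / DATA / QUIT the way Exim's smtp driver with protocol = lmtp does. The difference from SMTP that matters for a mailstore is visible in the result: after DATA, LMTP returns one status per accepted recipient, so Exim can mark one recipient delivered and defer or bounce another from a single transaction. Addresses and the user list are constructed.

```python
# Added example (not from the blog, Exim or Cyrus): the LMTP exchange the cyrus_lmtp
# transport performs against lmtpd on 127.0.0.1:2003. A stub lmtpd on a free loopback
# port stands in for Cyrus; addresses and the mailbox list are constructed.
import socket
import threading

KNOWN_USERS = {"test"}  # mailboxes that exist (user.test); anyone else gets 550 at RCPT


def stub_lmtpd(listener):
    """Minimal lmtpd stand-in: LHLO, MAIL, RCPT, DATA, QUIT; one DATA reply per recipient."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")

    def send(line):
        conn.sendall((line + "\r\n").encode())

    send("220 localhost LMTP stub ready")
    accepted = []
    while True:
        line = rfile.readline().decode().rstrip("\r\n")
        if not line:                                  # EOF
            break
        verb = line.split(" ", 1)[0].upper()
        if verb == "LHLO":
            send("250-localhost")
            send("250-PIPELINING")
            send("250 ENHANCEDSTATUSCODES")
        elif verb == "MAIL":
            send("250 2.1.0 ok")
        elif verb == "RCPT":
            addr = line.split("<", 1)[1].split(">", 1)[0]
            if addr.split("@", 1)[0] in KNOWN_USERS:
                accepted.append(addr)
                send("250 2.1.5 ok")
            else:
                send("550 5.1.1 user unknown")
        elif verb == "DATA":
            send("354 go ahead")
            while rfile.readline().decode().rstrip("\r\n") != ".":
                pass                                  # swallow the dot-stuffed body
            for _ in accepted:                        # LMTP: a status for each recipient
                send("250 2.0.0 delivered")
            accepted = []
        elif verb == "QUIT":
            send("221 2.0.0 bye")
            break
        else:
            send("500 5.5.2 unknown command")
    conn.close()


def lmtp_deliver(host, port, sender, recipients, message):
    """Deliver one message over LMTP; return {recipient: 3-digit status} for every recipient."""
    results = {}
    with socket.create_connection((host, port)) as sock:
        rfile = sock.makefile("rb")

        def reply():                                  # one (possibly multi-line) reply
            lines = []
            while True:
                ln = rfile.readline().decode().rstrip("\r\n")
                lines.append(ln)
                if len(ln) < 4 or ln[3] != "-":
                    return lines

        def cmd(text, expect):
            sock.sendall((text + "\r\n").encode())
            code = reply()[0][:3]
            if expect and code != expect:
                raise RuntimeError(f"{text.split()[0]}: unexpected reply {code}")
            return code

        if reply()[0][:3] != "220":
            raise RuntimeError("bad greeting")
        cmd("LHLO exim.example", "250")
        cmd(f"MAIL FROM:<{sender}>", "250")
        accepted = []
        for rcpt in recipients:
            results[rcpt] = cmd(f"RCPT TO:<{rcpt}>", None)
            if results[rcpt].startswith("2"):
                accepted.append(rcpt)
        if accepted:
            cmd("DATA", "354")
            for line in message.replace("\r\n", "\n").split("\n"):
                if line.startswith("."):
                    line = "." + line                 # dot-stuffing
                sock.sendall((line + "\r\n").encode())
            sock.sendall(b".\r\n")
            for rcpt in accepted:                     # one reply per RCPT, in RCPT order
                results[rcpt] = reply()[0][:3]
        cmd("QUIT", None)
    return results


def run_demo():
    """Start the stub on a free loopback port and deliver to one known and one unknown user."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=stub_lmtpd, args=(listener,), daemon=True)
    server.start()
    msg = "From: test@oio.idv.tw\r\nSubject: lmtp test\r\n\r\n.line starting with a dot\r\nhello\r\n"
    results = lmtp_deliver("127.0.0.1", port, "test@oio.idv.tw",
                           ["test@oio.idv.tw", "nobody@oio.idv.tw"], msg)
    server.join(timeout=5)
    listener.close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The result maps test@ to 250 (taken from the per-recipient replies after DATA) and nobody@ to 550 (refused at RCPT), which is how Exim ends up logging one recipient as delivered and bouncing the other.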
Receiving test:
tail -f /var/log/imapd.log
Aug 12 03:47:35 oio.idv.tw master[76073]: about to exec /usr/local/cyrus/bin/pop3d
Aug 12 03:47:35 oio.idv.tw pop3[76073]: executed
Aug 12 03:47:35 oio.idv.tw pop3d[76073]: accepted connection
Aug 12 03:47:44 oio.idv.tw pop3d[76073]: login: localhost.oio.idv.tw[127.0.0.1] test plaintext
Aug 12 03:53:18 oio.idv.tw master[76069]: process 76073 exited, status 0
The "login: ... test plaintext" line shows a plaintext login. Once TLS is configured below, set allowplaintext: no in imapd.conf so that plaintext mechanisms are only offered inside a TLS session.

Configuring with SSL
Create a server key and certificate (both are written into one file here, although splitting them is possible)
# su - cyrus
% openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout /var/imap/server.pem -days 3650
Generating a 1024 bit RSA private key
....++++++
.....++++++
unable to write 'random state'
writing new private key to '/var/imap/server.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:oio.idv.tw
Organizational Unit Name (eg, section) []:Se
Common Name (eg, YOUR name) []:Lani
Email Address []:se@oio.idv.tw
The "unable to write 'random state'" message is harmless (OpenSSL could not save its seed file in the cyrus home directory). The 1024-bit default of that OpenSSL release is below today's minimum; pass -newkey rsa:2048 (or larger). Because the file also contains the private key, make it mode 0600 and owned by cyrus, and since the certificate is self-signed, clients have to be told to trust it explicitly.
Make sure the following options exist in /usr/local/etc/imapd.conf
# keep the method chosen in 13.2 (the original tutorial said auxprop here)
sasl_pwcheck_method: saslauthd
tls_key_file: /var/imap/server.pem
tls_ca_file: /var/imap/server.pem
tls_cert_file: /var/imap/server.pem
Restart imapd
# /usr/local/etc/rc.d/imapd restart
How to test pop3s:
# openssl s_client -connect localhost:995

References:
Cyrus-IMAP: http://www.soe.ucsc.edu/~venkat/tutorial1.html
Exim LMTP transport: http://wiki.exim.org/CyrusImap?highlight=%28cyrus%29
Exim with DomainKeys Config
Posted on 2007-08-02 (Thursday) 17:36 by Lani

1. How it works
How DomainKeys works: the sending server
DomainKeys first sets up two things:
(1) Key setup: the domain generates a key pair, a public key and a private key. The public key is published in the domain's DNS, and the private key stays on the sending server. This is step "A" in the sending diagram on the original Yahoo page.
(2) Signing: when a message is sent, the server computes a digital signature over it with the private key, attaches the signature as a header of the outgoing message, and sends it to the recipient's mail server. This is step "B".
How DomainKeys works: the receiving server
The receiving side then goes through three checks:
(1) Fetching the key: the receiving server takes the signature carried in the message headers and fetches the sender domain's public key from DNS. Step "C".
(2) Verifying: it checks the signature against the public key and that the signed sender address belongs to the domain. If the signature does not verify, the message claims a domain it was not sent by, and is very likely spam or phishing.
(3) Delivery: messages that verify are delivered to the recipient's mailbox; messages that fail are blocked, tagged or quarantined. Step "D".

2. Installation
(1) Install the libdomainkeys module; the port installs libdomainkeys-0.68.tar.gz.
cd /usr/ports/mail/libdomainkeys
make
make install
(2) Rebuild Exim 4 with the following three lines added to Local/Makefile:
EXPERIMENTAL_DOMAINKEYS=yes
CFLAGS += -I/usr/local/include
LDFLAGS += -ldomainkeys -L/usr/local/lib
DomainKeys is the obsolete predecessor of DKIM. Exim dropped EXPERIMENTAL_DOMAINKEYS when native DKIM signing and verification arrived in 4.70, so on a current Exim the dkim_* transport options do this job.

3. Configuration
(1) Generate the public/private key pair
Run (command, domain name, key size in bits):
/usr/ports/mail/libdomainkeys/work/libdomainkeys-0.68/dknewkey rbl.oio.idv.tw 1024
It prints the public key as the TXT record to put in DNS:
rbl.oio.idv.tw._domainkey IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJne/nnqsi6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PUsiQaD4ZY10bBqtRwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB"
dknewkey names the record after the domain, but a verifier queries <selector>._domainkey.<domain>, so change rbl.oio.idv.tw._domainkey to private._domainkey.rbl.oio.idv.tw (private being the selector set in dk_selector below) and the record takes effect.
It also writes a file named rbl.oio.idv.tw containing the private key:
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----
Keep this file readable by the Exim user only.

(2) Exim configuration
Outgoing mail:
## ROUTERS Configuration ##
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  # transport = remote_smtp
  transport = dk_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
## TRANSPORTS Configuration ##
dk_smtp:
  driver = smtp
  # private key file; comments must sit on their own line, because in Exim a
  # trailing "## ..." on an option line is part of the value
  dk_private_key = /usr/exim/dk/rbl.oio.idv.tw
  dk_selector = private
  dk_domain = rbl.oio.idv.tw
  dk_canon = nofws
  #dk_canon = simple
##### headers of a test message as received by Yahoo Mail #####
From xxx@rbl.oio.idv.tw Wed Jul 25 17:56:27 2007
Return-Path:
Authentication-Results: mta194.mail.tp2.yahoo.com from=rbl.oio.idv.tw; domainkeys=pass (ok)
Received: from 210.68.43.7 (EHLO rbl.oio.idv.tw) (210.68.43.7)
by mta194.mail.tp2.yahoo.com with SMTP; Wed, 25 Jul 2007 17:56:27 +0800
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=rbl.oio.idv.tw;
h=Received:subject:from:rcpt:DomainKeys-Status;
b=XkyCN9f/bymGRW8tZejjxBbRxkQyNc5iXd2jv9pz7XyI1Pq8M5JCm2SethinzoVVbrSsgJcEq3dYyISUkap2tQ==;
Received: from localhost ([127.0.0.1] helo=.)
by rbl.oio.idv.tw with smtp (Exim 4.67)
(envelope-from
id 1IDdbQ-0003cL-Sz
for xxxx@yahoo.com.tw; Wed, 25 Jul 2007 17:56:46 +0800
subject:test
from:xxxx@rbl.oio.idv.tw
rcpt:xxxx@yahoo.com.tw
DomainKeys-Status: no signature

Incoming mail:
## ACL Configuration ##
In the RCPT ACL (enables DomainKeys verification for the message):
warn  control = dk_verify
In the DATA ACL:
warn  message     = DomainKeys-Status: $dk_status
      log_message = DK status: $dk_status testing: $dk_testing signall: $dk_signsall
deny  message     = DomainKeys signature did not verify.
      condition   = ${if eq{$dk_testing}{0}{1}{0}}
Caveat: the deny statement tests only $dk_testing, i.e. whether the sender domain's DomainKeys policy is in testing mode. It therefore rejects every message from a domain that is not in testing mode, including unsigned mail from domains that publish no DomainKeys records at all and correctly signed mail from domains whose policy is not "testing", while a forged message claiming a domain in testing mode passes. A rejection rule should look at $dk_status (the value the warn statement logs) and reject only when verification actually failed.

Test results:
(1) DATA ACL log for a message without a signature, rejected:
2007-07-30 18:20:53 1IFSMv-0008QW-Fj H=rbl.oio.idv.tw (rbl.oio.idv.tw) [210.68.43.7] Warning: DK status: no signature testing: 0 signall: 0
2007-07-30 18:20:53 1IFSMv-0008QW-Fj H=rbl.oio.idv.tw (rbl.oio.idv.tw) [210.68.43.7] F=
(2) DATA ACL log for a signed message that passed:
2007-07-30 18:22:01 1IFSO1-0008QZ-3I H=web72805.mail.tp2.yahoo.com [203.188.200.195] Warning: DK status: good testing: 1 signall: 0
2007-07-30 18:22:01 1IFSO1-0008QZ-3I <= xx@yahoo.com.tw H=web72805.mail.tp2.yahoo.com [203.188.200.195] P=smtp S=2304 id=869287.96999.qm@web72805.mail.tp2.yahoo.com
2007-07-30 18:22:01 1IFSO1-0008QZ-3I => xxx
2007-07-30 18:22:01 1IFSO1-0008QZ-3I Completed
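What a DomainKeys verifier does with the data in this post, as an added Python example (not the blog's or libdomainkeys' code): it parses the DomainKey-Signature header from the Yahoo headers above and the TXT record printed by dknewkey, derives the selector record name (private._domainkey.rbl.oio.idv.tw, the corrected name from step (1)), decodes the p= value far enough to read the RSA modulus size and exponent, and implements the nofws canonicalisation that dk_canon = nofws selects. The sample headers and body passed to nofws_canonical are constructed. Two things the numbers show: the published key is 1024 bits, and the b= value in the Yahoo-received header decodes to 64 bytes, i.e. that test message was signed with a 512-bit key, far below any acceptable size today.

```python
# Added example (not from the blog or libdomainkeys): parse the DomainKey-Signature header and
# the _domainkey TXT record from this post, derive the DNS name a verifier queries, decode the
# public key to check its size, and apply nofws canonicalisation (RFC 4870). The header and
# record values are copied from the post; the headers/body given to nofws_canonical are constructed.
import base64


def parse_tags(value):
    """Parse 'tag=value; tag=value' (DomainKey-Signature header or _domainkey TXT record).
    Folding whitespace inside values (as in a wrapped b= tag) is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def dns_name(sig_tags):
    """Selector record queried by the verifier: <s>._domainkey.<d> (TXT)."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: 0x8n means n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key(spki_der):
    """(n, e) from a DER SubjectPublicKeyInfo, the structure base64-encoded in p=."""
    tag, spki, _ = _tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _alg, pos = _tlv(spki, 0)                      # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    _, rsakey, _ = _tlv(bits[1:], 0)                  # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, pos = _tlv(rsakey, 0)
    tag_e, e_bytes, _ = _tlv(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def nofws_canonical(headers, body, h_list):
    """DomainKeys nofws: strip all whitespace from each signed header and body line, join with
    CRLF, drop trailing empty body lines. Simplified: it takes the headers named in h= in
    message order and ignores the rule that only headers after DomainKey-Signature count."""
    wanted = [h.lower() for h in h_list]
    lines = ["".join(f"{name}:{value}".split())
             for name, value in headers if name.lower() in wanted]
    body_lines = ["".join(line.split()) for line in body.splitlines()]
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    return "\r\n".join(lines + body_lines) + "\r\n"


# Values as printed in the post (public data).
TXT_RECORD = ("k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIz9mdp6hZJaMQcmKjxZvimLyJkUHOyZCAqcZJw3EJ"
              "ne/nnqsi6Fae9BkGn8PDWJFGY5z2C4Zoo7D6WvVuVXhWoUfbmTo1bCb8XeICLwQlH0Ou42PUsiQaD4ZY10bBqt"
              "RwizrFv+RrJdCXdH+Jp6vdP4cfe+JzBVbF5ksaoM+ExQIDAQAB")
SIGNATURE_HEADER = ("a=rsa-sha1; q=dns; c=nofws; s=private; d=rbl.oio.idv.tw; "
                    "h=Received:subject:from:rcpt:DomainKeys-Status; "
                    "b=XkyCN9f/bymGRW8tZejjxBbRxkQyNc5iXd2jv9pz7XyI1Pq8M5JCm2SethinzoVVbrSsgJcEq3dYyISUkap2tQ==;")


def check_record():
    """Summarise what a verifier learns from the header and the DNS record."""
    sig = parse_tags(SIGNATURE_HEADER)
    rec = parse_tags(TXT_RECORD)
    n, e = rsa_public_key(base64.b64decode(rec["p"]))
    return {
        "query": dns_name(sig),
        "key_type": rec.get("k"),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "canon": sig["c"],
        "signature_bytes": len(base64.b64decode(sig["b"])),
    }


if __name__ == "__main__":
    print(check_record())
```

The DER reader handles only what a p= value contains (short and long-form lengths, SEQUENCE, BIT STRING, INTEGER); it is enough to read the key size, which is the first thing to check on a record inherited from a 2007 setup.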
4. References:
libdomainkeys download: http://sourceforge.net/projects/domainkeys/
http://domainkeys.sourceforge.net/
Exim wiki: http://wiki.exim.org/DomainKeys
Yahoo explanation (Chinese): http://tw.promo.yahoo.com/antispam/domainkeys.html
Yahoo explanation (English): http://antispam.yahoo.com/domainkeys
Exim system filter sample config
Posted on 2007-06-26 (Tuesday) 17:09 by Lani

A note before the sample: every "fail" below bounces a message that has already been accepted, and most of the mail it matches has a forged sender, so the bounces become backscatter. Rejecting at SMTP time in the ACL (see the ACL post below) avoids that. The first line of a filter file must be exactly "# Exim filter".

# Exim filter
### Precautions, precautions...
# Drop out if the message is an error message.
if error_message then finish endif
### Assorted spam filtering stuff follows
## My users are trustworthy (because they're me!) - don't check locally sent mail.
# Note: "contains" is a substring test, so a sender domain such as demon.co.uk
# also matches this list; use an "is" test per domain if this must be strict.
if "arkane.demon.co.uk:arkane.net:arkane.co.uk" contains $sender_address_domain then
finish
endif
## Arrange log file
logfile /exim/filterlog
## First, handle the white list
# These are the blessed mail addresses which don't get filtered.
# And always allow postmaster mail through.
if "${lookup {${lc:$sender_address}}dbm{/etc/filters/whitelist} {white} {grey}}" is white or
$header_to: contains "postmaster@" then
finish
endif
## If they've used the magic word, let the mail go through.
if $header_subject: contains "DELETED FOR PUBLIC CONSUMPTION" then
finish
endif
## Then, handle the black list.
# Bounce all mail from these sites or addresses with a nasty message.
if "${lookup {${lc:$sender_address_domain}}dbm{/etc/filters/blacklist} {black} {grey}}" is black or
"${lookup {${lc:$sender_address}}dbm{/etc/filters/blacklist} {black} {grey}}" is black then
fail
finish
endif
## Heuristic spam filtering
# Tell-tale spam headers - X-UIDL, X-PMFLAGS, X-Advertisement
if "${if def:header_x-uidl: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-uidl header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-1: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-1 header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-pmflags: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-pmflags header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if "${if def:header_x-advertisement: {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
x-advertisement header indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Authenticated sender, and not from pegasus
if "$h_comments" contains "authenticated sender" and
"$h_x-mailer" does not contain "pegasus" then
log "message $message_id from $header_from: to $header_to: failed.\n\
authenticated sender (not from pegasus) indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Claims to be from hotmail.com
if "$h_from" contains "hotmail.com" and
"${if !def:header_x-originating-ip {nospam}}" is nospam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from hotmail, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# claims to be from juno.com
if "$h_from" contains "juno.com" and
"${if def:header_x-mailer {juno} {spam}}" is spam then
log "message $message_id from $header_from: to $header_to: failed.\n\
claimed to be from juno, but not verifiable - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Broken message-IDs
if $header_message-id does not contain "@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Message-ID does not contain '@' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the host (From||To) numeric?
if "$header_from: $header_to:" contains "@\\\\d+\\." then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: or To: header contains numeric hostname - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the local-part numeric and 8 digits?
if $local_part matches "^\\\\d{8}\\$" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Local part is an 8 digit numeric - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is the To: address contained in the From: address?
if ( $header_from: contains $header_to: )
and ( "${if def:header_to: {present}}" is present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
From: contains To: which indicates probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Is neither a To: nor a Cc: header present?
if ( "${if def:header_to: {present}}" is not present )
and ( "${if def:header_cc: {present}}" is not present ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Neither To: nor Cc: headers present - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Other funny Received headers?
if $header_received: contains "[000.000.000.000]" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the invalid IP [000.000.000.000] - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "-0600 (EST)" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the dubious time zone setting -0600 (EST) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_received: contains "CLOAKED" then
log "message $message_id from $header_from: to $header_to: failed.\n\
Received: included the string 'CLOAKED' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bcc'ed to public addresses?
if ( $header_bcc: contains "-usenet" ) or
( $header_bcc: contains "-sig" ) then
log "message $message_id from $header_from: to $header_to: failed.\n\
Bcc'ed to a public address (-usenet or -sig) - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
# Bogus To: headers.
if $header_to: contains "Friend@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'Friend' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
if $header_to: contains "you@" then
log "message $message_id from $header_from: to $header_to: failed.\n\
To: header included bogus local-part 'you' - probable spam.\n\
------------------------------------------------------------------------------"
fail
finish
endif
### That's it!
Exim ACL Spam Filters Config
Posted at 14:01 by Lani

Stopping Spam in the ACL
Exim ACL Spam Filters
This is a mirror of http://vamos-wentworth.org/exim-tricks.html (with a few very minor amendments).
I have been unable to get to the site since September, so I decided to mirror the above URL. It was very useful information for me when I first started out with Exim, hence my sharing it.
All credit goes to the original author. THIS IS NOT A DOCUMENT WRITTEN BY MYSELF, so all rights go to the original author, rossz-work [at] vamos-wentworth [dot] org.
These antispam tips are for Exim 4.x. If you don't know how to modify the helo, rcpt, and data ACLs, then these suggestions won't do you much good.
###############################################################################
HELO ACL
###############################################################################
You can block a lot of spammers right after they say HELO. They have a tendency to lie but, fortunately, it's often easy to catch them in their lie.
The first thing a remote system is supposed to do when it connects is to say "HELO domain.com". It is legal to use an IP address with the HELO, but losing acceptance. A spammer might try to HELO with your own IP address. There is absolutely no legitimate reason for someone else to use your IP address here. Plug your own IP address in here where it says ##.##.##.##. Repeat this for each IP address you handle.
deny  message     = HELO/EHLO with my ip address. You are not me.
      log_message = HELO/EHLO my.ip
      condition   = ${if eq {$sender_helo_name}{##.##.##.##} {yes}{no}}
Basically the same thing as the previous filter, but using your domain name instead of your IP address. You should repeat this filter for each domain you control.
deny  message     = HELO/EHLO with my domain name. You are not me.
      log_message = HELO/EHLO my.domain
      condition   = ${if match {$sender_helo_name}{your-domain.com} {yes}{no}}
Giving a domain name of 'none' isn't valid, so tell them to bugger off. This filter can be left out since the "period" filter below will catch it.
deny  message     = No HELO/EHLO name specified.
      log_message = HELO/EHLO none
      condition   = ${if match {$sender_helo_name}{none} {yes}{no}}
A remote system saying they are localhost? Sure they are. This filter can also be omitted if you use the "period" filter below.
deny  message     = You are not localhost.
      log_message = HELO/EHLO localhost
      condition   = ${if match {$sender_helo_name}{localhost} {yes}{no}}
A proper domain will contain at least one period. A good percentage of spam worms HELO with random characters without a period.
deny  message   = Invalid HELO/EHLO. You are either spam/a virus, or your system administrator has incorrectly configured your network.
      condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
###############################################################################
RCPT ACL
###############################################################################
Spammers like to forge some big names when they send you email. We can't easily check all of them, not until Sender Permitted From (SPF) is widely used. At least we can check for some of the most commonly abused domains: Yahoo, Hotmail, MSN, and AOL. These four filters will reject email with forged From: addresses containing the "big four" domains.
#Fake Yahoo
deny  message     = Suspected Faked Yahoo Account, E-mail Rejected.
      log_message = Fake Yahoo
      senders     = *@yahoo.com
      condition   = ${if match{$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#Fake Hotmail
deny  message     = Suspected Faked Hotmail Account, E-mail Rejected.
      log_message = Fake hotmail
      senders     = *@hotmail.com
      condition   = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
#Fake MSN
deny  message     = Suspected Faked MSN Account, E-mail Rejected.
      log_message = Fake MSN
      senders     = *@msn.com
      condition   = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
# Fake AOL
deny  message     = Suspected Faked AOL Account, E-mail Rejected.
      log_message = Fake AOL
      senders     = *@aol.com
      condition   = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
Of course, using a few good blacklists is a good idea. I put my blacklist checks immediately after the big four filters.
###############################################################################
DATA ACL
###############################################################################
A valid email should have a message id. Spamming software (and viruses) often don't. So refuse them. Note, this filter has been known to break the rare email sent from a highly customized Qmail server. Personally, I don't care.
deny  condition = ${if !def:h_Message-ID: {1}}
      message   = Message SHOULD have Message-ID: but does not
Email should have a proper date. So goodbye if it doesn't.
deny  condition = ${if !def:h_Date: {1}}
      message   = Message SHOULD have Date: but does not
You'll need the Exiscan patch for the mime handling to work.
Required to do any mime handling, plus, a broken mime attachment might be an attempt to infect or break into your system.
deny  message     = Serious MIME defect detected ($demime_reason)
      log_message = Broken MIME ($demime_reason)
      demime      = *
      condition   = ${if >{$demime_errorlevel}{2}{1}{0}}
Refuse dangerous attachments. This gets a large number of viruses. It also catches a lot of spam with hidden surprises.
deny  message     = $found_extension files are not accepted here
      log_message = Dangerous extension ($found_extension)
      demime      = com:vbs:bat:pif:scr:exe
For Windows clients, Microsoft has included a lovely little surprise. It is possible to attach a file with a CLSID in the name which causes Windows to hide the file extension. This is entirely independent of the "Hide file extensions for known file types" folder option. This is extremely dangerous, so let's just refuse the bastards.
deny  message     = Hiding of file extensions is not allowed!
      log_message = Dangerous extension (CLSID hidden)
      regex       = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
http://vamos-wentworth.org/exim-tricks.html
http://www.carbonstudios.co.uk/site/44/180.html
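The "fake big-provider" checks from the Gmail/Hotmail post above and from the RCPT ACL of this mirrored page, modelled in Python as an added example (not the blog's, the mirrored page's or Exim's code). Exim's ${if match ...} is an unanchored regular-expression search, so the patterns as written accept any host name that merely ends in the provider's name, and the unescaped dot matches any character; the ANCHORED set shows the tightened form. Host names are constructed. These are 2004-era heuristics: the providers' outbound host names have changed since, and SPF/DKIM/DMARC answer the same question properly.

```python
# Added example (not from the blog, the mirrored page or Exim): the "senders = *@provider" +
# "condition = ${if match{$sender_host_name}{pattern}{no}{yes}}" rule as written, beside an
# anchored version, evaluated over constructed sender/host pairs.
import re

# Patterns exactly as the ACL conditions write them (unanchored search, unescaped dots).
AS_WRITTEN = {
    "gmail.com":   r"google.com$",
    "hotmail.com": r"hotmail.com$",
    "yahoo.com":   r"yahoo.com$",
    "msn.com":     r"(hotmail|msn).com$",
    "aol.com":     r"mx.aol.com$",
}
# Same intent: the host must be the provider's domain or a subdomain of it, dot literal.
ANCHORED = {
    "gmail.com":   r"(^|\.)google\.com$",
    "hotmail.com": r"(^|\.)hotmail\.com$",
    "yahoo.com":   r"(^|\.)yahoo\.com$",
    "msn.com":     r"(^|\.)(hotmail|msn)\.com$",
    "aol.com":     r"(^|\.)mx\.aol\.com$",
}


def acl_verdict(sender_address, sender_host_name, patterns):
    """deny  senders   = *@<domain>
             condition = ${if match{$sender_host_name}{<pattern>}{no}{yes}}
    $sender_host_name is '' when reverse DNS failed or was not forward-confirmed; the
    match then fails, the condition is 'yes' and the rule denies."""
    domain = sender_address.rsplit("@", 1)[-1].lower()
    pattern = patterns.get(domain)
    if pattern is None:
        return "accept"        # senders = *@<domain> did not match, rule not applied
    return "accept" if re.search(pattern, sender_host_name) else "deny"


SAMPLES = [  # (envelope sender, forward-confirmed reverse DNS name of the connecting host)
    ("someone@gmail.com",   "mail-wr1-f41.google.com"),      # genuine
    ("someone@gmail.com",   "mx.evil-google.com"),           # ends in google.com, is not it
    ("someone@gmail.com",   "googlexcom"),                   # unescaped dot matches 'x'
    ("someone@gmail.com",   ""),                             # no verified reverse DNS
    ("someone@hotmail.com", "bay0-omc1-s3.bay0.hotmail.com"),
    ("someone@example.com", "anything.example.net"),         # rule does not apply
]


def compare(samples=SAMPLES):
    """(sender, host, verdict as written, verdict anchored) for each sample."""
    return [(addr, host,
             acl_verdict(addr, host, AS_WRITTEN),
             acl_verdict(addr, host, ANCHORED))
            for addr, host in samples]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The second and third samples are the ones that matter: the rule as written lets them through, the anchored one does not, and both forms deny a sender with no verified reverse DNS, which is a policy decision to be aware of before deploying either.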
Openwebmail error messages
Posted on 2007-06-05 (Tuesday) 11:37 by Lani

Openwebmail logins have become slow
Add a cron job:
/pathto/cgi-bin/openwebmail/openwebmail-tool.pl -q -a -p -i > /dev/null 2>&1

Openwebmail error message
A user trying to reach openwebmail gets a session error (xxxoooxxx).
Cause: the user's disk quota is exhausted.
Fix: edquota -u user

List the IPs currently connected to this host, with counts (Debian):
netstat -nta | fgrep "ESTABLISHED" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c | sort -n -r --key=1,7 | head -25
netstat -nta | fgrep "SYN_RECV" | cut -b 43-75 | cut -d ':' -f1 | sort | uniq -c | sort -n -r --key=1,7 | head -25
The cut -b 43-75 column positions depend on the netstat output format of that Debian release; check them before relying on the counts.
Exim: disabling real accounts
Posted at 11:36 by Lani

The Exim configure file has no option for temporarily disabling certain real (system) accounts so that they stop receiving mail as well. The method below came from the exim-users list; it was tested successfully and is recorded here.
vi /usr/exim/configure
In the begin routers section add (before the router that delivers to local users, so the blocked names are caught first):
block_expired_accounts:
  driver = redirect
  domains = +local_domains
  local_parts = /usr/exim/blocked/accounts
  data = :fail: account closed
  allow_fail
local_parts reads the file as a list, one local part per line; allow_fail is what permits the :fail: redirection, and the message is then rejected at RCPT time with "account closed".
echo id > /usr/exim/blocked/accounts        (id = the account to block)
chown exim /usr/exim/blocked/accounts
/etc/init.d/exim restart
Exim: build and use SASL
Posted at 11:34 by Lani

wget exim-xxx.tgz
tar -zxvf exim-xxx.tgz
cd exim-xxxx
cp src/EDITME Local/Makefile
vi Local/Makefile
Settings to change:
EXIM_USER=exim            (to run Exim as this user, create it first)
#EXIM_MONITOR=eximon.bin
AUTH_CRAM_MD5=yes
AUTH_CYRUS_SASL=yes
AUTH_PLAINTEXT=yes
AUTH_LIBS=-lsasl2
SUPPORT_TLS=yes
TLS_LIBS=-lssl -lcrypto
# or, when OpenSSL is installed outside the system paths:
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck
CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
The lines above are the ones that must be uncommented for SASL authentication; they are commented out by default.
LOG_FILE_PATH=/var/log/exim_%slog
:wq
useradd -s /sbin/nologin exim
touch /var/log/exim_mainlog
touch /var/log/exim_paniclog      (the original used the shell's ^mainlog^paniclog history substitution)
touch /var/log/exim_rejectlog
chown exim:exim /var/log/exim_*
make
make install
vi /usr/exim/configure
primary_hostname = yourdomain
hostlist relay_from_hosts = <IP/netmask allowed to relay>
#host_lookup = *
In the begin authenticators section add:
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
PLAIN and LOGIN send the password in the clear, so add server_advertise_condition = ${if def:tls_cipher} to both authenticators so they are only offered once TLS is up; server_set_id ($2 for PLAIN, $1 for LOGIN) records the authenticated user in the log.
/usr/exim/bin/exim -bd -q15m           start Exim as a daemon with a queue run every 15 minutes
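Why the PLAIN authenticator uses {$2}{$3} while LOGIN uses {$1}{$2}, shown as an added Python example (not the blog's or Exim's code): plain_fields splits an AUTH PLAIN response into the three NUL-separated fields Exim numbers $1 (authorization id, usually empty), $2 (authentication id) and $3 (password); LOGIN gets two separate replies, $1 and $2. The user table and the saslauthd check are constructed stand-ins; in Exim the check is saslauthd itself. Getting the numbers wrong means the password is checked against the wrong field.

```python
# Added example (not from the blog or Exim): how Exim's plaintext authenticator numbers the
# client data for PLAIN and LOGIN, which is why the config uses {$2}{$3} for PLAIN and
# {$1}{$2} for LOGIN. The user table is a constructed stand-in for the saslauthd check.
import base64

USERS = {"lani": "correct horse"}   # constructed; in Exim, saslauthd holds the real check


def plain_fields(initial_response_b64):
    """AUTH PLAIN data is authzid NUL authcid NUL password (RFC 4616). Exim exposes the
    NUL-separated parts as $1, $2, $3; a client that sends no authzid leaves $1 empty."""
    parts = base64.b64decode(initial_response_b64).decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN data must have exactly three NUL-separated fields")
    return {"$1": parts[0], "$2": parts[1], "$3": parts[2]}


def login_fields(username_b64, password_b64):
    """AUTH LOGIN answers the two server_prompts separately; Exim numbers them $1 and $2."""
    return {"$1": base64.b64decode(username_b64).decode("utf-8"),
            "$2": base64.b64decode(password_b64).decode("utf-8")}


def saslauthd_condition(user, password):
    """Model of ${if saslauthd{{user}{password}}{1}{0}}: '1' on success, '0' otherwise."""
    return "1" if USERS.get(user) == password else "0"


def authenticate_plain(initial_response_b64):
    """server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}"""
    fields = plain_fields(initial_response_b64)
    return saslauthd_condition(fields["$2"], fields["$3"])


def authenticate_login(username_b64, password_b64):
    """server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}"""
    fields = login_fields(username_b64, password_b64)
    return saslauthd_condition(fields["$1"], fields["$2"])


def client_plain(user, password, authzid=""):
    """What a client sends after AUTH PLAIN (or as the initial response)."""
    return base64.b64encode(f"{authzid}\x00{user}\x00{password}".encode("utf-8")).decode()


def client_login(user, password):
    """The two base64 replies a client gives to the Username: and Password: prompts."""
    return (base64.b64encode(user.encode("utf-8")).decode(),
            base64.b64encode(password.encode("utf-8")).decode())


if __name__ == "__main__":
    print(authenticate_plain(client_plain("lani", "correct horse")))
    print(authenticate_login(*client_login("lani", "correct horse")))
```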
Exim: commonly used options and commands
Posted at 11:33 by Lani

/usr/exim/bin/ (my install path, used in the examples below). The -M options all take a message id.
-M <id>                force delivery
-Mar <id> <address>    add a recipient
-Meb <id>              edit the message body
-Mes <id> <address>    edit (replace) the sender
-Mf <id>               freeze
-Mmad <id>             mark all recipients of the message as delivered
-Mmd <id> <address>    mark a recipient as delivered
-Mt <id>               thaw (unfreeze)
Removing from the queue
/usr/exim/bin/exim -Mrm <id>   remove the message from the spool without sending a bounce
/usr/exim/bin/exim -Mg <id>    give up on the message and send a bounce
Inspecting a message
/usr/exim/bin/exim -Mvb <id>   view the body
/usr/exim/bin/exim -Mvl <id>   view the message log
/usr/exim/bin/exim -Mvh <id>   view the spool header
Checking settings
/usr/exim/bin/exim -bV          confirm the binary works and the configure file loads (capital V; lowercase -bv verifies an address)
/usr/exim/bin/exim -bP          print all option values (combine with grep to find the one to check)
/usr/exim/bin/exim -bp          list the messages in the queue
/usr/exim/bin/exim -brt <domain>  show the retry rules that apply to a domain
Vendor documentation: http://www.exim.org/exim-html-current/doc/html/spec_html/ch05.html
Exim: SmartHost config
Posted on 2007-05-30 (Wednesday) 23:20 by Lani

Exim smart host setup
A smarthost is set up in the router section of the configure file. In the begin routers section add:
smart_msa:
  # file lines are "domain: yes"; the router applies only when the recipient domain is listed
  condition = ${lookup{$domain}lsearch{/usr/exim/smarthost_multiple}{$value}fail}
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  # ms25.hinet.net is the MX supplied by HiNet
  route_list = * ms25.hinet.net
  no_more
Add to /usr/exim/configure: when the condition matches, the upstream ISP's SMTP server relays the mail. The condition can select on the destination domain, on a file of domains, or on the local sending user:
smart_sonet:
  # by destination domain
  condition = ${if match {${lc:$domain}} {yahoo.com.tw} {true} fail}
  # by file
  #condition = ${lookup{$domain}lsearch{/usr/exim/smarthost_multiple}{$value}fail}
  # by local sending user
  #condition = ${if match {${lc:$sender_address}} {usnei@oio.idv.tw} {true} fail}
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  # so-net.net.tw is the MX supplied by So-net
  route_list = * so-net.net.tw
smart_directly:
  condition = ${if match {${lc:$domain}} {yahoo.com.tw} {true} fail}
  driver = manualroute
  domains = !+local_domains
  transport = remote_smtp
  # seed.net.tw is the MX supplied by SEEDNet
  route_list = * seed.net.tw
In Exim a # in the middle of an option line is part of the value, not a comment, which is why the host comments above sit on their own lines (the original had them after the route_list values). The original smart_msa condition was also wrapped in an extra pair of braces, {${lookup ...}}, which is not valid expansion syntax.
Source: funnyd.idv.tw