exim/exim-4.90.1-greylist-conf.patch

diff --git a/src/configure.default b/src/configure.default
index 72675be..30ffc8c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -107,6 +107,7 @@ hostlist   relay_from_hosts = localhost
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
 
+acl_smtp_mail = acl_check_mail
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
 acl_smtp_mime = acl_check_mime
@@ -371,6 +372,29 @@ timeout_frozen_after = 7d
 
 begin acl
 
+
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+
+  # Hosts are required to say HELO (or EHLO) before sending mail.
+  # So don't allow them to use the MAIL command if they haven't
+  # done so.
+
+  deny condition = ${if eq{$sender_helo_name}{} {1}}
+       message = Nice boys say HELO first
+
+  # Use the lack of reverse DNS to trigger greylisting. Some people
+  # even reject for it but that would be a little excessive.
+
+  warn condition = ${if eq{$sender_host_name}{} {1}}
+       set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
+
+  accept
+
+
+
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
@@ -496,7 +520,8 @@ acl_check_rcpt:
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
   # examples of how you can get Exim to perform a DNS black list lookup at this
-  # point. The first one denies, whereas the second just warns.
+  # point. The first one denies, whereas the second just warns. The third
+  # triggers greylisting for any host in the blacklist.
   #
   # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
   #         dnslists      = black.list.example
@@ -504,6 +529,10 @@ acl_check_rcpt:
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
   #         log_message   = found in $dnslist_domain
+  #
+  # warn    dnslists      = black.list.example
+  #         set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
+  #
   #############################################################################
 
   #############################################################################
@@ -517,6 +546,10 @@ acl_check_rcpt:
   # require verify = csa
   #############################################################################
 
+  # Alternatively, greylist for it:
+  # warn !verify = csa
+  #      set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
+
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
 
@@ -549,6 +582,12 @@ acl_check_data:
   # deny    condition  = ${if !def:h_Message-ID: {1}}
   #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
   #                      Most messages without it are spam, so your mail has been rejected.
+  #
+  # Alternatively if we're feeling more lenient we could just use it to
+  # trigger greylisting instead:
+
+  warn    condition  = ${if !def:h_Message-ID: {1}}
+          set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
 
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
@@ -583,8 +622,30 @@ acl_check_data:
   #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
   #  	    	        $spam_report
 
+  # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
+  #
+  # warn    condition = ${if >{$spam_score_int}{5} {1}}
+  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+
+
+  # If you want to greylist _all_ mail rather than only mail which looks like there
+  # might be something wrong with it, then you can do this...
+  #
+  # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
+
+  # Now, invoke the greylisting. For this you need to have installed the exim-greylist
+  # package which contains this subroutine, and you need to uncomment the bit below
+  # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
+  # greylisting will kick in and will defer the mail to check if the sender is a
+  # proper mail which which retries, or whether it's a zombie. For more details, see
+  # the exim-greylist.conf.inc file itself.
+  #
+  # require acl = greylist_mail
+
   accept
 
+# To enable the greylisting, also uncomment this line:
+# .include /etc/exim/exim-greylist.conf.inc
 
 acl_check_mime:
New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`diff --git a/src/configure.default b/src/configure.default`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`index 72675be..30ffc8c 100644`
New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`--- a/src/configure.default`
			`+++ b/src/configure.default`
New version Resolves: rhbz#1325557 2016-04-10 21:30:22 +00:00			`@@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost`
require helo, show how to greylist for no rdns 2007-02-08 10:32:13 +00:00			`# manual for details. The lists above are used in the access control lists for`
			`# checking incoming messages. The names of these ACLs are defined here:`

			`+acl_smtp_mail = acl_check_mail`
			`acl_smtp_rcpt = acl_check_rcpt`
			`acl_smtp_data = acl_check_data`
			`acl_smtp_mime = acl_check_mime`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -371,6 +372,29 @@ timeout_frozen_after = 7d`
require helo, show how to greylist for no rdns 2007-02-08 10:32:13 +00:00
			`begin acl`

			`+`
			`+# This access control list is used for the MAIL command in an incoming`
			`+# SMTP message.`
			`+`
			`+acl_check_mail:`
			`+`
			`+ # Hosts are required to say HELO (or EHLO) before sending mail.`
			`+ # So don't allow them to use the MAIL command if they haven't`
			`+ # done so.`
			`+`
			`+ deny condition = ${if eq{$sender_helo_name}{} {1}}`
			`+ message = Nice boys say HELO first`
			`+`
			`+ # Use the lack of reverse DNS to trigger greylisting. Some people`
			`+ # even reject for it but that would be a little excessive.`
New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`+`
require helo, show how to greylist for no rdns 2007-02-08 10:32:13 +00:00			`+ warn condition = ${if eq{$sender_host_name}{} {1}}`
			`+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons`
New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`+`
require helo, show how to greylist for no rdns 2007-02-08 10:32:13 +00:00			`+ accept`
			`+`
			`+`
			`+`
			`# This access control list is used for every RCPT command in an incoming`
			`# SMTP message. The tests are run in order until the address is either`
			`# accepted or denied.`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -496,7 +520,8 @@ acl_check_rcpt:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`# There are no default checks on DNS black lists because the domains that`
			`# contain these lists are changing all the time. However, here are two`
			`# examples of how you can get Exim to perform a DNS black list lookup at this`
			`- # point. The first one denies, whereas the second just warns.`
			`+ # point. The first one denies, whereas the second just warns. The third`
			`+ # triggers greylisting for any host in the blacklist.`
			`#`
			`# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text`
			`# dnslists = black.list.example`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -504,6 +529,10 @@ acl_check_rcpt:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`# warn dnslists = black.list.example`
			`# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain`
			`# log_message = found in $dnslist_domain`
			`+ #`
			`+ # warn dnslists = black.list.example`
			`+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons`
			`+ #`
			`#############################################################################`

			`#############################################################################`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -517,6 +546,10 @@ acl_check_rcpt:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`# require verify = csa`
			`#############################################################################`

			`+ # Alternatively, greylist for it:`
			`+ # warn !verify = csa`
			`+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons`
			`+`
			`# At this point, the address has passed all the checks that have been`
			`# configured, so we accept it unconditionally.`

New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -549,6 +582,12 @@ acl_check_data:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`# deny condition = ${if !def:h_Message-ID: {1}}`
			`# message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\`
			`# Most messages without it are spam, so your mail has been rejected.`
			`+ #`
New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`+ # Alternatively if we're feeling more lenient we could just use it to`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`+ # trigger greylisting instead:`
			`+`
			`+ warn condition = ${if !def:h_Message-ID: {1}}`
			`+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons`

			`# Deny if the message contains a virus. Before enabling this check, you`
			`# must install a virus scanner and set the av_scanner option above.`
New version Resolves: rhbz#1527710 Fixed buffer overflow in utility function Resolves: CVE-2018-6789 Updated and defuzzified patches Dropped mariadb-macro-fix patch (not needed) Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, CVE-2017-16944 patches (all upstreamed) 2018-02-14 12:28:19 +00:00			`@@ -583,8 +622,30 @@ acl_check_data:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`# message = Your message scored $spam_score SpamAssassin point. Report follows:\n\`
			`# $spam_report`

			`+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5`
			`+ #`
			`+ # warn condition = ${if >{$spam_score_int}{5} {1}}`
			`+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons`
			`+`
			`+`
			`+ # If you want to greylist _all_ mail rather than only mail which looks like there`
			`+ # might be something wrong with it, then you can do this...`
			`+ #`
			`+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons`
			`+`
			`+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist`
			`+ # package which contains this subroutine, and you need to uncomment the bit below`
			`+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,`
			`+ # greylisting will kick in and will defer the mail to check if the sender is a`
			`+ # proper mail which which retries, or whether it's a zombie. For more details, see`
			`+ # the exim-greylist.conf.inc file itself.`
			`+ #`
			`+ # require acl = greylist_mail`
			`+`
			`accept`

New version Resolves: rhbz#1024196 - Fixed bogus dates in the changelog (best effort) - De-fuzzified patches - Fixed double packaging of mailq.1.gz 2013-10-29 17:42:20 +00:00			`+# To enable the greylisting, also uncomment this line:`
greylisting patch to make conf file 2007-02-07 12:57:15 +00:00			`+# .include /etc/exim/exim-greylist.conf.inc`

			`acl_check_mime:`