exim/exim-4.90.1-spamdconf.patch
Jaroslav Škarvada 9d61e8c48a New version
Resolves: rhbz#1527710
Fixed buffer overflow in utility function
  Resolves: CVE-2018-6789
Updated and defuzzified patches
Dropped mariadb-macro-fix patch (not needed)
Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
  CVE-2017-16944 patches (all upstreamed)
2018-02-14 16:56:48 +01:00

105 lines
4.0 KiB
Diff

diff --git a/src/configure.default b/src/configure.default
index 0675b40..8b4575c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+acl_smtp_mime = acl_check_mime
# You should not change those settings until you understand how ACLs work.
@@ -121,7 +122,7 @@ acl_smtp_data = acl_check_data
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).
-# av_scanner = clamd:/tmp/clamd
+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
# For spam scanning, there is a similar option that defines the interface to
@@ -434,7 +435,8 @@ acl_check_rcpt:
accept local_parts = postmaster
domains = +local_domains
- # Deny unless the sender address can be verified.
+ # Deny unless the sender address can be routed. For proper verification of the
+ # address, read the documentation on callouts and add the /callout modifier.
require verify = sender
@@ -538,27 +540,63 @@ acl_check_data:
got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}}
+ # Put simple tests first. A good one is to check for the presence of a
+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
+ # or misconfigured mailer software occasionally omits this from genuine
+ # messages too, though -- although it's not hard for the offender to fix
+ # after they receive a bounce because of it.
+ #
+ # deny condition = ${if !def:h_Message-ID: {1}}
+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+ # Most messages without it are spam, so your mail has been rejected.
+
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
+ # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
- # Accept the message.
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold.
+ #
+ # warn spam = nobody/defer_ok
+ # add_header = X-Spam-Flag: YES
+ #
+ # accept condition = ${if !def:spam_score_int {1}}
+ # add_header = X-Spam-Note: SpamAssassin invocation failed
+ #
+
+ # Unconditionally add score and report headers
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
+
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}
+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+ # $spam_report
accept
+acl_check_mime:
+
+ # File extension filtering.
+ deny message = Blacklisted file extension detected
+ condition = ${if match \
+ {${lc:$mime_filename}} \
+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
+ {1}{0}}
+
+ accept
+
######################################################################
# ROUTERS CONFIGURATION #