The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

exim and clamav

Discussion in 'Security' started by sahostking, Aug 16, 2012.

  1. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    hi

    I need some guidance on how to implement clamav to scan every email that comes in and out of server. read a lot of posts and tried a few things with issues coming out of each change. usng centos

    my exim file is as below:

    Code:
    #!!# cPanel Exim 4 Config
    
    local_from_check = true
    
    hostlist loopback = <; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8
    
    hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts
    
    hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts
    
    hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks
    
    hostlist backupmx_hosts = lsearch;/etc/backupmxhosts
    
    hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts
    
    hostlist relay_hosts = net-iplsearch;/etc/relayhosts
    
    domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}
    
    remote_max_parallel = 10
    
    smtp_receive_timeout = 165s
    
    ignore_bounce_errors_after = 3d
    
    rfc1413_query_timeout = 0s
    
    timeout_frozen_after = 5d
    
    auto_thaw = 7d
    
    callout_domain_negative_expire = 1h
    
    callout_negative_expire = 1h
    
    acl_smtp_connect = acl_smtp_connect
    
    acl_smtp_data = acl_smtp_data
    
    acl_smtp_mail = acl_smtp_mail
    
    acl_smtp_quit = acl_smtp_quit    
    
    acl_smtp_notquit = acl_smtp_notquit
    
    acl_smtp_rcpt = acl_smtp_rcpt
    
    message_body_newlines = true
    
    perl_at_start = true
    
    deliver_queue_load_max = 6
    
    queue_only_load = 12
    
    daemon_smtp_ports = 25 : 465 : 587
    
    tls_on_connect_ports = 465
    
    system_filter_user = cpaneleximfilter
    
    system_filter_group = cpaneleximfilter
    
    tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    
    av_scanner = clamd:/var/clamd
    
    spamd_address = 127.0.0.1 783
    
    # +incoming_port, +smtp_connection are needed for cPanel email tracking.
    # -retry_defer, +subject, +arguments, +received_recipients are suggested settings that may be disabled.
    log_selector = +incoming_port +smtp_connection -retry_defer +subject +arguments +received_recipients
    
    
    system_filter = /etc/cpanel_exim_system_filter
    
    
    
    
    #!!# These options specify the Access Control Lists (ACLs) that
    #!!# are used for incoming SMTP messages - after the RCPT and DATA
    #!!# commands, respectively.
    
    
    #!!# This setting defines a named domain list called
    #!!# local_domains, created from the old options that
    #!!# referred to local domains. It will be referenced
    #!!# later on by the syntax "+local_domains".
    #!!# Other domain and host lists may follow.
    
    domainlist local_domains = lsearch;/etc/localdomains
    
    domainlist relay_domains = lsearch;/etc/localdomains : \
        lsearch;/etc/secondarymx
    hostlist auth_relay_hosts = *
    
    ######################################################################
    #                  Runtime configuration file for Exim               #
    ######################################################################
    
    
    # This is a default configuration file which will operate correctly in
    # uncomplicated installations. Please see the manual for a complete list
    # of all the runtime configuration options that can be included in a
    # configuration file. There are many more than are mentioned here. The
    # manual is in the file doc/spec.txt in the Exim distribution as a plain
    # ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
    # the Exim ftp sites. The manual is also online via the Exim web sites.
    
    
    # This file is divided into several parts, all but the last of which are
    # terminated by a line containing the word "end". The parts must appear
    # in the correct order, and all must be present (even if some of them are
    # in fact empty). Blank lines, and lines starting with # are ignored.
    
    
    
    ######################################################################
    #                    MAIN CONFIGURATION SETTINGS                     #
    ######################################################################
    
    perl_startup = do '/etc/exim.pl'
    
    #dns_retry = 1
    #dns_retrans = 1s
    
    # Specify your host's canonical name here. This should normally be the fully
    # qualified "official" name of your host. If this option is not set, the
    # uname() function is called to obtain the name.
    
    smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
    \#${compile_number} ${tod_full} \n\
      We do not authorize the use of this system to transport unsolicited, \n\
      and/or bulk e-mail."
    
    
    #nobody as the sender seems to annoy people
    untrusted_set_sender = *
    
    
    
    split_spool_directory = yes
    
    smtp_connect_backlog = 50
    smtp_accept_max = 100
    
    # primary_hostname =
    
    # Specify the domain you want to be added to all unqualified addresses
    # here. An unqualified address is one that does not contain an "@" character
    # followed by a domain. For example, "caesar@rome.ex" is a fully qualified
    # address, but the string "caesar" (i.e. just a login name) is an unqualified
    # email address. Unqualified addresses are accepted only from local callers by
    # default. See the receiver_unqualified_{hosts,nets} options if you want
    # to permit unqualified addresses from remote sources. If this option is
    # not set, the primary_hostname value is used for qualification.
    
    # qualify_domain =
    
    
    # If you want unqualified recipient addresses to be qualified with a different
    # domain to unqualified sender addresses, specify the recipient domain here.
    # If this option is not set, the qualify_domain value is used.
    
    # qualify_recipient =
    
    
    # Specify your local domains as a colon-separated list here. If this option
    # is not set (i.e. not mentioned in the configuration file), the
    # qualify_recipient value is used as the only local domain. If you do not want
    # to do any local deliveries, uncomment the following line, but do not supply
    # any data for it. This sets local_domains to an empty string, which is not
    # the same as not mentioning it at all. An empty string specifies that there
    # are no local domains; not setting it at all causes the default value (the
    # setting of qualify_recipient) to be used.
    
    
    
    #!!# message_filter renamed system_filter
    message_body_visible = 5000
    
    
    
    
    
    
    # If you want to accept mail addressed to your host's literal IP address, for
    # example, mail addressed to "user@[111.111.111.111]", then uncomment the
    # following line, or supply the literal domain(s) as part of "local_domains"
    # above.
    
    # local_domains_include_host_literals
    
    
    # No local deliveries will ever be run under the uids of these users (a colon-
    # separated list). An attempt to do so gets changed so that it runs under the
    # uid of "nobody" instead. This is a paranoic safety catch. Note the default
    # setting means you cannot deliver mail addressed to root as if it were a
    # normal user. This isn't usually a problem, as most sites have an alias for
    # root that redirects such mail to a human administrator.
    
    never_users = root
    
    
    # The use of your host as a mail relay by any host, including the local host
    # calling its own SMTP port, is locked out by default. If you want to permit
    # relaying from the local host, you should set
    #
    # host_accept_relay = localhost
    #
    # If you want to permit relaying through your host from certain hosts or IP
    # networks, you need to set the option appropriately, for example
    #
    #
    #
    # If you are an MX backup or gateway of some kind for some domains, you must
    # set relay_domains to match those domains. This will allow any host to
    # relay through your host to those domains.
    #
    # See the section of the manual entitled "Control of relaying" for more
    # information.
    
    # The setting below causes Exim to do a reverse DNS lookup on all incoming
    # IP calls, in order to get the true host name. If you feel this is too
    # expensive, you can specify the networks for which a lookup is done, or
    # remove the setting entirely.
    
    #host_lookup = 0.0.0.0/0
    
    
    # By default, Exim expects all envelope addresses to be fully qualified, that
    # is, they must contain both a local part and a domain. If you want to accept
    # unqualified addresses (just a local part) from certain hosts, you can specify
    # these hosts by setting one or both of
    #
    # receiver_unqualified_hosts =
    # sender_unqualified_hosts =
    #
    # to control sender and receiver addresses, respectively. When this is done,
    # unqualified addresses are qualified using the settings of qualify_domain
    # and/or qualify_recipient (see above).
    
    
    # Exim contains support for the Realtime Blocking List (RBL) that is being
    # maintained as part of the DNS. See [url]http://maps.vix.com/rbl/[/url] for background.
    # Uncommenting the first line below will make Exim reject mail from any
    # host whose IP address is blacklisted in the RBL at maps.vix.com. Some
    # others have followed the RBL lead and have produced other lists: DUL is
    # a list of dial-up addresses, and ORBS is a list of open relay systems. The
    # second line below checks all three lists.
    
    # rbl_domains = rbl.maps.vix.com
    # rbl_domains = rbl.maps.vix.com
    
    
    # If you want Exim to support the "percent hack" for all your local domains,
    # uncomment the following line. This is the feature by which mail addressed
    # to x%y@z (where z is one of your local domains) is locally rerouted to
    # x@y and sent on. Otherwise x%y is treated as an ordinary local part.
    
    # percent_hack_domains = *
    
    #sender_host_accept = +include_unknown:*
    #sender_host_reject = +include_unknown:lsearch*;/etc/spammers
    
    
    
    
    
    tls_certificate = /etc/exim.crt
    tls_privatekey = /etc/exim.key
    tls_advertise_hosts = *
    
    helo_accept_junk_hosts = *
    
    smtp_enforce_sync = false
    
    
    #!!#######################################################!!#
    #!!# This new section of the configuration contains ACLs #!!#
    #!!# (Access Control Lists) derived from the Exim 3      #!!#
    #!!# policy control options.                             #!!#
    #!!#######################################################!!#
    
    #!!# These ACLs are crudely constructed from Exim 3 options.
    #!!# They are almost certainly not optimal. You should study
    #!!# them and rewrite as necessary.
    
    begin acl
    
    
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    #
    # cPanel Default ACL Template Version: 10.16
    # Template: universal.dist
    #
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    
    acl_not_smtp:
    
    #BEGIN ACL_NOT_SMTP_BLOCK
    
    #END ACL_NOT_SMTP_BLOCK
    
    acl_not_smtp_mime:
    
    #BEGIN ACL_NOT_SMTP_MIME_BLOCK
    
    #END ACL_NOT_SMTP_MIME_BLOCK
    
    acl_not_smtp_start:
    
    #BEGIN ACL_NOT_SMTP_START_BLOCK
    
    #END ACL_NOT_SMTP_START_BLOCK
    
    acl_smtp_auth:
    
    #BEGIN ACL_SMTP_AUTH_BLOCK
    
    #END ACL_SMTP_AUTH_BLOCK
    
    acl_smtp_connect:
    
    #BEGIN ACL_CONNECT_BLOCK
    # BEGIN INSERT ratelimit
    
        accept
            hosts = +trustedmailhosts
    
        accept
            condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    
    
    # ignore pop before smtp 
        accept
            hosts = +relay_hosts : +loopback
    
        accept
            hosts = +relay_hosts : +backupmx_hosts
    
    #only rate limit port 25
        accept 
            condition = ${if eq {$interface_port}{25}{no}{yes}}
    
        defer 
            message = The server has reached its limit for processing requests from your host.  Please try again later.
            log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
            ratelimit = 1.2 / 1h / strict / per_conn / noupdate
    
    
    # END INSERT ratelimit
    # BEGIN INSERT slow_fail_block
       warn
            # host had a success in the last hour 
            ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_accept_$sender_host_address
            set acl_m4 = 1
    
       defer 
            condition = ${if eq {${acl_m4}}{1}{0}{1}}
            log_message = "Host is ratelimited due to multiple failure only connections ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
            ratelimit = 5 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address
    
    
    # END INSERT slow_fail_block
    # BEGIN INSERT spammerlist
    
    
    drop
        message = Your host is not allowed to connect to this server.
        log_message = Host is banned
        hosts = +spammeripblocks
    
    
    # END INSERT spammerlist
    
    #END ACL_CONNECT_BLOCK
    
    #BEGIN ACL_CONNECT_POST_BLOCK
    # BEGIN INSERT default_connect_post
    
    # do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
    #acl_smtp_notquit is required for this to work (exim 4.68)
        accept
    
    
    # END INSERT default_connect_post
    
    #END ACL_CONNECT_POST_BLOCK
    
    acl_smtp_data:
    
    #BEGIN ACL_CHECK_MESSAGE_PRE_BLOCK
    # BEGIN INSERT default_check_message_pre
    
    #  Enabling this will make the server non-rfc compliant
    #  require verify = header_sender
     accept  hosts = +loopback : +relay_hosts
    
      accept  hosts = *
              authenticated = *
    
        accept
            hosts = +trustedmailhosts
    
        accept
            condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    
    
    
    # END INSERT default_check_message_pre
    
    #END ACL_CHECK_MESSAGE_PRE_BLOCK
    
    #BEGIN ACL_PRE_SPAM_SCAN
    # BEGIN INSERT mailproviders
    # Research in Motion - Blackberry white list
     accept 
         condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
    
    # END INSERT mailproviders
    
    #END ACL_PRE_SPAM_SCAN
    
    #BEGIN ACL_SPAM_SCAN_BLOCK
    # BEGIN INSERT default_spam_scan
    
    
      warn
        condition = ${if eq {${acl_m0}}{1}{1}{0}}
        spam =  ${acl_m1}/defer_ok
        log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
        add_header = X-Spam-Subject: ***SPAM*** $h_subject
        add_header = X-Spam-Status: Yes, score=$spam_score
        add_header = X-Spam-Score: $spam_score_int
        add_header = X-Spam-Bar: $spam_bar
        add_header = X-Spam-Report: $spam_report
        add_header = X-Spam-Flag: YES
        set acl_m2 = 1
    
      warn
          condition =  ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}
    
      warn
      condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
      add_header = X-Spam-Status: No, score=$spam_score
      add_header = X-Spam-Score: $spam_score_int
      add_header = X-Spam-Bar: $spam_bar
      add_header = X-Ham-Report: $spam_report
      add_header = X-Spam-Flag: NO
      log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"
    
    
    
    # END INSERT default_spam_scan
    
    #END ACL_SPAM_SCAN_BLOCK
    # exiscan only
    
    #BEGIN ACL_EXISCAN_BLOCK
    # BEGIN INSERT default_exiscan
    
    	deny message = This message contains a virus or other harmful content ($malware_name)
    	    malware = */defer_ok
    	    demime = *
    
    # END INSERT default_exiscan
    
    #END ACL_EXISCAN_BLOCK
    # exiscan only
    
    #BEGIN ACL_RATELIMIT_SPAM_BLOCK
    
    #END ACL_RATELIMIT_SPAM_BLOCK
    
    #BEGIN ACL_SPAM_BLOCK
    
    #END ACL_SPAM_BLOCK
    
    #BEGIN ACL_CHECK_MESSAGE_POST_BLOCK
    # BEGIN INSERT default_check_message_post
    
     accept
    
    # END INSERT default_check_message_post
    
    #END ACL_CHECK_MESSAGE_POST_BLOCK
    
    acl_smtp_etrn:
    
    #BEGIN ACL_SMTP_ETRN_BLOCK
    
    #END ACL_SMTP_ETRN_BLOCK
    
    acl_smtp_helo:
    
    #BEGIN ACL_SMTP_HELO_BLOCK
    
    #END ACL_SMTP_HELO_BLOCK
    
    acl_smtp_mail:
    
    #BEGIN ACL_MAIL_PRE_BLOCK
    # BEGIN INSERT default_mail_pre
    
        warn
            condition = ${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{1}}}{0}}
            set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}
    
        # ignore authenticated hosts
        accept
            authenticated = *
    
        # ignore pop before smtp 
        accept
            hosts = +loopback : +relay_hosts
    
    
    
    # END INSERT default_mail_pre
    
    #END ACL_MAIL_PRE_BLOCK
    
    #BEGIN ACL_MAIL_BLOCK
    # BEGIN INSERT requirehelo
    
    deny
        condition = ${if eq{$sender_helo_name}{}}
        message   = HELO required before MAIL
    
    
    # END INSERT requirehelo
    # BEGIN INSERT requirehelonoforge
    
    
    drop  
        condition = ${if match{$sender_helo_name}{^$primary_hostname\$}}
        message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
    
    
    drop 
        condition = ${if eq{[$interface_address]}{$sender_helo_name}}
        message   = "REJECTED - Interface: $interface_address is _my_ address"
    
    # END INSERT requirehelonoforge
    # BEGIN INSERT requirehelosyntax
    
    drop
        condition   = ${if isip{$sender_helo_name}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)
    
    drop
        # Required because "[IPv6:<address>]" will have no .s
        condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
        condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    drop
        condition   = ${if match{$sender_helo_name}{\N\.$\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
        
    drop
        condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    
    # END INSERT requirehelosyntax
    
    #END ACL_MAIL_BLOCK
    
    #BEGIN ACL_MAIL_POST_BLOCK
    # BEGIN INSERT default_mail_post
    
        accept
    
    
    # END INSERT default_mail_post
    
    #END ACL_MAIL_POST_BLOCK
    
    acl_smtp_mailauth:
    
    #BEGIN ACL_SMTP_MAILAUTH_BLOCK
    
    #END ACL_SMTP_MAILAUTH_BLOCK
    
    acl_smtp_mime:
    
    #BEGIN ACL_SMTP_MIME_BLOCK
    
    #END ACL_SMTP_MIME_BLOCK
    
    acl_smtp_notquit:
    
    #BEGIN ACL_NOTQUIT_BLOCK
    # BEGIN INSERT ratelimit
    
    # ignore authenticated hosts
    accept authenticated = *
    
    # ignore pop before smtp 
    accept hosts = +relay_hosts : +loopback
    
    #only rate limit port 25
    accept condition = ${if eq {$interface_port}{25}{no}{yes}}
    
    warn condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
        log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"    
        ratelimit = 1.2 / 1h / strict / per_conn
    
    
    # END INSERT ratelimit
    
    #END ACL_NOTQUIT_BLOCK
    
    acl_smtp_predata:
    
    #BEGIN ACL_SMTP_PREDATA_BLOCK
    
    #END ACL_SMTP_PREDATA_BLOCK
    
    acl_smtp_quit:
    
    #BEGIN ACL_SMTP_QUIT_BLOCK
    # BEGIN INSERT slow_fail_block
    
      warn
        log_message = "Detected session with all messages failed"
        condition = ${if >= {${eval:$rcpt_count}}{1}{${if == {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
        set acl_m6 = 1
    
      warn
        condition = ${if eq {${acl_m6}}{1}{1}{0}}
        ratelimit = 0 / 1h / strict / per_conn / slow_fail_block_$sender_host_address 
        log_message = "Increment slow_fail_block Ratelimit - $sender_fullhost because of all messages failed"
    
      warn
        ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address 
        condition = ${if >= {${eval:$rcpt_count}}{1}{${if < {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
        set acl_m5 = 1
        log_message = "Detected session with ok message that previous had all failed"
    
      warn
        condition = ${if eq {${acl_m5}}{1}{1}{0}}
        ratelimit = 0 / 1h / strict / per_conn / slow_fail_accept_$sender_host_address 
        log_message = "Decrement slow_fail_lock Ratelimit - $sender_fullhost because one message was successful"
    
    
    
    # END INSERT slow_fail_block
    
    #END ACL_SMTP_QUIT_BLOCK
    
    acl_smtp_rcpt:
    
    #BEGIN ACL_RATELIMIT_BLOCK
    
    #END ACL_RATELIMIT_BLOCK
    
    #BEGIN ACL_PRE_RECIPIENT_BLOCK
    # BEGIN INSERT dkim_disable
    
     warn
       control = dkim_disable_verify
    
    
    # END INSERT dkim_disable
    
    #END ACL_PRE_RECIPIENT_BLOCK
    
    #BEGIN ACL_RECIPIENT_BLOCK
    # BEGIN INSERT default_recipient
      accept  hosts = :
    
      accept hosts = +skipsmtpcheck_hosts
    
    
    
    # END INSERT default_recipient
    
    #END ACL_RECIPIENT_BLOCK
    #mailman only
    
    #BEGIN ACL_RECIPIENT_MAILMAN_BLOCK
    # BEGIN INSERT default_recipient_mailman
      
     # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
    
    
    # END INSERT default_recipient_mailman
    
    #END ACL_RECIPIENT_MAILMAN_BLOCK
    #mailman only
    
    #BEGIN ACL_IDENTIFY_SENDER_BLOCK
    # BEGIN INSERT default_identify_sender
    
    # deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
       deny  hosts = ! +senderverifybypass_hosts
            ! verify = sender
    
      accept  hosts = *
              authenticated = *
    
      # if they used "pop before smtp" and its not bound for a localdomain we remember the relayhosts_domain
      warn  hosts = +relay_hosts
            domains = ! +local_domains
            set acl_c_relayhosts_domain = ${perl{get_relayhosts_domain}{1}}
            add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}
    
      # if they used "pop before smtp" then we just accept
      accept  hosts = +relay_hosts
    
      # we need to check alwaysrelay since we don't require antirelayd to be enabled
      warn
        condition = ${if exists {/etc/alwaysrelay}{${lookup{$sender_host_address}iplsearch{/etc/alwaysrelay}{1}{0}}}{0}}
        set acl_c_relayhosts_domain = ${perl{get_relayhosts_domain}{1}}
        set acl_c_alwaysrelay = 1
    
      accept
        condition = $acl_c_alwaysrelay
    
      #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of 
      # a clogged outbox in outlook
    
      # drop connections to localhost that are from demo accounts (required for manual connnections)
      drop
           condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
                                 {def:acl_c_authenticated_local_user}} \
                          {${lookup{$acl_c_authenticated_local_user}lsearch{/etc/demousers}{yes}{no}}}{no}}
           message   = Demo accounts may not send mail
    
      # drop connections to localhost that fail auth (required for Horde)
      drop
           condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
                                 {def:authentication_failed}} \
                          {$authentication_failed}{no}}
           message   = Authentication failed
    
      # we learned this in the acl_smtp_mail block
      accept
        condition = ${if def:acl_c_authenticated_local_user {yes}{no}}
     
    
    
    # END INSERT default_identify_sender
    # BEGIN INSERT default_message_submission
    
    # Reject unauthenticated relay on port 587
     drop 
        condition = ${if eq{$interface_port}{587}{1}{0}}
        message = SMTP AUTH is required for message submission on port 587
    
    # END INSERT default_message_submission
    
    #END ACL_IDENTIFY_SENDER_BLOCK
    
    
    
    #BEGIN ACL_RECP_VERIFY_BLOCK
    # BEGIN INSERT default_recp_verify
       #recipient verifications are required for all messages that are not sent to the local machine    #this was done at multiple users requests
        require verify = recipient
    
    
    
    # END INSERT default_recp_verify
    
    #END ACL_RECP_VERIFY_BLOCK
    
    #BEGIN ACL_POST_RECP_VERIFY_BLOCK
    # BEGIN INSERT dictionary_attack
    
    
      warn
        log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
        condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
        set acl_m7 = 1
    
      warn
        condition = ${if eq {${acl_m7}}{1}{1}{0}}
        ratelimit = 0 / 1h / strict / per_conn
        log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"
    
      drop 
        condition = ${if eq {${acl_m7}}{1}{1}{0}}
        message = "Number of failed recipients exceeded.  Come back in a few hours."
    
    
    # END INSERT dictionary_attack
    
    #END ACL_POST_RECP_VERIFY_BLOCK
    
    #BEGIN ACL_TRUSTEDLIST_BLOCK
    # BEGIN INSERT trustedmailhosts
     accept
        hosts = +trustedmailhosts
     
     accept
         condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
    
    # END INSERT trustedmailhosts
    
    #END ACL_TRUSTEDLIST_BLOCK
    
    #BEGIN ACL_RBL_BLOCK
    # BEGIN INSERT abuseat_rbl
     
     deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
         dnslists = abuseatcbl.abuseat.org
         hosts = +backupmx_hosts 
    
     warn
         
         dnslists = abuseatcbl.abuseat.org
         set acl_m8 = 1
         set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
    
     warn
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         ratelimit = 0 / 1h / strict / per_conn
         log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
    
     drop
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         message = ${acl_m9}
    
    
    # END INSERT abuseat_rbl
    # BEGIN INSERT barracudab_rbl
     
     deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
         dnslists = barracudab.barracudacentral.org
         hosts = +backupmx_hosts 
    
     warn
         
         dnslists = barracudab.barracudacentral.org
         set acl_m8 = 1
         set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
    
     warn
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         ratelimit = 0 / 1h / strict / per_conn
         log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
    
     drop
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         message = ${acl_m9}
    
    
    # END INSERT barracudab_rbl
    # BEGIN INSERT spameatingmonkey_rbl
     
     deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
         dnslists = spameatingmonkeybl.spameatingmonkey.net
         hosts = +backupmx_hosts 
    
     warn
         
         dnslists = spameatingmonkeybl.spameatingmonkey.net
         set acl_m8 = 1
         set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
    
     warn
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         ratelimit = 0 / 1h / strict / per_conn
         log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
    
     drop
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         message = ${acl_m9}
    
    
    # END INSERT spameatingmonkey_rbl
    # BEGIN INSERT spamhaus_rbl
     
     deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
         dnslists = zen.spamhaus.org
         hosts = +backupmx_hosts 
    
     warn
         
         dnslists = zen.spamhaus.org
         set acl_m8 = 1
         set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
    
     warn
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         ratelimit = 0 / 1h / strict / per_conn
         log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
    
     drop
         condition = ${if eq {${acl_m8}}{1}{1}{0}}
         message = ${acl_m9}
    
    
    # END INSERT spamhaus_rbl
    
    #END ACL_RBL_BLOCK
    
    #BEGIN ACL_MAILAUTH_BLOCK
    
    #END ACL_MAILAUTH_BLOCK
    
    #BEGIN ACL_RCPT_HARD_LIMIT_BLOCK
    
    #END ACL_RCPT_HARD_LIMIT_BLOCK
    
    #BEGIN ACL_RCPT_SOFT_LIMIT_BLOCK
    
    #END ACL_RCPT_SOFT_LIMIT_BLOCK
    
    #BEGIN ACL_SPAM_SCAN_CHECK_BLOCK
    # BEGIN INSERT default_spam_scan_check
    
        # The only problem with this setup is that if the message is for multiple users on the same server
        # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
        # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
    
    
      warn  domains = ! ${primary_hostname} : +local_domains
             condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
             set acl_m0    = 1
             set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}
    
      warn  domains = ${primary_hostname}
              condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
              set acl_m0    = 1
              set acl_m1    = $local_part
    
    
    
    # END INSERT default_spam_scan_check
    
    #END ACL_SPAM_SCAN_CHECK_BLOCK
    
    #BEGIN ACL_POST_SPAM_SCAN_CHECK_BLOCK
    # BEGIN INSERT mailproviders
    # Research in Motion - Blackberry white list
     warn
         condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
         set acl_m0 = 0
    
    # END INSERT mailproviders
    
    #END ACL_POST_SPAM_SCAN_CHECK_BLOCK
    
    #BEGIN ACL_RECIPIENT_POST_BLOCK
    # BEGIN INSERT default_recipient_post
    
    
    
      accept  domains = +relay_domains
    
      deny    message = ${expand:${lookup{host_accept_relay}lsearch{/etc/eximrejects}{$value}}}
    
    
    
    # END INSERT default_recipient_post
    
    #END ACL_RECIPIENT_POST_BLOCK
    
    acl_smtp_starttls:
    
    #BEGIN ACL_SMTP_STARTTLS_BLOCK
    
    #END ACL_SMTP_STARTTLS_BLOCK
    
    acl_smtp_vrfy:
    
    #BEGIN ACL_SMTP_SMTP_VRFY_BLOCK
    
    #END ACL_SMTP_SMTP_VRFY_BLOCK
    
    acl_smtp_dkim:
    
    #BEGIN ACL_SMTP_DKIM_BLOCK
    
    #END ACL_SMTP_DKIM_BLOCK
    
    
    
    
    
    begin authenticators
    
    
    dovecot_plain:
        driver = dovecot
        public_name = PLAIN
        server_socket = /var/run/dovecot/auth-client
        server_set_id = $auth1
        server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
    
    
    
    dovecot_login:
      driver = dovecot
      public_name = LOGIN
      server_socket = /var/run/dovecot/auth-client
      server_set_id = $auth1
      server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
    
    
    
    
    
    
    ######################################################################
    #                      REWRITE CONFIGURATION                         #
    ######################################################################
    
    # There are no rewriting specifications in this default configuration file.
    
    begin rewrite
    
    
    
    
    #!!#######################################################!!#
    #!!# Here follow routers created from the old routers,   #!!#
    #!!# for handling non-local domains.                     #!!#
    #!!#######################################################!!#
    
    begin routers
    
    
    
    
    ######################################################################
    #                      ROUTERS CONFIGURATION                         #
    #            Specifies how remote addresses are handled              #
    ######################################################################
    #                          ORDER DOES MATTER                         #
    #  A remote address is passed to each in turn until it is accepted.  #
    ######################################################################
    
    # Remote addresses are those with a domain that does not match any item
    # in the "local_domains" setting above.
    
    
    
    
    
    mailman_virtual_router:
        driver = accept
        require_files = /usr/local/cpanel/3rdparty/mailman/mail/mailman : /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
        local_part_suffix_optional
        local_part_suffix = -admin     : \
                -bounces   : -bounces+* : \
                            -confirm   : -confirm+* : \
                -join      : -leave     : \
                -owner     : -request   : \
                -subscribe : -unsubscribe
        transport = mailman_virtual_transport
    
    
    
    mailman_virtual_router_nodns:
        driver = accept
        require_files = /usr/local/cpanel/3rdparty/mailman/mail/mailman : /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
        condition    = \
               ${if or {{match{$local_part}{.*_.*}} \
                         {eq{$local_part}{mailman}}} \
                    {1}{0}}
        local_part_suffix_optional
        local_part_suffix = -admin     : \
                -bounces   : -bounces+* : \
                            -confirm   : -confirm+* : \
                -join      : -leave     : \
                -owner     : -request   : \
                -subscribe : -unsubscribe
        domains = +local_domains
        transport = mailman_virtual_transport_nodns
    
    democheck:
        driver = redirect
        require_files = "+/etc/demouids"
        condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
        allow_fail
        data = :fail: demo accounts are not permitted to relay email
    
    
    
    
    
    #
    # Handles identification of messages, nobody and webspam and mail trap checks 
    # in check_mail_permissions and notifies if we are defering a message
    #
    
    check_mail_permissions:
        domains = ! +local_domains
        condition = "${perl{check_mail_permissions}}"
        driver = redirect
        ignore_target_hosts = +loopback : 64.94.110.0/24
        allow_filter
        reply_transport = address_reply
        user = mailnull
        expn = false
        data = "${perl{check_mail_permissions_results}}"
    
    #
    # If check_mail_permissions needs to defer or fail a message it is done here
    #
    enforce_mail_permissions:
        domains = ! +local_domains
        condition = "${perl{enforce_mail_permissions}}"
        driver = redirect
        ignore_target_hosts = +loopback : 64.94.110.0/24
        allow_fail
        allow_defer
        expn = false
        data = "${perl{enforce_mail_permissions_results}}"
    
    #
    # Increments max emails per hour if needed
    #
    increment_max_emails_per_hour_if_needed:
        domains = ! +local_domains
        condition = "${perl{increment_max_emails_per_hour_if_needed}}"
        driver = redirect
        ignore_target_hosts = +loopback : 64.94.110.0/24
        allow_fail
        no_verify
        one_time
        expn = false
        data = ":unknown:"
    
    
    
    
    
    
    dkim_lookuphost:
        driver = dnslookup
        domains = ! +local_domains
        #ignore verisign to prevent waste of bandwidth
        ignore_target_hosts = +loopback : 64.94.110.0/24
        require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}" 
        headers_add = "${perl{mailtrapheaders}}"
        transport = dkim_remote_smtp
    
    #
    # Lookup host router for remote smtp and ignores verisign site finder 'service'
    # This matches lookup exactly except we look for X-Boxtrapper: so we can determine
    # what is a boxtrapper generated message in the log.  Note: there is nothing to 
    # prevent X-Boxtrapper from being added to non-boxtrapper messages so this is for
    # logging reasons only
    #
    
    
    lookuphost:
        driver = dnslookup
        domains = ! +local_domains
        #ignore verisign to prevent waste of bandwidth
        ignore_target_hosts = +loopback : 64.94.110.0/24
        headers_add = "${perl{mailtrapheaders}}"
        transport = remote_smtp
    
    
    # This router routes to remote hosts over SMTP by explicit IP address,
    # given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
    # require this facility, which is why it is enabled by default in Exim.
    # If you want to lock it out, set forbid_domain_literals in the main
    # configuration section above.
    
    
    #
    # Literal Transports .. ignores verisigns sitefinder service
    #
    
    literal:
        driver = ipliteral
        domains = ! +local_domains
        headers_add = "${perl{mailtrapheaders}}"
        ignore_target_hosts = +loopback : 64.94.110.0/24
        transport = remote_smtp
    
    
    
    
    
    
    #!!# This new router is put here to fail all domains that
    #!!# were not in local_domains in the Exim 3 configuration.
    
    
    #
    # Trap Failures to Remote Domain
    #
    
    fail_remote_domains:
      driver = redirect
      domains = ! +local_domains : ! localhost : ! localhost.localdomain
      allow_fail
      data = ":fail: The mail server could not deliver mail to $local_part@$domain.  The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."
    
    
    
    
    
    
    #!!#######################################################!!#
    #!!# Here follow routers created from the old directors, #!!#
    #!!# for handling local domains.                         #!!#
    #!!#######################################################!!#
    
    
    
    ######################################################################
    #                      DIRECTORS CONFIGURATION                       #
    #             Specifies how local addresses are handled              #
    ######################################################################
    #                          ORDER DOES MATTER                         #
    #   A local address is passed to each in turn until it is accepted.  #
    ######################################################################
    
    # Local addresses are those with a domain that matches some item in the
    # "local_domains" setting above, or those which are passed back from the
    # routers because of a "self=local" setting (not used in this configuration).
    
    
    # This director handles aliasing using a traditional /etc/aliases file.
    # If any of your aliases expand to pipes or files, you will need to set
    # up a user and a group for these deliveries to run under. You can do
    # this by uncommenting the "user" option below (changing the user name
    # as appropriate) and adding a "group" option if necessary. Alternatively, you
    # can specify "user" on the transports that are used. Note that those
    # listed below are the same as are used for .forward files; you might want
    # to set up different ones for pipe and file deliveries from aliases.
    
    #spam_filter:
    #  driver = forwardfile
    #  file = /etc/spam.filter
    #  no_check_local_user
    #  no_verify
    #  filter
    #  allow_system_actions
    
    
    
    
    
    
    
    #
    # Optimized spamassassin router (not used if acl spam management is enabled)
    #
    
    
    
    virtual_user_maildir_overquota:
      driver = redirect
      domains = +user_domains
      router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}
      require_files = $home/etc/$domain
      condition = "${if exists {$home/etc/$domain/quota}{${if > {${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{0}{${if eq {${if exists {$home/mail/$domain/$local_part/maildirsize}{1}{0}}}{0}{${if > {${run {/usr/local/cpanel/bin/eximwrap GETDISKUSED $local_part $domain}}}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{true}{false}}}{${perl{checkuserquota}{$domain}{$local_part}{$message_size}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}}}{$home/mail/$domain/$local_part/maildirsize}}}}}{false}}}{false}}"
      user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
      data = :fail:Mailbox quota exceeded
      allow_fail
    
    
    
            
    
    
    
    
    #
    # Optimized spamassasin router (not used if acl spam management is enabled)
    #
    
    
    
            
    
    
    
    
    
    
    
    
    #
    # Account level filtering for everything but the main account
    #
    
    central_filter:
        driver = redirect
        allow_filter
        no_check_local_user
        file = /etc/vfilters/${domain}
        file_transport = address_file
        directory_transport = address_directory
        domains = +user_domains
        pipe_transport = virtual_address_pipe
        reply_transport = address_reply
        router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
        user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        allow_fail
        no_verify
    
    
    
    #
    # Account level filtering for the main account
    #
    # checks /etc/vfilters/maindomain if its a localuser (ie main acct)
    # 
    mainacct_central_user_filter:
        driver = redirect  
        allow_filter  
        allow_fail
        check_local_user
        domains = ! +user_domains
        condition = ${if eq {${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{}{0}{${if exists {/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{1}{0}}}}
        file = "/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}"
        directory_transport = address_directory
        file_transport = address_file  
        pipe_transport = address_pipe
        reply_transport = address_reply
        retry_use_local_part  
        no_verify
    
    #
    # User Level Filtering for the main account
    #
    
    
    central_user_filter:
        driver = redirect
        allow_filter
        allow_fail
        check_local_user
        domains = ! +user_domains
        file = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
        require_files = "+${extract{5}{::}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
        router_home_directory = ${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}
        directory_transport = address_directory
        file_transport = address_file
        pipe_transport = virtual_address_pipe
        reply_transport = address_reply
        retry_use_local_part
        no_verify
    
    #
    # User Level Filtering for virtual users
    #
    
    
    virtual_user_filter:
        driver = redirect
        allow_filter
        allow_fail
        no_check_local_user
        domains = +user_domains
        require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
        file = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
        router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
        directory_transport = address_directory
        file_transport = address_file
        pipe_transport = virtual_address_pipe
        reply_transport = address_reply
        user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
        retry_use_local_part
        no_verify
    
    
    
    
    
    
    virtual_aliases_nostar:
      driver = redirect
      allow_defer
      allow_fail
      require_files = "+/etc/valiases/$domain"
      data = ${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}
      file_transport = address_file
      group = mail
      pipe_transport = virtual_address_pipe
      retry_use_local_part
      unseen
    
    
    
    
    
    
    #
    # Virtual User Spam Boxes
    #
    
    virtual_user_spam:
        driver = accept
        domains = +user_domains
        require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
        condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{}{false}{${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}}}
        headers_remove="x-spam-exim"
        transport = virtual_userdelivery_spam
        
    
    
    
    
    virtual_user:
      driver = accept
      headers_remove="x-spam-exim"
      domains = +user_domains
      require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
      condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{true}}
      transport = virtual_userdelivery
    
    
    
    
    
    
    has_alias_but_no_mailbox_discarded_to_prevent_loop:
            driver = redirect
            require_files = "+/etc/valiases/$domain"
            domains = +user_domains
            condition = "${perl{checkvalias}{$domain}{$local_part}}"
            data="#Exim Filter\nseen finish"
            group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
            user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
            allow_filter
            disable_logging = true
    
    
    
    
    
    
    
    valias_domain_file:
      driver = redirect
      allow_defer
      allow_fail
      require_files = +/etc/vdomainaliases/$domain
      condition = ${lookup {$domain} lsearch {/etc/vdomainaliases/$domain}{yes}{no} }
      data = $local_part@${lookup {$domain} lsearch {/etc/vdomainaliases/$domain} }
    
    virtual_aliases:
        driver = redirect
        allow_defer
        allow_fail
        require_files = "+/etc/valiases/$domain"
        data = ${lookup{*}lsearch{/etc/valiases/$domain}}
        file_transport = address_file
        group = mail
        pipe_transport = virtual_address_pipe
    
    
    
    
    
    
    
    # This director handles forwarding using traditional .forward files.
    # If you want it also to allow mail filtering when a forward file
    # starts with the string "# Exim filter", uncomment the "filter" option.
    # The check_ancestor option means that if the forward file generates an
    # address that is an ancestor of the current one, the current one gets
    # passed on instead. This covers the case where A is aliased to B and B
    # has a .forward file pointing to A. The three transports specified at the
    # end are those that are used when forwarding generates a direct delivery
    # to a file, or to a pipe, or sets up an auto-reply, respectively.
    
    system_aliases:
      driver = redirect
      allow_defer
      allow_fail
      data = ${lookup{$local_part}lsearch{/etc/aliases}}
      file_transport = address_file
      pipe_transport = address_pipe
      retry_use_local_part
    # user = exim
    
                                                                                                                                                                                                                                                           
    local_aliases:
      driver = redirect
      allow_defer
      allow_fail
      data = ${lookup{$local_part}lsearch{/etc/localaliases}}
      file_transport = address_file
      pipe_transport = address_pipe
      check_local_user
                                                                                                                                                                                                                                                           
    
    
    
    
    userforward:
      driver = redirect
      allow_filter
      check_ancestor
      check_local_user
      domains = ! +user_domains
      no_expn
      file = $home/.forward
      file_transport = address_file
      pipe_transport = address_pipe
      reply_transport = address_reply
      directory_transport = address_directory
      no_verify
    
    
    
    
    
    
    #
    # Optimzied spambox router
    #
    
    localuser_spam:
        driver = accept
        headers_remove="x-spam-exim"
        domains = ! +user_domains
        require_files = "+$home/.spamassassinboxenable"
        condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}
        check_local_user
        transport = local_delivery_spam
    
    
    
    localuser:
        driver = accept
        headers_remove="x-spam-exim"
        check_local_user
        domains = ! +user_domains
        transport = local_delivery
    
    
    
    
    # This director matches local user mailboxes.
    
    
    
    
    
    
    
    ######################################################################
    #                      TRANSPORTS CONFIGURATION                      #
    ######################################################################
    #                       ORDER DOES NOT MATTER                        #
    #     Only one appropriate transport is called for each delivery.    #
    ######################################################################
    
    # A transport is used only when referenced from a director or a router that
    # successfully handles an address.
    
    
    # This transport is used for delivering messages over SMTP connections.
    
    begin transports
    
    
    
    
    
    
    mailman_virtual_transport:
        driver = pipe
        command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
                  '${if def:local_part_suffix \
                        {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                        {post}}' \
                  ${lc:$local_part}_${lc:$domain}
        current_directory = /usr/local/cpanel/3rdparty/mailman
        home_directory = /usr/local/cpanel/3rdparty/mailman
        user = mailman
        group = mailman
    
    
    
    
    mailman_virtual_transport_nodns:
        driver = pipe
        command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
                  '${if def:local_part_suffix \
                        {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                        {post}}' \
                  ${lc:$local_part}
        current_directory = /usr/local/cpanel/3rdparty/mailman
        home_directory = /usr/local/cpanel/3rdparty/mailman
        user = mailman
        group = mailman
    
    
    remote_smtp:
      driver = smtp
      interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
    
    
    
    dkim_remote_smtp:
      driver = smtp
      interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
      helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
      dkim_domain = $sender_address_domain
      dkim_selector = default
      dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
      dkim_canon = relaxed
    
    
    
    # This transport is used for local delivery to user mailboxes. By default
    # it will be run under the uid and gid of the local user, and requires
    # the sticky bit to be set on the /var/mail directory. Some systems use
    # the alternative approach of running mail deliveries under a particular
    # group instead of using the sticky bit. The commented options below show
    # how this can be done.
    
    
    
    local_delivery:
        driver = appendfile
        delivery_date_add
        envelope_to_add
        directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail"
        maildir_use_size_file
        maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
        maildir_format
        maildir_tag = ,S=$message_size
        quota_size_regex = ,S=(\d+)
        mode = 0660
        return_path_add
        group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
        user = $local_part
        shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part}{1}{0}}
        shadow_transport = rim_bis_notifier_local_user
    
    
    
    rim_bis_notifier_local_user:
        driver = pipe
        headers_only
        command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}"
        group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
        user = $local_part
        log_output = true
        current_directory = "/tmp"
        return_fail_output = true
        return_path_add = false
    
    
    
    local_delivery_spam:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail/.spam"
      maildir_use_size_file
      maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
      maildir_format
      maildir_tag = ,S=$message_size
      quota_size_regex = ,S=(\d+)
      group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
      mode = 0660
      return_path_add
      user = $local_part
    
    
    
    
            
    
    
    
    
    
    
    # This transport is used for handling pipe deliveries generated by alias
    # or .forward files. If the pipe generates any standard output, it is returned
    # to the sender of the message as a delivery error. Set return_fail_output
    # instead of return_output if you want this to happen only when the pipe fails
    # to complete normally. You can set different transports for aliases and
    # forwards if you want to - see the references to address_pipe below.
    
    
    address_directory:
        driver        = appendfile
        maildir_tag = ,S=$message_size
        quota_size_regex = ,S=(\d+)
        maildir_format
        maildir_use_size_file
        maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
        mode = 0660
        delivery_date_add
        envelope_to_add
        return_path_add
    
    address_pipe:
      driver = pipe
      return_output
    
    virtual_address_pipe:
      driver = pipe
      group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
      return_output
      user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
    
    # This transport is used for handling deliveries directly to files that are
    # generated by aliassing or forwarding.
    
    address_file:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      return_path_add
    
    
    # This transport is used for handling autoreplies generated by the filtering
    # option of the forwardfile director.
    
    
    
            
    
    
    
    virtual_userdelivery_spam:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}/.spam"
      maildir_use_size_file
      maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
      maildir_format
      maildir_tag = ,S=$message_size
      quota_size_regex = ,S=(\d+)
      mode = 0660
      quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
      quota_is_inclusive = false
      quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
      return_path_add
      user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
      group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
    
    
    
    
    
    virtual_userdelivery:
      driver = appendfile
      delivery_date_add
      envelope_to_add
      directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
      maildir_use_size_file
      maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
      maildir_format
      maildir_tag = ,S=$message_size
      quota_size_regex = ,S=(\d+)
      mode = 0660
      quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
      quota_is_inclusive = false
      quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
      return_path_add
      user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
      group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
      shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part@$domain}{1}{0}}
      shadow_transport = rim_bis_notifier_virtual_user
    
    
    
    rim_bis_notifier_virtual_user:
      driver = pipe
      headers_only
      command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}@${domain}"
      user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
      group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
      log_output = true
      current_directory = "/tmp"
      return_fail_output = true
      return_path_add = false
    
    
    
    address_reply:
      driver = autoreply
    
    
    
    
    
    
    
    ######################################################################
    #                      RETRY CONFIGURATION                           #
    ######################################################################
    
    # This single retry rule applies to all domains and all errors. It specifies
    # retries every 15 minutes for 2 hours, then increasing retry intervals,
    # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
    # hours, then retries every 8 hours until 4 days have passed since the first
    # failed delivery.
    
    # Domain               Error       Retries
    # ------               -----       -------
    
    
    begin retry
    
    *			quota
    
    
    
    *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h
    
    
    
    
    # End of Exim 4 configuration
     
    #1 sahostking, Aug 16, 2012
    Last edited: Aug 16, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Please detail what changes you've done. What you've tried and hasn't worked. Posting your entire exim.conf file will not provide the details on what changes you've implemented.
     
  3. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Well I tried everything on every google post I can find:
    ClamAV - How To
    How to install clamav in centos [Archive] - DirectAdmin Forums
    plus more.

    Reason I ask is that when I search for check_message: I never seem to find it. So I've placed it below:

    #BEGIN ACL_EXISCAN_BLOCK
    # BEGIN INSERT default_exiscan

    deny message = This message contains a virus or other harmful content ($malware_name)
    malware = */defer_ok
    demime = *

    [here]

    With it still not working so removed it. Any ideas?
     
Loading...

Share This Page