Exim Config

Discussion in 'E-mail Discussions' started by efoiv, Dec 21, 2007.

  1. efoiv

    efoiv Member

    Hi everyone, I'm looking for some exim assistance...

    I made some changes the other day and my spam scores have more than doubled - this is a good thing... I added Razor2 and DCC and I've always used SARE rules.

    My CPANEL is
    WHM 11.11.0 cPanel 11.16.0-R18450
    CENTOS Enterprise 4.5 i686 on virtuozzo - WHM X v3.1.0

    I used some of the info from the guide located at this address
    http://www.rvskin.com/index.php?page=public/antispam


    While I've gone from scores between 10 and 19 to scores mostly above 20 - 60, 1 or 2 rather obvious spams have come through. I find it odd that my scoring is much better now, yet for some reason an obvious spam came through. (I'll provide the spam source if anyone would like to run it through their SA setup to see what score they get.)

    Maybe some exim master out there can look over what I have below and see if anything is wrong or could be better.... I'm not an expert.

    Thanks in advance!
    Edward


    In my ACL section I now have the following; everything else is standard:

    Code:
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    #
    # cPanel Default ACL Template Version: 3.0 
    # Template: mailman2.exiscan.dist
    #
    ########################################################################################
    # DO NOT ALTER THIS BLOCK
    ########################################################################################
    
    acl_connect:
    [% ACL_CONNECT_BLOCK %]
    
    # do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
    #acl_smtp_notquit is required for this to work (exim 4.68)
    
        accept
    
    acl_notquit:
    [% ACL_NOTQUIT_BLOCK %]
    
    
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
    
    [% ACL_RATELIMIT_BLOCK %]
    
      accept  hosts = :
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
      require verify = sender/callout=60s
    
      accept  hosts = *
              authenticated = *
    
      # if they POPed before SMTP we just accept
      accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
              add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}
      
      accept  hosts = +relay_hosts
              add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}
    
    
    
    [% ACL_WHITELIST_BLOCK %]
    
    [% ACL_RBL_BLOCK %]
    
    [% ACL_TRUSTEDLIST_BLOCK %]
    
    [% ACL_PRE_RECP_VERIFY_BLOCK %]
    
      # recipient verifications are required for all messages that are not sent to the local machine
      # this was done at multiple users' requests
      require verify = recipient
    
    
      # The only problem with this setup is that if the message is for multiple users on the same server
      # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
      # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
      warn  domains = ! ${primary_hostname} : +local_domains
             condition = ${if <= {$message_size}{[% ACL_MAX_SPAM_SCAN_SIZE %]K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
             set acl_m0    = 1
             set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}
    
      warn  domains = ${primary_hostname}
              condition = ${if <= {$message_size}{[% ACL_MAX_SPAM_SCAN_SIZE %]K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
              set acl_m0    = 1
              set acl_m1    = $local_part
    
      accept  domains = +relay_domains
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
    #  Enabling this will make the server non-rfc compliant
    #  require verify = header_sender
     accept  hosts = 127.0.0.1 : +relay_hosts
    
    
    ##
    # Reject messages with serious MIME container errors
    ##
    deny message = This message contains malformed MIME ($demime_reason).
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
    ##
    # Reject messages that attach a file with a CLSID in the name,
    # which causes Windows to hide the file extension.
    ## 
    deny message = Hiding of file extensions(CLSID hidden) is not allowed.
    regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$
    
    ##
    # Reject messages that attach files with blocked extensions
    ##
    deny message = We do not accept ".$found_extension" attachments here. If you meant to send this file then please package it up as a zip file and resend it.
    # You might need to remove some of these extensions if you want to allow your users to receive these files
    demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
    ##
    # Reject email that contains a virus
    ##
    deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = */defer_ok
    
    ##
    # Add X-Scanned Header
    ##
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    
    
      accept  hosts = *
              authenticated = *
    
      warn
        condition = ${if eq {${acl_m0}}{1}{1}{0}}
        spam =  ${acl_m1}/defer_ok
        log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
        add_header = X-Spam-Subject: [% ACL_SPAM_HEADER %] $h_subject
        add_header = X-Spam-Status: Yes, score=$spam_score
        add_header = X-Spam-Score: $spam_score_int
        add_header = X-Spam-Bar: $spam_bar
        add_header = X-Spam-Report: $spam_report
        add_header = X-Spam-Flag: YES
        set acl_m2 = 1
    
      warn 
          condition =  ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}
    
      warn
         condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
         add_header = X-Spam-Status: No, score=$spam_score
         add_header = X-Spam-Score: $spam_score_int
         add_header = X-Spam-Bar: $spam_bar
         add_header = X-Spam-Flag: NO
     
  2. efoiv

    efoiv Member

    Here are sample spam msg sources that SA missed

    The following are some raw sources of spams that slipped through for your testing


    Code:
    Return-path: <hulkage.engle@hotmail.com>
    Envelope-to: efo@jupitermultimedia.com
    Delivery-date: Fri, 21 Dec 2007 15:04:54 -0500
    Received: from blu139-omc3-s4.blu139.hotmail.com ([65.55.175.204]:53107)
    	by host2.jupitermultimedia.com with esmtp (Exim 4.68)
    	(envelope-from <hulkage.engle@hotmail.com>)
    	id 1J5o72-0005Gh-HU
    	for efo@jupitermultimedia.com; Fri, 21 Dec 2007 15:04:54 -0500
    Received: from BLU112-W42 ([65.55.162.187]) by blu139-omc3-s4.blu139.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    	 Fri, 21 Dec 2007 12:04:47 -0800
    Message-ID: <BLU112-W42ABB50BD77FAC9ED5934DFD5E0@phx.gbl>
    X-Originating-IP: [91.76.157.157]
    From: glossorrhaphy Dickey <hulkage.Engle@hotmail.com>
    Sender: <hulkage.engle@hotmail.com>
    To: <alkwakeb@hotmail.com>
    Subject: Womens Naturaul SOFTOTABS.
    Date: Fri, 21 Dec 2007 20:04:47 +0000
    Importance: Normal
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0
    X-OriginalArrivalTime: 21 Dec 2007 20:04:47.0757 (UTC) FILETIME=[BCC7DBD0:01C8440C]
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    X-Spam-Status: No, score=1.1
    X-Spam-Score: 11
    X-Spam-Bar: +
    X-Spam-Flag: NO
    
    LEVIVTRA Cheawpest Prbicees and 100r% Satnisfaoction Giuaraknteecd.=0A=
    =0A=
    http://margueritebrattonug.googlepages.com/=0A=
    =0A=
    As soon as they had passed the=0A=
    fence they all spread out evenly and quietly, without noise or talk,=0A=
    along the road and field leading to the Otradnoe covert. The horses stepped=
     over the field as over a thick carpet, now and=0A=
    then splashing into puddles as they crossed a road. The misty sky=0A=
    still seemed to descend evenly and imperceptibly toward the earth, the=0A=
    air was still, warm, and silent. Occasionally the whistle of a=0A=
    huntsman, the snort of a horse, the crack of a whip, or the whine of a=0A=
    straggling hound could be heard. When they had gone a little less than a mi=
    le, five more riders=0A=
    with dogs appeared out of the mist, approaching the Rostovs. In=0A=
    front rode a fresh-looking, handsome old man with a large gray=0A=
    mustache. Good morning, Uncle. said Nicholas, when the old man drew near. T=
    hats it.
    _________________________________________________________________
    Don't get caught with egg on your face. Play Chicktionary!
    http://club.live.com/chicktionary.aspx?icid=3Dchick_wlhmtextlink1_dec=


    Code:
    Return-path: <griffithappendicocaecostomy_1960@hotmail.com>
    Envelope-to: efo@jupitermultimedia.com
    Delivery-date: Thu, 20 Dec 2007 22:32:30 -0500
    Received: from bay0-omc2-s26.bay0.hotmail.com ([65.54.246.162]:64074)
    	by host2.jupitermultimedia.com with esmtp (Exim 4.68)
    	(envelope-from <griffithappendicocaecostomy_1960@hotmail.com>)
    	id 1J5Ycf-0000wC-L2
    	for efo@jupitermultimedia.com; Thu, 20 Dec 2007 22:32:30 -0500
    Received: from BAY123-W4 ([207.46.11.39]) by bay0-omc2-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    	 Thu, 20 Dec 2007 19:32:28 -0800
    Message-ID: <BAY123-W4D66A12639121F026B2E7EB5E0@phx.gbl>
    X-Originating-IP: [200.121.85.114]
    From: beadlet Lucero <Griffithappendicocaecostomy_1960@hotmail.com>
    Sender: <griffithappendicocaecostomy_1960@hotmail.com>
    To: <datalyl@hotmail.com>
    Subject: Prescriptrions Fed X 1 Day CIAELIS.
    Date: Fri, 21 Dec 2007 03:32:27 +0000
    Importance: Normal
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0
    X-OriginalArrivalTime: 21 Dec 2007 03:32:28.0812 (UTC) FILETIME=[1CCDD4C0:01C84382]
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    X-Spam-Status: No, score=-0.7
    X-Spam-Score: -6
    X-Spam-Bar: /
    X-Spam-Flag: NO
    
    Canajda VIAGRFA.=0A=
    =0A=
    http://chrystaltutsonou.googlepages.com/=0A=
    =0A=
    Then she added, as though a little ashamed, but Aunt=0A=
    Josephine can be awfully jolly whenshe forgets. Forgets what, child. Oh, th=
    atthat shes soso rich. Keineth stammered. John Randolph laughed. Well have =
    her part of the time and maybe we=0A=
    can make herforget. You have decided, you are very sure. he asked after a m=
    oment, and he=0A=
    swept his hand toward the nearby buildings of the city as though to=0A=
    remind her of the interesting life that might lie there.
    _________________________________________________________________
    i=92m is proud to present Cause Effect, a series about real people making a=
     difference.
    http://im.live.com/Messenger/IM/MTV/?source=3Dtext_Cause_Effect=
    
     