The Community Forums


How to: Spam+Virus Protection for cPanel server using Exiscan+Clamav+RBL+Spamassassin

Discussion in 'cPanel Developers' started by rvskin, Nov 2, 2004.

  1. rvskin

    Since cPanel dropped support for MailScanner, we are forced to use the existing cPanel mail system to avoid further conflict. In the beginning, I was quite upset that cPanel dropped it, but since we have tested Exim+Exiscan and configured server-wide Spam+Virus Protection, its performance has increased a lot. I suggest avoiding MailScanner if possible.

    The instructions are separated into 6 sections; use them at your own risk:
    1. Install required software and scripts
    2. Virus Protection
    2.1. Configure Exim to reject virus at SMTP time
    2.2. Configure Exim to reject virus + sender whitelist + receiver whitelist
    3. RBL and blacklists
    3.1. Sender blacklist and remote mail server blacklist
    3.2. RBL setting + sender whitelist + receiver whitelist + remote mail server whitelist
    4. Spam Protection
    5. Integrate into user's cPanel allowing user enable/disable server-wide Virus and Spam Protection
    6. Testing
    ...
    ...
    The full document is here:
    http://www.rvskin.com/index.php?page=public/antispam

    For more questions please go to http://forums.rvskin.com/index.php?showforum=7
     
    #1 rvskin, Nov 2, 2004
    Last edited: Nov 2, 2004
  2. Christleo

    root@nss-4 [~/EXIM/razor-agents-2.61]# make install
    make[1]: Entering directory `/root/EXIM/razor-agents-2.61/Razor2-Preproc-deHTMLxs'
    make[1]: Leaving directory `/root/EXIM/razor-agents-2.61/Razor2-Preproc-deHTMLxs'
    /usr/bin/perl -we '%m=@ARGV;for (keys %m){' -e 'next if -e $m{$_} && -M $m{$_} < -M $_ && -M $m{$_} < -M "Makefile";' -e 'print "Manifying $m{$_}\n";' -e 'system(q[/usr/bin/perl /usr/bin/pod2man ].qq[$_>$m{$_}])==0 or warn "Couldn\047t install $m{$_}\n";' -e 'chmod(oct(644), $m{$_}) or warn "chmod 644 $m{$_}: $!\n";}' \
    docs/razor-agent.conf.pod \
    blib/man5/razor-agent.conf.5 \
    docs/razor-agents.pod \
    blib/man5/razor-agents.5 \
    docs/razor-whitelist.pod \
    blib/man5/razor-whitelist.5
    Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
    Writing /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
    Appending installation info to /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod
    blib/script/razor-client
    Digest::SHA1 object version 2.01 does not match bootstrap parameter 2.10 at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/DynaLoader.pm line 249.
    Compilation failed in require at lib/Razor2/String.pm line 4.
    BEGIN failed--compilation aborted at lib/Razor2/String.pm line 4.
    Compilation failed in require at (eval 7) line 3.
    ...propagated at /usr/lib/perl5/5.8.0/base.pm line 64.
    BEGIN failed--compilation aborted at lib/Razor2/Client/Core.pm line 22.
    Compilation failed in require at (eval 4) line 3.
    ...propagated at /usr/lib/perl5/5.8.0/base.pm line 64.
    BEGIN failed--compilation aborted at lib/Razor2/Client/Agent.pm line 18.
    Compilation failed in require at blib/script/razor-client line 21.
    BEGIN failed--compilation aborted at blib/script/razor-client line 21.
    make: *** [install_razor_agents] Error 2

    root@nss-4 [~/EXIM/razor-agents-2.61]#
     
  3. rvskin

  4. anup123

    Nice documentation.
    However, I have the following to add w.r.t. SA 3.x:

    Score bumping already takes place for RBL-listed IPs/hosts (multiple network digests; network tests are enabled by default on SA 3.x), so at least the check for everything except rfc-ignorant.org can be safely removed. SA already does the same. This score bumping gets more spam blocked (in case the admin chooses to block above a given score).

    In your already nice documentation, if you could include an ACL check for forged HELO/EHLO, it would also reduce the usage of spamd and clamd and hence average load levels, perhaps. Practically, I have found that half of spam comes with a forged HELO/EHLO presenting local IPs/domains in HELO/EHLO. This meant less load on the server, as the spam/AV check was never reached for those messages. In addition, the number of virus-infected mails dropped by about 70% (signifying the obvious).

    Something like the following:

    ###HELO CHECK START

    # No HELO/EHLO

    deny
    condition = ${if eq{$sender_helo_name}{}{yes}{no}}
    message = Polite hosts say HELO first\n\
    Please see RFC 2821 section 4.1.1.1
    log_message = Bad HELO: Empty HELO

    #Modified Forged HELO (our ip/hostname)

    deny
    condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
    message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: is our interface address

    deny
    condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    message = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: $sender_helo_name is one of our local domains

    #Modified End

    # Forged HELO (IP address does not match)

    deny
    condition = ${if isip{$sender_helo_name}{yes}{no}}
    condition = ${if eq{$sender_helo_name}{$sender_host_address}{no}{yes}}
    message = Forged HELO: you are not $sender_helo_name
    log_message = Forged HELO: ip does not match

    # Hacked HELO (DOMAIN.com) (constructed by viruses)

    deny
    condition = ${if match \
    {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
    condition = ${if match \
    {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
    message = Hacked HELO: you are not $sender_helo_name
    log_message = Hacked HELO: constructed by viruses

    # Typical nonexistent domains

    deny
    condition = ${if match {$sender_helo_name}\
    {(backup.lst|localhost.localdomain)}\
    {yes}{no}}
    message = Bad HELO: $sender_helo_name does not exist\n\
    Please see RFC 2821 section 4.1.1.1

    ##HELO CHK END ##

    Also Check For MISSING Date:

    #Date Check
    deny condition = ${if !def:h_Date: {1}}
    message = Message SHOULD have Date: but does not
    log_message = No Date In Mail So Cannot Accept



    ###CLSID ATTACHMENT

    deny message = Hiding of file extensions is not allowed!
    log_message = Dangerous extension (CLSID hidden)
    regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$



    I think the above should be ok??


    Anup
     
  5. rvskin

    Thanks for the suggestion. The HELO ACL was added to the document with a bit of modification.
     
    #5 rvskin, Nov 8, 2004
    Last edited: Nov 9, 2004
  6. TheSpidre

    Could you explain to us what the difference is between these two reject/filter methods:

    2.1. Configure Exim to reject virus at SMTP time
    2.2. Configure Exim to reject virus + sender whitelist + receiver whitelist


    Also, what is done in step 3.1/3.2, how does the blacklisting work? Does it have anything to do with SARE, Razor and DCC?

    3.1. Sender blacklist and remote mail server blacklist
    3.2. RBL setting + sender whitelist + receiver whitelist + remote mail server whitelist

    Thank you for the excellent How to and the excellent service (@RVSkin;)
     
  7. rvskin

    2.1 will block the virus immediately if a virus or harmful content is detected; this way you cannot do a receiver whitelist.
    2.2 will block the virus, but you can do a whitelist.

     
  8. damainman

    Anyone else using this with no problems?

    I would like to implement it on my server, but don't want anything to break lol. Is there any chance a cPanel update might conflict with this config and break something?

    RHE server

    Thank you in advance.
     
  9. fusioncroc

    Nothing broke on my server; I installed the full set of spam tools.
     
  10. fusioncroc

    Also, it's CentOS 3.3.
     
  11. erick_paper

    Hello rvskin, sounds like a neat tool (suggested by Anup in another thread). My question is, many entries for the exim conf make references to rv_<this>, rv_<that>. Does this mean I *need* to install rvskin for these instructions to work?

    Thanks, .ep
     
  12. anup123

    I don't use rvskin.

    Anup
     
  13. erick_paper

    Thanks Anup. I have edited my exim.conf.

    However, it doesn't seem to be working as desired. I want all email that slips through my RBLs to go through the HELO check. But that doesn't seem to be happening.

    Can you or Chirpy please confirm if my exim.conf code is correct, thanks so much! --

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    ### LWBlacklist v0.02
    deny  !sender_domains = lsearch;/etc/localdomains
          !hosts = +relay_hosts
          !authenticated = *
          message = rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = whitelist.MYDOMAIN.com!=127.0.0.13 : \
                          rhsbl.ahbl.org/$sender_address_domain : \
                          list.dsbl.org : \
                          dnsbl.ahbl.org : \
                          sbl-xbl.spamhaus.org : \
                          bl.spamcop.net : \
                          relays.ordb.org : \
                          rbl.MYDOMAIN.com
    
      ##--------------------------------------------------------------------
      ##-- Added Chirpy's dictionary attack protection
      ##-- From http://www.configserver.com/free/eximdeny.html
      ##-- [ERICK_P May 29 2005]
      ##--------------------------------------------------------------------
      drop hosts = /etc/exim_deny
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack
    
        drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
      ##--------------------------------------------------------------------
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
                                                                                                                                               
      #sender verifications are required for all messages that are not sent to lists
                                                                                                                                               
    
      #--------- [ERICK_P MAY 29 2005] HELO VERIFICATION ---------------------
      # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
       condition = ${if eq{$sender_helo_name}{}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME -HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards.
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME - HELOS AS MY OWN HOSTNAME OR DOMAIN
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
      #---------------------------------------------------------------------
      # ACCEPT HELO WHICH IS IN LOCAL_DOMAIN IF WE RELAY OR HAD SMTP AUTH
      #---------------------------------------------------------------------
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # HACKED HELO (DOMAIN.COM) (CONSTRUCTED BY VIRUSES)
      #---------------------------------------------------------------------
      deny message = Hacked HELO: you are not $sender_helo_name
      condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
      condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      delay = 3s
    
    #-------------------- END OF HELO CHECK --------------------------------
    
    
      require verify = sender
        accept  domains = +local_domains
      endpass
                                                                                                                                               
      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests
                                                                                                                                               
      message = "The recipient cannot be verified. $acl_verify_message"
      verify = recipient
                                                                                                                                               
      accept  domains = +relay_domains
    
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
    ## clamav ACL, reject virus infected mails with proper error
    
    deny message = This message contains malformed MIME ($demime_reason).
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
    deny message = This message contains a virus or other harmful content \
    ($malware_name)
    demime = *
    malware = *
    
    deny message = Potentially executable content. If you meant to send this file \
    then please package it up as a zip file and resend it.
    demime = ###ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
    # Add X-Scanned Header
    
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    ## end clamav ACL
    accept
    
    Should I put the HELO checking code before the DNSLISTs for instance?
     
  14. anup123

    Here's my relevant portion of exim.conf, edited through WHM:

    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    deny
    local_parts = ^.*[@%!/|] : ^\\.
    log_message = invalid local part

    # deny condition = ${if eq {$sender_address}{$local_part@$domain}{yes}{no}}
    # hosts = !+relay_from_hosts
    # message = This Seems To Be SPAM Attempt. Contact postmaster in case you feel this is in error.
    # log_message = Spam from sender $sender_address at $sender_fullhost

    deny
    message = Legitimate bounces are never sent to more than one recipient.
    senders = : postmaster@*
    condition = $recipients_count

    ##Section Added For Dictionary Attack
    ##Valid For Accounts With Default Set to :fail:
    drop hosts = /etc/exim_deny
    message = Connection denied after dictionary attack
    log_message = Connection denied from $sender_host_address after dictionary attack

    drop message = Appears to be a dictionary attack
    log_message = Dictionary attack (after $rcpt_fail_count failures)
    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
    condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
    !verify = recipient
    ##Dictionary Attack Customization End

    ###HELO CHECK START


    # No HELO/EHLO

    deny
    condition = ${if eq{$sender_helo_name}{}{yes}{no}}
    message = Polite hosts say HELO first\n\
    Please see RFC 2821 section 4.1.1.1
    log_message = Bad HELO: Empty HELO

    # Forged HELO (IP address does not match)

    deny
    condition = ${if isip{$sender_helo_name}{yes}{no}}
    condition = ${if eq{$sender_helo_name}{$sender_host_address}{no}{yes}}
    message = Forged HELO: you are not $sender_helo_name
    log_message = Forged HELO: ip does not match

    # Hacked HELO (DOMAIN.com) (constructed by viruses)

    deny
    condition = ${if match \
    {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
    condition = ${if match \
    {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
    message = Hacked HELO: you are not $sender_helo_name
    log_message = Hacked HELO: constructed by viruses

    # Typical nonexistent domains

    deny
    condition = ${if match {$sender_helo_name}\
    {(backup.lst|localhost.localdomain)}\
    {yes}{no}}
    message = Bad HELO: $sender_helo_name does not exist\n\
    Please see RFC 2821 section 4.1.1.1

    #Modified Forged HELO (our ip/hostname)

    # deny
    # condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
    # message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you #are not allowed to use it in HELO/EHLO as per RFC Standards. Please Contact Your Sys Admin
    # log_message = Forged HELO: is our interface address

    deny
    condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    message = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: $sender_helo_name is one of our local domains


    ##Modified End

    ##HELO CHK END ##

    #**#Section Added For RBL Integration
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept
    domains = +local_domains
    local_parts = postmaster:abuse

    ##Test Addn
    endpass
    message = unknown user
    verify = recipient

    ###Test End
    #
    # Check sending hosts against DNS black lists.
    # Reject message if address listed in blacklist.

    deny message = Message rejected because $sender_fullhost \
    is blacklisted at $dnslist_domain see $dnslist_text

    dnslists = dsn.rfc-ignorant.org
    # RBL Bypass Local Domain List
    !domains = +rbl_bypass
    # RBL Whitelist incoming hosts
    !hosts = +rbl_whitelist
    #**#
    #**# RBL List End
    #**#

    As I mentioned, I do not do RBL stuff in exim.conf except for rfc-ignorant.org, as SA 3 is already doing it.

    Play with it carefully one thing at a time :)

    Anup

    [edit]
    Chirpy (Jonathan) repeatedly educated me not to use delay = xm, so ultimately I got rid of all delay = xm in my exim.conf.
    [/edit]
     
    #14 anup123, May 29, 2005
    Last edited: May 29, 2005
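The HELO deny statements Anup posted above (and repeated in this post) and erick_paper's question about whether the order of the statements matters can both be seen by modelling Exim's first-match ACL evaluation. This Python model is an added example, not Exim or anyone's exim.conf from this thread: the named lists, the interface address, the sample sessions and the DNSBL answer table are constructed stand-ins, and the relay/authenticated exemption is applied to every HELO check, as in erick_paper's version.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins for Exim's named lists and variables (hypothetical values).
LOCAL_DOMAINS = {"example.com", "lists.example.com"}   # +local_domains
RELAY_HOSTS = {"192.0.2.10"}                           # +relay_hosts
INTERFACE_ADDRESS = "198.51.100.5"                     # $interface_address
# Offline stand-in for a dnslists lookup: sending host -> list it appears on.
DNSBL_LISTED = {"203.0.113.7": "sbl-xbl.spamhaus.org"}


@dataclass
class Session:
    """The per-connection Exim variables these ACL statements look at."""
    sender_host_address: str
    sender_helo_name: str
    authenticated: bool = False


def is_ip(text: str) -> bool:
    """Model of ${if isip{...}}: a syntactically valid, unbracketed IP address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def trusted(s: Session) -> bool:
    """The '!hosts = +relay_hosts' / '!authenticated = *' exemption from the thread."""
    return s.authenticated or s.sender_host_address in RELAY_HOSTS


def matches(pattern: str, text: str) -> bool:
    """${if match{text}{regex}} is an unanchored, case-sensitive PCRE search."""
    return re.search(pattern, text) is not None


# A statement is (verb, check); check returns the log_message when all of the
# statement's conditions hold, or None when the statement does not apply.
Statement = Tuple[str, Callable[[Session], Optional[str]]]


def helo_statements() -> List[Statement]:
    """The HELO deny statements from the thread, in the order they were posted."""
    return [
        ("deny", lambda s: "Bad HELO: Empty HELO" if s.sender_helo_name == "" else None),
        ("deny", lambda s: "Forged HELO: is our interface address"
         if not trusted(s) and s.sender_helo_name == INTERFACE_ADDRESS else None),
        ("deny", lambda s: "Forged HELO: is one of our local domains"
         if not trusted(s) and s.sender_helo_name.lower() in LOCAL_DOMAINS else None),
        ("deny", lambda s: "Forged HELO: ip does not match"
         if is_ip(s.sender_helo_name) and s.sender_helo_name != s.sender_host_address
         else None),
        # The second regex carves the all-digit case back out, as the thread's does.
        ("deny", lambda s: "Hacked HELO: constructed by viruses"
         if matches(r"^[A-Z0-9]+\.[a-z]+$", s.sender_helo_name)
         and not matches(r"^[0-9]+\.[a-z]+$", s.sender_helo_name) else None),
        ("deny", lambda s: "Bad HELO: " + s.sender_helo_name + " does not exist"
         if matches(r"(backup.lst|localhost.localdomain)", s.sender_helo_name) else None),
    ]


def rbl_statements() -> List[Statement]:
    """The dnslists deny, with the relay/authenticated exemption from the thread."""
    def check(s: Session) -> Optional[str]:
        listed = None if trusted(s) else DNSBL_LISTED.get(s.sender_host_address)
        return f"blacklisted at {listed}" if listed else None
    return [("deny", check)]


def run_acl(statements: List[Statement], s: Session) -> Tuple[str, str]:
    """Exim semantics: top to bottom, the first accept/deny/drop whose conditions
    all hold ends the ACL; warn never ends it; running off the end is a deny."""
    for verb, check in statements:
        reason = check(s)
        if reason is None or verb == "warn":
            continue
        return verb, reason
    return "deny", "end of ACL reached without accept"


def check_recipient(s: Session, helo_first: bool = True) -> Tuple[str, str]:
    """Model of the thread's check_recipient in the two orderings erick_paper
    asked about; the rest of the real ACL is collapsed into a final accept."""
    order = helo_statements() + rbl_statements()
    if not helo_first:
        order = rbl_statements() + helo_statements()
    order.append(("accept", lambda s: "passed HELO and RBL checks"))
    return run_acl(order, s)


if __name__ == "__main__":
    # Constructed sample sessions: (sending host, HELO argument, authenticated?).
    samples = [
        ("203.0.113.20", "mx.sender.example", False),    # ordinary remote MTA
        ("203.0.113.20", INTERFACE_ADDRESS, False),      # claims our own IP
        ("203.0.113.20", "ABCDE.com", False),            # virus-style generated HELO
        ("203.0.113.20", "12345.com", False),            # all digits: carved out
        ("203.0.113.7", "localhost.localdomain", False), # listed host and bad HELO
        ("192.0.2.10", "example.com", True),             # authenticated relay client
    ]
    for host, helo, auth in samples:
        s = Session(host, helo, auth)
        print(f"{host:13} HELO {helo!r:24} HELO-first {check_recipient(s)}"
              f"  RBL-first {check_recipient(s, helo_first=False)}")
```

Running it shows that a listed host with a bad HELO is rejected under either ordering; only the logged reason changes, and putting the cheap HELO checks first means the DNS lookup is never made for such a session.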
  15. erick_paper

    Thanks for that anup. But I have many things in mine that you don't. My intention is not to replicate your settings (although I'm very grateful to you for sharing!)

    So my simple question is: does the order of these commands matter? If I put my DNSLIST call at the very end, would it make a difference? I would like ALL these tests to be undertaken before a message is delivered.

    With my current setup, even though a message passes the RBL check, it should be getting caught by the faulty HELO check, but it is not. Hence the question. It seems all these tests are not being undertaken. How can I make sure they are, and in the order I specify?

    My full new code is below. Before I enter it in, just wanted to see if this is correct. Thanks for your thoughts!

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
      #---------------------------------------------------------------------
      # First, deny all that have malformed addresses 
      #---------------------------------------------------------------------
      deny    domains       = !+local_domains
              local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
              log_message   = Invalid local part
    
      ##--------------------------------------------------------------------
      ##-- Added Chirpy's dictionary attack protection
      ##-- From http://www.configserver.com/free/eximdeny.html
      ##-- [ERICK_P May 29 2005]
      ##--------------------------------------------------------------------
      drop hosts = /etc/exim_deny
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack
    
      drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
      ##--------------------------------------------------------------------
    
      #--------- [ERICK_P MAY 29 2005] HELO VERIFICATION ---------------------
      # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny 
        message = Bad HELO: Empty HELO, Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1.
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME -HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      deny message = Forged HELO: You are not $sender_helo_name as you claim. You are not allowed to use it in HELO/EHLO as per RFC Standards.
       !hosts = @[]
       !hosts = +rv_relay_hosts
       !authenticated = *
       condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME - HELOS AS MY OWN HOSTNAME OR DOMAIN
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
      #---------------------------------------------------------------------
      # ACCEPT HELO WHICH IS IN LOCAL_DOMAIN IF WE RELAY OR HAD SMTP AUTH
      #---------------------------------------------------------------------
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    
      #---------------------------------------------------------------------
      # HACKED HELO (DOMAIN.COM) (CONSTRUCTED BY VIRUSES)
      #---------------------------------------------------------------------
      deny message = Hacked HELO: you are not $sender_helo_name
      condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
      condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
    
      #---------------------------------------------------------------------
      # MAILMAN STUFF: 
      # Accept bounces to lists even if callbacks or other checks would fail
      #---------------------------------------------------------------------
      warn     message   = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #---------------------------------------------------------------------
      # If it gets until here it isn't mailman
      # Sender verifications are required for all messages 
      # that are not sent to lists.
      #---------------------------------------------------------------------
     
      require verify = sender
      accept  local_parts   = postmaster
              domains       = +local_domains
      endpass
     
      message = "The recipient cannot be verified. $acl_verify_message"
      verify = recipient
     
      accept  domains = +relay_domains
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    #-----------------------------------------------------------------------
    # Only deny the RFC-Ignorant ones, as remaining are checked by 
    # SpamAssassin anyway
    #  -- Modified LWBlacklist v0.02 on May 29, 2005 [ERICK_P]
    #-----------------------------------------------------------------------
    deny  !sender_domains = lsearch;/etc/localdomains
          !hosts = +relay_hosts
          !authenticated = *
          message = Rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = dsn.rfc-ignorant.org/$sender_address_domain : \
                          postmaster.rfc-ignorant.org/$sender_address_domain 
    
    warn  message = X-Warning: Should be rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = whitelist.MYDOMAIN.com!=127.0.0.13 : \
                          rhsbl.ahbl.org/$sender_address_domain : \
                          list.dsbl.org : \
                          dnsbl.ahbl.org : \
                          sbl-xbl.spamhaus.org : \
                          bl.spamcop.net : \
                          relays.ordb.org : \
                          rbl.MYDOMAIN.com
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      ## clamav ACL, reject virus infected mails with proper error
    
      deny message = This message contains malformed MIME ($demime_reason).
      demime = *
      condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
      deny message = This message contains a virus or other harmful content \
      ($malware_name)
      demime = *
      malware = *
    
      deny message = Potentially executable content. If you meant to send this file \
      then please package it up as a zip file and resend it.
      demime = ###ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
      # Add X-Scanned Header
      warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
      ## end clamav ACL
    accept
    
     
    #15 erick_paper, May 29, 2005
    Last edited: May 29, 2005
  16. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    As far as what I have learnt, first things first. HELO is the first thing to happen, so that should be checked first, followed by dictionary attack, followed by RBLs and so on....

    I do not use much of RBL because that's already being done by SA3.x and I would not want clients to be blocked out from sending mails using SMTP just because their IP is listed somewhere.

    Put in one thing at a time and watch the logs... till you have done almost everything that satisfies your set up.

    Here is the documentation on RBL on cPanel... that's what I referred to when I used it in SA 2.5 days but no more now.

    http://www.webhostgear.com/175.html
    Anup
     
    #16 anup123, May 29, 2005
    Last edited: May 29, 2005
  17. rvskin

    rvskin Well-Known Member
    PartnerNOC

    Joined:
    Feb 19, 2003
    Messages:
    400
    Likes Received:
    1
    Trophy Points:
    18
    No. It is not necessary. It is just the way I refer to the variable list.

    erick_paper; For the quick review, it is ok. I would suggest you change the line

    malware = *

    to

    malware = */defer_ok

    This will prevent your Exim from rejecting all emails when clamd fails.
     
  18. KMK Enterprises

    KMK Enterprises Well-Known Member

    Joined:
    Feb 7, 2005
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    I've found that this section:

    Code:
    deny
       condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
       message = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards. Please Contact Your Sys Admin
       log_message = Forged HELO: $sender_helo_name is one of our local domains
    seems to stop mailman list messages originating from the server. If anyone could provide an alternate check which doesn't have this effect, it would be great.
     
    #18 KMK Enterprises, May 31, 2005
    Last edited: May 31, 2005
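    One way to keep the forged-HELO check while exempting the traffic that Mailman's own list mail arrives on (local submission and the loopback address); this is an added example, not anything posted in the thread, and it assumes the same cPanel +local_domains and +relay_hosts named lists used in the ACLs above:

```exim
# Added example: forged-HELO deny that skips hosts the server already trusts.
# Assumes the +local_domains and +relay_hosts lists from the cPanel exim.conf.
deny
  # A negated hosts list is true when the peer is NOT listed. The leading
  # empty item matches mail not received over TCP/IP (local submission);
  # 127.0.0.1 covers Mailman handing list mail to localhost over SMTP.
  !hosts         = : 127.0.0.1 : +relay_hosts
  # Authenticated clients may legitimately HELO with one of our names.
  !authenticated = *
  condition      = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
  message        = Forged HELO: $sender_helo_name is one of our local domains
  log_message    = Forged HELO: $sender_helo_name is one of our local domains
```

    Loopback and relay-host connections fall through to the remaining ACL checks instead of being rejected here, so the check still applies to every outside host that announces itself as one of your domains.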
  19. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Great howto!

    I have some concerns with the following options. The way it is worded, one would think they have the ability to turn off the anti-virus on the entire server. The other would be how users enabling and disabling options affect the load?

    To allow user enable/disable server-wide spam protection

    touch /usr/local/cpanel/base/eximacl/.rvspam

    To allow user enable/disable server-wide virus protection (You have to configure Exim to reject virus + sender whitelist + receiver whitelist as described in section 2ii in the instruction.)

    touch /usr/local/cpanel/base/eximacl/.rvvirus
    touch /usr/local/cpanel/base/eximacl/.rvfiletype

    To allow user enable/disable RBL checking

    touch /usr/local/cpanel/base/eximacl/.rvrbl


     
  20. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    849
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    I have also noticed when a user clicks disable it stays enabled.

    *Found the problem. Disregard.*
     
    #20 Solokron, Jun 15, 2005
    Last edited: Jun 15, 2005
