ReadMe-SpamBlockerVersion4exim.conf.txt

This is the readme file for:

DirectAdmin SpamBlockerTechnology* Version 4.2.3 powered exim.conf
July 08, 2014

Exim configuration file for DirectAdmin

Requires the latest (at time of installation) exim.pl as distributed by DirectAdmin here:
http://files.directadmin.com/services/exim.pl

Includes SpamBlockerTechnology blocklists and optimizations:
http://www.nobaloney.net/downloads/spamblocker/

ClamAV optional
SpamAssassin optional
Dovecot/IMAP required

*SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
http://www.nobaloney.net

WARNING! Be sure to back up your previous exim.conf file before making any changes or switches to a new file.

WARNING! This exim.conf file does not allow host literal addressing such as username@12.34.56.78. If you need to allow host literals you're on your own.

WARNING! Do NOT use the Exim configuration file covered by this ReadMe file unless you make the required modifications to your Exim configuration following the instructions in this ReadMe file.

WARNING: The following files must exist and have the same ownership and permissions as your /etc/virtual/domains file.

/etc/virtual/bad_sender_hosts
/etc/virtual/bad_sender_hosts_ip
/etc/virtual/blacklist_domains
/etc/virtual/blacklist_senders
/etc/virtual/whitelist_domains
/etc/virtual/whitelist_hosts
/etc/virtual/whitelist_hosts_ip
/etc/virtual/whitelist_senders
/etc/virtual/use_rbl_domains
/etc/virtual/skip_av_domains
/etc/virtual/skip_rbl_domains

Some of the above files may already exist and be populated.

If you have a prepopulated bad_sender_hosts file and it contains listings which consist of IP#s, then those listings must be moved out of the bad_sender_hosts file and into the bad_sender_hosts_ip file.

If you have a prepopulated whitelist_hosts file and it contains listings which consist of IP#s, then those listings must be moved out of the whitelist_hosts file and into the whitelist_hosts_ip file.
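The file preparation described above can be scripted. The following is an added example, not part of the SpamBlocker distribution: it creates any missing list file with the attributes of the domains file, reports files whose ownership or permissions differ, and moves IP listings into the matching _ip file. It assumes an IP listing is a bare IPv4 address with an optional /mask; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the SpamBlocker distribution.
# Usage: sh check_lists.sh /etc/virtual
LISTS="bad_sender_hosts bad_sender_hosts_ip blacklist_domains blacklist_senders
whitelist_domains whitelist_hosts whitelist_hosts_ip whitelist_senders
use_rbl_domains skip_av_domains skip_rbl_domains"

# Assumption: an "IP#" listing is a bare IPv4 address, optionally with a /mask.
IP_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

# Print "mode uid gid" for a file, following symlinks
# (use_rbl_domains may be a symlink to the domains file).
owner_mode() {
    ls -ldnL "$1" | awk '{ print $1, $3, $4 }'
}

# Create missing list files and report ownership/permission mismatches.
# Returns 0 when every file matches the domains file, 1 on a mismatch,
# 2 when the domains file is missing or a file cannot be created.
ensure_lists() {
    dir=$1
    [ -f "$dir/domains" ] || { echo "no $dir/domains" >&2; return 2; }
    want=$(owner_mode "$dir/domains")
    bad=0
    for name in $LISTS; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            # cp -p copies the mode (and the owner, when run as root);
            # the copy is then emptied so only the attributes remain.
            cp -p "$dir/domains" "$f" && : > "$f" || return 2
        fi
        if [ "$(owner_mode "$f")" != "$want" ]; then
            echo "MISMATCH $f: $(owner_mode "$f"), want $want" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Move IP listings from a hosts list (SRC) to its _ip list (DST).
# Hostnames, comments and blank lines stay in SRC. DST must already exist.
split_ip_entries() {
    src=$1
    dst=$2
    [ -f "$src" ] || return 0
    tmp="$src.tmp.$$"
    grep -E  "$IP_RE" "$src" >> "$dst" || true   # append IP listings
    grep -Ev "$IP_RE" "$src" >  "$tmp" || true   # everything else
    cat "$tmp" > "$src"    # rewrite in place: owner and mode are kept
    rm -f "$tmp"
}

# Only act when a directory is given explicitly on the command line.
if [ "$#" -eq 1 ]; then
    ensure_lists "$1"; rc=$?
    [ "$rc" -ne 2 ] || exit 2
    split_ip_entries "$1/bad_sender_hosts" "$1/bad_sender_hosts_ip"
    split_ip_entries "$1/whitelist_hosts"  "$1/whitelist_hosts_ip"
    exit "$rc"
fi
```

Run it as root so that copied files keep the owner of the domains file; mismatches are reported on stderr rather than changed.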
NOTE: This SpamBlockerTechnology powered exim.conf file may be set up either to default to block spam for all domains and use an administrator-maintained list of domains to exclude from spamblocking, or to default to allow spam for all domains and use an administrator-maintained list of domains for which to perform spamblocking.

INSTRUCTIONS for setting up SpamBlockerTechnology defaults:

BLOCK SPAM FOR ALL DOMAINS NOT IN EXCLUSION LIST:

Instead of a file at /etc/virtual/use_rbl_domains, create a symbolic link from /etc/virtual/use_rbl_domains to /etc/virtual/domains and populate the file at /etc/virtual/skip_rbl_domains as an exclusion list, copying the domain names as they appear in /etc/virtual/domains to /etc/virtual/skip_rbl_domains.

BLOCK SPAM ONLY FOR DOMAINS IN INCLUSION LIST:

Maintain a file at /etc/virtual/use_rbl_domains, copying the domain names as they appear in /etc/virtual/domains to /etc/virtual/use_rbl_domains.

NOTE: No management tools are included in DirectAdmin to manage the whitelists, blacklists or list of domains using the RBLs. The DirectAdmin admin-level File Manager may be set to allow editing of these lists. Additionally, commercial tools may be available; search the DirectAdmin Forums.

More information about NoBaloney Internet Services may be found at:
http://www.nobaloney.net/

More information about DirectAdmin may be found at:
http://www.directadmin.com/

More information about the SpamBlockerTechnology Version 4 exim.conf file may be found on the DirectAdmin forums:
http://www.directadmin.com/forum/forumdisplay.php?f=57
and at the NoBaloney Internet Services site:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker4/

The Exim configuration file covered by this README.txt file has been modified from the original exim.conf file distributed with Exim 4.
The modifications have been made by:

NoBaloney Internet Services
Qnito Incorporated
848 North Rainbow Blvd., Suite #3789
Las Vegas, NV 89107-1103
+1 702 359-5120
spamblocker -at- nobaloney.net

The original exim.conf file distributed with Exim 4 includes the following copyright notice:
Copyright (C) 2002 University of Cambridge, Cambridge, UK

Portions of the file are taken from the exim.conf file as distributed with DirectAdmin (http://www.directadmin.com/):
Copyright (C) 2003-2011 JBMC Software, St Albert, AB, Canada

Portions of this file are written by NoBaloney Internet Services and are copyright as follows:
Copyright (C) 2004-2014 Qnito Incorporated, Las Vegas, NV, USA

The entire Exim 4 distribution, including the exim.conf file, is distributed under the GNU GENERAL PUBLIC LICENSE, Version 2, June 1991. If you do not have a copy of the GNU GENERAL PUBLIC LICENSE you may download it, in its entirety, from the website at:
http://www.nobaloney.net/exim/gnu-gpl-v2.txt

Thanks to all the members of the DirectAdmin community and of the exim community who have given their much needed and appreciated help.

The most recent version of this file may always be downloaded from the website at:
http://www.nobaloney.net/downloads/spamblocker

IMPORTANT NOTICE:

Whenever you change Exim's configuration file, you *must* remember to HUP the Exim daemon, because it will not pick up the new configuration until you do. However, any other Exim processes that are already running, for example, a process started by an MUA in order to send a message, will see the new configuration as soon as it is in place.

You do not need to HUP the daemon for changes in auxiliary files that are referenced from this file. They are read every time they are used.

It is usually a good idea to test a new configuration for syntactic correctness before installing it (for example, by running the command "exim -C /config/file.new -bV").
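The backup, syntax check and HUP steps above fit into one install routine. This is an added example, not part of the SpamBlocker distribution. The live configuration path /etc/exim.conf, the pid file path /var/run/exim.pid and the function name are assumptions; set LIVE, PIDFILE and EXIM to match your server.

```shell
#!/bin/sh
# Added example, not part of the SpamBlocker distribution.
# Usage: sh install_conf.sh /path/to/exim.conf.new
# Assumptions: the three defaults below are placeholders for your server.
EXIM="${EXIM:-exim}"
LIVE="${LIVE:-/etc/exim.conf}"
PIDFILE="${PIDFILE:-/var/run/exim.pid}"

# Validate a candidate configuration, back up the live file, install the
# candidate with an atomic rename, then HUP the daemon.
# Returns 0 on success, 1 when the syntax check fails, 2 on file errors.
install_exim_conf() {
    new=$1
    [ -r "$new" ] || { echo "cannot read $new" >&2; return 2; }

    # 1. Syntax check first; the live file is untouched if this fails.
    if ! "$EXIM" -C "$new" -bV >/dev/null 2>&1; then
        echo "syntax check failed, $LIVE left unchanged" >&2
        return 1
    fi

    # 2. Keep a timestamped copy of the previous configuration.
    tmp="$LIVE.new.$$"
    if [ -f "$LIVE" ]; then
        cp -p "$LIVE" "$LIVE.bak.$(date +%Y%m%d%H%M%S)" || return 2
        cp -p "$LIVE" "$tmp" || return 2   # inherit owner and mode
    fi

    # 3. Write the new content beside the live file, then rename it into
    #    place. Exim processes that start in the meantime read either the
    #    complete old file or the complete new one, never a partial file.
    cat "$new" > "$tmp" && mv "$tmp" "$LIVE" || return 2

    # 4. The running daemon keeps the old configuration until it gets HUP.
    if [ -r "$PIDFILE" ]; then
        kill -HUP "$(cat "$PIDFILE")"
    else
        echo "no pid file at $PIDFILE: HUP the Exim daemon by hand" >&2
    fi
}

# Only act when a candidate file is given explicitly on the command line.
if [ "$#" -eq 1 ]; then
    install_exim_conf "$1"
    exit $?
fi
```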
MODIFICATION INSTRUCTIONS

YOU MUST MAKE CERTAIN CHANGES TO THIS SpamBlocker exim.conf file as documented in this README file. Though some changes are marked as optional, they may still be required in your configuration.

The README file for this version is named:
README-SpamBlockerVersion4exim.conf.txt

Note that EDIT and COMMENT points in the SpamBlocker Technology-powered exim.conf file are numbered inline; so you may find, for example, EDIT#45: followed by: COMMENT#46:

Here are the edit points and comments:

EDIT#1:
Specify your host's canonical name here. This should normally be the fully qualified "official" name of your host. If this option is not set, the uname() function is called to obtain the name. In many cases this does the right thing and you need not set anything explicitly. However we recommend setting the hostname here.

EDIT#2-CLAMAV
If you use ClamAV, then uncomment one of the av_scanner lines and edit as necessary so it points to your ClamAV socket or port, depending on your ClamAV configuration.
NOTE: See also EDIT#15 and EDIT#28, below.

EDIT#3:
Specify the domain you want to be added to all unqualified addresses here. An unqualified address is one that does not contain an "@" character followed by a domain. For example, "caesar@rome.ex" is a fully qualified address, but the string "caesar" (i.e. just a login name) is an unqualified email address. Unqualified addresses are accepted only from local senders by default. See the receiver_unqualified_{hosts,nets} options if you want to permit unqualified addresses from remote sources. The default is not set; the primary_hostname value is used for qualification.

EDIT#4:
The location of the exim.pl file supplied with DirectAdmin. Must be dated 28-Mar-2008 or later, from the DirectAdmin site:
http://files.directadmin.com/services/exim.pl

EDIT#5:
The location of the system_filter.exim file supplied by DirectAdmin. This should work with the default entry.
The file located on the DirectAdmin website as of this writing:
http://files.directadmin.com/services/system_filter.exim
is dated 26-Oct-2011, but yours may include customizations.

EDIT#6:
This setting allows untrusted users to set the sender, which lets php set senders in exim. Commenting it out causes exim to not allow php and other untrusted users to set senders in exim.

EDIT#7:
This setting enables the incoming email submission port 587 as well as the standard email receipt port 25. You may add additional ports if required. If you do, be sure to also see the check_recipient ACL port 587 ruleset and add rules for other ports if required. See also EDIT#26 and make changes/additions as necessary.

EDIT#8:
Removing or commenting this setting (not recommended) will tell exim to use a Sender header, which will result in some email clients showing From to be the username and the Sender to be the From name set in PHP.

EDIT#9:
These settings work on our tested systems; you may want to make changes to some or all of these settings to work well in your environment.

EDIT#10:
Domains shouldn't use the underscore character "_" but some may. Because the late Jon Postel, one of the architects of the Internet, said "Be liberal in what you accept and conservative in what you transmit", we choose to allow underscore in email domain names so we can receive email from domains which use them. If you comment out this setting your system won't accept email from domains which include the underscore character in their name.

EDIT#11:
We weren't happy with the default Exim logging behavior through syslog; it didn't give us enough information. So we turned off syslog behavior and changed the logging behavior to give us what we felt was more helpful information. You may choose to delete or modify this section.

EDIT#12:
Setting this selection to true will cause duplication of many lines in both the main exim logs and the rejectlog.
EDIT#13:
These options specify the Access Control Lists (ACLs) that are used for incoming SMTP messages - after the CONNECT, HELO, RCPT and DATA commands, respectively. If you make changes here then you must make changes to the ACLs themselves, further down in the file.

EDIT#14:
These lists are used in the ACLs. Documenting their use is beyond the scope of this file. Look them up in the exim documentation if necessary to change them. For these to work the files listed above in this documentation must exist as files or Symbolic Links as described above, OR EXIM WILL NOT RUN.

EDIT#15:
If you run ClamAV then a file /etc/virtual/skip_av_domains must exist and you must uncomment the next line. Copy domain names from the /etc/virtual/domains file for any domains that should NOT use ClamAV.
NOTE: See also EDIT#2 above, and EDIT#28, below.

EDIT#16:
By default, we do not allow 127.0.0.1 as a relay host, so any php, cgi scripts, etc., which send email via smtp must use authentication. To allow unauthenticated local smtp, make the change in the EDIT#14 section above, and also make the change immediately below.

EDIT#17:
By default we do not allow email to be delivered to the root user, as doing so would require that exim run as root. We don't allow this as we believe it to be a security issue to allow exim to run as root. Instead you should create an alias file in the /root directory to redirect email sent to the root user. You may add other users to the never_users setting (in a colon-delimited list) if required, but the default is generally perfect.

EDIT#18:
This setting causes Exim to do a reverse DNS lookup on all incoming IP email, in order to get the true host name for both email headers and logfiles. If you feel this is too time-consuming, and don't need the information, comment out the next line.

EDIT#19:
Exim may be set to make RFC 1413 (ident) callbacks for all incoming SMTP calls. You can limit the hosts to which these calls are made, and/or change the timeout that is used.
Callbacks are cheap and can provide useful information for tracing problem messages, but some hosts and firewalls have problems with them, so by default we disable callbacks for all incoming SMTP sessions by using a timeout of 0 seconds for all hosts. You may change rfc1413_query_timeout to 30s or some other positive number of seconds to enable callbacks for incoming SMTP calls.

EDIT#20:
These settings modify how and when exim queue-runners run on your server. These defaults work for us and should work for you, but you should change them if/as necessary for your environment. You should always restart exim after any changes to the exim.conf file.

EDIT#21:
These settings modify how long exim will retry messages before timing out their delivery.

EDIT#22:
Exim uses the concept of trusted users, who are allowed certain liberties with changes to headers. For more information, see:
http://www.exim.org/exim-html-4.00/doc/html/spec_5.html#SECT5.2
If you must add additional trusted users, do so here, continuing the colon-delimited list.

EDIT#23:
These settings control how exim runs authenticated sessions. The defaults should work.

EDIT#24:
acl_connect Access Control List:
We don't use the acl_connect ACL, but we reserve space for it so you can use it if you require it.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#25:
acl_check_helo Access Control List:
These checks have been selected for maximum spam control with minimum disruption of good email.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#26:
acl_check_recipient Access Control List:
Various checks after we've been told the email recipient. See especially EDIT#7 above.
This section disallows sending email for various reasons:

Blocks emails if the sending server tries several well known exploits with 'funny' characters in local parts of email addresses.

Disallows sending all email to any user after the user has hit its daily limit.

Blocks emails which pretend to be bounces but are sent to more than one recipient, as they aren't really bounces.

Blocks emails which are sent to too many failing recipients, as these emails are likely spam.

Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#27:
Some of these tests may cause problems for some/most/many remote users not already using port 587 if their Outlook or similar MUA doesn't use a fully qualified domain name (FQDN) in the helo/ehlo statement. When we added these tests all senders needed to use plain text authentication on port 587 to relay email through our servers. Nevertheless we believe these tests should be used and senders should be taught to send email properly on port 587 or to use their ISP for outgoing email.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#28:
If you use ClamAV you must uncomment the two lines below to set acl_m0 to use later in the data acl to implement ClamAV for all domains not listed in skip_av_domains.
See also EDIT#2 and EDIT#15, above.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#29:
These settings check for certain sequences in the local parts of email addresses, and forbid outgoing messages to addresses:

which begin with a dot, slash, or vertical bar (but allows those characters within local parts)
which include the sequence \..\
which use @, %, and ! in their local parts

to prevent users (and/or their viruses) from mounting certain kinds of attacks on remote sites.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#30:
Accept email for relay if the source is local SMTP (i.e. not over TCP/IP). Test for this by testing for an empty sending host field. See also EDIT#16.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#31:
Accept email for relay if sender domains, hosts, or envelope senders are in whitelist.
Warning: if you whitelist domains on this server then anyone can use the server to relay, and you'll eventually be listed as a spammer.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#32:
Edit deny message to point to your own unblock page if required. Deny email for relay if sender is in local blocklist.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#33:
Edit deny message to point to your own unblock page if required. Deny email for relay if sender's host name is in local blocklist.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#34:
Edit deny message to point to your own unblock page if required. Deny email for relay if sender's host IP is in local blocklist.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#35:
dnswl.org is a DNS-based list of official ISP mailservers you'll probably want to whitelist. While these may cost some spam, the ISPs will take action on your request, and using this whitelist will eliminate some complaints. You may comment out all three lines if you don't want to use this whitelist.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.
EDIT#36:
hostkarma.junkemailfilter.com is a DNS-based list of mailservers which can be used as a whitelist. Using this whitelist will eliminate some complaints, but by default it's turned off as it tends to allow significant spam from time to time. To use it, uncomment all three lines. Using hostkarma.junkemailfilter.com may require payment; you should check with the host company's website and make your own determination.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#37:
If the page you're using to notify senders of blocked email of how to get their address unblocked will use a web form to send you email so you'll know to unblock those senders, then you may leave these lines commented out. However, if you'll be telling your senders of blocked email to send an email to (for example) whitelist@example.com, then you should replace "whitelist" with the local part (left side) of the email address you'll be using, and "example.com" with the domain (right side) of the email address, and then uncomment these two lines. Doing this will mean anyone can send email to this specific address, even if they're at a blocked domain, and even if your domain is using blocklists.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#38:
Sender verification denies incoming email unless the domain of the sender address can be verified. By default we do not require sender verification. This is a change from some previous versions. If you do want to require sender verification, i.e., that the domain of the sending address is routable and mail can be delivered to it, then uncomment this line.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#39:
Deny incoming email from domains in your local blocklist.
Edit deny message to point to your own unblock page if required.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#40:
This section was originally included to block mail which said it was from PayPal but wasn't sent by PayPal servers. It was removed because PayPal doesn't always use these servers, and also because this section breaks forwarding. Instead use SpamAssassin to score on SPF and DKIM.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#41:
Deny email using various DNS-based blocklists. You may remove any of the lists in the lines following the line:
dnslists = \
but remember that every list except the last must be followed by
: \
and that the last must not be followed by anything.
Note that b.barracudacentral.org may require registration and that zen.spamhaus.org and hostkarma.junkemailfilter.com may require payment; you should check with their host companies' websites and make your own determination.
Edit deny message to point to your own unblock page if required.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

EDIT#42:
Deny email using various name-based blocklists. You may remove any of the lists in the lines following the line:
dnslists = \
but remember that every list except the last must be followed by
: \
and that the last must not be followed by anything.
We comment out the entire section because we find that the one list in this section causes too many false positives.
Edit deny message to point to your own unblock page if required.
Except as documented herein do NOT make changes to Access Control Lists unless you know precisely what you are doing and why.

COMMENT#43:
This is the section of the ACL which accepts email for delivery.

COMMENT#44:
For domains for which we relay, we don't message back "Unknown User".
EDIT#45:
This section will accept messages coming from a host for which we are an outgoing relay. Recipient verification is omitted because many MUA clients don't cope well with SMTP error responses. However: if you are actually relaying from MTAs then you should probably add recipient verify here.

EDIT#46:COMMENT
Uncomment the entire ClamAV section (except the comment lines beginning with "##") when implementing ClamAV. Each subsection begins with "##". You should leave at least one of the comment (#) marks at the beginning of these lines.

You may comment out the entire MIME header section if you do not want to deny based on malformed MIME header.

You may comment out the entire attachment type section if you do not want to block any attachment types, or you may make changes to the list of attachment types you don't want to accept.

By default we only scan messages under 1000K. You can change that size by changing the condition line in the line:
"condition = ${if >={$message_size}{1000k} {1}{0}}"
and optionally the same number in the comment two lines above.

Warning: do NOT comment out the "accept" line at the bottom of the acl_check_message acl (the last line in the ClamAV section) or all incoming email will be rejected.
Except as documented herein do NOT make changes to ClamAV section unless you know precisely what you are doing and why.

EDIT#47:
REWRITE CONFIGURATION
There is no rewriting specification in this exim.conf file. If your configuration requires one, it would go in this section.
Except as documented herein do NOT make changes to the rewrite section unless you know precisely what you are doing and why.

EDIT#48:
ROUTERS CONFIGURATION
This section specifies how remote addresses are handled. Remote addresses are those with a domain that does not match any item in the "local_domains" setting above. We specify two routers, but only one or the other may be used.
If this server routes its own remote email, then the lookuphost router should be uncommented and the smarthost driver should be commented. If this exim configuration sends all remote email to a smarthost, then the lookuphost router should be commented, the smarthost driver should be uncommented, AND THE HOSTNAME OR IP MUST BE INCLUDED IN THE SMARTHOST ROUTER. By default this exim.conf file presumes this server will route its own remote email.
Except as documented herein do NOT make changes to Routers Configuration section unless you know precisely what you are doing and why.

COMMENT#49:
The Directors Configuration determines how local addresses are handled. Order does matter; a local address is passed to each in turn until it is accepted. Local addresses are those with a domain that matches some item in the local_domains setting above.

EDIT#50:
The entire spamcheck_director section must be uncommented to use SpamAssassin. Note that this director will skip SpamAssassin if the header X-Spam-Flag: is already defined in the incoming email. If you want to rescan (some spammers put the line in to avoid detection by SpamAssassin) you'll need to add code to remove the header before entering this section. That code is NOT addressed in this version of the SpamBlocker Technology Version 4.2.3 powered exim.conf file.
Except as documented herein do NOT make changes to this section unless you know precisely what you are doing and why.

COMMENT#51:
The drop_solo_alias will drop the email, because the first alias is unseen (so that you can forward the email as well as save it). The save part is "seen" (virtual_user), but the forward before it isn't. This will be the spot where we "see" the email so that it doesn't send a bounce if we have an alias but no pop.

COMMENT#52:
The userforward director handles forwarding using traditional .forward files.
This director will allow use of the exim filter if the .forward file (in the user's home directory) starts with a separate line at the top with the following string (including the #):
Exim filter
To turn off the exim filter without having to edit all the .forward files, simply comment out the line in this transport:
allow_filter
The check_ancestor option means that if the forward file generates an address that is an ancestor of the current one, the current one gets passed on instead. This covers the case where A is aliased to B and B has a .forward file pointing to A. The three transports specified at the end are those that are used when forwarding generates a direct delivery to a file, or to a pipe, or sets up an auto-reply, respectively.

COMMENT#53:
TRANSPORTS CONFIGURATION
Order of transports doesn't matter; only one appropriate transport will be called for each delivery. A transport is used only when referenced from a director or a router which successfully handles an address.

COMMENT#54:
The spamcheck transport (used by SpamAssassin) need not be commented out if you don't use SpamAssassin; in that case it won't ever be called. The user named in the last line of the spamcheck router must be a privileged user to be able to set $received_protocol when reinjecting email into exim.

COMMENT#55:
The majordomo_pipe transport is used for delivery to majordomo.

COMMENT#56:
The local_delivery transport is used for local delivery to user mailboxes in Maildir format, in the user's local Maildir Directory as defined by DirectAdmin.

COMMENT#57:
The virtual_localdelivery transport is for delivering virtual domain users' email to their own mail spool.

EDIT#58:
The uservacation transport includes a serverwide message to be sent with each vacation message when a user has set a vacation message. You may edit this message but remember to hardcode the linefeeds as shown in the sample text.

COMMENT#59:
The userautoreply transport delivers an autoreply message when set by the user.
COMMENT#60:
The devnull transport delivers email destined to /dev/null.

COMMENT#61:
This remote_smtp transport delivers all email being sent over SMTP.

EDIT#62:
The address pipe transports handle pipe deliveries generated by alias or .forward files. If the pipe generates any standard output, it is returned to the message sender as a delivery error. If you want this sent only when the pipe fails to complete normally then replace the line
return_output
with
return_fail_output
Except as documented herein do NOT make changes to this section unless you know precisely what you are doing and why.

COMMENT#63:
The address_file transport is used for handling deliveries directly to files generated by aliasing or forwarding.

COMMENT#64:
The address-reply transport is used for handling autoreplies generated by the filtering option of the forwardfile director.

EDIT#65:
RETRY CONFIGURATION
This single retry rule applies to all domains and all errors. It specifies retries every 15 minutes for 2 hours, then increasing retry intervals, starting at 1 hour and increasing each time by a factor of 1.5, up to 16 hours, then retries every 8 hours until 4 days have passed since the first failed delivery. You may optionally make changes to these times.
Except as documented herein do NOT make changes to this section unless you know precisely what you are doing and why.

End of Exim 4 configuration