# HG changeset patch # User Heiko Schlittermann (JUMPER) # Date 1399647318 -7200 # Node ID 0f80f11be2791308f2287a5996ee8fe48a5c81c9 # Parent 234207b61f7c3e2b324d125f3eb73dd3bacecb24 [snapshot] diff -r 234207b61f7c -r 0f80f11be279 .hgsubstate --- a/.hgsubstate Fri May 09 13:36:29 2014 +0200 +++ b/.hgsubstate Fri May 09 16:55:18 2014 +0200 @@ -1,2 +1,2 @@ -d284a1beb267de3a87c9d766bea7c7360a01fda1 emig -327049f04783e46ded8c8cc5ad62fd6927aba594 smart-config +04b3ed996d32a360a3f680391d4b265ea3b9e7dc emig +947cbd7e455c104678e33af49ada30e3f9fb47a3 smart-config diff -r 234207b61f7c -r 0f80f11be279 Makefile --- a/Makefile Fri May 09 13:36:29 2014 +0200 +++ b/Makefile Fri May 09 16:55:18 2014 +0200 @@ -3,7 +3,7 @@ DIA = $(wildcard dia/*.dia) TT = $(wildcard *.tt) -CONF = $(wildcard *.conf) +CONF = $(wildcard conf/*.conf) FRAMES = $(wildcard frames/*tex) IMAGES = $(notdir $(DIA:.dia=.pdf)) @@ -12,7 +12,7 @@ all: $(ALL) clean: rubber -d --clean mk2014.tex - -rm -f *.vrb $(PDF) + -rm -f *.vrb $(IMAGES) mk2014.pdf: mk2014.tex $(IMAGES) $(FRAMES) $(TT) $(CONF) diff -r 234207b61f7c -r 0f80f11be279 acl.conf --- a/acl.conf Fri May 09 13:36:29 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,39 +0,0 @@ -begin acl - - acl_check_connect: - - deny ratelimit = 10/1m - log_message = $sender_rate/$sender_rate_period > $sender_rate_limit - - accept - - acl_check_rcpt: - - accept domains = +local_domains - local_parts = postmaster - - require message = sender verification failed - verify = sender - - accept authenticated = * - - require message = relaying denied - domains = +local_domains - - require message = recipient verification failed - verify = recipient - - accept - - acl_check_data: - - deny message = sorry, $malware_name - malware = * - - deny message = sorry, filtered - spam = nobody - condition = ${if >={$spam_score_int}{60}} - - accept - - diff -r 234207b61f7c -r 0f80f11be279 conf/acl.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
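Review bot: `CONF = $(wildcard conf/*.conf)` keeps the recursive `=` flavour, so the glob is re-run every time `$(CONF)` is expanded, including when the `mk2014.pdf` prerequisite list is built; `CONF := $(wildcard conf/*.conf)` evaluates it once at parse time. The neighbouring `DIA`, `TT` and `FRAMES` lines on the context side have the same shape, so this is pre-existing style rather than a regression of this commit, but the touched line is the place to start. In the `clean` recipe the leading `-` on `-rm -f *.vrb $(IMAGES)` is redundant because `rm -f` already succeeds on missing files; `$(RM) *.vrb $(IMAGES)` says the same without suppressing unrelated errors. Dropping `$(PDF)` from `clean` also means the built PDF now survives `make clean`, which looks intended but deserves a one-line comment on the recipe.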
+++ b/conf/acl.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,39 @@
+begin acl
+
+ acl_check_connect:
+
+ deny ratelimit = 10/1m
+ log_message = $sender_rate/$sender_rate_period > $sender_rate_limit
+
+ accept
+
+ acl_check_rcpt:
+
+ accept domains = +local_domains
+ local_parts = postmaster
+
+ require message = sender verification failed
+ verify = sender
+
+ accept authenticated = *
+
+ require message = relaying denied
+ domains = +local_domains
+
+ require message = recipient verification failed
+ verify = recipient
+
+ accept
+
+ acl_check_data:
+
+ deny message = sorry, $malware_name
+ malware = *
+
+ deny message = sorry, filtered
+ spam = nobody
+ condition = ${if >={$spam_score_int}{60}}
+
+ accept
+
+
diff -r 234207b61f7c -r 0f80f11be279 conf/emig-transport.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/emig-transport.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,6 @@
+begin transports
+
+ remote_smtp:
+ driver = smtp
+ hosts_require_tls = dsearch;/etc/exim4/emig.d/certs
+ tls_verify_certificates = /etc/exim4/emig.d/certs/$host
diff -r 234207b61f7c -r 0f80f11be279 conf/global.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/global.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,2 @@
+ALIASES = /etc/aliases
+domainlist local_domains = localhost : @[]
diff -r 234207b61f7c -r 0f80f11be279 conf/minimal.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/minimal.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,26 @@
+begin routers
+
+ remote:
+ driver = dnslookup
+ domains = !+local_domains
+ transport = remote_smtp
+ more = no
+
+ alias:
+ driver = redirect
+ require_files = ALIASES
+ data = ${lookup{$local_part}lsearch{ALIASES}}
+
+ mbox:
+ driver = accept
+ check_local_user
+ transport = mbox
+
+begin transports
+
+ remote_smtp:
+ driver = smtp
+
+ mbox:
+ driver = appendfile
+ file = /var/mail/$local_part
diff -r 234207b61f7c -r 0f80f11be279 conf/routers.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
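Review bot: `tls_verify_certificates = /etc/exim4/emig.d/certs/$host` only names the trust anchors for the connection; depending on the Exim release in use, a failed verification does not by itself abort the session, so confirm that the deployed version enforces it (in newer releases that is `hosts_require_tls` together with `tls_verify_hosts = *` on the transport). `hosts_require_tls = dsearch;/etc/exim4/emig.d/certs` requires TLS only for hosts that have an entry in that directory, so an MX whose name is absent is delivered with the transport defaults and no verification at all — the limitation the accompanying slide calls "Very Poor Mans DANE". A comment in the file stating that, e.g. `# hosts without an entry under emig.d/certs are not required to use TLS`, keeps the example honest when it is copied into a real config.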
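Review bot: The relocated `conf/global.conf` carries only `ALIASES` and `domainlist local_domains`; the `acl_smtp_connect`, `acl_smtp_rcpt` and `acl_smtp_data` lines from the deleted `global.conf` were not carried over, so nothing binds the ACLs in `conf/acl.conf` to the SMTP phases any more. If the files are still meant to assemble into one runnable example, an unset `acl_smtp_rcpt` makes Exim reject every RCPT, and an unset `acl_smtp_data` means the malware and spam checks in `acl_check_data` never run. If the drop is deliberate because the hook-up is shown elsewhere, a comment such as `# acl_smtp_* hooks are shown with the ACL example` would say so.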
+++ b/conf/routers.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,18 @@
+
+begin routers
+
+ remote:
+ driver = dnslookup
+ domains = !+local_domains
+ transport = remote_smtp
+ more = no
+
+ alias:
+ driver = redirect
+ require_files = ALIASES
+ data = ${lookup{$local_part}lsearch{ALIASES}}
+
+ mbox:
+ driver = accept
+ check_local_user = yes
+ transport = local_mbox
diff -r 234207b61f7c -r 0f80f11be279 conf/transports.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/conf/transports.conf Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,8 @@
+begin transports
+
+ remote_smtp:
+ driver = smtp
+
+ local_mbox:
+ driver = appendfile
+ file = /var/mail/$local_part
diff -r 234207b61f7c -r 0f80f11be279 frames/emig.tex
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/frames/emig.tex Fri May 09 16:55:18 2014 +0200
@@ -0,0 +1,18 @@
+\subsection{EmiG}
+\begin{frame}[<+->][fragile]{Beispiel}{Emig}
+\begin{block}{Aufgabenstellung}
+Es existiere ein JSON-File, in dem je MX-Host die
+SSL-Zertifikatsinformation liegt. Nun soll Exim, wenn er sich mit einem
+dieser Hosts verbindet, prüfen, ob das korrekte Zertifikat präsentiert
+wird.
+\end{block}
+\begin{block}{Lösung}
+\begin{itemize}
+ \item Perl-Script generiert aus dem mxinfra.json-File eine Ordnerstruktur
+ mit Zertifikaten \verb=emig.d/certs/=
+ \item Transport prüft das Zertifikat zum aktuellen Ziel-Host
+ \verbatiminput{conf/emig-transport.conf}
+\item Bitte? Ja, ich glaube, das ist Very Poor Mans DANE.
+\end{itemize}
+\end{block}
+\end{frame}
diff -r 234207b61f7c -r 0f80f11be279 frames/emil.tex
diff -r 234207b61f7c -r 0f80f11be279 frames/konfiguration.tex
--- a/frames/konfiguration.tex Fri May 09 13:36:29 2014 +0200
+++ b/frames/konfiguration.tex Fri May 09 16:55:18 2014 +0200
@@ -8,9 +8,9 @@ \item Beispiel-Konfig \verb=example.conf.gz= als Ausgangspunkt \item \verb=exim -bV= listet die verwendete Konfigurationsdatei und einkompilierte Features - \begin{scriptsize} + \begin{small} \ttinput{exim_bV.tt} - \end{scriptsize} + \end{small} \end{itemize} \end{frame} @@ -21,7 +21,7 @@ miteinander verlinkt (Router referenziert Tranports, globaler Teil referenziert ACL) \pause -\begin{scriptsize} +\begin{small} \begin{verbatim} … begin acl @@ -29,7 +29,8 @@ begin routers … \end{verbatim} -\end{scriptsize} +\end{small} +\pause \begin{description} \item[global] knapp 240 allgemeine Direktiven \item[acl] Access Control Lists für SMTP @@ -44,7 +45,7 @@ \subsection{Syntax} \begin{frame}[fragile]{Konfiguration}{Syntax} -\begin{exampleblock}{Macros, Kommentar, lange Zeilen} +\begin{block}{Macros, Kommentar, lange Zeilen} \begin{verbatim} # Super! CF = /etc/exim4/ @@ -55,7 +56,7 @@ … def:received_for {\n\tfor $received_for}} \end{verbatim} -\end{exampleblock} +\end{block} \pause Der Rest ist einfach :) \begin{alltt} @@ -83,8 +84,8 @@ \item[Operatoren] \verb=${md5:$local_part}=, \verb=${uc:$domain}= \item[Manipulation] \verb=${sg{$local_part}{.laus}{XXX}}= \item[Bedingungen] \verb=${if eq{$local_part}{x}{~/mbox}{~/.mail}}= -\item[Lookup/Key] \verb=${lookup{$local_part}lsearch{/etc/aliases}}= -\item[Lookup/Query] \verb+${lookup dnsdb{mx=example.com}}+ +\item[Key-Lookup] \verb=${lookup{$local_part}lsearch{/etc/aliases}}= +\item[Query-Lookup] \verb+${lookup dnsdb{mx=example.com}}+ \end{description} \end{frame} @@ -98,7 +99,7 @@ ${perl{}[{}…]} \end{verbatim} \pause -\begin{exampleblock}{Greylisting} +\begin{block}{Greylisting} \begin{verbatim} GREYKEY = $sender_address/$local_part@$domain perl_startup = do '/etc/exim4/exim-exigrey.pl' @@ -110,7 +111,7 @@ defer condition = ${perl{unseen}{GREYKEY}{1d}} … \end{verbatim} -\end{exampleblock} +\end{block} \end{frame} diff -r 234207b61f7c -r 0f80f11be279 frames/routing.tex 
--- a/frames/routing.tex Fri May 09 13:36:29 2014 +0200
+++ b/frames/routing.tex Fri May 09 16:55:18 2014 +0200
@@ -36,8 +36,8 @@
 host example.com [2606:2800:220:6d:26bf:1447:1097:aa7]
 host example.com [93.184.216.119]
 \pause
-\begin{scriptsize}
+\scriptsize{
 \input{routingremote.tt}
-\end{scriptsize}
+}
 \end{alltt}
 \end{frame}
diff -r 234207b61f7c -r 0f80f11be279 frames/smart.tex
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/frames/smart.tex Fri May 09 16:55:18 2014 +0200
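Review bot: `\scriptsize{` with the matching `}` two lines later reads as a command taking an argument, but `\scriptsize` is a declaration that stays in force until the enclosing group closes; the brace only opens a separate group after the size has already changed. Inside this `alltt` the result is the same as the removed `\begin{scriptsize}` block because `\end{alltt}` follows immediately, so this is a style point rather than a rendering bug. The idiom that actually scopes the size to the input is `{\scriptsize \input{routingremote.tt}}`. The enclosing `frame` starts outside the hunk.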
@@ -0,0 +1,92 @@
+\subsection{Viele Smarthosts}
+
+\begin{frame}[<+->][fragile]{Beispiel}{Smarthost - Vorversuche}
+\begin{block}{Aufgabe}
+Wir haben mehrere Smarthosts und müssen je nach Sender-Adresse über
+einen anderen Smarthost versenden.
+\end{block}
+\begin{scriptsize}
+\verbatiminput{smart-config/smarthosts.example}
+\end{scriptsize}
+\begin{block}{Lösung}
+Wir müssen beim Routing die Sender-Adresse als Kriterium verwenden, nicht die Zieladresse!
+\begin{alltt}
+ $ exim -be\pause
+ > $\{lookup\{foo@example.org\}lsearch*@\{smarthosts\}\{$value\}\}
+ smtp.km21.com km433221 zecrit\pause
+ > $\{sg\{smtp.km21.com km433221 zecrit\}\{\BS\BS{}s+\}\{\BS{}t\}\}
+ smtp.km21.com km433221 secrit\pause
+ > $\{extract\{1\}\{\BS{}t\}\{smtp.km21.com km433221 secrit\}\}
+ smtp.km21.com\pause
+\pause
+\end{alltt}
+\end{block}
+\end{frame}
+
+\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Config}
+Das kann jetzt schön in Macros verpackt werden, damit es übersichtlich
+wird:
+\begin{verbatim}
+ ADDRESS_DATA = ${lookup{foo@example.org}\
+ lsearch*@{smarthosts}\
+ {${sg{$value}{\\s+}{\t}}}}
+ SMARTHOST = ${extract{1}{\t}{$address_data}}
+ USER = ${extract{2}{\t}{$address_data}}
+ PASS = ${extract{3}{\t}{$address_data}}
+\end{verbatim}
+\end{frame}
+
+\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Config 2}
+\begin{small}
+\begin{verbatim}
+ begin routers
+
+ smarthosts:
+ driver = manualroute
+ address_data = ADDRESS_DATA
+ route_data = SMARTHOST
+ transport = smtpa
+ no_more
+
+ begin transports
+
+ smtpa:
+ driver = smtp
+ port = submission
+ hosts_require_auth = *
+
+ begin authenticators
+
+ plain:
+ driver = plaintext
+ public_name = PLAIN
+ client_send = ^USER^PASS
+\end{verbatim}
+\end{small}
+\end{frame}
+
+\begin{frame}[<+->][fragile]{Beispiel}{Viele Smarthosts - Test}
+Das Routing können wir wieder relativ einfach testen:
+\pause
+\begin{alltt}
+$ exim -f hans@example.com -t nobody@discworld.com
+nobody@discworld.com
+ router = smarthosts, 
transport = smtpa
+ host mx.freenet.de [2001:748:100:40::8:112] port=25
+ host mx.freenet.de [195.4.92.212] port=25
+\pause
+$ exim -f fred@example.com -t …
+nobody@nowhere
+ router = smarthosts, transport = smtpa
+ host ssl.schlittermann.de [212.80.235.130]
+\pause
+$ exim -f fred@foobar.com -t …
+nobody@nowhere
+ router = smarthosts, transport = smtpa
+ host smtp.km21.com [54.209.129.218]
+\end{alltt}
+
+Und natürlich haben wir die ganzen Debug-Optionen noch, für
+Expansion, DNS, …
+
+\end{frame}
diff -r 234207b61f7c -r 0f80f11be279 frames/smarthost.tex
--- a/frames/smarthost.tex Fri May 09 13:36:29 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
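Review bot: The `smtpa` transport shown in the "Config 2" frame sets `hosts_require_auth = *` and `port = submission` but no `hosts_require_tls`, so the `plain` authenticator (`client_send = ^USER^PASS`) would send the password taken from the `smarthosts` file to any host that advertises AUTH before STARTTLS, or whenever STARTTLS is unavailable. For an example that readers will copy, the line ` hosts_require_tls = *` next to `hosts_require_auth = *` closes that gap and costs nothing on the slide. The deleted `frames/smarthost.tex` had the same omission in its `smtp_auth` transport, so this is not a regression, just carried over.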
@@ -1,65 +0,0 @@
-\section{Beispiel}
-\subsection{Viele Smarthosts}
-
-\begin{frame}{Beispiel}{Smarthost}
-\begin{block}{Aufgabe}
-Wir haben mehrere Smarthosts und müssen je nach Sender-Adresse über
-einen anderen Smarthost versenden.
-\end{block}
-\begin{scriptsize}
-\verbatiminput{smart-config/smarthosts.example}
-\end{scriptsize}
-
-\begin{block}{Routing}
-Wir müssen beim Routing die Sender-Adresse als Kriterium
-verwenden, nicht die Zieladresse!
-\end{block}
-\end{frame}
-
-
-# some macros to ease the understanding
-ADDRESS_DATA = ${sg{${lookup{$sender_address}lsearch*@{SMARTHOSTS}}}{\\s+}{\t}}
-SMARTHOST = ${extract{1}{\t}{$address_data}}
-USER = ${extract{2}{\t}{$address_data}}
-PASS = ${extract{3}{\t}{$address_data}}
-
-domainlist local_domains = @
-
-begin router
-
-# the first router routes according the sender_address
-smarthosts:
- driver = manualroute
- address_data = ADDRESS_DATA
- route_data = SMARTHOST
- transport = smtp_auth
-
-# in case you don't have a '*' line in your smarthosts file
-
-dnslookup:
- driver = dnslookup
- domains = !+local_domains
- transport = smtp
- no_more
-
-begin transport
-
-smtp_auth:
- driver = smtp
- port = submission
- hosts_require_auth = *
-
-smtp:
- driver = smtp
-
-begin authenticators
-
-plain:
- driver = plaintext
- public_name = PLAIN
- client_send = ^USER^PASS
-
-login:
- driver = plaintext
- public_name = LOGIN
- client_send = :USER:PASS
diff -r 234207b61f7c -r 0f80f11be279 global.conf
--- a/global.conf Fri May 09 13:36:29 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-ALIASES = /etc/aliases
-domainlist local_domains = localhost : @[]
-
-acl_smtp_connect = acl_check_connect
-acl_smtp_rcpt = acl_check_rcpt
-acl_smtp_data = acl_check_data
diff -r 234207b61f7c -r 0f80f11be279 minimal.conf
--- a/minimal.conf Fri May 09 13:36:29 2014 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@ -begin routers - - remote: - driver = dnslookup - domains = !+local_domains - transport = remote_smtp - more = no - - alias: - driver = redirect - require_files = ALIASES - data = ${lookup{$local_part}lsearch{ALIASES}} - - mbox: - driver = accept - check_local_user - transport = mbox - -begin transports - - remote_smtp: - driver = smtp - - mbox: - driver = appendfile - file = /var/mail/$local_part diff -r 234207b61f7c -r 0f80f11be279 mk2014.tex --- a/mk2014.tex Fri May 09 13:36:29 2014 +0200 +++ b/mk2014.tex Fri May 09 16:55:18 2014 +0200 @@ -12,6 +12,7 @@ \author[H. Schlittermann]{Heiko Schlittermann} \institute{schlittermann - internet \& unix support, Dresden} +\newcommand{\BS}{$\backslash$} \newcommand{\B}{$\hookleftarrow$} \newcommand{\ttinput}[1]{% \begin{alltt}% @@ -48,7 +49,9 @@ % \input{frames/acl.tex} % -- Example Emil -\input{frames/emil.tex} +\section{Beispiele} +\input{frames/emig.tex} +\input{frames/smart.tex} % -- Example multiple smarthosts % \input{frames/smarthost.tex} diff -r 234207b61f7c -r 0f80f11be279 routers.conf --- a/routers.conf Fri May 09 13:36:29 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,18 +0,0 @@ - -begin routers - - remote: - driver = dnslookup - domains = !+local_domains - transport = remote_smtp - more = no - - alias: - driver = redirect - require_files = ALIASES - data = ${lookup{$local_part}lsearch{ALIASES}} - - mbox: - driver = accept - check_local_user = yes - transport = local_mbox diff -r 234207b61f7c -r 0f80f11be279 transports.conf --- a/transports.conf Fri May 09 13:36:29 2014 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,8 +0,0 @@ -begin transports - - remote_smtp: - driver = smtp - - local_mbox: - driver = appendfile - file = /var/mail/$local_part
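Review bot: The context comment `% -- Example Emil` now sits directly above the added `\section{Beispiele}` and the `emig.tex`/`smart.tex` inputs while the `\input{frames/emil.tex}` it described is removed, so the comment is stale; `% -- Beispiele: EmiG, viele Smarthosts` would match what follows. `frames/emil.tex` itself appears in the changeset without a content hunk and is no longer input anywhere, and the Makefile's `FRAMES = $(wildcard frames/*tex)` still makes `mk2014.pdf` depend on it, so either delete it or note why it stays. The commented-out `% \input{frames/smarthost.tex}` two lines below now refers to a file this changeset deletes, and could go with it.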