Cyrus22, Virtual Domains and Spam and Virus Free exim4 config

I've spent about four years trying to track down issues to get this
configuration right.  Finally I have solved the one thing that has been
bugging me: messages from the <> "bounce" address from spammers
to random addresses on my cyrus server causing me grief.

The issue is, I believe, that there is a bug in exim4 (which the developers
will not acknowledge as I pissed them off) in the LMTP transport, which
will, I believe, affect every single exim4 system in existence that uses
LMTP to deliver to the mailboxes (cyrus, courier etc.)

This bug stops you from being able to use LMTP for sender-verification,
as anything that is attempted to be delivered (or tested/verified)
returns immediately, and any errors, such as 550 mailbox nonexistent,
are ignored.  The logical result of this is that spammers can send you
email to any address, and it will be accepted by exim4 into its queues,
but then it cannot be delivered!
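
One way to measure the effect described above from the Exim main log, as an added example (not part of the original configuration): it lists messages that were accepted and then failed delivery, by default only those from the <> sender. The log lines, message ids, host addresses and router/transport names are constructed for illustration.

```python
import re

# Constructed sample in Exim mainlog layout ("<=" arrival, "=>" delivery,
# "**" delivery failure). Hosts, ids, router and transport names are made up.
SAMPLE_LOG = """\
2007-03-01 10:15:02 1HMaaa-0004Xy-Qz <= <> H=mx.example.net [192.0.2.10] P=esmtp S=2345
2007-03-01 10:15:03 1HMaaa-0004Xy-Qz ** qwxzy@localhost R=example_router T=example_lmtp: LMTP error after RCPT TO:<qwxzy@localhost>: 550 Mailbox unknown
2007-03-01 10:15:03 1HMaaa-0004Xy-Qz Frozen (delivery error message)
2007-03-01 10:20:11 1HMbbb-0004Yz-Ab <= <> H=mx.example.org [192.0.2.20] P=esmtp S=1800
2007-03-01 10:20:12 1HMbbb-0004Yz-Ab => lkcl@localhost R=example_router T=example_lmtp
2007-03-01 10:20:12 1HMbbb-0004Yz-Ab Completed
2007-03-01 10:31:40 1HMccc-0004Zz-Cd <= someone@example.com H=mx.example.com [192.0.2.30] P=esmtp S=900
2007-03-01 10:31:41 1HMccc-0004Zz-Cd ** typo@localhost: Unrouteable address
"""

# date, time, message id, flag, first address, remainder of the line
LINE = re.compile(
    r"^\S+ \S+ (?P<id>\w{6}-\w{6}-\w{2}) (?P<flag><=|=>|\*\*|==) "
    r"(?P<addr>\S+)(?P<rest>.*)$"
)

def undeliverable_after_accept(log_text, null_sender_only=True):
    """Return (message id, failed recipient, sending host) for each message
    that was accepted at SMTP time and later failed delivery."""
    sender, host, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "Frozen", "Completed" and other non-flag lines
        mid, flag, addr = m["id"], m["flag"], m["addr"]
        if flag == "<=":
            # Arrival line: remember envelope sender and peer address.
            sender[mid] = addr
            h = re.search(r"\[([0-9a-fA-F.:]+)\]", m["rest"])
            host[mid] = h.group(1) if h else None
        elif flag == "**" and mid in sender:
            if null_sender_only and sender[mid] != "<>":
                continue
            findings.append((mid, addr.rstrip(":"), host[mid]))
    return findings

if __name__ == "__main__":
    for mid, rcpt, peer in undeliverable_after_accept(SAMPLE_LOG):
        print(f"{mid}: accepted from {peer} for {rcpt}, then undeliverable")
```

A non-empty result on a live log means recipients are not being checked at RCPT time; once rejection happens during the SMTP session these entries stop appearing.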

Finally, with the excellent 'virtual domains' concept, by steve
I moved even my main domain lkcl.net into this, and made the exim4
"standard" configuration responsible only for localhost.  Any email addresses
e.g. lkcl@lkcl.net are now listed as entries "lkcl: lkcl@localhost" which
is the only way that email will get into the cyrus22 server - addresses
to localhost.

Now, I have had to create entries for postmaster: postmaster@localhost
as well, and root, and webmaster, which is a bit of a pain, but there you go.
But it's still... it's the last irritating thing that I've had to fix.

The rest of my configuration is a probably-quite-extreme-and-probably-broken
sa-exim setup, with spam settings so extremely low that virtually nothing
gets through.  Certainly, it's pretty hit-and-miss as to whether hotmail
users, with their insistence on sending HTML by default, will get through
spamassassin (which has both razor and pyzor _and_ dcc _and_ clamav
to back it up).

Razor and Pyzor are very good distributed real-time spam checking programs.
DCC is a fuzzy spam checker that I found randomly and thought it might
be nice to try.  I added the testmsg-whitelist which I found on the
dcc client web site, because treating test messages as spam is kinda
rude.

Exim4 with anti-virus was easy because I'm using exim4 4.64: see
main/20_clamav and also see acl/40_exim4-config-check-data near the end,
at the 'This message contains a virus:....' message.  This is absolutely
brilliant because the only opportunity to correctly inform people that
they have a virus on their system is at MTA time.  Anything else (sending
to the 'From:' address after receiving the email) is risky, and you
shouldn't do it, as you can pretty much guarantee that the address is
going to be faked up.

Also, I installed greylistd.  greylistd for debian has a script
that automatically reconfigures the ACLs in your exim4 config to make
it do greylisting.  Unfortunately, there's a bug in the maintainer's
config, which turns off greylisting for anything that comes from <>
which is the key source of problems that I earlier encountered.

Of course, it's very _sensible_ to disable greylisting for <>
addresses (if you do not properly distinguish where the incoming
message should be sent) because if you get two servers doing
sender-verification using the <> "bounce" address, you end up
in a 'please try later' bun-fight over which nobody wins... :)

But here's the thing: only local mailboxes should be told
'please try later', whereas messages which are forwarded on to another
SMTP server should not be rejected at this stage.

So, I commented out the '!senders = :' line in acl/30_exim4-config_check_rcpt
and I hope like hell it was the right thing to do :)

Overall, this is an extremely sophisticated setup, where, especially
since I installed dcc, I am literally receiving no spam whatsoever.
Prior to dcc being in the mix, I would occasionally get three to four
spam messages in one go, every few days.

At the moment, I'm receiving about 1,500 spam and virus delivery attempts
per day: with the combination of dcc, pyzor, razor, spamassassin,
greylisting and clamav, absolutely none of them get through.

Here are the exim4 config files