[exim-config] / config.m4

### -*-m4-*-
###
### Basic configuration settings for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

## Master domain name.
DEFCONF(master_domain, distorted.org.uk)

## List of home-system mail domain names.  This can be empty if we only
## provide service for special-purpose domains.
DEFCONF(sysdomains, CONF_master_domain)

## The magic token for local header names.
DEFCONF(header_token, Distorted)

## The smarthost for satellite hosts.
DEFCONF(smarthost, mail.distorted.org.uk)

## The user who runs verification filters.
DEFCONF(filter_user, Debian-exim)

## Administrative groups.
DEFCONF(admin_groups, root : adm)
DEFCONF(trusted_groups, root : adm)

## Where the spam filter is.
DEFCONF(spamd_address, 172.29.199.179)
DEFCONF(spamd_port, 783)

## Default spam limit for incoming mail (multiplied by ten).
DEFCONF(spam_max, 50)

## Userv stuff for debugging.
DEFCONF(userv_opts, )

## Which interfaces to listen on.  Exim checks for the literal string `::0'
## when setting things up: don't use `::', or we'll be tripped up by Linux's
## demented non-`IPV6_V6ONLY' behaviour.
DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
			      0.0.0.0 ; ::0))

## Main and submission port numbers.  (This is sometimes tweaked for
## testing.)
DEFCONF(smtp_port, 25)
DEFCONF(submission_port, 587)

## Locations of other configuration files.
DEFCONF(sysconf_dir, /etc/mail)
DEFCONF(userconf_dir, $home/.mail)
DEFCONF(alias_file, /etc/aliases)
DEFCONF(ca_dir, /etc/ca)

## User address suffix handling.
DEFCONF(user_suffix_list, +* : -*)
DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})

## Other hosts allowed to relay mail through us.
DEFCONF(relay_clients, <m4_dnl
; +trusted m4_dnl
; 172.31.80.8 m4_dnl chiark (VPN)
; 172.29.198.161 ; 2001:ba8:1d9:a000::1:1 m4_dnl national
)

## TLS certificate list.
DEFCONF(certlist,
<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
<:CONF_sysconf_dir/server.certlist:>,
<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
			{${if match_ip{$sender_host_address}{+trusted} \
				      {server}{letsencrypt}}}}.certlist:>):>)

## TLS-related settings.  We're assuming GNUTLS here, rather than OpenSSL.
## For local connections we are very strict.  For random clients, we try
## fairly hard to encourage any kind of crypto on the grounds that probably
## nobody can verify our certificate anyway.
DEFCONF(good_ciphers, NONE<::>m4_dnl
:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
:+CHACHA20-POLY1305<::>m4_dnl
:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
:+SIGN-DSA-SHA256<::>m4_dnl
:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
:+CTYPE-X.509<::>m4_dnl
:+COMP-NULL<::>m4_dnl
)
DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
:+VERS-TLS-ALL<::>m4_dnl
:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
:+KX-ALL<::>m4_dnl
:+SIGN-ALL<::>m4_dnl
:+CTYPE-ALL<::>m4_dnl
:+CHACHA20-POLY1305<::>m4_dnl
:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
:+CIPHER-ALL<::>m4_dnl
:+CURVE-X25519<::>m4_dnl
:+CURVE-ALL<::>m4_dnl
:+AEAD<::>m4_dnl
:+MAC-ALL<::>m4_dnl
:+COMP-NULL<::>m4_dnl
:-MD5<::>m4_dnl
)

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Basic configuration settings for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	## Master domain name.
	25	DEFCONF(master_domain, distorted.org.uk)
	26
e913c999	27	## List of home-system mail domain names. This can be empty if we only
945da4ac	28	## provide service for special-purpose domains.
e913c999 MW	29	DEFCONF(sysdomains, CONF_master_domain)
e913c999 MW	30
945da4ac MW	31	## The magic token for local header names.
	32	DEFCONF(header_token, Distorted)
	33
185b5456 MW	34	## The smarthost for satellite hosts.
	35	DEFCONF(smarthost, mail.distorted.org.uk)
	36
	37	## The user who runs verification filters.
	38	DEFCONF(filter_user, Debian-exim)
	39
b1d083dd MW	40	## Administrative groups.
b1d083dd MW	41	DEFCONF(admin_groups, root : adm)
e8fc7835	42	DEFCONF(trusted_groups, root : adm)
b1d083dd	43
185b5456 MW	44	## Where the spam filter is.
	45	DEFCONF(spamd_address, 172.29.199.179)
	46	DEFCONF(spamd_port, 783)
	47
	48	## Default spam limit for incoming mail (multiplied by ten).
	49	DEFCONF(spam_max, 50)
	50
ea823544 MW	51	## Userv stuff for debugging.
	52	DEFCONF(userv_opts, )
	53
185b5456 MW	54	## Which interfaces to listen on. Exim checks for the literal string `::0'
	55	## when setting things up: don't use `::', or we'll be tripped up by Linux's
	56	## demented non-`IPV6_V6ONLY' behaviour.
	57	DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
	58	0.0.0.0 ; ::0))
	59
d411be33 MW	60	## Main and submission port numbers. (This is sometimes tweaked for
	61	## testing.)
	62	DEFCONF(smtp_port, 25)
185b5456 MW	63	DEFCONF(submission_port, 587)
	64
	65	## Locations of other configuration files.
	66	DEFCONF(sysconf_dir, /etc/mail)
	67	DEFCONF(userconf_dir, $home/.mail)
	68	DEFCONF(alias_file, /etc/aliases)
	69	DEFCONF(ca_dir, /etc/ca)
	70
	71	## User address suffix handling.
025eb2ed	72	DEFCONF(user_suffix_list, +* : -*)
185b5456 MW	73	DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})
	74
	75	## Other hosts allowed to relay mail through us.
2f2fc64d MW	76	DEFCONF(relay_clients, <m4_dnl
	77	; +trusted m4_dnl
	78	; 172.31.80.8 m4_dnl chiark (VPN)
83476109	79	; 172.29.198.161 ; 2001:ba8:1d9:a000::1:1 m4_dnl national
2f2fc64d	80	)
185b5456	81
1dda4df9	82	## TLS certificate list.
8afec898 MW	83	DEFCONF(certlist,
	84	<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
	85	<:CONF_sysconf_dir/server.certlist:>,
5013c11c MW	86	<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
	87	{${if match_ip{$sender_host_address}{+trusted} \
	88	{server}{letsencrypt}}}}.certlist:>):>)
1dda4df9	89
185b5456 MW	90	## TLS-related settings. We're assuming GNUTLS here, rather than OpenSSL.
	91	## For local connections we are very strict. For random clients, we try
	92	## fairly hard to encourage any kind of crypto on the grounds that probably
	93	## nobody can verify our certificate anyway.
	94	DEFCONF(good_ciphers, NONE<::>m4_dnl
b6d74252	95	:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
2d3b825d MW	96	:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
	97	:+CHACHA20-POLY1305<::>m4_dnl
	98	:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
	99	:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
	100	:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
	101	:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
	102	:+SIGN-DSA-SHA256<::>m4_dnl
	103	:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
185b5456 MW	104	:+CTYPE-X.509<::>m4_dnl
	105	:+COMP-NULL<::>m4_dnl
	106	)
2d3b825d	107	DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
09c2d8d8	108	:+VERS-TLS-ALL<::>m4_dnl
2d3b825d	109	:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
09c2d8d8 MW	110	:+KX-ALL<::>m4_dnl
	111	:+SIGN-ALL<::>m4_dnl
	112	:+CTYPE-ALL<::>m4_dnl
2d3b825d MW	113	:+CHACHA20-POLY1305<::>m4_dnl
2d3b825d MW	114	:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
09c2d8d8	115	:+CIPHER-ALL<::>m4_dnl
2d3b825d	116	:+CURVE-X25519<::>m4_dnl
09c2d8d8	117	:+CURVE-ALL<::>m4_dnl
2d3b825d	118	:+AEAD<::>m4_dnl
09c2d8d8 MW	119	:+MAC-ALL<::>m4_dnl
09c2d8d8 MW	120	:+COMP-NULL<::>m4_dnl
185b5456 MW	121	:-MD5<::>m4_dnl
	122	)
	123
	124	###----- That's all, folks --------------------------------------------------