Commit | Line | Data |
---|---|---|
185b5456 MW |
1 | ### -*-m4-*- |
2 | ### | |
3 | ### Basic configuration settings for distorted.org.uk Exim configuration | |
4 | ### | |
5 | ### (c) 2012 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ## Master domain name. Settings made with DEFCONF(name, ...) appear to be referenced as `CONF_name', as `sysdomains' does below. | |
25 | DEFCONF(master_domain, distorted.org.uk) | |
26 | ||
e913c999 | 27 | ## List of home-system mail domain names. This can be empty if we only |
945da4ac | 28 | ## provide service for special-purpose domains. The default is just the master domain. |
e913c999 MW |
29 | DEFCONF(sysdomains, CONF_master_domain) |
30 | ||
945da4ac MW |
31 | ## The magic token for local header names. |
32 | DEFCONF(header_token, Distorted) | |
33 | ||
185b5456 MW |
34 | ## The smarthost for satellite hosts. |
35 | DEFCONF(smarthost, mail.distorted.org.uk) | |
36 | ||
37 | ## The user who runs verification filters. | |
38 | DEFCONF(filter_user, Debian-exim) | |
39 | ||
b1d083dd MW |
40 | ## Administrative groups. NOTE(review): presumably these feed Exim's `admin_groups' and `trusted_groups' options; trusted callers may supply their own envelope sender, so keep membership of `adm' under review. |
41 | DEFCONF(admin_groups, root : adm) | |
e8fc7835 | 42 | DEFCONF(trusted_groups, root : adm) |
b1d083dd | 43 | |
185b5456 | 44 | ## Where the spam filter is: address and port of the spamd service. NOTE(review): message content is handed to this host for scanning, presumably unencrypted -- confirm the path to it is a trusted network. |
75153790 | 45 | DEFCONF(spamd_address, 172.29.199.8) |
185b5456 MW |
46 | DEFCONF(spamd_port, 783) |
47 | ||
48 | ## Default spam limit for incoming mail (multiplied by ten), so 50 corresponds to a score of 5.0. | |
49 | DEFCONF(spam_max, 50) | |
50 | ||
ea823544 MW |
51 | ## Userv stuff for debugging; empty by default. |
52 | DEFCONF(userv_opts, ) | |
53 | ||
185b5456 MW |
54 | ## Which interfaces to listen on: loopback only when MODE is `satellite', every address otherwise. Exim checks for the literal string `::0' |
55 | ## when setting things up: don't use `::', or we'll be tripped up by Linux's | |
56 | ## demented non-`IPV6_V6ONLY' behaviour. | |
57 | DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1, | |
58 | 0.0.0.0 ; ::0)) | |
59 | ||
d411be33 MW |
60 | ## Main and submission port numbers. (This is sometimes tweaked for |
61 | ## testing.) | |
62 | DEFCONF(smtp_port, 25) | |
185b5456 MW |
63 | DEFCONF(submission_port, 587) |
64 | ||
65 | ## Locations of other configuration files. `userconf_dir' is per user (under `$home'). NOTE(review): `dkim_keys_dir' presumably holds DKIM private signing keys -- check it is readable only by the account that signs mail. | |
66 | DEFCONF(sysconf_dir, /etc/mail) | |
67 | DEFCONF(userconf_dir, $home/.mail) | |
68 | DEFCONF(alias_file, /etc/aliases) | |
69 | DEFCONF(ca_dir, /etc/ca) | |
30fee27e | 70 | DEFCONF(dkim_keys_dir, /var/lib/dkim-keys) |
185b5456 MW |
71 | |
72 | ## User address suffix handling: the suffix patterns are `+*' and `-*', and the fixup expansion strips a leading `-' or `+' from `$local_part_suffix'. | |
025eb2ed | 73 | DEFCONF(user_suffix_list, +* : -*) |
185b5456 MW |
74 | DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}}) |
75 | ||
76 | ## Other hosts allowed to relay mail through us. NOTE(review): `+allnets' is presumably a named host list defined elsewhere; every host it matches may relay, so check that its definition covers only our own networks. | |
2f2fc64d | 77 | DEFCONF(relay_clients, <m4_dnl
bd3b3374 | 78 | ; +allnets m4_dnl
2f2fc64d | 79 | ; 172.31.80.8 m4_dnl chiark (VPN)
2f2fc64d | 80 | )
185b5456 | 81 | |
30fee27e | 82 | ## DKIM headers list: presumably the header fields covered by our DKIM signatures. |
1724717c | 83 | ## Surprise! Internal whitespace isn't allowed here. NOTE(review): the value below does have spaces around each `:' -- confirm they are removed before the list is used. |
cc17d19e MW |
84 | DEFCONF(dkim_headers, m4_dnl |
85 | References : In-Reply-To : Subject : To : Date : Message-ID : m4_dnl | |
86 | From : Sender : Reply-To : Cc : m4_dnl | |
87 | Content-Transfer-Encoding : Content-Type : MIME-Version : m4_dnl | |
88 | Content-ID : Content-Description m4_dnl | |
89 | ) | |
30fee27e | 90 | |
1dda4df9 | 91 | ## TLS certificate list. When MODE is neither `hub' nor `srv' this is always `server.certlist' under the system configuration directory; on `hub' and `srv' it is chosen per connection: `server' for the submission port or a sender address in `+trusted', `letsencrypt' otherwise. |
8afec898 MW |
92 | DEFCONF(certlist, |
93 | <:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t), | |
94 | <:CONF_sysconf_dir/server.certlist:>, | |
5013c11c MW |
95 | <:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\ |
96 | {${if match_ip{$sender_host_address}{+trusted} \ | |
97 | {server}{letsencrypt}}}}.certlist:>):>) | |
1dda4df9 | 98 | |
185b5456 MW |
99 | ## TLS-related settings. We're assuming GNUTLS here, rather than OpenSSL: both values below are priority strings that start from `NONE' and add items back. |
100 | ## For local connections we are very strict (presumably `good_ciphers'). For random clients (presumably `acceptable_ciphers'), we try | |
101 | ## fairly hard to encourage any kind of crypto on the grounds that probably nobody can verify our certificate anyway: that list names a few preferred items, then adds the `-ALL' catch-alls and removes only `MD5'. | |
102 | ## NOTE(review): `good_ciphers' enables TLS 1.0 and 1.1 (deprecated by RFC 8996), CBC ciphers and DSA/DSS, and lists no `+VERS-TLS1.3'; confirm the strict list is still the intended floor for local connections. | |
103 | DEFCONF(good_ciphers, NONE<::>m4_dnl | |
b6d74252 | 104 | :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl |
2d3b825d MW |
105 | :+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl |
106 | :+CHACHA20-POLY1305<::>m4_dnl | |
107 | :+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl | |
108 | :+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl | |
109 | :+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl | |
110 | :+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl | |
111 | :+SIGN-DSA-SHA256<::>m4_dnl | |
112 | :+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl | |
185b5456 MW |
113 | :+CTYPE-X.509<::>m4_dnl |
114 | :+COMP-NULL<::>m4_dnl | |
115 | ) | |
2d3b825d | 116 | DEFCONF(acceptable_ciphers, NONE<::>m4_dnl |
09c2d8d8 | 117 | :+VERS-TLS-ALL<::>m4_dnl |
2d3b825d | 118 | :+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl |
09c2d8d8 MW |
119 | :+KX-ALL<::>m4_dnl |
120 | :+SIGN-ALL<::>m4_dnl | |
121 | :+CTYPE-ALL<::>m4_dnl | |
2d3b825d MW |
122 | :+CHACHA20-POLY1305<::>m4_dnl |
123 | :+AES-256-GCM:+AES-128-GCM<::>m4_dnl | |
09c2d8d8 | 124 | :+CIPHER-ALL<::>m4_dnl |
2d3b825d | 125 | :+CURVE-X25519<::>m4_dnl |
09c2d8d8 | 126 | :+CURVE-ALL<::>m4_dnl |
2d3b825d | 127 | :+AEAD<::>m4_dnl |
09c2d8d8 MW |
128 | :+MAC-ALL<::>m4_dnl |
129 | :+COMP-NULL<::>m4_dnl | |
185b5456 MW |
130 | :-MD5<::>m4_dnl |
131 | ) | |
132 | ||
133 | ###----- That's all, folks -------------------------------------------------- |