[exim-config] / base.m4

### -*-m4-*-
###
### Basic settings for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Global settings.

SECTION(global, priv)m4_dnl
prod_requires_admin = false

SECTION(global, logging)m4_dnl
log_file_path = : syslog
log_selector = \
	+smtp_confirmation \
	+tls_peerdn
log_timezone = true
syslog_duplication = false
syslog_timestamp = false

SECTION(global, daemon)m4_dnl
local_interfaces = <; CONF_interfaces
extra_local_interfaces = <; 0.0.0.0 ; ::

SECTION(global, resource)m4_dnl
deliver_queue_load_max = 8
queue_only_load = 12
smtp_accept_max = 16
smtp_accept_queue = 32
smtp_accept_reserve = 4
smtp_load_reserve = 10
smtp_reserve_hosts = +trusted

SECTION(global, policy)m4_dnl
host_lookup = *

SECTION(global, users)m4_dnl
gecos_name = $1
gecos_pattern = ([^,:]*)

SECTION(global, incoming)m4_dnl
received_header_text = Received: \
	${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
	     {${if def:sender_ident \
		   {from ${quote_local_part:$sender_ident} }}\
	      ${if def:sender_helo_name \
		   {(helo=$sender_helo_name)\n\t}}}}\
	by $primary_hostname \
	${if def:received_protocol \
	     {with $received_protocol \
	      ${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
	(Exim $version_number)\n\t\
	${if def:sender_address \
	     {(envelope-from <$sender_address>\
	      ${if def:authenticated_id \
		   {; auth=$authenticated_id}})\n\t}}\
	id $message_exim_id\
	${if def:received_for {\n\tfor $received_for}}

SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true

SECTION(global, process)m4_dnl
extract_addresses_remove_arguments = false
headers_charset = utf-8
qualify_domain = CONF_master_domain

SECTION(global, bounce)m4_dnl
delay_warning = 1h : 24h : 2d

DIVERT(null)
###--------------------------------------------------------------------------
### Access control lists.

SECTION(global, acl-after)
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
	require	 message = The other one has bells on
		 verify = helo

	accept

SECTION(global, acl)m4_dnl
acl_smtp_mail = mail
SECTION(acl, mail)m4_dnl
mail:

	## Always allow the empty sender, so that we can receive bounces.
	accept	 senders = :

	## Ensure that the sender is routable.  This is important to prevent
	## undeliverable bounces.
	require	 message = Invalid sender; \
			($sender_verify_failure; $acl_verify_message)
		 verify = sender

	## If this is directly from a client then hack on it for a while.
	warn	 condition = ${if eq{$acl_c_mode}{submission}}
		 control = submission

SECTION(acl, mail-tail)m4_dnl
	## And we're done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
connect:
SECTION(acl, connect-tail)m4_dnl
	warn	 acl = check_submission
	accept

check_submission:
	## See whether this message needs hacking on.
	accept	!hosts = +localnet
		!condition = ${if ={$received_port}{CONF_submission_port}}
		 set acl_c_mode = relay

	## Remember to apply submission controls.
	warn	 set acl_c_mode = submission

	## Done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_rcpt = rcpt
SECTION(acl, rcpt)m4_dnl
rcpt:

	## Reject if the client isn't allowed to relay and the recipient
	## isn't in one of our known domains.
	deny	 message = Relaying not permitted
		!hosts = CONF_relay_clients
		!authenticated = *
		!domains = +known

	## Ensure that the recipient is routable.
	require	 message = Invalid recipient \
			($recipient_verify_failure; $acl_verify_message)
		 verify = recipient

SECTION(acl, rcpt-tail)m4_dnl
	## Everything checks out OK: let this one go through.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:

SECTION(acl, data-tail)m4_dnl
	accept

SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
SECTION(acl)m4_dnl
expn_vrfy:
	accept	 hosts = +trusted
	deny	 message = Suck it and see

DIVERT(null)
###--------------------------------------------------------------------------
### Common options for forwarding routers.

## We're pretty permissive here.
m4_define(<:FILTER_BASE:>,
	<:driver = redirect
	modemask = 002
	check_owner = false
	check_group = false
	allow_filter = true
	allow_defer = true
	allow_fail = true
	forbid_blackhole = false
	check_ancestor = true:>)

## Common options for forwarding routers at verification time.
m4_define(<:FILTER_VERIFY:>,
	<:verify_only = true
	user = CONF_filter_user
	forbid_filter_dlfunc = true
	forbid_filter_logwrite = true
	forbid_filter_perl = true
	forbid_filter_readsocket = true
	forbid_filter_run = true
	file_transport = dummy
	directory_transport = dummy
	pipe_transport = dummy
	reply_transport = dummy:>)

## Transports for redirection filters.
m4_define(<:FILTER_TRANSPORTS:>,
	<:file_transport = mailbox
	directory_transport = maildir
	pipe_transport = pipe
	reply_transport = reply:>)

DIVERT(null)
###--------------------------------------------------------------------------
### Some standard transports.

m4_define(<:USER_DELIVERY:>,
	<:delivery_date_add = true
	envelope_to_add = true
	return_path_add = true:>)

SECTION(transports)m4_dnl
## A standard transport for remote delivery.  Try to do TLS, and don't worry
## too much if it's not very secure: the alternative is sending in plaintext
## anyway.
smtp:
	driver = smtp
	tls_require_ciphers = CONF_acceptable_ciphers
	tls_dh_min_bits = 1020
	tls_tempfail_tryclear = true

## Transport to a local SMTP server; use TLS and perform client
## authentication.
smtp_local:
	driver = smtp
	hosts_require_tls = *
	tls_certificate = CONF_sysconf_dir/client.cert
	tls_privatekey = CONF_sysconf_dir/client.key
	tls_verify_certificates = CONF_ca_dir/ca.cert
	tls_require_ciphers = CONF_good_ciphers
	tls_dh_min_bits = 3070
	tls_tempfail_tryclear = false
	authenticated_sender = ${if def:authenticated_id \
				    ${authenticated_id@CONF_master_domain} \
				    fail}

## A standard transport for local delivery.
deliver:
	driver = appendfile
	file = /var/mail/$local_part
	USER_DELIVERY

## Transports for user filters.
mailbox:
	driver = appendfile
	USER_DELIVERY

maildir:
	driver = appendfile
	maildir_format = true
	USER_DELIVERY

pipe:
	driver = pipe
	return_output = true

## A special dummy transport for use during address verification.
dummy:
	driver = appendfile
	file = /dev/null

DIVERT(null)
###--------------------------------------------------------------------------
### Retry configuration.

SECTION(retry, default)m4_dnl
## Default.
*					* \
	F,2h,15m; G,16h,2h,1.5; F,4d,6h

DIVERT(null)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Basic settings for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Global settings.
	26
	27	SECTION(global, priv)m4_dnl
	28	prod_requires_admin = false
	29
	30	SECTION(global, logging)m4_dnl
	31	log_file_path = : syslog
	32	log_selector = \
	33	+smtp_confirmation \
	34	+tls_peerdn
	35	log_timezone = true
	36	syslog_duplication = false
	37	syslog_timestamp = false
	38
	39	SECTION(global, daemon)m4_dnl
	40	local_interfaces = <; CONF_interfaces
	41	extra_local_interfaces = <; 0.0.0.0 ; ::
	42
	43	SECTION(global, resource)m4_dnl
	44	deliver_queue_load_max = 8
	45	queue_only_load = 12
	46	smtp_accept_max = 16
	47	smtp_accept_queue = 32
	48	smtp_accept_reserve = 4
	49	smtp_load_reserve = 10
	50	smtp_reserve_hosts = +trusted
	51
	52	SECTION(global, policy)m4_dnl
	53	host_lookup = *
	54
	55	SECTION(global, users)m4_dnl
	56	gecos_name = $1
	57	gecos_pattern = ([^,:]*)
	58
	59	SECTION(global, incoming)m4_dnl
	60	received_header_text = Received: \
	61	${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
	62	{${if def:sender_ident \
	63	{from ${quote_local_part:$sender_ident} }}\
	64	${if def:sender_helo_name \
65	{(helo=$sender_helo_name)\n\t}}}}\
66	by $primary_hostname \
67	${if def:received_protocol \
68	{with $received_protocol \
69	${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
70	(Exim $version_number)\n\t\
71	${if def:sender_address \
72	{(envelope-from <$sender_address>\
73	${if def:authenticated_id \
74	{; auth=$authenticated_id}})\n\t}}\
75	id $message_exim_id\
76	${if def:received_for {\n\tfor $received_for}}
77
78	SECTION(global, smtp)m4_dnl
79	smtp_return_error_details = true
80	accept_8bitmime = true
81
82	SECTION(global, process)m4_dnl
83	extract_addresses_remove_arguments = false
84	headers_charset = utf-8
85	qualify_domain = CONF_master_domain
86
87	SECTION(global, bounce)m4_dnl
88	delay_warning = 1h : 24h : 2d
89
90	DIVERT(null)
91	###--------------------------------------------------------------------------
92	### Access control lists.
93
94	SECTION(global, acl-after)
95	SECTION(global, acl)m4_dnl
96	acl_smtp_helo = helo
97	SECTION(acl, misc)m4_dnl
98	helo:
99	require message = The other one has bells on
100	verify = helo
101
102	accept
103
104	SECTION(global, acl)m4_dnl
105	acl_smtp_mail = mail
106	SECTION(acl, mail)m4_dnl
107	mail:
108
109	## Always allow the empty sender, so that we can receive bounces.
110	accept senders = :
111
112	## Ensure that the sender is routable. This is important to prevent
113	## undeliverable bounces.
114	require message = Invalid sender; \
115	($sender_verify_failure; $acl_verify_message)
116	verify = sender
117
118	## If this is directly from a client then hack on it for a while.
119	warn condition = ${if eq{$acl_c_mode}{submission}}
120	control = submission
121
122	SECTION(acl, mail-tail)m4_dnl
123	## And we're done.
124	accept
125
126	SECTION(global, acl)m4_dnl
127	acl_smtp_connect = connect
128	SECTION(acl, connect)m4_dnl
129	connect:
130	SECTION(acl, connect-tail)m4_dnl
131	warn acl = check_submission
132	accept
133
134	check_submission:
135	## See whether this message needs hacking on.
136	accept !hosts = +localnet
137	!condition = ${if ={$received_port}{CONF_submission_port}}
138	set acl_c_mode = relay
139
140	## Remember to apply submission controls.
141	warn set acl_c_mode = submission
142
143	## Done.
144	accept
145
146	SECTION(global, acl)m4_dnl
147	acl_smtp_rcpt = rcpt
148	SECTION(acl, rcpt)m4_dnl
149	rcpt:
150
151	## Reject if the client isn't allowed to relay and the recipient
152	## isn't in one of our known domains.
153	deny message = Relaying not permitted
154	!hosts = CONF_relay_clients
155	!authenticated = *
156	!domains = +known
157
158	## Ensure that the recipient is routable.
159	require message = Invalid recipient \
160	($recipient_verify_failure; $acl_verify_message)
161	verify = recipient
162
163	SECTION(acl, rcpt-tail)m4_dnl
164	## Everything checks out OK: let this one go through.
165	accept
166
167	SECTION(global, acl)m4_dnl
168	acl_smtp_data = data
169	SECTION(acl, data)m4_dnl
170	data:
171
172	SECTION(acl, data-tail)m4_dnl
173	accept
174
175	SECTION(global, acl)m4_dnl
176	acl_smtp_expn = expn_vrfy
177	acl_smtp_vrfy = expn_vrfy
178	SECTION(acl)m4_dnl
179	expn_vrfy:
180	accept hosts = +trusted
181	deny message = Suck it and see
182
183	DIVERT(null)
184	###--------------------------------------------------------------------------
185	### Common options for forwarding routers.
186
187	## We're pretty permissive here.
188	m4_define(<:FILTER_BASE:>,
189	<:driver = redirect
190	modemask = 002
191	check_owner = false
192	check_group = false
193	allow_filter = true
194	allow_defer = true
195	allow_fail = true
196	forbid_blackhole = false
197	check_ancestor = true:>)
198
199	## Common options for forwarding routers at verification time.
200	m4_define(<:FILTER_VERIFY:>,
201	<:verify_only = true
202	user = CONF_filter_user
203	forbid_filter_dlfunc = true
204	forbid_filter_logwrite = true
205	forbid_filter_perl = true
206	forbid_filter_readsocket = true
207	forbid_filter_run = true
208	file_transport = dummy
209	directory_transport = dummy
210	pipe_transport = dummy
211	reply_transport = dummy:>)
212
213	## Transports for redirection filters.
214	m4_define(<:FILTER_TRANSPORTS:>,
215	<:file_transport = mailbox
216	directory_transport = maildir
217	pipe_transport = pipe
218	reply_transport = reply:>)
219
220	DIVERT(null)
221	###--------------------------------------------------------------------------
222	### Some standard transports.
223
224	m4_define(<:USER_DELIVERY:>,
225	<:delivery_date_add = true
226	envelope_to_add = true
227	return_path_add = true:>)
228
229	SECTION(transports)m4_dnl
230	## A standard transport for remote delivery. Try to do TLS, and don't worry
231	## too much if it's not very secure: the alternative is sending in plaintext
232	## anyway.
233	smtp:
234	driver = smtp
235	tls_require_ciphers = CONF_acceptable_ciphers
236	tls_dh_min_bits = 1020
237	tls_tempfail_tryclear = true
238
239	## Transport to a local SMTP server; use TLS and perform client
240	## authentication.
241	smtp_local:
242	driver = smtp
243	hosts_require_tls = *
244	tls_certificate = CONF_sysconf_dir/client.cert
245	tls_privatekey = CONF_sysconf_dir/client.key
246	tls_verify_certificates = CONF_ca_dir/ca.cert
247	tls_require_ciphers = CONF_good_ciphers
248	tls_dh_min_bits = 3070
249	tls_tempfail_tryclear = false
250	authenticated_sender = ${if def:authenticated_id \
251	${authenticated_id@CONF_master_domain} \
252	fail}
253
254	## A standard transport for local delivery.
255	deliver:
256	driver = appendfile
257	file = /var/mail/$local_part
258	USER_DELIVERY
259
260	## Transports for user filters.
261	mailbox:
262	driver = appendfile
263	USER_DELIVERY
264
265	maildir:
266	driver = appendfile
267	maildir_format = true
268	USER_DELIVERY
269
270	pipe:
271	driver = pipe
272	return_output = true
273
274	## A special dummy transport for use during address verification.
275	dummy:
276	driver = appendfile
277	file = /dev/null
278
279	DIVERT(null)
280	###--------------------------------------------------------------------------
281	### Retry configuration.
282
283	SECTION(retry, default)m4_dnl
284	## Default.
285	* * \
286	F,2h,15m; G,16h,2h,1.5; F,4d,6h
287
288	DIVERT(null)
289	###----- That's all, folks --------------------------------------------------