3 ### Basic settings for distorted.org.uk Exim configuration
5 ### (c) 2012 Mark Wooding
8 ###----- Licensing notice ---------------------------------------------------
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 ###--------------------------------------------------------------------------
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 trusted_groups = CONF_trusted_groups
30 prod_requires_admin = false
32 SECTION(global, logging)m4_dnl
33 log_file_path = : syslog
38 syslog_duplication = false
39 syslog_timestamp = false
41 SECTION(global, daemon)m4_dnl
42 local_interfaces = <; CONF_interfaces
43 extra_local_interfaces = <; 0.0.0.0 ; ::0
45 SECTION(global, resource)m4_dnl
46 deliver_queue_load_max = 8
49 smtp_accept_queue = 32
50 smtp_accept_reserve = 4
51 smtp_load_reserve = 10
52 smtp_reserve_hosts = +trusted
54 SECTION(global, policy)m4_dnl
57 SECTION(global, users)m4_dnl
59 gecos_pattern = ([^,:]*)
61 SECTION(global, incoming)m4_dnl
62 received_header_text = Received: \
63 ${if def:sender_rcvhost \
64 {from $sender_rcvhost\n\t} \
65 {${if def:sender_ident \
66 {from ${quote_local_part:$sender_ident} }}}}\
67 by $primary_hostname \
68 (Exim $version_number)\
69 ${if def:tls_cipher {\n\t} { }}\
70 ${if def:received_protocol \
71 {with $received_protocol \
72 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
73 ${if def:sender_address \
74 {(envelope-from $sender_address\
75 ${if def:authenticated_id \
76 {; auth=$authenticated_id}})\n\t}}\
78 ${if def:received_for {\n\tfor $received_for}}
80 SECTION(global, smtp)m4_dnl
81 smtp_return_error_details = true
82 accept_8bitmime = true
84 SECTION(global, process)m4_dnl
85 extract_addresses_remove_arguments = false
86 headers_charset = utf-8
87 qualify_domain = CONF_master_domain
88 untrusted_set_sender = *
90 SECTION(global, bounce)m4_dnl
91 delay_warning = 1h : 24h : 2d
93 SECTION(global, tls)m4_dnl
94 tls_certificate = CONF_sysconf_dir/server.certlist
95 tls_privatekey = CONF_sysconf_dir/server.key
96 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
97 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
98 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
99 {match_ip {$sender_host_address}{+trusted}}} \
100 {CONF_good_ciphers} \
101 {CONF_acceptable_ciphers}}
102 tls_verify_certificates = CONF_ca_dir/ca.cert
103 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
106 ###--------------------------------------------------------------------------
107 ### Access control lists.
109 SECTION(global, acl-after)
110 SECTION(global, acl)m4_dnl
112 SECTION(acl, misc)m4_dnl
114 ## Check that the caller's claimed identity is actually plausible.
115 ## This seems like it's a fairly effective filter on spamminess, but
116 ## it's too blunt a tool. Rather than reject, add a warning header.
117 ## Only we can't do this the easy way, so save it up for use in MAIL.
118 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
119 ## and we should only care about the most recent one.
120 warn set acl_c_helo_warning = false
122 ${if and {{match_ip {$sender_host_address} \
123 {<; 127.0.0.0/8 ; ::1}} \
124 {match_domain {$sender_helo_name} \
125 {localhost : +thishost}}}}
127 ${if exists {CONF_sysconf_dir/helo.conf} \
128 {${lookup {$sender_helo_name} \
130 {CONF_sysconf_dir/helo.conf} \
132 {$sender_host_address} \
135 set acl_c_helo_warning = true
139 SECTION(global, acl)m4_dnl
140 acl_not_smtp_start = not_smtp_start
141 SECTION(acl, misc)m4_dnl
143 ## Record the user's name.
144 warn set acl_c_user = $sender_ident
149 SECTION(global, acl)m4_dnl
151 SECTION(acl, mail)m4_dnl
154 ## If we stashed a warning header about HELO from earlier, we should
156 warn condition = $acl_c_helo_warning
157 add_header = :after_received:X-Distorted-Warning: \
159 Client's HELO doesn't match its IP address.\n\t\
160 helo-name=$sender_helo_name \
161 address=$sender_host_address
163 ## Always allow the empty sender, so that we can receive bounces.
166 ## Ensure that the sender looks valid.
167 require acl = mail_check_sender
169 ## If this is directly from a client then hack on it for a while.
170 warn condition = ${if eq{$acl_c_mode}{submission}}
171 control = submission/sender_retain
173 ## Insist that a local client connect through TLS.
174 deny message = Hosts within CONF_master_domain must use TLS
175 !condition = ${if eq{$acl_c_mode}{submission}}
179 ## Check that a submitted message's sender address is allowable.
180 require acl = mail_check_auth
182 SECTION(acl, mail-tail)m4_dnl
186 SECTION(acl, misc)m4_dnl
189 ## See whether there's a special exception for this sender domain.
190 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
191 {KV(senders, {$value}{})},
194 ## Ensure that the sender is routable. This is important to prevent
195 ## undeliverable bounces.
196 require message = Invalid sender; \
197 ($sender_verify_failure; $acl_verify_message)
203 SECTION(global, acl)m4_dnl
204 acl_smtp_connect = connect
205 SECTION(acl, connect)m4_dnl
207 SECTION(acl, connect-tail)m4_dnl
208 ## Configure variables according to the submission mode.
209 warn acl = check_submission
215 ## See whether this message needs hacking on.
216 accept !hosts = +thishost
217 !condition = ${if ={$received_port}{CONF_submission_port}}
218 set acl_c_mode = relay
220 ## Remember to apply submission controls.
221 warn set acl_c_mode = submission
226 SECTION(global, acl)m4_dnl
228 SECTION(acl, rcpt)m4_dnl
231 ## Reject if the client isn't allowed to relay and the recipient
232 ## isn't in one of our known domains.
233 require message = Relaying not permitted
236 ## Ensure that the recipient is routable.
237 require message = Invalid recipient \
238 ($recipient_verify_failure; $acl_verify_message)
241 SECTION(acl, misc)m4_dnl
243 ## Accept either if the client is allowed to relay through us, or if
244 ## we're the correct place to send this mail.
246 ## Known clients and authenticated users are OK.
247 accept hosts = CONF_relay_clients
248 accept authenticated = *
250 ## Known domains are OK.
251 accept domains = +public
253 ## Finally, domains in our table are OK, unless they say they aren't.
255 ${if exists{CONF_sysconf_dir/domains.conf} \
256 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
257 condition = DOMKV(service, {$value}{true})
259 ## Nope, that's not allowed.
262 SECTION(acl, rcpt-tail)m4_dnl
263 ## Everything checks out OK: let this one go through.
266 SECTION(global, acl)m4_dnl
268 SECTION(acl, data)m4_dnl
271 SECTION(acl, data-tail)m4_dnl
274 SECTION(global, acl)m4_dnl
275 acl_smtp_expn = expn_vrfy
276 acl_smtp_vrfy = expn_vrfy
277 SECTION(acl, misc)m4_dnl
279 accept hosts = +trusted
280 deny message = Suck it and see
283 ###--------------------------------------------------------------------------
284 ### Verification of sender address.
286 SECTION(acl, misc)m4_dnl
289 ## If this isn't a submission then it doesn't need checking.
290 accept condition = ${if !eq{$acl_c_mode}{submission}}
292 ## If the caller hasn't formally authenticated, but this is a
293 ## loopback connection, then we can trust identd to tell us the right
294 ## answer. So we should stash the right name somewhere consistent.
295 warn set acl_c_user = $authenticated_id
298 condition = ${if def:sender_ident}
299 set acl_c_user = $sender_ident
301 ## User must be authenticated by now.
302 deny message = Sender not authenticated
303 condition = ${if !def:acl_c_user}
309 ###--------------------------------------------------------------------------
310 ### Common options for forwarding routers.
312 ## We're pretty permissive here.
313 m4_define(<:FILTER_BASE:>,
321 forbid_blackhole = false
322 check_ancestor = true:>)
324 ## Common options for forwarding routers at verification time.
325 m4_define(<:FILTER_VERIFY:>,
327 user = CONF_filter_user
328 forbid_filter_dlfunc = true
329 forbid_filter_logwrite = true
330 forbid_filter_perl = true
331 forbid_filter_readsocket = true
332 forbid_filter_run = true
333 file_transport = dummy
334 directory_transport = dummy
335 pipe_transport = dummy
336 reply_transport = dummy:>)
338 ## Transports for redirection filters.
339 m4_define(<:FILTER_TRANSPORTS:>,
340 <:file_transport = mailbox
341 directory_transport = maildir
342 pipe_transport = pipe
343 reply_transport = reply:>)
345 m4_define(<:FILTER_ROUTER:>,
352 FILTER_TRANSPORTS<::>$4:>)
355 ###--------------------------------------------------------------------------
358 SECTION(routers, alias)m4_dnl
359 ## Look up the local part in the address map.
364 user = CONF_filter_user
366 local_parts = nwildlsearch; CONF_alias_file
367 data = ${expand:$local_part_data}
368 SECTION(routers, alias-opts)m4_dnl
371 ###--------------------------------------------------------------------------
372 ### Some standard transports.
374 m4_define(<:USER_DELIVERY:>,
375 <:delivery_date_add = true
376 envelope_to_add = true
377 return_path_add = true:>)
379 SECTION(transports)m4_dnl
380 ## A standard transport for remote delivery. By default, try to do TLS, and
381 ## don't worry too much if it's not very secure: the alternative is sending
382 ## in plaintext anyway. But all of this can be overridden from the
383 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
384 ## expanded before use, so we can't set it the obvious way. Instead, encode
385 ## it into the transport name. This is very unpleasant, of course.
388 tls_require_ciphers = CONF_acceptable_ciphers
389 tls_dh_min_bits = 1020
390 tls_tempfail_tryclear = true
392 m4_define(<:SMTP_TRANS_DHBITS:>,
395 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
396 hosts_require_auth = \
397 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
398 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
399 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
400 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
401 tls_require_ciphers = \
403 {${extract {${expand:$value}} \
404 { good = CONF_good_ciphers \
405 any = CONF_acceptable_ciphers } \
407 {${expand:$value}}}} \
408 {CONF_acceptable_ciphers})
410 tls_tempfail_tryclear = true:>)m4_dnl
412 SMTP_TRANS_DHBITS(1020)
414 SMTP_TRANS_DHBITS(2046)
416 ## Transport to a local SMTP server; use TLS and perform client
420 hosts_require_tls = *
421 tls_certificate = CONF_sysconf_dir/client.certlist
422 tls_privatekey = CONF_sysconf_dir/client.key
423 tls_verify_certificates = CONF_ca_dir/ca.cert
424 tls_require_ciphers = CONF_good_ciphers
425 tls_dh_min_bits = 2046
426 tls_tempfail_tryclear = false
427 authenticated_sender = ${if def:authenticated_id \
428 {$authenticated_id@CONF_master_domain} \
431 ## A standard transport for local delivery.
434 file = /var/mail/$local_part
437 mode_fail_narrower = false
440 ## Transports for user filters.
448 maildir_format = true
454 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
455 /usr/local/bin:/usr/local/sbin:\
456 /usr/bin:/usr/sbin:/bin:/sbin
459 return_fail_output = true
462 ## A special dummy transport for use during address verification.
468 ###--------------------------------------------------------------------------
469 ### Retry configuration.
471 SECTION(retry, default)m4_dnl
474 F,2h,15m; G,16h,2h,1.5; F,4d,6h
477 ###----- That's all, folks --------------------------------------------------