chiark - git - mdw - exim-config/blob - base.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Basic settings for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Global settings.
  26
  27 SECTION(global, priv)m4_dnl
  28 admin_groups = CONF_admin_groups
  29 prod_requires_admin = false
  30
  31 SECTION(global, logging)m4_dnl
  32 log_file_path = : syslog
  33 log_selector = \
  34         +smtp_confirmation \
  35         +tls_peerdn
  36 log_timezone = true
  37 syslog_duplication = false
  38 syslog_timestamp = false
  39
  40 SECTION(global, daemon)m4_dnl
  41 local_interfaces = <; CONF_interfaces
  42 extra_local_interfaces = <; 0.0.0.0 ; ::
  43
  44 SECTION(global, resource)m4_dnl
  45 deliver_queue_load_max = 8
  46 queue_only_load = 12
  47 smtp_accept_max = 16
  48 smtp_accept_queue = 32
  49 smtp_accept_reserve = 4
  50 smtp_load_reserve = 10
  51 smtp_reserve_hosts = +trusted
  52
  53 SECTION(global, policy)m4_dnl
  54 host_lookup = *
  55
  56 SECTION(global, users)m4_dnl
  57 gecos_name = $1
  58 gecos_pattern = ([^,:]*)
  59
  60 SECTION(global, incoming)m4_dnl
  61 received_header_text = Received: \
  62         ${if def:sender_rcvhost \
  63              {from $sender_rcvhost\
  64               ${if def:sender_helo_name \
  65                    { (helo=$sender_helo_name)}}\n\t} \
  66              {${if def:sender_ident \
  67                    {from ${quote_local_part:$sender_ident} }}}}\
  68         by $primary_hostname \
  69         (Exim $version_number)\
  70         ${if def:tls_cipher {\n\t} { }}\
  71         ${if def:received_protocol \
  72              {with $received_protocol \
  73               ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
  74         ${if def:sender_address \
  75              {(envelope-from $sender_address\
  76               ${if def:authenticated_id \
  77                    {; auth=$authenticated_id}})\n\t}}\
  78         id $message_exim_id\
  79         ${if def:received_for {\n\tfor $received_for}}
  80
  81 SECTION(global, smtp)m4_dnl
  82 smtp_return_error_details = true
  83 accept_8bitmime = true
  84
  85 SECTION(global, process)m4_dnl
  86 extract_addresses_remove_arguments = false
  87 headers_charset = utf-8
  88 qualify_domain = CONF_master_domain
  89
  90 SECTION(global, bounce)m4_dnl
  91 delay_warning = 1h : 24h : 2d
  92
  93 DIVERT(null)
  94 ###--------------------------------------------------------------------------
  95 ### Access control lists.
  96
  97 SECTION(global, acl-after)
  98 SECTION(global, acl)m4_dnl
  99 acl_smtp_helo = helo
 100 SECTION(acl, misc)m4_dnl
 101 helo:
 102         ## Check that the caller's claimed identity is actually plausible.
 103         ## This seems like it's a fairly effective filter on spamminess, but
 104         ## it's too blunt a tool.  Rather than reject, add a warning header.
 105         ## Only we can't do this the easy way, so save it up for use in MAIL.
 106         ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
 107         ## and we should only care about the most recent one.
 108         warn     set acl_c_helo_warning = false
 109                 !condition = \
 110                         ${if exists {CONF_sysconf_dir/helo.conf} \
 111                              {${lookup {$sender_helo_name} \
 112                                        partial0-lsearch \
 113                                        {CONF_sysconf_dir/helo.conf} \
 114                                        {${if match_ip \
 115                                              {$sender_host_address} \
 116                                              {$value}}}}}}
 117                 !verify = helo
 118                  set acl_c_helo_warning = true
 119
 120         accept
 121
 122 SECTION(global, acl)m4_dnl
 123 acl_smtp_mail = mail
 124 SECTION(acl, mail)m4_dnl
 125 mail:
 126
 127         ## If we stashed a warning header about HELO from earlier, we should
 128         ## add it now.
 129         warn     condition = $acl_c_helo_warning
 130                  add_header = :after_received:X-Distorted-Warning: \
 131                         BADHELO \
 132                         Client's HELO doesn't match its IP address.\n\t\
 133                         HELO name = $sender_helo_name, \
 134                         address = $sender_host_address
 135
 136         ## Always allow the empty sender, so that we can receive bounces.
 137         accept   senders = :
 138
 139         ## Ensure that the sender is routable.  This is important to prevent
 140         ## undeliverable bounces.
 141         require  message = Invalid sender; \
 142                         ($sender_verify_failure; $acl_verify_message)
 143                  verify = sender
 144
 145         ## If this is directly from a client then hack on it for a while.
 146         warn     condition = ${if eq{$acl_c_mode}{submission}}
 147                  control = submission
 148
 149 SECTION(acl, mail-tail)m4_dnl
 150         ## And we're done.
 151         accept
 152
 153 SECTION(global, acl)m4_dnl
 154 acl_smtp_connect = connect
 155 SECTION(acl, connect)m4_dnl
 156 connect:
 157 SECTION(acl, connect-tail)m4_dnl
 158         ## Configure variables according to the submission mode.
 159         warn     acl = check_submission
 160
 161         ## Done.
 162         accept
 163
 164 check_submission:
 165         ## See whether this message needs hacking on.
 166         accept  !hosts = +localnet
 167                 !condition = ${if ={$received_port}{CONF_submission_port}}
 168                  set acl_c_mode = relay
 169
 170         ## Remember to apply submission controls.
 171         warn     set acl_c_mode = submission
 172
 173         ## Done.
 174         accept
 175
 176 SECTION(global, acl)m4_dnl
 177 acl_smtp_rcpt = rcpt
 178 SECTION(acl, rcpt)m4_dnl
 179 rcpt:
 180
 181         ## Reject if the client isn't allowed to relay and the recipient
 182         ## isn't in one of our known domains.
 183         deny     message = Relaying not permitted
 184                 !hosts = CONF_relay_clients
 185                 !authenticated = *
 186                 !domains = +known
 187
 188         ## Ensure that the recipient is routable.
 189         require  message = Invalid recipient \
 190                         ($recipient_verify_failure; $acl_verify_message)
 191                  verify = recipient
 192
 193 SECTION(acl, rcpt-tail)m4_dnl
 194         ## Everything checks out OK: let this one go through.
 195         accept
 196
 197 SECTION(global, acl)m4_dnl
 198 acl_smtp_data = data
 199 SECTION(acl, data)m4_dnl
 200 data:
 201
 202 SECTION(acl, data-tail)m4_dnl
 203         accept
 204
 205 SECTION(global, acl)m4_dnl
 206 acl_smtp_expn = expn_vrfy
 207 acl_smtp_vrfy = expn_vrfy
 208 SECTION(acl)m4_dnl
 209 expn_vrfy:
 210         accept   hosts = +trusted
 211         deny     message = Suck it and see
 212
 213 DIVERT(null)
 214 ###--------------------------------------------------------------------------
 215 ### Common options for forwarding routers.
 216
 217 ## We're pretty permissive here.
 218 m4_define(<:FILTER_BASE:>,
 219         <:driver = redirect
 220         modemask = 002
 221         check_owner = false
 222         check_group = false
 223         allow_filter = true
 224         allow_defer = true
 225         allow_fail = true
 226         forbid_blackhole = false
 227         check_ancestor = true:>)
 228
 229 ## Common options for forwarding routers at verification time.
 230 m4_define(<:FILTER_VERIFY:>,
 231         <:verify_only = true
 232         user = CONF_filter_user
 233         forbid_filter_dlfunc = true
 234         forbid_filter_logwrite = true
 235         forbid_filter_perl = true
 236         forbid_filter_readsocket = true
 237         forbid_filter_run = true
 238         file_transport = dummy
 239         directory_transport = dummy
 240         pipe_transport = dummy
 241         reply_transport = dummy:>)
 242
 243 ## Transports for redirection filters.
 244 m4_define(<:FILTER_TRANSPORTS:>,
 245         <:verify = false
 246         file_transport = mailbox
 247         directory_transport = maildir
 248         pipe_transport = pipe
 249         reply_transport = reply:>)
 250
 251 DIVERT(null)
 252 ###--------------------------------------------------------------------------
 253 ### Some standard transports.
 254
 255 m4_define(<:USER_DELIVERY:>,
 256         <:delivery_date_add = true
 257         envelope_to_add = true
 258         return_path_add = true:>)
 259
 260 SECTION(transports)m4_dnl
 261 ## A standard transport for remote delivery.  Try to do TLS, and don't worry
 262 ## too much if it's not very secure: the alternative is sending in plaintext
 263 ## anyway.
 264 smtp:
 265         driver = smtp
 266         tls_require_ciphers = CONF_acceptable_ciphers
 267         tls_dh_min_bits = 1020
 268         tls_tempfail_tryclear = true
 269
 270 ## Transport to a local SMTP server; use TLS and perform client
 271 ## authentication.
 272 smtp_local:
 273         driver = smtp
 274         hosts_require_tls = *
 275         tls_certificate = CONF_sysconf_dir/client.cert
 276         tls_privatekey = CONF_sysconf_dir/client.key
 277         tls_verify_certificates = CONF_ca_dir/ca.cert
 278         tls_require_ciphers = CONF_good_ciphers
 279         tls_dh_min_bits = 2046
 280         tls_tempfail_tryclear = false
 281         authenticated_sender = ${if def:authenticated_id \
 282                                     {$authenticated_id@CONF_master_domain} \
 283                                     fail}
 284
 285 ## A standard transport for local delivery.
 286 deliver:
 287         driver = appendfile
 288         file = /var/mail/$local_part
 289         group = mail
 290         mode = 0600
 291         mode_fail_narrower = false
 292         USER_DELIVERY
 293
 294 ## Transports for user filters.
 295 mailbox:
 296         driver = appendfile
 297         initgroups = true
 298         USER_DELIVERY
 299
 300 maildir:
 301         driver = appendfile
 302         maildir_format = true
 303         initgroups = true
 304         USER_DELIVERY
 305
 306 pipe:
 307         driver = pipe
 308         path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
 309                 /usr/local/bin:/usr/local/sbin:\
 310                 /usr/bin:/usr/sbin:/bin:/sbin
 311         initgroups = true
 312         umask = 002
 313         return_fail_output = true
 314         log_output = true
 315
 316 ## A special dummy transport for use during address verification.
 317 dummy:
 318         driver = appendfile
 319         file = /dev/null
 320
 321 DIVERT(null)
 322 ###--------------------------------------------------------------------------
 323 ### Retry configuration.
 324
 325 SECTION(retry, default)m4_dnl
 326 ## Default.
 327 *                                       * \
 328         F,2h,15m; G,16h,2h,1.5; F,4d,6h
 329
 330 DIVERT(null)
 331 ###----- That's all, folks --------------------------------------------------