[exim-config] / config.m4

### -*-m4-*-
###
### Basic configuration settings for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

## Master domain name.
DEFCONF(master_domain, distorted.org.uk)

## List of home-system mail domain names.  This can be empty if we only
## provide service for special-purpose domains.
DEFCONF(sysdomains, CONF_master_domain)

## The magic token for local header names.
DEFCONF(header_token, Distorted)

## The smarthost for satellite hosts.
DEFCONF(smarthost, mail.distorted.org.uk)

## The user who runs verification filters.
DEFCONF(filter_user, Debian-exim)

## Administrative groups.
DEFCONF(admin_groups, root : adm)
DEFCONF(trusted_groups, root : adm)

## Where the spam filter is.
DEFCONF(spamd_address, 172.29.199.8)
DEFCONF(spamd_port, 783)

## Default spam limit for incoming mail (multiplied by ten).
DEFCONF(spam_max, 50)

## Userv stuff for debugging.
DEFCONF(userv_opts, )

## Which interfaces to listen on.  Exim checks for the literal string `::0'
## when setting things up: don't use `::', or we'll be tripped up by Linux's
## demented non-`IPV6_V6ONLY' behaviour.
DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
			      0.0.0.0 ; ::0))

## Main and submission port numbers.  (This is sometimes tweaked for
## testing.)
DEFCONF(smtp_port, 25)
DEFCONF(submission_port, 587)

## Locations of other configuration files.
DEFCONF(sysconf_dir, /etc/mail)
DEFCONF(userconf_dir, $home/.mail)
DEFCONF(alias_file, /etc/aliases)
DEFCONF(ca_dir, /etc/ca)
DEFCONF(dkim_keys_dir, /var/lib/dkim-keys)

## User address suffix handling.
DEFCONF(user_suffix_list, +* : -*)
DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})

## Other hosts allowed to relay mail through us.
DEFCONF(relay_clients, <m4_dnl
; +trusted m4_dnl
; 172.31.80.8 m4_dnl chiark (VPN)
; 172.29.198.161 ; 2001:8b0:c92:a000::1:1 m4_dnl national
)

## DKIM headers list.
## Surprise!  Internal whitespace isn't allowed here.
DEFCONF(dkim_headers, m4_dnl
References : In-Reply-To : Subject : To : Date : Message-ID : m4_dnl
From : Sender : Reply-To : Cc : m4_dnl
Content-Transfer-Encoding : Content-Type : MIME-Version : m4_dnl
Content-ID : Content-Description m4_dnl
)

## TLS certificate list.
DEFCONF(certlist,
<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
<:CONF_sysconf_dir/server.certlist:>,
<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
			{${if match_ip{$sender_host_address}{+trusted} \
				      {server}{letsencrypt}}}}.certlist:>):>)

## TLS-related settings.  We're assuming GNUTLS here, rather than OpenSSL.
## For local connections we are very strict.  For random clients, we try
## fairly hard to encourage any kind of crypto on the grounds that probably
## nobody can verify our certificate anyway.
DEFCONF(good_ciphers, NONE<::>m4_dnl
:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
:+CHACHA20-POLY1305<::>m4_dnl
:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
:+SIGN-DSA-SHA256<::>m4_dnl
:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
:+CTYPE-X.509<::>m4_dnl
:+COMP-NULL<::>m4_dnl
)
DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
:+VERS-TLS-ALL<::>m4_dnl
:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
:+KX-ALL<::>m4_dnl
:+SIGN-ALL<::>m4_dnl
:+CTYPE-ALL<::>m4_dnl
:+CHACHA20-POLY1305<::>m4_dnl
:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
:+CIPHER-ALL<::>m4_dnl
:+CURVE-X25519<::>m4_dnl
:+CURVE-ALL<::>m4_dnl
:+AEAD<::>m4_dnl
:+MAC-ALL<::>m4_dnl
:+COMP-NULL<::>m4_dnl
:-MD5<::>m4_dnl
)

###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Basic configuration settings for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	## Master domain name.
	25	DEFCONF(master_domain, distorted.org.uk)
	26
e913c999	27	## List of home-system mail domain names. This can be empty if we only
945da4ac	28	## provide service for special-purpose domains.
e913c999 MW	29	DEFCONF(sysdomains, CONF_master_domain)
e913c999 MW	30
945da4ac MW	31	## The magic token for local header names.
	32	DEFCONF(header_token, Distorted)
	33
185b5456 MW	34	## The smarthost for satellite hosts.
	35	DEFCONF(smarthost, mail.distorted.org.uk)
	36
	37	## The user who runs verification filters.
	38	DEFCONF(filter_user, Debian-exim)
	39
b1d083dd MW	40	## Administrative groups.
b1d083dd MW	41	DEFCONF(admin_groups, root : adm)
e8fc7835	42	DEFCONF(trusted_groups, root : adm)
b1d083dd	43
185b5456	44	## Where the spam filter is.
75153790	45	DEFCONF(spamd_address, 172.29.199.8)
185b5456 MW	46	DEFCONF(spamd_port, 783)
	47
	48	## Default spam limit for incoming mail (multiplied by ten).
	49	DEFCONF(spam_max, 50)
	50
ea823544 MW	51	## Userv stuff for debugging.
	52	DEFCONF(userv_opts, )
	53
185b5456 MW	54	## Which interfaces to listen on. Exim checks for the literal string `::0'
	55	## when setting things up: don't use `::', or we'll be tripped up by Linux's
	56	## demented non-`IPV6_V6ONLY' behaviour.
	57	DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
	58	0.0.0.0 ; ::0))
	59
d411be33 MW	60	## Main and submission port numbers. (This is sometimes tweaked for
	61	## testing.)
	62	DEFCONF(smtp_port, 25)
185b5456 MW	63	DEFCONF(submission_port, 587)
	64
	65	## Locations of other configuration files.
	66	DEFCONF(sysconf_dir, /etc/mail)
	67	DEFCONF(userconf_dir, $home/.mail)
	68	DEFCONF(alias_file, /etc/aliases)
	69	DEFCONF(ca_dir, /etc/ca)
30fee27e	70	DEFCONF(dkim_keys_dir, /var/lib/dkim-keys)
185b5456 MW	71
185b5456 MW	72	## User address suffix handling.
025eb2ed	73	DEFCONF(user_suffix_list, +* : -*)
185b5456 MW	74	DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})
	75
	76	## Other hosts allowed to relay mail through us.
2f2fc64d MW	77	DEFCONF(relay_clients, <m4_dnl
	78	; +trusted m4_dnl
	79	; 172.31.80.8 m4_dnl chiark (VPN)
9b920601	80	; 172.29.198.161 ; 2001:8b0:c92:a000::1:1 m4_dnl national
2f2fc64d	81	)
185b5456	82
30fee27e	83	## DKIM headers list.
1724717c	84	## Surprise! Internal whitespace isn't allowed here.
cc17d19e MW	85	DEFCONF(dkim_headers, m4_dnl
	86	References : In-Reply-To : Subject : To : Date : Message-ID : m4_dnl
	87	From : Sender : Reply-To : Cc : m4_dnl
	88	Content-Transfer-Encoding : Content-Type : MIME-Version : m4_dnl
	89	Content-ID : Content-Description m4_dnl
	90	)
30fee27e	91
1dda4df9	92	## TLS certificate list.
8afec898 MW	93	DEFCONF(certlist,
	94	<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
	95	<:CONF_sysconf_dir/server.certlist:>,
5013c11c MW	96	<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
	97	{${if match_ip{$sender_host_address}{+trusted} \
	98	{server}{letsencrypt}}}}.certlist:>):>)
1dda4df9	99
185b5456 MW	100	## TLS-related settings. We're assuming GNUTLS here, rather than OpenSSL.
	101	## For local connections we are very strict. For random clients, we try
	102	## fairly hard to encourage any kind of crypto on the grounds that probably
	103	## nobody can verify our certificate anyway.
	104	DEFCONF(good_ciphers, NONE<::>m4_dnl
b6d74252	105	:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
2d3b825d MW	106	:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
	107	:+CHACHA20-POLY1305<::>m4_dnl
	108	:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
	109	:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
	110	:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
	111	:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
	112	:+SIGN-DSA-SHA256<::>m4_dnl
	113	:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
185b5456 MW	114	:+CTYPE-X.509<::>m4_dnl
	115	:+COMP-NULL<::>m4_dnl
	116	)
2d3b825d	117	DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
09c2d8d8	118	:+VERS-TLS-ALL<::>m4_dnl
2d3b825d	119	:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
09c2d8d8 MW	120	:+KX-ALL<::>m4_dnl
	121	:+SIGN-ALL<::>m4_dnl
	122	:+CTYPE-ALL<::>m4_dnl
2d3b825d MW	123	:+CHACHA20-POLY1305<::>m4_dnl
2d3b825d MW	124	:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
09c2d8d8	125	:+CIPHER-ALL<::>m4_dnl
2d3b825d	126	:+CURVE-X25519<::>m4_dnl
09c2d8d8	127	:+CURVE-ALL<::>m4_dnl
2d3b825d	128	:+AEAD<::>m4_dnl
09c2d8d8 MW	129	:+MAC-ALL<::>m4_dnl
09c2d8d8 MW	130	:+COMP-NULL<::>m4_dnl
185b5456 MW	131	:-MD5<::>m4_dnl
	132	)
	133
	134	###----- That's all, folks --------------------------------------------------