| 1 | ### -*-m4-*- |
| 2 | ### |
| 3 | ### Basic settings for distorted.org.uk Exim configuration |
| 4 | ### |
| 5 | ### (c) 2012 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
###--------------------------------------------------------------------------
### Global settings.

SECTION(global, priv)m4_dnl
## Members of CONF_admin_groups are Exim admin users.  Turning off
## `prod_requires_admin' lets any local user prod the queue (-M, -R, -q and
## friends), not only admin users: convenient, but it means an unprivileged
## local account can start queue runs whenever it likes.
admin_groups = CONF_admin_groups
prod_requires_admin = false

SECTION(global, logging)m4_dnl
## Log via syslog.  NOTE(review): the leading empty item in `log_file_path'
## presumably stands for the compiled-in log-file path, so this may log to
## files as well as syslog -- confirm against the installed spec if file
## logs are unwanted.  `tls_peerdn' records the DN of any peer certificate,
## which is what ties a `smtp_local' delivery to the client certificate that
## was presented; `smtp_confirmation' keeps the remote server's final
## response for each delivery.
log_file_path = : syslog
log_selector = \
  +smtp_confirmation \
  +tls_peerdn
log_timezone = true
syslog_duplication = false
syslog_timestamp = false

SECTION(global, daemon)m4_dnl
## Listen only on CONF_interfaces (the `<;' prefix makes `;' the list
## separator so IPv6 literals can be used).  The wildcard addresses in
## `extra_local_interfaces' are treated as local for routing purposes only;
## they are not listened on.
local_interfaces = <; CONF_interfaces
extra_local_interfaces = <; 0.0.0.0 ; ::

SECTION(global, resource)m4_dnl
## Load and connection limits.  Above `queue_only_load' incoming messages
## are queued rather than delivered at once, and above
## `deliver_queue_load_max' queue runs stop; the same queue-only behaviour
## kicks in once more than `smtp_accept_queue' connections are active.
## When fewer than `smtp_accept_reserve' of the `smtp_accept_max' slots are
## free, or the load is above `smtp_load_reserve', only hosts in +trusted
## (defined outside this file) get a connection -- so a flood of strangers
## can't lock out the peers we care about.
deliver_queue_load_max = 8
queue_only_load = 12
smtp_accept_max = 16
smtp_accept_queue = 32
smtp_accept_reserve = 4
smtp_load_reserve = 10
smtp_reserve_hosts = +trusted

SECTION(global, policy)m4_dnl
## Reverse-DNS every client, so that `$sender_rcvhost' (used in the
## Received: header) and the logs carry the client's host name.  Costs a
## lookup per connection.
host_lookup = *

SECTION(global, users)m4_dnl
## A user's full name is everything in the gecos field up to the first
## comma or colon.
gecos_name = $1
gecos_pattern = ([^,:]*)
| 59 | |
SECTION(global, incoming)m4_dnl
## Our own Received: header.  Besides the usual from/by/with/id parts it
## appends `auth=<id>' after the envelope sender when the message arrived
## authenticated, so an authenticated submission can be traced back to an
## account from the headers alone.  `$sender_ident' is run through
## `quote_local_part' before insertion; `$sender_helo_name' is client
## supplied and inserted as-is, so treat that part of the header as
## untrusted when anything parses it downstream.
received_header_text = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
    {${if def:sender_ident \
      {from ${quote_local_part:$sender_ident} }}\
     ${if def:sender_helo_name \
      {(helo=$sender_helo_name)\n\t}}}}\
  by $primary_hostname \
  (Exim $version_number)\
  ${if def:tls_cipher {\n\t} { }}\
  ${if def:received_protocol \
    {with $received_protocol \
     ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
  ${if def:sender_address \
    {(envelope-from <$sender_address>\
     ${if def:authenticated_id \
      {; auth=$authenticated_id}})\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}
| 79 | |
SECTION(global, smtp)m4_dnl
## Send detailed rejection reasons back to SMTP clients.  NOTE(review):
## together with the `$acl_verify_message' text in the ACL rejections, this
## hands internal routing-failure detail to remote senders.  Handy for
## debugging; just be aware that it is visible.
smtp_return_error_details = true
accept_8bitmime = true

SECTION(global, process)m4_dnl
## With `-t', addresses given on the command line are added to the header
## recipients rather than removed from them.  Header lines are decoded as
## UTF-8 in expansions, and unqualified addresses get CONF_master_domain.
extract_addresses_remove_arguments = false
headers_charset = utf-8
qualify_domain = CONF_master_domain

SECTION(global, bounce)m4_dnl
## Warn the sender about delayed delivery after an hour, a day, and two
## days.
delay_warning = 1h : 24h : 2d
| 91 | |
DIVERT(null)
###--------------------------------------------------------------------------
### Access control lists.

SECTION(global, acl-after)
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
## Reject any HELO/EHLO name that doesn't verify (Exim's check: the name is
## an address literal matching the client, or its forward/reverse DNS agrees
## with the connecting address).  This is strict -- plenty of legitimate but
## sloppy senders fail it -- so if mail from such hosts turns out to be
## wanted, the usual softening is to make this a `warn' and act on
## `$sender_helo_name' later in `rcpt:' instead.
helo:
  require message = The other one has bells on
          verify = helo

  accept
| 105 | |
SECTION(global, acl)m4_dnl
acl_smtp_mail = mail
SECTION(acl, mail)m4_dnl
mail:

  ## Always allow the empty sender, so that we can receive bounces.  Note
  ## that this `accept' ends the ACL, so nothing below it (including the
  ## submission-mode control) is applied to a message with a null sender.
  accept senders = :

  ## Ensure that the sender is routable.  This is important to prevent
  ## undeliverable bounces.  It is a plain verify (no callout), so only the
  ## routers are consulted; note it runs for unauthenticated clients too,
  ## and the failure detail is echoed back to them via `$acl_verify_message'.
  require message = Invalid sender; \
                    ($sender_verify_failure; $acl_verify_message)
          verify = sender

  ## If this is directly from a client then hack on it for a while.
  ## `$acl_c_mode' is set once per connection by the `check_submission'
  ## sub-ACL run from `connect:'.  `control = submission' makes Exim treat
  ## the message as a fresh submission (e.g. adding missing Date: and
  ## Message-ID: headers) -- it does not, by itself, grant relay rights;
  ## those are decided in `rcpt:'.
  warn condition = ${if eq{$acl_c_mode}{submission}}
       control = submission

SECTION(acl, mail-tail)m4_dnl
  ## And we're done.
  accept
| 127 | |
SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
connect:
SECTION(acl, connect-tail)m4_dnl
  ## Configure variables according to the submission mode.  The `warn' verb
  ## is just a way of running the sub-ACL for its `set' side effect;
  ## `check_submission' always ends in `accept'.
  warn acl = check_submission

  ## Done.
  accept

## Decide, once per connection, whether this client is submitting mail
## (submission mode) or merely relaying/delivering to us (relay mode).
## Relay mode needs *both* a host outside +localnet *and* a port other than
## CONF_submission_port; anything else -- including a port-25 connection
## from the local network -- is submission mode.  `$acl_c_mode' is a
## connection-scoped variable read by `mail:'.  Submission mode only
## affects message fix-ups; relay permission is checked separately in
## `rcpt:'.
check_submission:
  ## See whether this message needs hacking on.
  accept !hosts = +localnet
         !condition = ${if ={$received_port}{CONF_submission_port}}
         set acl_c_mode = relay

  ## Remember to apply submission controls.
  warn set acl_c_mode = submission

  ## Done.
  accept
| 150 | |
SECTION(global, acl)m4_dnl
acl_smtp_rcpt = rcpt
SECTION(acl, rcpt)m4_dnl
rcpt:

  ## Reject if the client isn't allowed to relay and the recipient
  ## isn't in one of our known domains.  Relaying is open to hosts in
  ## CONF_relay_clients and to any authenticated client.  This deliberately
  ## comes *before* recipient verification, so strangers can't make us route
  ## arbitrary foreign addresses.  Whether AUTH is only advertised over TLS
  ## is decided outside this file.
  deny message = Relaying not permitted
       !hosts = CONF_relay_clients
       !authenticated = *
       !domains = +known

  ## Ensure that the recipient is routable.  Plain verify, no callout; the
  ## failure detail goes back to the client in the SMTP reply.
  require message = Invalid recipient \
                    ($recipient_verify_failure; $acl_verify_message)
          verify = recipient

SECTION(acl, rcpt-tail)m4_dnl
  ## Everything checks out OK: let this one go through.
  accept
| 171 | |
SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
## No content checks are made in this file: the `data' section is
## presumably filled in from other sources ahead of the `-tail' part, which
## accepts unconditionally.
data:

SECTION(acl, data-tail)m4_dnl
  accept
| 179 | |
SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
SECTION(acl)m4_dnl
## EXPN and VRFY are answered only for +trusted hosts; for anyone else they
## would be a cheap way to enumerate local users and list memberships.
expn_vrfy:
  accept hosts = +trusted
  deny message = Suck it and see
| 187 | |
DIVERT(null)
###--------------------------------------------------------------------------
### Common options for forwarding routers.

## We're pretty permissive here.  Concretely:
##   * `check_owner'/`check_group' off and `modemask = 002': a .forward or
##     filter file owned by someone else, or group-writable, is still
##     honoured (only world-writable files are refused).  Whoever can write
##     such a file controls where that user's mail goes -- and, through
##     FILTER_TRANSPORTS, what gets run -- so this leans on sensible
##     home-directory permissions.
##   * `allow_filter': Exim filter files are accepted, not just plain
##     address lists; `allow_defer'/`allow_fail' let a filter defer or
##     bounce a message, and `forbid_blackhole = false' lets it discard one.
##   * `check_ancestor': stops a redirection looping back to an ancestor
##     address.
m4_define(<:FILTER_BASE:>,
<:driver = redirect
modemask = 002
check_owner = false
check_group = false
allow_filter = true
allow_defer = true
allow_fail = true
forbid_blackhole = false
check_ancestor = true:>)
| 203 | |
## Common options for forwarding routers at verification time.  Sender and
## recipient verification runs these routers for addresses chosen by
## possibly-unauthenticated clients, so: run as CONF_filter_user rather than
## the recipient, forbid every filter command with side effects (run, perl,
## readsocket, dlfunc, logwrite), and point all four delivery kinds at the
## `dummy' transport so nothing is actually delivered while verifying.
m4_define(<:FILTER_VERIFY:>,
<:verify_only = true
user = CONF_filter_user
forbid_filter_dlfunc = true
forbid_filter_logwrite = true
forbid_filter_perl = true
forbid_filter_readsocket = true
forbid_filter_run = true
file_transport = dummy
directory_transport = dummy
pipe_transport = dummy
reply_transport = dummy:>)
| 217 | |
## Real transports for redirection filters at delivery time (the
## verification-time counterpart, FILTER_VERIFY, points all of these at
## `dummy').  `mailbox', `maildir' and `pipe' are defined below; `reply' is
## not defined in this file.
m4_define(<:FILTER_TRANSPORTS:>,
<:reply_transport = reply
pipe_transport = pipe
directory_transport = maildir
file_transport = mailbox:>)
| 224 | |
DIVERT(null)
###--------------------------------------------------------------------------
### Some standard transports.

## Trace headers added on final local delivery: Delivery-date:,
## Envelope-to: and Return-path:.
m4_define(<:USER_DELIVERY:>,
<:delivery_date_add = true
envelope_to_add = true
return_path_add = true:>)
| 233 | |
SECTION(transports)m4_dnl
## A standard transport for remote delivery.  Try to do TLS, and don't worry
## too much if it's not very secure: the alternative is sending in plaintext
## anyway.  In practice that means no certificate verification is required
## here, and `tls_tempfail_tryclear' retries in the clear if STARTTLS
## fails -- so an on-path attacker can strip TLS from these deliveries.
## That is the accepted trade-off of opportunistic TLS.
## NOTE(review): 1020 rather than 1024 for the DH floor is presumably a
## deliberate margin for peers whose generated primes come out a bit or two
## short of nominal; confirm before "correcting" it.
smtp:
  driver = smtp
  tls_require_ciphers = CONF_acceptable_ciphers
  tls_dh_min_bits = 1020
  tls_tempfail_tryclear = true
## Transport to a local SMTP server; use TLS and perform client
## authentication.  TLS is mandatory (`hosts_require_tls = *' with no
## clear-text fallback), we present CONF_sysconf_dir/client.{cert,key}, and
## the server's certificate is checked against CONF_ca_dir/ca.cert with a
## stricter cipher list and DH floor than the opportunistic `smtp' transport.
## NOTE(review): on Exim 4.82 and later, `tls_verify_certificates' on its
## own makes verification *attempted* but a failure is not fatal unless the
## host is also in `tls_verify_hosts'; if this runs on a current Exim, add
## `tls_verify_hosts = *' so a bad server certificate actually fails the
## delivery -- confirm against the installed version's spec.
## `authenticated_sender' passes the submitting account's identity (AUTH=)
## on to the local server; the forced failure (`fail') for an
## unauthenticated message simply leaves the parameter out.
smtp_local:
  driver = smtp
  hosts_require_tls = *
  tls_certificate = CONF_sysconf_dir/client.cert
  tls_privatekey = CONF_sysconf_dir/client.key
  tls_verify_certificates = CONF_ca_dir/ca.cert
  tls_require_ciphers = CONF_good_ciphers
  tls_dh_min_bits = 2046
  tls_tempfail_tryclear = false
  authenticated_sender = ${if def:authenticated_id \
                          {$authenticated_id@CONF_master_domain} \
                          fail}
| 258 | |
## A standard transport for local delivery.  Appends to the system mailbox
## /var/mail/$local_part, creating it mode 0600 (so group `mail', the group
## the transport runs as, gets no access to the file itself); an existing
## mailbox with narrower permissions is still accepted
## (`mode_fail_narrower = false').
## NOTE(review): `file' is built from `$local_part' directly, so every
## router that hands addresses to this transport must have already pinned
## it to a real local user name (e.g. via `check_local_user'); on Exim 4.94
## and later `$local_part' is tainted and this needs `$local_part_data'.
deliver:
  driver = appendfile
  file = /var/mail/$local_part
  group = mail
  mode = 0600
  mode_fail_narrower = false
  USER_DELIVERY
| 267 | |
## Transports for user filters.  These are reached through FILTER_TRANSPORTS
## from a user's own .forward/filter file, so the target file or directory
## is whatever the filter names; they presumably run as the owning user (the
## router's `user' is not set in this file), with `initgroups' picking up
## that user's supplementary groups.
mailbox:
  driver = appendfile
  initgroups = true
  USER_DELIVERY

maildir:
  driver = appendfile
  maildir_format = true
  initgroups = true
  USER_DELIVERY

## Pipe commands from user filters.  PATH starts with the user's own ~/bin
## when it exists, then the system directories.  NOTE(review):
## `return_fail_output' puts a failed command's output into the bounce,
## which goes back to whoever sent the message -- possibly a remote
## stranger -- so a chatty failing command can leak local detail; the same
## output is also logged (`log_output').
pipe:
  driver = pipe
  path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
         /usr/local/bin:/usr/local/sbin:\
         /usr/bin:/usr/sbin:/bin:/sbin
  initgroups = true
  umask = 002
  return_fail_output = true
  log_output = true

## A special dummy transport for use during address verification.  Anything
## a filter would "deliver" while being verified goes to /dev/null.
dummy:
  driver = appendfile
  file = /dev/null
| 294 | |
DIVERT(null)
###--------------------------------------------------------------------------
### Retry configuration.

SECTION(retry, default)m4_dnl
## Default.  Applies to every address and every kind of error: retry every
## 15 minutes for the first two hours, then at intervals starting at 2h and
## growing by a factor of 1.5 until 16 hours have passed, then every 6 hours
## up to four days, after which the address is bounced.
* * \
  F,2h,15m; G,16h,2h,1.5; F,4d,6h

DIVERT(null)
###----- That's all, folks --------------------------------------------------