chiark - git - mdw - exim-config/blob - base.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Basic settings for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Global settings.
  26
  27 SECTION(global, priv)m4_dnl
  28 prod_requires_admin = false
  29
  30 SECTION(global, logging)m4_dnl
  31 log_file_path = : syslog
  32 log_selector = \
  33         +smtp_confirmation \
  34         +tls_peerdn
  35 log_timezone = true
  36 syslog_duplication = false
  37 syslog_timestamp = false
  38
  39 SECTION(global, daemon)m4_dnl
  40 local_interfaces = <; CONF_interfaces
  41 extra_local_interfaces = <; 0.0.0.0 ; ::
  42
  43 SECTION(global, resource)m4_dnl
  44 deliver_queue_load_max = 8
  45 queue_only_load = 12
  46 smtp_accept_max = 16
  47 smtp_accept_queue = 32
  48 smtp_accept_reserve = 4
  49 smtp_load_reserve = 10
  50 smtp_reserve_hosts = +trusted
  51
  52 SECTION(global, policy)m4_dnl
  53 host_lookup = *
  54
  55 SECTION(global, users)m4_dnl
  56 gecos_name = $1
  57 gecos_pattern = ([^,:]*)
  58
  59 SECTION(global, incoming)m4_dnl
  60 received_header_text = Received: \
  61         ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
  62              {${if def:sender_ident \
  63                    {from ${quote_local_part:$sender_ident} }}\
  64               ${if def:sender_helo_name \
  65                    {(helo=$sender_helo_name)\n\t}}}}\
  66         by $primary_hostname \
  67         ${if def:received_protocol \
  68              {with $received_protocol \
  69               ${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
  70         (Exim $version_number)\n\t\
  71         ${if def:sender_address \
  72              {(envelope-from <$sender_address>\
  73               ${if def:authenticated_id \
  74                    {; auth=$authenticated_id}})\n\t}}\
  75         id $message_exim_id\
  76         ${if def:received_for {\n\tfor $received_for}}
  77
  78 SECTION(global, smtp)m4_dnl
  79 smtp_return_error_details = true
  80 accept_8bitmime = true
  81
  82 SECTION(global, process)m4_dnl
  83 extract_addresses_remove_arguments = false
  84 headers_charset = utf-8
  85 qualify_domain = CONF_master_domain
  86
  87 SECTION(global, bounce)m4_dnl
  88 delay_warning = 1h : 24h : 2d
  89
  90 DIVERT(null)
  91 ###--------------------------------------------------------------------------
  92 ### Access control lists.
  93
  94 SECTION(global, acl-after)
  95 SECTION(global, acl)m4_dnl
  96 acl_smtp_helo = helo
  97 SECTION(acl, misc)m4_dnl
  98 helo:
  99         require  message = The other one has bells on
 100                  verify = helo
 101
 102         accept
 103
 104 SECTION(global, acl)m4_dnl
 105 acl_smtp_mail = mail
 106 SECTION(acl, mail)m4_dnl
 107 mail:
 108
 109         ## Always allow the empty sender, so that we can receive bounces.
 110         accept   senders = :
 111
 112         ## Ensure that the sender is routable.  This is important to prevent
 113         ## undeliverable bounces.
 114         require  message = Invalid sender; \
 115                         ($sender_verify_failure; $acl_verify_message)
 116                  verify = sender
 117
 118         ## If this is directly from a client then hack on it for a while.
 119         warn     condition = ${if eq{$acl_c_mode}{submission}}
 120                  control = submission
 121
 122 SECTION(acl, mail-tail)m4_dnl
 123         ## And we're done.
 124         accept
 125
 126 SECTION(global, acl)m4_dnl
 127 acl_smtp_connect = connect
 128 SECTION(acl, connect)m4_dnl
 129 connect:
 130 SECTION(acl, connect-tail)m4_dnl
 131         ## Configure variables according to the submission mode.
 132         warn     acl = check_submission
 133
 134         ## Done.
 135         accept
 136
 137 check_submission:
 138         ## See whether this message needs hacking on.
 139         accept  !hosts = +localnet
 140                 !condition = ${if ={$received_port}{CONF_submission_port}}
 141                  set acl_c_mode = relay
 142
 143         ## Remember to apply submission controls.
 144         warn     set acl_c_mode = submission
 145
 146         ## Done.
 147         accept
 148
 149 SECTION(global, acl)m4_dnl
 150 acl_smtp_rcpt = rcpt
 151 SECTION(acl, rcpt)m4_dnl
 152 rcpt:
 153
 154         ## Reject if the client isn't allowed to relay and the recipient
 155         ## isn't in one of our known domains.
 156         deny     message = Relaying not permitted
 157                 !hosts = CONF_relay_clients
 158                 !authenticated = *
 159                 !domains = +known
 160
 161         ## Ensure that the recipient is routable.
 162         require  message = Invalid recipient \
 163                         ($recipient_verify_failure; $acl_verify_message)
 164                  verify = recipient
 165
 166 SECTION(acl, rcpt-tail)m4_dnl
 167         ## Everything checks out OK: let this one go through.
 168         accept
 169
 170 SECTION(global, acl)m4_dnl
 171 acl_smtp_data = data
 172 SECTION(acl, data)m4_dnl
 173 data:
 174
 175 SECTION(acl, data-tail)m4_dnl
 176         accept
 177
 178 SECTION(global, acl)m4_dnl
 179 acl_smtp_expn = expn_vrfy
 180 acl_smtp_vrfy = expn_vrfy
 181 SECTION(acl)m4_dnl
 182 expn_vrfy:
 183         accept   hosts = +trusted
 184         deny     message = Suck it and see
 185
 186 DIVERT(null)
 187 ###--------------------------------------------------------------------------
 188 ### Common options for forwarding routers.
 189
 190 ## We're pretty permissive here.
 191 m4_define(<:FILTER_BASE:>,
 192         <:driver = redirect
 193         modemask = 002
 194         check_owner = false
 195         check_group = false
 196         allow_filter = true
 197         allow_defer = true
 198         allow_fail = true
 199         forbid_blackhole = false
 200         check_ancestor = true:>)
 201
 202 ## Common options for forwarding routers at verification time.
 203 m4_define(<:FILTER_VERIFY:>,
 204         <:verify_only = true
 205         user = CONF_filter_user
 206         forbid_filter_dlfunc = true
 207         forbid_filter_logwrite = true
 208         forbid_filter_perl = true
 209         forbid_filter_readsocket = true
 210         forbid_filter_run = true
 211         file_transport = dummy
 212         directory_transport = dummy
 213         pipe_transport = dummy
 214         reply_transport = dummy:>)
 215
 216 ## Transports for redirection filters.
 217 m4_define(<:FILTER_TRANSPORTS:>,
 218         <:file_transport = mailbox
 219         directory_transport = maildir
 220         pipe_transport = pipe
 221         reply_transport = reply:>)
 222
 223 DIVERT(null)
 224 ###--------------------------------------------------------------------------
 225 ### Some standard transports.
 226
 227 m4_define(<:USER_DELIVERY:>,
 228         <:delivery_date_add = true
 229         envelope_to_add = true
 230         return_path_add = true:>)
 231
 232 SECTION(transports)m4_dnl
 233 ## A standard transport for remote delivery.  Try to do TLS, and don't worry
 234 ## too much if it's not very secure: the alternative is sending in plaintext
 235 ## anyway.
 236 smtp:
 237         driver = smtp
 238         tls_require_ciphers = CONF_acceptable_ciphers
 239         tls_dh_min_bits = 1020
 240         tls_tempfail_tryclear = true
 241
 242 ## Transport to a local SMTP server; use TLS and perform client
 243 ## authentication.
 244 smtp_local:
 245         driver = smtp
 246         hosts_require_tls = *
 247         tls_certificate = CONF_sysconf_dir/client.cert
 248         tls_privatekey = CONF_sysconf_dir/client.key
 249         tls_verify_certificates = CONF_ca_dir/ca.cert
 250         tls_require_ciphers = CONF_good_ciphers
 251         tls_dh_min_bits = 3070
 252         tls_tempfail_tryclear = false
 253         authenticated_sender = ${if def:authenticated_id \
 254                                     ${authenticated_id@CONF_master_domain} \
 255                                     fail}
 256
 257 ## A standard transport for local delivery.
 258 deliver:
 259         driver = appendfile
 260         file = /var/mail/$local_part
 261         USER_DELIVERY
 262
 263 ## Transports for user filters.
 264 mailbox:
 265         driver = appendfile
 266         USER_DELIVERY
 267
 268 maildir:
 269         driver = appendfile
 270         maildir_format = true
 271         USER_DELIVERY
 272
 273 pipe:
 274         driver = pipe
 275         return_output = true
 276
 277 ## A special dummy transport for use during address verification.
 278 dummy:
 279         driver = appendfile
 280         file = /dev/null
 281
 282 DIVERT(null)
 283 ###--------------------------------------------------------------------------
 284 ### Retry configuration.
 285
 286 SECTION(retry, default)m4_dnl
 287 ## Default.
 288 *                                       * \
 289         F,2h,15m; G,16h,2h,1.5; F,4d,6h
 290
 291 DIVERT(null)
 292 ###----- That's all, folks --------------------------------------------------