chiark - git - mdw - exim-config/blob - base.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Basic settings for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Global settings.
  26
  27 SECTION(global, priv)m4_dnl
  28 admin_groups = CONF_admin_groups
  29 prod_requires_admin = false
  30
  31 SECTION(global, logging)m4_dnl
  32 log_file_path = : syslog
  33 log_selector = \
  34         +smtp_confirmation \
  35         +tls_peerdn
  36 log_timezone = true
  37 syslog_duplication = false
  38 syslog_timestamp = false
  39
  40 SECTION(global, daemon)m4_dnl
  41 local_interfaces = <; CONF_interfaces
  42 extra_local_interfaces = <; 0.0.0.0 ; ::
  43
  44 SECTION(global, resource)m4_dnl
  45 deliver_queue_load_max = 8
  46 queue_only_load = 12
  47 smtp_accept_max = 16
  48 smtp_accept_queue = 32
  49 smtp_accept_reserve = 4
  50 smtp_load_reserve = 10
  51 smtp_reserve_hosts = +trusted
  52
  53 SECTION(global, policy)m4_dnl
  54 host_lookup = *
  55
  56 SECTION(global, users)m4_dnl
  57 gecos_name = $1
  58 gecos_pattern = ([^,:]*)
  59
  60 SECTION(global, incoming)m4_dnl
  61 received_header_text = Received: \
  62         ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
  63              {${if def:sender_ident \
  64                    {from ${quote_local_part:$sender_ident} }}\
  65               ${if def:sender_helo_name \
  66                    {(helo=$sender_helo_name)\n\t}}}}\
  67         by $primary_hostname \
  68         (Exim $version_number)\
  69         ${if def:tls_cipher {\n\t} { }}\
  70         ${if def:received_protocol \
  71              {with $received_protocol \
  72               ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
  73         ${if def:sender_address \
  74              {(envelope-from <$sender_address>\
  75               ${if def:authenticated_id \
  76                    {; auth=$authenticated_id}})\n\t}}\
  77         id $message_exim_id\
  78         ${if def:received_for {\n\tfor $received_for}}
  79
  80 SECTION(global, smtp)m4_dnl
  81 smtp_return_error_details = true
  82 accept_8bitmime = true
  83
  84 SECTION(global, process)m4_dnl
  85 extract_addresses_remove_arguments = false
  86 headers_charset = utf-8
  87 qualify_domain = CONF_master_domain
  88
  89 SECTION(global, bounce)m4_dnl
  90 delay_warning = 1h : 24h : 2d
  91
  92 DIVERT(null)
  93 ###--------------------------------------------------------------------------
  94 ### Access control lists.
  95
  96 SECTION(global, acl-after)
  97 SECTION(global, acl)m4_dnl
  98 acl_smtp_helo = helo
  99 SECTION(acl, misc)m4_dnl
 100 helo:
 101         ## Check that the caller's claimed identity is actually plausible.
 102         ## This seems like it's a fairly effective filter on spamminess, but
 103         ## it's too blunt a tool.  Rather than reject, add a warning header.
 104         ## Only we can't do this the easy way, so save it up for use in MAIL.
 105         ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
 106         ## and we should only care about the most recent one.
 107         warn     set acl_c_helo_warning = false
 108                 !condition = \
 109                         ${if exists {CONF_sysconf_dir/helo.conf} \
 110                              {${lookup {$sender_helo_name} \
 111                                        partial0-lsearch \
 112                                        {CONF_sysconf_dir/helo.conf} \
 113                                        {${if match_ip \
 114                                              {$sender_host_address} \
 115                                              {$value}}}}}}
 116                 !verify = helo
 117                  set acl_c_helo_warning = true
 118
 119         accept
 120
 121 SECTION(global, acl)m4_dnl
 122 acl_smtp_mail = mail
 123 SECTION(acl, mail)m4_dnl
 124 mail:
 125
 126         ## If we stashed a warning header about HELO from earlier, we should
 127         ## add it now.
 128         warn     condition = $acl_c_helo_warning
 129                  add_header = :after_received:X-Distorted-Warning: \
 130                         BADHELO \
 131                         Client's HELO doesn't match its IP address.\n\t\
 132                         HELO name = $sender_helo_name, \
 133                         address = $sender_host_address
 134
 135         ## Always allow the empty sender, so that we can receive bounces.
 136         accept   senders = :
 137
 138         ## Ensure that the sender is routable.  This is important to prevent
 139         ## undeliverable bounces.
 140         require  message = Invalid sender; \
 141                         ($sender_verify_failure; $acl_verify_message)
 142                  verify = sender
 143
 144         ## If this is directly from a client then hack on it for a while.
 145         warn     condition = ${if eq{$acl_c_mode}{submission}}
 146                  control = submission
 147
 148 SECTION(acl, mail-tail)m4_dnl
 149         ## And we're done.
 150         accept
 151
 152 SECTION(global, acl)m4_dnl
 153 acl_smtp_connect = connect
 154 SECTION(acl, connect)m4_dnl
 155 connect:
 156 SECTION(acl, connect-tail)m4_dnl
 157         ## Configure variables according to the submission mode.
 158         warn     acl = check_submission
 159
 160         ## Done.
 161         accept
 162
 163 check_submission:
 164         ## See whether this message needs hacking on.
 165         accept  !hosts = +localnet
 166                 !condition = ${if ={$received_port}{CONF_submission_port}}
 167                  set acl_c_mode = relay
 168
 169         ## Remember to apply submission controls.
 170         warn     set acl_c_mode = submission
 171
 172         ## Done.
 173         accept
 174
 175 SECTION(global, acl)m4_dnl
 176 acl_smtp_rcpt = rcpt
 177 SECTION(acl, rcpt)m4_dnl
 178 rcpt:
 179
 180         ## Reject if the client isn't allowed to relay and the recipient
 181         ## isn't in one of our known domains.
 182         deny     message = Relaying not permitted
 183                 !hosts = CONF_relay_clients
 184                 !authenticated = *
 185                 !domains = +known
 186
 187         ## Ensure that the recipient is routable.
 188         require  message = Invalid recipient \
 189                         ($recipient_verify_failure; $acl_verify_message)
 190                  verify = recipient
 191
 192 SECTION(acl, rcpt-tail)m4_dnl
 193         ## Everything checks out OK: let this one go through.
 194         accept
 195
 196 SECTION(global, acl)m4_dnl
 197 acl_smtp_data = data
 198 SECTION(acl, data)m4_dnl
 199 data:
 200
 201 SECTION(acl, data-tail)m4_dnl
 202         accept
 203
 204 SECTION(global, acl)m4_dnl
 205 acl_smtp_expn = expn_vrfy
 206 acl_smtp_vrfy = expn_vrfy
 207 SECTION(acl)m4_dnl
 208 expn_vrfy:
 209         accept   hosts = +trusted
 210         deny     message = Suck it and see
 211
 212 DIVERT(null)
 213 ###--------------------------------------------------------------------------
 214 ### Common options for forwarding routers.
 215
 216 ## We're pretty permissive here.
 217 m4_define(<:FILTER_BASE:>,
 218         <:driver = redirect
 219         modemask = 002
 220         check_owner = false
 221         check_group = false
 222         allow_filter = true
 223         allow_defer = true
 224         allow_fail = true
 225         forbid_blackhole = false
 226         check_ancestor = true:>)
 227
 228 ## Common options for forwarding routers at verification time.
 229 m4_define(<:FILTER_VERIFY:>,
 230         <:verify_only = true
 231         user = CONF_filter_user
 232         forbid_filter_dlfunc = true
 233         forbid_filter_logwrite = true
 234         forbid_filter_perl = true
 235         forbid_filter_readsocket = true
 236         forbid_filter_run = true
 237         file_transport = dummy
 238         directory_transport = dummy
 239         pipe_transport = dummy
 240         reply_transport = dummy:>)
 241
 242 ## Transports for redirection filters.
 243 m4_define(<:FILTER_TRANSPORTS:>,
 244         <:file_transport = mailbox
 245         directory_transport = maildir
 246         pipe_transport = pipe
 247         reply_transport = reply:>)
 248
 249 DIVERT(null)
 250 ###--------------------------------------------------------------------------
 251 ### Some standard transports.
 252
 253 m4_define(<:USER_DELIVERY:>,
 254         <:delivery_date_add = true
 255         envelope_to_add = true
 256         return_path_add = true:>)
 257
 258 SECTION(transports)m4_dnl
 259 ## A standard transport for remote delivery.  Try to do TLS, and don't worry
 260 ## too much if it's not very secure: the alternative is sending in plaintext
 261 ## anyway.
 262 smtp:
 263         driver = smtp
 264         tls_require_ciphers = CONF_acceptable_ciphers
 265         tls_dh_min_bits = 1020
 266         tls_tempfail_tryclear = true
 267
 268 ## Transport to a local SMTP server; use TLS and perform client
 269 ## authentication.
 270 smtp_local:
 271         driver = smtp
 272         hosts_require_tls = *
 273         tls_certificate = CONF_sysconf_dir/client.cert
 274         tls_privatekey = CONF_sysconf_dir/client.key
 275         tls_verify_certificates = CONF_ca_dir/ca.cert
 276         tls_require_ciphers = CONF_good_ciphers
 277         tls_dh_min_bits = 2046
 278         tls_tempfail_tryclear = false
 279         authenticated_sender = ${if def:authenticated_id \
 280                                     {$authenticated_id@CONF_master_domain} \
 281                                     fail}
 282
 283 ## A standard transport for local delivery.
 284 deliver:
 285         driver = appendfile
 286         file = /var/mail/$local_part
 287         group = mail
 288         mode = 0600
 289         mode_fail_narrower = false
 290         USER_DELIVERY
 291
 292 ## Transports for user filters.
 293 mailbox:
 294         driver = appendfile
 295         initgroups = true
 296         USER_DELIVERY
 297
 298 maildir:
 299         driver = appendfile
 300         maildir_format = true
 301         initgroups = true
 302         USER_DELIVERY
 303
 304 pipe:
 305         driver = pipe
 306         path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
 307                 /usr/local/bin:/usr/local/sbin:\
 308                 /usr/bin:/usr/sbin:/bin:/sbin
 309         initgroups = true
 310         umask = 002
 311         return_fail_output = true
 312         log_output = true
 313
 314 ## A special dummy transport for use during address verification.
 315 dummy:
 316         driver = appendfile
 317         file = /dev/null
 318
 319 DIVERT(null)
 320 ###--------------------------------------------------------------------------
 321 ### Retry configuration.
 322
 323 SECTION(retry, default)m4_dnl
 324 ## Default.
 325 *                                       * \
 326         F,2h,15m; G,16h,2h,1.5; F,4d,6h
 327
 328 DIVERT(null)
 329 ###----- That's all, folks --------------------------------------------------