chiark - git - mdw - exim-config/blob - config.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Basic configuration settings for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ## Master domain name.
  25 DEFCONF(master_domain, distorted.org.uk)
  26
  27 ## List of home-system mail domain names.  This can be empty if we only
  28 ## provide service for special-purpose domains.
  29 DEFCONF(sysdomains, CONF_master_domain)
  30
  31 ## The magic token for local header names.
  32 DEFCONF(header_token, Distorted)
  33
  34 ## The smarthost for satellite hosts.
  35 DEFCONF(smarthost, mail.distorted.org.uk)
  36
  37 ## The user who runs verification filters.
  38 DEFCONF(filter_user, Debian-exim)
  39
  40 ## Administrative groups.
  41 DEFCONF(admin_groups, root : adm)
  42 DEFCONF(trusted_groups, root : adm)
  43
  44 ## Where the spam filter is.
  45 DEFCONF(spamd_address, 172.29.199.8)
  46 DEFCONF(spamd_port, 783)
  47
  48 ## Default spam limit for incoming mail (multiplied by ten).
  49 DEFCONF(spam_max, 50)
  50
  51 ## Userv stuff for debugging.
  52 DEFCONF(userv_opts, )
  53
  54 ## Which interfaces to listen on.  Exim checks for the literal string `::0'
  55 ## when setting things up: don't use `::', or we'll be tripped up by Linux's
  56 ## demented non-`IPV6_V6ONLY' behaviour.
  57 DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
  58                               0.0.0.0 ; ::0))
  59
  60 ## Main and submission port numbers.  (This is sometimes tweaked for
  61 ## testing.)
  62 DEFCONF(smtp_port, 25)
  63 DEFCONF(submission_port, 587)
  64
  65 ## Locations of other configuration files.
  66 DEFCONF(sysconf_dir, /etc/mail)
  67 DEFCONF(userconf_dir, $home/.mail)
  68 DEFCONF(alias_file, /etc/aliases)
  69 DEFCONF(ca_dir, /etc/ca)
  70 DEFCONF(dkim_keys_dir, /var/lib/dkim-keys)
  71
  72 ## User address suffix handling.
  73 DEFCONF(user_suffix_list, +* : -*)
  74 DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})
  75
  76 ## Other hosts allowed to relay mail through us.
  77 DEFCONF(relay_clients, <m4_dnl
  78 ; +trusted m4_dnl
  79 ; 172.31.80.8 m4_dnl chiark (VPN)
  80 ; 172.29.198.161 ; 2001:8b0:c92:a000::1:1 m4_dnl national
  81 )
  82
  83 ## DKIM headers list.
  84 ## Surprise!  Internal whitespace isn't allowed here.
  85 DEFCONF(dkim_headers, m4_dnl
  86 References : In-Reply-To : Subject : To : Date : Message-ID : m4_dnl
  87 From : Sender : Reply-To : Cc : m4_dnl
  88 Content-Transfer-Encoding : Content-Type : MIME-Version : m4_dnl
  89 Content-ID : Content-Description m4_dnl
  90 )
  91
  92 ## TLS certificate list.
  93 DEFCONF(certlist,
  94 <:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
  95 <:CONF_sysconf_dir/server.certlist:>,
  96 <:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
  97                         {${if match_ip{$sender_host_address}{+trusted} \
  98                                       {server}{letsencrypt}}}}.certlist:>):>)
  99
 100 ## TLS-related settings.  We're assuming GNUTLS here, rather than OpenSSL.
 101 ## For local connections we are very strict.  For random clients, we try
 102 ## fairly hard to encourage any kind of crypto on the grounds that probably
 103 ## nobody can verify our certificate anyway.
 104 DEFCONF(good_ciphers, NONE<::>m4_dnl
 105 :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
 106 :+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
 107 :+CHACHA20-POLY1305<::>m4_dnl
 108 :+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
 109 :+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
 110 :+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
 111 :+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
 112 :+SIGN-DSA-SHA256<::>m4_dnl
 113 :+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
 114 :+CTYPE-X.509<::>m4_dnl
 115 :+COMP-NULL<::>m4_dnl
 116 )
 117 DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
 118 :+VERS-TLS-ALL<::>m4_dnl
 119 :+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
 120 :+KX-ALL<::>m4_dnl
 121 :+SIGN-ALL<::>m4_dnl
 122 :+CTYPE-ALL<::>m4_dnl
 123 :+CHACHA20-POLY1305<::>m4_dnl
 124 :+AES-256-GCM:+AES-128-GCM<::>m4_dnl
 125 :+CIPHER-ALL<::>m4_dnl
 126 :+CURVE-X25519<::>m4_dnl
 127 :+CURVE-ALL<::>m4_dnl
 128 :+AEAD<::>m4_dnl
 129 :+MAC-ALL<::>m4_dnl
 130 :+COMP-NULL<::>m4_dnl
 131 :-MD5<::>m4_dnl
 132 )
 133
 134 ###----- That's all, folks --------------------------------------------------