1 | ### -*-m4-*- |
2 | ### | |
3 | ### Basic settings for distorted.org.uk Exim configuration | |
4 | ### | |
5 | ### (c) 2012 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
25 | ### Global settings. | |
26 | ||
SECTION(global, priv)m4_dnl
## Let any user, not only Exim admin users, force a delivery or start a
## queue run (-M, -R, -q).  Exim's default is true; relaxed deliberately.
prod_requires_admin = false
29 | ||
SECTION(global, logging)m4_dnl
## Log through syslog.  The empty first item is Exim's way of keeping the
## default log files as well; confirm that is intended.
log_file_path = : syslog
## On top of the default selector, record the remote host's final 250
## response (smtp_confirmation) and the peer certificate DN when TLS is
## used (tls_peerdn); both help when tracing a message across hosts.
log_selector = \
  +smtp_confirmation \
  +tls_peerdn
## Include the timezone in Exim's own timestamps, let syslog add its own
## timestamp, and send a line that belongs to several Exim logs to syslog
## once rather than once per log.
log_timezone = true
syslog_duplication = false
syslog_timestamp = false
38 | ||
SECTION(global, daemon)m4_dnl
## Listen on the configured addresses and, in addition, on every IPv4 and
## IPv6 address.  The extra interfaces are not treated as "local" for
## routing purposes, but they do make the daemon reachable from anywhere,
## so relay control rests entirely on the rcpt ACL below.
local_interfaces = <; CONF_interfaces
extra_local_interfaces = <; 0.0.0.0 ; ::
42 | ||
SECTION(global, resource)m4_dnl
## Load shedding.  Stop queue runs above load 8, only queue (no immediate
## delivery) above load 12, and allow at most 16 concurrent inbound SMTP
## connections.  smtp_accept_queue is the connection count above which
## incoming messages are queued instead of delivered immediately.
## NOTE(review): 32 can never be exceeded with smtp_accept_max = 16, so
## that setting looks inert -- confirm which value was meant.
deliver_queue_load_max = 8
queue_only_load = 12
smtp_accept_max = 16
smtp_accept_queue = 32
## Keep the last 4 connection slots, and every slot once the load passes
## 10, for hosts in +trusted so our own machines still get through when
## the server is busy.
smtp_accept_reserve = 4
smtp_load_reserve = 10
smtp_reserve_hosts = +trusted
51 | ||
SECTION(global, policy)m4_dnl
## Do a reverse DNS lookup for every connecting host, so host names are
## available to the ACLs and the logs.
host_lookup = *
54 | ||
SECTION(global, users)m4_dnl
## Take a user's full name from the gecos field, up to the first comma
## or colon.
gecos_name = $1
gecos_pattern = ([^,:]*)
58 | ||
SECTION(global, incoming)m4_dnl
## Our own Received: header.  Besides the usual from/by/with/id/for
## clauses it records the TLS cipher and, for authenticated submissions,
## the authenticated_id.  Note that the latter discloses the submitting
## user's login name to every downstream recipient, and that the ident
## and HELO name are copied verbatim from what the client sent.
received_header_text = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
  {${if def:sender_ident \
  {from ${quote_local_part:$sender_ident} }}\
  ${if def:sender_helo_name \
  {(helo=$sender_helo_name)\n\t}}}}\
  by $primary_hostname \
  ${if def:received_protocol \
  {with $received_protocol \
  ${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
  (Exim $version_number)\n\t\
  ${if def:sender_address \
  {(envelope-from <$sender_address>\
  ${if def:authenticated_id \
  {; auth=$authenticated_id}})\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}
77 | ||
SECTION(global, smtp)m4_dnl
## Put the full reason for a verification failure into the SMTP error
## response; this tells remote clients more than Exim's default does.
smtp_return_error_details = true
## Advertise 8BITMIME.
accept_8bitmime = true
81 | ||
SECTION(global, process)m4_dnl
## With -t, addresses given on the command line are added to, not removed
## from, the recipients taken from the headers.
extract_addresses_remove_arguments = false
## Charset used when Exim rewrites or generates header lines.
headers_charset = utf-8
## Unqualified local addresses are qualified with the master domain.
qualify_domain = CONF_master_domain
86 | ||
SECTION(global, bounce)m4_dnl
## Send delay warnings to the sender after 1 hour, 1 day and 2 days.
delay_warning = 1h : 24h : 2d
89 | ||
DIVERT(null)
###--------------------------------------------------------------------------
### Access control lists.

SECTION(global, acl-after)
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
  ## The HELO name must verify against the connecting address.  This
  ## rejects the HELO command itself, and plenty of otherwise legitimate
  ## clients have HELO names that do not verify.
  ## NOTE(review): confirm an outright reject, rather than recording the
  ## result for a later decision, is intended.
  require message = The other one has bells on
          verify = helo

  accept
103 | ||
SECTION(global, acl)m4_dnl
acl_smtp_mail = mail
SECTION(acl, mail)m4_dnl
mail:

  ## Always allow the empty sender, so that we can receive bounces.
  ## (Such messages skip the sender verification below.)
  accept senders = :

  ## Ensure that the sender is routable.  This is important to prevent
  ## undeliverable bounces.  The verification failure detail is echoed
  ## back to the client in the rejection text.
  require message = Invalid sender; \
                    ($sender_verify_failure; $acl_verify_message)
          verify = sender

  ## If this is directly from a client then hack on it for a while.
  ## acl_c_mode is set once per connection by check_submission (connect
  ## ACL).  Submission control only fixes up headers; it grants no relay
  ## rights, which are decided in the rcpt ACL.
  warn condition = ${if eq{$acl_c_mode}{submission}}
       control = submission

SECTION(acl, mail-tail)m4_dnl
  ## And we're done.
  accept
125 | ||
SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
connect:
SECTION(acl, connect-tail)m4_dnl
  ## Classify the connection: check_submission always accepts, and is run
  ## only for its side effect of setting acl_c_mode, hence warn rather
  ## than accept here.
  warn acl = check_submission
  accept
133 | ||
check_submission:
  ## See whether this message needs hacking on.  A connection from outside
  ## the local network on a port other than the submission port is plain
  ## relay traffic; the set modifier only fires when both conditions hold.
  accept !hosts = +localnet
         !condition = ${if ={$received_port}{CONF_submission_port}}
         set acl_c_mode = relay

  ## Remember to apply submission controls.  Reached for any host on the
  ## submission port and for any local-network host on any port, whether
  ## or not it authenticates; the mode only drives the header fix-ups of
  ## control = submission in the mail ACL, never relaying.
  warn set acl_c_mode = submission

  ## Done.
  accept
145 | ||
SECTION(global, acl)m4_dnl
acl_smtp_rcpt = rcpt
SECTION(acl, rcpt)m4_dnl
rcpt:

  ## Reject if the client isn't allowed to relay and the recipient
  ## isn't in one of our known domains.  This is the whole relay policy:
  ## a recipient passes if the client is in CONF_relay_clients, or has
  ## authenticated, or the domain is in +known (defined elsewhere).  It
  ## does not depend on acl_c_mode.
  deny message = Relaying not permitted
       !hosts = CONF_relay_clients
       !authenticated = *
       !domains = +known

  ## Ensure that the recipient is routable.  The failure detail is echoed
  ## back to the client.
  require message = Invalid recipient \
                    ($recipient_verify_failure; $acl_verify_message)
          verify = recipient

SECTION(acl, rcpt-tail)m4_dnl
  ## Everything checks out OK: let this one go through.
  accept
166 | ||
SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
## No content checks here; other sections may add statements to the data
## ACL before the tail.
data:

SECTION(acl, data-tail)m4_dnl
  accept
174 | ||
SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
SECTION(acl)m4_dnl
## VRFY and EXPN reveal which addresses exist and what lists expand to,
## so only hosts in +trusted get an answer.
expn_vrfy:
  accept hosts = +trusted
  deny message = Suck it and see
182 | ||
DIVERT(null)
###--------------------------------------------------------------------------
### Common options for forwarding routers.

## We're pretty permissive here.  Forward files and filters are used
## whatever their owner and group, and may be group-writable (modemask
## 002 forbids only world-write); Exim filters may defer, fail and
## blackhole.  check_ancestor guards against a redirection that loops back
## to an address it was generated from.
m4_define(<:FILTER_BASE:>,
<:driver = redirect
  modemask = 002
  check_owner = false
  check_group = false
  allow_filter = true
  allow_defer = true
  allow_fail = true
  forbid_blackhole = false
  check_ancestor = true:>)
198 | ||
## Common options for forwarding routers at verification time.  While an
## address is only being verified (sender/recipient verify in the ACLs)
## nothing a user's filter says may have side effects: the router runs as
## CONF_filter_user rather than the addressee, the filter commands that
## run programs, call Perl, read sockets, load code or write logs are
## forbidden, and every delivery-producing action is pointed at the dummy
## transport (a sink to /dev/null, defined below).
m4_define(<:FILTER_VERIFY:>,
<:verify_only = true
  user = CONF_filter_user
  forbid_filter_dlfunc = true
  forbid_filter_logwrite = true
  forbid_filter_perl = true
  forbid_filter_readsocket = true
  forbid_filter_run = true
  file_transport = dummy
  directory_transport = dummy
  pipe_transport = dummy
  reply_transport = dummy:>)
212 | ||
## Transports for redirection filters (real deliveries, as opposed to the
## dummy ones used by FILTER_VERIFY): mailbox files, maildirs, pipes and
## autoreplies, all defined below.
m4_define(<:FILTER_TRANSPORTS:>,
<:file_transport = mailbox
  directory_transport = maildir
  pipe_transport = pipe
  reply_transport = reply:>)
219 | ||
DIVERT(null)
###--------------------------------------------------------------------------
### Some standard transports.

## Headers added on final local delivery: Delivery-date:, Envelope-to:
## and Return-path:.
m4_define(<:USER_DELIVERY:>,
<:delivery_date_add = true
  envelope_to_add = true
  return_path_add = true:>)
228 | ||
SECTION(transports)m4_dnl
## A standard transport for remote delivery.  Try to do TLS, and don't worry
## too much if it's not very secure: the alternative is sending in plaintext
## anyway.  So this is opportunistic only: no certificate verification, a
## 1020-bit DH floor, and tls_tempfail_tryclear retries in clear after a
## failed TLS attempt -- an on-path attacker can force that downgrade,
## which is the trade-off accepted here.
smtp:
  driver = smtp
  tls_require_ciphers = CONF_acceptable_ciphers
  tls_dh_min_bits = 1020
  tls_tempfail_tryclear = true
238 | ||
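## Transport to a local SMTP server; use TLS and perform client
## authentication.  TLS is mandatory for every host, we present our own
## client certificate, the peer's certificate is checked against our CA,
## and there is no fallback to cleartext.
## NOTE(review): on Exim 4.82 and later, whether a failed verification
## aborts the session is governed by tls_verify_hosts and
## tls_try_verify_hosts, neither of which is set here -- confirm the
## behaviour on the installed version.
smtp_local:
  driver = smtp
  hosts_require_tls = *
  tls_certificate = CONF_sysconf_dir/client.cert
  tls_privatekey = CONF_sysconf_dir/client.key
  tls_verify_certificates = CONF_ca_dir/ca.cert
  tls_require_ciphers = CONF_good_ciphers
  tls_dh_min_bits = 3070
  tls_tempfail_tryclear = false
  ## Pass the submitter's identity on as the AUTH= parameter, and force
  ## the expansion to fail (so no AUTH= is sent) when nobody authenticated.
  ## The "yes" branch of an ${if ...} has to be a braced string: the
  ## earlier spelling, ${authenticated_id@...}, is read by Exim as an
  ## unknown expansion item, i.e. a hard expansion error on every delivery
  ## through this transport rather than the intended forced failure.
  authenticated_sender = ${if def:authenticated_id \
                             {$authenticated_id@CONF_master_domain} \
                             fail}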
253 | ||
## A standard transport for local delivery.  The file name is built from
## the local part, so this relies on the router feeding it having already
## restricted local parts to real accounts (e.g. with check_local_user);
## that router is not in this file -- confirm.
deliver:
  driver = appendfile
  file = /var/mail/$local_part
  USER_DELIVERY
259 | ||
## Transports for user filters.  Plain mailbox file: the file name comes
## from the filter's save command, not from here.
mailbox:
  driver = appendfile
  USER_DELIVERY
264 | ||
## Maildir delivery for filters; the directory comes from the filter.
maildir:
  driver = appendfile
  maildir_format = true
  USER_DELIVERY
269 | ||
## Pipe delivery for filters.  Any output the command produces is returned
## to the sender as a bounce and the delivery counts as failed.
pipe:
  driver = pipe
  return_output = true
273 | ||
## A special dummy transport for use during address verification: every
## delivery-producing filter action is sent here (see FILTER_VERIFY) and
## lands in /dev/null.
dummy:
  driver = appendfile
  file = /dev/null
278 | ||
DIVERT(null)
###--------------------------------------------------------------------------
### Retry configuration.

SECTION(retry, default)m4_dnl
## Default.  Applies to every address and every kind of error: retry every
## 15 minutes for the first 2 hours, then at intervals growing by 1.5 from
## 2 hours until 16 hours have passed, then every 6 hours; give up after
## 4 days.
* * \
  F,2h,15m; G,16h,2h,1.5; F,4d,6h
287 | ||
288 | DIVERT(null) | |
289 | ###----- That's all, folks -------------------------------------------------- |