[exim-config] / base.m4

### -*-m4-*-
###
### Basic settings for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Global settings.

SECTION(global, priv)m4_dnl
admin_groups = CONF_admin_groups
prod_requires_admin = false

SECTION(global, logging)m4_dnl
log_file_path = : syslog
log_selector = \
	+smtp_confirmation \
	+tls_peerdn
log_timezone = true
syslog_duplication = false
syslog_timestamp = false

SECTION(global, daemon)m4_dnl
local_interfaces = <; CONF_interfaces
extra_local_interfaces = <; 0.0.0.0 ; ::

SECTION(global, resource)m4_dnl
deliver_queue_load_max = 8
queue_only_load = 12
smtp_accept_max = 16
smtp_accept_queue = 32
smtp_accept_reserve = 4
smtp_load_reserve = 10
smtp_reserve_hosts = +trusted

SECTION(global, policy)m4_dnl
host_lookup = *

SECTION(global, users)m4_dnl
gecos_name = $1
gecos_pattern = ([^,:]*)

SECTION(global, incoming)m4_dnl
received_header_text = Received: \
	${if def:sender_rcvhost \
	     {from $sender_rcvhost\
	      ${if def:sender_helo_name \
		   { (helo=$sender_helo_name)}}\n\t} \
	     {${if def:sender_ident \
		   {from ${quote_local_part:$sender_ident} }}}}\
	by $primary_hostname \
	(Exim $version_number)\
	${if def:tls_cipher {\n\t} { }}\
	${if def:received_protocol \
	     {with $received_protocol \
	      ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
	${if def:sender_address \
	     {(envelope-from $sender_address\
	      ${if def:authenticated_id \
		   {; auth=$authenticated_id}})\n\t}}\
	id $message_exim_id\
	${if def:received_for {\n\tfor $received_for}}

SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true

SECTION(global, process)m4_dnl
extract_addresses_remove_arguments = false
headers_charset = utf-8
qualify_domain = CONF_master_domain

SECTION(global, bounce)m4_dnl
delay_warning = 1h : 24h : 2d

DIVERT(null)
###--------------------------------------------------------------------------
### Access control lists.

SECTION(global, acl-after)
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
	## Check that the caller's claimed identity is actually plausible.
	## This seems like it's a fairly effective filter on spamminess, but
	## it's too blunt a tool.  Rather than reject, add a warning header.
	## Only we can't do this the easy way, so save it up for use in MAIL.
	## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
	## and we should only care about the most recent one.
	warn	 set acl_c_helo_warning = false
		!condition = \
			${if exists {CONF_sysconf_dir/helo.conf} \
			     {${lookup {$sender_helo_name} \
				       partial0-lsearch \
				       {CONF_sysconf_dir/helo.conf} \
				       {${if match_ip \
					     {$sender_host_address} \
					     {$value}}}}}}
		!verify = helo
		 set acl_c_helo_warning = true

	accept

SECTION(global, acl)m4_dnl
acl_not_smtp_start = not_smtp_start
SECTION(acl, misc)m4_dnl
not_smtp_start:
	## Record the user's name.
	warn	 set acl_c_user = $sender_ident

	## Done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_mail = mail
SECTION(acl, mail)m4_dnl
mail:

	## If we stashed a warning header about HELO from earlier, we should
	## add it now.
	warn	 condition = $acl_c_helo_warning
		 add_header = :after_received:X-Distorted-Warning: \
			BADHELO \
			Client's HELO doesn't match its IP address.\n\t\
			HELO name=$sender_helo_name, \
			address=$sender_host_address

	## Always allow the empty sender, so that we can receive bounces.
	accept	 senders = :

	## Ensure that the sender is routable.  This is important to prevent
	## undeliverable bounces.
	require	 message = Invalid sender; \
			($sender_verify_failure; $acl_verify_message)
		 verify = sender

	## If this is directly from a client then hack on it for a while.
	warn	 condition = ${if eq{$acl_c_mode}{submission}}
		 control = submission

	## Insist that a local client connect through TLS.
	deny	 message = Hosts within CONF_master_domain must use TLS
		!condition = ${if eq{$acl_c_mode}{submission}}
		 hosts = +allnets
		!encrypted = *

	## Check that a submitted message's sender address is allowable.
	require	 acl = mail_check_auth

SECTION(acl, mail-tail)m4_dnl
	## And we're done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
connect:
SECTION(acl, connect-tail)m4_dnl
	## Configure variables according to the submission mode.
	warn	 acl = check_submission

	## Done.
	accept

check_submission:
	## See whether this message needs hacking on.
	accept	!hosts = +localnet
		!condition = ${if ={$received_port}{CONF_submission_port}}
		 set acl_c_mode = relay

	## Remember to apply submission controls.
	warn	 set acl_c_mode = submission

	## Done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_rcpt = rcpt
SECTION(acl, rcpt)m4_dnl
rcpt:

	## Reject if the client isn't allowed to relay and the recipient
	## isn't in one of our known domains.
	deny	 message = Relaying not permitted
		!hosts = CONF_relay_clients
		!authenticated = *
		!domains = +known

	## Ensure that the recipient is routable.
	require	 message = Invalid recipient \
			($recipient_verify_failure; $acl_verify_message)
		 verify = recipient

SECTION(acl, rcpt-tail)m4_dnl
	## Everything checks out OK: let this one go through.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:

SECTION(acl, data-tail)m4_dnl
	accept

SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
SECTION(acl)m4_dnl
expn_vrfy:
	accept	 hosts = +trusted
	deny	 message = Suck it and see

DIVERT(null)
###--------------------------------------------------------------------------
### Verification of sender address.

SECTION(acl, misc)m4_dnl
mail_check_auth:

	## If this isn't a submission then it doesn't need checking.
	accept	 condition = ${if !eq{$acl_c_mode}{submission}}

	## If the caller hasn't formally authenticated, but this is a
	## loopback connection, then we can trust identd to tell us the right
	## answer.  So we should stash the right name somewhere consistent.
	warn	 set acl_c_user = $authenticated_id
		 hosts = +localnet
		!authenticated = *
		 set acl_c_user = $sender_ident

	## User must be authenticated.
	deny	 message = Sender not authenticated
		!hosts = +localnet
		!authenticated = *

	## Make sure that the local part is one that the authenticated sender
	## is allowed to claim.
	deny	 message = Sender address forbidden to calling user
		!condition = ${LOOKUP_DOMAIN($sender_address_domain,
			       {${if and {{match_local_part \
					    {$acl_c_user} \
					    {+dom_users}} \
					  {match_local_part \
					    {$sender_address_local_part} \
					    {+dom_locals}}}}},
			       {${if and {{match_local_part \
					    {$sender_address_local_part} \
					    {+user_extaddr}} \
					  {or {{eq {$sender_address_domain} \
						   {}} \
					       {match_domain \
						 {$sender_address_domain} \
						 {+public}}}}}}})}

	## All done.
	accept

DIVERT(null)
###--------------------------------------------------------------------------
### Common options for forwarding routers.

## We're pretty permissive here.
m4_define(<:FILTER_BASE:>,
	<:driver = redirect
	modemask = 002
	check_owner = false
	check_group = false
	allow_filter = true
	allow_defer = true
	allow_fail = true
	forbid_blackhole = false
	check_ancestor = true:>)

## Common options for forwarding routers at verification time.
m4_define(<:FILTER_VERIFY:>,
	<:verify_only = true
	user = CONF_filter_user
	forbid_filter_dlfunc = true
	forbid_filter_logwrite = true
	forbid_filter_perl = true
	forbid_filter_readsocket = true
	forbid_filter_run = true
	file_transport = dummy
	directory_transport = dummy
	pipe_transport = dummy
	reply_transport = dummy:>)

## Transports for redirection filters.
m4_define(<:FILTER_TRANSPORTS:>,
	<:file_transport = mailbox
	directory_transport = maildir
	pipe_transport = pipe
	reply_transport = reply:>)

m4_define(<:FILTER_ROUTER:>,
<:$1_vrf:
	$2
	FILTER_VERIFY<::>$3
$1:
	$2
	verify = no
	FILTER_TRANSPORTS<::>$4:>)

DIVERT(null)
###--------------------------------------------------------------------------
### Some standard transports.

m4_define(<:USER_DELIVERY:>,
	<:delivery_date_add = true
	envelope_to_add = true
	return_path_add = true:>)

SECTION(transports)m4_dnl
## A standard transport for remote delivery.  Try to do TLS, and don't worry
## too much if it's not very secure: the alternative is sending in plaintext
## anyway.
smtp:
	driver = smtp
	tls_require_ciphers = CONF_acceptable_ciphers
	tls_dh_min_bits = 1020
	tls_tempfail_tryclear = true

## Transport to a local SMTP server; use TLS and perform client
## authentication.
smtp_local:
	driver = smtp
	hosts_require_tls = *
	tls_certificate = CONF_sysconf_dir/client.cert
	tls_privatekey = CONF_sysconf_dir/client.key
	tls_verify_certificates = CONF_ca_dir/ca.cert
	tls_require_ciphers = CONF_good_ciphers
	tls_dh_min_bits = 2046
	tls_tempfail_tryclear = false
	authenticated_sender = ${if def:authenticated_id \
				    {$authenticated_id@CONF_master_domain} \
				    fail}

## A standard transport for local delivery.
deliver:
	driver = appendfile
	file = /var/mail/$local_part
	group = mail
	mode = 0600
	mode_fail_narrower = false
	USER_DELIVERY

## Transports for user filters.
mailbox:
	driver = appendfile
	initgroups = true
	USER_DELIVERY

maildir:
	driver = appendfile
	maildir_format = true
	initgroups = true
	USER_DELIVERY

pipe:
	driver = pipe
	path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
		/usr/local/bin:/usr/local/sbin:\
		/usr/bin:/usr/sbin:/bin:/sbin
	initgroups = true
	umask = 002
	return_fail_output = true
	log_output = true

## A special dummy transport for use during address verification.
dummy:
	driver = appendfile
	file = /dev/null

DIVERT(null)
###--------------------------------------------------------------------------
### Retry configuration.

SECTION(retry, default)m4_dnl
## Default.
*					* \
	F,2h,15m; G,16h,2h,1.5; F,4d,6h

DIVERT(null)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Basic settings for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Global settings.
	26
	27	SECTION(global, priv)m4_dnl
b1d083dd	28	admin_groups = CONF_admin_groups
185b5456 MW	29	prod_requires_admin = false
	30
	31	SECTION(global, logging)m4_dnl
	32	log_file_path = : syslog
	33	log_selector = \
	34	+smtp_confirmation \
	35	+tls_peerdn
	36	log_timezone = true
	37	syslog_duplication = false
	38	syslog_timestamp = false
	39
	40	SECTION(global, daemon)m4_dnl
	41	local_interfaces = <; CONF_interfaces
	42	extra_local_interfaces = <; 0.0.0.0 ; ::
	43
	44	SECTION(global, resource)m4_dnl
	45	deliver_queue_load_max = 8
	46	queue_only_load = 12
	47	smtp_accept_max = 16
	48	smtp_accept_queue = 32
	49	smtp_accept_reserve = 4
	50	smtp_load_reserve = 10
	51	smtp_reserve_hosts = +trusted
	52
	53	SECTION(global, policy)m4_dnl
	54	host_lookup = *
	55
	56	SECTION(global, users)m4_dnl
	57	gecos_name = $1
	58	gecos_pattern = ([^,:]*)
	59
	60	SECTION(global, incoming)m4_dnl
	61	received_header_text = Received: \
2cf9db84 MW	62	${if def:sender_rcvhost \
2cf9db84 MW	63	{from $sender_rcvhost\
185b5456	64	${if def:sender_helo_name \
2cf9db84 MW	65	{ (helo=$sender_helo_name)}}\n\t} \
	66	{${if def:sender_ident \
	67	{from ${quote_local_part:$sender_ident} }}}}\
185b5456	68	by $primary_hostname \
b92689d6 MW	69	(Exim $version_number)\
b92689d6 MW	70	${if def:tls_cipher {\n\t} { }}\
185b5456 MW	71	${if def:received_protocol \
185b5456 MW	72	{with $received_protocol \
b92689d6	73	${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
185b5456	74	${if def:sender_address \
43e6fc69	75	{(envelope-from $sender_address\
185b5456 MW	76	${if def:authenticated_id \
	77	{; auth=$authenticated_id}})\n\t}}\
	78	id $message_exim_id\
	79	${if def:received_for {\n\tfor $received_for}}
	80
	81	SECTION(global, smtp)m4_dnl
	82	smtp_return_error_details = true
	83	accept_8bitmime = true
	84
	85	SECTION(global, process)m4_dnl
	86	extract_addresses_remove_arguments = false
	87	headers_charset = utf-8
	88	qualify_domain = CONF_master_domain
	89
	90	SECTION(global, bounce)m4_dnl
	91	delay_warning = 1h : 24h : 2d
	92
	93	DIVERT(null)
	94	###--------------------------------------------------------------------------
	95	### Access control lists.
	96
	97	SECTION(global, acl-after)
	98	SECTION(global, acl)m4_dnl
	99	acl_smtp_helo = helo
	100	SECTION(acl, misc)m4_dnl
	101	helo:
fe8f2338 MW	102	## Check that the caller's claimed identity is actually plausible.
	103	## This seems like it's a fairly effective filter on spamminess, but
	104	## it's too blunt a tool. Rather than reject, add a warning header.
	105	## Only we can't do this the easy way, so save it up for use in MAIL.
	106	## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
	107	## and we should only care about the most recent one.
	108	warn set acl_c_helo_warning = false
	109	!condition = \
	110	${if exists {CONF_sysconf_dir/helo.conf} \
	111	{${lookup {$sender_helo_name} \
	112	partial0-lsearch \
	113	{CONF_sysconf_dir/helo.conf} \
	114	{${if match_ip \
	115	{$sender_host_address} \
	116	{$value}}}}}}
	117	!verify = helo
	118	set acl_c_helo_warning = true
185b5456 MW	119
	120	accept
	121
	122	SECTION(global, acl)m4_dnl
284c9d7e MW	123	acl_not_smtp_start = not_smtp_start
	124	SECTION(acl, misc)m4_dnl
	125	not_smtp_start:
	126	## Record the user's name.
	127	warn set acl_c_user = $sender_ident
	128
	129	## Done.
	130	accept
	131
	132	SECTION(global, acl)m4_dnl
185b5456 MW	133	acl_smtp_mail = mail
	134	SECTION(acl, mail)m4_dnl
	135	mail:
	136
fe8f2338 MW	137	## If we stashed a warning header about HELO from earlier, we should
	138	## add it now.
	139	warn condition = $acl_c_helo_warning
	140	add_header = :after_received:X-Distorted-Warning: \
	141	BADHELO \
	142	Client's HELO doesn't match its IP address.\n\t\
d70f6d53 MW	143	HELO name=$sender_helo_name, \
d70f6d53 MW	144	address=$sender_host_address
fe8f2338	145
185b5456 MW	146	## Always allow the empty sender, so that we can receive bounces.
	147	accept senders = :
	148
	149	## Ensure that the sender is routable. This is important to prevent
	150	## undeliverable bounces.
	151	require message = Invalid sender; \
	152	($sender_verify_failure; $acl_verify_message)
	153	verify = sender
	154
	155	## If this is directly from a client then hack on it for a while.
	156	warn condition = ${if eq{$acl_c_mode}{submission}}
	157	control = submission
	158
284c9d7e MW	159	## Insist that a local client connect through TLS.
	160	deny message = Hosts within CONF_master_domain must use TLS
	161	!condition = ${if eq{$acl_c_mode}{submission}}
	162	hosts = +allnets
	163	!encrypted = *
	164
	165	## Check that a submitted message's sender address is allowable.
	166	require acl = mail_check_auth
	167
185b5456 MW	168	SECTION(acl, mail-tail)m4_dnl
	169	## And we're done.
	170	accept
	171
	172	SECTION(global, acl)m4_dnl
	173	acl_smtp_connect = connect
	174	SECTION(acl, connect)m4_dnl
	175	connect:
	176	SECTION(acl, connect-tail)m4_dnl
e12c9586	177	## Configure variables according to the submission mode.
185b5456	178	warn acl = check_submission
e12c9586 MW	179
e12c9586 MW	180	## Done.
185b5456 MW	181	accept
	182
	183	check_submission:
	184	## See whether this message needs hacking on.
	185	accept !hosts = +localnet
	186	!condition = ${if ={$received_port}{CONF_submission_port}}
	187	set acl_c_mode = relay
	188
	189	## Remember to apply submission controls.
	190	warn set acl_c_mode = submission
	191
	192	## Done.
	193	accept
	194
	195	SECTION(global, acl)m4_dnl
	196	acl_smtp_rcpt = rcpt
	197	SECTION(acl, rcpt)m4_dnl
	198	rcpt:
	199
	200	## Reject if the client isn't allowed to relay and the recipient
	201	## isn't in one of our known domains.
	202	deny message = Relaying not permitted
	203	!hosts = CONF_relay_clients
	204	!authenticated = *
	205	!domains = +known
	206
	207	## Ensure that the recipient is routable.
	208	require message = Invalid recipient \
	209	($recipient_verify_failure; $acl_verify_message)
	210	verify = recipient
	211
	212	SECTION(acl, rcpt-tail)m4_dnl
	213	## Everything checks out OK: let this one go through.
	214	accept
	215
	216	SECTION(global, acl)m4_dnl
	217	acl_smtp_data = data
	218	SECTION(acl, data)m4_dnl
	219	data:
	220
	221	SECTION(acl, data-tail)m4_dnl
	222	accept
	223
	224	SECTION(global, acl)m4_dnl
	225	acl_smtp_expn = expn_vrfy
	226	acl_smtp_vrfy = expn_vrfy
	227	SECTION(acl)m4_dnl
	228	expn_vrfy:
	229	accept hosts = +trusted
	230	deny message = Suck it and see
	231
	232	DIVERT(null)
	233	###--------------------------------------------------------------------------
284c9d7e MW	234	### Verification of sender address.
	235
	236	SECTION(acl, misc)m4_dnl
	237	mail_check_auth:
	238
	239	## If this isn't a submission then it doesn't need checking.
	240	accept condition = ${if !eq{$acl_c_mode}{submission}}
	241
	242	## If the caller hasn't formally authenticated, but this is a
	243	## loopback connection, then we can trust identd to tell us the right
	244	## answer. So we should stash the right name somewhere consistent.
	245	warn set acl_c_user = $authenticated_id
	246	hosts = +localnet
	247	!authenticated = *
	248	set acl_c_user = $sender_ident
	249
	250	## User must be authenticated.
	251	deny message = Sender not authenticated
	252	!hosts = +localnet
	253	!authenticated = *
	254
	255	## Make sure that the local part is one that the authenticated sender
	256	## is allowed to claim.
	257	deny message = Sender address forbidden to calling user
	258	!condition = ${LOOKUP_DOMAIN($sender_address_domain,
	259	{${if and {{match_local_part \
	260	{$acl_c_user} \
	261	{+dom_users}} \
	262	{match_local_part \
	263	{$sender_address_local_part} \
	264	{+dom_locals}}}}},
	265	{${if and {{match_local_part \
	266	{$sender_address_local_part} \
	267	{+user_extaddr}} \
	268	{or {{eq {$sender_address_domain} \
	269	{}} \
	270	{match_domain \
	271	{$sender_address_domain} \
	272	{+public}}}}}}})}
	273
	274	## All done.
	275	accept
	276
	277	DIVERT(null)
	278	###--------------------------------------------------------------------------
185b5456 MW	279	### Common options for forwarding routers.
	280
	281	## We're pretty permissive here.
	282	m4_define(<:FILTER_BASE:>,
	283	<:driver = redirect
	284	modemask = 002
	285	check_owner = false
	286	check_group = false
	287	allow_filter = true
	288	allow_defer = true
	289	allow_fail = true
	290	forbid_blackhole = false
	291	check_ancestor = true:>)
	292
	293	## Common options for forwarding routers at verification time.
	294	m4_define(<:FILTER_VERIFY:>,
	295	<:verify_only = true
	296	user = CONF_filter_user
	297	forbid_filter_dlfunc = true
	298	forbid_filter_logwrite = true
	299	forbid_filter_perl = true
	300	forbid_filter_readsocket = true
	301	forbid_filter_run = true
	302	file_transport = dummy
	303	directory_transport = dummy
	304	pipe_transport = dummy
	305	reply_transport = dummy:>)
	306
	307	## Transports for redirection filters.
	308	m4_define(<:FILTER_TRANSPORTS:>,
7ab75d6f	309	<:file_transport = mailbox
185b5456 MW	310	directory_transport = maildir
	311	pipe_transport = pipe
	312	reply_transport = reply:>)
	313
7ab75d6f MW	314	m4_define(<:FILTER_ROUTER:>,
	315	<:$1_vrf:
	316	$2
	317	FILTER_VERIFY<::>$3
	318	$1:
	319	$2
	320	verify = no
	321	FILTER_TRANSPORTS<::>$4:>)
	322
185b5456 MW	323	DIVERT(null)
	324	###--------------------------------------------------------------------------
	325	### Some standard transports.
	326
	327	m4_define(<:USER_DELIVERY:>,
	328	<:delivery_date_add = true
	329	envelope_to_add = true
	330	return_path_add = true:>)
	331
	332	SECTION(transports)m4_dnl
	333	## A standard transport for remote delivery. Try to do TLS, and don't worry
	334	## too much if it's not very secure: the alternative is sending in plaintext
	335	## anyway.
	336	smtp:
	337	driver = smtp
	338	tls_require_ciphers = CONF_acceptable_ciphers
	339	tls_dh_min_bits = 1020
	340	tls_tempfail_tryclear = true
	341
	342	## Transport to a local SMTP server; use TLS and perform client
	343	## authentication.
	344	smtp_local:
	345	driver = smtp
	346	hosts_require_tls = *
	347	tls_certificate = CONF_sysconf_dir/client.cert
	348	tls_privatekey = CONF_sysconf_dir/client.key
	349	tls_verify_certificates = CONF_ca_dir/ca.cert
	350	tls_require_ciphers = CONF_good_ciphers
b6d74252	351	tls_dh_min_bits = 2046
185b5456 MW	352	tls_tempfail_tryclear = false
185b5456 MW	353	authenticated_sender = ${if def:authenticated_id \
0bed9b7f	354	{$authenticated_id@CONF_master_domain} \
185b5456 MW	355	fail}
	356
	357	## A standard transport for local delivery.
	358	deliver:
	359	driver = appendfile
	360	file = /var/mail/$local_part
8f6af4ae MW	361	group = mail
	362	mode = 0600
	363	mode_fail_narrower = false
185b5456 MW	364	USER_DELIVERY
	365
	366	## Transports for user filters.
	367	mailbox:
	368	driver = appendfile
8f6af4ae	369	initgroups = true
185b5456 MW	370	USER_DELIVERY
	371
	372	maildir:
	373	driver = appendfile
	374	maildir_format = true
8f6af4ae	375	initgroups = true
185b5456 MW	376	USER_DELIVERY
	377
	378	pipe:
	379	driver = pipe
8f6af4ae MW	380	path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
	381	/usr/local/bin:/usr/local/sbin:\
	382	/usr/bin:/usr/sbin:/bin:/sbin
	383	initgroups = true
	384	umask = 002
	385	return_fail_output = true
	386	log_output = true
185b5456 MW	387
	388	## A special dummy transport for use during address verification.
	389	dummy:
	390	driver = appendfile
	391	file = /dev/null
	392
	393	DIVERT(null)
	394	###--------------------------------------------------------------------------
	395	### Retry configuration.
	396
	397	SECTION(retry, default)m4_dnl
	398	## Default.
	399	* * \
	400	F,2h,15m; G,16h,2h,1.5; F,4d,6h
	401
	402	DIVERT(null)
	403	###----- That's all, folks --------------------------------------------------