[exim-config] / base.m4

### -*-m4-*-
###
### Basic settings for distorted.org.uk Exim configuration
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Global settings.

SECTION(global, priv)m4_dnl
admin_groups = CONF_admin_groups
trusted_groups = CONF_trusted_groups
prod_requires_admin = false

SECTION(global, logging)m4_dnl
log_file_path = : syslog
log_selector = \
	+smtp_confirmation \
	+tls_peerdn
log_timezone = true
syslog_duplication = false
syslog_timestamp = false

SECTION(global, daemon)m4_dnl
local_interfaces = <; CONF_interfaces
extra_local_interfaces = <; 0.0.0.0 ; ::0

SECTION(global, resource)m4_dnl
deliver_queue_load_max = 8
message_size_limit = 500M
queue_only_load = 12
smtp_accept_max = 16
smtp_accept_queue = 32
smtp_accept_reserve = 4
smtp_load_reserve = 10
smtp_reserve_hosts = +trusted

SECTION(global, policy)m4_dnl
host_lookup = *

SECTION(global, users)m4_dnl
gecos_name = $1
gecos_pattern = ([^,:]*)

SECTION(global, incoming)m4_dnl
rfc1413_hosts = *
rfc1413_query_timeout = 10s
received_header_text = Received: \
	${if def:sender_rcvhost \
	     {from $sender_rcvhost\n\t} \
	     {${if def:sender_ident \
		   {from ${quote_local_part:$sender_ident} }}}}\
	by $primary_hostname \
	(Exim $version_number)\
	${if def:tls_cipher {\n\t} { }}\
	${if def:received_protocol \
	     {with $received_protocol \
	      ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
	${if def:sender_address \
	     {(envelope-from $sender_address\
	      ${if def:authenticated_id \
		   {; auth=${quote_local_part:$authenticated_id}} \
		   {${if and {{def:authenticated_sender} \
			      {match_address{$authenticated_sender} \
					    {*@CONF_master_domain}}} \
			 {; auth=${quote_local_part:\
				    ${local_part:\
				      $authenticated_sender}}}}}})\n\t}}\
	id $message_exim_id\
	${if def:received_for {\n\tfor $received_for}}

SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true
chunking_advertise_hosts =

SECTION(global, env)m4_dnl
keep_environment =

SECTION(global, process)m4_dnl
extract_addresses_remove_arguments = false
headers_charset = utf-8
qualify_domain = CONF_master_domain
untrusted_set_sender = *
local_from_check = false
local_sender_retain = true

SECTION(global, bounce)m4_dnl
delay_warning = 1h : 24h : 2d

SECTION(global, tls)m4_dnl
tls_certificate = CONF_certlist
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
			       {match_ip {$sender_host_address}{+trusted}}} \
			   {CONF_good_ciphers} \
			   {CONF_acceptable_ciphers}}
tls_verify_certificates = CONF_ca_dir/ca.cert
tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}

DIVERT(null)
###--------------------------------------------------------------------------
### Access control lists.

SECTION(global, acl-after)
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
	## Don't worry if this is local submission.  MUAs won't necessarily
	## have a clear idea of their hostnames.  (For some reason.)
	accept	 condition = ${if !eq{$acl_c_mode}{submission}}

	## Check that the caller's claimed identity is actually plausible.
	## This seems like it's a fairly effective filter on spamminess, but
	## it's too blunt a tool.  Rather than reject, add a warning header.
	## Only we can't do this the easy way, so save it up for use in MAIL.
	## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
	## and we should only care about the most recent one.
	warn	 set acl_c_helo_warning = false
		!condition = \
			${if and {{match_ip {$sender_host_address} \
					    {<; 127.0.0.0/8 ; ::1}} \
				  {match_domain {$sender_helo_name} \
						{localhost : +thishost}}}}
		!condition = \
			${if exists {CONF_sysconf_dir/helo.conf} \
			     {${lookup {$sender_helo_name} \
				       partial0-lsearch \
				       {CONF_sysconf_dir/helo.conf} \
				       {${if match_ip \
					     {$sender_host_address} \
					     {<; $value}}}}}}
		!verify = helo
		 set acl_c_helo_warning = true

	accept

SECTION(global, acl)m4_dnl
acl_not_smtp_start = not_smtp_start
SECTION(acl, misc)m4_dnl
not_smtp_start:
	## Record the user's name.
	warn	 set acl_c_user = $sender_ident
		 set acl_m_user = $sender_ident

	## Done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_mail = mail
SECTION(acl, mail)m4_dnl
mail:

	## If we stashed a warning header about HELO from earlier, we should
	## add it now.  Only don't bother if the client has authenticated
	## successfully for submission (because we can't expect mobile
	## clients to be properly set up knowing their names), or it's one of
	## our own satellites (because they're either properly set up anyway,
	## or satellites using us as a smarthost).
	warn	 condition = $acl_c_helo_warning
		!condition = ${if eq{$acl_c_mode}{submission}}
		!hosts = +allnets
		 WARNING_HEADER(BADHELO,
				<:Client's HELO doesn't match its IP address.\n\t\
				  helo-name=$sender_helo_name \
				  address=$sender_host_address:>)

	## Always allow the empty sender, so that we can receive bounces.
	accept	 senders = :

	## Ensure that the sender looks valid.
	require	 acl = mail_check_sender

	## If this is directly from a client then hack on it for a while.
	warn	 condition = ${if eq{$acl_c_mode}{submission}}
		 control = submission/sender_retain

	## Insist that a local client connect through TLS.
	deny	 message = Hosts within CONF_master_domain must use TLS
		!condition = ${if eq{$acl_c_mode}{submission}}
		 hosts = +allnets
		!encrypted = *

	## Check that a submitted message's sender address is allowable.
	require	 acl = mail_check_auth

SECTION(acl, mail-tail)m4_dnl
	## And we're done.
	accept

SECTION(acl, misc)m4_dnl
mail_check_sender:

	## See whether there's a special exception for this sender domain.
	accept	 senders = ${LOOKUP_DOMAIN($sender_address_domain,
			     {KV(senders, {$value}{})},
			     {})}

	## Ensure that the sender is routable.  This is important to prevent
	## undeliverable bounces.
	require	 message = Invalid sender; \
			($sender_verify_failure; $acl_verify_message)
		 verify = sender

	## We're good, then.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
connect:
SECTION(acl, connect-tail)m4_dnl
	## Configure variables according to the submission mode.
	warn	 acl = check_submission

	## Done.
	accept

check_submission:
	## See whether this message needs hacking on.
	accept	!hosts = +thishost
		!condition = ${if ={$received_port}{CONF_submission_port}}
		 set acl_c_mode = relay

	## Remember to apply submission controls.
	warn	 set acl_c_mode = submission
		 control = no_enforce_sync

	## Done.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_rcpt = rcpt
SECTION(acl, rcpt)m4_dnl
rcpt:

	## Reject if the client isn't allowed to relay and the recipient
	## isn't in one of our known domains.
	require	 message = Relaying not permitted
		 acl = check_relay

	## Ensure that the recipient is routable.
	require	 message = Invalid recipient \
			($recipient_verify_failure; $acl_verify_message)
		 verify = recipient

SECTION(acl, misc)m4_dnl
check_relay:
	## Accept either if the client is allowed to relay through us, or if
	## we're the correct place to send this mail.

	## Known clients and authenticated users are OK.
	accept	 hosts = CONF_relay_clients
	accept	 authenticated = *

	## Known domains are OK.
	accept	 domains = +public

	## Finally, domains in our table are OK, unless they say they aren't.
	accept	 domains = \
		 ${if exists{CONF_sysconf_dir/domains.conf} \
		     {partial0-lsearch;	CONF_sysconf_dir/domains.conf}}
		 condition = DOMKV(service, {$value}{true})

	## Nope, that's not allowed.
	deny

SECTION(acl, rcpt-tail)m4_dnl
	## Everything checks out OK: let this one go through.
	accept

SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:
	## Don't accept messages with overly-long lines.
	deny	 message = line length exceeds SMTP permitted maximum: \
			$max_received_linelength > 998
		 condition = ${if >{$max_received_linelength}{998}}

SECTION(acl, data-tail)m4_dnl
	accept

SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
SECTION(acl, misc)m4_dnl
expn_vrfy:
	accept	 hosts = +trusted
	deny	 message = Suck it and see

DIVERT(null)
###--------------------------------------------------------------------------
### Verification of sender address.

SECTION(acl, misc)m4_dnl
mail_check_auth:

	## If this isn't a submission then it doesn't need checking.
	accept	 condition = ${if !eq{$acl_c_mode}{submission}}

	## If the caller hasn't formally authenticated, but this is a
	## loopback connection, then we can trust identd to tell us the right
	## answer.  So we should stash the right name somewhere consistent.
	warn	 set acl_c_user = $authenticated_id
		 hosts = +thishost
		!authenticated = *
		 condition = ${if def:sender_ident}
		 set acl_c_user = $sender_ident

	## User must be authenticated by now.
	deny	 message = Sender not authenticated
		 condition = ${if !def:acl_c_user}

	## Set the per-message authentication flag, since we now know that
	## there's a sensible value.
	warn	 set acl_m_user = $acl_c_user

	## All done.
	accept

DIVERT(null)
###--------------------------------------------------------------------------
### Common options for forwarding routers.

## We're pretty permissive here.
m4_define(<:FILTER_BASE:>,
	<:driver = redirect
	modemask = 002
	check_owner = false
	check_group = false
	allow_filter = true
	allow_defer = true
	allow_fail = true
	forbid_blackhole = false
	check_ancestor = true:>)

## Common options for forwarding routers at verification time.
m4_define(<:FILTER_VERIFY:>,
	<:verify_only = true
	user = CONF_filter_user
	forbid_filter_dlfunc = true
	forbid_filter_logwrite = true
	forbid_filter_perl = true
	forbid_filter_readsocket = true
	forbid_filter_run = true
	file_transport = dummy
	directory_transport = dummy
	pipe_transport = dummy
	reply_transport = dummy:>)

## Transports for redirection filters.
m4_define(<:FILTER_TRANSPORTS:>,
	<:file_transport = mailbox
	directory_transport = maildir
	pipe_transport = pipe
	reply_transport = reply:>)

m4_define(<:FILTER_ROUTER:>,
<:$1_vrf:
	$2
	FILTER_VERIFY<::>$3
$1:
	$2
	verify = no
	FILTER_TRANSPORTS<::>$4:>)

DIVERT(null)
###--------------------------------------------------------------------------
### Common routers.

SECTION(routers, alias)m4_dnl
## Look up the local part in the address map.
alias:
	driver = redirect
	allow_fail = true
	allow_defer = true
	user = CONF_filter_user
	FILTER_TRANSPORTS
	local_parts = nwildlsearch; CONF_alias_file
	data = ${expand:$local_part_data}
SECTION(routers, alias-opts)m4_dnl

DIVERT(null)
###--------------------------------------------------------------------------
### Some standard transports.

m4_define(<:USER_DELIVERY:>,
	<:delivery_date_add = true
	envelope_to_add = true
	return_path_add = true:>)

m4_define(<:APPLY_HEADER_CHANGES:>,
	<:headers_add = m4_ifelse(<:$1:>, <::>,
		<:$acl_m_hdradd:>,
		<:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
		$1:>)
	headers_remove = m4_ifelse(<:$2:>, <::>,
		<:$acl_m_hdrrm:>,
		<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
		$2:>):>)

m4_define(<:SMTP_DELIVERY:>,
	<:## Prevent sending messages with overly long lines.  The use of
	## `message_size_limit' here is somewhat misleading.
	message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)

SECTION(transports)m4_dnl
## A standard transport for remote delivery.  By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
## in plaintext anyway.  But all of this can be overridden from the
## `domains.conf' file.  Annoyingly, the `tls_dh_min_bits' setting isn't
## expanded before use, so we can't set it the obvious way.  Instead, encode
## it into the transport name.  This is very unpleasant, of course.
smtp:
	driver = smtp
	APPLY_HEADER_CHANGES
	tls_require_ciphers = CONF_acceptable_ciphers
	tls_dh_min_bits = 508
	tls_tempfail_tryclear = true

m4_define(<:SMTP_TRANS_DHBITS:>,
	<:driver = smtp
	SMTP_DELIVERY
	APPLY_HEADER_CHANGES
	hosts_try_auth = *
	hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
	hosts_require_auth = \
		${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
	tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
	tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
	tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
	tls_require_ciphers = \
		DOMKV(tls-ciphers,
		      {${extract {${expand:$value}} \
				 { good = CONF_good_ciphers \
				   any = CONF_acceptable_ciphers } \
				 {$value} \
				 {${expand:$value}}}} \
		      {CONF_acceptable_ciphers})
	tls_dh_min_bits = $1
	tls_tempfail_tryclear = true:>)m4_dnl
smtp_dhbits_512:
	SMTP_TRANS_DHBITS(508)
smtp_dhbits_768:
	SMTP_TRANS_DHBITS(764)
smtp_dhbits_1024:
	SMTP_TRANS_DHBITS(1020)
smtp_dhbits_2048:
	SMTP_TRANS_DHBITS(2044)

## Transport to a local SMTP server; use TLS and perform client
## authentication.
smtp_local:
	driver = smtp
	SMTP_DELIVERY
	APPLY_HEADER_CHANGES
	hosts_require_tls = *
	tls_certificate = CONF_sysconf_dir/client.certlist
	tls_privatekey = CONF_sysconf_dir/client.key
	tls_verify_certificates = CONF_ca_dir/ca.cert
	tls_require_ciphers = CONF_good_ciphers
	tls_dh_min_bits = 2046
	tls_tempfail_tryclear = false
	authenticated_sender_force = true
	authenticated_sender = \
		${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
		     {${if def:authenticated_sender {$authenticated_sender} \
			   fail}}}

## A standard transport for local delivery.
deliver:
	driver = appendfile
	APPLY_HEADER_CHANGES
	file = /var/mail/$local_part
	group = mail
	mode = 0600
	mode_fail_narrower = false
	USER_DELIVERY

## Transports for user filters.
mailbox:
	driver = appendfile
	APPLY_HEADER_CHANGES
	initgroups = true
	USER_DELIVERY

maildir:
	driver = appendfile
	APPLY_HEADER_CHANGES
	maildir_format = true
	initgroups = true
	USER_DELIVERY

pipe:
	driver = pipe
	APPLY_HEADER_CHANGES
	path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
		/usr/local/bin:/usr/local/sbin:\
		/usr/bin:/usr/sbin:/bin:/sbin
	initgroups = true
	umask = 002
	return_fail_output = true
	log_output = true

## A special dummy transport for use during address verification.
dummy:
	driver = appendfile
	file = /dev/null

DIVERT(null)
###--------------------------------------------------------------------------
### Retry configuration.

SECTION(retry, default)m4_dnl
## Be persistent when sending to the site relay.  It ought to work, but
## particularly satellites such as laptops often encounter annoying temporary
## failures due to network unavailability, and the usual gradual policy can
## leave mail building up for no good reason.
CONF_smarthost				* \
	F,4d,15m

## Default.
*					* \
	F,2h,15m; G,16h,2h,1.5; F,4d,6h

DIVERT(null)
###----- That's all, folks --------------------------------------------------
Commit	Line	Data
185b5456 MW	1	### --m4--
	2	###
	3	### Basic settings for distorted.org.uk Exim configuration
	4	###
	5	### (c) 2012 Mark Wooding
	6	###
	7
	8	###----- Licensing notice ---------------------------------------------------
	9	###
	10	### This program is free software; you can redistribute it and/or modify
	11	### it under the terms of the GNU General Public License as published by
	12	### the Free Software Foundation; either version 2 of the License, or
	13	### (at your option) any later version.
	14	###
	15	### This program is distributed in the hope that it will be useful,
	16	### but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	### GNU General Public License for more details.
	19	###
	20	### You should have received a copy of the GNU General Public License
	21	### along with this program; if not, write to the Free Software Foundation,
	22	### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	23
	24	###--------------------------------------------------------------------------
	25	### Global settings.
	26
	27	SECTION(global, priv)m4_dnl
b1d083dd	28	admin_groups = CONF_admin_groups
e8fc7835	29	trusted_groups = CONF_trusted_groups
185b5456 MW	30	prod_requires_admin = false
	31
	32	SECTION(global, logging)m4_dnl
	33	log_file_path = : syslog
	34	log_selector = \
	35	+smtp_confirmation \
	36	+tls_peerdn
	37	log_timezone = true
	38	syslog_duplication = false
	39	syslog_timestamp = false
	40
	41	SECTION(global, daemon)m4_dnl
	42	local_interfaces = <; CONF_interfaces
ad4e4191	43	extra_local_interfaces = <; 0.0.0.0 ; ::0
185b5456 MW	44
	45	SECTION(global, resource)m4_dnl
	46	deliver_queue_load_max = 8
5ac82fb4	47	message_size_limit = 500M
185b5456 MW	48	queue_only_load = 12
	49	smtp_accept_max = 16
	50	smtp_accept_queue = 32
	51	smtp_accept_reserve = 4
	52	smtp_load_reserve = 10
	53	smtp_reserve_hosts = +trusted
	54
	55	SECTION(global, policy)m4_dnl
	56	host_lookup = *
	57
	58	SECTION(global, users)m4_dnl
	59	gecos_name = $1
	60	gecos_pattern = ([^,:]*)
	61
	62	SECTION(global, incoming)m4_dnl
ceb81bc4 MW	63	rfc1413_hosts = *
ceb81bc4 MW	64	rfc1413_query_timeout = 10s
185b5456	65	received_header_text = Received: \
2cf9db84	66	${if def:sender_rcvhost \
9384ef4f	67	{from $sender_rcvhost\n\t} \
2cf9db84 MW	68	{${if def:sender_ident \
2cf9db84 MW	69	{from ${quote_local_part:$sender_ident} }}}}\
185b5456	70	by $primary_hostname \
b92689d6 MW	71	(Exim $version_number)\
b92689d6 MW	72	${if def:tls_cipher {\n\t} { }}\
185b5456 MW	73	${if def:received_protocol \
185b5456 MW	74	{with $received_protocol \
b92689d6	75	${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
185b5456	76	${if def:sender_address \
43e6fc69	77	{(envelope-from $sender_address\
185b5456	78	${if def:authenticated_id \
8fa6a843 MW	79	{; auth=${quote_local_part:$authenticated_id}} \
	80	{${if and {{def:authenticated_sender} \
	81	{match_address{$authenticated_sender} \
	82	{*@CONF_master_domain}}} \
	83	{; auth=${quote_local_part:\
	84	${local_part:\
	85	$authenticated_sender}}}}}})\n\t}}\
185b5456 MW	86	id $message_exim_id\
	87	${if def:received_for {\n\tfor $received_for}}
	88
	89	SECTION(global, smtp)m4_dnl
	90	smtp_return_error_details = true
	91	accept_8bitmime = true
e3c9c427	92	chunking_advertise_hosts =
185b5456	93
5918499b MW	94	SECTION(global, env)m4_dnl
	95	keep_environment =
	96
185b5456 MW	97	SECTION(global, process)m4_dnl
	98	extract_addresses_remove_arguments = false
	99	headers_charset = utf-8
	100	qualify_domain = CONF_master_domain
12d3b444	101	untrusted_set_sender = *
75c86bd1 MW	102	local_from_check = false
75c86bd1 MW	103	local_sender_retain = true
185b5456 MW	104
	105	SECTION(global, bounce)m4_dnl
	106	delay_warning = 1h : 24h : 2d
	107
6aae076f	108	SECTION(global, tls)m4_dnl
1dda4df9	109	tls_certificate = CONF_certlist
6aae076f MW	110	tls_privatekey = CONF_sysconf_dir/server.key
	111	tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
	112	tls_dhparam = CONF_ca_dir/dh-param-2048.pem
	113	tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
	114	{match_ip {$sender_host_address}{+trusted}}} \
	115	{CONF_good_ciphers} \
	116	{CONF_acceptable_ciphers}}
	117	tls_verify_certificates = CONF_ca_dir/ca.cert
	118	tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
	119
185b5456 MW	120	DIVERT(null)
	121	###--------------------------------------------------------------------------
	122	### Access control lists.
	123
	124	SECTION(global, acl-after)
	125	SECTION(global, acl)m4_dnl
	126	acl_smtp_helo = helo
	127	SECTION(acl, misc)m4_dnl
	128	helo:
a891f462 MW	129	## Don't worry if this is local submission. MUAs won't necessarily
	130	## have a clear idea of their hostnames. (For some reason.)
	131	accept condition = ${if !eq{$acl_c_mode}{submission}}
	132
fe8f2338 MW	133	## Check that the caller's claimed identity is actually plausible.
	134	## This seems like it's a fairly effective filter on spamminess, but
	135	## it's too blunt a tool. Rather than reject, add a warning header.
	136	## Only we can't do this the easy way, so save it up for use in MAIL.
	137	## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
	138	## and we should only care about the most recent one.
	139	warn set acl_c_helo_warning = false
	140	!condition = \
4ff4ad42 MW	141	${if and {{match_ip {$sender_host_address} \
	142	{<; 127.0.0.0/8 ; ::1}} \
	143	{match_domain {$sender_helo_name} \
	144	{localhost : +thishost}}}}
	145	!condition = \
fe8f2338 MW	146	${if exists {CONF_sysconf_dir/helo.conf} \
	147	{${lookup {$sender_helo_name} \
	148	partial0-lsearch \
	149	{CONF_sysconf_dir/helo.conf} \
	150	{${if match_ip \
	151	{$sender_host_address} \
4587a704	152	{<; $value}}}}}}
fe8f2338 MW	153	!verify = helo
fe8f2338 MW	154	set acl_c_helo_warning = true
185b5456 MW	155
	156	accept
	157
	158	SECTION(global, acl)m4_dnl
284c9d7e MW	159	acl_not_smtp_start = not_smtp_start
	160	SECTION(acl, misc)m4_dnl
	161	not_smtp_start:
	162	## Record the user's name.
	163	warn set acl_c_user = $sender_ident
e9015968	164	set acl_m_user = $sender_ident
284c9d7e MW	165
	166	## Done.
	167	accept
	168
	169	SECTION(global, acl)m4_dnl
185b5456 MW	170	acl_smtp_mail = mail
	171	SECTION(acl, mail)m4_dnl
	172	mail:
	173
fe8f2338	174	## If we stashed a warning header about HELO from earlier, we should
2f0841ce MW	175	## add it now. Only don't bother if the client has authenticated
	176	## successfully for submission (because we can't expect mobile
	177	## clients to be properly set up knowing their names), or it's one of
	178	## our own satellites (because they're either properly set up anyway,
	179	## or satellites using us as a smarthost).
fe8f2338	180	warn condition = $acl_c_helo_warning
2f0841ce MW	181	!condition = ${if eq{$acl_c_mode}{submission}}
2f0841ce MW	182	!hosts = +allnets
61295d9c MW	183	WARNING_HEADER(BADHELO,
	184	<:Client's HELO doesn't match its IP address.\n\t\
	185	helo-name=$sender_helo_name \
	186	address=$sender_host_address:>)
fe8f2338	187
185b5456 MW	188	## Always allow the empty sender, so that we can receive bounces.
	189	accept senders = :
	190
5051a30f MW	191	## Ensure that the sender looks valid.
5051a30f MW	192	require acl = mail_check_sender
185b5456 MW	193
	194	## If this is directly from a client then hack on it for a while.
	195	warn condition = ${if eq{$acl_c_mode}{submission}}
12d3b444	196	control = submission/sender_retain
185b5456	197
284c9d7e MW	198	## Insist that a local client connect through TLS.
	199	deny message = Hosts within CONF_master_domain must use TLS
	200	!condition = ${if eq{$acl_c_mode}{submission}}
	201	hosts = +allnets
	202	!encrypted = *
	203
	204	## Check that a submitted message's sender address is allowable.
	205	require acl = mail_check_auth
	206
185b5456 MW	207	SECTION(acl, mail-tail)m4_dnl
	208	## And we're done.
	209	accept
	210
5051a30f MW	211	SECTION(acl, misc)m4_dnl
	212	mail_check_sender:
	213
	214	## See whether there's a special exception for this sender domain.
	215	accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
	216	{KV(senders, {$value}{})},
	217	{})}
	218
	219	## Ensure that the sender is routable. This is important to prevent
	220	## undeliverable bounces.
	221	require message = Invalid sender; \
	222	($sender_verify_failure; $acl_verify_message)
	223	verify = sender
	224
	225	## We're good, then.
	226	accept
	227
185b5456 MW	228	SECTION(global, acl)m4_dnl
	229	acl_smtp_connect = connect
	230	SECTION(acl, connect)m4_dnl
	231	connect:
	232	SECTION(acl, connect-tail)m4_dnl
e12c9586	233	## Configure variables according to the submission mode.
185b5456	234	warn acl = check_submission
e12c9586 MW	235
e12c9586 MW	236	## Done.
185b5456 MW	237	accept
	238
	239	check_submission:
	240	## See whether this message needs hacking on.
4ff4ad42	241	accept !hosts = +thishost
185b5456 MW	242	!condition = ${if ={$received_port}{CONF_submission_port}}
	243	set acl_c_mode = relay
	244
	245	## Remember to apply submission controls.
	246	warn set acl_c_mode = submission
54341a70	247	control = no_enforce_sync
185b5456 MW	248
	249	## Done.
	250	accept
	251
	252	SECTION(global, acl)m4_dnl
	253	acl_smtp_rcpt = rcpt
	254	SECTION(acl, rcpt)m4_dnl
	255	rcpt:
	256
	257	## Reject if the client isn't allowed to relay and the recipient
	258	## isn't in one of our known domains.
e4666f2d MW	259	require message = Relaying not permitted
e4666f2d MW	260	acl = check_relay
185b5456 MW	261
	262	## Ensure that the recipient is routable.
	263	require message = Invalid recipient \
	264	($recipient_verify_failure; $acl_verify_message)
	265	verify = recipient
	266
e4666f2d MW	267	SECTION(acl, misc)m4_dnl
	268	check_relay:
	269	## Accept either if the client is allowed to relay through us, or if
	270	## we're the correct place to send this mail.
	271
	272	## Known clients and authenticated users are OK.
a0375fd9 MW	273	accept hosts = CONF_relay_clients
a0375fd9 MW	274	accept authenticated = *
e4666f2d MW	275
e4666f2d MW	276	## Known domains are OK.
a0375fd9	277	accept domains = +public
e4666f2d MW	278
e4666f2d MW	279	## Finally, domains in our table are OK, unless they say they aren't.
a0375fd9 MW	280	accept domains = \
a0375fd9 MW	281	${if exists{CONF_sysconf_dir/domains.conf} \
e4666f2d	282	{partial0-lsearch; CONF_sysconf_dir/domains.conf}}
a0375fd9	283	condition = DOMKV(service, {$value}{true})
e4666f2d MW	284
	285	## Nope, that's not allowed.
	286	deny
	287
185b5456 MW	288	SECTION(acl, rcpt-tail)m4_dnl
	289	## Everything checks out OK: let this one go through.
	290	accept
	291
	292	SECTION(global, acl)m4_dnl
	293	acl_smtp_data = data
	294	SECTION(acl, data)m4_dnl
	295	data:
5d2f8b65 MW	296	## Don't accept messages with overly-long lines.
	297	deny message = line length exceeds SMTP permitted maximum: \
	298	$max_received_linelength > 998
	299	condition = ${if >{$max_received_linelength}{998}}
185b5456 MW	300
	301	SECTION(acl, data-tail)m4_dnl
	302	accept
	303
	304	SECTION(global, acl)m4_dnl
	305	acl_smtp_expn = expn_vrfy
	306	acl_smtp_vrfy = expn_vrfy
e4fe8925	307	SECTION(acl, misc)m4_dnl
185b5456 MW	308	expn_vrfy:
	309	accept hosts = +trusted
	310	deny message = Suck it and see
	311
	312	DIVERT(null)
	313	###--------------------------------------------------------------------------
284c9d7e MW	314	### Verification of sender address.
	315
	316	SECTION(acl, misc)m4_dnl
	317	mail_check_auth:
	318
	319	## If this isn't a submission then it doesn't need checking.
	320	accept condition = ${if !eq{$acl_c_mode}{submission}}
	321
	322	## If the caller hasn't formally authenticated, but this is a
	323	## loopback connection, then we can trust identd to tell us the right
	324	## answer. So we should stash the right name somewhere consistent.
	325	warn set acl_c_user = $authenticated_id
4ff4ad42	326	hosts = +thishost
284c9d7e	327	!authenticated = *
ff4c943d	328	condition = ${if def:sender_ident}
284c9d7e MW	329	set acl_c_user = $sender_ident
284c9d7e MW	330
ff4c943d	331	## User must be authenticated by now.
284c9d7e	332	deny message = Sender not authenticated
ff4c943d	333	condition = ${if !def:acl_c_user}
284c9d7e	334
e9015968 MW	335	## Set the per-message authentication flag, since we now know that
	336	## there's a sensible value.
	337	warn set acl_m_user = $acl_c_user
	338
284c9d7e MW	339	## All done.
	340	accept
	341
	342	DIVERT(null)
	343	###--------------------------------------------------------------------------
185b5456 MW	344	### Common options for forwarding routers.
	345
	346	## We're pretty permissive here.
	347	m4_define(<:FILTER_BASE:>,
	348	<:driver = redirect
	349	modemask = 002
	350	check_owner = false
	351	check_group = false
	352	allow_filter = true
	353	allow_defer = true
	354	allow_fail = true
	355	forbid_blackhole = false
	356	check_ancestor = true:>)
	357
	358	## Common options for forwarding routers at verification time.
	359	m4_define(<:FILTER_VERIFY:>,
	360	<:verify_only = true
	361	user = CONF_filter_user
	362	forbid_filter_dlfunc = true
	363	forbid_filter_logwrite = true
	364	forbid_filter_perl = true
	365	forbid_filter_readsocket = true
	366	forbid_filter_run = true
	367	file_transport = dummy
	368	directory_transport = dummy
	369	pipe_transport = dummy
	370	reply_transport = dummy:>)
	371
	372	## Transports for redirection filters.
	373	m4_define(<:FILTER_TRANSPORTS:>,
7ab75d6f	374	<:file_transport = mailbox
185b5456 MW	375	directory_transport = maildir
	376	pipe_transport = pipe
	377	reply_transport = reply:>)
	378
7ab75d6f MW	379	m4_define(<:FILTER_ROUTER:>,
	380	<:$1_vrf:
	381	$2
	382	FILTER_VERIFY<::>$3
	383	$1:
	384	$2
	385	verify = no
	386	FILTER_TRANSPORTS<::>$4:>)
	387
185b5456 MW	388	DIVERT(null)
185b5456 MW	389	###--------------------------------------------------------------------------
3e031e77 MW	390	### Common routers.
	391
	392	SECTION(routers, alias)m4_dnl
	393	## Look up the local part in the address map.
	394	alias:
	395	driver = redirect
	396	allow_fail = true
	397	allow_defer = true
	398	user = CONF_filter_user
	399	FILTER_TRANSPORTS
	400	local_parts = nwildlsearch; CONF_alias_file
	401	data = ${expand:$local_part_data}
	402	SECTION(routers, alias-opts)m4_dnl
	403
	404	DIVERT(null)
	405	###--------------------------------------------------------------------------
185b5456 MW	406	### Some standard transports.
	407
	408	m4_define(<:USER_DELIVERY:>,
	409	<:delivery_date_add = true
	410	envelope_to_add = true
	411	return_path_add = true:>)
	412
1e5ccd7c MW	413	m4_define(<:APPLY_HEADER_CHANGES:>,
	414	<:headers_add = m4_ifelse(<:$1:>, <::>,
	415	<:$acl_m_hdradd:>,
	416	<:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
	417	$1:>)
	418	headers_remove = m4_ifelse(<:$2:>, <::>,
	419	<:$acl_m_hdrrm:>,
	420	<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
	421	$2:>):>)
	422
5d2f8b65 MW	423	m4_define(<:SMTP_DELIVERY:>,
	424	<:## Prevent sending messages with overly long lines. The use of
	425	## `message_size_limit' here is somewhat misleading.
	426	message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
	427
185b5456	428	SECTION(transports)m4_dnl
fa5a92c6 MW	429	## A standard transport for remote delivery. By default, try to do TLS, and
	430	## don't worry too much if it's not very secure: the alternative is sending
	431	## in plaintext anyway. But all of this can be overridden from the
beb15dae MW	432	## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
	433	## expanded before use, so we can't set it the obvious way. Instead, encode
	434	## it into the transport name. This is very unpleasant, of course.
534d411b MW	435	smtp:
534d411b MW	436	driver = smtp
1e5ccd7c	437	APPLY_HEADER_CHANGES
534d411b	438	tls_require_ciphers = CONF_acceptable_ciphers
7b50997d	439	tls_dh_min_bits = 508
534d411b MW	440	tls_tempfail_tryclear = true
534d411b MW	441
beb15dae MW	442	m4_define(<:SMTP_TRANS_DHBITS:>,
beb15dae MW	443	<:driver = smtp
5d2f8b65	444	SMTP_DELIVERY
1e5ccd7c	445	APPLY_HEADER_CHANGES
ae9744ce	446	hosts_try_auth = *
fa5a92c6	447	hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
ae9744ce MW	448	hosts_require_auth = \
ae9744ce MW	449	${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
fa5a92c6 MW	450	tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
	451	tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
	452	tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
	453	tls_require_ciphers = \
	454	DOMKV(tls-ciphers,
	455	{${extract {${expand:$value}} \
	456	{ good = CONF_good_ciphers \
	457	any = CONF_acceptable_ciphers } \
	458	{$value} \
	459	{${expand:$value}}}} \
	460	{CONF_acceptable_ciphers})
beb15dae MW	461	tls_dh_min_bits = $1
beb15dae MW	462	tls_tempfail_tryclear = true:>)m4_dnl
7b50997d MW	463	smtp_dhbits_512:
	464	SMTP_TRANS_DHBITS(508)
	465	smtp_dhbits_768:
	466	SMTP_TRANS_DHBITS(764)
beb15dae MW	467	smtp_dhbits_1024:
	468	SMTP_TRANS_DHBITS(1020)
	469	smtp_dhbits_2048:
7b50997d	470	SMTP_TRANS_DHBITS(2044)
185b5456 MW	471
	472	## Transport to a local SMTP server; use TLS and perform client
	473	## authentication.
	474	smtp_local:
	475	driver = smtp
5d2f8b65	476	SMTP_DELIVERY
1e5ccd7c	477	APPLY_HEADER_CHANGES
185b5456	478	hosts_require_tls = *
163774f0	479	tls_certificate = CONF_sysconf_dir/client.certlist
185b5456 MW	480	tls_privatekey = CONF_sysconf_dir/client.key
	481	tls_verify_certificates = CONF_ca_dir/ca.cert
	482	tls_require_ciphers = CONF_good_ciphers
b6d74252	483	tls_dh_min_bits = 2046
185b5456	484	tls_tempfail_tryclear = false
10c331d7 MW	485	authenticated_sender_force = true
	486	authenticated_sender = \
	487	${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
	488	{${if def:authenticated_sender {$authenticated_sender} \
	489	fail}}}
185b5456 MW	490
	491	## A standard transport for local delivery.
	492	deliver:
	493	driver = appendfile
1e5ccd7c	494	APPLY_HEADER_CHANGES
185b5456	495	file = /var/mail/$local_part
8f6af4ae MW	496	group = mail
	497	mode = 0600
	498	mode_fail_narrower = false
185b5456 MW	499	USER_DELIVERY
	500
	501	## Transports for user filters.
	502	mailbox:
	503	driver = appendfile
1e5ccd7c	504	APPLY_HEADER_CHANGES
8f6af4ae	505	initgroups = true
185b5456 MW	506	USER_DELIVERY
	507
	508	maildir:
	509	driver = appendfile
1e5ccd7c	510	APPLY_HEADER_CHANGES
185b5456	511	maildir_format = true
8f6af4ae	512	initgroups = true
185b5456 MW	513	USER_DELIVERY
	514
	515	pipe:
	516	driver = pipe
1e5ccd7c	517	APPLY_HEADER_CHANGES
8f6af4ae MW	518	path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
	519	/usr/local/bin:/usr/local/sbin:\
	520	/usr/bin:/usr/sbin:/bin:/sbin
	521	initgroups = true
	522	umask = 002
	523	return_fail_output = true
	524	log_output = true
185b5456 MW	525
	526	## A special dummy transport for use during address verification.
	527	dummy:
	528	driver = appendfile
	529	file = /dev/null
	530
	531	DIVERT(null)
	532	###--------------------------------------------------------------------------
	533	### Retry configuration.
	534
	535	SECTION(retry, default)m4_dnl
af4b4ca8 MW	536	## Be persistent when sending to the site relay. It ought to work, but
	537	## particularly satellites such as laptops often encounter annoying temporary
	538	## failures due to network unavailability, and the usual gradual policy can
	539	## leave mail building up for no good reason.
	540	CONF_smarthost * \
	541	F,4d,15m
	542
185b5456 MW	543	## Default.
	544	* * \
	545	F,2h,15m; G,16h,2h,1.5; F,4d,6h
	546
	547	DIVERT(null)
	548	###----- That's all, folks --------------------------------------------------