| 1 | ### -*-m4-*- |
| 2 | ### |
| 3 | ### Basic configuration settings for distorted.org.uk Exim configuration |
| 4 | ### |
| 5 | ### (c) 2012 Mark Wooding |
| 6 | ### |
| 7 | |
| 8 | ###----- Licensing notice --------------------------------------------------- |
| 9 | ### |
| 10 | ### This program is free software; you can redistribute it and/or modify |
| 11 | ### it under the terms of the GNU General Public License as published by |
| 12 | ### the Free Software Foundation; either version 2 of the License, or |
| 13 | ### (at your option) any later version. |
| 14 | ### |
| 15 | ### This program is distributed in the hope that it will be useful, |
| 16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 18 | ### GNU General Public License for more details. |
| 19 | ### |
| 20 | ### You should have received a copy of the GNU General Public License |
| 21 | ### along with this program; if not, write to the Free Software Foundation, |
| 22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 23 | |
| 24 | ## Master domain name. |
| 25 | DEFCONF(master_domain, distorted.org.uk) |
| 26 | |
| 27 | ## List of home-system mail domain names. This can be empty if we only |
| 28 | ## provide service for special-purpose domains. |
| 29 | DEFCONF(sysdomains, CONF_master_domain) |
| 30 | |
| 31 | ## The magic token for local header names. |
| 32 | DEFCONF(header_token, Distorted) |
| 33 | |
| 34 | ## The smarthost for satellite hosts. |
| 35 | DEFCONF(smarthost, mail.distorted.org.uk) |
| 36 | |
| 37 | ## The user who runs verification filters. |
| 38 | DEFCONF(filter_user, Debian-exim) |
| 39 | |
| 40 | ## Administrative and trusted groups (presumably fed to Exim's `admin_groups' and `trusted_groups' options, i.e. privileged command-line options and the right to set envelope senders); keep membership to genuinely trusted accounts. |
| 41 | DEFCONF(admin_groups, root : adm) |
| 42 | DEFCONF(trusted_groups, root : adm) |
| 43 | |
| 44 | ## Where the spam filter (spamd) is.  The spamd protocol carries no authentication, so this address must only be reachable across a trusted network. |
| 45 | DEFCONF(spamd_address, 172.29.199.8) |
| 46 | DEFCONF(spamd_port, 783) |
| 47 | |
| 48 | ## Default spam threshold for incoming mail, as a SpamAssassin score multiplied by ten (so 50 means a score of 5.0). |
| 49 | DEFCONF(spam_max, 50) |
| 50 | |
| 51 | ## Userv stuff for debugging. |
| 52 | DEFCONF(userv_opts, ) |
| 53 | |
| 54 | ## Which interfaces to listen on.  Satellites bind only the loopback addresses; any other mode listens on every address.  Exim checks for the literal string `::0' |
| 55 | ## when setting things up: don't use `::', or we'll be tripped up by Linux's |
| 56 | ## demented non-`IPV6_V6ONLY' behaviour (a bare `::' socket also accepts IPv4, so the separate 0.0.0.0 bind would collide with it). |
| 57 | DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1, |
| 58 | 0.0.0.0 ; ::0)) |
| 59 | |
| 60 | ## Main and submission port numbers. (This is sometimes tweaked for |
| 61 | ## testing.) |
| 62 | DEFCONF(smtp_port, 25) |
| 63 | DEFCONF(submission_port, 587) |
| 64 | |
| 65 | ## Locations of other configuration files. |
| 66 | DEFCONF(sysconf_dir, /etc/mail) |
| 67 | DEFCONF(userconf_dir, $home/.mail) |
| 68 | DEFCONF(alias_file, /etc/aliases) |
| 69 | DEFCONF(ca_dir, /etc/ca) |
| 70 | |
| 71 | ## User address suffix handling: `user+anything' and `user-anything' are accepted as suffixes, and the fixup below strips the leading `+' or `-' from the suffix. |
| 72 | DEFCONF(user_suffix_list, +* : -*) |
| 73 | DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}}) |
| 74 | |
| 75 | ## Other hosts allowed to relay mail through us, matched by source address (in addition to the `trusted' host list).  Keep this short: an address here presumably relays without authenticating, so check the relay ACL before adding anything that is not on the VPN or otherwise ours. |
| 76 | DEFCONF(relay_clients, <m4_dnl  `<;' makes `;' the list separator, since the IPv6 address below contains colons |
| 77 | ; +trusted m4_dnl  the named host list `trusted', defined elsewhere |
| 78 | ; 172.31.80.8 m4_dnl chiark (VPN) |
| 79 | ; 172.29.198.161 ; 2001:ba8:1d9:a000::1:1 m4_dnl national |
| 80 | ) |
| 81 | |
| 82 | ## TLS certificate list.  Hub and server (`srv') modes pick per connection: the submission port and connections from the `trusted' host list get `server', everyone else gets `letsencrypt' (the publicly verifiable one).  Any other mode always presents server.certlist from the sysconf dir. |
| 83 | DEFCONF(certlist, |
| 84 | <:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t), |
| 85 | <:CONF_sysconf_dir/server.certlist:>, |
| 86 | <:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\ |
| 87 | {${if match_ip{$sender_host_address}{+trusted} \ |
| 88 | {server}{letsencrypt}}}}.certlist:>):>) |
| 89 | |
| 90 | ## TLS-related settings.  These are GnuTLS priority strings, so we're assuming GnuTLS here, rather than OpenSSL.  `good_ciphers' is the strict profile |
| 91 | ## for local connections; `acceptable_ciphers' is the permissive one for random clients, where we try |
| 92 | ## fairly hard to encourage any kind of crypto on the grounds that probably nobody can verify our certificate anyway.  Note the strict profile still |
| 93 | ## admits TLS 1.0/1.1 and CBC suites; drop those if no local client needs them.  Which profile applies to which connection is decided elsewhere, not here. |
| 94 | DEFCONF(good_ciphers, NONE<::>m4_dnl  strict profile: start from an empty priority and enable everything explicitly |
| 95 | :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl  NOTE(review): TLS 1.0 and 1.1 are still allowed on the strict profile; drop them if no local client needs them |
| 96 | :+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl  ephemeral key exchange only, no static RSA (forward secrecy) |
| 97 | :+CHACHA20-POLY1305<::>m4_dnl  preferred AEAD cipher |
| 98 | :+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl  AES-GCM, then the CBC modes (presumably kept for older clients) |
| 99 | :+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl  MACs: AEAD or SHA-2 only, no SHA-1 |
| 100 | :+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl  handshake signatures: SHA-2 digests only |
| 101 | :+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl |
| 102 | :+SIGN-DSA-SHA256<::>m4_dnl |
| 103 | :+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl  ECDHE groups, X25519 preferred |
| 104 | :+CTYPE-X.509<::>m4_dnl  X.509 certificates only |
| 105 | :+COMP-NULL<::>m4_dnl  no TLS-level compression |
| 106 | ) |
| 107 | DEFCONF(acceptable_ciphers, NONE<::>m4_dnl  permissive profile: start empty, then enable broadly with preferred options listed first |
| 108 | :+VERS-TLS-ALL<::>m4_dnl  every TLS version GnuTLS knows, including 1.0; deliberately opportunistic |
| 109 | :+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl  ECDHE listed first so it is preferred ... |
| 110 | :+KX-ALL<::>m4_dnl  ... but any key exchange is accepted, including static RSA (no forward secrecy for those sessions) |
| 111 | :+SIGN-ALL<::>m4_dnl  any signature algorithm GnuTLS offers (presumably including SHA-1 signatures) |
| 112 | :+CTYPE-ALL<::>m4_dnl  any certificate type |
| 113 | :+CHACHA20-POLY1305<::>m4_dnl  preferred ciphers first ... |
| 114 | :+AES-256-GCM:+AES-128-GCM<::>m4_dnl |
| 115 | :+CIPHER-ALL<::>m4_dnl  ... then everything else this GnuTLS build enables, which may include legacy ciphers such as 3DES |
| 116 | :+CURVE-X25519<::>m4_dnl  X25519 preferred, then any curve |
| 117 | :+CURVE-ALL<::>m4_dnl |
| 118 | :+AEAD<::>m4_dnl  AEAD preferred, then any MAC ... |
| 119 | :+MAC-ALL<::>m4_dnl |
| 120 | :+COMP-NULL<::>m4_dnl  no TLS-level compression |
| 121 | :-MD5<::>m4_dnl  ... except MD5.  NOTE(review): this removes the MD5 MAC; confirm with gnutls-cli -l --priority that MD5-based signatures are gone too |
| 122 | ) |
| 123 | |
| 124 | ###----- That's all, folks -------------------------------------------------- |