~mdw / exim-config / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
base.m4 (DKIM_SIGN_P): Check that the sending domain is actually listed.
[exim-config] / base.m4
... / ...
CommitLineData
1### -*-m4-*-
2###
3### Basic settings for distorted.org.uk Exim configuration
4###
5### (c) 2012 Mark Wooding
6###
7
8###----- Licensing notice ---------------------------------------------------
9###
10### This program is free software; you can redistribute it and/or modify
11### it under the terms of the GNU General Public License as published by
12### the Free Software Foundation; either version 2 of the License, or
13### (at your option) any later version.
14###
15### This program is distributed in the hope that it will be useful,
16### but WITHOUT ANY WARRANTY; without even the implied warranty of
17### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18### GNU General Public License for more details.
19###
20### You should have received a copy of the GNU General Public License
21### along with this program; if not, write to the Free Software Foundation,
22### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24###--------------------------------------------------------------------------
25### Global settings.
26
27SECTION(global, priv)m4_dnl
28admin_groups = CONF_admin_groups
29trusted_groups = CONF_trusted_groups
30prod_requires_admin = false
31
32SECTION(global, logging)m4_dnl
33log_file_path = : syslog
34log_selector = \
35 +smtp_confirmation \
36 +tls_peerdn
37log_timezone = true
38syslog_duplication = false
39syslog_timestamp = false
40
41SECTION(global, daemon)m4_dnl
42local_interfaces = <; CONF_interfaces
43extra_local_interfaces = <; 0.0.0.0 ; ::0
44
45SECTION(global, resource)m4_dnl
46deliver_queue_load_max = 8
47message_size_limit = 500M
48queue_only_load = 12
49smtp_accept_max = 16
50smtp_accept_queue = 32
51smtp_accept_reserve = 4
52smtp_load_reserve = 10
53smtp_reserve_hosts = +trusted
54
55SECTION(global, policy)m4_dnl
56host_lookup = *
57
58SECTION(global, users)m4_dnl
59gecos_name = $1
60gecos_pattern = ([^,:]*)
61
62SECTION(global, incoming)m4_dnl
63rfc1413_hosts = *
64rfc1413_query_timeout = 10s
65received_header_text = Received: \
66 ${if def:sender_rcvhost \
67 {from $sender_rcvhost\n\t} \
68 {${if def:sender_ident \
69 {from ${quote_local_part:$sender_ident} }}}}\
70 by $primary_hostname \
71 (Exim $version_number)\
72 ${if def:tls_cipher {\n\t} { }}\
73 ${if def:received_protocol \
74 {with $received_protocol \
75 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
76 ${if def:sender_address \
77 {(envelope-from $sender_address\
78 ${if def:authenticated_id \
79 {; auth=${quote_local_part:$authenticated_id}} \
80 {${if and {{def:authenticated_sender} \
81 {match_address{$authenticated_sender} \
82 {*@CONF_master_domain}}} \
83 {; auth=${quote_local_part:\
84 ${local_part:\
85 $authenticated_sender}}}}}})\n\t}}\
86 id $message_exim_id\
87 ${if def:received_for {\n\tfor $received_for}}
88
89SECTION(global, smtp)m4_dnl
90smtp_return_error_details = true
91accept_8bitmime = true
92chunking_advertise_hosts =
93
94SECTION(global, env)m4_dnl
95keep_environment =
96
97SECTION(global, process)m4_dnl
98extract_addresses_remove_arguments = false
99headers_charset = utf-8
100qualify_domain = CONF_master_domain
101untrusted_set_sender = *
102local_from_check = false
103local_sender_retain = true
104
105SECTION(global, bounce)m4_dnl
106delay_warning = 1h : 24h : 2d
107
108SECTION(global, tls)m4_dnl
109tls_certificate = CONF_certlist
110tls_privatekey = CONF_sysconf_dir/server.key
111tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
112tls_dhparam = CONF_ca_dir/dh-param-2048.pem
113tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
114 {match_ip {$sender_host_address}{+trusted}}} \
115 {CONF_good_ciphers} \
116 {CONF_acceptable_ciphers}}
117tls_verify_certificates = CONF_ca_dir/ca.cert
118tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
119
120DIVERT(null)
121###--------------------------------------------------------------------------
122### Access control lists.
123
124SECTION(global, acl-after)
125SECTION(global, acl)m4_dnl
126acl_smtp_helo = helo
127SECTION(acl, misc)m4_dnl
128helo:
129 ## Don't worry if this is local submission. MUAs won't necessarily
130 ## have a clear idea of their hostnames. (For some reason.)
131 accept condition = ${if eq{$acl_c_mode}{submission}}
132
133 ## Check that the caller's claimed identity is actually plausible.
134 ## This seems like it's a fairly effective filter on spamminess, but
135 ## it's too blunt a tool. Rather than reject, add a warning header.
136 ## Only we can't do this the easy way, so save it up for use in MAIL.
137 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
138 ## and we should only care about the most recent one.
139 warn set acl_c_helo_warning = false
140 !condition = \
141 ${if and {{match_ip {$sender_host_address} \
142 {<; 127.0.0.0/8 ; ::1}} \
143 {match_domain {$sender_helo_name} \
144 {localhost : +thishost}}}}
145 !condition = \
146 ${if exists {CONF_sysconf_dir/helo.conf} \
147 {${lookup {$sender_helo_name} \
148 partial0-lsearch \
149 {CONF_sysconf_dir/helo.conf} \
150 {${if match_ip \
151 {$sender_host_address} \
152 {<; $value}}}}}}
153 !verify = helo
154 set acl_c_helo_warning = true
155
156 accept
157
158SECTION(global, acl)m4_dnl
159acl_not_smtp_start = not_smtp_start
160SECTION(acl, misc)m4_dnl
161not_smtp_start:
162 ## Record the user's name.
163 warn set acl_c_user = $sender_ident
164 set acl_m_user = $sender_ident
165
166 ## Done.
167 accept
168
169SECTION(global, acl)m4_dnl
170acl_smtp_mail = mail
171SECTION(acl, mail)m4_dnl
172mail:
173
174 ## If we stashed a warning header about HELO from earlier, we should
175 ## add it now. Only don't bother if the client has authenticated
176 ## successfully for submission (because we can't expect mobile
177 ## clients to be properly set up knowing their names), or it's one of
178 ## our own satellites (because they're either properly set up anyway,
179 ## or satellites using us as a smarthost).
180 warn condition = $acl_c_helo_warning
181 !condition = ${if eq{$acl_c_mode}{submission}}
182 !hosts = +allnets
183 WARNING_HEADER(BADHELO,
184 <:Client's HELO doesn't match its IP address.\n\t\
185 helo-name=$sender_helo_name \
186 address=$sender_host_address:>)
187
188 ## Always allow the empty sender, so that we can receive bounces.
189 accept senders = :
190
191 ## Ensure that the sender looks valid.
192 require acl = mail_check_sender
193
194 ## If this is directly from a client then hack on it for a while.
195 warn condition = ${if eq{$acl_c_mode}{submission}}
196 control = submission/sender_retain
197
198 ## Insist that a local client connect through TLS.
199 deny message = Hosts within CONF_master_domain must use TLS
200 !condition = ${if eq{$acl_c_mode}{submission}}
201 hosts = +allnets
202 !encrypted = *
203
204 ## Check that a submitted message's sender address is allowable.
205 require acl = mail_check_auth
206
207SECTION(acl, mail-tail)m4_dnl
208 ## And we're done.
209 accept
210
211SECTION(acl, misc)m4_dnl
212mail_check_sender:
213
214 ## See whether there's a special exception for this sender domain.
215 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
216 {KV(senders)})}
217
218 ## Ensure that the sender is routable. This is important to prevent
219 ## undeliverable bounces.
220 require message = Invalid sender; \
221 ($sender_verify_failure; $acl_verify_message)
222 verify = sender
223
224 ## We're good, then.
225 accept
226
227SECTION(global, acl)m4_dnl
228acl_smtp_connect = connect
229SECTION(acl, connect)m4_dnl
230connect:
231SECTION(acl, connect-tail)m4_dnl
232 ## Configure variables according to the submission mode.
233 warn acl = check_submission
234
235 ## Done.
236 accept
237
238check_submission:
239 ## See whether this message needs hacking on.
240 accept !hosts = +thishost
241 !condition = ${if ={$received_port}{CONF_submission_port}}
242 set acl_c_mode = relay
243
244 ## Remember to apply submission controls.
245 warn set acl_c_mode = submission
246 control = no_enforce_sync
247
248 ## Done.
249 accept
250
251SECTION(global, acl)m4_dnl
252acl_smtp_rcpt = rcpt
253SECTION(acl, rcpt)m4_dnl
254rcpt:
255
256 ## Reject if the client isn't allowed to relay and the recipient
257 ## isn't in one of our known domains.
258 require message = Relaying not permitted
259 acl = check_relay
260
261 ## Ensure that the recipient is routable.
262 require message = Invalid recipient \
263 ($recipient_verify_failure; $acl_verify_message)
264 verify = recipient
265
266SECTION(acl, misc)m4_dnl
267check_relay:
268 ## Accept either if the client is allowed to relay through us, or if
269 ## we're the correct place to send this mail.
270
271 ## Known clients and authenticated users are OK.
272 accept hosts = CONF_relay_clients
273 accept authenticated = *
274
275 ## Known domains are OK.
276 accept domains = +public
277
278 ## Finally, domains in our table are OK, unless they say they aren't.
279 accept domains = \
280 ${if exists{CONF_sysconf_dir/domains.conf} \
281 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
282 condition = DOMKV(service, {$value}{true})
283
284 ## Nope, that's not allowed.
285 deny
286
287SECTION(acl, rcpt-tail)m4_dnl
288 ## Everything checks out OK: let this one go through.
289 accept
290
291SECTION(global, acl)m4_dnl
292acl_smtp_data = data
293SECTION(acl, data)m4_dnl
294data:
295 ## Don't accept messages with overly-long lines.
296 deny message = line length exceeds SMTP permitted maximum: \
297 $max_received_linelength > 998
298 condition = ${if >{$max_received_linelength}{998}}
299
300SECTION(acl, data-tail)m4_dnl
301 accept
302
303SECTION(global, acl)m4_dnl
304acl_smtp_expn = expn_vrfy
305acl_smtp_vrfy = expn_vrfy
306SECTION(acl, misc)m4_dnl
307expn_vrfy:
308 accept hosts = +trusted
309 deny message = Suck it and see
310
311DIVERT(null)
312###--------------------------------------------------------------------------
313### Verification of sender address.
314
315SECTION(acl, misc)m4_dnl
316mail_check_auth:
317
318 ## If this isn't a submission then it doesn't need checking.
319 accept condition = ${if !eq{$acl_c_mode}{submission}}
320
321 ## If the caller hasn't formally authenticated, but this is a
322 ## loopback connection, then we can trust identd to tell us the right
323 ## answer. So we should stash the right name somewhere consistent.
324 warn set acl_c_user = $authenticated_id
325 hosts = +thishost
326 !authenticated = *
327 condition = ${if def:sender_ident}
328 set acl_c_user = $sender_ident
329
330 ## User must be authenticated by now.
331 deny message = Sender not authenticated
332 condition = ${if !def:acl_c_user}
333
334 ## Set the per-message authentication flag, since we now know that
335 ## there's a sensible value.
336 warn set acl_m_user = $acl_c_user
337
338 ## All done.
339 accept
340
341DIVERT(null)
342###--------------------------------------------------------------------------
343### Common options for forwarding routers.
344
345## We're pretty permissive here.
346m4_define(<:FILTER_BASE:>,
347 <:driver = redirect
348 modemask = 002
349 check_owner = false
350 check_group = false
351 allow_filter = true
352 allow_defer = true
353 allow_fail = true
354 forbid_blackhole = false
355 check_ancestor = true:>)
356
357## Common options for forwarding routers at verification time.
358m4_define(<:FILTER_VERIFY:>,
359 <:verify_only = true
360 user = CONF_filter_user
361 forbid_filter_dlfunc = true
362 forbid_filter_logwrite = true
363 forbid_filter_perl = true
364 forbid_filter_readsocket = true
365 forbid_filter_run = true
366 file_transport = dummy
367 directory_transport = dummy
368 pipe_transport = dummy
369 reply_transport = dummy:>)
370
371## Transports for redirection filters.
372m4_define(<:FILTER_TRANSPORTS:>,
373 <:file_transport = mailbox
374 directory_transport = maildir
375 pipe_transport = pipe
376 reply_transport = reply:>)
377
378m4_define(<:FILTER_ROUTER:>,
379<:$1_vrf:
380 $2
381 FILTER_VERIFY<::>$3
382$1:
383 $2
384 verify = no
385 FILTER_TRANSPORTS<::>$4:>)
386
387DIVERT(null)
388###--------------------------------------------------------------------------
389### Common routers.
390
391SECTION(routers, alias)m4_dnl
392## Look up the local part in the address map.
393alias:
394 driver = redirect
395 allow_fail = true
396 allow_defer = true
397 user = CONF_filter_user
398 FILTER_TRANSPORTS
399 local_parts = nwildlsearch; CONF_alias_file
400 data = ${expand:$local_part_data}
401SECTION(routers, alias-opts)m4_dnl
402
403DIVERT(null)
404###--------------------------------------------------------------------------
405### Some standard transports.
406
407m4_define(<:USER_DELIVERY:>,
408 <:delivery_date_add = true
409 envelope_to_add = true
410 return_path_add = true:>)
411
412m4_define(<:APPLY_HEADER_CHANGES:>,
413 <:headers_add = m4_ifelse(<:$1:>, <::>,
414 <:$acl_m_hdradd:>,
415 <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
416 $1:>)
417 headers_remove = m4_ifelse(<:$2:>, <::>,
418 <:$acl_m_hdrrm:>,
419 <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
420 $2:>):>)
421
422m4_define(<:DKIM_SIGN_P:>,
423 <:and {{exists{CONF_sysconf_dir/dkim-sign.conf}} \
424 {!def:h_DKIM-Signature:} \
425 {!def:h_List-ID:} \
426 {or {{def:authenticated_id} \
427 {def:authenticated_sender}}} \
428 {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>)
429
430m4_define(<:DKIM_KEYS_INSTANCE:>,
431 <:${lookup {${domain:$h_From:}} partial0-lsearch \
432 {CONF_sysconf_dir/dkim-sign.conf} \
433 _LOOKUP_ARGS(<:$1:>, <:$2:>)}:>)
434m4_define(<:DKIM_KEYS_STATE:>, <:${lookup {$1} lsearch \
435 {DKIM_KEYS_INSTANCE(<:{CONF_dkim_keys_dir/$value/active/dkim-keys.state}:>)} \
436 _LOOKUP_ARGS(<:$2:>, <:$3:>, <:fail:>)}:>)
437m4_define(<:DKIM_KEYS_INFO:>, <:DKIM_KEYS_STATE(<:params:>,
438 <:{${if and {{>={$tod_epoch}{KV(t0)}} \
439 {<{$tod_epoch}{${eval:KV(t0) + KV(n)*KV(step)}}}} \
440 {DKIM_KEYS_STATE(<:info.${eval:($tod_epoch - KV(t0))/KV(step)}:>,
441 <:$1:>, <:$2:>)} \
442 m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)}}:>,
443 m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)):>)
444
445m4_define(<:DKIM_SIGN:>,
446 <:dkim_domain = \
447 ${if DKIM_SIGN_P \
448 {DKIM_KEYS_INSTANCE({${domain:$h_From:}})}}
449 dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>)
450 dkim_private_key = \
451 DKIM_KEYS_INSTANCE(<:m4_dnl
452 {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>)
453 dkim_canon = relaxed
454 dkim_strict = true
455 ## The following ridiculous stunt does two important jobs. Firstly,
456 ## and more obviously, it arranges to include one more copy of each
457 ## header name than the message actually contains, thereby causing
458 ## the signature to fail if another header with the same name is
459 ## added. And secondly, and far more subtly, it also trims the
460 ## spaces from the header names so that they're in the format that
461 ## the signing machinery secretly wants.
462 dkim_sign_headers = \
463 ${sg {${map {CONF_dkim_headers : \
464 X-CONF_header_token-DKIM-Key-Publication} \
465 {$item${sg {${expand:\$h_$item:}\n} \
466 {((?:[^\n]+|\n\\s+)*)\n} \
467 {:$item}}}}} \
468 {::}{:}}
469 headers_add = \
470 ${if DKIM_SIGN_P \
471 {DKIM_KEYS_INFO(<:m4_dnl
472 {X-CONF_header_token-DKIM-Key-Publication: \
473 DKIM signature not suitable \
474 as evidence after delivery;\n\t\
475 DKIM private key KV(k) will be \
476 published\n\t\
477 at KV(u)\n\t\
478 on or before KV(tpub)}:>)}}:>)
479
480
481m4_define(<:SMTP_DELIVERY:>,
482 <:## Prevent sending messages with overly long lines. The use of
483 ## `message_size_limit' here is somewhat misleading.
484 message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
485
486SECTION(transports)m4_dnl
487## A standard transport for remote delivery. By default, try to do TLS, and
488## don't worry too much if it's not very secure: the alternative is sending
489## in plaintext anyway. But all of this can be overridden from the
490## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
491## expanded before use, so we can't set it the obvious way. Instead, encode
492## it into the transport name. This is very unpleasant, of course.
493smtp:
494 driver = smtp
495 SMTP_DELIVERY
496 APPLY_HEADER_CHANGES
497 DKIM_SIGN
498 tls_require_ciphers = CONF_acceptable_ciphers
499 tls_dh_min_bits = 508
500 tls_tempfail_tryclear = true
501
502m4_define(<:SMTP_TRANS_DHBITS:>,
503 <:driver = smtp
504 SMTP_DELIVERY
505 APPLY_HEADER_CHANGES
506 DKIM_SIGN
507 hosts_try_auth = *
508 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
509 hosts_require_auth = \
510 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
511 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
512 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
513 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
514 tls_require_ciphers = \
515 DOMKV(tls-ciphers,
516 {${extract {${expand:$value}} \
517 { good = CONF_good_ciphers \
518 any = CONF_acceptable_ciphers } \
519 {$value} \
520 {${expand:$value}}}} \
521 {CONF_acceptable_ciphers})
522 tls_dh_min_bits = $1
523 tls_tempfail_tryclear = true:>)m4_dnl
524smtp_dhbits_512:
525 SMTP_TRANS_DHBITS(508)
526smtp_dhbits_768:
527 SMTP_TRANS_DHBITS(764)
528smtp_dhbits_1024:
529 SMTP_TRANS_DHBITS(1020)
530smtp_dhbits_2048:
531 SMTP_TRANS_DHBITS(2044)
532
533## Transport to a local SMTP server; use TLS and perform client
534## authentication.
535smtp_local:
536 driver = smtp
537 SMTP_DELIVERY
538 APPLY_HEADER_CHANGES
539 hosts_require_tls = *
540 tls_certificate = CONF_sysconf_dir/client.certlist
541 tls_privatekey = CONF_sysconf_dir/client.key
542 tls_verify_certificates = CONF_ca_dir/ca.cert
543 tls_require_ciphers = CONF_good_ciphers
544 tls_dh_min_bits = 2046
545 tls_tempfail_tryclear = false
546 authenticated_sender_force = true
547 authenticated_sender = \
548 ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
549 {${if def:authenticated_sender {$authenticated_sender} \
550 fail}}}
551
552## A standard transport for local delivery.
553deliver:
554 driver = appendfile
555 APPLY_HEADER_CHANGES
556 file = /var/mail/$local_part
557 group = mail
558 mode = 0600
559 mode_fail_narrower = false
560 USER_DELIVERY
561
562## Transports for user filters.
563mailbox:
564 driver = appendfile
565 APPLY_HEADER_CHANGES
566 initgroups = true
567 USER_DELIVERY
568
569maildir:
570 driver = appendfile
571 APPLY_HEADER_CHANGES
572 maildir_format = true
573 initgroups = true
574 USER_DELIVERY
575
576pipe:
577 driver = pipe
578 APPLY_HEADER_CHANGES
579 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
580 /usr/local/bin:/usr/local/sbin:\
581 /usr/bin:/usr/sbin:/bin:/sbin
582 initgroups = true
583 umask = 002
584 return_fail_output = true
585 log_output = true
586
587## A special dummy transport for use during address verification.
588dummy:
589 driver = appendfile
590 file = /dev/null
591
592DIVERT(null)
593###--------------------------------------------------------------------------
594### Retry configuration.
595
596SECTION(retry, default)m4_dnl
597## Be persistent when sending to the site relay. It ought to work, but
598## particularly satellites such as laptops often encounter annoying temporary
599## failures due to network unavailability, and the usual gradual policy can
600## leave mail building up for no good reason.
601CONF_smarthost * \
602 F,4d,15m
603
604## Default.
605* * \
606 F,2h,15m; G,16h,2h,1.5; F,4d,6h
607
608DIVERT(null)
609###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.