~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
spam.m4: Capture extracting a field from `$address_data' in a macro.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 trusted_groups = CONF_trusted_groups
30 prod_requires_admin = false
31
32 SECTION(global, logging)m4_dnl
33 log_file_path = : syslog
34 log_selector = \
35 +smtp_confirmation \
36 +tls_peerdn
37 log_timezone = true
38 syslog_duplication = false
39 syslog_timestamp = false
40
41 SECTION(global, daemon)m4_dnl
42 local_interfaces = <; CONF_interfaces
43 extra_local_interfaces = <; 0.0.0.0 ; ::0
44
45 SECTION(global, resource)m4_dnl
46 deliver_queue_load_max = 8
47 queue_only_load = 12
48 smtp_accept_max = 16
49 smtp_accept_queue = 32
50 smtp_accept_reserve = 4
51 smtp_load_reserve = 10
52 smtp_reserve_hosts = +trusted
53
54 SECTION(global, policy)m4_dnl
55 host_lookup = *
56
57 SECTION(global, users)m4_dnl
58 gecos_name = $1
59 gecos_pattern = ([^,:]*)
60
61 SECTION(global, incoming)m4_dnl
62 received_header_text = Received: \
63 ${if def:sender_rcvhost \
64 {from $sender_rcvhost\n\t} \
65 {${if def:sender_ident \
66 {from ${quote_local_part:$sender_ident} }}}}\
67 by $primary_hostname \
68 (Exim $version_number)\
69 ${if def:tls_cipher {\n\t} { }}\
70 ${if def:received_protocol \
71 {with $received_protocol \
72 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
73 ${if def:sender_address \
74 {(envelope-from $sender_address\
75 ${if def:authenticated_id \
76 {; auth=$authenticated_id}})\n\t}}\
77 id $message_exim_id\
78 ${if def:received_for {\n\tfor $received_for}}
79
80 SECTION(global, smtp)m4_dnl
81 smtp_return_error_details = true
82 accept_8bitmime = true
83
84 SECTION(global, env)m4_dnl
85 keep_environment =
86
87 SECTION(global, process)m4_dnl
88 extract_addresses_remove_arguments = false
89 headers_charset = utf-8
90 qualify_domain = CONF_master_domain
91 untrusted_set_sender = *
92 local_from_check = false
93 local_sender_retain = true
94
95 SECTION(global, bounce)m4_dnl
96 delay_warning = 1h : 24h : 2d
97
98 SECTION(global, tls)m4_dnl
99 tls_certificate = CONF_sysconf_dir/server.certlist
100 tls_privatekey = CONF_sysconf_dir/server.key
101 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
102 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
103 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
104 {match_ip {$sender_host_address}{+trusted}}} \
105 {CONF_good_ciphers} \
106 {CONF_acceptable_ciphers}}
107 tls_verify_certificates = CONF_ca_dir/ca.cert
108 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
109
110 DIVERT(null)
111 ###--------------------------------------------------------------------------
112 ### Access control lists.
113
114 SECTION(global, acl-after)
115 SECTION(global, acl)m4_dnl
116 acl_smtp_helo = helo
117 SECTION(acl, misc)m4_dnl
118 helo:
119 ## Check that the caller's claimed identity is actually plausible.
120 ## This seems like it's a fairly effective filter on spamminess, but
121 ## it's too blunt a tool. Rather than reject, add a warning header.
122 ## Only we can't do this the easy way, so save it up for use in MAIL.
123 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
124 ## and we should only care about the most recent one.
125 warn set acl_c_helo_warning = false
126 !condition = \
127 ${if and {{match_ip {$sender_host_address} \
128 {<; 127.0.0.0/8 ; ::1}} \
129 {match_domain {$sender_helo_name} \
130 {localhost : +thishost}}}}
131 !condition = \
132 ${if exists {CONF_sysconf_dir/helo.conf} \
133 {${lookup {$sender_helo_name} \
134 partial0-lsearch \
135 {CONF_sysconf_dir/helo.conf} \
136 {${if match_ip \
137 {$sender_host_address} \
138 {<; $value}}}}}}
139 !verify = helo
140 set acl_c_helo_warning = true
141
142 accept
143
144 SECTION(global, acl)m4_dnl
145 acl_not_smtp_start = not_smtp_start
146 SECTION(acl, misc)m4_dnl
147 not_smtp_start:
148 ## Record the user's name.
149 warn set acl_c_user = $sender_ident
150
151 ## Done.
152 accept
153
154 SECTION(global, acl)m4_dnl
155 acl_smtp_mail = mail
156 SECTION(acl, mail)m4_dnl
157 mail:
158
159 ## If we stashed a warning header about HELO from earlier, we should
160 ## add it now. Only don't bother if the client has authenticated
161 ## successfully for submission (because we can't expect mobile
162 ## clients to be properly set up knowing their names), or it's one of
163 ## our own satellites (because they're either properly set up anyway,
164 ## or satellites using us as a smarthost).
165 warn condition = $acl_c_helo_warning
166 !condition = ${if eq{$acl_c_mode}{submission}}
167 !hosts = +allnets
168 WARNING_HEADER(BADHELO,
169 <:Client's HELO doesn't match its IP address.\n\t\
170 helo-name=$sender_helo_name \
171 address=$sender_host_address:>)
172
173 ## Always allow the empty sender, so that we can receive bounces.
174 accept senders = :
175
176 ## Ensure that the sender looks valid.
177 require acl = mail_check_sender
178
179 ## If this is directly from a client then hack on it for a while.
180 warn condition = ${if eq{$acl_c_mode}{submission}}
181 control = submission/sender_retain
182
183 ## Insist that a local client connect through TLS.
184 deny message = Hosts within CONF_master_domain must use TLS
185 !condition = ${if eq{$acl_c_mode}{submission}}
186 hosts = +allnets
187 !encrypted = *
188
189 ## Check that a submitted message's sender address is allowable.
190 require acl = mail_check_auth
191
192 SECTION(acl, mail-tail)m4_dnl
193 ## And we're done.
194 accept
195
196 SECTION(acl, misc)m4_dnl
197 mail_check_sender:
198
199 ## See whether there's a special exception for this sender domain.
200 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
201 {KV(senders, {$value}{})},
202 {})}
203
204 ## Ensure that the sender is routable. This is important to prevent
205 ## undeliverable bounces.
206 require message = Invalid sender; \
207 ($sender_verify_failure; $acl_verify_message)
208 verify = sender
209
210 ## We're good, then.
211 accept
212
213 SECTION(global, acl)m4_dnl
214 acl_smtp_connect = connect
215 SECTION(acl, connect)m4_dnl
216 connect:
217 SECTION(acl, connect-tail)m4_dnl
218 ## Configure variables according to the submission mode.
219 warn acl = check_submission
220
221 ## Done.
222 accept
223
224 check_submission:
225 ## See whether this message needs hacking on.
226 accept !hosts = +thishost
227 !condition = ${if ={$received_port}{CONF_submission_port}}
228 set acl_c_mode = relay
229
230 ## Remember to apply submission controls.
231 warn set acl_c_mode = submission
232
233 ## Done.
234 accept
235
236 SECTION(global, acl)m4_dnl
237 acl_smtp_rcpt = rcpt
238 SECTION(acl, rcpt)m4_dnl
239 rcpt:
240
241 ## Reject if the client isn't allowed to relay and the recipient
242 ## isn't in one of our known domains.
243 require message = Relaying not permitted
244 acl = check_relay
245
246 ## Ensure that the recipient is routable.
247 require message = Invalid recipient \
248 ($recipient_verify_failure; $acl_verify_message)
249 verify = recipient
250
251 SECTION(acl, misc)m4_dnl
252 check_relay:
253 ## Accept either if the client is allowed to relay through us, or if
254 ## we're the correct place to send this mail.
255
256 ## Known clients and authenticated users are OK.
257 accept hosts = CONF_relay_clients
258 accept authenticated = *
259
260 ## Known domains are OK.
261 accept domains = +public
262
263 ## Finally, domains in our table are OK, unless they say they aren't.
264 accept domains = \
265 ${if exists{CONF_sysconf_dir/domains.conf} \
266 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
267 condition = DOMKV(service, {$value}{true})
268
269 ## Nope, that's not allowed.
270 deny
271
272 SECTION(acl, rcpt-tail)m4_dnl
273 ## Everything checks out OK: let this one go through.
274 accept
275
276 SECTION(global, acl)m4_dnl
277 acl_smtp_data = data
278 SECTION(acl, data)m4_dnl
279 data:
280
281 SECTION(acl, data-tail)m4_dnl
282 accept
283
284 SECTION(global, acl)m4_dnl
285 acl_smtp_expn = expn_vrfy
286 acl_smtp_vrfy = expn_vrfy
287 SECTION(acl, misc)m4_dnl
288 expn_vrfy:
289 accept hosts = +trusted
290 deny message = Suck it and see
291
292 DIVERT(null)
293 ###--------------------------------------------------------------------------
294 ### Verification of sender address.
295
296 SECTION(acl, misc)m4_dnl
297 mail_check_auth:
298
299 ## If this isn't a submission then it doesn't need checking.
300 accept condition = ${if !eq{$acl_c_mode}{submission}}
301
302 ## If the caller hasn't formally authenticated, but this is a
303 ## loopback connection, then we can trust identd to tell us the right
304 ## answer. So we should stash the right name somewhere consistent.
305 warn set acl_c_user = $authenticated_id
306 hosts = +thishost
307 !authenticated = *
308 condition = ${if def:sender_ident}
309 set acl_c_user = $sender_ident
310
311 ## User must be authenticated by now.
312 deny message = Sender not authenticated
313 condition = ${if !def:acl_c_user}
314
315 ## All done.
316 accept
317
318 DIVERT(null)
319 ###--------------------------------------------------------------------------
320 ### Common options for forwarding routers.
321
322 ## We're pretty permissive here.
323 m4_define(<:FILTER_BASE:>,
324 <:driver = redirect
325 modemask = 002
326 check_owner = false
327 check_group = false
328 allow_filter = true
329 allow_defer = true
330 allow_fail = true
331 forbid_blackhole = false
332 check_ancestor = true:>)
333
334 ## Common options for forwarding routers at verification time.
335 m4_define(<:FILTER_VERIFY:>,
336 <:verify_only = true
337 user = CONF_filter_user
338 forbid_filter_dlfunc = true
339 forbid_filter_logwrite = true
340 forbid_filter_perl = true
341 forbid_filter_readsocket = true
342 forbid_filter_run = true
343 file_transport = dummy
344 directory_transport = dummy
345 pipe_transport = dummy
346 reply_transport = dummy:>)
347
348 ## Transports for redirection filters.
349 m4_define(<:FILTER_TRANSPORTS:>,
350 <:file_transport = mailbox
351 directory_transport = maildir
352 pipe_transport = pipe
353 reply_transport = reply:>)
354
355 m4_define(<:FILTER_ROUTER:>,
356 <:$1_vrf:
357 $2
358 FILTER_VERIFY<::>$3
359 $1:
360 $2
361 verify = no
362 FILTER_TRANSPORTS<::>$4:>)
363
364 DIVERT(null)
365 ###--------------------------------------------------------------------------
366 ### Common routers.
367
368 SECTION(routers, alias)m4_dnl
369 ## Look up the local part in the address map.
370 alias:
371 driver = redirect
372 allow_fail = true
373 allow_defer = true
374 user = CONF_filter_user
375 FILTER_TRANSPORTS
376 local_parts = nwildlsearch; CONF_alias_file
377 data = ${expand:$local_part_data}
378 SECTION(routers, alias-opts)m4_dnl
379
380 DIVERT(null)
381 ###--------------------------------------------------------------------------
382 ### Some standard transports.
383
384 m4_define(<:USER_DELIVERY:>,
385 <:delivery_date_add = true
386 envelope_to_add = true
387 return_path_add = true:>)
388
389 m4_define(<:APPLY_HEADER_CHANGES:>,
390 <:headers_add = m4_ifelse(<:$1:>, <::>,
391 <:$acl_m_hdradd:>,
392 <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
393 $1:>)
394 headers_remove = m4_ifelse(<:$2:>, <::>,
395 <:$acl_m_hdrrm:>,
396 <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
397 $2:>):>)
398
399 SECTION(transports)m4_dnl
400 ## A standard transport for remote delivery. By default, try to do TLS, and
401 ## don't worry too much if it's not very secure: the alternative is sending
402 ## in plaintext anyway. But all of this can be overridden from the
403 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
404 ## expanded before use, so we can't set it the obvious way. Instead, encode
405 ## it into the transport name. This is very unpleasant, of course.
406 smtp:
407 driver = smtp
408 APPLY_HEADER_CHANGES
409 tls_require_ciphers = CONF_acceptable_ciphers
410 tls_dh_min_bits = 1020
411 tls_tempfail_tryclear = true
412
413 m4_define(<:SMTP_TRANS_DHBITS:>,
414 <:driver = smtp
415 APPLY_HEADER_CHANGES
416 hosts_try_auth = *
417 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
418 hosts_require_auth = \
419 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
420 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
421 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
422 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
423 tls_require_ciphers = \
424 DOMKV(tls-ciphers,
425 {${extract {${expand:$value}} \
426 { good = CONF_good_ciphers \
427 any = CONF_acceptable_ciphers } \
428 {$value} \
429 {${expand:$value}}}} \
430 {CONF_acceptable_ciphers})
431 tls_dh_min_bits = $1
432 tls_tempfail_tryclear = true:>)m4_dnl
433 smtp_dhbits_1024:
434 SMTP_TRANS_DHBITS(1020)
435 smtp_dhbits_2048:
436 SMTP_TRANS_DHBITS(2046)
437
438 ## Transport to a local SMTP server; use TLS and perform client
439 ## authentication.
440 smtp_local:
441 driver = smtp
442 APPLY_HEADER_CHANGES
443 hosts_require_tls = *
444 tls_certificate = CONF_sysconf_dir/client.certlist
445 tls_privatekey = CONF_sysconf_dir/client.key
446 tls_verify_certificates = CONF_ca_dir/ca.cert
447 tls_require_ciphers = CONF_good_ciphers
448 tls_dh_min_bits = 2046
449 tls_tempfail_tryclear = false
450 authenticated_sender = ${if def:authenticated_id \
451 {$authenticated_id@CONF_master_domain} \
452 fail}
453
454 ## A standard transport for local delivery.
455 deliver:
456 driver = appendfile
457 APPLY_HEADER_CHANGES
458 file = /var/mail/$local_part
459 group = mail
460 mode = 0600
461 mode_fail_narrower = false
462 USER_DELIVERY
463
464 ## Transports for user filters.
465 mailbox:
466 driver = appendfile
467 APPLY_HEADER_CHANGES
468 initgroups = true
469 USER_DELIVERY
470
471 maildir:
472 driver = appendfile
473 APPLY_HEADER_CHANGES
474 maildir_format = true
475 initgroups = true
476 USER_DELIVERY
477
478 pipe:
479 driver = pipe
480 APPLY_HEADER_CHANGES
481 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
482 /usr/local/bin:/usr/local/sbin:\
483 /usr/bin:/usr/sbin:/bin:/sbin
484 initgroups = true
485 umask = 002
486 return_fail_output = true
487 log_output = true
488
489 ## A special dummy transport for use during address verification.
490 dummy:
491 driver = appendfile
492 file = /dev/null
493
494 DIVERT(null)
495 ###--------------------------------------------------------------------------
496 ### Retry configuration.
497
498 SECTION(retry, default)m4_dnl
499 ## Default.
500 * * \
501 F,2h,15m; G,16h,2h,1.5; F,4d,6h
502
503 DIVERT(null)
504 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.