~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
auth.m4, base.m4, exchange.m4: Make sender-address checking universal.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 prod_requires_admin = false
30
31 SECTION(global, logging)m4_dnl
32 log_file_path = : syslog
33 log_selector = \
34 +smtp_confirmation \
35 +tls_peerdn
36 log_timezone = true
37 syslog_duplication = false
38 syslog_timestamp = false
39
40 SECTION(global, daemon)m4_dnl
41 local_interfaces = <; CONF_interfaces
42 extra_local_interfaces = <; 0.0.0.0 ; ::
43
44 SECTION(global, resource)m4_dnl
45 deliver_queue_load_max = 8
46 queue_only_load = 12
47 smtp_accept_max = 16
48 smtp_accept_queue = 32
49 smtp_accept_reserve = 4
50 smtp_load_reserve = 10
51 smtp_reserve_hosts = +trusted
52
53 SECTION(global, policy)m4_dnl
54 host_lookup = *
55
56 SECTION(global, users)m4_dnl
57 gecos_name = $1
58 gecos_pattern = ([^,:]*)
59
60 SECTION(global, incoming)m4_dnl
61 received_header_text = Received: \
62 ${if def:sender_rcvhost \
63 {from $sender_rcvhost\
64 ${if def:sender_helo_name \
65 { (helo=$sender_helo_name)}}\n\t} \
66 {${if def:sender_ident \
67 {from ${quote_local_part:$sender_ident} }}}}\
68 by $primary_hostname \
69 (Exim $version_number)\
70 ${if def:tls_cipher {\n\t} { }}\
71 ${if def:received_protocol \
72 {with $received_protocol \
73 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
74 ${if def:sender_address \
75 {(envelope-from $sender_address\
76 ${if def:authenticated_id \
77 {; auth=$authenticated_id}})\n\t}}\
78 id $message_exim_id\
79 ${if def:received_for {\n\tfor $received_for}}
80
81 SECTION(global, smtp)m4_dnl
82 smtp_return_error_details = true
83 accept_8bitmime = true
84
85 SECTION(global, process)m4_dnl
86 extract_addresses_remove_arguments = false
87 headers_charset = utf-8
88 qualify_domain = CONF_master_domain
89
90 SECTION(global, bounce)m4_dnl
91 delay_warning = 1h : 24h : 2d
92
93 DIVERT(null)
94 ###--------------------------------------------------------------------------
95 ### Access control lists.
96
97 SECTION(global, acl-after)
98 SECTION(global, acl)m4_dnl
99 acl_smtp_helo = helo
100 SECTION(acl, misc)m4_dnl
101 helo:
102 ## Check that the caller's claimed identity is actually plausible.
103 ## This seems like it's a fairly effective filter on spamminess, but
104 ## it's too blunt a tool. Rather than reject, add a warning header.
105 ## Only we can't do this the easy way, so save it up for use in MAIL.
106 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
107 ## and we should only care about the most recent one.
108 warn set acl_c_helo_warning = false
109 !condition = \
110 ${if exists {CONF_sysconf_dir/helo.conf} \
111 {${lookup {$sender_helo_name} \
112 partial0-lsearch \
113 {CONF_sysconf_dir/helo.conf} \
114 {${if match_ip \
115 {$sender_host_address} \
116 {$value}}}}}}
117 !verify = helo
118 set acl_c_helo_warning = true
119
120 accept
121
122 SECTION(global, acl)m4_dnl
123 acl_not_smtp_start = not_smtp_start
124 SECTION(acl, misc)m4_dnl
125 not_smtp_start:
126 ## Record the user's name.
127 warn set acl_c_user = $sender_ident
128
129 ## Done.
130 accept
131
132 SECTION(global, acl)m4_dnl
133 acl_smtp_mail = mail
134 SECTION(acl, mail)m4_dnl
135 mail:
136
137 ## If we stashed a warning header about HELO from earlier, we should
138 ## add it now.
139 warn condition = $acl_c_helo_warning
140 add_header = :after_received:X-Distorted-Warning: \
141 BADHELO \
142 Client's HELO doesn't match its IP address.\n\t\
143 HELO name=$sender_helo_name, \
144 address=$sender_host_address
145
146 ## Always allow the empty sender, so that we can receive bounces.
147 accept senders = :
148
149 ## Ensure that the sender is routable. This is important to prevent
150 ## undeliverable bounces.
151 require message = Invalid sender; \
152 ($sender_verify_failure; $acl_verify_message)
153 verify = sender
154
155 ## If this is directly from a client then hack on it for a while.
156 warn condition = ${if eq{$acl_c_mode}{submission}}
157 control = submission
158
159 ## Insist that a local client connect through TLS.
160 deny message = Hosts within CONF_master_domain must use TLS
161 !condition = ${if eq{$acl_c_mode}{submission}}
162 hosts = +allnets
163 !encrypted = *
164
165 ## Check that a submitted message's sender address is allowable.
166 require acl = mail_check_auth
167
168 SECTION(acl, mail-tail)m4_dnl
169 ## And we're done.
170 accept
171
172 SECTION(global, acl)m4_dnl
173 acl_smtp_connect = connect
174 SECTION(acl, connect)m4_dnl
175 connect:
176 SECTION(acl, connect-tail)m4_dnl
177 ## Configure variables according to the submission mode.
178 warn acl = check_submission
179
180 ## Done.
181 accept
182
183 check_submission:
184 ## See whether this message needs hacking on.
185 accept !hosts = +localnet
186 !condition = ${if ={$received_port}{CONF_submission_port}}
187 set acl_c_mode = relay
188
189 ## Remember to apply submission controls.
190 warn set acl_c_mode = submission
191
192 ## Done.
193 accept
194
195 SECTION(global, acl)m4_dnl
196 acl_smtp_rcpt = rcpt
197 SECTION(acl, rcpt)m4_dnl
198 rcpt:
199
200 ## Reject if the client isn't allowed to relay and the recipient
201 ## isn't in one of our known domains.
202 deny message = Relaying not permitted
203 !hosts = CONF_relay_clients
204 !authenticated = *
205 !domains = +known
206
207 ## Ensure that the recipient is routable.
208 require message = Invalid recipient \
209 ($recipient_verify_failure; $acl_verify_message)
210 verify = recipient
211
212 SECTION(acl, rcpt-tail)m4_dnl
213 ## Everything checks out OK: let this one go through.
214 accept
215
216 SECTION(global, acl)m4_dnl
217 acl_smtp_data = data
218 SECTION(acl, data)m4_dnl
219 data:
220
221 SECTION(acl, data-tail)m4_dnl
222 accept
223
224 SECTION(global, acl)m4_dnl
225 acl_smtp_expn = expn_vrfy
226 acl_smtp_vrfy = expn_vrfy
227 SECTION(acl)m4_dnl
228 expn_vrfy:
229 accept hosts = +trusted
230 deny message = Suck it and see
231
232 DIVERT(null)
233 ###--------------------------------------------------------------------------
234 ### Verification of sender address.
235
236 SECTION(acl, misc)m4_dnl
237 mail_check_auth:
238
239 ## If this isn't a submission then it doesn't need checking.
240 accept condition = ${if !eq{$acl_c_mode}{submission}}
241
242 ## If the caller hasn't formally authenticated, but this is a
243 ## loopback connection, then we can trust identd to tell us the right
244 ## answer. So we should stash the right name somewhere consistent.
245 warn set acl_c_user = $authenticated_id
246 hosts = +localnet
247 !authenticated = *
248 set acl_c_user = $sender_ident
249
250 ## User must be authenticated.
251 deny message = Sender not authenticated
252 !hosts = +localnet
253 !authenticated = *
254
255 ## Make sure that the local part is one that the authenticated sender
256 ## is allowed to claim.
257 deny message = Sender address forbidden to calling user
258 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
259 {${if and {{match_local_part \
260 {$acl_c_user} \
261 {+dom_users}} \
262 {match_local_part \
263 {$sender_address_local_part} \
264 {+dom_locals}}}}},
265 {${if and {{match_local_part \
266 {$sender_address_local_part} \
267 {+user_extaddr}} \
268 {or {{eq {$sender_address_domain} \
269 {}} \
270 {match_domain \
271 {$sender_address_domain} \
272 {+public}}}}}}})}
273
274 ## All done.
275 accept
276
277 DIVERT(null)
278 ###--------------------------------------------------------------------------
279 ### Common options for forwarding routers.
280
281 ## We're pretty permissive here.
282 m4_define(<:FILTER_BASE:>,
283 <:driver = redirect
284 modemask = 002
285 check_owner = false
286 check_group = false
287 allow_filter = true
288 allow_defer = true
289 allow_fail = true
290 forbid_blackhole = false
291 check_ancestor = true:>)
292
293 ## Common options for forwarding routers at verification time.
294 m4_define(<:FILTER_VERIFY:>,
295 <:verify_only = true
296 user = CONF_filter_user
297 forbid_filter_dlfunc = true
298 forbid_filter_logwrite = true
299 forbid_filter_perl = true
300 forbid_filter_readsocket = true
301 forbid_filter_run = true
302 file_transport = dummy
303 directory_transport = dummy
304 pipe_transport = dummy
305 reply_transport = dummy:>)
306
307 ## Transports for redirection filters.
308 m4_define(<:FILTER_TRANSPORTS:>,
309 <:file_transport = mailbox
310 directory_transport = maildir
311 pipe_transport = pipe
312 reply_transport = reply:>)
313
314 m4_define(<:FILTER_ROUTER:>,
315 <:$1_vrf:
316 $2
317 FILTER_VERIFY<::>$3
318 $1:
319 $2
320 verify = no
321 FILTER_TRANSPORTS<::>$4:>)
322
323 DIVERT(null)
324 ###--------------------------------------------------------------------------
325 ### Some standard transports.
326
327 m4_define(<:USER_DELIVERY:>,
328 <:delivery_date_add = true
329 envelope_to_add = true
330 return_path_add = true:>)
331
332 SECTION(transports)m4_dnl
333 ## A standard transport for remote delivery. Try to do TLS, and don't worry
334 ## too much if it's not very secure: the alternative is sending in plaintext
335 ## anyway.
336 smtp:
337 driver = smtp
338 tls_require_ciphers = CONF_acceptable_ciphers
339 tls_dh_min_bits = 1020
340 tls_tempfail_tryclear = true
341
342 ## Transport to a local SMTP server; use TLS and perform client
343 ## authentication.
344 smtp_local:
345 driver = smtp
346 hosts_require_tls = *
347 tls_certificate = CONF_sysconf_dir/client.cert
348 tls_privatekey = CONF_sysconf_dir/client.key
349 tls_verify_certificates = CONF_ca_dir/ca.cert
350 tls_require_ciphers = CONF_good_ciphers
351 tls_dh_min_bits = 2046
352 tls_tempfail_tryclear = false
353 authenticated_sender = ${if def:authenticated_id \
354 {$authenticated_id@CONF_master_domain} \
355 fail}
356
357 ## A standard transport for local delivery.
358 deliver:
359 driver = appendfile
360 file = /var/mail/$local_part
361 group = mail
362 mode = 0600
363 mode_fail_narrower = false
364 USER_DELIVERY
365
366 ## Transports for user filters.
367 mailbox:
368 driver = appendfile
369 initgroups = true
370 USER_DELIVERY
371
372 maildir:
373 driver = appendfile
374 maildir_format = true
375 initgroups = true
376 USER_DELIVERY
377
378 pipe:
379 driver = pipe
380 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
381 /usr/local/bin:/usr/local/sbin:\
382 /usr/bin:/usr/sbin:/bin:/sbin
383 initgroups = true
384 umask = 002
385 return_fail_output = true
386 log_output = true
387
388 ## A special dummy transport for use during address verification.
389 dummy:
390 driver = appendfile
391 file = /dev/null
392
393 DIVERT(null)
394 ###--------------------------------------------------------------------------
395 ### Retry configuration.
396
397 SECTION(retry, default)m4_dnl
398 ## Default.
399 * * \
400 F,2h,15m; G,16h,2h,1.5; F,4d,6h
401
402 DIVERT(null)
403 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.