~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
auth.m4, base.m4, lists.m4: Allow local submission to port 25.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 prod_requires_admin = false
30
31 SECTION(global, logging)m4_dnl
32 log_file_path = : syslog
33 log_selector = \
34 +smtp_confirmation \
35 +tls_peerdn
36 log_timezone = true
37 syslog_duplication = false
38 syslog_timestamp = false
39
40 SECTION(global, daemon)m4_dnl
41 local_interfaces = <; CONF_interfaces
42 extra_local_interfaces = <; 0.0.0.0 ; ::
43
44 SECTION(global, resource)m4_dnl
45 deliver_queue_load_max = 8
46 queue_only_load = 12
47 smtp_accept_max = 16
48 smtp_accept_queue = 32
49 smtp_accept_reserve = 4
50 smtp_load_reserve = 10
51 smtp_reserve_hosts = +trusted
52
53 SECTION(global, policy)m4_dnl
54 host_lookup = *
55
56 SECTION(global, users)m4_dnl
57 gecos_name = $1
58 gecos_pattern = ([^,:]*)
59
60 SECTION(global, incoming)m4_dnl
61 received_header_text = Received: \
62 ${if def:sender_rcvhost \
63 {from $sender_rcvhost\n\t} \
64 {${if def:sender_ident \
65 {from ${quote_local_part:$sender_ident} }}}}\
66 by $primary_hostname \
67 (Exim $version_number)\
68 ${if def:tls_cipher {\n\t} { }}\
69 ${if def:received_protocol \
70 {with $received_protocol \
71 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
72 ${if def:sender_address \
73 {(envelope-from $sender_address\
74 ${if def:authenticated_id \
75 {; auth=$authenticated_id}})\n\t}}\
76 id $message_exim_id\
77 ${if def:received_for {\n\tfor $received_for}}
78
79 SECTION(global, smtp)m4_dnl
80 smtp_return_error_details = true
81 accept_8bitmime = true
82
83 SECTION(global, process)m4_dnl
84 extract_addresses_remove_arguments = false
85 headers_charset = utf-8
86 qualify_domain = CONF_master_domain
87
88 SECTION(global, bounce)m4_dnl
89 delay_warning = 1h : 24h : 2d
90
91 DIVERT(null)
92 ###--------------------------------------------------------------------------
93 ### Access control lists.
94
95 SECTION(global, acl-after)
96 SECTION(global, acl)m4_dnl
97 acl_smtp_helo = helo
98 SECTION(acl, misc)m4_dnl
99 helo:
100 ## Check that the caller's claimed identity is actually plausible.
101 ## This seems like it's a fairly effective filter on spamminess, but
102 ## it's too blunt a tool. Rather than reject, add a warning header.
103 ## Only we can't do this the easy way, so save it up for use in MAIL.
104 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
105 ## and we should only care about the most recent one.
106 warn set acl_c_helo_warning = false
107 !condition = \
108 ${if and {{match_ip {$sender_host_address} \
109 {<; 127.0.0.0/8 ; ::1}} \
110 {match_domain {$sender_helo_name} \
111 {localhost : +thishost}}}}
112 !condition = \
113 ${if exists {CONF_sysconf_dir/helo.conf} \
114 {${lookup {$sender_helo_name} \
115 partial0-lsearch \
116 {CONF_sysconf_dir/helo.conf} \
117 {${if match_ip \
118 {$sender_host_address} \
119 {$value}}}}}}
120 !verify = helo
121 set acl_c_helo_warning = true
122
123 accept
124
125 SECTION(global, acl)m4_dnl
126 acl_not_smtp_start = not_smtp_start
127 SECTION(acl, misc)m4_dnl
128 not_smtp_start:
129 ## Record the user's name.
130 warn set acl_c_user = $sender_ident
131
132 ## Done.
133 accept
134
135 SECTION(global, acl)m4_dnl
136 acl_smtp_mail = mail
137 SECTION(acl, mail)m4_dnl
138 mail:
139
140 ## If we stashed a warning header about HELO from earlier, we should
141 ## add it now.
142 warn condition = $acl_c_helo_warning
143 add_header = :after_received:X-Distorted-Warning: \
144 BADHELO \
145 Client's HELO doesn't match its IP address.\n\t\
146 HELO name=$sender_helo_name, \
147 address=$sender_host_address
148
149 ## Always allow the empty sender, so that we can receive bounces.
150 accept senders = :
151
152 ## Ensure that the sender is routable. This is important to prevent
153 ## undeliverable bounces.
154 require message = Invalid sender; \
155 ($sender_verify_failure; $acl_verify_message)
156 verify = sender
157
158 ## If this is directly from a client then hack on it for a while.
159 warn condition = ${if eq{$acl_c_mode}{submission}}
160 control = submission
161
162 ## Insist that a local client connect through TLS.
163 deny message = Hosts within CONF_master_domain must use TLS
164 !condition = ${if eq{$acl_c_mode}{submission}}
165 hosts = +allnets
166 !encrypted = *
167
168 ## Check that a submitted message's sender address is allowable.
169 require acl = mail_check_auth
170
171 SECTION(acl, mail-tail)m4_dnl
172 ## And we're done.
173 accept
174
175 SECTION(global, acl)m4_dnl
176 acl_smtp_connect = connect
177 SECTION(acl, connect)m4_dnl
178 connect:
179 SECTION(acl, connect-tail)m4_dnl
180 ## Configure variables according to the submission mode.
181 warn acl = check_submission
182
183 ## Done.
184 accept
185
186 check_submission:
187 ## See whether this message needs hacking on.
188 accept !hosts = +thishost
189 !condition = ${if ={$received_port}{CONF_submission_port}}
190 set acl_c_mode = relay
191
192 ## Remember to apply submission controls.
193 warn set acl_c_mode = submission
194
195 ## Done.
196 accept
197
198 SECTION(global, acl)m4_dnl
199 acl_smtp_rcpt = rcpt
200 SECTION(acl, rcpt)m4_dnl
201 rcpt:
202
203 ## Reject if the client isn't allowed to relay and the recipient
204 ## isn't in one of our known domains.
205 deny message = Relaying not permitted
206 !hosts = CONF_relay_clients
207 !authenticated = *
208 !domains = +known
209
210 ## Ensure that the recipient is routable.
211 require message = Invalid recipient \
212 ($recipient_verify_failure; $acl_verify_message)
213 verify = recipient
214
215 SECTION(acl, rcpt-tail)m4_dnl
216 ## Everything checks out OK: let this one go through.
217 accept
218
219 SECTION(global, acl)m4_dnl
220 acl_smtp_data = data
221 SECTION(acl, data)m4_dnl
222 data:
223
224 SECTION(acl, data-tail)m4_dnl
225 accept
226
227 SECTION(global, acl)m4_dnl
228 acl_smtp_expn = expn_vrfy
229 acl_smtp_vrfy = expn_vrfy
230 SECTION(acl)m4_dnl
231 expn_vrfy:
232 accept hosts = +trusted
233 deny message = Suck it and see
234
235 DIVERT(null)
236 ###--------------------------------------------------------------------------
237 ### Verification of sender address.
238
239 SECTION(acl, misc)m4_dnl
240 mail_check_auth:
241
242 ## If this isn't a submission then it doesn't need checking.
243 accept condition = ${if !eq{$acl_c_mode}{submission}}
244
245 ## If the caller hasn't formally authenticated, but this is a
246 ## loopback connection, then we can trust identd to tell us the right
247 ## answer. So we should stash the right name somewhere consistent.
248 warn set acl_c_user = $authenticated_id
249 hosts = +thishost
250 !authenticated = *
251 set acl_c_user = $sender_ident
252
253 ## User must be authenticated.
254 deny message = Sender not authenticated
255 !hosts = +thishost
256 !authenticated = *
257
258 ## Make sure that the local part is one that the authenticated sender
259 ## is allowed to claim.
260 deny message = Sender address forbidden to calling user
261 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
262 {${if and {{match_local_part \
263 {$acl_c_user} \
264 {+dom_users}} \
265 {match_local_part \
266 {$sender_address_local_part} \
267 {+dom_locals}}}}},
268 {${if and {{match_local_part \
269 {$sender_address_local_part} \
270 {+user_extaddr}} \
271 {or {{eq {$sender_address_domain} \
272 {}} \
273 {match_domain \
274 {$sender_address_domain} \
275 {+public}}}}}}})}
276
277 ## All done.
278 accept
279
280 DIVERT(null)
281 ###--------------------------------------------------------------------------
282 ### Common options for forwarding routers.
283
284 ## We're pretty permissive here.
285 m4_define(<:FILTER_BASE:>,
286 <:driver = redirect
287 modemask = 002
288 check_owner = false
289 check_group = false
290 allow_filter = true
291 allow_defer = true
292 allow_fail = true
293 forbid_blackhole = false
294 check_ancestor = true:>)
295
296 ## Common options for forwarding routers at verification time.
297 m4_define(<:FILTER_VERIFY:>,
298 <:verify_only = true
299 user = CONF_filter_user
300 forbid_filter_dlfunc = true
301 forbid_filter_logwrite = true
302 forbid_filter_perl = true
303 forbid_filter_readsocket = true
304 forbid_filter_run = true
305 file_transport = dummy
306 directory_transport = dummy
307 pipe_transport = dummy
308 reply_transport = dummy:>)
309
310 ## Transports for redirection filters.
311 m4_define(<:FILTER_TRANSPORTS:>,
312 <:file_transport = mailbox
313 directory_transport = maildir
314 pipe_transport = pipe
315 reply_transport = reply:>)
316
317 m4_define(<:FILTER_ROUTER:>,
318 <:$1_vrf:
319 $2
320 FILTER_VERIFY<::>$3
321 $1:
322 $2
323 verify = no
324 FILTER_TRANSPORTS<::>$4:>)
325
326 DIVERT(null)
327 ###--------------------------------------------------------------------------
328 ### Some standard transports.
329
330 m4_define(<:USER_DELIVERY:>,
331 <:delivery_date_add = true
332 envelope_to_add = true
333 return_path_add = true:>)
334
335 SECTION(transports)m4_dnl
336 ## A standard transport for remote delivery. Try to do TLS, and don't worry
337 ## too much if it's not very secure: the alternative is sending in plaintext
338 ## anyway.
339 smtp:
340 driver = smtp
341 tls_require_ciphers = CONF_acceptable_ciphers
342 tls_dh_min_bits = 1020
343 tls_tempfail_tryclear = true
344
345 ## Transport to a local SMTP server; use TLS and perform client
346 ## authentication.
347 smtp_local:
348 driver = smtp
349 hosts_require_tls = *
350 tls_certificate = CONF_sysconf_dir/client.cert
351 tls_privatekey = CONF_sysconf_dir/client.key
352 tls_verify_certificates = CONF_ca_dir/ca.cert
353 tls_require_ciphers = CONF_good_ciphers
354 tls_dh_min_bits = 2046
355 tls_tempfail_tryclear = false
356 authenticated_sender = ${if def:authenticated_id \
357 {$authenticated_id@CONF_master_domain} \
358 fail}
359
360 ## A standard transport for local delivery.
361 deliver:
362 driver = appendfile
363 file = /var/mail/$local_part
364 group = mail
365 mode = 0600
366 mode_fail_narrower = false
367 USER_DELIVERY
368
369 ## Transports for user filters.
370 mailbox:
371 driver = appendfile
372 initgroups = true
373 USER_DELIVERY
374
375 maildir:
376 driver = appendfile
377 maildir_format = true
378 initgroups = true
379 USER_DELIVERY
380
381 pipe:
382 driver = pipe
383 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
384 /usr/local/bin:/usr/local/sbin:\
385 /usr/bin:/usr/sbin:/bin:/sbin
386 initgroups = true
387 umask = 002
388 return_fail_output = true
389 log_output = true
390
391 ## A special dummy transport for use during address verification.
392 dummy:
393 driver = appendfile
394 file = /dev/null
395
396 DIVERT(null)
397 ###--------------------------------------------------------------------------
398 ### Retry configuration.
399
400 SECTION(retry, default)m4_dnl
401 ## Default.
402 * * \
403 F,2h,15m; G,16h,2h,1.5; F,4d,6h
404
405 DIVERT(null)
406 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.