~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
lists.m4: Update the IP address lists following server move.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 trusted_groups = CONF_trusted_groups
30 prod_requires_admin = false
31
32 SECTION(global, logging)m4_dnl
33 log_file_path = : syslog
34 log_selector = \
35 +smtp_confirmation \
36 +tls_peerdn
37 log_timezone = true
38 syslog_duplication = false
39 syslog_timestamp = false
40
41 SECTION(global, daemon)m4_dnl
42 local_interfaces = <; CONF_interfaces
43 extra_local_interfaces = <; 0.0.0.0 ; ::0
44
45 SECTION(global, resource)m4_dnl
46 deliver_queue_load_max = 8
47 message_size_limit = 500M
48 queue_only_load = 12
49 smtp_accept_max = 16
50 smtp_accept_queue = 32
51 smtp_accept_reserve = 4
52 smtp_load_reserve = 10
53 smtp_reserve_hosts = +trusted
54
55 SECTION(global, policy)m4_dnl
56 host_lookup = *
57
58 SECTION(global, users)m4_dnl
59 gecos_name = $1
60 gecos_pattern = ([^,:]*)
61
62 SECTION(global, incoming)m4_dnl
63 rfc1413_hosts = *
64 rfc1413_query_timeout = 10s
65 received_header_text = Received: \
66 ${if def:sender_rcvhost \
67 {from $sender_rcvhost\n\t} \
68 {${if def:sender_ident \
69 {from ${quote_local_part:$sender_ident} }}}}\
70 by $primary_hostname \
71 (Exim $version_number)\
72 ${if def:tls_cipher {\n\t} { }}\
73 ${if def:received_protocol \
74 {with $received_protocol \
75 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
76 ${if def:sender_address \
77 {(envelope-from $sender_address\
78 ${if def:authenticated_id \
79 {; auth=${quote_local_part:$authenticated_id}} \
80 {${if and {{def:authenticated_sender} \
81 {match_address{$authenticated_sender} \
82 {*@CONF_master_domain}}} \
83 {; auth=${quote_local_part:\
84 ${local_part:\
85 $authenticated_sender}}}}}})\n\t}}\
86 id $message_exim_id\
87 ${if def:received_for {\n\tfor $received_for}}
88
89 SECTION(global, smtp)m4_dnl
90 smtp_return_error_details = true
91 accept_8bitmime = true
92 chunking_advertise_hosts =
93
94 SECTION(global, env)m4_dnl
95 keep_environment =
96
97 SECTION(global, process)m4_dnl
98 extract_addresses_remove_arguments = false
99 headers_charset = utf-8
100 qualify_domain = CONF_master_domain
101 untrusted_set_sender = *
102 local_from_check = false
103 local_sender_retain = true
104
105 SECTION(global, bounce)m4_dnl
106 delay_warning = 1h : 24h : 2d
107
108 SECTION(global, tls)m4_dnl
109 tls_certificate = CONF_certlist
110 tls_privatekey = CONF_sysconf_dir/server.key
111 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
112 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
113 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
114 {match_ip {$sender_host_address}{+trusted}}} \
115 {CONF_good_ciphers} \
116 {CONF_acceptable_ciphers}}
117 tls_verify_certificates = CONF_ca_dir/ca.cert
118 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
119
120 DIVERT(null)
121 ###--------------------------------------------------------------------------
122 ### Access control lists.
123
124 SECTION(global, acl-after)
125 SECTION(global, acl)m4_dnl
126 acl_smtp_helo = helo
127 SECTION(acl, misc)m4_dnl
128 helo:
129 ## Don't worry if this is local submission. MUAs won't necessarily
130 ## have a clear idea of their hostnames. (For some reason.)
131 accept condition = ${if !eq{$acl_c_mode}{submission}}
132
133 ## Check that the caller's claimed identity is actually plausible.
134 ## This seems like it's a fairly effective filter on spamminess, but
135 ## it's too blunt a tool. Rather than reject, add a warning header.
136 ## Only we can't do this the easy way, so save it up for use in MAIL.
137 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
138 ## and we should only care about the most recent one.
139 warn set acl_c_helo_warning = false
140 !condition = \
141 ${if and {{match_ip {$sender_host_address} \
142 {<; 127.0.0.0/8 ; ::1}} \
143 {match_domain {$sender_helo_name} \
144 {localhost : +thishost}}}}
145 !condition = \
146 ${if exists {CONF_sysconf_dir/helo.conf} \
147 {${lookup {$sender_helo_name} \
148 partial0-lsearch \
149 {CONF_sysconf_dir/helo.conf} \
150 {${if match_ip \
151 {$sender_host_address} \
152 {<; $value}}}}}}
153 !verify = helo
154 set acl_c_helo_warning = true
155
156 accept
157
158 SECTION(global, acl)m4_dnl
159 acl_not_smtp_start = not_smtp_start
160 SECTION(acl, misc)m4_dnl
161 not_smtp_start:
162 ## Record the user's name.
163 warn set acl_c_user = $sender_ident
164 set acl_m_user = $sender_ident
165
166 ## Done.
167 accept
168
169 SECTION(global, acl)m4_dnl
170 acl_smtp_mail = mail
171 SECTION(acl, mail)m4_dnl
172 mail:
173
174 ## If we stashed a warning header about HELO from earlier, we should
175 ## add it now. Only don't bother if the client has authenticated
176 ## successfully for submission (because we can't expect mobile
177 ## clients to be properly set up knowing their names), or it's one of
178 ## our own satellites (because they're either properly set up anyway,
179 ## or satellites using us as a smarthost).
180 warn condition = $acl_c_helo_warning
181 !condition = ${if eq{$acl_c_mode}{submission}}
182 !hosts = +allnets
183 WARNING_HEADER(BADHELO,
184 <:Client's HELO doesn't match its IP address.\n\t\
185 helo-name=$sender_helo_name \
186 address=$sender_host_address:>)
187
188 ## Always allow the empty sender, so that we can receive bounces.
189 accept senders = :
190
191 ## Ensure that the sender looks valid.
192 require acl = mail_check_sender
193
194 ## If this is directly from a client then hack on it for a while.
195 warn condition = ${if eq{$acl_c_mode}{submission}}
196 control = submission/sender_retain
197
198 ## Insist that a local client connect through TLS.
199 deny message = Hosts within CONF_master_domain must use TLS
200 !condition = ${if eq{$acl_c_mode}{submission}}
201 hosts = +allnets
202 !encrypted = *
203
204 ## Check that a submitted message's sender address is allowable.
205 require acl = mail_check_auth
206
207 SECTION(acl, mail-tail)m4_dnl
208 ## And we're done.
209 accept
210
211 SECTION(acl, misc)m4_dnl
212 mail_check_sender:
213
214 ## See whether there's a special exception for this sender domain.
215 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
216 {KV(senders, {$value}{})},
217 {})}
218
219 ## Ensure that the sender is routable. This is important to prevent
220 ## undeliverable bounces.
221 require message = Invalid sender; \
222 ($sender_verify_failure; $acl_verify_message)
223 verify = sender
224
225 ## We're good, then.
226 accept
227
228 SECTION(global, acl)m4_dnl
229 acl_smtp_connect = connect
230 SECTION(acl, connect)m4_dnl
231 connect:
232 SECTION(acl, connect-tail)m4_dnl
233 ## Configure variables according to the submission mode.
234 warn acl = check_submission
235
236 ## Done.
237 accept
238
239 check_submission:
240 ## See whether this message needs hacking on.
241 accept !hosts = +thishost
242 !condition = ${if ={$received_port}{CONF_submission_port}}
243 set acl_c_mode = relay
244
245 ## Remember to apply submission controls.
246 warn set acl_c_mode = submission
247 control = no_enforce_sync
248
249 ## Done.
250 accept
251
252 SECTION(global, acl)m4_dnl
253 acl_smtp_rcpt = rcpt
254 SECTION(acl, rcpt)m4_dnl
255 rcpt:
256
257 ## Reject if the client isn't allowed to relay and the recipient
258 ## isn't in one of our known domains.
259 require message = Relaying not permitted
260 acl = check_relay
261
262 ## Ensure that the recipient is routable.
263 require message = Invalid recipient \
264 ($recipient_verify_failure; $acl_verify_message)
265 verify = recipient
266
267 SECTION(acl, misc)m4_dnl
268 check_relay:
269 ## Accept either if the client is allowed to relay through us, or if
270 ## we're the correct place to send this mail.
271
272 ## Known clients and authenticated users are OK.
273 accept hosts = CONF_relay_clients
274 accept authenticated = *
275
276 ## Known domains are OK.
277 accept domains = +public
278
279 ## Finally, domains in our table are OK, unless they say they aren't.
280 accept domains = \
281 ${if exists{CONF_sysconf_dir/domains.conf} \
282 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
283 condition = DOMKV(service, {$value}{true})
284
285 ## Nope, that's not allowed.
286 deny
287
288 SECTION(acl, rcpt-tail)m4_dnl
289 ## Everything checks out OK: let this one go through.
290 accept
291
292 SECTION(global, acl)m4_dnl
293 acl_smtp_data = data
294 SECTION(acl, data)m4_dnl
295 data:
296 ## Don't accept messages with overly-long lines.
297 deny message = line length exceeds SMTP permitted maximum: \
298 $max_received_linelength > 998
299 condition = ${if >{$max_received_linelength}{998}}
300
301 SECTION(acl, data-tail)m4_dnl
302 accept
303
304 SECTION(global, acl)m4_dnl
305 acl_smtp_expn = expn_vrfy
306 acl_smtp_vrfy = expn_vrfy
307 SECTION(acl, misc)m4_dnl
308 expn_vrfy:
309 accept hosts = +trusted
310 deny message = Suck it and see
311
312 DIVERT(null)
313 ###--------------------------------------------------------------------------
314 ### Verification of sender address.
315
316 SECTION(acl, misc)m4_dnl
317 mail_check_auth:
318
319 ## If this isn't a submission then it doesn't need checking.
320 accept condition = ${if !eq{$acl_c_mode}{submission}}
321
322 ## If the caller hasn't formally authenticated, but this is a
323 ## loopback connection, then we can trust identd to tell us the right
324 ## answer. So we should stash the right name somewhere consistent.
325 warn set acl_c_user = $authenticated_id
326 hosts = +thishost
327 !authenticated = *
328 condition = ${if def:sender_ident}
329 set acl_c_user = $sender_ident
330
331 ## User must be authenticated by now.
332 deny message = Sender not authenticated
333 condition = ${if !def:acl_c_user}
334
335 ## Set the per-message authentication flag, since we now know that
336 ## there's a sensible value.
337 warn set acl_m_user = $acl_c_user
338
339 ## All done.
340 accept
341
342 DIVERT(null)
343 ###--------------------------------------------------------------------------
344 ### Common options for forwarding routers.
345
346 ## We're pretty permissive here.
347 m4_define(<:FILTER_BASE:>,
348 <:driver = redirect
349 modemask = 002
350 check_owner = false
351 check_group = false
352 allow_filter = true
353 allow_defer = true
354 allow_fail = true
355 forbid_blackhole = false
356 check_ancestor = true:>)
357
358 ## Common options for forwarding routers at verification time.
359 m4_define(<:FILTER_VERIFY:>,
360 <:verify_only = true
361 user = CONF_filter_user
362 forbid_filter_dlfunc = true
363 forbid_filter_logwrite = true
364 forbid_filter_perl = true
365 forbid_filter_readsocket = true
366 forbid_filter_run = true
367 file_transport = dummy
368 directory_transport = dummy
369 pipe_transport = dummy
370 reply_transport = dummy:>)
371
372 ## Transports for redirection filters.
373 m4_define(<:FILTER_TRANSPORTS:>,
374 <:file_transport = mailbox
375 directory_transport = maildir
376 pipe_transport = pipe
377 reply_transport = reply:>)
378
379 m4_define(<:FILTER_ROUTER:>,
380 <:$1_vrf:
381 $2
382 FILTER_VERIFY<::>$3
383 $1:
384 $2
385 verify = no
386 FILTER_TRANSPORTS<::>$4:>)
387
388 DIVERT(null)
389 ###--------------------------------------------------------------------------
390 ### Common routers.
391
392 SECTION(routers, alias)m4_dnl
393 ## Look up the local part in the address map.
394 alias:
395 driver = redirect
396 allow_fail = true
397 allow_defer = true
398 user = CONF_filter_user
399 FILTER_TRANSPORTS
400 local_parts = nwildlsearch; CONF_alias_file
401 data = ${expand:$local_part_data}
402 SECTION(routers, alias-opts)m4_dnl
403
404 DIVERT(null)
405 ###--------------------------------------------------------------------------
406 ### Some standard transports.
407
408 m4_define(<:USER_DELIVERY:>,
409 <:delivery_date_add = true
410 envelope_to_add = true
411 return_path_add = true:>)
412
413 m4_define(<:APPLY_HEADER_CHANGES:>,
414 <:headers_add = m4_ifelse(<:$1:>, <::>,
415 <:$acl_m_hdradd:>,
416 <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
417 $1:>)
418 headers_remove = m4_ifelse(<:$2:>, <::>,
419 <:$acl_m_hdrrm:>,
420 <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
421 $2:>):>)
422
423 m4_define(<:SMTP_DELIVERY:>,
424 <:## Prevent sending messages with overly long lines. The use of
425 ## `message_size_limit' here is somewhat misleading.
426 message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
427
428 SECTION(transports)m4_dnl
429 ## A standard transport for remote delivery. By default, try to do TLS, and
430 ## don't worry too much if it's not very secure: the alternative is sending
431 ## in plaintext anyway. But all of this can be overridden from the
432 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
433 ## expanded before use, so we can't set it the obvious way. Instead, encode
434 ## it into the transport name. This is very unpleasant, of course.
435 smtp:
436 driver = smtp
437 APPLY_HEADER_CHANGES
438 tls_require_ciphers = CONF_acceptable_ciphers
439 tls_dh_min_bits = 508
440 tls_tempfail_tryclear = true
441
442 m4_define(<:SMTP_TRANS_DHBITS:>,
443 <:driver = smtp
444 SMTP_DELIVERY
445 APPLY_HEADER_CHANGES
446 hosts_try_auth = *
447 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
448 hosts_require_auth = \
449 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
450 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
451 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
452 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
453 tls_require_ciphers = \
454 DOMKV(tls-ciphers,
455 {${extract {${expand:$value}} \
456 { good = CONF_good_ciphers \
457 any = CONF_acceptable_ciphers } \
458 {$value} \
459 {${expand:$value}}}} \
460 {CONF_acceptable_ciphers})
461 tls_dh_min_bits = $1
462 tls_tempfail_tryclear = true:>)m4_dnl
463 smtp_dhbits_512:
464 SMTP_TRANS_DHBITS(508)
465 smtp_dhbits_768:
466 SMTP_TRANS_DHBITS(764)
467 smtp_dhbits_1024:
468 SMTP_TRANS_DHBITS(1020)
469 smtp_dhbits_2048:
470 SMTP_TRANS_DHBITS(2044)
471
472 ## Transport to a local SMTP server; use TLS and perform client
473 ## authentication.
474 smtp_local:
475 driver = smtp
476 SMTP_DELIVERY
477 APPLY_HEADER_CHANGES
478 hosts_require_tls = *
479 tls_certificate = CONF_sysconf_dir/client.certlist
480 tls_privatekey = CONF_sysconf_dir/client.key
481 tls_verify_certificates = CONF_ca_dir/ca.cert
482 tls_require_ciphers = CONF_good_ciphers
483 tls_dh_min_bits = 2046
484 tls_tempfail_tryclear = false
485 authenticated_sender_force = true
486 authenticated_sender = \
487 ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
488 {${if def:authenticated_sender {$authenticated_sender} \
489 fail}}}
490
491 ## A standard transport for local delivery.
492 deliver:
493 driver = appendfile
494 APPLY_HEADER_CHANGES
495 file = /var/mail/$local_part
496 group = mail
497 mode = 0600
498 mode_fail_narrower = false
499 USER_DELIVERY
500
501 ## Transports for user filters.
502 mailbox:
503 driver = appendfile
504 APPLY_HEADER_CHANGES
505 initgroups = true
506 USER_DELIVERY
507
508 maildir:
509 driver = appendfile
510 APPLY_HEADER_CHANGES
511 maildir_format = true
512 initgroups = true
513 USER_DELIVERY
514
515 pipe:
516 driver = pipe
517 APPLY_HEADER_CHANGES
518 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
519 /usr/local/bin:/usr/local/sbin:\
520 /usr/bin:/usr/sbin:/bin:/sbin
521 initgroups = true
522 umask = 002
523 return_fail_output = true
524 log_output = true
525
526 ## A special dummy transport for use during address verification.
527 dummy:
528 driver = appendfile
529 file = /dev/null
530
531 DIVERT(null)
532 ###--------------------------------------------------------------------------
533 ### Retry configuration.
534
535 SECTION(retry, default)m4_dnl
536 ## Be persistent when sending to the site relay. It ought to work, but
537 ## particularly satellites such as laptops often encounter annoying temporary
538 ## failures due to network unavailability, and the usual gradual policy can
539 ## leave mail building up for no good reason.
540 CONF_smarthost * \
541 F,4d,15m
542
543 ## Default.
544 * * \
545 F,2h,15m; G,16h,2h,1.5; F,4d,6h
546
547 DIVERT(null)
548 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.