mdw@git.distorted.org.uk Git - exim-config/blob - base.m4

   1 ### -*-m4-*-
   2 ###
   3 ### Basic settings for distorted.org.uk Exim configuration
   4 ###
   5 ### (c) 2012 Mark Wooding
   6 ###
   7
   8 ###----- Licensing notice ---------------------------------------------------
   9 ###
  10 ### This program is free software; you can redistribute it and/or modify
  11 ### it under the terms of the GNU General Public License as published by
  12 ### the Free Software Foundation; either version 2 of the License, or
  13 ### (at your option) any later version.
  14 ###
  15 ### This program is distributed in the hope that it will be useful,
  16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18 ### GNU General Public License for more details.
  19 ###
  20 ### You should have received a copy of the GNU General Public License
  21 ### along with this program; if not, write to the Free Software Foundation,
  22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  23
  24 ###--------------------------------------------------------------------------
  25 ### Global settings.
  26
  27 SECTION(global, priv)m4_dnl
  28 admin_groups = root : adm
  29 prod_requires_admin = false
  30
  31 SECTION(global, logging)m4_dnl
  32 log_file_path = : syslog
  33 log_selector = \
  34         +smtp_confirmation \
  35         +tls_peerdn
  36 log_timezone = true
  37 syslog_duplication = false
  38 syslog_timestamp = false
  39
  40 SECTION(global, daemon)m4_dnl
  41 local_interfaces = <; CONF_interfaces
  42 extra_local_interfaces = <; 0.0.0.0 ; ::
  43
  44 SECTION(global, resource)m4_dnl
  45 deliver_queue_load_max = 8
  46 queue_only_load = 12
  47 smtp_accept_max = 16
  48 smtp_accept_queue = 32
  49 smtp_accept_reserve = 4
  50 smtp_load_reserve = 10
  51 smtp_reserve_hosts = +trusted
  52
  53 SECTION(global, policy)m4_dnl
  54 host_lookup = *
  55
  56 SECTION(global, users)m4_dnl
  57 gecos_name = $1
  58 gecos_pattern = ([^,:]*)
  59
  60 SECTION(global, incoming)m4_dnl
  61 received_header_text = Received: \
  62         ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
  63              {${if def:sender_ident \
  64                    {from ${quote_local_part:$sender_ident} }}\
  65               ${if def:sender_helo_name \
  66                    {(helo=$sender_helo_name)\n\t}}}}\
  67         by $primary_hostname \
  68         ${if def:received_protocol \
  69              {with $received_protocol \
  70               ${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
  71         (Exim $version_number)\n\t\
  72         ${if def:sender_address \
  73              {(envelope-from <$sender_address>\
  74               ${if def:authenticated_id \
  75                    {; auth=$authenticated_id}})\n\t}}\
  76         id $message_exim_id\
  77         ${if def:received_for {\n\tfor $received_for}}
  78
  79 SECTION(global, smtp)m4_dnl
  80 smtp_return_error_details = true
  81 accept_8bitmime = true
  82
  83 SECTION(global, process)m4_dnl
  84 extract_addresses_remove_arguments = false
  85 headers_charset = utf-8
  86 qualify_domain = CONF_master_domain
  87
  88 SECTION(global, bounce)m4_dnl
  89 delay_warning = 1h : 24h : 2d
  90
  91 DIVERT(null)
  92 ###--------------------------------------------------------------------------
  93 ### Access control lists.
  94
  95 SECTION(global, acl-after)
  96 SECTION(global, acl)m4_dnl
  97 acl_smtp_helo = helo
  98 SECTION(acl, misc)m4_dnl
  99 helo:
 100         require  message = The other one has bells on
 101                  verify = helo
 102
 103         accept
 104
 105 SECTION(global, acl)m4_dnl
 106 acl_smtp_mail = mail
 107 SECTION(acl, mail)m4_dnl
 108 mail:
 109
 110         ## Always allow the empty sender, so that we can receive bounces.
 111         accept   senders = :
 112
 113         ## Ensure that the sender is routable.  This is important to prevent
 114         ## undeliverable bounces.
 115         require  message = Invalid sender; \
 116                         ($sender_verify_failure; $acl_verify_message)
 117                  verify = sender
 118
 119         ## If this is directly from a client then hack on it for a while.
 120         warn     condition = ${if eq{$acl_c_mode}{submission}}
 121                  control = submission
 122
 123 SECTION(acl, mail-tail)m4_dnl
 124         ## And we're done.
 125         accept
 126
 127 SECTION(global, acl)m4_dnl
 128 acl_smtp_connect = connect
 129 SECTION(acl, connect)m4_dnl
 130 connect:
 131 SECTION(acl, connect-tail)m4_dnl
 132         ## Configure variables according to the submission mode.
 133         warn     acl = check_submission
 134
 135         ## Done.
 136         accept
 137
 138 check_submission:
 139         ## See whether this message needs hacking on.
 140         accept  !hosts = +localnet
 141                 !condition = ${if ={$received_port}{CONF_submission_port}}
 142                  set acl_c_mode = relay
 143
 144         ## Remember to apply submission controls.
 145         warn     set acl_c_mode = submission
 146
 147         ## Done.
 148         accept
 149
 150 SECTION(global, acl)m4_dnl
 151 acl_smtp_rcpt = rcpt
 152 SECTION(acl, rcpt)m4_dnl
 153 rcpt:
 154
 155         ## Reject if the client isn't allowed to relay and the recipient
 156         ## isn't in one of our known domains.
 157         deny     message = Relaying not permitted
 158                 !hosts = CONF_relay_clients
 159                 !authenticated = *
 160                 !domains = +known
 161
 162         ## Ensure that the recipient is routable.
 163         require  message = Invalid recipient \
 164                         ($recipient_verify_failure; $acl_verify_message)
 165                  verify = recipient
 166
 167 SECTION(acl, rcpt-tail)m4_dnl
 168         ## Everything checks out OK: let this one go through.
 169         accept
 170
 171 SECTION(global, acl)m4_dnl
 172 acl_smtp_data = data
 173 SECTION(acl, data)m4_dnl
 174 data:
 175
 176 SECTION(acl, data-tail)m4_dnl
 177         accept
 178
 179 SECTION(global, acl)m4_dnl
 180 acl_smtp_expn = expn_vrfy
 181 acl_smtp_vrfy = expn_vrfy
 182 SECTION(acl)m4_dnl
 183 expn_vrfy:
 184         accept   hosts = +trusted
 185         deny     message = Suck it and see
 186
 187 DIVERT(null)
 188 ###--------------------------------------------------------------------------
 189 ### Common options for forwarding routers.
 190
 191 ## We're pretty permissive here.
 192 m4_define(<:FILTER_BASE:>,
 193         <:driver = redirect
 194         modemask = 002
 195         check_owner = false
 196         check_group = false
 197         allow_filter = true
 198         allow_defer = true
 199         allow_fail = true
 200         forbid_blackhole = false
 201         check_ancestor = true:>)
 202
 203 ## Common options for forwarding routers at verification time.
 204 m4_define(<:FILTER_VERIFY:>,
 205         <:verify_only = true
 206         user = CONF_filter_user
 207         forbid_filter_dlfunc = true
 208         forbid_filter_logwrite = true
 209         forbid_filter_perl = true
 210         forbid_filter_readsocket = true
 211         forbid_filter_run = true
 212         file_transport = dummy
 213         directory_transport = dummy
 214         pipe_transport = dummy
 215         reply_transport = dummy:>)
 216
 217 ## Transports for redirection filters.
 218 m4_define(<:FILTER_TRANSPORTS:>,
 219         <:file_transport = mailbox
 220         directory_transport = maildir
 221         pipe_transport = pipe
 222         reply_transport = reply:>)
 223
 224 DIVERT(null)
 225 ###--------------------------------------------------------------------------
 226 ### Some standard transports.
 227
 228 m4_define(<:USER_DELIVERY:>,
 229         <:delivery_date_add = true
 230         envelope_to_add = true
 231         return_path_add = true:>)
 232
 233 SECTION(transports)m4_dnl
 234 ## A standard transport for remote delivery.  Try to do TLS, and don't worry
 235 ## too much if it's not very secure: the alternative is sending in plaintext
 236 ## anyway.
 237 smtp:
 238         driver = smtp
 239         tls_require_ciphers = CONF_acceptable_ciphers
 240         tls_dh_min_bits = 1020
 241         tls_tempfail_tryclear = true
 242
 243 ## Transport to a local SMTP server; use TLS and perform client
 244 ## authentication.
 245 smtp_local:
 246         driver = smtp
 247         hosts_require_tls = *
 248         tls_certificate = CONF_sysconf_dir/client.cert
 249         tls_privatekey = CONF_sysconf_dir/client.key
 250         tls_verify_certificates = CONF_ca_dir/ca.cert
 251         tls_require_ciphers = CONF_good_ciphers
 252         tls_dh_min_bits = 3070
 253         tls_tempfail_tryclear = false
 254         authenticated_sender = ${if def:authenticated_id \
 255                                     ${authenticated_id@CONF_master_domain} \
 256                                     fail}
 257
 258 ## A standard transport for local delivery.
 259 deliver:
 260         driver = appendfile
 261         file = /var/mail/$local_part
 262         group = mail
 263         mode = 0600
 264         mode_fail_narrower = false
 265         USER_DELIVERY
 266
 267 ## Transports for user filters.
 268 mailbox:
 269         driver = appendfile
 270         initgroups = true
 271         USER_DELIVERY
 272
 273 maildir:
 274         driver = appendfile
 275         maildir_format = true
 276         initgroups = true
 277         USER_DELIVERY
 278
 279 pipe:
 280         driver = pipe
 281         path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
 282                 /usr/local/bin:/usr/local/sbin:\
 283                 /usr/bin:/usr/sbin:/bin:/sbin
 284         initgroups = true
 285         umask = 002
 286         return_fail_output = true
 287         log_output = true
 288
 289 ## A special dummy transport for use during address verification.
 290 dummy:
 291         driver = appendfile
 292         file = /dev/null
 293
 294 DIVERT(null)
 295 ###--------------------------------------------------------------------------
 296 ### Retry configuration.
 297
 298 SECTION(retry, default)m4_dnl
 299 ## Default.
 300 *                                       * \
 301         F,2h,15m; G,16h,2h,1.5; F,4d,6h
 302
 303 DIVERT(null)
 304 ###----- That's all, folks --------------------------------------------------