~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
base.m4, vhost.m4: Very hacky DH field-size limitation.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 prod_requires_admin = false
30
31 SECTION(global, logging)m4_dnl
32 log_file_path = : syslog
33 log_selector = \
34 +smtp_confirmation \
35 +tls_peerdn
36 log_timezone = true
37 syslog_duplication = false
38 syslog_timestamp = false
39
40 SECTION(global, daemon)m4_dnl
41 local_interfaces = <; CONF_interfaces
42 extra_local_interfaces = <; 0.0.0.0 ; ::
43
44 SECTION(global, resource)m4_dnl
45 deliver_queue_load_max = 8
46 queue_only_load = 12
47 smtp_accept_max = 16
48 smtp_accept_queue = 32
49 smtp_accept_reserve = 4
50 smtp_load_reserve = 10
51 smtp_reserve_hosts = +trusted
52
53 SECTION(global, policy)m4_dnl
54 host_lookup = *
55
56 SECTION(global, users)m4_dnl
57 gecos_name = $1
58 gecos_pattern = ([^,:]*)
59
60 SECTION(global, incoming)m4_dnl
61 received_header_text = Received: \
62 ${if def:sender_rcvhost \
63 {from $sender_rcvhost\n\t} \
64 {${if def:sender_ident \
65 {from ${quote_local_part:$sender_ident} }}}}\
66 by $primary_hostname \
67 (Exim $version_number)\
68 ${if def:tls_cipher {\n\t} { }}\
69 ${if def:received_protocol \
70 {with $received_protocol \
71 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
72 ${if def:sender_address \
73 {(envelope-from $sender_address\
74 ${if def:authenticated_id \
75 {; auth=$authenticated_id}})\n\t}}\
76 id $message_exim_id\
77 ${if def:received_for {\n\tfor $received_for}}
78
79 SECTION(global, smtp)m4_dnl
80 smtp_return_error_details = true
81 accept_8bitmime = true
82
83 SECTION(global, process)m4_dnl
84 extract_addresses_remove_arguments = false
85 headers_charset = utf-8
86 qualify_domain = CONF_master_domain
87
88 SECTION(global, bounce)m4_dnl
89 delay_warning = 1h : 24h : 2d
90
91 SECTION(global, tls)m4_dnl
92 tls_certificate = CONF_sysconf_dir/server.cert
93 tls_privatekey = CONF_sysconf_dir/server.key
94 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
95 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
96 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
97 {match_ip {$sender_host_address}{+trusted}}} \
98 {CONF_good_ciphers} \
99 {CONF_acceptable_ciphers}}
100 tls_verify_certificates = CONF_ca_dir/ca.cert
101 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
102
103 DIVERT(null)
104 ###--------------------------------------------------------------------------
105 ### Access control lists.
106
107 SECTION(global, acl-after)
108 SECTION(global, acl)m4_dnl
109 acl_smtp_helo = helo
110 SECTION(acl, misc)m4_dnl
111 helo:
112 ## Check that the caller's claimed identity is actually plausible.
113 ## This seems like it's a fairly effective filter on spamminess, but
114 ## it's too blunt a tool. Rather than reject, add a warning header.
115 ## Only we can't do this the easy way, so save it up for use in MAIL.
116 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
117 ## and we should only care about the most recent one.
118 warn set acl_c_helo_warning = false
119 !condition = \
120 ${if and {{match_ip {$sender_host_address} \
121 {<; 127.0.0.0/8 ; ::1}} \
122 {match_domain {$sender_helo_name} \
123 {localhost : +thishost}}}}
124 !condition = \
125 ${if exists {CONF_sysconf_dir/helo.conf} \
126 {${lookup {$sender_helo_name} \
127 partial0-lsearch \
128 {CONF_sysconf_dir/helo.conf} \
129 {${if match_ip \
130 {$sender_host_address} \
131 {$value}}}}}}
132 !verify = helo
133 set acl_c_helo_warning = true
134
135 accept
136
137 SECTION(global, acl)m4_dnl
138 acl_not_smtp_start = not_smtp_start
139 SECTION(acl, misc)m4_dnl
140 not_smtp_start:
141 ## Record the user's name.
142 warn set acl_c_user = $sender_ident
143
144 ## Done.
145 accept
146
147 SECTION(global, acl)m4_dnl
148 acl_smtp_mail = mail
149 SECTION(acl, mail)m4_dnl
150 mail:
151
152 ## If we stashed a warning header about HELO from earlier, we should
153 ## add it now.
154 warn condition = $acl_c_helo_warning
155 add_header = :after_received:X-Distorted-Warning: \
156 BADHELO \
157 Client's HELO doesn't match its IP address.\n\t\
158 helo-name=$sender_helo_name \
159 address=$sender_host_address
160
161 ## Always allow the empty sender, so that we can receive bounces.
162 accept senders = :
163
164 ## Ensure that the sender is routable. This is important to prevent
165 ## undeliverable bounces.
166 require message = Invalid sender; \
167 ($sender_verify_failure; $acl_verify_message)
168 verify = sender
169
170 ## If this is directly from a client then hack on it for a while.
171 warn condition = ${if eq{$acl_c_mode}{submission}}
172 control = submission
173
174 ## Insist that a local client connect through TLS.
175 deny message = Hosts within CONF_master_domain must use TLS
176 !condition = ${if eq{$acl_c_mode}{submission}}
177 hosts = +allnets
178 !encrypted = *
179
180 ## Check that a submitted message's sender address is allowable.
181 require acl = mail_check_auth
182
183 SECTION(acl, mail-tail)m4_dnl
184 ## And we're done.
185 accept
186
187 SECTION(global, acl)m4_dnl
188 acl_smtp_connect = connect
189 SECTION(acl, connect)m4_dnl
190 connect:
191 SECTION(acl, connect-tail)m4_dnl
192 ## Configure variables according to the submission mode.
193 warn acl = check_submission
194
195 ## Done.
196 accept
197
198 check_submission:
199 ## See whether this message needs hacking on.
200 accept !hosts = +thishost
201 !condition = ${if ={$received_port}{CONF_submission_port}}
202 set acl_c_mode = relay
203
204 ## Remember to apply submission controls.
205 warn set acl_c_mode = submission
206
207 ## Done.
208 accept
209
210 SECTION(global, acl)m4_dnl
211 acl_smtp_rcpt = rcpt
212 SECTION(acl, rcpt)m4_dnl
213 rcpt:
214
215 ## Reject if the client isn't allowed to relay and the recipient
216 ## isn't in one of our known domains.
217 deny message = Relaying not permitted
218 !hosts = CONF_relay_clients
219 !authenticated = *
220 !domains = +known
221
222 ## Ensure that the recipient is routable.
223 require message = Invalid recipient \
224 ($recipient_verify_failure; $acl_verify_message)
225 verify = recipient
226
227 SECTION(acl, rcpt-tail)m4_dnl
228 ## Everything checks out OK: let this one go through.
229 accept
230
231 SECTION(global, acl)m4_dnl
232 acl_smtp_data = data
233 SECTION(acl, data)m4_dnl
234 data:
235
236 SECTION(acl, data-tail)m4_dnl
237 accept
238
239 SECTION(global, acl)m4_dnl
240 acl_smtp_expn = expn_vrfy
241 acl_smtp_vrfy = expn_vrfy
242 SECTION(acl)m4_dnl
243 expn_vrfy:
244 accept hosts = +trusted
245 deny message = Suck it and see
246
247 DIVERT(null)
248 ###--------------------------------------------------------------------------
249 ### Verification of sender address.
250
251 SECTION(acl, misc)m4_dnl
252 mail_check_auth:
253
254 ## If this isn't a submission then it doesn't need checking.
255 accept condition = ${if !eq{$acl_c_mode}{submission}}
256
257 ## If the caller hasn't formally authenticated, but this is a
258 ## loopback connection, then we can trust identd to tell us the right
259 ## answer. So we should stash the right name somewhere consistent.
260 warn set acl_c_user = $authenticated_id
261 hosts = +thishost
262 !authenticated = *
263 set acl_c_user = $sender_ident
264
265 ## User must be authenticated.
266 deny message = Sender not authenticated
267 !hosts = +thishost
268 !authenticated = *
269
270 ## Make sure that the local part is one that the authenticated sender
271 ## is allowed to claim.
272 deny message = Sender address forbidden to calling user
273 !condition = ${LOOKUP_DOMAIN($sender_address_domain,
274 {${if and {{match_local_part \
275 {$acl_c_user} \
276 {+dom_users}} \
277 {match_local_part \
278 {$sender_address_local_part} \
279 {+dom_locals}}}}},
280 {${if and {{match_local_part \
281 {$sender_address_local_part} \
282 {+user_extaddr}} \
283 {or {{eq {$sender_address_domain} \
284 {}} \
285 {match_domain \
286 {$sender_address_domain} \
287 {+public}}}}}}})}
288
289 ## All done.
290 accept
291
292 DIVERT(null)
293 ###--------------------------------------------------------------------------
294 ### Common options for forwarding routers.
295
296 ## We're pretty permissive here.
297 m4_define(<:FILTER_BASE:>,
298 <:driver = redirect
299 modemask = 002
300 check_owner = false
301 check_group = false
302 allow_filter = true
303 allow_defer = true
304 allow_fail = true
305 forbid_blackhole = false
306 check_ancestor = true:>)
307
308 ## Common options for forwarding routers at verification time.
309 m4_define(<:FILTER_VERIFY:>,
310 <:verify_only = true
311 user = CONF_filter_user
312 forbid_filter_dlfunc = true
313 forbid_filter_logwrite = true
314 forbid_filter_perl = true
315 forbid_filter_readsocket = true
316 forbid_filter_run = true
317 file_transport = dummy
318 directory_transport = dummy
319 pipe_transport = dummy
320 reply_transport = dummy:>)
321
322 ## Transports for redirection filters.
323 m4_define(<:FILTER_TRANSPORTS:>,
324 <:file_transport = mailbox
325 directory_transport = maildir
326 pipe_transport = pipe
327 reply_transport = reply:>)
328
329 m4_define(<:FILTER_ROUTER:>,
330 <:$1_vrf:
331 $2
332 FILTER_VERIFY<::>$3
333 $1:
334 $2
335 verify = no
336 FILTER_TRANSPORTS<::>$4:>)
337
338 DIVERT(null)
339 ###--------------------------------------------------------------------------
340 ### Some standard transports.
341
342 m4_define(<:USER_DELIVERY:>,
343 <:delivery_date_add = true
344 envelope_to_add = true
345 return_path_add = true:>)
346
347 SECTION(transports)m4_dnl
348 ## A standard transport for remote delivery. By default, try to do TLS, and
349 ## don't worry too much if it's not very secure: the alternative is sending
350 ## in plaintext anyway. But all of this can be overridden from the
351 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
352 ## expanded before use, so we can't set it the obvious way. Instead, encode
353 ## it into the transport name. This is very unpleasant, of course.
354 m4_define(<:SMTP_TRANS_DHBITS:>,
355 <:driver = smtp
356 hosts_try_auth = *
357 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
358 hosts_require_auth = \
359 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
360 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
361 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
362 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
363 tls_require_ciphers = \
364 DOMKV(tls-ciphers,
365 {${extract {${expand:$value}} \
366 { good = CONF_good_ciphers \
367 any = CONF_acceptable_ciphers } \
368 {$value} \
369 {${expand:$value}}}} \
370 {CONF_acceptable_ciphers})
371 tls_dh_min_bits = $1
372 tls_tempfail_tryclear = true:>)m4_dnl
373 smtp:
374 SMTP_TRANS_DHBITS(1020)
375 smtp_dhbits_1024:
376 SMTP_TRANS_DHBITS(1020)
377 smtp_dhbits_2048:
378 SMTP_TRANS_DHBITS(2046)
379
380 ## Transport to a local SMTP server; use TLS and perform client
381 ## authentication.
382 smtp_local:
383 driver = smtp
384 hosts_require_tls = *
385 tls_certificate = CONF_sysconf_dir/client.cert
386 tls_privatekey = CONF_sysconf_dir/client.key
387 tls_verify_certificates = CONF_ca_dir/ca.cert
388 tls_require_ciphers = CONF_good_ciphers
389 tls_dh_min_bits = 2046
390 tls_tempfail_tryclear = false
391 authenticated_sender = ${if def:authenticated_id \
392 {$authenticated_id@CONF_master_domain} \
393 fail}
394
395 ## A standard transport for local delivery.
396 deliver:
397 driver = appendfile
398 file = /var/mail/$local_part
399 group = mail
400 mode = 0600
401 mode_fail_narrower = false
402 USER_DELIVERY
403
404 ## Transports for user filters.
405 mailbox:
406 driver = appendfile
407 initgroups = true
408 USER_DELIVERY
409
410 maildir:
411 driver = appendfile
412 maildir_format = true
413 initgroups = true
414 USER_DELIVERY
415
416 pipe:
417 driver = pipe
418 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
419 /usr/local/bin:/usr/local/sbin:\
420 /usr/bin:/usr/sbin:/bin:/sbin
421 initgroups = true
422 umask = 002
423 return_fail_output = true
424 log_output = true
425
426 ## A special dummy transport for use during address verification.
427 dummy:
428 driver = appendfile
429 file = /dev/null
430
431 DIVERT(null)
432 ###--------------------------------------------------------------------------
433 ### Retry configuration.
434
435 SECTION(retry, default)m4_dnl
436 ## Default.
437 * * \
438 F,2h,15m; G,16h,2h,1.5; F,4d,6h
439
440 DIVERT(null)
441 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.