~mdw / exim-config / blob
? search:


c0dd8921d4b953532eda24b19c7d7bdd6410b5ff
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 trusted_groups = CONF_trusted_groups
30 prod_requires_admin = false
31
32 SECTION(global, logging)m4_dnl
33 log_file_path = : syslog
34 log_selector = \
35 +smtp_confirmation \
36 +tls_peerdn
37 log_timezone = true
38 syslog_duplication = false
39 syslog_timestamp = false
40
41 SECTION(global, daemon)m4_dnl
42 local_interfaces = <; CONF_interfaces
43 extra_local_interfaces = <; 0.0.0.0 ; ::0
44
45 SECTION(global, resource)m4_dnl
46 deliver_queue_load_max = 8
47 queue_only_load = 12
48 smtp_accept_max = 16
49 smtp_accept_queue = 32
50 smtp_accept_reserve = 4
51 smtp_load_reserve = 10
52 smtp_reserve_hosts = +trusted
53
54 SECTION(global, policy)m4_dnl
55 host_lookup = *
56
57 SECTION(global, users)m4_dnl
58 gecos_name = $1
59 gecos_pattern = ([^,:]*)
60
61 SECTION(global, incoming)m4_dnl
62 rfc1413_hosts = *
63 rfc1413_query_timeout = 10s
64 received_header_text = Received: \
65 ${if def:sender_rcvhost \
66 {from $sender_rcvhost\n\t} \
67 {${if def:sender_ident \
68 {from ${quote_local_part:$sender_ident} }}}}\
69 by $primary_hostname \
70 (Exim $version_number)\
71 ${if def:tls_cipher {\n\t} { }}\
72 ${if def:received_protocol \
73 {with $received_protocol \
74 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
75 ${if def:sender_address \
76 {(envelope-from $sender_address\
77 ${if def:authenticated_id \
78 {; auth=${quote_local_part:$authenticated_id}} \
79 {${if and {{def:authenticated_sender} \
80 {match_address{$authenticated_sender} \
81 {*@CONF_master_domain}}} \
82 {; auth=${quote_local_part:\
83 ${local_part:\
84 $authenticated_sender}}}}}})\n\t}}\
85 id $message_exim_id\
86 ${if def:received_for {\n\tfor $received_for}}
87
88 SECTION(global, smtp)m4_dnl
89 smtp_return_error_details = true
90 accept_8bitmime = true
91 chunking_advertise_hosts =
92
93 SECTION(global, env)m4_dnl
94 keep_environment =
95
96 SECTION(global, process)m4_dnl
97 extract_addresses_remove_arguments = false
98 headers_charset = utf-8
99 qualify_domain = CONF_master_domain
100 untrusted_set_sender = *
101 local_from_check = false
102 local_sender_retain = true
103
104 SECTION(global, bounce)m4_dnl
105 delay_warning = 1h : 24h : 2d
106
107 SECTION(global, tls)m4_dnl
108 tls_certificate = CONF_certlist
109 tls_privatekey = CONF_sysconf_dir/server.key
110 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
111 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
112 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
113 {match_ip {$sender_host_address}{+trusted}}} \
114 {CONF_good_ciphers} \
115 {CONF_acceptable_ciphers}}
116 tls_verify_certificates = CONF_ca_dir/ca.cert
117 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
118
119 DIVERT(null)
120 ###--------------------------------------------------------------------------
121 ### Access control lists.
122
123 SECTION(global, acl-after)
124 SECTION(global, acl)m4_dnl
125 acl_smtp_helo = helo
126 SECTION(acl, misc)m4_dnl
127 helo:
128 ## Check that the caller's claimed identity is actually plausible.
129 ## This seems like it's a fairly effective filter on spamminess, but
130 ## it's too blunt a tool. Rather than reject, add a warning header.
131 ## Only we can't do this the easy way, so save it up for use in MAIL.
132 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
133 ## and we should only care about the most recent one.
134 warn set acl_c_helo_warning = false
135 !condition = \
136 ${if and {{match_ip {$sender_host_address} \
137 {<; 127.0.0.0/8 ; ::1}} \
138 {match_domain {$sender_helo_name} \
139 {localhost : +thishost}}}}
140 !condition = \
141 ${if exists {CONF_sysconf_dir/helo.conf} \
142 {${lookup {$sender_helo_name} \
143 partial0-lsearch \
144 {CONF_sysconf_dir/helo.conf} \
145 {${if match_ip \
146 {$sender_host_address} \
147 {<; $value}}}}}}
148 !verify = helo
149 set acl_c_helo_warning = true
150
151 accept
152
153 SECTION(global, acl)m4_dnl
154 acl_not_smtp_start = not_smtp_start
155 SECTION(acl, misc)m4_dnl
156 not_smtp_start:
157 ## Record the user's name.
158 warn set acl_c_user = $sender_ident
159 set acl_m_user = $sender_ident
160
161 ## Done.
162 accept
163
164 SECTION(global, acl)m4_dnl
165 acl_smtp_mail = mail
166 SECTION(acl, mail)m4_dnl
167 mail:
168
169 ## If we stashed a warning header about HELO from earlier, we should
170 ## add it now. Only don't bother if the client has authenticated
171 ## successfully for submission (because we can't expect mobile
172 ## clients to be properly set up knowing their names), or it's one of
173 ## our own satellites (because they're either properly set up anyway,
174 ## or satellites using us as a smarthost).
175 warn condition = $acl_c_helo_warning
176 !condition = ${if eq{$acl_c_mode}{submission}}
177 !hosts = +allnets
178 WARNING_HEADER(BADHELO,
179 <:Client's HELO doesn't match its IP address.\n\t\
180 helo-name=$sender_helo_name \
181 address=$sender_host_address:>)
182
183 ## Always allow the empty sender, so that we can receive bounces.
184 accept senders = :
185
186 ## Ensure that the sender looks valid.
187 require acl = mail_check_sender
188
189 ## If this is directly from a client then hack on it for a while.
190 warn condition = ${if eq{$acl_c_mode}{submission}}
191 control = submission/sender_retain
192
193 ## Insist that a local client connect through TLS.
194 deny message = Hosts within CONF_master_domain must use TLS
195 !condition = ${if eq{$acl_c_mode}{submission}}
196 hosts = +allnets
197 !encrypted = *
198
199 ## Check that a submitted message's sender address is allowable.
200 require acl = mail_check_auth
201
202 SECTION(acl, mail-tail)m4_dnl
203 ## And we're done.
204 accept
205
206 SECTION(acl, misc)m4_dnl
207 mail_check_sender:
208
209 ## See whether there's a special exception for this sender domain.
210 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
211 {KV(senders, {$value}{})},
212 {})}
213
214 ## Ensure that the sender is routable. This is important to prevent
215 ## undeliverable bounces.
216 require message = Invalid sender; \
217 ($sender_verify_failure; $acl_verify_message)
218 verify = sender
219
220 ## We're good, then.
221 accept
222
223 SECTION(global, acl)m4_dnl
224 acl_smtp_connect = connect
225 SECTION(acl, connect)m4_dnl
226 connect:
227 SECTION(acl, connect-tail)m4_dnl
228 ## Configure variables according to the submission mode.
229 warn acl = check_submission
230
231 ## Done.
232 accept
233
234 check_submission:
235 ## See whether this message needs hacking on.
236 accept !hosts = +thishost
237 !condition = ${if ={$received_port}{CONF_submission_port}}
238 set acl_c_mode = relay
239
240 ## Remember to apply submission controls.
241 warn set acl_c_mode = submission
242
243 ## Done.
244 accept
245
246 SECTION(global, acl)m4_dnl
247 acl_smtp_rcpt = rcpt
248 SECTION(acl, rcpt)m4_dnl
249 rcpt:
250
251 ## Reject if the client isn't allowed to relay and the recipient
252 ## isn't in one of our known domains.
253 require message = Relaying not permitted
254 acl = check_relay
255
256 ## Ensure that the recipient is routable.
257 require message = Invalid recipient \
258 ($recipient_verify_failure; $acl_verify_message)
259 verify = recipient
260
261 SECTION(acl, misc)m4_dnl
262 check_relay:
263 ## Accept either if the client is allowed to relay through us, or if
264 ## we're the correct place to send this mail.
265
266 ## Known clients and authenticated users are OK.
267 accept hosts = CONF_relay_clients
268 accept authenticated = *
269
270 ## Known domains are OK.
271 accept domains = +public
272
273 ## Finally, domains in our table are OK, unless they say they aren't.
274 accept domains = \
275 ${if exists{CONF_sysconf_dir/domains.conf} \
276 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
277 condition = DOMKV(service, {$value}{true})
278
279 ## Nope, that's not allowed.
280 deny
281
282 SECTION(acl, rcpt-tail)m4_dnl
283 ## Everything checks out OK: let this one go through.
284 accept
285
286 SECTION(global, acl)m4_dnl
287 acl_smtp_data = data
288 SECTION(acl, data)m4_dnl
289 data:
290 ## Don't accept messages with overly-long lines.
291 deny message = line length exceeds SMTP permitted maximum: \
292 $max_received_linelength > 998
293 condition = ${if >{$max_received_linelength}{998}}
294
295 SECTION(acl, data-tail)m4_dnl
296 accept
297
298 SECTION(global, acl)m4_dnl
299 acl_smtp_expn = expn_vrfy
300 acl_smtp_vrfy = expn_vrfy
301 SECTION(acl, misc)m4_dnl
302 expn_vrfy:
303 accept hosts = +trusted
304 deny message = Suck it and see
305
306 DIVERT(null)
307 ###--------------------------------------------------------------------------
308 ### Verification of sender address.
309
310 SECTION(acl, misc)m4_dnl
311 mail_check_auth:
312
313 ## If this isn't a submission then it doesn't need checking.
314 accept condition = ${if !eq{$acl_c_mode}{submission}}
315
316 ## If the caller hasn't formally authenticated, but this is a
317 ## loopback connection, then we can trust identd to tell us the right
318 ## answer. So we should stash the right name somewhere consistent.
319 warn set acl_c_user = $authenticated_id
320 hosts = +thishost
321 !authenticated = *
322 condition = ${if def:sender_ident}
323 set acl_c_user = $sender_ident
324
325 ## User must be authenticated by now.
326 deny message = Sender not authenticated
327 condition = ${if !def:acl_c_user}
328
329 ## Set the per-message authentication flag, since we now know that
330 ## there's a sensible value.
331 warn set acl_m_user = $acl_c_user
332
333 ## All done.
334 accept
335
336 DIVERT(null)
337 ###--------------------------------------------------------------------------
338 ### Common options for forwarding routers.
339
340 ## We're pretty permissive here.
341 m4_define(<:FILTER_BASE:>,
342 <:driver = redirect
343 modemask = 002
344 check_owner = false
345 check_group = false
346 allow_filter = true
347 allow_defer = true
348 allow_fail = true
349 forbid_blackhole = false
350 check_ancestor = true:>)
351
352 ## Common options for forwarding routers at verification time.
353 m4_define(<:FILTER_VERIFY:>,
354 <:verify_only = true
355 user = CONF_filter_user
356 forbid_filter_dlfunc = true
357 forbid_filter_logwrite = true
358 forbid_filter_perl = true
359 forbid_filter_readsocket = true
360 forbid_filter_run = true
361 file_transport = dummy
362 directory_transport = dummy
363 pipe_transport = dummy
364 reply_transport = dummy:>)
365
366 ## Transports for redirection filters.
367 m4_define(<:FILTER_TRANSPORTS:>,
368 <:file_transport = mailbox
369 directory_transport = maildir
370 pipe_transport = pipe
371 reply_transport = reply:>)
372
373 m4_define(<:FILTER_ROUTER:>,
374 <:$1_vrf:
375 $2
376 FILTER_VERIFY<::>$3
377 $1:
378 $2
379 verify = no
380 FILTER_TRANSPORTS<::>$4:>)
381
382 DIVERT(null)
383 ###--------------------------------------------------------------------------
384 ### Common routers.
385
386 SECTION(routers, alias)m4_dnl
387 ## Look up the local part in the address map.
388 alias:
389 driver = redirect
390 allow_fail = true
391 allow_defer = true
392 user = CONF_filter_user
393 FILTER_TRANSPORTS
394 local_parts = nwildlsearch; CONF_alias_file
395 data = ${expand:$local_part_data}
396 SECTION(routers, alias-opts)m4_dnl
397
398 DIVERT(null)
399 ###--------------------------------------------------------------------------
400 ### Some standard transports.
401
402 m4_define(<:USER_DELIVERY:>,
403 <:delivery_date_add = true
404 envelope_to_add = true
405 return_path_add = true:>)
406
407 m4_define(<:APPLY_HEADER_CHANGES:>,
408 <:headers_add = m4_ifelse(<:$1:>, <::>,
409 <:$acl_m_hdradd:>,
410 <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
411 $1:>)
412 headers_remove = m4_ifelse(<:$2:>, <::>,
413 <:$acl_m_hdrrm:>,
414 <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
415 $2:>):>)
416
417 m4_define(<:SMTP_DELIVERY:>,
418 <:## Prevent sending messages with overly long lines. The use of
419 ## `message_size_limit' here is somewhat misleading.
420 message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
421
422 SECTION(transports)m4_dnl
423 ## A standard transport for remote delivery. By default, try to do TLS, and
424 ## don't worry too much if it's not very secure: the alternative is sending
425 ## in plaintext anyway. But all of this can be overridden from the
426 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
427 ## expanded before use, so we can't set it the obvious way. Instead, encode
428 ## it into the transport name. This is very unpleasant, of course.
429 smtp:
430 driver = smtp
431 APPLY_HEADER_CHANGES
432 tls_require_ciphers = CONF_acceptable_ciphers
433 tls_dh_min_bits = 508
434 tls_tempfail_tryclear = true
435
436 m4_define(<:SMTP_TRANS_DHBITS:>,
437 <:driver = smtp
438 SMTP_DELIVERY
439 APPLY_HEADER_CHANGES
440 hosts_try_auth = *
441 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
442 hosts_require_auth = \
443 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
444 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
445 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
446 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
447 tls_require_ciphers = \
448 DOMKV(tls-ciphers,
449 {${extract {${expand:$value}} \
450 { good = CONF_good_ciphers \
451 any = CONF_acceptable_ciphers } \
452 {$value} \
453 {${expand:$value}}}} \
454 {CONF_acceptable_ciphers})
455 tls_dh_min_bits = $1
456 tls_tempfail_tryclear = true:>)m4_dnl
457 smtp_dhbits_512:
458 SMTP_TRANS_DHBITS(508)
459 smtp_dhbits_768:
460 SMTP_TRANS_DHBITS(764)
461 smtp_dhbits_1024:
462 SMTP_TRANS_DHBITS(1020)
463 smtp_dhbits_2048:
464 SMTP_TRANS_DHBITS(2044)
465
466 ## Transport to a local SMTP server; use TLS and perform client
467 ## authentication.
468 smtp_local:
469 driver = smtp
470 SMTP_DELIVERY
471 APPLY_HEADER_CHANGES
472 hosts_require_tls = *
473 tls_certificate = CONF_sysconf_dir/client.certlist
474 tls_privatekey = CONF_sysconf_dir/client.key
475 tls_verify_certificates = CONF_ca_dir/ca.cert
476 tls_require_ciphers = CONF_good_ciphers
477 tls_dh_min_bits = 2046
478 tls_tempfail_tryclear = false
479 authenticated_sender_force = true
480 authenticated_sender = \
481 ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
482 {${if def:authenticated_sender {$authenticated_sender} \
483 fail}}}
484
485 ## A standard transport for local delivery.
486 deliver:
487 driver = appendfile
488 APPLY_HEADER_CHANGES
489 file = /var/mail/$local_part
490 group = mail
491 mode = 0600
492 mode_fail_narrower = false
493 USER_DELIVERY
494
495 ## Transports for user filters.
496 mailbox:
497 driver = appendfile
498 APPLY_HEADER_CHANGES
499 initgroups = true
500 USER_DELIVERY
501
502 maildir:
503 driver = appendfile
504 APPLY_HEADER_CHANGES
505 maildir_format = true
506 initgroups = true
507 USER_DELIVERY
508
509 pipe:
510 driver = pipe
511 APPLY_HEADER_CHANGES
512 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
513 /usr/local/bin:/usr/local/sbin:\
514 /usr/bin:/usr/sbin:/bin:/sbin
515 initgroups = true
516 umask = 002
517 return_fail_output = true
518 log_output = true
519
520 ## A special dummy transport for use during address verification.
521 dummy:
522 driver = appendfile
523 file = /dev/null
524
525 DIVERT(null)
526 ###--------------------------------------------------------------------------
527 ### Retry configuration.
528
529 SECTION(retry, default)m4_dnl
530 ## Default.
531 * * \
532 F,2h,15m; G,16h,2h,1.5; F,4d,6h
533
534 DIVERT(null)
535 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.