~mdw / exim-config / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
base.m4: Re-enable RFC1413 (ident) requests.
[exim-config] / base.m4
1 ### -*-m4-*-
2 ###
3 ### Basic settings for distorted.org.uk Exim configuration
4 ###
5 ### (c) 2012 Mark Wooding
6 ###
7
8 ###----- Licensing notice ---------------------------------------------------
9 ###
10 ### This program is free software; you can redistribute it and/or modify
11 ### it under the terms of the GNU General Public License as published by
12 ### the Free Software Foundation; either version 2 of the License, or
13 ### (at your option) any later version.
14 ###
15 ### This program is distributed in the hope that it will be useful,
16 ### but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ### GNU General Public License for more details.
19 ###
20 ### You should have received a copy of the GNU General Public License
21 ### along with this program; if not, write to the Free Software Foundation,
22 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23
24 ###--------------------------------------------------------------------------
25 ### Global settings.
26
27 SECTION(global, priv)m4_dnl
28 admin_groups = CONF_admin_groups
29 trusted_groups = CONF_trusted_groups
30 prod_requires_admin = false
31
32 SECTION(global, logging)m4_dnl
33 log_file_path = : syslog
34 log_selector = \
35 +smtp_confirmation \
36 +tls_peerdn
37 log_timezone = true
38 syslog_duplication = false
39 syslog_timestamp = false
40
41 SECTION(global, daemon)m4_dnl
42 local_interfaces = <; CONF_interfaces
43 extra_local_interfaces = <; 0.0.0.0 ; ::0
44
45 SECTION(global, resource)m4_dnl
46 deliver_queue_load_max = 8
47 queue_only_load = 12
48 smtp_accept_max = 16
49 smtp_accept_queue = 32
50 smtp_accept_reserve = 4
51 smtp_load_reserve = 10
52 smtp_reserve_hosts = +trusted
53
54 SECTION(global, policy)m4_dnl
55 host_lookup = *
56
57 SECTION(global, users)m4_dnl
58 gecos_name = $1
59 gecos_pattern = ([^,:]*)
60
61 SECTION(global, incoming)m4_dnl
62 rfc1413_hosts = *
63 rfc1413_query_timeout = 10s
64 received_header_text = Received: \
65 ${if def:sender_rcvhost \
66 {from $sender_rcvhost\n\t} \
67 {${if def:sender_ident \
68 {from ${quote_local_part:$sender_ident} }}}}\
69 by $primary_hostname \
70 (Exim $version_number)\
71 ${if def:tls_cipher {\n\t} { }}\
72 ${if def:received_protocol \
73 {with $received_protocol \
74 ${if def:tls_cipher {(cipher=$tls_cipher)}}}}\n\t\
75 ${if def:sender_address \
76 {(envelope-from $sender_address\
77 ${if def:authenticated_id \
78 {; auth=${quote_local_part:$authenticated_id}} \
79 {${if and {{def:authenticated_sender} \
80 {match_address{$authenticated_sender} \
81 {*@CONF_master_domain}}} \
82 {; auth=${quote_local_part:\
83 ${local_part:\
84 $authenticated_sender}}}}}})\n\t}}\
85 id $message_exim_id\
86 ${if def:received_for {\n\tfor $received_for}}
87
88 SECTION(global, smtp)m4_dnl
89 smtp_return_error_details = true
90 accept_8bitmime = true
91
92 SECTION(global, env)m4_dnl
93 keep_environment =
94
95 SECTION(global, process)m4_dnl
96 extract_addresses_remove_arguments = false
97 headers_charset = utf-8
98 qualify_domain = CONF_master_domain
99 untrusted_set_sender = *
100 local_from_check = false
101 local_sender_retain = true
102
103 SECTION(global, bounce)m4_dnl
104 delay_warning = 1h : 24h : 2d
105
106 SECTION(global, tls)m4_dnl
107 tls_certificate = CONF_sysconf_dir/server.certlist
108 tls_privatekey = CONF_sysconf_dir/server.key
109 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
110 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
111 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
112 {match_ip {$sender_host_address}{+trusted}}} \
113 {CONF_good_ciphers} \
114 {CONF_acceptable_ciphers}}
115 tls_verify_certificates = CONF_ca_dir/ca.cert
116 tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
117
118 DIVERT(null)
119 ###--------------------------------------------------------------------------
120 ### Access control lists.
121
122 SECTION(global, acl-after)
123 SECTION(global, acl)m4_dnl
124 acl_smtp_helo = helo
125 SECTION(acl, misc)m4_dnl
126 helo:
127 ## Check that the caller's claimed identity is actually plausible.
128 ## This seems like it's a fairly effective filter on spamminess, but
129 ## it's too blunt a tool. Rather than reject, add a warning header.
130 ## Only we can't do this the easy way, so save it up for use in MAIL.
131 ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
132 ## and we should only care about the most recent one.
133 warn set acl_c_helo_warning = false
134 !condition = \
135 ${if and {{match_ip {$sender_host_address} \
136 {<; 127.0.0.0/8 ; ::1}} \
137 {match_domain {$sender_helo_name} \
138 {localhost : +thishost}}}}
139 !condition = \
140 ${if exists {CONF_sysconf_dir/helo.conf} \
141 {${lookup {$sender_helo_name} \
142 partial0-lsearch \
143 {CONF_sysconf_dir/helo.conf} \
144 {${if match_ip \
145 {$sender_host_address} \
146 {<; $value}}}}}}
147 !verify = helo
148 set acl_c_helo_warning = true
149
150 accept
151
152 SECTION(global, acl)m4_dnl
153 acl_not_smtp_start = not_smtp_start
154 SECTION(acl, misc)m4_dnl
155 not_smtp_start:
156 ## Record the user's name.
157 warn set acl_c_user = $sender_ident
158 set acl_m_user = $sender_ident
159
160 ## Done.
161 accept
162
163 SECTION(global, acl)m4_dnl
164 acl_smtp_mail = mail
165 SECTION(acl, mail)m4_dnl
166 mail:
167
168 ## If we stashed a warning header about HELO from earlier, we should
169 ## add it now. Only don't bother if the client has authenticated
170 ## successfully for submission (because we can't expect mobile
171 ## clients to be properly set up knowing their names), or it's one of
172 ## our own satellites (because they're either properly set up anyway,
173 ## or satellites using us as a smarthost).
174 warn condition = $acl_c_helo_warning
175 !condition = ${if eq{$acl_c_mode}{submission}}
176 !hosts = +allnets
177 WARNING_HEADER(BADHELO,
178 <:Client's HELO doesn't match its IP address.\n\t\
179 helo-name=$sender_helo_name \
180 address=$sender_host_address:>)
181
182 ## Always allow the empty sender, so that we can receive bounces.
183 accept senders = :
184
185 ## Ensure that the sender looks valid.
186 require acl = mail_check_sender
187
188 ## If this is directly from a client then hack on it for a while.
189 warn condition = ${if eq{$acl_c_mode}{submission}}
190 control = submission/sender_retain
191
192 ## Insist that a local client connect through TLS.
193 deny message = Hosts within CONF_master_domain must use TLS
194 !condition = ${if eq{$acl_c_mode}{submission}}
195 hosts = +allnets
196 !encrypted = *
197
198 ## Check that a submitted message's sender address is allowable.
199 require acl = mail_check_auth
200
201 SECTION(acl, mail-tail)m4_dnl
202 ## And we're done.
203 accept
204
205 SECTION(acl, misc)m4_dnl
206 mail_check_sender:
207
208 ## See whether there's a special exception for this sender domain.
209 accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
210 {KV(senders, {$value}{})},
211 {})}
212
213 ## Ensure that the sender is routable. This is important to prevent
214 ## undeliverable bounces.
215 require message = Invalid sender; \
216 ($sender_verify_failure; $acl_verify_message)
217 verify = sender
218
219 ## We're good, then.
220 accept
221
222 SECTION(global, acl)m4_dnl
223 acl_smtp_connect = connect
224 SECTION(acl, connect)m4_dnl
225 connect:
226 SECTION(acl, connect-tail)m4_dnl
227 ## Configure variables according to the submission mode.
228 warn acl = check_submission
229
230 ## Done.
231 accept
232
233 check_submission:
234 ## See whether this message needs hacking on.
235 accept !hosts = +thishost
236 !condition = ${if ={$received_port}{CONF_submission_port}}
237 set acl_c_mode = relay
238
239 ## Remember to apply submission controls.
240 warn set acl_c_mode = submission
241
242 ## Done.
243 accept
244
245 SECTION(global, acl)m4_dnl
246 acl_smtp_rcpt = rcpt
247 SECTION(acl, rcpt)m4_dnl
248 rcpt:
249
250 ## Reject if the client isn't allowed to relay and the recipient
251 ## isn't in one of our known domains.
252 require message = Relaying not permitted
253 acl = check_relay
254
255 ## Ensure that the recipient is routable.
256 require message = Invalid recipient \
257 ($recipient_verify_failure; $acl_verify_message)
258 verify = recipient
259
260 SECTION(acl, misc)m4_dnl
261 check_relay:
262 ## Accept either if the client is allowed to relay through us, or if
263 ## we're the correct place to send this mail.
264
265 ## Known clients and authenticated users are OK.
266 accept hosts = CONF_relay_clients
267 accept authenticated = *
268
269 ## Known domains are OK.
270 accept domains = +public
271
272 ## Finally, domains in our table are OK, unless they say they aren't.
273 accept domains = \
274 ${if exists{CONF_sysconf_dir/domains.conf} \
275 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
276 condition = DOMKV(service, {$value}{true})
277
278 ## Nope, that's not allowed.
279 deny
280
281 SECTION(acl, rcpt-tail)m4_dnl
282 ## Everything checks out OK: let this one go through.
283 accept
284
285 SECTION(global, acl)m4_dnl
286 acl_smtp_data = data
287 SECTION(acl, data)m4_dnl
288 data:
289
290 SECTION(acl, data-tail)m4_dnl
291 accept
292
293 SECTION(global, acl)m4_dnl
294 acl_smtp_expn = expn_vrfy
295 acl_smtp_vrfy = expn_vrfy
296 SECTION(acl, misc)m4_dnl
297 expn_vrfy:
298 accept hosts = +trusted
299 deny message = Suck it and see
300
301 DIVERT(null)
302 ###--------------------------------------------------------------------------
303 ### Verification of sender address.
304
305 SECTION(acl, misc)m4_dnl
306 mail_check_auth:
307
308 ## If this isn't a submission then it doesn't need checking.
309 accept condition = ${if !eq{$acl_c_mode}{submission}}
310
311 ## If the caller hasn't formally authenticated, but this is a
312 ## loopback connection, then we can trust identd to tell us the right
313 ## answer. So we should stash the right name somewhere consistent.
314 warn set acl_c_user = $authenticated_id
315 hosts = +thishost
316 !authenticated = *
317 condition = ${if def:sender_ident}
318 set acl_c_user = $sender_ident
319
320 ## User must be authenticated by now.
321 deny message = Sender not authenticated
322 condition = ${if !def:acl_c_user}
323
324 ## Set the per-message authentication flag, since we now know that
325 ## there's a sensible value.
326 warn set acl_m_user = $acl_c_user
327
328 ## All done.
329 accept
330
331 DIVERT(null)
332 ###--------------------------------------------------------------------------
333 ### Common options for forwarding routers.
334
335 ## We're pretty permissive here.
336 m4_define(<:FILTER_BASE:>,
337 <:driver = redirect
338 modemask = 002
339 check_owner = false
340 check_group = false
341 allow_filter = true
342 allow_defer = true
343 allow_fail = true
344 forbid_blackhole = false
345 check_ancestor = true:>)
346
347 ## Common options for forwarding routers at verification time.
348 m4_define(<:FILTER_VERIFY:>,
349 <:verify_only = true
350 user = CONF_filter_user
351 forbid_filter_dlfunc = true
352 forbid_filter_logwrite = true
353 forbid_filter_perl = true
354 forbid_filter_readsocket = true
355 forbid_filter_run = true
356 file_transport = dummy
357 directory_transport = dummy
358 pipe_transport = dummy
359 reply_transport = dummy:>)
360
361 ## Transports for redirection filters.
362 m4_define(<:FILTER_TRANSPORTS:>,
363 <:file_transport = mailbox
364 directory_transport = maildir
365 pipe_transport = pipe
366 reply_transport = reply:>)
367
368 m4_define(<:FILTER_ROUTER:>,
369 <:$1_vrf:
370 $2
371 FILTER_VERIFY<::>$3
372 $1:
373 $2
374 verify = no
375 FILTER_TRANSPORTS<::>$4:>)
376
377 DIVERT(null)
378 ###--------------------------------------------------------------------------
379 ### Common routers.
380
381 SECTION(routers, alias)m4_dnl
382 ## Look up the local part in the address map.
383 alias:
384 driver = redirect
385 allow_fail = true
386 allow_defer = true
387 user = CONF_filter_user
388 FILTER_TRANSPORTS
389 local_parts = nwildlsearch; CONF_alias_file
390 data = ${expand:$local_part_data}
391 SECTION(routers, alias-opts)m4_dnl
392
393 DIVERT(null)
394 ###--------------------------------------------------------------------------
395 ### Some standard transports.
396
397 m4_define(<:USER_DELIVERY:>,
398 <:delivery_date_add = true
399 envelope_to_add = true
400 return_path_add = true:>)
401
402 m4_define(<:APPLY_HEADER_CHANGES:>,
403 <:headers_add = m4_ifelse(<:$1:>, <::>,
404 <:$acl_m_hdradd:>,
405 <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
406 $1:>)
407 headers_remove = m4_ifelse(<:$2:>, <::>,
408 <:$acl_m_hdrrm:>,
409 <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
410 $2:>):>)
411
412 SECTION(transports)m4_dnl
413 ## A standard transport for remote delivery. By default, try to do TLS, and
414 ## don't worry too much if it's not very secure: the alternative is sending
415 ## in plaintext anyway. But all of this can be overridden from the
416 ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
417 ## expanded before use, so we can't set it the obvious way. Instead, encode
418 ## it into the transport name. This is very unpleasant, of course.
419 smtp:
420 driver = smtp
421 APPLY_HEADER_CHANGES
422 tls_require_ciphers = CONF_acceptable_ciphers
423 tls_dh_min_bits = 508
424 tls_tempfail_tryclear = true
425
426 m4_define(<:SMTP_TRANS_DHBITS:>,
427 <:driver = smtp
428 APPLY_HEADER_CHANGES
429 hosts_try_auth = *
430 hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
431 hosts_require_auth = \
432 ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}}
433 tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail)
434 tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail)
435 tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail)
436 tls_require_ciphers = \
437 DOMKV(tls-ciphers,
438 {${extract {${expand:$value}} \
439 { good = CONF_good_ciphers \
440 any = CONF_acceptable_ciphers } \
441 {$value} \
442 {${expand:$value}}}} \
443 {CONF_acceptable_ciphers})
444 tls_dh_min_bits = $1
445 tls_tempfail_tryclear = true:>)m4_dnl
446 smtp_dhbits_512:
447 SMTP_TRANS_DHBITS(508)
448 smtp_dhbits_768:
449 SMTP_TRANS_DHBITS(764)
450 smtp_dhbits_1024:
451 SMTP_TRANS_DHBITS(1020)
452 smtp_dhbits_2048:
453 SMTP_TRANS_DHBITS(2044)
454
455 ## Transport to a local SMTP server; use TLS and perform client
456 ## authentication.
457 smtp_local:
458 driver = smtp
459 APPLY_HEADER_CHANGES
460 hosts_require_tls = *
461 tls_certificate = CONF_sysconf_dir/client.certlist
462 tls_privatekey = CONF_sysconf_dir/client.key
463 tls_verify_certificates = CONF_ca_dir/ca.cert
464 tls_require_ciphers = CONF_good_ciphers
465 tls_dh_min_bits = 2046
466 tls_tempfail_tryclear = false
467 authenticated_sender_force = true
468 authenticated_sender = \
469 ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
470 {${if def:authenticated_sender {$authenticated_sender} \
471 fail}}}
472
473 ## A standard transport for local delivery.
474 deliver:
475 driver = appendfile
476 APPLY_HEADER_CHANGES
477 file = /var/mail/$local_part
478 group = mail
479 mode = 0600
480 mode_fail_narrower = false
481 USER_DELIVERY
482
483 ## Transports for user filters.
484 mailbox:
485 driver = appendfile
486 APPLY_HEADER_CHANGES
487 initgroups = true
488 USER_DELIVERY
489
490 maildir:
491 driver = appendfile
492 APPLY_HEADER_CHANGES
493 maildir_format = true
494 initgroups = true
495 USER_DELIVERY
496
497 pipe:
498 driver = pipe
499 APPLY_HEADER_CHANGES
500 path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
501 /usr/local/bin:/usr/local/sbin:\
502 /usr/bin:/usr/sbin:/bin:/sbin
503 initgroups = true
504 umask = 002
505 return_fail_output = true
506 log_output = true
507
508 ## A special dummy transport for use during address verification.
509 dummy:
510 driver = appendfile
511 file = /dev/null
512
513 DIVERT(null)
514 ###--------------------------------------------------------------------------
515 ### Retry configuration.
516
517 SECTION(retry, default)m4_dnl
518 ## Default.
519 * * \
520 F,2h,15m; G,16h,2h,1.5; F,4d,6h
521
522 DIVERT(null)
523 ###----- That's all, folks --------------------------------------------------
The distorted.org.uk Exim configuration.