satellite.m4: Apply `/etc/aliases' to master-domain-qualified addresses.
[exim-config] / config.m4
index e9b1e35..8f2db96 100644 (file)
--- a/config.m4
+++ b/config.m4
 ## Master domain name.
 DEFCONF(master_domain, distorted.org.uk)
 
+## List of home-system mail domain names.  This can be empty if we only
+## provide service for special-purpose domains.
+DEFCONF(sysdomains, CONF_master_domain)
+
+## The magic token for local header names.
+DEFCONF(header_token, Distorted)
+
 ## The smarthost for satellite hosts.
 DEFCONF(smarthost, mail.distorted.org.uk)
 
 ## The user who runs verification filters.
 DEFCONF(filter_user, Debian-exim)
 
+## Administrative groups.
+DEFCONF(admin_groups, root : adm)
+DEFCONF(trusted_groups, root : adm)
+
 ## Where the spam filter is.
-DEFCONF(spamd_address, 172.29.199.179)
+DEFCONF(spamd_address, 172.29.199.8)
 DEFCONF(spamd_port, 783)
 
 ## Default spam limit for incoming mail (multiplied by ten).
 DEFCONF(spam_max, 50)
 
+## Userv stuff for debugging.
+DEFCONF(userv_opts, )
+
 ## Which interfaces to listen on.  Exim checks for the literal string `::0'
 ## when setting things up: don't use `::', or we'll be tripped up by Linux's
 ## demented non-`IPV6_V6ONLY' behaviour.
@@ -53,14 +67,34 @@ DEFCONF(sysconf_dir, /etc/mail)
 DEFCONF(userconf_dir, $home/.mail)
 DEFCONF(alias_file, /etc/aliases)
 DEFCONF(ca_dir, /etc/ca)
+DEFCONF(dkim_keys_dir, /var/lib/dkim-keys)
 
 ## User address suffix handling.
 DEFCONF(user_suffix_list, +* : -*)
-DEFCONF(user_extaddr_regexp, $acl_c_user([-+@]|\$))
 DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})
 
 ## Other hosts allowed to relay mail through us.
-DEFCONF(relay_clients, +trusted)
+DEFCONF(relay_clients, <m4_dnl
+; +allnets m4_dnl
+; 172.31.80.8 m4_dnl chiark (VPN)
+)
+
+## DKIM headers list.
+## Surprise!  Internal whitespace isn't allowed here.
+DEFCONF(dkim_headers, m4_dnl
+References : In-Reply-To : Subject : To : Date : Message-ID : m4_dnl
+From : Sender : Reply-To : Cc : m4_dnl
+Content-Transfer-Encoding : Content-Type : MIME-Version : m4_dnl
+Content-ID : Content-Description m4_dnl
+)
+
+## TLS certificate list.
+DEFCONF(certlist,
+<:m4_ifelse(t, m4_ifelse(MODE, hub, nil, MODE, srv, nil, t),
+<:CONF_sysconf_dir/server.certlist:>,
+<:CONF_sysconf_dir/${if ={$received_port}{CONF_submission_port}{server}\
+                       {${if match_ip{$sender_host_address}{+trusted} \
+                                     {server}{letsencrypt}}}}.certlist:>):>)
 
 ## TLS-related settings.  We're assuming GNUTLS here, rather than OpenSSL.
 ## For local connections we are very strict.  For random clients, we try
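Review bot: The relay_clients value at `DEFCONF(relay_clients, <m4_dnl` replaces `+trusted` with `+allnets` plus 172.31.80.8, but nothing in the hunk says what the `+allnets` hostlist covers, even though every host matching this list may relay through the server unauthenticated; the `172.31.80.8` entry is annotated (`chiark (VPN)`) and `+allnets` deserves the same. The leading `<` followed by `;` on the next line switches the Exim list separator to `;` (presumably so IPv6 literals can be added later), which is also worth stating, e.g. `DEFCONF(relay_clients, <m4_dnl  separator is ";" so IPv6 literals work` and `; +allnets m4_dnl <name the networks this hostlist holds; all of them may relay>`. Separately, the `dkim_headers` comment says internal whitespace isn't allowed, yet the value has spaces around every colon; presumably the restriction is on line breaks, so `## Surprise!  Line breaks aren't allowed here, hence the m4_dnl joins.` would be clearer -- confirm against the option that consumes it.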
@@ -68,14 +102,31 @@ DEFCONF(relay_clients, +trusted)
 ## nobody can verify our certificate anyway.
 DEFCONF(good_ciphers, NONE<::>m4_dnl
 :+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
-:+DHE-RSA:+DHE-DSS<::>m4_dnl
-:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
-:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
+:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
+:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
+:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
+:+SIGN-DSA-SHA256<::>m4_dnl
+:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
 )
-DEFCONF(acceptable_ciphers, NORMAL<::>m4_dnl
+DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
+:+VERS-TLS-ALL<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
+:+KX-ALL<::>m4_dnl
+:+SIGN-ALL<::>m4_dnl
+:+CTYPE-ALL<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
+:+CIPHER-ALL<::>m4_dnl
+:+CURVE-X25519<::>m4_dnl
+:+CURVE-ALL<::>m4_dnl
+:+AEAD<::>m4_dnl
+:+MAC-ALL<::>m4_dnl
+:+COMP-NULL<::>m4_dnl
 :-MD5<::>m4_dnl
 )