~mdw / exim-config / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
config.m4: Fiddle with the ciphersuite settings.
[exim-config] / config.m4
diff --git a/config.m4 b/config.m4
index 5901edc..1731d59 100644 (file)
--- a/config.m4
+++ b/config.m4
@@ -24,12 +24,23 @@
 ## Master domain name.
 DEFCONF(master_domain, distorted.org.uk)
 
+## List of home-system mail domain names.  This can be empty if we only
+## provide service for special-purpose domains.
+DEFCONF(sysdomains, CONF_master_domain)
+
+## The magic token for local header names.
+DEFCONF(header_token, Distorted)
+
 ## The smarthost for satellite hosts.
 DEFCONF(smarthost, mail.distorted.org.uk)
 
 ## The user who runs verification filters.
 DEFCONF(filter_user, Debian-exim)
 
+## Administrative groups.
+DEFCONF(admin_groups, root : adm)
+DEFCONF(trusted_groups, root : adm)
+
 ## Where the spam filter is.
 DEFCONF(spamd_address, 172.29.199.179)
 DEFCONF(spamd_port, 783)
@@ -37,13 +48,18 @@ DEFCONF(spamd_port, 783)
 ## Default spam limit for incoming mail (multiplied by ten).
 DEFCONF(spam_max, 50)
 
+## Userv stuff for debugging.
+DEFCONF(userv_opts, )
+
 ## Which interfaces to listen on.  Exim checks for the literal string `::0'
 ## when setting things up: don't use `::', or we'll be tripped up by Linux's
 ## demented non-`IPV6_V6ONLY' behaviour.
 DEFCONF(interfaces, m4_ifelse(MODE, satellite, 127.0.0.1 ; ::1,
                              0.0.0.0 ; ::0))
 
-## Submission port number.  (This is sometimes tweaked for testing.)
+## Main and submission port numbers.  (This is sometimes tweaked for
+## testing.)
+DEFCONF(smtp_port, 25)
 DEFCONF(submission_port, 587)
 
 ## Locations of other configuration files.
@@ -53,27 +69,40 @@ DEFCONF(alias_file, /etc/aliases)
 DEFCONF(ca_dir, /etc/ca)
 
 ## User address suffix handling.
-DEFCONF(user_suffix_list, -* : +*)
-DEFCONF(user_extaddr_regexp, $acl_c_user([-+@]|\$))
+DEFCONF(user_suffix_list, +* : -*)
 DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}})
 
 ## Other hosts allowed to relay mail through us.
-DEFCONF(relay_clients, +trusted)
+DEFCONF(relay_clients, <m4_dnl
+; +trusted m4_dnl
+; 172.31.80.8 m4_dnl chiark (VPN)
+; 172.29.198.161 ; 2001:ba8:1d9:a000::1:1 m4_dnl national
+)
 
 ## TLS-related settings.  We're assuming GNUTLS here, rather than OpenSSL.
 ## For local connections we are very strict.  For random clients, we try
 ## fairly hard to encourage any kind of crypto on the grounds that probably
 ## nobody can verify our certificate anyway.
 DEFCONF(good_ciphers, NONE<::>m4_dnl
-:+VERS-TLS1.2:+VERS-TLS1.1<::>m4_dnl
-:+DHE-RSA:+DHE-DSS<::>m4_dnl
-:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256<::>m4_dnl
-:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
+:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-RSA:+DHE-DSS<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC<::>m4_dnl
+:+AEAD:+SHA256:+SHA384:+SHA512<::>m4_dnl
+:+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256<::>m4_dnl
+:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256<::>m4_dnl
+:+SIGN-DSA-SHA256<::>m4_dnl
+:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP521R1:+CURVE-SECP384R1<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
 )
-DEFCONF(acceptable_ciphers, NORMAL<::>m4_dnl
+DEFCONF(acceptable_ciphers, NONE<::>m4_dnl
+:+ECDHE-RSA:+ECDHE-ECDSA<::>m4_dnl
+:+CHACHA20-POLY1305<::>m4_dnl
+:+AES-256-GCM:+AES-128-GCM<::>m4_dnl
+:+CURVE-X25519<::>m4_dnl
+:+AEAD<::>m4_dnl
+:+NORMAL<::>m4_dnl
 :-MD5<::>m4_dnl
 )
 
The distorted.org.uk Exim configuration.