X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/e3c9c42730981542c7697a34f59cc95cd6281fec..HEAD:/base.m4 diff --git a/base.m4 b/base.m4 index 9e07bf7..d64b88b 100644 --- a/base.m4 +++ b/base.m4 @@ -44,6 +44,7 @@ extra_local_interfaces = <; 0.0.0.0 ; ::0 SECTION(global, resource)m4_dnl deliver_queue_load_max = 8 +message_size_limit = 500M queue_only_load = 12 smtp_accept_max = 16 smtp_accept_queue = 32 @@ -105,7 +106,7 @@ SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d SECTION(global, tls)m4_dnl -tls_certificate = CONF_sysconf_dir/server.certlist +tls_certificate = CONF_certlist tls_privatekey = CONF_sysconf_dir/server.key tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}} tls_dhparam = CONF_ca_dir/dh-param-2048.pem @@ -125,6 +126,10 @@ SECTION(global, acl)m4_dnl acl_smtp_helo = helo SECTION(acl, misc)m4_dnl helo: + ## Don't worry if this is local submission. MUAs won't necessarily + ## have a clear idea of their hostnames. (For some reason.) + accept condition = ${if eq{$acl_c_mode}{submission}} + ## Check that the caller's claimed identity is actually plausible. ## This seems like it's a fairly effective filter on spamminess, but ## it's too blunt a tool. Rather than reject, add a warning header. @@ -208,8 +213,7 @@ mail_check_sender: ## See whether there's a special exception for this sender domain. accept senders = ${LOOKUP_DOMAIN($sender_address_domain, - {KV(senders, {$value}{})}, - {})} + {KV(senders)})} ## Ensure that the sender is routable. This is important to prevent ## undeliverable bounces. @@ -239,6 +243,7 @@ check_submission: ## Remember to apply submission controls. warn set acl_c_mode = submission + control = no_enforce_sync ## Done. accept @@ -264,17 +269,17 @@ check_relay: ## we're the correct place to send this mail. ## Known clients and authenticated users are OK. - accept hosts = CONF_relay_clients - accept authenticated = * + accept hosts = CONF_relay_clients + accept authenticated = * ## Known domains are OK. - accept domains = +public + accept domains = +public ## Finally, domains in our table are OK, unless they say they aren't. - accept domains = \ - ${if exists{CONF_sysconf_dir/domains.conf} \ + accept domains = \ + ${if exists{CONF_sysconf_dir/domains.conf} \ {partial0-lsearch; CONF_sysconf_dir/domains.conf}} - condition = DOMKV(service, {$value}{true}) + condition = DOMKV(service, {$value}{true}) ## Nope, that's not allowed. deny @@ -287,6 +292,10 @@ SECTION(global, acl)m4_dnl acl_smtp_data = data SECTION(acl, data)m4_dnl data: + ## Don't accept messages with overly-long lines. + deny message = line length exceeds SMTP permitted maximum: \ + $max_received_linelength > 998 + condition = ${if >{$max_received_linelength}{998}} SECTION(acl, data-tail)m4_dnl accept @@ -410,6 +419,71 @@ m4_define(<:APPLY_HEADER_CHANGES:>, <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\ $2:>):>) +m4_define(<:DKIM_SIGN_P:>, + <:and {{exists{CONF_sysconf_dir/dkim-sign.conf}} \ + {!def:h_DKIM-Signature:} \ + {!def:h_List-ID:} \ + {or {{def:authenticated_id} \ + {def:authenticated_sender}}} \ + {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>) + +m4_define(<:DKIM_KEYS_INSTANCE:>, + <:${lookup {${domain:$h_From:}} partial0-lsearch \ + {CONF_sysconf_dir/dkim-sign.conf} \ + _LOOKUP_ARGS(<:$1:>, <:$2:>)}:>) +m4_define(<:DKIM_KEYS_STATE:>, <:${lookup {$1} lsearch \ + {DKIM_KEYS_INSTANCE(<:{CONF_dkim_keys_dir/$value/active/dkim-keys.state}:>)} \ + _LOOKUP_ARGS(<:$2:>, <:$3:>, <:fail:>)}:>) +m4_define(<:DKIM_KEYS_INFO:>, <:DKIM_KEYS_STATE(<:params:>, + <:{${if and {{>={$tod_epoch}{KV(t0)}} \ + {<{$tod_epoch}{${eval:KV(t0) + KV(n)*KV(step)}}}} \ + {DKIM_KEYS_STATE(<:info.${eval:($tod_epoch - KV(t0))/KV(step)}:>, + <:$1:>, <:$2:>)} \ + m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)}}:>, + m4_ifelse(<:$2:>, <::>, <:fail:>, <:$2:>)):>) + +m4_define(<:DKIM_SIGN:>, + <:dkim_domain = \ + ${if DKIM_SIGN_P \ + {DKIM_KEYS_INSTANCE({${domain:$h_From:}})}} + dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>) + ##dkim_timestamps = m4_eval(<:7*24*60*60:>) + dkim_private_key = \ + DKIM_KEYS_INSTANCE(<:m4_dnl + {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>) + dkim_canon = relaxed + dkim_strict = true + ## The following ridiculous stunt does two important jobs. Firstly, + ## and more obviously, it arranges to include one more copy of each + ## header name than the message actually contains, thereby causing + ## the signature to fail if another header with the same name is + ## added. And secondly, and far more subtly, it also trims the + ## spaces from the header names so that they're in the format that + ## the signing machinery secretly wants. + dkim_sign_headers = \ + ${sg {${map {CONF_dkim_headers : \ + X-CONF_header_token-DKIM-Key-Publication} \ + {$item${sg {${expand:\$h_$item:}\n} \ + {((?:[^\n]+|\n\\s+)*)\n} \ + {:$item}}}}} \ + {::}{:}} + headers_add = \ + ${if DKIM_SIGN_P \ + {DKIM_KEYS_INFO(<:m4_dnl + {X-CONF_header_token-DKIM-Key-Publication: \ + DKIM signature not suitable \ + as evidence after delivery;\n\t\ + DKIM private key KV(k) will be \ + published\n\t\ + at KV(u)\n\t\ + on or before KV(tpub)}:>)}}:>) + + +m4_define(<:SMTP_DELIVERY:>, + <:## Prevent sending messages with overly long lines. The use of + ## `message_size_limit' here is somewhat misleading. + message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>) + SECTION(transports)m4_dnl ## A standard transport for remote delivery. By default, try to do TLS, and ## don't worry too much if it's not very secure: the alternative is sending @@ -419,14 +493,18 @@ SECTION(transports)m4_dnl ## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp + SMTP_DELIVERY APPLY_HEADER_CHANGES + DKIM_SIGN tls_require_ciphers = CONF_acceptable_ciphers tls_dh_min_bits = 508 tls_tempfail_tryclear = true m4_define(<:SMTP_TRANS_DHBITS:>, <:driver = smtp + SMTP_DELIVERY APPLY_HEADER_CHANGES + DKIM_SIGN hosts_try_auth = * hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) hosts_require_auth = \ @@ -457,6 +535,7 @@ smtp_dhbits_2048: ## authentication. smtp_local: driver = smtp + SMTP_DELIVERY APPLY_HEADER_CHANGES hosts_require_tls = * tls_certificate = CONF_sysconf_dir/client.certlist @@ -516,6 +595,13 @@ DIVERT(null) ### Retry configuration. SECTION(retry, default)m4_dnl +## Be persistent when sending to the site relay. It ought to work, but +## particularly satellites such as laptops often encounter annoying temporary +## failures due to network unavailability, and the usual gradual policy can +## leave mail building up for no good reason. +CONF_smarthost * \ + F,4d,15m + ## Default. * * \ F,2h,15m; G,16h,2h,1.5; F,4d,6h