+### -*-m4-*-
+###
+### Basic settings for distorted.org.uk Exim configuration
+###
+### (c) 2012 Mark Wooding
+###
+
+###----- Licensing notice ---------------------------------------------------
+###
+### This program is free software; you can redistribute it and/or modify
+### it under the terms of the GNU General Public License as published by
+### the Free Software Foundation; either version 2 of the License, or
+### (at your option) any later version.
+###
+### This program is distributed in the hope that it will be useful,
+### but WITHOUT ANY WARRANTY; without even the implied warranty of
+### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+### GNU General Public License for more details.
+###
+### You should have received a copy of the GNU General Public License
+### along with this program; if not, write to the Free Software Foundation,
+### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+###--------------------------------------------------------------------------
+### Global settings.
+
+SECTION(global, priv)m4_dnl
+prod_requires_admin = false
+
+SECTION(global, logging)m4_dnl
+log_file_path = : syslog
+log_selector = \
+ +smtp_confirmation \
+ +tls_peerdn
+log_timezone = true
+syslog_duplication = false
+syslog_timestamp = false
+
+SECTION(global, daemon)m4_dnl
+local_interfaces = <; CONF_interfaces
+extra_local_interfaces = <; 0.0.0.0 ; ::
+
+SECTION(global, resource)m4_dnl
+deliver_queue_load_max = 8
+queue_only_load = 12
+smtp_accept_max = 16
+smtp_accept_queue = 32
+smtp_accept_reserve = 4
+smtp_load_reserve = 10
+smtp_reserve_hosts = +trusted
+
+SECTION(global, policy)m4_dnl
+host_lookup = *
+
+SECTION(global, users)m4_dnl
+gecos_name = $1
+gecos_pattern = ([^,:]*)
+
+SECTION(global, incoming)m4_dnl
+received_header_text = Received: \
+ ${if def:sender_rcvhost {from $sender_rcvhost\n\t} \
+ {${if def:sender_ident \
+ {from ${quote_local_part:$sender_ident} }}\
+ ${if def:sender_helo_name \
+ {(helo=$sender_helo_name)\n\t}}}}\
+ by $primary_hostname \
+ ${if def:received_protocol \
+ {with $received_protocol \
+ ${if def:tls_cipher {(cipher=$tls_cipher)\n\t}}}}\
+ (Exim $version_number)\n\t\
+ ${if def:sender_address \
+ {(envelope-from <$sender_address>\
+ ${if def:authenticated_id \
+ {; auth=$authenticated_id}})\n\t}}\
+ id $message_exim_id\
+ ${if def:received_for {\n\tfor $received_for}}
+
+SECTION(global, smtp)m4_dnl
+smtp_return_error_details = true
+accept_8bitmime = true
+
+SECTION(global, process)m4_dnl
+extract_addresses_remove_arguments = false
+headers_charset = utf-8
+qualify_domain = CONF_master_domain
+
+SECTION(global, bounce)m4_dnl
+delay_warning = 1h : 24h : 2d
+
+DIVERT(null)
+###--------------------------------------------------------------------------
+### Access control lists.
+
+SECTION(global, acl-after)
+SECTION(global, acl)m4_dnl
+acl_smtp_helo = helo
+SECTION(acl, misc)m4_dnl
+helo:
+ require message = The other one has bells on
+ verify = helo
+
+ accept
+
+SECTION(global, acl)m4_dnl
+acl_smtp_mail = mail
+SECTION(acl, mail)m4_dnl
+mail:
+
+ ## Always allow the empty sender, so that we can receive bounces.
+ accept senders = :
+
+ ## Ensure that the sender is routable. This is important to prevent
+ ## undeliverable bounces.
+ require message = Invalid sender; \
+ ($sender_verify_failure; $acl_verify_message)
+ verify = sender
+
+ ## If this is directly from a client then hack on it for a while.
+ warn condition = ${if eq{$acl_c_mode}{submission}}
+ control = submission
+
+SECTION(acl, mail-tail)m4_dnl
+ ## And we're done.
+ accept
+
+SECTION(global, acl)m4_dnl
+acl_smtp_connect = connect
+SECTION(acl, connect)m4_dnl
+connect:
+SECTION(acl, connect-tail)m4_dnl
+ warn acl = check_submission
+ accept
+
+check_submission:
+ ## See whether this message needs hacking on.
+ accept !hosts = +localnet
+ !condition = ${if ={$received_port}{CONF_submission_port}}
+ set acl_c_mode = relay
+
+ ## Remember to apply submission controls.
+ warn set acl_c_mode = submission
+
+ ## Done.
+ accept
+
+SECTION(global, acl)m4_dnl
+acl_smtp_rcpt = rcpt
+SECTION(acl, rcpt)m4_dnl
+rcpt:
+
+ ## Reject if the client isn't allowed to relay and the recipient
+ ## isn't in one of our known domains.
+ deny message = Relaying not permitted
+ !hosts = CONF_relay_clients
+ !authenticated = *
+ !domains = +known
+
+ ## Ensure that the recipient is routable.
+ require message = Invalid recipient \
+ ($recipient_verify_failure; $acl_verify_message)
+ verify = recipient
+
+SECTION(acl, rcpt-tail)m4_dnl
+ ## Everything checks out OK: let this one go through.
+ accept
+
+SECTION(global, acl)m4_dnl
+acl_smtp_data = data
+SECTION(acl, data)m4_dnl
+data:
+
+SECTION(acl, data-tail)m4_dnl
+ accept
+
+SECTION(global, acl)m4_dnl
+acl_smtp_expn = expn_vrfy
+acl_smtp_vrfy = expn_vrfy
+SECTION(acl)m4_dnl
+expn_vrfy:
+ accept hosts = +trusted
+ deny message = Suck it and see
+
+DIVERT(null)
+###--------------------------------------------------------------------------
+### Common options for forwarding routers.
+
+## We're pretty permissive here.
+m4_define(<:FILTER_BASE:>,
+ <:driver = redirect
+ modemask = 002
+ check_owner = false
+ check_group = false
+ allow_filter = true
+ allow_defer = true
+ allow_fail = true
+ forbid_blackhole = false
+ check_ancestor = true:>)
+
+## Common options for forwarding routers at verification time.
+m4_define(<:FILTER_VERIFY:>,
+ <:verify_only = true
+ user = CONF_filter_user
+ forbid_filter_dlfunc = true
+ forbid_filter_logwrite = true
+ forbid_filter_perl = true
+ forbid_filter_readsocket = true
+ forbid_filter_run = true
+ file_transport = dummy
+ directory_transport = dummy
+ pipe_transport = dummy
+ reply_transport = dummy:>)
+
+## Transports for redirection filters.
+m4_define(<:FILTER_TRANSPORTS:>,
+ <:file_transport = mailbox
+ directory_transport = maildir
+ pipe_transport = pipe
+ reply_transport = reply:>)
+
+DIVERT(null)
+###--------------------------------------------------------------------------
+### Some standard transports.
+
+m4_define(<:USER_DELIVERY:>,
+ <:delivery_date_add = true
+ envelope_to_add = true
+ return_path_add = true:>)
+
+SECTION(transports)m4_dnl
+## A standard transport for remote delivery. Try to do TLS, and don't worry
+## too much if it's not very secure: the alternative is sending in plaintext
+## anyway.
+smtp:
+ driver = smtp
+ tls_require_ciphers = CONF_acceptable_ciphers
+ tls_dh_min_bits = 1020
+ tls_tempfail_tryclear = true
+
+## Transport to a local SMTP server; use TLS and perform client
+## authentication.
+smtp_local:
+ driver = smtp
+ hosts_require_tls = *
+ tls_certificate = CONF_sysconf_dir/client.cert
+ tls_privatekey = CONF_sysconf_dir/client.key
+ tls_verify_certificates = CONF_ca_dir/ca.cert
+ tls_require_ciphers = CONF_good_ciphers
+ tls_dh_min_bits = 3070
+ tls_tempfail_tryclear = false
+ authenticated_sender = ${if def:authenticated_id \
+ ${authenticated_id@CONF_master_domain} \
+ fail}
+
+## A standard transport for local delivery.
+deliver:
+ driver = appendfile
+ file = /var/mail/$local_part
+ USER_DELIVERY
+
+## Transports for user filters.
+mailbox:
+ driver = appendfile
+ USER_DELIVERY
+
+maildir:
+ driver = appendfile
+ maildir_format = true
+ USER_DELIVERY
+
+pipe:
+ driver = pipe
+ return_output = true
+
+## A special dummy transport for use during address verification.
+dummy:
+ driver = appendfile
+ file = /dev/null
+
+DIVERT(null)
+###--------------------------------------------------------------------------
+### Retry configuration.
+
+SECTION(retry, default)m4_dnl
+## Default.
+* * \
+ F,2h,15m; G,16h,2h,1.5; F,4d,6h
+
+DIVERT(null)
+###----- That's all, folks --------------------------------------------------
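Review bot: In the `smtp_local` transport the `authenticated_sender` expansion does not look well-formed: the true branch is written `${authenticated_id@CONF_master_domain}`, but `${if` expects a braced string there, so as written it would presumably raise an expansion error instead of producing an address. The likely intent is `{$authenticated_id@CONF_master_domain}`, keeping the unbraced `fail` as the forced-failure branch. The same transport sets `hosts_require_tls = *` and `tls_verify_certificates`, but nothing visible makes a failed certificate check fatal. On Exim releases that have the transport-level `tls_verify_hosts` option, verification is, as far as I can tell, only attempted by default, so adding `tls_verify_hosts = *` would ensure the client key and the AUTH= value are only offered to a verified peer. A one-line comment above `authenticated_sender` saying that the forced `fail` is deliberate for mail without an authenticated id would also help the next reader.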