Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!!# cPanel Exim 4 Config
- hostlist loopback = <; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8
- hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts
- hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts
- hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks
- hostlist backupmx_hosts = lsearch;/etc/backupmxhosts
- hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts
- hostlist relay_hosts = net-iplsearch;/etc/relayhosts
- domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}
- smtp_accept_queue_per_connection = 30
- remote_max_parallel = 10
- smtp_receive_timeout = 165s
- ignore_bounce_errors_after = 1d
- rfc1413_query_timeout = 0s
- timeout_frozen_after = 5d
- auto_thaw = 7d
- callout_domain_negative_expire = 1h
- callout_negative_expire = 1h
- acl_not_smtp = acl_not_smtp
- acl_smtp_connect = acl_smtp_connect
- acl_smtp_data = acl_smtp_data
- acl_smtp_mail = acl_smtp_mail
- acl_smtp_quit = acl_smtp_quit
- acl_smtp_notquit = acl_smtp_notquit
- acl_smtp_rcpt = acl_smtp_rcpt
- acl_smtp_dkim = acl_smtp_dkim
- message_body_newlines = true
- deliver_queue_load_max = 6
- queue_only_load = 12
- daemon_smtp_ports = 25 : 465 : 587
- tls_on_connect_ports = 465
- system_filter_user = cpaneleximfilter
- system_filter_group = cpaneleximfilter
- tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- spamd_address = 127.0.0.1 783
- # +incoming_port, +smtp_connection are needed for cPanel email tracking.
- # -retry_defer, +subject, +arguments, +received_recipients are suggested settings that may be disabled.
- log_selector = +incoming_port +smtp_connection -retry_defer +subject +arguments +received_recipients
- system_filter = /etc/cpanel_exim_system_filter
- #!!# These options specify the Access Control Lists (ACLs) that
- #!!# are used for incoming SMTP messages - after the RCPT and DATA
- #!!# commands, respectively.
- #!!# This setting defines a named domain list called
- #!!# local_domains, created from the old options that
- #!!# referred to local domains. It will be referenced
- #!!# later on by the syntax "+local_domains".
- #!!# Other domain and host lists may follow.
- domainlist local_domains = lsearch;/etc/localdomains
- domainlist outside_jail_domains = lsearch;/etc/outside_jail_domains
- domainlist relay_domains = lsearch;/etc/localdomains : \
- lsearch;/etc/secondarymx
- hostlist auth_relay_hosts = *
- ######################################################################
- # Runtime configuration file for Exim #
- ######################################################################
- # This is a default configuration file which will operate correctly in
- # uncomplicated installations. Please see the manual for a complete list
- # of all the runtime configuration options that can be included in a
- # configuration file. There are many more than are mentioned here. The
- # manual is in the file doc/spec.txt in the Exim distribution as a plain
- # ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
- # the Exim ftp sites. The manual is also online via the Exim web sites.
- # This file is divided into several parts, all but the last of which are
- # terminated by a line containing the word "end". The parts must appear
- # in the correct order, and all must be present (even if some of them are
- # in fact empty). Blank lines, and lines starting with # are ignored.
- ######################################################################
- # MAIN CONFIGURATION SETTINGS #
- ######################################################################
- perl_startup = do '/etc/exim.pl'
- #dns_retry = 1
- #dns_retrans = 1s
- # Specify your host's canonical name here. This should normally be the fully
- # qualified "official" name of your host. If this option is not set, the
- # uname() function is called to obtain the name.
- smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
- \#${compile_number} ${tod_full} \n\
- We do not authorize the use of this system to transport unsolicited, \n\
- and/or bulk e-mail."
- #nobody as the sender seems to annoy people
- untrusted_set_sender = *
- local_from_check = false
- split_spool_directory = yes
- smtp_connect_backlog = 50
- smtp_accept_max = 100
- # primary_hostname =
- # Specify the domain you want to be added to all unqualified addresses
- # here. An unqualified address is one that does not contain an "@" character
- # followed by a domain. For example, "caesar@rome.ex" is a fully qualified
- # address, but the string "caesar" (i.e. just a login name) is an unqualified
- # email address. Unqualified addresses are accepted only from local callers by
- # default. See the receiver_unqualified_{hosts,nets} options if you want
- # to permit unqualified addresses from remote sources. If this option is
- # not set, the primary_hostname value is used for qualification.
- # qualify_domain =
- # If you want unqualified recipient addresses to be qualified with a different
- # domain to unqualified sender addresses, specify the recipient domain here.
- # If this option is not set, the qualify_domain value is used.
- # qualify_recipient =
- # Specify your local domains as a colon-separated list here. If this option
- # is not set (i.e. not mentioned in the configuration file), the
- # qualify_recipient value is used as the only local domain. If you do not want
- # to do any local deliveries, uncomment the following line, but do not supply
- # any data for it. This sets local_domains to an empty string, which is not
- # the same as not mentioning it at all. An empty string specifies that there
- # are no local domains; not setting it at all causes the default value (the
- # setting of qualify_recipient) to be used.
- #!!# message_filter renamed system_filter
- message_body_visible = 5000
- # If you want to accept mail addressed to your host's literal IP address, for
- # example, mail addressed to "user@[111.111.111.111]", then uncomment the
- # following line, or supply the literal domain(s) as part of "local_domains"
- # above.
- # local_domains_include_host_literals
- # No local deliveries will ever be run under the uids of these users (a colon-
- # separated list). An attempt to do so gets changed so that it runs under the
- # uid of "nobody" instead. This is a paranoic safety catch. Note the default
- # setting means you cannot deliver mail addressed to root as if it were a
- # normal user. This isn't usually a problem, as most sites have an alias for
- # root that redirects such mail to a human administrator.
- never_users = root
- # The use of your host as a mail relay by any host, including the local host
- # calling its own SMTP port, is locked out by default. If you want to permit
- # relaying from the local host, you should set
- #
- # host_accept_relay = localhost
- #
- # If you want to permit relaying through your host from certain hosts or IP
- # networks, you need to set the option appropriately, for example
- #
- #
- #
- # If you are an MX backup or gateway of some kind for some domains, you must
- # set relay_domains to match those domains. This will allow any host to
- # relay through your host to those domains.
- #
- # See the section of the manual entitled "Control of relaying" for more
- # information.
- # The setting below causes Exim to do a reverse DNS lookup on all incoming
- # IP calls, in order to get the true host name. If you feel this is too
- # expensive, you can specify the networks for which a lookup is done, or
- # remove the setting entirely.
- #host_lookup = 0.0.0.0/0
- # By default, Exim expects all envelope addresses to be fully qualified, that
- # is, they must contain both a local part and a domain. If you want to accept
- # unqualified addresses (just a local part) from certain hosts, you can specify
- # these hosts by setting one or both of
- #
- # receiver_unqualified_hosts =
- # sender_unqualified_hosts =
- #
- # to control sender and receiver addresses, respectively. When this is done,
- # unqualified addresses are qualified using the settings of qualify_domain
- # and/or qualify_recipient (see above).
- # Exim contains support for the Realtime Blocking List (RBL) that is being
- # maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
- # Uncommenting the first line below will make Exim reject mail from any
- # host whose IP address is blacklisted in the RBL at maps.vix.com. Some
- # others have followed the RBL lead and have produced other lists: DUL is
- # a list of dial-up addresses, and ORBS is a list of open relay systems. The
- # second line below checks all three lists.
- # rbl_domains = rbl.maps.vix.com
- # rbl_domains = rbl.maps.vix.com
- # If you want Exim to support the "percent hack" for all your local domains,
- # uncomment the following line. This is the feature by which mail addressed
- # to x%y@z (where z is one of your local domains) is locally rerouted to
- # x@y and sent on. Otherwise x%y is treated as an ordinary local part.
- # percent_hack_domains = *
- #sender_host_accept = +include_unknown:*
- #sender_host_reject = +include_unknown:lsearch*;/etc/spammers
- tls_certificate = /etc/exim.crt
- tls_privatekey = /etc/exim.key
- tls_advertise_hosts = *
- helo_accept_junk_hosts = *
- smtp_enforce_sync = false
- #!!#######################################################!!#
- #!!# This new section of the configuration contains ACLs #!!#
- #!!# (Access Control Lists) derived from the Exim 3 #!!#
- #!!# policy control options. #!!#
- #!!#######################################################!!#
- #!!# These ACLs are crudely constructed from Exim 3 options.
- #!!# They are almost certainly not optimal. You should study
- #!!# them and rewrite as necessary.
- begin acl
- ########################################################################################
- # DO NOT ALTER THIS BLOCK
- ########################################################################################
- #
- # cPanel Default ACL Template Version: 10.34
- # Template: universal.dist
- #
- ########################################################################################
- # DO NOT ALTER THIS BLOCK
- ########################################################################################
- acl_not_smtp:
- #BEGIN ACL_OUTGOING_NOTSMTP_CHECKALL_BLOCK
- # BEGIN INSERT resolve_vhost_owner
- warn
- condition = ${if eq{$originator_uid}{${perl{user2uid}{nobody}}}{1}{0}}
- set acl_c_vhost_owner = ${perl{resolve_vhost_owner}}
- # END INSERT resolve_vhost_owner
- # BEGIN INSERT end_default_outgoing_notsmtp_checkall
- accept
- # END INSERT end_default_outgoing_notsmtp_checkall
- #END ACL_OUTGOING_NOTSMTP_CHECKALL_BLOCK
- #BEGIN ACL_NOT_SMTP_BLOCK
- #END ACL_NOT_SMTP_BLOCK
- acl_not_smtp_mime:
- #BEGIN ACL_NOT_SMTP_MIME_BLOCK
- #END ACL_NOT_SMTP_MIME_BLOCK
- acl_not_smtp_start:
- #BEGIN ACL_NOT_SMTP_START_BLOCK
- #END ACL_NOT_SMTP_START_BLOCK
- acl_smtp_auth:
- #BEGIN ACL_SMTP_AUTH_BLOCK
- #END ACL_SMTP_AUTH_BLOCK
- acl_smtp_connect:
- #BEGIN ACL_CONNECT_BLOCK
- # BEGIN INSERT ratelimit
- accept
- hosts = +trustedmailhosts
- accept
- condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
- # ignore pop before smtp
- accept
- hosts = +relay_hosts : +loopback
- accept
- hosts = +relay_hosts : +backupmx_hosts
- #only rate limit port 25
- accept
- condition = ${if eq {$interface_port}{25}{no}{yes}}
- defer
- message = The server has reached its limit for processing requests from your host. Please try again later.
- log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
- ratelimit = 1.2 / 1h / strict / per_conn / noupdate
- # END INSERT ratelimit
- # BEGIN INSERT slow_fail_block
- warn
- # host had a success in the last hour
- ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_accept_$sender_host_address
- set acl_m4 = 1
- defer
- condition = ${if eq {${acl_m4}}{1}{0}{1}}
- log_message = "Host is ratelimited due to multiple failure only connections ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
- ratelimit = 5 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address
- # END INSERT slow_fail_block
- # BEGIN INSERT spammerlist
- drop
- message = Your host is not allowed to connect to this server.
- log_message = Host is banned
- hosts = +spammeripblocks
- # END INSERT spammerlist
- #END ACL_CONNECT_BLOCK
- #BEGIN ACL_CONNECT_POST_BLOCK
- # BEGIN INSERT default_connect_post
- # do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
- #acl_smtp_notquit is required for this to work (exim 4.68)
- accept
- # END INSERT default_connect_post
- #END ACL_CONNECT_POST_BLOCK
- acl_smtp_data:
- # exiscan only
- # exiscan only
- #BEGIN ACL_OUTGOING_SMTP_CHECKALL_BLOCK
- #END ACL_OUTGOING_SMTP_CHECKALL_BLOCK
- #BEGIN ACL_CHECK_MESSAGE_PRE_BLOCK
- # BEGIN INSERT default_check_message_pre
- #
- # Enabling this will make the server non-rfc compliant
- # require verify = header_sender
- #
- accept hosts = +loopback : +relay_hosts
- accept hosts = *
- authenticated = *
- accept hosts = +trustedmailhosts
- accept
- condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
- # END INSERT default_check_message_pre
- #END ACL_CHECK_MESSAGE_PRE_BLOCK
- #BEGIN ACL_PRE_SPAM_SCAN
- # BEGIN INSERT mailproviders
- # Research in Motion - Blackberry white list
- accept
- condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
- # END INSERT mailproviders
- #END ACL_PRE_SPAM_SCAN
- #BEGIN ACL_SPAM_SCAN_BLOCK
- # BEGIN INSERT default_spam_scan
- warn
- condition = ${if eq {${acl_m0}}{1}{1}{0}}
- spam = ${acl_m1}/defer_ok
- log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
- add_header = X-Spam-Subject: ***SPAM*** $h_subject
- add_header = X-Spam-Status: Yes, score=$spam_score
- add_header = X-Spam-Score: $spam_score_int
- add_header = X-Spam-Bar: $spam_bar
- add_header = X-Spam-Report: $spam_report
- add_header = X-Spam-Flag: YES
- set acl_m2 = 1
- warn
- condition = ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}
- warn
- condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
- add_header = X-Spam-Status: No, score=$spam_score
- add_header = X-Spam-Score: $spam_score_int
- add_header = X-Spam-Bar: $spam_bar
- add_header = X-Ham-Report: $spam_report
- add_header = X-Spam-Flag: NO
- log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"
- # END INSERT default_spam_scan
- #END ACL_SPAM_SCAN_BLOCK
- # exiscan only
- # exiscan only
- #BEGIN ACL_RATELIMIT_SPAM_BLOCK
- #END ACL_RATELIMIT_SPAM_BLOCK
- #BEGIN ACL_SPAM_BLOCK
- #END ACL_SPAM_BLOCK
- #BEGIN ACL_CHECK_MESSAGE_POST_BLOCK
- # BEGIN INSERT default_check_message_post
- accept
- # END INSERT default_check_message_post
- #END ACL_CHECK_MESSAGE_POST_BLOCK
- acl_smtp_etrn:
- #BEGIN ACL_SMTP_ETRN_BLOCK
- #END ACL_SMTP_ETRN_BLOCK
- acl_smtp_helo:
- #BEGIN ACL_SMTP_HELO_BLOCK
- #END ACL_SMTP_HELO_BLOCK
- acl_smtp_mail:
- #BEGIN ACL_MAIL_PRE_BLOCK
- # BEGIN INSERT default_mail_pre
- # ignore authenticated hosts
- accept
- authenticated = *
- warn
- condition = ${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}}{0}}
- set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}
- # ignore pop before smtp
- accept
- hosts = +loopback : +relay_hosts
- # END INSERT default_mail_pre
- #END ACL_MAIL_PRE_BLOCK
- #BEGIN ACL_MAIL_BLOCK
- # BEGIN INSERT requirehelo
- deny
- condition = ${if eq{$sender_helo_name}{}}
- message = HELO required before MAIL
- # END INSERT requirehelo
- # BEGIN INSERT requirehelonoforge
- drop
- # if ($sender_helo_name eq $primary_hostname) {
- # if (defined $sender_host_address) {
- # return is_loopback($sender_host_address) ? 0 : 1; #ok from localhost
- # } else {
- # return 0; #exim -bs
- # }
- # } else {
- # return 0;
- # }
- condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}{${if def:sender_host_address {${if match_ip{$sender_host_address}{+loopback}{0}{1}}}{0}}}{0}}
- message = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
- drop
- condition = ${if eq{[$interface_address]}{$sender_helo_name}}
- message = "REJECTED - Interface: $interface_address is _my_ address"
- # END INSERT requirehelonoforge
- # BEGIN INSERT requirehelosyntax
- drop
- condition = ${if isip{$sender_helo_name}}
- message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
- drop
- # Required because "[IPv6:<address>]" will have no .s
- condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
- condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
- message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
- drop
- condition = ${if match{$sender_helo_name}{\N\.$\N}}
- message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
- drop
- condition = ${if match{$sender_helo_name}{\N\.\.\N}}
- message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
- # END INSERT requirehelosyntax
- #END ACL_MAIL_BLOCK
- #BEGIN ACL_MAIL_POST_BLOCK
- # BEGIN INSERT default_mail_post
- accept
- # END INSERT default_mail_post
- #END ACL_MAIL_POST_BLOCK
- acl_smtp_mailauth:
- #BEGIN ACL_SMTP_MAILAUTH_BLOCK
- #END ACL_SMTP_MAILAUTH_BLOCK
- acl_smtp_mime:
- #BEGIN ACL_SMTP_MIME_BLOCK
- #END ACL_SMTP_MIME_BLOCK
- acl_smtp_notquit:
- #BEGIN ACL_NOTQUIT_BLOCK
- # BEGIN INSERT ratelimit
- # ignore authenticated hosts
- accept authenticated = *
- # ignore pop before smtp
- accept hosts = +relay_hosts : +loopback
- #only rate limit port 25
- accept condition = ${if eq {$interface_port}{25}{no}{yes}}
- warn condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
- log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
- ratelimit = 1.2 / 1h / strict / per_conn
- # END INSERT ratelimit
- #END ACL_NOTQUIT_BLOCK
- acl_smtp_predata:
- #BEGIN ACL_SMTP_PREDATA_BLOCK
- #END ACL_SMTP_PREDATA_BLOCK
- acl_smtp_quit:
- #BEGIN ACL_SMTP_QUIT_BLOCK
- # BEGIN INSERT slow_fail_block
- warn
- log_message = "Detected session with all messages failed"
- condition = ${if >= {${eval:$rcpt_count}}{1}{${if == {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
- set acl_m6 = 1
- warn
- condition = ${if eq {${acl_m6}}{1}{1}{0}}
- ratelimit = 0 / 1h / strict / per_conn / slow_fail_block_$sender_host_address
- log_message = "Increment slow_fail_block Ratelimit - $sender_fullhost because of all messages failed"
- warn
- ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address
- condition = ${if >= {${eval:$rcpt_count}}{1}{${if < {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
- set acl_m5 = 1
- log_message = "Detected session with ok message that previous had all failed"
- warn
- condition = ${if eq {${acl_m5}}{1}{1}{0}}
- ratelimit = 0 / 1h / strict / per_conn / slow_fail_accept_$sender_host_address
- log_message = "Decrement slow_fail_lock Ratelimit - $sender_fullhost because one message was successful"
- # END INSERT slow_fail_block
- #END ACL_SMTP_QUIT_BLOCK
- acl_smtp_rcpt:
- #BEGIN ACL_RATELIMIT_BLOCK
- #END ACL_RATELIMIT_BLOCK
- #BEGIN ACL_PRE_RECIPIENT_BLOCK
- #END ACL_PRE_RECIPIENT_BLOCK
- #BEGIN ACL_RECIPIENT_BLOCK
- # BEGIN INSERT default_recipient
- accept hosts = :
- accept hosts = +skipsmtpcheck_hosts
- # END INSERT default_recipient
- #END ACL_RECIPIENT_BLOCK
- #mailman only
- #BEGIN ACL_RECIPIENT_MAILMAN_BLOCK
- # BEGIN INSERT default_recipient_mailman
- # Accept bounces to lists even if callbacks or other checks would fail
- warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
- condition = \
- ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
- {yes}{no}}
- accept condition = \
- ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
- {yes}{no}}
- # Accept bounces to lists even if callbacks or other checks would fail
- warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
- condition = \
- ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
- {yes}{no}}
- accept condition = \
- ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
- {yes}{no}}
- #if it gets here it isn't mailman
- # END INSERT default_recipient_mailman
- #END ACL_RECIPIENT_MAILMAN_BLOCK
- #mailman only
- #BEGIN ACL_IDENTIFY_SENDER_BLOCK
- # BEGIN INSERT default_identify_sender
- # deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
- deny hosts = ! +senderverifybypass_hosts
- ! verify = sender
- accept hosts = *
- authenticated = *
- # if they used "pop before smtp" and its not bound for a localdomain we remember the relayhosts_domain
- warn hosts = +relay_hosts
- domains = ! +local_domains
- set acl_c_relayhosts_text_entry = ${perl{get_relayhosts_text_entry}{1}}
- add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}
- # if they used "pop before smtp" then we just accept
- accept hosts = +relay_hosts
- # we need to check alwaysrelay since we don't require antirelayd to be enabled
- warn
- condition = ${if eq {$acl_c_relayhosts_text_entry}{}{${if exists {/etc/alwaysrelay}{${lookup{$sender_host_address}iplsearch{/etc/alwaysrelay}{1}{0}}}{0}}}{0}}
- set acl_c_relayhosts_text_entry = ${perl{get_relayhosts_text_entry}{1}}
- set acl_c_alwaysrelay = 1
- accept
- condition = $acl_c_alwaysrelay
- #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
- # a clogged outbox in outlook
- # If we skipped identifying the sender in acl_smtp_mail (ie !def:acl_c_authenticated_local_user)
- # We need to do it here before we can test the two drops
- warn
- condition = ${if def:acl_c_authenticated_local_user {0}{${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}}{0}}}}
- set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}
- # drop connections to localhost that are from demo accounts (required for manual connections)
- drop
- condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
- {def:acl_c_authenticated_local_user}} \
- {${lookup{$acl_c_authenticated_local_user}lsearch{/etc/demousers}{yes}{no}}}{no}}
- message = Demo accounts may not send mail
- # drop connections to localhost that fail auth (required for Horde)
- drop
- condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
- {def:authentication_failed}} \
- {$authentication_failed}{no}}
- message = Authentication failed
- # we learned this in the acl_smtp_mail block
- accept
- condition = ${if def:acl_c_authenticated_local_user {yes}{no}}
- # END INSERT default_identify_sender
- # BEGIN INSERT default_message_submission
- # Reject unauthenticated relay on port 587
- drop
- condition = ${if eq{$interface_port}{587}{1}{0}}
- message = SMTP AUTH is required for message submission on port 587
- # END INSERT default_message_submission
- #END ACL_IDENTIFY_SENDER_BLOCK
- #BEGIN ACL_RECP_VERIFY_BLOCK
- # BEGIN INSERT default_recp_verify
- #recipient verifications are required for all messages that are not sent to the local machine #this was done at multiple users requests
- require verify = recipient
- # END INSERT default_recp_verify
- #END ACL_RECP_VERIFY_BLOCK
- #BEGIN ACL_POST_RECP_VERIFY_BLOCK
- # BEGIN INSERT dictionary_attack
- warn
- log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
- condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
- set acl_m7 = 1
- warn
- condition = ${if eq {${acl_m7}}{1}{1}{0}}
- ratelimit = 0 / 1h / strict / per_conn
- log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"
- drop
- condition = ${if eq {${acl_m7}}{1}{1}{0}}
- message = "Number of failed recipients exceeded. Come back in a few hours."
- # END INSERT dictionary_attack
- #END ACL_POST_RECP_VERIFY_BLOCK
- #BEGIN ACL_TRUSTEDLIST_BLOCK
- # BEGIN INSERT trustedmailhosts
- accept
- hosts = +trustedmailhosts
- accept
- condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
- # END INSERT trustedmailhosts
- #END ACL_TRUSTEDLIST_BLOCK
- #BEGIN ACL_RBL_BLOCK
- # BEGIN INSERT spamcop_rbl
- deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
- hosts = +backupmx_hosts
- dnslists = bl.spamcop.net
- warn
- dnslists = bl.spamcop.net
- set acl_m8 = 1
- set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
- warn
- condition = ${if eq {${acl_m8}}{1}{1}{0}}
- ratelimit = 0 / 1h / strict / per_conn
- log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
- drop
- condition = ${if eq {${acl_m8}}{1}{1}{0}}
- message = ${acl_m9}
- # END INSERT spamcop_rbl
- # BEGIN INSERT spamhaus_rbl
- deny message = JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text
- hosts = +backupmx_hosts
- dnslists = zen.spamhaus.org
- warn
- dnslists = zen.spamhaus.org
- set acl_m8 = 1
- set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL, see $dnslist_text"
- warn
- condition = ${if eq {${acl_m8}}{1}{1}{0}}
- ratelimit = 0 / 1h / strict / per_conn
- log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"
- drop
- condition = ${if eq {${acl_m8}}{1}{1}{0}}
- message = ${acl_m9}
- # END INSERT spamhaus_rbl
- #END ACL_RBL_BLOCK
- #BEGIN ACL_MAILAUTH_BLOCK
- #END ACL_MAILAUTH_BLOCK
- #BEGIN ACL_RCPT_HARD_LIMIT_BLOCK
- #END ACL_RCPT_HARD_LIMIT_BLOCK
- #BEGIN ACL_RCPT_SOFT_LIMIT_BLOCK
- #END ACL_RCPT_SOFT_LIMIT_BLOCK
- #BEGIN ACL_SPAM_SCAN_CHECK_BLOCK
- # BEGIN INSERT default_spam_scan_check
- # The only problem with this setup is that if the message is for multiple users on the same server
- # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
- # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
- warn domains = ! ${primary_hostname} : +local_domains
- condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
- set acl_m0 = 1
- set acl_m1 = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}
- warn domains = ${primary_hostname}
- condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
- set acl_m0 = 1
- set acl_m1 = $local_part
- # END INSERT default_spam_scan_check
- #END ACL_SPAM_SCAN_CHECK_BLOCK
- #BEGIN ACL_POST_SPAM_SCAN_CHECK_BLOCK
- # BEGIN INSERT mailproviders
- # Research in Motion - Blackberry white list
- warn
- condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
- set acl_m0 = 0
- # END INSERT mailproviders
- #END ACL_POST_SPAM_SCAN_CHECK_BLOCK
- #BEGIN ACL_RECIPIENT_POST_BLOCK
- # BEGIN INSERT default_recipient_post
- accept domains = +relay_domains
- deny message = ${expand:${lookup{host_accept_relay}lsearch{/etc/eximrejects}{$value}}}
- # END INSERT default_recipient_post
- #END ACL_RECIPIENT_POST_BLOCK
- acl_smtp_starttls:
- #BEGIN ACL_SMTP_STARTTLS_BLOCK
- #END ACL_SMTP_STARTTLS_BLOCK
- acl_smtp_vrfy:
- #BEGIN ACL_SMTP_SMTP_VRFY_BLOCK
- #END ACL_SMTP_SMTP_VRFY_BLOCK
- acl_smtp_dkim:
- #BEGIN ACL_SMTP_DKIM_BLOCK
- # BEGIN INSERT dkim_bl
- deny message = DKIM: encountered the following problem validating $dkim_cur_signer: $dkim_verify_reason
- dkim_status = invalid:fail
- accept
- # END INSERT dkim_bl
- #END ACL_SMTP_DKIM_BLOCK
- begin authenticators
- dovecot_plain:
- driver = dovecot
- public_name = PLAIN
- server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth1
- server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
- dovecot_login:
- driver = dovecot
- public_name = LOGIN
- server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth1
- server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
- ######################################################################
- # REWRITE CONFIGURATION #
- ######################################################################
- # There are no rewriting specifications in this default configuration file.
- begin rewrite
- #!!#######################################################!!#
- #!!# Here follow routers created from the old routers, #!!#
- #!!# for handling non-local domains. #!!#
- #!!#######################################################!!#
- begin routers
- ######################################################################
- # ROUTERS CONFIGURATION #
- # Specifies how remote addresses are handled #
- ######################################################################
- # ORDER DOES MATTER #
- # A remote address is passed to each in turn until it is accepted. #
- ######################################################################
- # Remote addresses are those with a domain that does not match any item
- # in the "local_domains" setting above.
- mailman_virtual_router:
- driver = accept
- require_files = /usr/local/cpanel/3rdparty/mailman/mail/mailman : /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
- local_part_suffix_optional
- local_part_suffix = -admin : \
- -bounces : -bounces+* : \
- -confirm : -confirm+* : \
- -join : -leave : \
- -owner : -request : \
- -subscribe : -unsubscribe
- transport = mailman_virtual_transport
- mailman_virtual_router_nodns:
- driver = accept
- require_files = /usr/local/cpanel/3rdparty/mailman/mail/mailman : /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
- condition = \
- ${if or {{match{$local_part}{.*_.*}} \
- {eq{$local_part}{mailman}}} \
- {1}{0}}
- local_part_suffix_optional
- local_part_suffix = -admin : \
- -bounces : -bounces+* : \
- -confirm : -confirm+* : \
- -join : -leave : \
- -owner : -request : \
- -subscribe : -unsubscribe
- domains = +local_domains
- transport = mailman_virtual_transport_nodns
- democheck:
- driver = redirect
- require_files = "+/etc/demouids"
- condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
- allow_fail
- data = :fail: demo accounts are not permitted to relay email
- # cPanel Mail Archiving is disabled
- #
- # Handles identification of messages, nobody and webspam and mail trap checks
- # in check_mail_permissions and notifies if we are defering a message
- #
- boxtrapper_autowhitelist:
- driver = accept
- condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if eq{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$sender_ident}}}{0}}}}}}}}
- require_files = "+/usr/local/cpanel/bin/boxtrapper"
- transport = boxtrapper_autowhitelist
- no_verify
- unseen
- check_mail_permissions:
- domains = ! +local_domains
- condition = "${perl{check_mail_permissions}}"
- driver = redirect
- ignore_target_hosts = +loopback : 64.94.110.0/24
- allow_filter
- reply_transport = address_reply
- user = mailnull
- expn = false
- data = "${perl{check_mail_permissions_results}}"
- #
- # discover_sender_information is not included
- # because from_rewrites are not enabled
- #
- #
- # If check_mail_permissions needs to defer or fail a message it is done here
- #
- enforce_mail_permissions:
- domains = ! +local_domains
- condition = "${perl{enforce_mail_permissions}}"
- driver = redirect
- ignore_target_hosts = +loopback : 64.94.110.0/24
- allow_fail
- allow_defer
- expn = false
- data = "${perl{enforce_mail_permissions_results}}"
- #
- # Increments max emails per hour if needed
- #
- increment_max_emails_per_hour_if_needed:
- domains = ! +local_domains
- condition = "${perl{increment_max_emails_per_hour_if_needed}}"
- driver = redirect
- ignore_target_hosts = +loopback : 64.94.110.0/24
- allow_fail
- no_verify
- one_time
- expn = false
- data = ":unknown:"
- #
- # Lookup host router for remote smtp and ignores verisign site finder 'service'
- # and uses domain keys
- # This matches lookup exactly except we look for X-Boxtrapper: so we can determine
- # what is a boxtrapper generated message in the log. Note: there is nothing to
- # prevent X-Boxtrapper from being added to non-boxtrapper messages so this is for
- # logging reasons only
- #
- boxtrapper_verify_dkim_lookuphost:
- driver = dnslookup
- domains = ! +local_domains
- condition = "${if eq {$h_X-Boxtrapper:}{}{0}{1}}"
- #ignore verisign to prevent waste of bandwidth
- ignore_target_hosts = +loopback : 64.94.110.0/24
- require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
- headers_add = "${perl{mailtrapheaders}}"
- transport = dkim_remote_smtp
- #
- # Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys
- #
- dkim_lookuphost:
- driver = dnslookup
- domains = ! +local_domains
- #ignore verisign to prevent waste of bandwidth
- ignore_target_hosts = +loopback : 64.94.110.0/24
- require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
- headers_add = "${perl{mailtrapheaders}}"
- transport = dkim_remote_smtp
- #
- # Lookup host router for remote smtp and ignores verisign site finder 'service'
- # This matches lookup exactly except we look for X-Boxtrapper: so we can determine
- # what is a boxtrapper generated message in the log. Note: there is nothing to
- # prevent X-Boxtrapper from being added to non-boxtrapper messages so this is for
- # logging reasons only
- #
- boxtrapper_verify_lookuphost:
- driver = dnslookup
- domains = ! +local_domains
- condition = "${if eq {$h_X-Boxtrapper:}{}{0}{1}}"
- #ignore verisign to prevent waste of bandwidth
- ignore_target_hosts = +loopback : 64.94.110.0/24
- headers_add = "${perl{mailtrapheaders}}"
- transport = remote_smtp
- #
- # Lookup host router for remote smtp and ignores verisign site finder 'service'
- #
- lookuphost:
- driver = dnslookup
- domains = ! +local_domains
- #ignore verisign to prevent waste of bandwidth
- ignore_target_hosts = +loopback : 64.94.110.0/24
- headers_add = "${perl{mailtrapheaders}}"
- transport = remote_smtp
- # This router routes to remote hosts over SMTP by explicit IP address,
- # given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
- # require this facility, which is why it is enabled by default in Exim.
- # If you want to lock it out, set forbid_domain_literals in the main
- # configuration section above.
- #
- # Literal Transports .. ignores verisigns sitefinder service
- #
- literal:
- driver = ipliteral
- domains = ! +local_domains
- headers_add = "${perl{mailtrapheaders}}"
- ignore_target_hosts = +loopback : 64.94.110.0/24
- transport = remote_smtp
- #!!# This new router is put here to fail all domains that
- #!!# were not in local_domains in the Exim 3 configuration.
- #
- # Trap Failures to Remote Domain
- #
- fail_remote_domains:
- driver = redirect
- domains = ! +local_domains : ! localhost : ! localhost.localdomain
- allow_fail
- data = ":fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."
- #!!#######################################################!!#
- #!!# Here follow routers created from the old directors, #!!#
- #!!# for handling local domains. #!!#
- #!!#######################################################!!#
- deliver_local_outside_jail:
- driver = manualroute
- domains = +outside_jail_domains
- # users outside the jail will not be in /etc/passwd => We need to check if $local_part is in /jail_owner
- # we can't just check to see if they exist
- # because we still want to be able to mail root
- condition = ${if exists {/jail_owner}{${if eq {$domain}{$primary_hostname}{${if eq {${readfile{/jail_owner}}}{$local_part}{0}{1}}}{1}}}{0}}
- transport = remote_smtp
- route_list = "* 127.0.0.1"
- # self = send allows us to send outside the jail
- # we make sure /home/virtfs does not exist before we get here
- # to be safe
- self = send
- ######################################################################
- # DIRECTORS CONFIGURATION #
- # Specifies how local addresses are handled #
- ######################################################################
- # ORDER DOES MATTER #
- # A local address is passed to each in turn until it is accepted. #
- ######################################################################
- # Local addresses are those with a domain that matches some item in the
- # "local_domains" setting above, or those which are passed back from the
- # routers because of a "self=local" setting (not used in this configuration).
- # This director handles aliasing using a traditional /etc/aliases file.
- # If any of your aliases expand to pipes or files, you will need to set
- # up a user and a group for these deliveries to run under. You can do
- # this by uncommenting the "user" option below (changing the user name
- # as appropriate) and adding a "group" option if necessary. Alternatively, you
- # can specify "user" on the transports that are used. Note that those
- # listed below are the same as are used for .forward files; you might want
- # to set up different ones for pipe and file deliveries from aliases.
- #spam_filter:
- # driver = forwardfile
- # file = /etc/spam.filter
- # no_check_local_user
- # no_verify
- # filter
- # allow_system_actions
- #
- # Optimized spamassassin router (not used if acl spam management is enabled)
- #
- virtual_user_maildir_overquota:
- driver = redirect
- domains = +user_domains
- router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}
- require_files = $home/etc/$domain
- condition = "${if exists {$home/etc/$domain/quota}{${if > {${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{0}{${perl{checkuserquota}{$domain}{$local_part}{$message_size}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{$home/mail/$domain/$local_part/maildirsize}}}{false}}}{false}}"
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- data = :fail:Mailbox quota exceeded
- allow_fail
- #
- # Optimized spamassasin router (not used if acl spam management is enabled)
- #
- #
- # Account level filtering for everything but the main account
- #
- central_filter:
- driver = redirect
- allow_filter
- allow_fail
- forbid_filter_run
- forbid_filter_perl
- forbid_filter_lookup
- forbid_filter_readfile
- forbid_filter_readsocket
- no_check_local_user
- require_files = "+/etc/vfilters/${domain}"
- condition = "${extract{size}{${stat:/etc/vfilters/${domain}}}}"
- file = /etc/vfilters/${domain}
- file_transport = address_file
- directory_transport = address_directory
- domains = +user_domains
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}}{\N(jail|no)shell\N}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}
- reply_transport = address_reply
- router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- no_verify
- #
- # Account level filtering for the main account
- #
- # checks /etc/vfilters/maindomain if its a localuser (ie main acct)
- #
- mainacct_central_user_filter:
- driver = redirect
- allow_filter
- allow_fail
- forbid_filter_run
- forbid_filter_perl
- forbid_filter_lookup
- forbid_filter_readfile
- forbid_filter_readsocket
- check_local_user
- domains = ! +user_domains
- condition = ${if eq {${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{}{0}{${if exists {/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{${extract{size}{${stat:/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}}}}{0}}}}
- file = "/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}"
- directory_transport = address_directory
- file_transport = address_file
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{$local_part}{$value}}}}}{\N(jail|no)shell\N}{jailed_address_pipe}{address_pipe}}}}
- reply_transport = address_reply
- retry_use_local_part
- no_verify
- #
- # User Level Filtering for the main account
- #
- central_user_filter:
- driver = redirect
- allow_filter
- allow_fail
- forbid_filter_run
- forbid_filter_perl
- forbid_filter_lookup
- forbid_filter_readfile
- forbid_filter_readsocket
- check_local_user
- domains = ! +user_domains
- require_files = "+${extract{5}{::}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
- condition = "${extract{size}{${stat:${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter}}}"
- file = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
- router_home_directory = ${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}
- directory_transport = address_directory
- file_transport = address_file
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}}{\N(jail|no)shell\N}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}
- reply_transport = address_reply
- retry_use_local_part
- no_verify
- #
- # User Level Filtering for virtual users
- #
- virtual_user_filter:
- driver = redirect
- allow_filter
- allow_fail
- forbid_filter_run
- forbid_filter_perl
- forbid_filter_lookup
- forbid_filter_readfile
- forbid_filter_readsocket
- no_check_local_user
- domains = +user_domains
- require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
- condition = "${extract{size}{${stat:${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter}}}"
- file = "${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
- router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
- directory_transport = address_directory
- file_transport = address_file
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}}{\N(jail|no)shell\N}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}
- reply_transport = address_reply
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- retry_use_local_part
- no_verify
- virtual_aliases_nostar:
- driver = redirect
- allow_defer
- allow_fail
- require_files = "+/etc/valiases/$domain"
- data = ${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}
- file_transport = address_file
- group = mail
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}}{\N(jail|no)shell\N}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}
- retry_use_local_part
- unseen
- #
- # Virtual User Spam Boxes
- #
- virtual_user_spam:
- driver = accept
- domains = +user_domains
- require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
- condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{}{false}{${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}}}
- headers_remove="x-spam-exim"
- transport = virtual_userdelivery_spam
- virtual_boxtrapper_user:
- driver = accept
- domains = +user_domains
- require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
- condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/.boxtrapperenable} {true} {false}}}}
- retry_use_local_part
- transport = virtual_boxtrapper_userdelivery
- virtual_user:
- driver = accept
- headers_remove="x-spam-exim"
- domains = +user_domains
- require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
- condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{true}}
- transport = virtual_userdelivery
- has_alias_but_no_mailbox_discarded_to_prevent_loop:
- driver = redirect
- require_files = "+/etc/valiases/$domain"
- domains = +user_domains
- condition = "${perl{checkvalias}{$domain}{$local_part}}"
- data="#Exim Filter\nseen finish"
- group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- allow_filter
- disable_logging = true
- valias_domain_file:
- driver = redirect
- allow_defer
- allow_fail
- require_files = +/etc/vdomainaliases/$domain
- condition = ${lookup {$domain} lsearch {/etc/vdomainaliases/$domain}{yes}{no} }
- data = $local_part@${lookup {$domain} lsearch {/etc/vdomainaliases/$domain} }
- virtual_aliases:
- driver = redirect
- allow_defer
- allow_fail
- require_files = "+/etc/valiases/$domain"
- data = ${lookup{*}lsearch{/etc/valiases/$domain}}
- file_transport = address_file
- group = mail
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_virtual_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}}{\N(jail|no)shell\N}{jailed_virtual_address_pipe}{virtual_address_pipe}}}}
- # This director handles forwarding using traditional .forward files.
- # If you want it also to allow mail filtering when a forward file
- # starts with the string "# Exim filter", uncomment the "filter" option.
- # The check_ancestor option means that if the forward file generates an
- # address that is an ancestor of the current one, the current one gets
- # passed on instead. This covers the case where A is aliased to B and B
- # has a .forward file pointing to A. The three transports specified at the
- # end are those that are used when forwarding generates a direct delivery
- # to a file, or to a pipe, or sets up an auto-reply, respectively.
- system_aliases:
- driver = redirect
- allow_defer
- allow_fail
- data = ${lookup{$local_part}lsearch{/etc/aliases}}
- file_transport = address_file
- pipe_transport = address_pipe
- retry_use_local_part
- # user = exim
- local_aliases:
- driver = redirect
- allow_defer
- allow_fail
- data = ${lookup{$local_part}lsearch{/etc/localaliases}}
- file_transport = address_file
- pipe_transport = address_pipe
- check_local_user
- userforward:
- driver = redirect
- allow_filter
- allow_fail
- forbid_filter_run
- forbid_filter_perl
- forbid_filter_lookup
- forbid_filter_readfile
- forbid_filter_readsocket
- check_ancestor
- check_local_user
- domains = ! +user_domains
- no_expn
- require_files = "+$home/.forward"
- condition = "${extract{size}{${stat:$home/.forward}}}"
- file = $home/.forward
- file_transport = address_file
- pipe_transport = ${if forall{/bin/cagefs_enter:/usr/sbin/cagefsctl}{exists{$item}}{cagefs_address_pipe}{${if match{${extract{6}{:}{${lookup passwd{$local_part}{$value}}}}}{\N(jail|no)shell\N}{jailed_address_pipe}{address_pipe}}}}
- reply_transport = address_reply
- directory_transport = address_directory
- no_verify
- #
- # Optimzied spambox router
- #
- localuser_spam:
- driver = accept
- headers_remove="x-spam-exim"
- domains = ! +user_domains
- require_files = "+$home/.spamassassinboxenable"
- condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}
- check_local_user
- transport = local_delivery_spam
- boxtrapper_localuser:
- driver = accept
- require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
- check_local_user
- domains = ! +user_domains
- transport = local_boxtrapper_delivery
- localuser:
- driver = accept
- headers_remove="x-spam-exim"
- check_local_user
- domains = ! +user_domains
- transport = local_delivery
- # This director matches local user mailboxes.
- ######################################################################
- # TRANSPORTS CONFIGURATION #
- ######################################################################
- # ORDER DOES NOT MATTER #
- # Only one appropriate transport is called for each delivery. #
- ######################################################################
- # A transport is used only when referenced from a director or a router that
- # successfully handles an address.
- # This transport is used for delivering messages over SMTP connections.
- begin transports
- mailman_virtual_transport:
- driver = pipe
- command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
- '${if def:local_part_suffix \
- {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
- {post}}' \
- ${lc:$local_part}_${lc:$domain}
- current_directory = /usr/local/cpanel/3rdparty/mailman
- home_directory = /usr/local/cpanel/3rdparty/mailman
- user = mailman
- group = mailman
- mailman_virtual_transport_nodns:
- driver = pipe
- command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
- '${if def:local_part_suffix \
- {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
- {post}}' \
- ${lc:$local_part}
- current_directory = /usr/local/cpanel/3rdparty/mailman
- home_directory = /usr/local/cpanel/3rdparty/mailman
- user = mailman
- group = mailman
- remote_smtp:
- driver = smtp
- interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
- helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
- dkim_remote_smtp:
- driver = smtp
- interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
- helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
- dkim_domain = $sender_address_domain
- dkim_selector = default
- dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
- dkim_canon = relaxed
- # This transport is used for local delivery to user mailboxes. By default
- # it will be run under the uid and gid of the local user, and requires
- # the sticky bit to be set on the /var/mail directory. Some systems use
- # the alternative approach of running mail deliveries under a particular
- # group instead of using the sticky bit. The commented options below show
- # how this can be done.
- local_delivery:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail"
- maildir_use_size_file
- maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
- maildir_format
- maildir_tag = ,S=$message_size
- quota_size_regex = ,S=(\d+)
- mode = 0660
- return_path_add
- group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
- user = $local_part
- shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part}{1}{0}}
- shadow_transport = rim_bis_notifier_local_user
- rim_bis_notifier_local_user:
- driver = pipe
- headers_only
- command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}"
- group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
- user = $local_part
- log_output = true
- current_directory = "/tmp"
- return_fail_output = true
- return_path_add = false
- local_delivery_spam:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail/.spam"
- maildir_use_size_file
- maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
- maildir_format
- maildir_tag = ,S=$message_size
- quota_size_regex = ,S=(\d+)
- group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
- mode = 0660
- return_path_add
- user = $local_part
- # This transport is used for handling pipe deliveries generated by alias
- # or .forward files. If the pipe generates any standard output, it is returned
- # to the sender of the message as a delivery error. Set return_fail_output
- # instead of return_output if you want this to happen only when the pipe fails
- # to complete normally. You can set different transports for aliases and
- # forwards if you want to - see the references to address_pipe below.
- address_directory:
- driver = appendfile
- maildir_tag = ,S=$message_size
- quota_size_regex = ,S=(\d+)
- maildir_format
- maildir_use_size_file
- maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
- mode = 0660
- delivery_date_add
- envelope_to_add
- return_path_add
- address_pipe:
- driver = pipe
- return_output
- virtual_address_pipe:
- driver = pipe
- group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- return_output
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- jailed_address_pipe:
- driver = pipe
- force_command
- command = /usr/local/cpanel/bin/jailexec $address_pipe
- return_output
- jailed_virtual_address_pipe:
- driver = pipe
- force_command
- command = /usr/local/cpanel/bin/jailexec $address_pipe
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- return_output
- cagefs_address_pipe:
- driver = pipe
- force_command
- command = /bin/cagefs_enter $address_pipe
- return_output
- cagefs_virtual_address_pipe:
- driver = pipe
- force_command
- command = /bin/cagefs_enter $address_pipe
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- return_output
- # This transport is used for handling deliveries directly to files that are
- # generated by aliassing or forwarding.
- address_file:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- return_path_add
- # This transport is used for handling autoreplies generated by the filtering
- # option of the forwardfile director.
- virtual_userdelivery_spam:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}/.spam"
- maildir_use_size_file
- maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
- maildir_format
- maildir_tag = ,S=$message_size
- quota_size_regex = ,S=(\d+)
- mode = 0660
- quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
- quota_is_inclusive = false
- quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
- return_path_add
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
- boxtrapper_autowhitelist:
- driver = pipe
- headers_only
- command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${authenticated_id}"
- user = ${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}
- group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}}{$value}}}}
- log_output = true
- current_directory = "/tmp"
- return_fail_output = true
- return_path_add = false
- local_boxtrapper_delivery:
- driver = pipe
- command = /usr/local/cpanel/bin/boxtrapper "${local_part}" $home
- user = $local_part
- group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
- log_output = true
- current_directory = "/tmp"
- return_fail_output = true
- return_path_add = false
- virtual_boxtrapper_userdelivery:
- driver = pipe
- command = /usr/local/cpanel/bin/boxtrapper "${local_part}@${domain}" $home
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
- log_output = true
- current_directory = "/tmp"
- return_fail_output = true
- return_path_add = false
- virtual_userdelivery:
- driver = appendfile
- delivery_date_add
- envelope_to_add
- directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
- maildir_use_size_file
- maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
- maildir_format
- maildir_tag = ,S=$message_size
- quota_size_regex = ,S=(\d+)
- mode = 0660
- quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
- quota_is_inclusive = false
- quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
- return_path_add
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
- shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part@$domain}{1}{0}}
- shadow_transport = rim_bis_notifier_virtual_user
- rim_bis_notifier_virtual_user:
- driver = pipe
- headers_only
- command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}@${domain}"
- user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
- group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
- log_output = true
- current_directory = "/tmp"
- return_fail_output = true
- return_path_add = false
- address_reply:
- driver = autoreply
- # cPanel Mail Archiving is disabled
- ######################################################################
- # RETRY CONFIGURATION #
- ######################################################################
- # This single retry rule applies to all domains and all errors. It specifies
- # retries every 15 minutes for 2 hours, then increasing retry intervals,
- # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
- # hours, then retries every 8 hours until 4 days have passed since the first
- # failed delivery.
- # Domain Error Retries
- # ------ ----- -------
- begin retry
- * quota
- * * F,2h,15m; G,16h,1h,1.5; F,4d,8h
- # End of Exim 4 configuration
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement