#!!# cPanel Exim 4 Config

# Named host and domain lists. Each is referenced later as "+name".
# The leading "<;" switches the list separator to ";" so that the IPv6
# entries can contain colons.
hostlist loopback = <; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8
# The lists below are read from files under /etc at lookup time, so whoever
# can write those files controls who bypasses sender verification, SMTP
# checks and connection blocking.
# NOTE(review): confirm these files are writable by root only.
hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts
hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts
hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks
hostlist backupmx_hosts = lsearch;/etc/backupmxhosts
hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts
# Expands to a lookup in /etc/userdomains when that file exists; otherwise
# the expansion is forced to fail.
domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}

# Timeouts and queue housekeeping.
smtp_receive_timeout = 165s
ignore_bounce_errors_after = 3d
timeout_frozen_after = 5d
auto_thaw = 7d
callout_domain_negative_expire = 1h
callout_negative_expire = 1h

# Listen on 25 and 465; port 465 is also listed in tls_on_connect_ports.
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

# Account under which the system filter runs.
system_filter_user = cpaneleximfilter
system_filter_group = cpaneleximfilter

# NOTE(review): the list starts from ALL, names RC4+RSA and MEDIUM explicitly,
# and permanently excludes (with "!") only ADH; LOW, SSLv2 and EXP are removed
# with "-", not "!". If Exim is linked against OpenSSL, check which suites are
# really offered with `openssl ciphers -v '<this string>'`, and consider a
# stricter list that also excludes aNULL, eNULL and RC4.
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

# ACLs run at connect time, at MAIL FROM, and when a session ends without QUIT.
acl_smtp_connect = acl_connect
acl_smtp_mail = acl_mail
acl_smtp_notquit = acl_notquit

# SpamAssassin daemon address and port (loopback only).
spamd_address = 127.0.0.1 783

#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.
# Domains delivered locally, and domains this host will relay for
# (local domains plus the secondary-MX list).
domainlist local_domains = lsearch;/etc/localdomains
domainlist relay_domains = lsearch;/etc/localdomains : \
    lsearch;/etc/secondarymx
# Hosts allowed to relay: entries in /etc/relayhosts plus localhost.
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
# NOTE(review): matches every host. No reference to +auth_relay_hosts is
# visible in this part of the file; confirm whether the list is still used.
hostlist auth_relay_hosts = *

######################################################################
#                  Runtime configuration file for Exim               #
######################################################################


# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
# the Exim ftp sites. The manual is also online via the Exim web sites.

# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.
# NOTE(review): the paragraph above appears to describe the older layout;
# the parts of this file are introduced by "begin <name>" lines.


######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Loads /etc/exim.pl into the embedded Perl interpreter; the ${perl{...}}
# calls used by the ACLs and routers resolve to subroutines from that file.
# NOTE(review): the file is executed inside Exim, so it should be owned by
# root and not writable by anyone else - confirm on the host.
perl_startup = do '/etc/exim.pl'

#dns_retry = 1
#dns_retrans = 1s

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.

# NOTE(review): the greeting discloses the exact Exim version and compile
# number to every connecting client; consider omitting ${version_number}
# and ${compile_number} if that is not wanted.
smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
\#${compile_number} ${tod_full} \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."
#nobody as the sender seems to annoy people
# NOTE(review): "*" lets any local user choose any envelope sender, and
# local_from_check = false switches off the check on the From: header of
# locally submitted mail. On a shared host this makes locally generated mail
# harder to attribute - confirm this is intended.
untrusted_set_sender = *
local_from_check = false

# Short timeout for ident (RFC 1413) callbacks.
rfc1413_query_timeout = 2s

split_spool_directory = yes

# Connection backlog and concurrent-connection ceiling.
smtp_connect_backlog = 50
smtp_accept_max = 100

# primary_hostname =

deliver_queue_load_max = 3

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.ex" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.

#!!# message_filter renamed system_filter
# NOTE(review): no system_filter setting follows the remark above in the
# visible text, although system_filter_user and system_filter_group are set
# earlier in this file - confirm where the filter file is configured.

# Number of message-body characters made available to filters and expansions.
message_body_visible = 5000


# If you want to accept mail addressed to your host's literal IP address, for
# example, mail addressed to "user@[111.111.111.111]", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above.
# local_domains_include_host_literals


# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root


# The use of your host as a mail relay by any host, including the local host
# calling its own SMTP port, is locked out by default. If you want to permit
# relaying from the local host, you should set
#
# host_accept_relay = localhost
#
# If you want to permit relaying through your host from certain hosts or IP
# networks, you need to set the option appropriately, for example
#
#
#
# If you are an MX backup or gateway of some kind for some domains, you must
# set relay_domains to match those domains. This will allow any host to
# relay through your host to those domains.
#
# See the section of the manual entitled "Control of relaying" for more
# information.
#
# NOTE(review): the text above is carried over from the older default file.
# In this configuration relaying is decided by the ACLs (acl_smtp_rcpt =
# check_recipient, the +relay_hosts list and the relay_domains list), so
# treat host_accept_relay as historical and review the ACLs instead.


# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

#host_lookup = 0.0.0.0/0


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
#
# to control sender and receiver addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).
# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
# Uncommenting the first line below will make Exim reject mail from any
# host whose IP address is blacklisted in the RBL at maps.vix.com. Some
# others have followed the RBL lead and have produced other lists: DUL is
# a list of dial-up addresses, and ORBS is a list of open relay systems. The
# second line below checks all three lists.
#
# NOTE(review): both commented lines below are identical in this copy, so the
# "second line" no longer lists three services; the text is historical.

# rbl_domains = rbl.maps.vix.com
# rbl_domains = rbl.maps.vix.com


# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part.

# percent_hack_domains = *

#sender_host_accept = +include_unknown:*
#sender_host_reject = +include_unknown:lsearch*;/etc/spammers

# TLS certificate and private key used for incoming connections.
# NOTE(review): the key file must be readable by the Exim user only; confirm
# ownership and mode of /etc/exim.key on the host.
tls_certificate = /etc/exim.crt
tls_privatekey = /etc/exim.key
# STARTTLS is offered to every host.
tls_advertise_hosts = *

# NOTE(review): "*" accepts syntactically invalid HELO/EHLO names from every
# host, and smtp_enforce_sync = false disables the check that a client waits
# for each response before sending more commands. Both checks are commonly
# used as cheap signals against bulk senders - confirm the relaxation is
# still required.
helo_accept_junk_hosts = *
smtp_enforce_sync = false


#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3       #!!#
#!!# policy control options.                             #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.
begin acl

########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
#
# cPanel Default ACL Template Version: 8.2
# Template: mailman2.dist
#
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################

# acl_mail runs at MAIL FROM (acl_smtp_mail). Statements are evaluated in
# order; the first accept/deny/drop whose conditions all match ends the ACL.
acl_mail:

  # ignore authenticated hosts
  accept
    authenticated = *

  # drop connections to localhost that fail auth (required for Horde)
  drop
    condition = ${if and {{match_ip{$sender_host_address}{+loopback}} \
                         {def:authentication_failed}} \
                         {yes}{no}}
    condition = $authentication_failed
    message = Authentication failed

  # ignore pop before smtp
  # NOTE(review): besides addresses listed in /etc/relayhosts, this accepts
  # every connection from 127.0.0.1 without authentication, so any local
  # process that can reach the loopback port skips the HELO checks below.
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}

  accept
    hosts = +relay_hosts

#BEGIN ACL_MAIL_BLOCK
  # HELO/EHLO sanity checks: a name must be given, must not be this host's
  # own name or interface address, must not be a bare IP, must contain a dot
  # unless it is an address literal, and must not end in or contain an
  # empty label.
  deny
    condition = ${if eq{$sender_helo_name}{}}
    message   = HELO required before MAIL
  drop
    condition = ${if match{$sender_helo_name}{^$primary_hostname\$}}
    message   = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
  drop
    condition = ${if eq{[$interface_address]}{$sender_helo_name}}
    message   = "REJECTED - Interface: $interface_address is _my_ address"
  drop
    condition = ${if isip{$sender_helo_name}}
    message   = Access denied - Invalid HELO name (See RFC2821 4.1.3)
  drop
    # Required because "[IPv6:...]" will have no .s
    condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
    condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
    message   = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
  drop
    condition = ${if match{$sender_helo_name}{\N\.$\N}}
    message   = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
  drop
    condition = ${if match{$sender_helo_name}{\N\.\.\N}}
    message   = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
#END ACL_MAIL_BLOCK

  accept

# acl_connect runs when a client connects (acl_smtp_connect).
acl_connect:

#BEGIN ACL_CONNECT_BLOCK
  accept
    hosts = +trustedmailhosts
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

  # ignore pop before smtp
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
  accept
    hosts = +relay_hosts : +backupmx_hosts

  #only rate limit port 25
  accept
    condition = ${if eq {$interface_port}{25}{no}{yes}}

  # Defers hosts already over 1.2 connections per hour. "noupdate" only reads
  # the counter here; the matching counter without noupdate is in acl_notquit.
  defer
    message = The server has reached its limit for processing requests from your host. Please try again later.
    log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
    ratelimit = 1.2 / 1h / strict / per_conn / noupdate

  drop
    message = Your host is not allowed to connect to this server.
    log_message = Host is banned
    hosts = +spammeripblocks
#END ACL_CONNECT_BLOCK

  # do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
  #acl_smtp_notquit is required for this to work (exim 4.68)
  accept

# acl_notquit runs when a session ends without QUIT (acl_smtp_notquit).
acl_notquit:
#BEGIN ACL_NOTQUIT_BLOCK
  # ignore authenticated hosts
  accept
    authenticated = *

  # ignore pop before smtp
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
  accept
    hosts = +relay_hosts

  #only rate limit port 25
  accept
    condition = ${if eq {$interface_port}{25}{no}{yes}}

  # Counts the connection against the per-host rate only when the reason for
  # the missing QUIT matches "command".
  warn
    condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
    log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
    ratelimit = 1.2 / 1h / strict / per_conn
#END ACL_NOTQUIT_BLOCK


#!!# ACL that is used after the RCPT command
check_recipient:
  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.

#BEGIN ACL_RATELIMIT_BLOCK
  # Log all senders' rates
  warn
    ratelimit = 0 / 1h / strict
    log_message = Sender rate $sender_rate / $sender_rate_period
#END ACL_RATELIMIT_BLOCK

  accept hosts = :

  accept hosts = +skipsmtpcheck_hosts

  # NOTE(review): nothing in this ACL restricts characters such as "/" or a
  # leading "." in $local_part, while the statements below and several routers
  # place $local_part (or a substring of it) in filesystem paths. The stock
  # Exim configuration denies such local parts with
  #   local_parts = ^[.] : ^.*[@%!/|]
  # Confirm whether an equivalent check is applied elsewhere.

  # Accept bounces to lists even if callbacks or other checks would fail
  # NOTE(review): the pattern is not wrapped in \N...\N, so the backslash is
  # presumably consumed by string expansion before the regex is compiled;
  # confirm that "\+" still matches a literal "+" here.
  warn
    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
    condition = \
      ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
      {yes}{no}}

  accept
    condition = \
      ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
      {yes}{no}}

  # Accept bounces to lists even if callbacks or other checks would fail
  # (same test for list directories named <list>_<domain>)
  warn
    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
    condition = \
      ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
      {yes}{no}}

  accept
    condition = \
      ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
      {yes}{no}}

  #if it gets here it isn't mailman

  # deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
  deny hosts = ! +senderverifybypass_hosts
       ! verify = sender

  accept hosts = *
         authenticated = *

  # if they used "pop before smtp" then we just accept
  # NOTE(review): this grants relay to an IP address rather than to a user;
  # clients that share an address (NAT, proxies) inherit the permission while
  # the address remains in /etc/relayhosts. 127.0.0.1 is accepted the same
  # way without authentication.
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
    add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}

  accept
    hosts = +relay_hosts
    add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}{}}

  #recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
  # a clogged outbox in outlook

  #recipient verifications are required for all messages that are not sent to the local machine
  #this was done at multiple users requests
  require verify = recipient

#BEGIN ACL_POST_RECP_VERIFY_BLOCK
  # Once more than four recipients have failed in this session, flag it
  # (acl_m7), count it against the host's connection rate, and drop it.
  warn
    log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
    condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
    set acl_m7 = 1

  warn
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    ratelimit = 0 / 1h / strict / per_conn
    log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"

  drop
    condition = ${if eq {${acl_m7}}{1}{1}{0}}
    message = "Number of failed recipients exceeded. Come back in a few hours."
#END ACL_POST_RECP_VERIFY_BLOCK

#BEGIN ACL_TRUSTEDLIST_BLOCK
  accept
    hosts = +trustedmailhosts
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}
#END ACL_TRUSTEDLIST_BLOCK

  # The only problem with this setup is that if the message is for multiple users on the same server
  # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
  # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.

  # Decide whether check_message should call SpamAssassin: acl_m0 = 1 enables
  # the scan and acl_m1 holds the account name passed to it. Messages larger
  # than 200K are never marked for scanning.
  warn domains = ! ${primary_hostname} : +local_domains
    condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
    set acl_m0 = 1
    set acl_m1 = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}

  warn domains = ${primary_hostname}
    condition = ${if <= {$message_size}{200K}{${if eq {${acl_m0}}{1}{0}{${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/.spamassassinenable}{1}{0}}}}}}}{0}}
    set acl_m0 = 1
    set acl_m1 = $local_part

#BEGIN ACL_POST_SPAM_SCAN_CHECK_BLOCK
  # Research in Motion - Blackberry white list
  # Clears acl_m0, i.e. disables spam scanning, for addresses in the list file.
  warn
    condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
    set acl_m0 = 0
#END ACL_POST_SPAM_SCAN_CHECK_BLOCK

  accept domains = +relay_domains

  # Everything not accepted above is refused as an unauthorised relay attempt.
  deny message = $sender_fullhost is currently not permitted to \
       relay through this server. Perhaps you \
       have not logged into the pop/imap server in the \
       last 30 minutes or do not have SMTP Authentication turned on in your email client.
#!!# ACL that is used after the DATA command
check_message:
  # Enabling this will make the server non-rfc compliant
  # require verify = header_sender

  # NOTE(review): the accepts below end the ACL before the spam scan, so mail
  # from 127.0.0.1, relay hosts, authenticated clients and trusted hosts is
  # never passed to SpamAssassin. A compromised account or local script is
  # therefore not content-checked on the way out - confirm this is intended.
  accept hosts = 127.0.0.1 : +relay_hosts

  accept hosts = *
         authenticated = *

  accept
    hosts = +trustedmailhosts
  accept
    condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/trustedmailhosts}{1}{0}}

#BEGIN ACL_PRE_SPAM_SCAN
  # Research in Motion - Blackberry white list
  accept
    condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
#END ACL_PRE_SPAM_SCAN

  # Runs SpamAssassin as the account stored in acl_m1 when acl_m0 is 1.
  # "defer_ok" lets the message through if the scanner cannot be reached.
  # When the message is classed as spam the headers are added and acl_m2 set.
  warn
    condition = ${if eq {${acl_m0}}{1}{1}{0}}
    spam = ${acl_m1}/defer_ok
    log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
    add_header = X-Spam-Subject: $h_subject
    add_header = X-Spam-Status: Yes, score=$spam_score
    add_header = X-Spam-Score: $spam_score_int
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Spam-Report: $spam_report
    add_header = X-Spam-Flag: YES
    set acl_m2 = 1

  # Passes the sending address and score to the Perl routine store_spam when
  # $spam_score_int is set and lies between 50 and 8000 inclusive.
  warn
    condition = ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}

  # Scan was requested (acl_m0) but the message was not flagged (acl_m2).
  warn
    condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
    add_header = X-Spam-Status: No, score=$spam_score
    add_header = X-Spam-Score: $spam_score_int
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Ham-Report: $spam_report
    add_header = X-Spam-Flag: NO
    log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"

  accept


begin authenticators

# SMTP AUTH is delegated to Dovecot through its auth-client socket.
# server_condition then rejects user names that contain "/" and any user or
# domain listed in /etc/demousers or /etc/demodomains.
#
# NOTE(review): no server_advertise_condition is set on either authenticator,
# so PLAIN and LOGIN are presumably offered on unencrypted port-25 sessions as
# well; both mechanisms send the password base64-encoded, not encrypted.
# Consider advertising them only once TLS is active, for example
#   server_advertise_condition = ${if def:tls_cipher}
# ($tls_in_cipher on newer Exim releases) - TODO confirm client impact.
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
  server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite


#!!#######################################################!!#
#!!# Here follow routers created from the old routers,   #!!#
#!!# for handling non-local domains.                     #!!#
#!!#######################################################!!#

begin routers

#!!# If we are trying to deliver to a remote mailman domain that is on the localhost
#!!# let it go through even if its not in /etc/localdomains since mailman will eat
#!!# up 100% of the cpu if we don't

# Accepts an address when a Mailman list directory named
# <local_part>_<domain> exists. The "::" is a doubled colon because
# require_files is a colon-separated list.
# NOTE(review): $local_part comes from the envelope recipient and becomes part
# of a filesystem path; confirm that local parts containing "/" or starting
# with "." are rejected before routing.
mailman_virtual_router:
  driver = accept
  require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck
  local_part_suffix_optional
  local_part_suffix = -admin : \
                      -bounces : -bounces+* : \
                      -confirm : -confirm+* : \
                      -join : -leave : \
                      -owner : -request : \
                      -subscribe : -unsubscribe
  transport = mailman_virtual_transport

# Same idea for list directories named after the local part alone; only used
# for local domains, and only when the local part contains "_" or is "mailman".
mailman_virtual_router_nodns:
  driver = accept
  require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck
  condition = \
    ${if or {{match{$local_part}{.*_.*}} \
             {eq{$local_part}{mailman}}} \
    {1}{0}}
  local_part_suffix_optional
  local_part_suffix = -admin : \
                      -bounces : -bounces+* : \
                      -confirm : -confirm+* : \
                      -join : -leave : \
                      -owner : -request : \
                      -subscribe : -unsubscribe
  domains = +local_domains
  transport = mailman_virtual_transport_nodns


######################################################################
#                      ROUTERS CONFIGURATION                         #
#            Specifies how remote addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#  A remote address is passed to each in turn until it is accepted.  #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

#
# Demo Safety Router
#
# Fails any message whose originating uid is listed in /etc/demouids.

democheck:
  driver = redirect
  require_files = "+/etc/demouids"
  condition = "${if eq {${lookup {$originator_uid} lsearch {/etc/demouids} {$value}}}{}{false}{true}}"
  allow_fail
  data = :fail: demo accounts are not permitted to relay email


# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.
# NOTE(review): the description above does not match the router that follows.
# boxtrapper_autowhitelist hands a copy ("unseen") of mail from authenticated
# or local senders to the boxtrapper_autowhitelist transport when the Perl
# routine checkbx_autowhitelist returns true; routing then continues.

boxtrapper_autowhitelist:
  driver = accept
  condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{0}}}}}}}}
  require_files = "+/usr/local/cpanel/bin/boxtrapper"
  transport = boxtrapper_autowhitelist
  unseen


#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a useful error
#
# The decision and the resulting data both come from Perl routines
# (checkspam2, checkspam2_results) that are not part of this file.
checkspam2:
  domains = ! +local_domains
  condition = "${perl{checkspam2}}"
  driver = redirect
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
  allow_fail
  data = "${perl{checkspam2_results}}"

#
# Handles nobody and webspam and mail trap checks in checkspam2 and gives a useful error
#
# NOTE(review): the comment above repeats the checkspam2 description; this
# router calls the Perl routines trackbandwidth and trackbandwidth_results
# instead, and is skipped during address verification (verify = false).
trackbandwidth:
  domains = ! +local_domains
  condition = "${perl{trackbandwidth}}"
  driver = redirect
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
  allow_fail
  verify = false
  data = "${perl{trackbandwidth_results}}"


#
# Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys
#
# Used only when a private key file named after the sender's domain exists.
# ignore_target_hosts discards DNS results that point at 0.0.0.0, loopback or
# 64.94.110.0/24, which also stops remote domains from resolving to this host
# itself via 127/8.
# NOTE(review): confirm /var/cpanel/domain_keys/private is readable only by
# the accounts that need it, since it holds signing keys.
dk_lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  #ignore verisign to prevent waste of bandwidth
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  headers_add = "${perl{mailtrapheaders}}"
  transport = dk_remote_smtp


#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
#
lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  #ignore verisign to prevent waste of bandwidth
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
  headers_add = "${perl{mailtrapheaders}}"
  transport = remote_smtp


# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.

#
# Literal Transports .. ignores verisigns sitefinder service
#
literal:
  driver = ipliteral
  domains = ! +local_domains
  headers_add = "${perl{mailtrapheaders}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 64.94.110.0/24
  transport = remote_smtp


#!!# This new router is put here to fail all domains that
#!!# were not in local_domains in the Exim 3 configuration.

#
# Trap Failures to Remote Domain
#
# Last router for non-local domains: anything the routers above did not
# handle is failed with the message below.
fail_remote_domains:
  driver = redirect
  domains = ! +local_domains : ! localhost : ! localhost.localdomain
  allow_fail
  data = ":fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries."


#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains.                         #!!#
#!!#######################################################!!#

######################################################################
#                      DIRECTORS CONFIGURATION                       #
#             Specifies how local addresses are handled              #
######################################################################
#                          ORDER DOES MATTER                         #
#   A local address is passed to each in turn until it is accepted.  #
######################################################################

# Local addresses are those with a domain that matches some item in the
# "local_domains" setting above, or those which are passed back from the
# routers because of a "self=local" setting (not used in this configuration).


# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that those
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.
#spam_filter:
# driver = forwardfile
# file = /etc/spam.filter
# no_check_local_user
# no_verify
# filter
# allow_system_actions

# Rejects mail for a virtual mailbox that is over quota. The account's home
# directory is taken from the passwd entry of the user that owns $domain in
# /etc/userdomains; the quota comes from $home/etc/$domain/quota.
# NOTE(review): $local_part and $domain are passed as arguments to an
# external helper through ${run}. Confirm how this Exim version splits and
# expands ${run} arguments, and that local parts containing spaces or "/"
# cannot reach this router, so that a crafted address cannot add arguments
# or point the file paths elsewhere.
virtual_user_maildir_overquota:
  driver = redirect
  domains = +user_domains
  router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}{$value}}}{$value}}}}
  require_files = $home/etc/$domain
  condition = "${if exists {$home/etc/$domain/quota}{${if > {${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{0}{${if eq {${if exists {$home/mail/$domain/$local_part/maildirsize}{1}{0}}}{0}{${if > {${run {/usr/local/cpanel/bin/eximwrap GETDISKUSED $local_part $domain}}}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}{0}}}{true}{false}}}{${perl{checkuserquota}{$domain}{$local_part}{$message_size}{${lookup{$local_part}lsearch{$home/etc/$domain/quota}{$value}}}{$home/mail/$domain/$local_part/maildirsize}}}}}{false}}}{false}}"
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  data = :fail:Mailbox quota exceeded
  allow_fail

#
# Account level filtering for everything but the main account
#
# Runs the filter file /etc/vfilters/<domain> as the account that owns the
# domain. Filters may deliver to files, directories, pipes and auto-replies
# through the transports named here.
# NOTE(review): allow_filter lets the filter file start commands through
# pipe_transport; confirm /etc/vfilters is writable only by trusted tooling.
central_filter:
  driver = redirect
  allow_filter
  no_check_local_user
  file = /etc/vfilters/${domain}
  file_transport = address_file
  directory_transport = address_directory
  domains = +user_domains
  pipe_transport = virtual_address_pipe
  reply_transport = address_reply
  router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  allow_fail
  no_verify

#
# Account level filtering for the main account
#
# checks /etc/vfilters/maindomain if its a localuser (ie main acct)
#
mainacct_central_user_filter:
  driver = redirect
  allow_filter
  allow_fail
  check_local_user
  domains = ! +user_domains
  condition = ${if eq {${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{}{0}{${if exists {/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}}{1}{0}}}}
  file = "/etc/vfilters/${lookup{$local_part}lsearch{/etc/domainusers}{$value}}"
  directory_transport = address_directory
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  retry_use_local_part
  no_verify

#
# User Level Filtering for the main account
#
# Uses <home>/etc/filter of the local user. In require_files the extract
# separator is written "::" because that option is a colon-separated list.
central_user_filter:
  driver = redirect
  allow_filter
  allow_fail
  check_local_user
  domains = ! +user_domains
  file = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
  require_files = "+${extract{5}{::}{${lookup passwd{$local_part}{$value}}}}/etc/filter"
  router_home_directory = ${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}
  directory_transport = address_directory
  file_transport = address_file
  pipe_transport = virtual_address_pipe
  reply_transport = address_reply
  retry_use_local_part
  no_verify

#
# User Level Filtering for virtual users
#
# NOTE(review): the filter path contains both $domain and $local_part taken
# from the recipient address; confirm that local parts with "/" or a leading
# "." are refused before this router is reached.
virtual_user_filter:
  driver = redirect
  allow_filter
  allow_fail
  no_check_local_user
  domains = +user_domains
  require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
  file = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/filter"
  router_home_directory = ${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}
  directory_transport = address_directory
  file_transport = address_file
  pipe_transport = virtual_address_pipe
  reply_transport = address_reply
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  no_verify

# Exact-address aliases from /etc/valiases/<domain>. "unseen" lets the
# address continue to the following routers after this one has handled it.
virtual_aliases_nostar:
  driver = redirect
  allow_defer
  allow_fail
  require_files = "+/etc/valiases/$domain"
  data = ${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part
  unseen

#
# Virtual User Spam Boxes
#
# Delivers to the spam folder when the account has .spamassassinboxenable,
# the mailbox exists in the domain's passwd file, and the message carries an
# X-Spam-Status header that starts with "Yes".
virtual_user_spam:
  driver = accept
  domains = +user_domains
  require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.spamassassinboxenable:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
  condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{}{false}{${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}}}
  headers_remove="x-spam-exim"
  transport = virtual_userdelivery_spam

# BoxTrapper delivery for virtual mailboxes that have .boxtrapperenable.
virtual_boxtrapper_user:
  driver = accept
  domains = +user_domains
  require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
  condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/$local_part/.boxtrapperenable} {true} {false}}}}
  retry_use_local_part
  transport = virtual_boxtrapper_userdelivery

# Normal delivery for a virtual mailbox listed in the domain's passwd file.
virtual_user:
  driver = accept
  headers_remove="x-spam-exim"
  domains = +user_domains
  require_files = "+${extract{5}{::}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd"
  condition = ${if eq {${lookup {$local_part} lsearch {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/$domain/passwd}}}{} {false}{true}}
  transport = virtual_userdelivery

# When the Perl routine checkvalias returns true, the message is discarded
# by an inline filter ("seen finish") and logging for this router is off.
# NOTE(review): disable_logging hides these discards from the mail log;
# confirm that silent loss is acceptable for troubleshooting and audit.
has_alias_but_no_mailbox_discarded_to_prevent_loop:
  driver = redirect
  require_files = "+/etc/valiases/$domain"
  domains = +user_domains
  condition = "${perl{checkvalias}{$domain}{$local_part}}"
  data="#Exim Filter\nseen finish"
  group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  allow_filter
  disable_logging = true

# Domain-level alias: rewrites local_part@domain to local_part@<target>
# using /etc/vdomainaliases/<domain>.
valias_domain_file:
  driver = redirect
  allow_defer
  allow_fail
  require_files = +/etc/vdomainaliases/$domain
  condition = ${lookup {$domain} lsearch {/etc/vdomainaliases/$domain}{yes}{no} }
  data = $local_part@${lookup {$domain} lsearch {/etc/vdomainaliases/$domain} }

# Catch-all ("*") entry from /etc/valiases/<domain>.
virtual_aliases:
  driver = redirect
  allow_defer
  allow_fail
  require_files = "+/etc/valiases/$domain"
  data = ${lookup{*}lsearch{/etc/valiases/$domain}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe


# This director handles forwarding using traditional .forward files.
# If you want it also to allow mail filtering when a forward file
# starts with the string "# Exim filter", uncomment the "filter" option.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A. The three transports specified at the
# end are those that are used when forwarding generates a direct delivery
# to a file, or to a pipe, or sets up an auto-reply, respectively.
#
# NOTE(review): the paragraph above describes the userforward router further
# down, not the system_aliases router that immediately follows it.

# NOTE(review): no user or group is set on this router; whether pipe and
# file deliveries from /etc/aliases get one depends on the address_pipe and
# address_file transports, which are outside this part of the file.
system_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  retry_use_local_part
  # user = exim

local_aliases:
  driver = redirect
  allow_defer
  allow_fail
  data = ${lookup{$local_part}lsearch{/etc/localaliases}}
  file_transport = address_file
  pipe_transport = address_pipe
  check_local_user

# Per-user $home/.forward; allow_filter lets the file be an Exim filter.
userforward:
  driver = redirect
  allow_filter
  check_ancestor
  check_local_user
  domains = ! +user_domains
  no_expn
  file = $home/.forward
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  directory_transport = address_directory
  no_verify

#
# Optimized spambox router
#
localuser_spam:
  driver = accept
  headers_remove="x-spam-exim"
  domains = ! +user_domains
  require_files = "+$home/.spamassassinboxenable"
  condition = ${if match{$h_X-Spam-Status:}{\N^Yes\N}{true}{false}}
  check_local_user
  transport = local_delivery_spam

boxtrapper_localuser:
  driver = accept
  require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
  check_local_user
  domains = ! +user_domains
  transport = local_boxtrapper_delivery

localuser:
  driver = accept
  headers_remove="x-spam-exim"
  check_local_user
  domains = ! +user_domains
  transport = local_delivery

# This director matches local user mailboxes.


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a director or a router that
# successfully handles an address.


# This transport is used for delivering messages over SMTP connections.
begin transports

# Outbound SMTP. When /etc/mailips exists, the sending interface is looked up
# by the envelope sender's domain, and an empty result leaves the interface
# unset. helo_data is looked up the same way in /etc/mailhelo and falls back
# to $primary_hostname.
# NOTE(review): no TLS or authentication options are set on this transport,
# so outbound sessions use whatever this Exim build defaults to. See
# hosts_require_tls / tls_verify_certificates if encryption has to be
# enforced for particular destinations.
remote_smtp:
  driver = smtp
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}

# Same as remote_smtp, plus signing with a per-domain private key.
# NOTE(review): the dk_* options belong to the legacy DomainKeys support.
# Later Exim releases sign with DKIM instead (dkim_domain, dkim_selector,
# dkim_private_key), so this transport needs porting before reuse. The key
# directory should be readable only by the account Exim signs as.
dk_remote_smtp:
  driver = smtp
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  dk_selector = default
  dk_canon = nofws
  dk_private_key = "/var/cpanel/domain_keys/private/${dk_domain}"

# The transport that follows (local_delivery) is used for local delivery to
# user mailboxes. It runs under the uid and gid of the local user and writes
# to a maildir below that user's home directory.
# Maildir delivery for a local system user. The home directory (field 5) and
# gid (field 3) are taken from the passwd lookup for $local_part.
# mode = 0660 makes delivered files readable and writable by the owning group
# as well as the user.
# maildir_quota_directory_regex counts cur, new and every dot-folder other
# than .Trash toward quota.
# shadow_condition: when a marker file named after the local part exists
# under .cpanel/rim/bis in the domain owner's home, a copy is also handed to
# the notifier transport below.
local_delivery:
  driver = appendfile
  user = $local_part
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  mode = 0660
  directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail"
  maildir_format
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  delivery_date_add
  envelope_to_add
  return_path_add
  shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part}{1}{0}}
  shadow_transport = rim_bis_notifier_local_user

# Pipes the message headers only to the notifier helper, running as the
# local user.
# NOTE(review): use_shell is not set, so the local part is handed to the
# helper as a single argument rather than through a shell; keep it that way.
# The helper starts with /tmp, a world-writable directory, as its working
# directory, so it should not open files by relative path.
rim_bis_notifier_local_user:
  driver = pipe
  command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}"
  user = $local_part
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  current_directory = "/tmp"
  headers_only
  log_output = true
  return_fail_output = true
  return_path_add = false

# Same as local_delivery, but into the .spam folder and without the shadow
# notifier.
local_delivery_spam:
  driver = appendfile
  user = $local_part
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  mode = 0660
  directory = "${extract{5}{:}{${lookup passwd{$local_part}{$value}}}}/mail/.spam"
  maildir_format
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  delivery_date_add
  envelope_to_add
  return_path_add

# The address_pipe transport is used for handling pipe deliveries generated
# by alias or .forward files. If the pipe generates any standard output, it
# is returned to the sender of the message as a delivery error. Set
# return_fail_output instead of return_output if you want this to happen only
# when the pipe fails to complete normally. You can set different transports
# for aliases and forwards if you want to - see the references to
# address_pipe in the routers.
# Maildir delivery to a directory produced by forwarding (referenced as
# directory_transport by the userforward router).
address_directory:
  driver = appendfile
  mode = 0660
  maildir_format
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  delivery_date_add
  envelope_to_add
  return_path_add

# Pipe deliveries generated by alias or .forward files. Anything the command
# writes to standard output is returned to the sender.
address_pipe:
  driver = pipe
  return_output

# Pipe deliveries for virtual addresses. user and group are both set from
# the /etc/userdomains entry for the recipient domain.
virtual_address_pipe:
  driver = pipe
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  return_output

# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

# Maildir delivery into a virtual mailbox's .spam folder, below
# <account home>/mail/<domain>/<local part>. The quota comes from the
# domain's quota file when that file exists.
# NOTE(review): ${domain} and ${local_part} come from the recipient address
# and are placed straight into directory paths. Exim 4.94 and later refuse
# such tainted values in file names; use de-tainted equivalents (for example
# $domain_data / $local_part_data) before reusing this on a current Exim.
virtual_userdelivery_spam:
  driver = appendfile
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  mode = 0660
  directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}/.spam"
  maildir_format
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
  quota_is_inclusive = false
  quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  delivery_date_add
  envelope_to_add
  return_path_add

# The three BoxTrapper transports and the notifier below are pipe transports
# without use_shell, so each expanded value reaches the helper as a single
# argument rather than through a shell.
# NOTE(review): they all start the helper with /tmp, a world-writable
# directory, as its working directory, so the helpers should not open files
# by relative path.

# Runs as the account that the Perl subroutine getemailuser (defined outside
# this section) returns for the authenticated sender.
boxtrapper_autowhitelist:
  driver = pipe
  command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${authenticated_id}"
  user = ${perl{getemailuser}{$authenticated_id}}
  group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}}}{$value}}}}
  current_directory = "/tmp"
  headers_only
  log_output = true
  return_fail_output = true
  return_path_add = false

# BoxTrapper for a local system user.
local_boxtrapper_delivery:
  driver = pipe
  command = /usr/local/cpanel/bin/boxtrapper "${local_part}" $home
  user = $local_part
  group = ${extract{3}{:}{${lookup passwd{$local_part}{$value}}}}
  current_directory = "/tmp"
  log_output = true
  return_fail_output = true
  return_path_add = false

# BoxTrapper for a virtual mailbox, run as the domain's owning account.
virtual_boxtrapper_userdelivery:
  driver = pipe
  command = /usr/local/cpanel/bin/boxtrapper "${local_part}@${domain}" $home
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  current_directory = "/tmp"
  log_output = true
  return_fail_output = true
  return_path_add = false

# Maildir delivery into a virtual mailbox. Same layout and quota handling as
# virtual_userdelivery_spam, plus a shadow copy to the notifier when a marker
# file for the address exists under .cpanel/rim/bis in the account home.
virtual_userdelivery:
  driver = appendfile
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  mode = 0660
  directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  maildir_format
  maildir_use_size_file
  maildir_quota_directory_regex = ^(?:cur|new|\.(?!Trash$)[^\@]+)$
  maildir_tag = ,S=$message_size
  quota_size_regex = ,S=(\d+)
  quota = "${if exists{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota} {${lookup{$local_part}lsearch*{${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/etc/${domain}/quota}{$value}}} {}}"
  quota_is_inclusive = false
  quota_directory = "${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/mail/${domain}/${local_part}"
  delivery_date_add
  envelope_to_add
  return_path_add
  shadow_condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}{$value}}}}/.cpanel/rim/bis/$local_part@$domain}{1}{0}}
  shadow_transport = rim_bis_notifier_virtual_user

# Pipes the message headers only to the notifier helper, as the domain's
# owning account.
rim_bis_notifier_virtual_user:
  driver = pipe
  command = /usr/local/cpanel/bin/rim_bis_notifier "${local_part}@${domain}"
  user = "${lookup{$domain}lsearch* {/etc/userdomains}{$value}}"
  group = ${extract{3}{:}{${lookup passwd{${lookup{$domain}lsearch* {/etc/userdomains}{$value}}}{$value}}}}
  current_directory = "/tmp"
  headers_only
  log_output = true
  return_fail_output = true
  return_path_add = false

# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.
address_reply:
  driver = autoreply

# Hands the message to Mailman as user and group mailman. The first argument
# is taken from $local_part_suffix when one is set and is "post" otherwise.
# The second is the lower-cased <local part>_<domain>.
# NOTE(review): both arguments are derived from the recipient address. The
# router that selects this transport is not visible here; presumably it only
# matches existing lists - verify.
mailman_virtual_transport:
  driver = pipe
  command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                  {post}}' \
            ${lc:$local_part}_${lc:$domain}
  user = mailman
  group = mailman
  current_directory = /usr/local/cpanel/3rdparty/mailman
  home_directory = /usr/local/cpanel/3rdparty/mailman

# As above, but the second argument is the lower-cased local part alone.
mailman_virtual_transport_nodns:
  driver = pipe
  command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                  {post}}' \
            ${lc:$local_part}
  user = mailman
  group = mailman
  current_directory = /usr/local/cpanel/3rdparty/mailman
  home_directory = /usr/local/cpanel/3rdparty/mailman

######################################################################
#                        RETRY CONFIGURATION                         #
######################################################################

# The last rule applies to all domains and all errors. It specifies retries
# every 15 minutes for 2 hours, then increasing retry intervals, starting at
# 1 hour and increasing each time by a factor of 1.5, up to 16 hours, then
# retries every 8 hours until 4 days have passed since the first failed
# delivery.
# The quota rule ahead of it carries no retry parameters.
# NOTE(review): per the Exim spec a rule without parameters means matching
# addresses are not retried - confirm that is intended for over-quota
# mailboxes.

begin retry

# Domain               Error       Retries
# ------               -----       -------
*                      quota
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h

# End of Exim 4 configuration