Advertisement
MinasFilm

exim

Dec 28th, 2013
773
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 82.01 KB | None | 0 0
  1. #####################################################
  2. ### main/01_exim4-config_listmacrosdefs
  3. #####################################################
  4. ######################################################################
  5. # Runtime configuration file for Exim 4 (Debian Packaging) #
  6. ######################################################################
  7.  
  8. ######################################################################
  9. # /etc/exim4/exim4.conf.template is only used with the non-split
  10. # configuration scheme.
  11. # /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
  12. # with the split configuration scheme.
  13. # If you find this comment anywhere else, somebody copied it there.
  14. # Documentation about the Debian exim4 configuration scheme can be
  15. # found in /usr/share/doc/exim4-base/README.Debian.gz.
  16. ######################################################################
  17.  
  18. ######################################################################
  19. # MAIN CONFIGURATION SETTINGS #
  20. ######################################################################
  21.  
  22. # Just for reference and scripts.
  23. # On Debian systems, the main binary is installed as exim4 to avoid
  24. # conflicts with the exim 3 packages.
  25. exim_path = /usr/sbin/exim4
  26.  
  27. # Macro defining the main configuration directory.
  28. # We do not use absolute paths.
  29. .ifndef CONFDIR
  30. CONFDIR = /etc/exim4
  31. .endif
  32.  
  33. # debconf-driven macro definitions get inserted after this line
  34. UPEX4CmacrosUPEX4C = 1
  35.  
  36.  
  37. hide mysql_servers = localhost/exim/sqlmail/пароль
  38.  
  39. # Create domain and host lists for relay control
  40. # '@' refers to 'the name of the local host'
  41.  
  42. # List of domains considered local for exim. Domains not listed here
  43. # need to be deliverable remotely.
  44. domainlist local_domains = ${lookup mysql{SELECT domain FROM domains \
  45. WHERE domain='${domain}' AND \
  46. (type='LOCAL' OR type='VIRTUAL')}}
  47.  
  48. # List of recipient domains to relay _to_. Use this list if you're -
  49. # for example - fallback MX or mail gateway for domains.
  50. domainlist relay_to_domains = ${lookup mysql{SELECT domain FROM domains \
  51. WHERE domain='${domain}' AND type='RELAY'}}
  52.  
  53. # List of sender networks (IP addresses) to _unconditionally_ relay
  54. # _for_. If you intend to be SMTP AUTH server, you do not need to enter
  55. # anything here.
  56. hostlist relay_from_hosts = 127.0.0.1 : 192.168.10.0/24
  57. auth_advertise_hosts = *
  58.  
  59. daemon_smtp_ports = 25 : 465
  60. tls_on_connect_ports = 465
  61.  
  62.  
  63. # Decide which domain to use to add to all unqualified addresses.
  64. # If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
  65. # hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
  66. # of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
  67. # the first line of /etc/mailname is used.
  68. .ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
  69. .ifndef MAIN_QUALIFY_DOMAIN
  70. qualify_domain = meniac.ua
  71. .else
  72. qualify_domain = MAIN_QUALIFY_DOMAIN
  73. .endif
  74. .endif
  75.  
  76. # listen on all all interfaces?
  77. .ifdef MAIN_LOCAL_INTERFACES
  78. local_interfaces = MAIN_LOCAL_INTERFACES
  79. .endif
  80.  
  81. .ifndef LOCAL_DELIVERY
  82. # The default transport, set in /etc/exim4/update-exim4.conf.conf,
  83. # defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
  84. LOCAL_DELIVERY=mail_spool
  85. .endif
  86.  
  87. # The gecos field in /etc/passwd holds not only the name. see passwd(5).
  88. gecos_pattern = ^([^,:]*)
  89. gecos_name = $1
  90.  
  91. # define macros to be used in acl/30_exim4-config_check_rcpt to check
  92. # recipient local parts for strange characters.
  93.  
  94. # This macro definition really should be in
  95. # acl/30_exim4-config_check_rcpt but cannot be there due to
  96. # http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
  97.  
  98. # These macros are documented in acl/30_exim4-config_check_rcpt,
  99. # can be changed here or overridden by a locally added configuration
  100. # file as described in README.Debian chapter 2.1.2
  101.  
  102. .ifndef CHECK_RCPT_LOCAL_LOCALPARTS
  103. CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  104. .endif
  105.  
  106. .ifndef CHECK_RCPT_REMOTE_LOCALPARTS
  107. CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  108. .endif
  109.  
  110. # always log tls_peerdn as we use TLS for outgoing connects by default
  111. .ifndef MAIN_LOG_SELECTOR
  112. MAIN_LOG_SELECTOR = +tls_peerdn \
  113. +all_parents \
  114. +lost_incoming_connection \
  115. +received_sender \
  116. +received_recipients \
  117. +smtp_confirmation \
  118. +smtp_syntax_error \
  119. +smtp_protocol_error \
  120. -queue_run
  121. .endif
  122.  
  123. #####################################################
  124. ### end main/01_exim4-config_listmacrosdefs
  125. #####################################################
  126. #####################################################
  127. ### main/02_exim4-config_options
  128. #####################################################
  129.  
  130. ### main/02_exim4-config_options
  131. #################################
  132.  
  133.  
  134. # Defines the access control list that is run when an
  135. # SMTP MAIL command is received.
  136. #
  137. .ifndef MAIN_ACL_CHECK_MAIL
  138. MAIN_ACL_CHECK_MAIL = acl_check_mail
  139. .endif
  140. acl_smtp_mail = MAIN_ACL_CHECK_MAIL
  141.  
  142.  
  143. # Defines the access control list that is run when an
  144. # SMTP RCPT command is received.
  145. #
  146. .ifndef MAIN_ACL_CHECK_RCPT
  147. MAIN_ACL_CHECK_RCPT = acl_check_rcpt
  148. .endif
  149. acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT
  150.  
  151. acl_smtp_mime = acl_check_mime
  152.  
  153.  
  154. # Defines the access control list that is run when an
  155. # SMTP DATA command is received.
  156. #
  157. .ifndef MAIN_ACL_CHECK_DATA
  158. MAIN_ACL_CHECK_DATA = acl_check_data
  159. .endif
  160. acl_smtp_data = MAIN_ACL_CHECK_DATA
  161.  
  162.  
  163. acl_smtp_connect = acl_check_connect
  164.  
  165.  
  166. # Message size limit. The default (used when MESSAGE_SIZE_LIMIT
  167. # is unset) is 50 MB
  168. MESSAGE_SIZE_LIMIT = 25M
  169. .ifdef MESSAGE_SIZE_LIMIT
  170. message_size_limit = MESSAGE_SIZE_LIMIT
  171. .endif
  172.  
  173. smtp_accept_max = 100
  174. smtp_accept_max_per_connection = 5
  175. smtp_accept_max_per_host = 2
  176. split_spool_directory = true
  177.  
  178. remote_max_parallel = 15
  179.  
  180. # If you are running exim4-daemon-heavy or a custom version of Exim that
  181. # was compiled with the content-scanning extension, you can cause incoming
  182. # messages to be automatically scanned for viruses. You have to modify the
  183. # configuration in two places to set this up. The first of them is here,
  184. # where you define the interface to your scanner. This example is typical
  185. # for ClamAV; see the manual for details of what to set for other virus
  186. # scanners. The second modification is in the acl_check_data access
  187. # control list.
  188.  
  189. # av_scanner = clamd:/var/run/clamav/clamd.ctl
  190.  
  191.  
  192. # For spam scanning, there is a similar option that defines the interface to
  193. # SpamAssassin. You do not need to set this if you are using the default, which
  194. # is shown in this commented example. As for virus scanning, you must also
  195. # modify the acl_check_data access control list to enable spam scanning.
  196.  
  197. # spamd_address = 127.0.0.1 783
  198.  
  199. # Domain used to qualify unqualified recipient addresses
  200. # If this option is not set, the qualify_domain value is used.
  201. # qualify_recipient = <value of qualify_domain>
  202.  
  203.  
  204. # Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
  205. # where the domain part is a "domain literal" (an IP address) instead
  206. # of a named domain. The RFCs require this facility, but it is disabled
  207. # in the default config since it is seldomly used and frequently abused.
  208. # Domain literal support also needs a special router, which is automatically
  209. # enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
  210. # Additionally, you might want to make your local IP addresses (or @[])
  211. # local domains.
  212. ##.ifdef MAIN_ALLOW_DOMAIN_LITERALS
  213. ##allow_domain_literals
  214. ##.endif
  215. allow_domain_literals=false
  216. never_users = root
  217.  
  218. # Do a reverse DNS lookup on all incoming IP calls, in order to get the
  219. # true host name. If you feel this is too expensive, the networks for
  220. # which a lookup is done can be listed here.
  221. .ifndef DC_minimaldns
  222. .ifndef MAIN_HOST_LOOKUP
  223. MAIN_HOST_LOOKUP = *
  224. .endif
  225. host_lookup = MAIN_HOST_LOOKUP
  226. .endif
  227.  
  228. rfc1413_hosts = *
  229. rfc1413_query_timeout = 0s
  230.  
  231. # In a minimaldns setup, update-exim4.conf guesses the hostname and
  232. # dumps it here to avoid DNS lookups being done at Exim run time.
  233. #.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
  234. primary_hostname = meniac.ua
  235. #.endif
  236.  
  237. # The settings below, which are actually the same as the defaults in the
  238. # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
  239. # calls. You can limit the hosts to which these calls are made, and/or change
  240. # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
  241. # are disabled. RFC 1413 calls are cheap and can provide useful information
  242. # for tracing problem messages, but some hosts and firewalls are
  243. # misconfigured to drop the requests instead of either answering or
  244. # rejecting them. This can result in a timeout instead of an immediate refused
  245. # connection, leading to delays on starting up SMTP sessions. (The default was
  246. # reduced from 30s to 5s for release 4.61.)
  247. # rfc1413_hosts = *
  248. # rfc1413_query_timeout = 5s
  249.  
  250. # When using an external relay tester (such as rt.njabl.org and/or the
  251. # currently defunct relay-test.mail-abuse.org, the test may be aborted
  252. # since exim complains about "too many nonmail commands". If you want
  253. # the test to complete, add the host from where "your" relay tester
  254. # connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
  255. # Please note that a non-empty setting may cause extra DNS lookups to
  256. # happen, which is the reason why this option is commented out in the
  257. # default settings.
  258. # MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
  259. .ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
  260. smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
  261. .endif
  262.  
  263. # By default, exim forces a Sender: header containing the local
  264. # account name at the local host name in all locally submitted messages
  265. # that don't have the local account name at the local host name in the
  266. # From: header, deletes any Sender: header present in the submitted
  267. # message and forces the envelope sender of all locally submitted
  268. # messages to the local account name at the local host name.
  269. # The following settings allow local users to specify their own envelope sender
  270. # in a locally submitted message. Sender: headers existing in a locally
  271. # submitted message are not removed, and no automatic Sender: headers
  272. # are added. These settings are fine for most hosts.
  273. # If you run exim on a classical multi-user systems where all users
  274. # have local mailboxes that can be reached via SMTP from the Internet
  275. # with the local FQDN as the domain part of the address, you might want
  276. # to disable the following three lines for traceability reasons.
  277. .ifndef MAIN_FORCE_SENDER
  278. local_from_check = false
  279. local_sender_retain = true
  280. untrusted_set_sender = *
  281. .endif
  282.  
  283.  
  284. # By default, Exim expects all envelope addresses to be fully qualified, that
  285. # is, they must contain both a local part and a domain. Configure exim
  286. # to accept unqualified addresses from certain hosts. When this is done,
  287. # unqualified addresses are qualified using the settings of qualify_domain
  288. # and/or qualify_recipient (see above).
  289. # sender_unqualified_hosts = <unset>
  290. # recipient_unqualified_hosts = <unset>
  291.  
  292.  
  293. # Configure Exim to support the "percent hack" for certain domains.
  294. # The "percent hack" is the feature by which mail addressed to x%y@z
  295. # (where z is one of the domains listed) is locally rerouted to x@y
  296. # and sent on. If z is not one of the "percent hack" domains, x%y is
  297. # treated as an ordinary local part. The percent hack is rarely needed
  298. # nowadays but frequently abused. You should not enable it unless you
  299. # are sure that you really need it.
  300. # percent_hack_domains = <unset>
  301.  
  302.  
  303. # Bounce handling
  304. .ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
  305. MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 30m
  306. .endif
  307. ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER
  308.  
  309. .ifndef MAIN_TIMEOUT_FROZEN_AFTER
  310. MAIN_TIMEOUT_FROZEN_AFTER = 3d
  311. .endif
  312. timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER
  313.  
  314. .ifndef MAIN_FREEZE_TELL
  315. MAIN_FREEZE_TELL = postmaster
  316. .endif
  317. freeze_tell = MAIN_FREEZE_TELL
  318.  
  319.  
  320. # Define spool directory
  321. .ifndef SPOOLDIR
  322. SPOOLDIR = /var/spool/exim4
  323. .endif
  324. spool_directory = SPOOLDIR
  325.  
  326.  
  327. # trusted users can set envelope-from to arbitrary values
  328. .ifndef MAIN_TRUSTED_USERS
  329. MAIN_TRUSTED_USERS = uucp
  330. .endif
  331. trusted_users = MAIN_TRUSTED_USERS
  332. .ifdef MAIN_TRUSTED_GROUPS
  333. trusted_groups = MAIN_TRUSTED_GROUPS
  334. .endif
  335.  
  336.  
  337. # users in admin group can do many other things
  338. # admin_groups = <unset>
  339.  
  340.  
  341. # SMTP Banner. The example includes the Debian version in the SMTP dialog
  342. # MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
  343. # smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
  344. smtp_banner = "Welcome on our mail server!\n\
  345. This system does not accept Unsolicited \
  346. Commercial Email\nand will blacklist \
  347. offenders via our spam processor.\nHave a \
  348. nice day!\n\n${primary_hostname} ESMTP"
  349.  
  350. #####################################################
  351. ### end main/02_exim4-config_options
  352. #####################################################
  353. #####################################################
  354. ### main/03_exim4-config_tlsoptions
  355. #####################################################
  356.  
  357. ### main/03_exim4-config_tlsoptions
  358. #################################
  359.  
  360. # TLS/SSL configuration for exim as an SMTP server.
  361. # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
  362.  
  363. MAIN_TLS_ENABLE = 1
  364.  
  365. .ifdef MAIN_TLS_ENABLE
  366. # Defines what hosts to 'advertise' STARTTLS functionality to. The
  367. # default, *, will advertise to all hosts that connect with EHLO.
  368. .ifndef MAIN_TLS_ADVERTISE_HOSTS
  369. MAIN_TLS_ADVERTISE_HOSTS = *
  370. .endif
  371. tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
  372.  
  373.  
  374. # Full paths to Certificate and Private Key. The Private Key file
  375. # must be kept 'secret' and should be owned by root.Debian-exim mode
  376. # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
  377. # Normally, exim4 looks for certificate and key in different files:
  378. # MAIN_TLS_CERTIFICATE - path to certificate file,
  379. # CONFDIR/exim.crt if unset
  380. # MAIN_TLS_PRIVATEKEY - path to private key file
  381. # CONFDIR/exim.key if unset
  382. # You can also configure exim to look for certificate and key in the
  383. # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
  384. # precedence over all other settings regarding certificate and key file.
  385. .ifdef MAIN_TLS_CERTKEY
  386. tls_certificate = MAIN_TLS_CERTKEY
  387. .else
  388. .ifndef MAIN_TLS_CERTIFICATE
  389. MAIN_TLS_CERTIFICATE = /etc/ssl/certs/mail.pem
  390. .endif
  391. tls_certificate = MAIN_TLS_CERTIFICATE
  392.  
  393. .ifndef MAIN_TLS_PRIVATEKEY
  394. MAIN_TLS_PRIVATEKEY = /etc/ssl/certs/mail.pem
  395. .endif
  396. tls_privatekey = MAIN_TLS_PRIVATEKEY
  397. .endif
  398.  
  399. # Pointer to the CA Certificates against which client certificates are
  400. # checked. This is controlled by the `tls_verify_hosts' and
  401. # `tls_try_verify_hosts' lists below.
  402. # If you want to check server certificates, you need to add an
  403. # tls_verify_certificates statement to the smtp transport.
  404. # /etc/ssl/certs/ca-certificates.crt is generated by
  405. # the "ca-certificates" package's update-ca-certificates(8) command.
  406. .ifndef MAIN_TLS_VERIFY_CERTIFICATES
  407. MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
  408. {/etc/ssl/certs/ca-certificates.crt}\
  409. {/dev/null}}
  410. .endif
  411. tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
  412.  
  413.  
  414. # A list of hosts which are constrained by `tls_verify_certificates'. A host
  415. # that matches `tls_verify_host' must present a certificate that is
  416. # verifyable through `tls_verify_certificates' in order to be accepted as an
  417. # SMTP client. If it does not, the connection is aborted.
  418. .ifdef MAIN_TLS_VERIFY_HOSTS
  419. tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
  420. .endif
  421.  
  422. # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
  423. # not `tls_verify_hosts'), request a certificate and check it against
  424. # `tls_verify_certificates' but do not abort the connection if there is no
  425. # certificate or if the certificate presented does not match. (This
  426. # condition can be tested for in ACLs through `verify = certificate')
  427. # By default, this check is done for all hosts. It is known that some
  428. # clients (including incredimail's version downloadable in February
  429. # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
  430. # empty value.
  431. .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
  432. tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
  433. .endif
  434.  
  435. .endif
  436. #####################################################
  437. ### end main/03_exim4-config_tlsoptions
  438. #####################################################
  439. #####################################################
  440. ### main/90_exim4-config_log_selector
  441. #####################################################
  442.  
  443. ### main/90_exim4-config_log_selector
  444. #################################
  445.  
  446. # uncomment this for debugging
  447. # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
  448.  
  449. .ifdef MAIN_LOG_SELECTOR
  450. log_selector = MAIN_LOG_SELECTOR
  451. .endif
  452. #####################################################
  453. ### end main/90_exim4-config_log_selector
  454. #####################################################
  455. #####################################################
  456. ### acl/00_exim4-config_header
  457. #####################################################
  458.  
  459. ######################################################################
  460. # ACL CONFIGURATION #
  461. # Specifies access control lists for incoming SMTP mail #
  462. ######################################################################
  463. begin acl
  464.  
  465.  
  466. #####################################################
  467. ### end acl/00_exim4-config_header
  468. #####################################################
  469. #####################################################
  470. ### acl/20_exim4-config_local_deny_exceptions
  471. #####################################################
  472.  
  473. ### acl/20_exim4-config_local_deny_exceptions
  474. #################################
  475.  
  476. # This is used to determine whitelisted senders and hosts.
  477. # It checks for CONFDIR/host_local_deny_exceptions and
  478. # CONFDIR/sender_local_deny_exceptions.
  479. #
  480. # It is meant to be used from some other acl entry.
  481. #
  482. # See exim4-config_files(5) for details.
  483. #
  484. # If the files do not exist, the white list never matches, which is
  485. # the desired behaviour.
  486. #
  487. # The old file names CONFDIR/local_host_whitelist and
  488. # CONFDIR/local_sender_whitelist will continue to be honored for a
  489. # transition period. Their use is deprecated.
  490.  
  491. acl_local_deny_exceptions:
  492. accept
  493. hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
  494. {CONFDIR/host_local_deny_exceptions}\
  495. {}}
  496. accept
  497. senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
  498. {CONFDIR/sender_local_deny_exceptions}\
  499. {}}
  500. accept
  501. hosts = ${if exists{CONFDIR/local_host_whitelist}\
  502. {CONFDIR/local_host_whitelist}\
  503. {}}
  504. accept
  505. senders = ${if exists{CONFDIR/local_sender_whitelist}\
  506. {CONFDIR/local_sender_whitelist}\
  507. {}}
  508.  
  509. # This hook allows you to hook in your own ACLs without having to
  510. # modify this file. If you do it like we suggest, you'll end up with
  511. # a small performance penalty since there is an additional file being
  512. # accessed. This doesn't happen if you leave the macro unset.
  513. .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  514. .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  515. .endif
  516.  
  517. # this is still supported for a transition period and is deprecated.
  518. .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  519. .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  520. .endif
  521. #####################################################
  522. ### end acl/20_exim4-config_local_deny_exceptions
  523. #####################################################
  524. #####################################################
  525. ### acl/30_exim4-config_check_mail
  526. #####################################################
  527.  
  528. ### acl/30_exim4-config_check_mail
  529. #################################
  530.  
  531. # This access control list is used for every MAIL command in an incoming
  532. # SMTP message. The tests are run in order until the address is either
  533. # accepted or denied.
  534. #
  535. acl_check_mail:
  536. .ifdef CHECK_MAIL_HELO_ISSUED
  537. deny
  538. message = no HELO given before MAIL command
  539. condition = ${if def:sender_helo_name {no}{yes}}
  540. .endif
  541.  
  542. accept
  543. #####################################################
  544. ### end acl/30_exim4-config_check_mail
  545. #####################################################
  546. #####################################################
  547. ### acl/30_exim4-config_check_rcpt
  548. #####################################################
  549.  
  550. ### acl/30_exim4-config_check_rcpt
  551. #################################
  552.  
  553. # This access control list is used for every RCPT command in an incoming
  554. # SMTP message. The tests are run in order until the address is either
  555. # accepted or denied.
  556. #
  557. acl_check_rcpt:
  558.  
  559. # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  560. # testing for an empty sending host field.
  561. accept
  562. hosts = :
  563. control = dkim_disable_verify
  564.  
  565. # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
  566. # or DISABLE_DKIM_VERIFY are set.
  567. .ifdef DC_minimaldns
  568. warn
  569. control = dkim_disable_verify
  570. .else
  571. .ifdef DISABLE_DKIM_VERIFY
  572. warn
  573. control = dkim_disable_verify
  574. .endif
  575. .endif
  576.  
  577. # The following section of the ACL is concerned with local parts that contain
  578. # certain non-alphanumeric characters. Dots in unusual places are
  579. # handled by this ACL as well.
  580. #
  581. # Non-alphanumeric characters other than dots are rarely found in genuine
  582. # local parts, but are often tried by people looking to circumvent
  583. # relaying restrictions. Therefore, although they are valid in local
  584. # parts, these rules disallow certain non-alphanumeric characters, as
  585. # a precaution.
  586. #
  587. # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  588. # allows them because they have been encountered. (Consider local parts
  589. # constructed as "firstinitial.secondinitial.familyname" when applied to
  590. # a name without a second initial.) However, a local part starting
  591. # with a dot or containing /../ can cause trouble if it is used as part of a
  592. # file name (e.g. for a mailing list). This is also true for local parts that
  593. # contain slashes. A pipe symbol can also be troublesome if the local part is
  594. # incorporated unthinkingly into a shell command line.
  595. #
  596. # These ACL components will block recipient addresses that are valid
  597. # from an RFC2822 point of view. We chose to have them blocked by
  598. # default for security reasons.
  599. #
  600. # If you feel that your site should have less strict recipient
  601. # checking, please feel free to change the default values of the macros
  602. # defined in main/01_exim4-config_listmacrosdefs or override them from a
  603. # local configuration file.
  604. #
  605. # Two different rules are used. The first one has a quite strict
  606. # default, and is applied to messages that are addressed to one of the
  607. # local domains handled by this host.
  608.  
  609. # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
  610. # main/01_exim4-config_listmacrosdefs:
  611. # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  612. # This blocks local parts that begin with a dot or contain a quite
  613. # broad range of non-alphanumeric characters.
  614. .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  615. deny
  616. domains = +local_domains
  617. local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
  618. message = restricted characters in address
  619. .endif
  620.  
  621.  
  622. # The second rule applies to all other domains, and its default is
  623. # considerably less strict.
  624.  
  625. # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
  626. # main/01_exim4-config_listmacrosdefs:
  627. # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  628.  
  629. # It allows local users to send outgoing messages to sites
  630. # that use slashes and vertical bars in their local parts. It blocks
  631. # local parts that begin with a dot, slash, or vertical bar, but allows
  632. # these characters within the local part. However, the sequence /../ is
  633. # barred. The use of some other non-alphanumeric characters is blocked.
  634. # Single quotes might probably be dangerous as well, but they're
  635. # allowed by the default regexps to avoid rejecting mails to Ireland.
  636. # The motivation here is to prevent local users (or local users' malware)
  637. # from mounting certain kinds of attack on remote sites.
  638. .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  639. deny
  640. domains = !+local_domains
  641. local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
  642. message = restricted characters in address
  643. .endif
  644.  
  645.  
  646. # Accept mail to postmaster in any local domain, regardless of the source,
  647. # and without verifying the sender.
  648. #
  649. accept
  650. .ifndef CHECK_RCPT_POSTMASTER
  651. local_parts = postmaster
  652. .else
  653. local_parts = CHECK_RCPT_POSTMASTER
  654. .endif
  655. domains = +local_domains : +relay_to_domains
  656.  
  657. require verify = sender
  658.  
  659. deny message = HELO/EHLO required by SMTP RFC
  660. condition = ${if eq{$sender_helo_name}{}{yes}{no}}
  661.  
  662.  
  663. deny message = Go Away! You are spammer.
  664. condition = ${if match{$sender_host_name} \
  665. {bezeqint\\.net|net\\.il|dialup|dsl|pool|peer|dhcp} \
  666. {yes}{no}}
  667.  
  668. deny message = rejected because \
  669. $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
  670. log_message = found in $dnslist_domain
  671. dnslists = relays.ordb.org
  672.  
  673. deny message = message from \
  674. $sender_host_address rejected - see http://njabl.org/
  675. log_message = found in $dnslist_domain
  676. dnslists = dnsbl.njabl.org
  677.  
  678. deny message = rejected because \
  679. $sender_host_address for bad WHOIS info, see http://www.rfc-ignorant.org/
  680. log_message = found in $dnslist_domain
  681. dnslists = ipwhois.rfc-ignorant.org
  682.  
  683. deny message = rejected because $sender_host_address \
  684. is in a black list at $dnslist_domain\n$dnslist_text
  685. log_message = found in $dnslist_domain
  686. dnslists = dialups.mail-abuse.org
  687.  
  688. deny message = Spam blocked see: \
  689. http://www.spamcop.net/w3m?action=checkblock&ip=$sender_host_address
  690. log_message = found in $dnslist_domain
  691. dnslists = bl.spamcop.net
  692.  
  693. deny message = rejected, $sender_host_address \
  694. Open Proxy, see: $dnslist_domain\n$dnslist_text
  695. log_message = found in $dnslist_domain
  696. dnslists = dnsbl.void.ru
  697.  
  698. # Deny unless the sender address can be verified.
  699. #
  700. # This is disabled by default so that DNSless systems don't break. If
  701. # your system can do DNS lookups without delay or cost, you might want
  702. # to enable this feature.
  703. #
  704. # This feature does not work in smarthost and satellite setups as
  705. # with these setups all domains pass verification. See spec.txt chapter
  706. # 39.31 with the added information that a smarthost/satellite setup
  707. # routes all non-local e-mail to the smarthost.
  708. .ifdef CHECK_RCPT_VERIFY_SENDER
  709. deny
  710. message = Sender verification failed
  711. !acl = acl_local_deny_exceptions
  712. !verify = sender
  713. .endif
  714.  
  715. # Verify senders listed in local_sender_callout with a callout.
  716. #
  717. # In smarthost and satellite setups, this causes the callout to be
  718. # done to the smarthost. Verification will thus only be reliable if the
  719. # smarthost does reject illegal addresses in the SMTP dialog.
  720. deny
  721. !acl = acl_local_deny_exceptions
  722. senders = ${if exists{CONFDIR/local_sender_callout}\
  723. {CONFDIR/local_sender_callout}\
  724. {}}
  725. !verify = sender/callout
  726.  
  727.  
  728. # Accept if the message comes from one of the hosts for which we are an
  729. # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  730. # so we set control=submission to make Exim treat the message as a
  731. # submission. It will fix up various errors in the message, for example, the
  732. # lack of a Date: header line. If you are actually relaying out out from
  733. # MTAs, you may want to disable this. If you are handling both relaying from
  734. # MTAs and submissions from MUAs you should probably split them into two
  735. # lists, and handle them differently.
  736.  
  737. # Recipient verification is omitted here, because in many cases the clients
  738. # are dumb MUAs that don't cope well with SMTP error responses. If you are
  739. # actually relaying out from MTAs, you should probably add recipient
  740. # verification here.
  741.  
  742. # Note that, by putting this test before any DNS black list checks, you will
  743. # always accept from these hosts, even if they end up on a black list. The
  744. # assumption is that they are your friends, and if they get onto black
  745. # list, it is a mistake.
  746. accept
  747. hosts = +relay_from_hosts
  748. control = submission/sender_retain
  749. control = dkim_disable_verify
  750.  
  751.  
  752. # Accept if the message arrived over an authenticated connection, from
  753. # any host. Again, these messages are usually from MUAs, so recipient
  754. # verification is omitted, and submission mode is set. And again, we do this
  755. # check before any black list tests.
  756. accept
  757. authenticated = *
  758. control = submission/sender_retain
  759. control = dkim_disable_verify
  760.  
  761.  
  762. # Insist that any other recipient address that we accept is either in one of
  763. # our local domains, or is in a domain for which we explicitly allow
  764. # relaying. Any other domain is rejected as being unacceptable for relaying.
  765. require
  766. message = relay not permitted
  767. domains = +local_domains : +relay_to_domains
  768.  
  769.  
  770. # We also require all accepted addresses to be verifiable. This check will
  771. # do local part verification for local domains, but only check the domain
  772. # for remote domains.
  773. require
  774. verify = recipient
  775.  
  776.  
  777. # Verify recipients listed in local_rcpt_callout with a callout.
  778. # This is especially handy for forwarding MX hosts (secondary MX or
  779. # mail hubs) of domains that receive a lot of spam to non-existent
  780. # addresses. The only way to check local parts for remote relay
  781. # domains is to use a callout (add /callout), but please read the
  782. # documentation about callouts before doing this.
  783. deny
  784. !acl = acl_local_deny_exceptions
  785. recipients = ${if exists{CONFDIR/local_rcpt_callout}\
  786. {CONFDIR/local_rcpt_callout}\
  787. {}}
  788. !verify = recipient/callout
  789.  
  790.  
  791. # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  792. # should have their access denied to the local host. Incoming messages
  793. # with one of these senders are rejected at RCPT time.
  794. #
  795. # The explicit white lists are honored as well as negative items in
  796. # the black list. See exim4-config_files(5) for details.
  797. deny
  798. message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  799. !acl = acl_local_deny_exceptions
  800. senders = ${if exists{CONFDIR/local_sender_blacklist}\
  801. {CONFDIR/local_sender_blacklist}\
  802. {}}
  803.  
  804.  
  805. # deny bad sites (IP address)
  806. # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  807. # and networks (CIDR notation) that should have their access denied to
  808. # The local host. Messages coming in from a listed host will have all
  809. # RCPT statements rejected.
  810. #
  811. # The explicit white lists are honored as well as negative items in
  812. # the black list. See exim4-config_files(5) for details.
  813. deny
  814. message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  815. !acl = acl_local_deny_exceptions
  816. hosts = ${if exists{CONFDIR/local_host_blacklist}\
  817. {CONFDIR/local_host_blacklist}\
  818. {}}
  819.  
  820.  
  821. # Warn if the sender host does not have valid reverse DNS.
  822. #
  823. # If your system can do DNS lookups without delay or cost, you might want
  824. # to enable this.
  825. # If sender_host_address is defined, it's a remote call. If
  826. # sender_host_name is not defined, then reverse lookup failed. Use
  827. # this instead of !verify = reverse_host_lookup to catch deferrals
  828. # as well as outright failures.
  829. .ifdef CHECK_RCPT_REVERSE_DNS
  830. warn
  831. condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
  832. {yes}{no}}
  833. add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
  834. .endif
  835.  
  836.  
  837. # Use spfquery to perform a pair of SPF checks (for details, see
  838. # http://www.openspf.org/)
  839. #
  840. # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
  841. # enable if that's an issue. Also note that if you enable this, you must
  842. # install "spf-tools-perl" which provides the spfquery command.
  843. # Missing spf-tools-perl will trigger the "Unexpected error in
  844. # SPF check" warning.
  845. .ifdef CHECK_RCPT_SPF
  846. deny
  847. message = [SPF] $sender_host_address is not allowed to send mail from \
  848. ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
  849. Please see \
  850. http://www.openspf.org/Why?scope=${if def:sender_address_domain \
  851. {mfrom}{helo}};identity=${if def:sender_address_domain \
  852. {$sender_address}{$sender_helo_name}};ip=$sender_host_address
  853. log_message = SPF check failed.
  854. !acl = acl_local_deny_exceptions
  855. condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
  856. \"$sender_host_address\" --identity \
  857. ${if def:sender_address_domain \
  858. {--scope mfrom --identity \"$sender_address\"}\
  859. {--scope helo --identity \"$sender_helo_name\"}}}\
  860. {no}{${if eq {$runrc}{1}{yes}{no}}}}
  861.  
  862. defer
  863. message = Temporary DNS error while checking SPF record. Try again later.
  864. !acl = acl_local_deny_exceptions
  865. condition = ${if eq {$runrc}{5}{yes}{no}}
  866.  
  867. warn
  868. condition = ${if <={$runrc}{6}{yes}{no}}
  869. add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
  870. {${if eq {$runrc}{2}{softfail}\
  871. {${if eq {$runrc}{3}{neutral}\
  872. {${if eq {$runrc}{4}{permerror}\
  873. {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
  874. } client-ip=$sender_host_address; \
  875. ${if def:sender_address_domain \
  876. {envelope-from=${sender_address}; }{}}\
  877. helo=$sender_helo_name
  878.  
  879. warn
  880. log_message = Unexpected error in SPF check.
  881. condition = ${if >{$runrc}{6}{yes}{no}}
  882. .endif
  883.  
  884.  
  885. # Check against classic DNS "black" lists (DNSBLs) which list
  886. # sender IP addresses
  887. .ifdef CHECK_RCPT_IP_DNSBLS
  888. warn
  889. dnslists = CHECK_RCPT_IP_DNSBLS
  890. add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  891. log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  892. .endif
  893.  
  894.  
  895. # Check against DNSBLs which list sender domains, with an option to locally
  896. # whitelist certain domains that might be blacklisted.
  897. #
  898. # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
  899. # "/$sender_address_domain" after each domain. For example:
  900. # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
  901. # : rhsbl.bar.org/$sender_address_domain
  902. .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  903. warn
  904. !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
  905. {CONFDIR/local_domain_dnsbl_whitelist}\
  906. {}}
  907. dnslists = CHECK_RCPT_DOMAIN_DNSBLS
  908. add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  909. log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  910. .endif
  911.  
  912.  
  913. # This hook allows you to hook in your own ACLs without having to
  914. # modify this file. If you do it like we suggest, you'll end up with
  915. # a small performance penalty since there is an additional file being
  916. # accessed. This doesn't happen if you leave the macro unset.
  917. .ifdef CHECK_RCPT_LOCAL_ACL_FILE
  918. .include CHECK_RCPT_LOCAL_ACL_FILE
  919. .endif
  920.  
  921.  
  922. #############################################################################
  923. # This check is commented out because it is recognized that not every
  924. # sysadmin will want to do it. If you enable it, the check performs
  925. # Client SMTP Authorization (csa) checks on the sending host. These checks
  926. # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  927. # an Internet draft. You can, of course, add additional conditions to this
  928. # ACL statement to restrict the CSA checks to certain hosts only.
  929. #
  930. # require verify = csa
  931. #############################################################################
  932.  
  933.  
  934. # Accept if the address is in a domain for which we are an incoming relay,
  935. # but again, only if the recipient can be verified.
  936.  
  937. accept
  938. domains = +relay_to_domains
  939. endpass
  940. message = unknown user
  941. verify = recipient
  942.  
  943.  
  944. accept domains = +local_domains
  945. endpass
  946. message = unknown user
  947. verify = recipient
  948.  
  949.  
  950. accept hosts = +relay_from_hosts
  951. accept authenticated = *
  952. deny message = relay not permitted
  953.  
  954.  
  955. # At this point, the address has passed all the checks that have been
  956. # configured, so we accept it unconditionally.
  957.  
  958. accept
  959. #####################################################
  960. ### end acl/30_exim4-config_check_rcpt
  961. #####################################################
  962.  
  963.  
  964. acl_check_mime:
  965.  
  966. warn decode = default
  967.  
  968. deny message = Blacklisted file extension detected ($mime_filename)
  969. condition = ${if match \
  970. {${lc:$mime_filename}} \
  971. {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl)$\N} \
  972. {1}{0}}
  973.  
  974. deny message = Sorry, noone speaks chinese here
  975. condition = ${if eq{$mime_charset}{gb2312}{1}{0}}
  976.  
  977. accept
  978.  
  979.  
  980.  
  981. #####################################################
  982. ### acl/40_exim4-config_check_data
  983. #####################################################
  984.  
  985. ### acl/40_exim4-config_check_data
  986. #################################
  987.  
  988. # This ACL is used after the contents of a message have been received. This
  989. # is the ACL in which you can test a message's headers or body, and in
  990. # particular, this is where you can invoke external virus or spam scanners.
  991.  
  992. acl_check_data:
  993.  
  994. # Deny unless the address list headers are syntactically correct.
  995. #
  996. # If you enable this, you might reject legitimate mail.
  997. .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
  998. deny
  999. message = Message headers fail syntax check
  1000. !acl = acl_local_deny_exceptions
  1001. !verify = header_syntax
  1002. .endif
  1003.  
  1004.  
  1005. # require that there is a verifiable sender address in at least
  1006. # one of the "Sender:", "Reply-To:", or "From:" header lines.
  1007. .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
  1008. deny
  1009. message = No verifiable sender address in message headers
  1010. !acl = acl_local_deny_exceptions
  1011. !verify = header_sender
  1012. .endif
  1013.  
  1014.  
  1015. # Deny if the message contains malware. Before enabling this check, you
  1016. # must install a virus scanner and set the av_scanner option in the
  1017. # main configuration.
  1018. #
  1019. # exim4-daemon-heavy must be used for this section to work.
  1020. #
  1021. # deny
  1022. # malware = *
  1023. # message = This message was detected as possible malware ($malware_name).
  1024.  
  1025.  
  1026. # Add headers to a message if it is judged to be spam. Before enabling this,
  1027. # you must install SpamAssassin. You also need to set the spamd_address
  1028. # option in the main configuration.
  1029. #
  1030. # exim4-daemon-heavy must be used for this section to work.
  1031. #
  1032. # Please note that this is only suiteable as an example. There are
  1033. # multiple issues with this configuration method. For example, if you go
  1034. # this way, you'll give your spamassassin daemon write access to the
  1035. # entire exim spool which might be a security issue in case of a
  1036. # spamassassin exploit.
  1037. #
  1038. # See the exim docs and the exim wiki for more suitable examples.
  1039. #
  1040. # warn
  1041. # spam = Debian-exim:true
  1042. # add_header = X-Spam_score: $spam_score\n\
  1043. # X-Spam_score_int: $spam_score_int\n\
  1044. # X-Spam_bar: $spam_bar\n\
  1045. # X-Spam_report: $spam_report
  1046.  
  1047.  
  1048. # This hook allows you to hook in your own ACLs without having to
  1049. # modify this file. If you do it like we suggest, you'll end up with
  1050. # a small performance penalty since there is an additional file being
  1051. # accessed. This doesn't happen if you leave the macro unset.
  1052. .ifdef CHECK_DATA_LOCAL_ACL_FILE
  1053. .include CHECK_DATA_LOCAL_ACL_FILE
  1054. .endif
  1055.  
  1056.  
  1057. # accept otherwise
  1058. accept
  1059. #####################################################
  1060. ### end acl/40_exim4-config_check_data
  1061. #####################################################
  1062.  
  1063.  
  1064. acl_check_connect:
  1065.  
  1066. warn hosts = 127.0.0.1
  1067. control = no_enforce_sync
  1068.  
  1069. accept
  1070.  
  1071.  
  1072. #####################################################
  1073. ### router/00_exim4-config_header
  1074. #####################################################
  1075.  
  1076. ######################################################################
  1077. # ROUTERS CONFIGURATION #
  1078. # Specifies how addresses are handled #
  1079. ######################################################################
  1080. # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
  1081. # An address is passed to each router in turn until it is accepted. #
  1082. ######################################################################
  1083.  
  1084. begin routers
  1085.  
  1086. #####################################################
  1087. ### end router/00_exim4-config_header
  1088. #####################################################
  1089. #####################################################
  1090. ### router/100_exim4-config_domain_literal
  1091. #####################################################
  1092.  
  1093. ### router/100_exim4-config_domain_literal
  1094. #################################
  1095.  
  1096. # This router handles e-mail addresses in "domain literal" form like
  1097. # <user@[10.11.12.13]>. The RFCs require this facility, but it is disabled
  1098. # in the default config since it is seldomly used and frequently abused.
  1099. # Domain literal support also needs to be enabled in the main config,
  1100. # which is automatically done if you use the enable macro
  1101. # MAIN_ALLOW_DOMAIN_LITERALS.
  1102.  
  1103. .ifdef MAIN_ALLOW_DOMAIN_LITERALS
  1104. domain_literal:
  1105. debug_print = "R: domain_literal for $local_part@$domain"
  1106. driver = ipliteral
  1107. domains = ! +local_domains
  1108. transport = remote_smtp
  1109. .endif
  1110. #####################################################
  1111. ### end router/100_exim4-config_domain_literal
  1112. #####################################################
  1113. #####################################################
  1114. ### router/150_exim4-config_hubbed_hosts
  1115. #####################################################
  1116.  
  1117. # router/150_exim4-config_hubbed_hosts
  1118. #################################
  1119.  
  1120. # route specific domains manually.
  1121. #
  1122. # see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
  1123. # more detailed documentation.
  1124.  
  1125. hubbed_hosts:
  1126. debug_print = "R: hubbed_hosts for $domain"
  1127. driver = manualroute
  1128. domains = "${if exists{CONFDIR/hubbed_hosts}\
  1129. {partial-lsearch;CONFDIR/hubbed_hosts}\
  1130. fail}"
  1131. same_domain_copy_routing = yes
  1132. route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
  1133. transport = remote_smtp
  1134. #####################################################
  1135. ### end router/150_exim4-config_hubbed_hosts
  1136. #####################################################
  1137. #####################################################
  1138. ### router/200_exim4-config_primary
  1139. #####################################################
  1140.  
  1141. ### router/200_exim4-config_primary
  1142. #################################
  1143. # This file holds the primary router, responsible for nonlocal mails
  1144.  
  1145. .ifdef DCconfig_internet
  1146. # configtype=internet
  1147. #
  1148. # deliver mail to the recipient if recipient domain is a domain we
  1149. # relay for. We do not ignore any target hosts here since delivering to
  1150. # a site local or even a link local address might be wanted here, and if
  1151. # such an address has found its way into the MX record of such a domain,
  1152. # the local admin is probably in a place where that broken MX record
  1153. # could be fixed.
  1154.  
  1155. dnslookup_relay_to_domains:
  1156. debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
  1157. driver = dnslookup
  1158. domains = ! +local_domains : +relay_to_domains
  1159. transport = remote_smtp
  1160. same_domain_copy_routing = yes
  1161. no_more
  1162.  
  1163. # deliver mail directly to the recipient. This router is only reached
  1164. # for domains that we do not relay for. Since we most probably can't
  1165. # have broken MX records pointing to site local or link local IP
  1166. # addresses fixed, we ignore target hosts pointing to these addresses.
  1167.  
  1168. dnslookup:
  1169. debug_print = "R: dnslookup for $local_part@$domain"
  1170. driver = dnslookup
  1171. domains = ! +local_domains
  1172. transport = remote_smtp
  1173. same_domain_copy_routing = yes
  1174. # ignore private rfc1918 and APIPA addresses
  1175. ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
  1176. 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
  1177. 255.255.255.255
  1178. no_more
  1179.  
  1180. .endif
  1181.  
  1182.  
  1183. .ifdef DCconfig_local
  1184. # configtype=local
  1185. #
  1186. # Stand-alone system, so generate an error for mail to a non-local domain
  1187. nonlocal:
  1188. debug_print = "R: nonlocal for $local_part@$domain"
  1189. driver = redirect
  1190. domains = ! +local_domains
  1191. allow_fail
  1192. data = :fail: Mailing to remote domains not supported
  1193. no_more
  1194.  
  1195. .endif
  1196.  
  1197.  
  1198. .ifdef DCconfig_smarthost DCconfig_satellite
  1199. # configtype=smarthost or configtype=satellite
  1200. #
  1201. # Send all non-local mail to a single other machine (smarthost).
  1202. #
  1203. # This means _ALL_ non-local mail goes to the smarthost. This will most
  1204. # probably not do what you want for domains that are listed in
  1205. # relay_domains. The most typical use for relay_domains is to control
  1206. # relaying for incoming e-mail on secondary MX hosts. In that case,
  1207. # it doesn't make sense to send the mail to the smarthost since the
  1208. # smarthost will probably send the message right back here, causing a
  1209. # loop.
  1210. #
  1211. # If you want to use a smarthost while being secondary MX for some
  1212. # domains, you'll need to copy the dnslookup_relay_to_domains router
  1213. # here so that mail to relay_domains is handled separately.
  1214.  
  1215. smarthost:
  1216. debug_print = "R: smarthost for $local_part@$domain"
  1217. driver = manualroute
  1218. domains = ! +local_domains
  1219. transport = remote_smtp_smarthost
  1220. route_list = * DCsmarthost byname
  1221. host_find_failed = defer
  1222. same_domain_copy_routing = yes
  1223. no_more
  1224.  
  1225. .endif
  1226.  
  1227.  
  1228. # The "no_more" above means that all later routers are for
  1229. # domains in the local_domains list, i.e. just like Exim 3 directors.
  1230. #####################################################
  1231. ### end router/200_exim4-config_primary
  1232. #####################################################
  1233. #####################################################
  1234. ### router/300_exim4-config_real_local
  1235. #####################################################
  1236.  
  1237. ### router/300_exim4-config_real_local
  1238. #################################
  1239.  
  1240. # This router allows reaching a local user while avoiding local
  1241. # processing. This can be used to inform a user of a broken .forward
  1242. # file, for example. The userforward router does this.
  1243.  
  1244. COND_LOCAL_SUBMITTER = "\
  1245. ${if match_ip{$sender_host_address}{:@[]}\
  1246. {1}{0}\
  1247. }"
  1248.  
  1249. real_local:
  1250. debug_print = "R: real_local for $local_part@$domain"
  1251. driver = accept
  1252. domains = +local_domains
  1253. condition = COND_LOCAL_SUBMITTER
  1254. local_part_prefix = real-
  1255. check_local_user
  1256. transport = LOCAL_DELIVERY
  1257.  
  1258. #####################################################
  1259. ### end router/300_exim4-config_real_local
  1260. #####################################################
  1261. #####################################################
  1262. ### router/400_exim4-config_system_aliases
  1263. #####################################################
  1264.  
  1265. ### router/400_exim4-config_system_aliases
  1266. #################################
  1267.  
  1268. # This router handles aliasing using a traditional /etc/aliases file.
  1269. #
  1270. ##### NB You must ensure that /etc/aliases exists. It used to be the case
  1271. ##### NB that every Unix had that file, because it was the Sendmail default.
  1272. ##### NB These days, there are systems that don't have it. Your aliases
  1273. ##### NB file should at least contain an alias for "postmaster".
  1274. #
  1275. # This router handles the local part in a case-insensitive way which
  1276. # satisfies the RFCs requirement that postmaster be reachable regardless
  1277. # of case. If you decide to handle /etc/aliases in a caseful way, you
  1278. # need to make arrangements for a caseless postmaster.
  1279. #
  1280. # Delivery to arbitrary directories, files, and piping to programs in
  1281. # /etc/aliases is disabled per default.
  1282. # If that is a problem for you, see
  1283. # /usr/share/doc/exim4-base/README.Debian.gz
  1284. # for explanation and some workarounds.
  1285.  
  1286. system_aliases:
  1287. debug_print = "R: system_aliases for $local_part@$domain"
  1288. driver = redirect
  1289. domains = +local_domains
  1290. allow_fail
  1291. allow_defer
  1292. data = ${lookup mysql{SELECT recipients FROM aliases \
  1293. WHERE local_part='${local_part}' AND domain='${domain}'}}
  1294. .ifdef SYSTEM_ALIASES_USER
  1295. user = SYSTEM_ALIASES_USER
  1296. .endif
  1297. .ifdef SYSTEM_ALIASES_GROUP
  1298. group = SYSTEM_ALIASES_GROUP
  1299. .endif
  1300. .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
  1301. file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
  1302. .endif
  1303. .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
  1304. pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
  1305. .endif
  1306. .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  1307. directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  1308. .endif
  1309. #####################################################
  1310. ### end router/400_exim4-config_system_aliases
  1311. #####################################################
  1312. #####################################################
  1313. ### router/500_exim4-config_hubuser
  1314. #####################################################
  1315.  
  1316. ### router/500_exim4-config_hubuser
  1317. #################################
  1318.  
  1319. .ifdef DCconfig_satellite
  1320. # This router is only used for configtype=satellite.
  1321. # It takes care to route all mail targetted to <somelocaluser@this.machine>
  1322. # to the host where we read our mail
  1323. #
  1324. hub_user:
  1325. debug_print = "R: hub_user for $local_part@$domain"
  1326. driver = redirect
  1327. domains = +local_domains
  1328. data = ${local_part}@DCreadhost
  1329. check_local_user
  1330.  
  1331. # Grab the redirected mail and deliver it.
  1332. # This is a duplicate of the smarthost router, needed because
  1333. # DCreadhost might end up as part of +local_domains
  1334. hub_user_smarthost:
  1335. debug_print = "R: hub_user_smarthost for $local_part@$domain"
  1336. driver = manualroute
  1337. domains = DCreadhost
  1338. transport = remote_smtp_smarthost
  1339. route_list = * DCsmarthost byname
  1340. host_find_failed = defer
  1341. same_domain_copy_routing = yes
  1342. check_local_user
  1343. .endif
  1344.  
  1345.  
  1346. #####################################################
  1347. ### end router/500_exim4-config_hubuser
  1348. #####################################################
  1349. #####################################################
  1350. ### router/600_exim4-config_userforward
  1351. #####################################################
  1352.  
  1353. ### router/600_exim4-config_userforward
  1354. #################################
  1355.  
  1356. # This router handles forwarding using traditional .forward files in users'
  1357. # home directories. It also allows mail filtering with a forward file
  1358. # starting with the string "# Exim filter" or "# Sieve filter".
  1359. #
  1360. # The no_verify setting means that this router is skipped when Exim is
  1361. # verifying addresses. Similarly, no_expn means that this router is skipped if
  1362. # Exim is processing an EXPN command.
  1363. #
  1364. # The check_ancestor option means that if the forward file generates an
  1365. # address that is an ancestor of the current one, the current one gets
  1366. # passed on instead. This covers the case where A is aliased to B and B
  1367. # has a .forward file pointing to A.
  1368. #
  1369. # The four transports specified at the end are those that are used when
  1370. # forwarding generates a direct delivery to a directory, or a file, or to a
  1371. # pipe, or sets up an auto-reply, respectively.
  1372. #
  1373. userforward:
  1374. debug_print = "R: userforward for $local_part@$domain"
  1375. driver = redirect
  1376. allow_fail
  1377. allow_defer
  1378. data = ${lookup mysql{SELECT recipients FROM userforward \
  1379. WHERE local_part='${local_part}' AND domain='${domain}'}}
  1380. domains = +local_domains
  1381. check_local_user
  1382. # file = $home/.forward
  1383. require_files = $local_part:$home/.forward
  1384. no_verify
  1385. no_expn
  1386. check_ancestor
  1387. allow_filter
  1388. forbid_smtp_code = true
  1389. directory_transport = address_directory
  1390. file_transport = address_file
  1391. pipe_transport = address_pipe
  1392. reply_transport = address_reply
  1393. skip_syntax_errors
  1394. syntax_errors_to = real-$local_part@$domain
  1395. syntax_errors_text = \
  1396. This is an automatically generated message. An error has\n\
  1397. been found in your .forward file. Details of the error are\n\
  1398. reported below. While this error persists, you will receive\n\
  1399. a copy of this message for every message that is addressed\n\
  1400. to you. If your .forward file is a filter file, or if it is\n\
  1401. a non-filter file containing no valid forwarding addresses,\n\
  1402. a copy of each incoming message will be put in your normal\n\
  1403. mailbox. If a non-filter file contains at least one valid\n\
  1404. forwarding address, forwarding to the valid addresses will\n\
  1405. happen, and those will be the only deliveries that occur.
  1406.  
  1407. virtual_localuser:
  1408. driver = accept
  1409. domains = ${lookup mysql{SELECT domain from domains WHERE domain='${domain}'}}
  1410. local_parts = ${lookup mysql{SELECT login from users \
  1411. WHERE login='${local_part}' AND domain='${domain}'}}
  1412. transport = local_delivery
  1413.  
  1414.  
  1415. #####################################################
  1416. ### end router/600_exim4-config_userforward
  1417. #####################################################
  1418. #####################################################
  1419. ### router/700_exim4-config_procmail
  1420. #####################################################
  1421.  
  1422. procmail:
  1423. debug_print = "R: procmail for $local_part@$domain"
  1424. driver = accept
  1425. domains = +local_domains
  1426. check_local_user
  1427. transport = procmail_pipe
  1428. # emulate OR with "if exists"-expansion
  1429. require_files = ${local_part}:\
  1430. ${if exists{/etc/procmailrc}\
  1431. {/etc/procmailrc}{${home}/.procmailrc}}:\
  1432. +/usr/bin/procmail
  1433. no_verify
  1434. no_expn
  1435.  
  1436. #####################################################
  1437. ### end router/700_exim4-config_procmail
  1438. #####################################################
  1439. #####################################################
  1440. ### router/800_exim4-config_maildrop
  1441. #####################################################
  1442.  
  1443. ### router/800_exim4-config_maildrop
  1444. #################################
  1445.  
  1446. maildrop:
  1447. debug_print = "R: maildrop for $local_part@$domain"
  1448. driver = accept
  1449. domains = +local_domains
  1450. check_local_user
  1451. transport = maildrop_pipe
  1452. require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
  1453. no_verify
  1454. no_expn
  1455.  
  1456. #####################################################
  1457. ### end router/800_exim4-config_maildrop
  1458. #####################################################
  1459. #####################################################
  1460. ### router/850_exim4-config_lowuid
  1461. #####################################################
  1462.  
  1463. ### router/850_exim4-config_lowuid
  1464. #################################
  1465.  
  1466. .ifndef FIRST_USER_ACCOUNT_UID
  1467. FIRST_USER_ACCOUNT_UID = 0
  1468. .endif
  1469.  
  1470. .ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
  1471. DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
  1472. .endif
  1473.  
  1474. COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
  1475. ${if and{{! match_ip{$sender_host_address}{:@[]}}\
  1476. {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
  1477. {1}{0}\
  1478. }"
  1479.  
  1480. lowuid_aliases:
  1481. debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
  1482. check_local_user
  1483. driver = redirect
  1484. allow_fail
  1485. domains = +local_domains
  1486. condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  1487. data = ${if exists{CONFDIR/lowuid-aliases}\
  1488. {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
  1489. {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
  1490. {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
  1491. #####################################################
  1492. ### end router/850_exim4-config_lowuid
  1493. #####################################################
  1494. #####################################################
  1495. ### router/900_exim4-config_local_user
  1496. #####################################################
  1497.  
  1498. ### router/900_exim4-config_local_user
  1499. #################################
  1500.  
  1501. # This router matches local user mailboxes. If the router fails, the error
  1502. # message is "Unknown user".
  1503.  
  1504. local_user:
  1505. debug_print = "R: local_user for $local_part@$domain"
  1506. driver = accept
  1507. domains = +local_domains
  1508. check_local_user
  1509. local_parts = ! root
  1510. transport = LOCAL_DELIVERY
  1511. cannot_route_message = Unknown user
  1512. #####################################################
  1513. ### end router/900_exim4-config_local_user
  1514. #####################################################
  1515. #####################################################
  1516. ### router/mmm_mail4root
  1517. #####################################################
  1518.  
  1519. ### router/mmm_mail4root
  1520. #################################
  1521. # deliver mail addressed to root to /var/mail/mail as user mail:mail
  1522. # if it was not redirected in /etc/aliases or by other means
  1523. # Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
  1524.  
  1525. mail4root:
  1526. debug_print = "R: mail4root for $local_part@$domain"
  1527. driver = redirect
  1528. domains = +local_domains
  1529. data = /var/mail/mail
  1530. file_transport = address_file
  1531. local_parts = root
  1532. user = mail
  1533. group = mail
  1534.  
  1535. #####################################################
  1536. ### end router/mmm_mail4root
  1537. #####################################################
  1538.  
  1539.  
  1540.  
  1541. virtual_user:
  1542. driver = accept
  1543. domains = dsearch;/etc/vmail
  1544. condition = ${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}\
  1545. {yes}{no}}
  1546. transport = virtual_mail_spool
  1547.  
  1548.  
  1549.  
  1550.  
  1551.  
  1552. #####################################################
  1553. ### transport/00_exim4-config_header
  1554. #####################################################
  1555.  
  1556. ######################################################################
  1557. # TRANSPORTS CONFIGURATION #
  1558. ######################################################################
  1559. # ORDER DOES NOT MATTER #
  1560. # Only one appropriate transport is called for each delivery. #
  1561. ######################################################################
  1562.  
  1563. # A transport is used only when referenced from a router that successfully
  1564. # handles an address.
  1565.  
  1566. begin transports
  1567.  
  1568. #####################################################
  1569. ### end transport/00_exim4-config_header
  1570. #####################################################
  1571. #####################################################
  1572. ### transport/10_exim4-config_transport-macros
  1573. #####################################################
  1574.  
  1575. ### transport/10_exim4-config_transport-macros
  1576. #################################
  1577.  
  1578. .ifdef HIDE_MAILNAME
  1579. REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
  1580. REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
  1581. .endif
  1582.  
  1583. .ifdef REMOTE_SMTP_HELO_FROM_DNS
  1584. .ifdef REMOTE_SMTP_HELO_DATA
  1585. REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
  1586. .else
  1587. REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
  1588. .endif
  1589. .endif
  1590. #####################################################
  1591. ### end transport/10_exim4-config_transport-macros
  1592. #####################################################
  1593. #####################################################
  1594. ### transport/30_exim4-config_address_file
  1595. #####################################################
  1596.  
  1597. # This transport is used for handling deliveries directly to files that are
  1598. # generated by aliasing or forwarding.
  1599. #
  1600. address_file:
  1601. debug_print = "T: address_file for $local_part@$domain"
  1602. driver = appendfile
  1603. delivery_date_add
  1604. envelope_to_add
  1605. return_path_add
  1606.  
  1607. #####################################################
  1608. ### end transport/30_exim4-config_address_file
  1609. #####################################################
  1610. #####################################################
  1611. ### transport/30_exim4-config_address_pipe
  1612. #####################################################
  1613.  
  1614. # This transport is used for handling pipe deliveries generated by
  1615. # .forward files. If the commands fails and produces any output on standard
  1616. # output or standard error streams, the output is returned to the sender
  1617. # of the message as a delivery error.
  1618. address_pipe:
  1619. debug_print = "T: address_pipe for $local_part@$domain"
  1620. driver = pipe
  1621. return_output
  1622.  
  1623. #####################################################
  1624. ### end transport/30_exim4-config_address_pipe
  1625. #####################################################
  1626. #####################################################
  1627. ### transport/30_exim4-config_address_reply
  1628. #####################################################
  1629.  
  1630. # This transport is used for handling autoreplies generated by the filtering
  1631. # option of the userforward router.
  1632. #
  1633. address_reply:
  1634. debug_print = "T: autoreply for $local_part@$domain"
  1635. driver = autoreply
  1636.  
  1637. #####################################################
  1638. ### end transport/30_exim4-config_address_reply
  1639. #####################################################
  1640. #####################################################
  1641. ### transport/30_exim4-config_mail_spool
  1642. #####################################################
  1643.  
  1644. ### transport/30_exim4-config_mail_spool
  1645.  
  1646. # This transport is used for local delivery to user mailboxes in traditional
  1647. # BSD mailbox format.
  1648. #
  1649. mail_spool:
  1650. debug_print = "T: appendfile for $local_part@$domain"
  1651. driver = appendfile
  1652. file = /var/mail/$local_part
  1653. delivery_date_add
  1654. envelope_to_add
  1655. return_path_add
  1656. group = mail
  1657. mode = 0660
  1658. mode_fail_narrower = false
  1659.  
  1660. #####################################################
  1661. ### end transport/30_exim4-config_mail_spool
  1662. #####################################################
  1663. #####################################################
  1664. ### transport/30_exim4-config_maildir_home
  1665. #####################################################
  1666.  
  1667. ### transport/30_exim4-config_maildir_home
  1668. #################################
  1669.  
  1670. # Use this instead of mail_spool if you want to to deliver to Maildir in
  1671. # home-directory - change the definition of LOCAL_DELIVERY
  1672. #
  1673. maildir_home:
  1674. debug_print = "T: maildir_home for $local_part@$domain"
  1675. driver = appendfile
  1676. .ifdef MAILDIR_HOME_MAILDIR_LOCATION
  1677. directory = MAILDIR_HOME_MAILDIR_LOCATION
  1678. .else
  1679. directory = $home/Maildir
  1680. .endif
  1681. .ifdef MAILDIR_HOME_CREATE_DIRECTORY
  1682. create_directory
  1683. .endif
  1684. .ifdef MAILDIR_HOME_CREATE_FILE
  1685. create_file = MAILDIR_HOME_CREATE_FILE
  1686. .endif
  1687. delivery_date_add
  1688. envelope_to_add
  1689. return_path_add
  1690. maildir_format
  1691. .ifdef MAILDIR_HOME_DIRECTORY_MODE
  1692. directory_mode = MAILDIR_HOME_DIRECTORY_MODE
  1693. .else
  1694. directory_mode = 0700
  1695. .endif
  1696. .ifdef MAILDIR_HOME_MODE
  1697. mode = MAILDIR_HOME_MODE
  1698. .else
  1699. mode = 0600
  1700. .endif
  1701. mode_fail_narrower = false
  1702. # This transport always chdirs to $home before trying to deliver. If
  1703. # $home is not accessible, this chdir fails and prevents delivery.
  1704. # If you are in a setup where home directories might not be
  1705. # accessible, uncomment the current_directory line below.
  1706. # current_directory = /
  1707. #####################################################
  1708. ### end transport/30_exim4-config_maildir_home
  1709. #####################################################
  1710. #####################################################
  1711. ### transport/30_exim4-config_maildrop_pipe
  1712. #####################################################
  1713.  
  1714. maildrop_pipe:
  1715. debug_print = "T: maildrop_pipe for $local_part@$domain"
  1716. driver = pipe
  1717. path = "/bin:/usr/bin:/usr/local/bin"
  1718. command = "/usr/bin/maildrop"
  1719. return_path_add
  1720. delivery_date_add
  1721. envelope_to_add
  1722.  
  1723. #####################################################
  1724. ### end transport/30_exim4-config_maildrop_pipe
  1725. #####################################################
  1726. #####################################################
  1727. ### transport/30_exim4-config_procmail_pipe
  1728. #####################################################
  1729.  
  1730. procmail_pipe:
  1731. debug_print = "T: procmail_pipe for $local_part@$domain"
  1732. driver = pipe
  1733. path = "/bin:/usr/bin:/usr/local/bin"
  1734. command = "/usr/bin/procmail"
  1735. return_path_add
  1736. delivery_date_add
  1737. envelope_to_add
  1738.  
  1739. #####################################################
  1740. ### end transport/30_exim4-config_procmail_pipe
  1741. #####################################################
  1742. #####################################################
  1743. ### transport/30_exim4-config_remote_smtp
  1744. #####################################################
  1745.  
  1746. ### transport/30_exim4-config_remote_smtp
  1747. #################################
  1748. # This transport is used for delivering messages over SMTP connections.
  1749.  
  1750. remote_smtp:
  1751. debug_print = "T: remote_smtp for $local_part@$domain"
  1752. driver = smtp
  1753. .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  1754. hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
  1755. .endif
  1756. .ifdef REMOTE_SMTP_HEADERS_REWRITE
  1757. headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  1758. .endif
  1759. .ifdef REMOTE_SMTP_RETURN_PATH
  1760. return_path = REMOTE_SMTP_RETURN_PATH
  1761. .endif
  1762. .ifdef REMOTE_SMTP_HELO_DATA
  1763. helo_data=REMOTE_SMTP_HELO_DATA
  1764. .endif
  1765. .ifdef DKIM_DOMAIN
  1766. dkim_domain = DKIM_DOMAIN
  1767. .endif
  1768. .ifdef DKIM_SELECTOR
  1769. dkim_selector = DKIM_SELECTOR
  1770. .endif
  1771. .ifdef DKIM_PRIVATE_KEY
  1772. dkim_private_key = DKIM_PRIVATE_KEY
  1773. .endif
  1774. .ifdef DKIM_CANON
  1775. dkim_canon = DKIM_CANON
  1776. .endif
  1777. .ifdef DKIM_STRICT
  1778. dkim_strict = DKIM_STRICT
  1779. .endif
  1780. .ifdef DKIM_SIGN_HEADERS
  1781. dkim_sign_headers = DKIM_SIGN_HEADERS
  1782. .endif
  1783. #####################################################
  1784. ### end transport/30_exim4-config_remote_smtp
  1785. #####################################################
  1786.  
  1787.  
  1788. local_delivery:
  1789. driver = appendfile
  1790. check_string = ""
  1791. create_directory
  1792. delivery_date_add
  1793. directory = /var/mail/$domain/$local_part
  1794. directory_mode = 770
  1795. envelope_to_add
  1796. group = mail
  1797. maildir_format
  1798. maildir_tag = ,S=$message_size
  1799. message_prefix = ""
  1800. message_suffix = ""
  1801. mode = 0660
  1802. quota = ${lookup mysql{SELECT quota FROM users \
  1803. WHERE login='${local_part}' AND domain='${domain}'}{${value}M}}
  1804. quota_size_regex = S=(\d+)$
  1805. quota_warn_threshold = 75%
  1806. return_path_add
  1807.  
  1808.  
  1809. virtual_mail_spool:
  1810. driver = appendfile
  1811. user = ${extract{2}{:}\
  1812. {${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}}\
  1813. }}
  1814. file = ${extract{5}{:}\
  1815. {${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}}\
  1816. }}/mail/$domain/$local_part/inbox
  1817. group = ${extract{3}{:}\
  1818. {${lookup{$local_part}lsearch{/etc/vmail/$domain/passwd}}\
  1819. }}
  1820. mode = 0600
  1821.  
  1822.  
  1823.  
  1824.  
  1825.  
  1826. #####################################################
  1827. ### transport/30_exim4-config_remote_smtp_smarthost
  1828. #####################################################
  1829.  
  1830. ### transport/30_exim4-config_remote_smtp_smarthost
  1831. #################################
  1832.  
  1833. # This transport is used for delivering messages over SMTP connections
  1834. # to a smarthost. The local host tries to authenticate.
  1835. # This transport is used for smarthost and satellite configurations.
  1836.  
  1837. remote_smtp_smarthost:
  1838. debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  1839. driver = smtp
  1840. hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
  1841. {\
  1842. ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
  1843. }\
  1844. {} \
  1845. }
  1846. .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  1847. hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  1848. .endif
  1849. .ifdef REMOTE_SMTP_HEADERS_REWRITE
  1850. headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  1851. .endif
  1852. .ifdef REMOTE_SMTP_RETURN_PATH
  1853. return_path = REMOTE_SMTP_RETURN_PATH
  1854. .endif
  1855. .ifdef REMOTE_SMTP_HELO_DATA
  1856. helo_data=REMOTE_SMTP_HELO_DATA
  1857. .endif
  1858. #####################################################
  1859. ### end transport/30_exim4-config_remote_smtp_smarthost
  1860. #####################################################
  1861. #####################################################
  1862. ### transport/35_exim4-config_address_directory
  1863. #####################################################
  1864. # This transport is used for handling file addresses generated by alias
  1865. # or .forward files if the path ends in "/", which causes it to be treated
  1866. # as a directory name rather than a file name.
  1867.  
  1868. address_directory:
  1869. debug_print = "T: address_directory for $local_part@$domain"
  1870. driver = appendfile
  1871. delivery_date_add
  1872. envelope_to_add
  1873. return_path_add
  1874. check_string = ""
  1875. escape_string = ""
  1876. maildir_format
  1877.  
  1878. #####################################################
  1879. ### end transport/35_exim4-config_address_directory
  1880. #####################################################
  1881. #####################################################
  1882. ### retry/00_exim4-config_header
  1883. #####################################################
  1884.  
  1885. ######################################################################
  1886. # RETRY CONFIGURATION #
  1887. ######################################################################
  1888.  
  1889. begin retry
  1890.  
  1891. #####################################################
  1892. ### end retry/00_exim4-config_header
  1893. #####################################################
  1894. #####################################################
  1895. ### retry/30_exim4-config
  1896. #####################################################
  1897.  
  1898. ### retry/30_exim4-config
  1899. #################################
  1900.  
  1901. # This single retry rule applies to all domains and all errors. It specifies
  1902. # retries every 15 minutes for 2 hours, then increasing retry intervals,
  1903. # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
  1904. # hours, then retries every 6 hours until 4 days have passed since the first
  1905. # failed delivery.
  1906.  
  1907. # Please note that these rules only limit the frequenzy of retries, the
  1908. # effective retry-time depends on the frequenzy of queue-running, too.
  1909. # See QUEUEINTERVAL in /etc/default/exim4.
  1910.  
  1911. # Address or Domain Error Retries
  1912. # ----------------- ----- -------
  1913.  
  1914. * quota
  1915. * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
  1916.  
  1917. #####################################################
  1918. ### end retry/30_exim4-config
  1919. #####################################################
  1920. #####################################################
  1921. ### rewrite/00_exim4-config_header
  1922. #####################################################
  1923.  
  1924. ######################################################################
  1925. # REWRITE CONFIGURATION #
  1926. ######################################################################
  1927.  
  1928. begin rewrite
  1929.  
  1930. #####################################################
  1931. ### end rewrite/00_exim4-config_header
  1932. #####################################################
  1933. #####################################################
  1934. ### rewrite/31_exim4-config_rewriting
  1935. #####################################################
  1936.  
  1937. ### rewrite/31_exim4-config_rewriting
  1938. #################################
  1939.  
  1940. # This rewriting rule is particularily useful for dialup users who
  1941. # don't have their own domain, but could be useful for anyone.
  1942. # It looks up the real address of all local users in a file
  1943. .ifndef NO_EAA_REWRITE_REWRITE
  1944. *@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
  1945. {$value}fail}" Ffrs
  1946. # identical rewriting rule for /etc/mailname
  1947. *@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
  1948. {$value}fail}" Ffrs
  1949. .endif
  1950.  
  1951.  
  1952. #####################################################
  1953. ### end rewrite/31_exim4-config_rewriting
  1954. #####################################################
  1955. #####################################################
  1956. ### auth/00_exim4-config_header
  1957. #####################################################
  1958.  
  1959. ######################################################################
  1960. # AUTHENTICATION CONFIGURATION #
  1961. ######################################################################
  1962.  
  1963. begin authenticators
  1964.  
  1965.  
  1966. #####################################################
  1967. ### end auth/00_exim4-config_header
  1968. #####################################################
  1969. #####################################################
  1970. ### auth/30_exim4-config_examples
  1971. #####################################################
  1972.  
  1973. ### auth/30_exim4-config_examples
  1974. #################################
  1975.  
  1976. # The examples below are for server side authentication, when the
  1977. # local exim is SMTP server and clients authenticate to the local exim.
  1978.  
  1979. # They allow two styles of plain-text authentication against an
  1980. # CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
  1981.  
  1982. # Hosts that are allowed to use AUTH are defined by the
  1983. # auth_advertise_hosts option in the main configuration. The default is
  1984. # "*", which allows authentication to all hosts over all kinds of
  1985. # connections if there is at least one authenticator defined here.
  1986. # Authenticators which rely on unencrypted clear text passwords don't
  1987. # advertise on unencrypted connections by default. Thus, it might be
  1988. # wise to set up TLS to allow encrypted connections. If TLS cannot be
  1989. # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
  1990. # advertise unencrypted clear text password based authenticators on all
  1991. # connections. As this is severely reducing security, using TLS is
  1992. # preferred over allowing clear text password based authenticators on
  1993. # unencrypted connections.
  1994.  
  1995.  
  1996. # PLAIN authentication has no server prompts. The client sends its
  1997. # credentials in one lump, containing an authorization ID (which we do not
  1998. # use), an authentication ID, and a password. The latter two appear as
  1999. # $auth2 and $auth3 in the configuration and should be checked against a
  2000. # valid username and password. In a real configuration you would typically
  2001. # use $auth2 as a lookup key, and compare $auth3 against the result of the
  2002. # lookup, perhaps using the crypteq{}{} condition.
  2003.  
  2004. # plain_server:
  2005. # driver = plaintext
  2006. # public_name = PLAIN
  2007. # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  2008. # server_set_id = $auth2
  2009. # server_prompts = :
  2010. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2011. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2012. # .endif
  2013.  
  2014. # LOGIN authentication has traditional prompts and responses. There is no
  2015. # authorization ID in this mechanism, so unlike PLAIN the username and
  2016. # password are $auth1 and $auth2. Apart from that you can use the same
  2017. # server_condition setting for both authenticators.
  2018.  
  2019. # login_server:
  2020. # driver = plaintext
  2021. # public_name = LOGIN
  2022. # server_prompts = "Username:: : Password::"
  2023. # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  2024. # server_set_id = $auth1
  2025. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2026. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2027. # .endif
  2028. #
  2029. # cram_md5_server:
  2030. # driver = cram_md5
  2031. # public_name = CRAM-MD5
  2032. # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
  2033. # server_set_id = $auth1
  2034.  
  2035. # Here is an example of CRAM-MD5 authentication against PostgreSQL:
  2036. #
  2037. # psqldb_auth_server:
  2038. # driver = cram_md5
  2039. # public_name = CRAM-MD5
  2040. # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
  2041. # server_set_id = $auth1
  2042.  
  2043. # Authenticate against local passwords using sasl2-bin
  2044. # Requires exim_uid to be a member of sasl group, see README.Debian.gz
  2045. # plain_saslauthd_server:
  2046. # driver = plaintext
  2047. # public_name = PLAIN
  2048. # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  2049. # server_set_id = $auth2
  2050. # server_prompts = :
  2051. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2052. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2053. # .endif
  2054. #
  2055. # login_saslauthd_server:
  2056. # driver = plaintext
  2057. # public_name = LOGIN
  2058. # server_prompts = "Username:: : Password::"
  2059. # # don't send system passwords over unencrypted connections
  2060. # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  2061. # server_set_id = $auth1
  2062. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2063. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2064. # .endif
  2065. #
  2066. # ntlm_sasl_server:
  2067. # driver = cyrus_sasl
  2068. # public_name = NTLM
  2069. # server_realm = <short main hostname>
  2070. # server_set_id = $auth1
  2071. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2072. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2073. # .endif
  2074. #
  2075. # digest_md5_sasl_server:
  2076. # driver = cyrus_sasl
  2077. # public_name = DIGEST-MD5
  2078. # server_realm = <short main hostname>
  2079. # server_set_id = $auth1
  2080. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2081. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2082. # .endif
  2083.  
  2084. # Authentcate against cyrus-sasl
  2085. # This is mainly untested, please report any problems to
  2086. # pkg-exim4-users@lists.alioth.debian.org.
  2087. # cram_md5_sasl_server:
  2088. # driver = cyrus_sasl
  2089. # public_name = CRAM-MD5
  2090. # server_realm = <short main hostname>
  2091. # server_set_id = $auth1
  2092. #
  2093. # plain_sasl_server:
  2094. # driver = cyrus_sasl
  2095. # public_name = PLAIN
  2096. # server_realm = <short main hostname>
  2097. # server_set_id = $auth1
  2098. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2099. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2100. # .endif
  2101. #
  2102. # login_sasl_server:
  2103. # driver = cyrus_sasl
  2104. # public_name = LOGIN
  2105. # server_realm = <short main hostname>
  2106. # server_set_id = $auth1
  2107. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2108. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2109. # .endif
  2110.  
  2111. # Authenticate against courier authdaemon
  2112.  
  2113. # This is now the (working!) example from
  2114. # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
  2115. # Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
  2116. # plain_courier_authdaemon:
  2117. # driver = plaintext
  2118. # public_name = PLAIN
  2119. # server_condition = \
  2120. # ${extract {ADDRESS} \
  2121. # {${readsocket{/var/run/courier/authdaemon/socket} \
  2122. # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
  2123. # {yes} \
  2124. # fail}
  2125. # server_set_id = $auth2
  2126. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2127. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2128. # .endif
  2129.  
  2130. # login_courier_authdaemon:
  2131. # driver = plaintext
  2132. # public_name = LOGIN
  2133. # server_prompts = Username:: : Password::
  2134. # server_condition = \
  2135. # ${extract {ADDRESS} \
  2136. # {${readsocket{/var/run/courier/authdaemon/socket} \
  2137. # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
  2138. # {yes} \
  2139. # fail}
  2140. # server_set_id = $auth1
  2141. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2142. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2143. # .endif
  2144.  
  2145. # This one is a bad hack to support the broken version 4.xx of
  2146. # Microsoft Outlook Express which violates the RFCs by demanding
  2147. # "250-AUTH=" instead of "250-AUTH ".
  2148. # If your list of offered authenticators is other than PLAIN and LOGIN,
  2149. # you need to adapt the public_name line manually.
  2150. # It has to be the last authenticator to work and has not been tested
  2151. # well. Use at your own risk.
  2152. # See the thread entry point from
  2153. # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
  2154. # for the related discussion on the exim-users mailing list.
  2155. # Thanks to Fred Viles for this great work.
  2156.  
  2157. # support_broken_outlook_express_4_server:
  2158. # driver = plaintext
  2159. # public_name = "\r\n250-AUTH=PLAIN LOGIN"
  2160. # server_prompts = User Name : Password
  2161. # server_condition = no
  2162. # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2163. # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
  2164. # .endif
  2165.  
  2166. ##############
  2167. # See /usr/share/doc/exim4-base/README.Debian.gz
  2168. ##############
  2169.  
  2170. # These examples below are the equivalent for client side authentication.
  2171. # They get the passwords from CONFDIR/passwd.client, whose format is
  2172. # defined in exim4_passwd_client(5)
  2173.  
  2174. # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
  2175. # only allow these mechanisms over encrypted connections by default.
  2176. # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
  2177. # clear text password authentication on all connections.
  2178.  
  2179. auth_cram_md5:
  2180. driver = cram_md5
  2181. public_name = CRAM-MD5
  2182. server_secret = ${lookup mysql{SELECT decrypt FROM users \
  2183. WHERE login = '${quote_mysql:${local_part:$1}}' \
  2184. AND domain = '${quote_mysql:${domain:$1}}' \
  2185. AND status = '1'}{$value}fail}
  2186. server_set_id = $1
  2187.  
  2188. auth_plain:
  2189. driver = plaintext
  2190. public_name = PLAINA
  2191. server_condition = ${lookup mysql{SELECT login FROM users \
  2192. WHERE login = '${quote_mysql:${local_part:$2}}' \
  2193. AND domain = '${quote_mysql:${domain:$2}}' \
  2194. AND decrypt = '${quote_mysql:$3}' \
  2195. AND status = '1'}{yes}{no}}
  2196. server_prompts = :
  2197. server_set_id = $2
  2198.  
  2199. auth_login:
  2200. driver = plaintext
  2201. public_name = LOGINA
  2202. server_condition = ${lookup mysql{SELECT login FROM users \
  2203. WHERE login = '${quote_mysql:${local_part:$1}}' \
  2204. AND domain = '${quote_mysql:${domain:$1}}' \
  2205. AND decrypt = '${quote_mysql:$2}' \
  2206. AND status = '1'}{yes}{no}}
  2207. server_prompts = Username:: : Password::
  2208. server_set_id = $1
  2209.  
  2210.  
  2211. #####################################################
  2212. ### end auth/30_exim4-config_examples
  2213. #####################################################
  2214.  
  2215.  
  2216.  
  2217. dovecot_login:
  2218. driver = dovecot
  2219. public_name = LOGIN
  2220. server_socket = /var/run/dovecot/auth-client
  2221. # setting server_set_id might break several headers in mails sent by authenticated smtp. So be careful.
  2222. server_set_id = $auth1
  2223. dovecot_plain:
  2224. driver = dovecot
  2225. public_name = PLAIN
  2226. server_socket = /var/run/dovecot/auth-client
  2227. server_set_id = $auth1
  2228.  
  2229.  
  2230. bogus:
  2231. driver = plaintext
  2232. public_name = "\r\n250-AUTH=PLAIN LOGIN"
  2233. server_prompts = :
  2234. server_condition = no
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement