#######################################################################1

1. ######################################################################
2. #1 #
3. # Exim configuration file for Hestia Control Panel #
4. # #
5. ######################################################################
6.  
7. SPAMASSASSIN = yes
8. SPAM_SCORE = 50
9. SPAM_REJECT_SCORE = 100
10. CLAMD = yes
11.  
12. #smtp_banner = $smtp_active_hostname
13. #smtp_active_hostname = ${if exists {/etc/exim4/mailhelo.conf}{${lookup{$interface_address}lsearch{/etc/exim4/mailhelo.conf}{$value}{$primary_hostname}}}{$primary_hostname}}
14. #рабочий банер
15. smtp_banner = "${smtp_active_hostname}"
16. smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/ip_hostname}{$value}{$primary_hostname}}
17. add_environment = <; PATH=/bin:/usr/bin
18. keep_environment =
19. disable_ipv6 = true
20.  
21. domainlist local_domains = dsearch;/etc/exim4/domains/
22. domainlist relay_to_domains = dsearch;/etc/exim4/domains/
23. hostlist relay_from_hosts = 127.0.0.1
24. hostlist whitelist = net-iplsearch;/etc/exim4/white-blocks.conf
25. hostlist spammers = net-iplsearch;/etc/exim4/spam-blocks.conf
26. no_local_from_check
27. untrusted_set_sender = *
28. acl_smtp_connect = acl_check_spammers
29. acl_smtp_mail = acl_check_mail
30. acl_smtp_rcpt = acl_check_rcpt
31. acl_smtp_data = acl_check_data
32. acl_smtp_mime = acl_check_mime
33.  
34. .ifdef SPAMASSASSIN
35. spamd_address = 127.0.0.1 783
36. .endif
37.  
38. .ifdef CLAMD
39. av_scanner = clamd: /var/run/clamav/clamd.ctl
40. .endif
41.  
42. log_selector = +tls_sni
43.  
44. tls_advertise_hosts = *
45.  
46. # We test that $tls_in_sni is a valid domain, by an arbitrary email address foo@domain.tld .
47. # Then, we extract the domain with a function that would fail if the email address is invalid.
48. # If the certificate exists, we will use it, otherwise the default certificate in /etc/ssl will be used.
49. tls_certificate = \
50. ${if and {\
51. { eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
52. { exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
53. }\
54. {/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
55. {/usr/local/hestia/ssl/certificate.crt}\
56. }
57.  
58. tls_privatekey = \
59. ${if and {\
60. { eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
61. { exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
62. }\
63. {/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
64. {/usr/local/hestia/ssl/certificate.key}\
65. }
66.  
67. daemon_smtp_ports = 25 : 465 : 587
68. tls_on_connect_ports = 465
69. never_users = root
70. host_lookup = *
71. rfc1413_hosts = *
72. rfc1413_query_timeout = 0s
73. ignore_bounce_errors_after = 2d
74. timeout_frozen_after = 7d
75.  
76. DKIM_DOMAIN = ${lc:${domain:$h_from:}}
77. DKIM_FILE = /etc/exim4/domains/${lc:${domain:$h_from:}}/dkim.pem
78. DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
79.  
80. OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip
81.  
82. SMTP_RELAY_FILE = ${if exists{/etc/exim4/domains/${sender_address_domain}/smtp_relay.conf}{/etc/exim4/domains/$sender_address_domain/smtp_relay.conf}{/etc/exim4/smtp_relay.conf}}
83. SMTP_RELAY_HOST = ${lookup{host}lsearch{SMTP_RELAY_FILE}}
84. SMTP_RELAY_PORT = ${lookup{port}lsearch{SMTP_RELAY_FILE}}
85. SMTP_RELAY_USER = ${lookup{user}lsearch{SMTP_RELAY_FILE}}
86. SMTP_RELAY_PASS = ${lookup{pass}lsearch{SMTP_RELAY_FILE}}
87.  
88. # Custom Filter
89. #system_filter = /etc/exim4/system.filter
90. #system_filter_user = Debian-exim
91.  
92. ######################################################################
93. # ACL CONFIGURATION #
94. # Specifies access control lists for incoming SMTP mail #
95. ######################################################################
96.  
97. acl_not_smtp = acl_not_smtp
98.  
99. begin acl
100.  
101. # Limit per user for PHP scripts
102. acl_not_smtp:
103. deny message = Website of user $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
104. ratelimit = 200 / 1h / $authenticated_id
105.  
106. warn ratelimit = 100 / 1h / strict / $authenticated_id
107. log_message = Sender rate [limitlog]: log / account / $authenticated_id / $sender_rate / $sender_rate_period
108.  
109. accept
110.  
111. acl_check_spammers:
112. accept hosts = +whitelist
113.  
114. drop message = Your host in blacklist on this server.
115. log_message = Host in blacklist
116. hosts = +spammers
117.  
118. accept
119.  
120.  
121. acl_check_mail:
122. deny condition = ${if eq{$sender_helo_name}{}}
123. message = HELO required before MAIL
124.  
125. drop message = Helo name contains an IP address (HELO was $sender_helo_name) and not is valid
126. condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
127. condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
128. delay = 45s
129.  
130. drop condition = ${if isip{$sender_helo_name}}
131. message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
132.  
133. drop condition = ${if eq{[$interface_address]}{$sender_helo_name}}
134. message = $interface_address is _my_ address
135.  
136. accept
137.  
138.  
139. acl_check_rcpt:
140. accept hosts = :
141.  
142. # Limit per email account for SMTP auhenticated users
143. deny message = Email account $authenticated_id is sending too many emails - rate overlimit = $sender_rate / $sender_rate_period
144. ratelimit = 200 / 1h / $authenticated_id
145.  
146. warn ratelimit = 100 / 1h / strict / $authenticated_id
147. log_message = Sender rate [limitlog]: log / email / $authenticated_id / $sender_rate / $sender_rate_period
148.  
149. deny message = Restricted characters in address
150. domains = +local_domains
151. local_parts = ^[.] : ^.*[@%!/|]
152.  
153. deny message = Restricted characters in address
154. domains = !+local_domains
155. local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
156.  
157. require verify = sender
158.  
159. accept hosts = +relay_from_hosts
160. control = submission
161.  
162. accept authenticated = *
163. control = submission/domain=
164.  
165. deny message = Rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
166. hosts = !+whitelist
167. dnslists = ${readfile {/etc/exim4/dnsbl.conf}{:}}
168.  
169. require message = relay not permitted
170. domains = +local_domains : +relay_to_domains
171.  
172. deny message = smtp auth required
173. sender_domains = +local_domains
174. !authenticated = *
175.  
176. require verify = recipient
177.  
178. .ifdef CLAMD
179. warn set acl_m0 = no
180.  
181. warn condition = ${if exists {/etc/exim4/domains/$domain/antivirus}{yes}{no}}
182. set acl_m0 = yes
183. .endif
184.  
185. .ifdef SPAMASSASSIN
186. warn set acl_m1 = no
187.  
188. warn condition = ${if exists {/etc/exim4/domains/$domain/antispam}{yes}{no}}
189. set acl_m1 = yes
190. warn condition = ${if exists {/etc/exim4/domains/$domain/reject_spam}{yes}{no}}
191. set acl_m3 = yes
192. .endif
193.  
194. accept
195.  
196.  
197. acl_check_data:
198. .ifdef CLAMD
199. deny message = Message contains a virus ($malware_name) and has been rejected
200. malware = */defer_ok
201. condition = ${if eq{$acl_m0}{yes}{yes}{no}}
202. .endif
203.  
204. .ifdef SPAMASSASSIN
205. warn !authenticated = *
206. hosts = !+relay_from_hosts
207. condition = ${if < {$message_size}{1024K}}
208. condition = ${if eq{$acl_m1}{yes}{yes}{no}}
209. spam = debian-spamd:true/defer_ok
210. add_header = X-Spam-Score: $spam_score_int
211. add_header = X-Spam-Bar: $spam_bar
212. add_header = X-Spam-Report: $spam_report
213. set acl_m2 = $spam_score_int
214.  
215. warn condition = ${if !eq{$acl_m2}{} {yes}{no}}
216. condition = ${if >{$acl_m2}{SPAM_SCORE} {yes}{no}}
217. add_header = X-Spam-Status: Yes
218. message = SpamAssassin detected spam (from $sender_address to $recipients).
219. .endif
220.  
221. accept
222.  
223.  
224. acl_check_mime:
225. deny message = Blacklisted file extension detected
226. condition = ${if match {${lc:$mime_filename}}{\N(\.ace|\.ade|\.adp|\.app|\.arj|\.asp|\.aspx|\.asx|\.bas|\.bat|\.cab|\.cer|\.chm|\.cmd|\.cnt|\.com|\.cpl|\.crt|\.csh|\.der|\.diagcab|\.dll|\.efi|\.exe|\.fla|\.fon|\.fxp|\.gadget|\.grp|\.hlp|\.hpj|\.hta|\.htc|\.img|\.inf|\.ins|\.iso|\.isp|\.its|\.jar|\.jnlp|\.js|\.jse|\.ksh|\.lib|\.lnk|\.mad|\.maf|\.mag|\.mam|\.maq|\.mar|\.mas|\.mat|\.mau|\.mav|\.maw|\.mcf|\.mda|\.mdb|\.mde|\.mdt|\.mdw|\.mdz|\.msc|\.msh|\.msh1|\.msh1xml|\.msh2|\.msh2xml|\.mshxml|\.msi|\.msp|\.mst|\.msu|\.ops|\.osd|\.pcd|\.pif|\.pl|\.plg|\.prf|\.prg|\.printerexport|\.ps1|\.ps1xml|\.ps2|\.ps2xml|\.psc1|\.psc2|\.psd1|\.psdm1|\.pst|\.py|\.pyc|\.pyo|\.pyw|\.pyz|\.pyzw|\.reg|\.scf|\.scr|\.sct|\.sfx|\.shb|\.shs|\.swf|\.sys|\.theme|\.tmp|\.ttf|\.url|\.vb|\.vba|\.vbe|\.vbp|\.vbs|\.vhd|\.vhdx|\.vsmacros|\.vsw|\.vxd|\.webpnp|\.website|\.wim|\.ws|\.wsc|\.wsf|\.wsh|\.xbap|\.xll|\.xnk)$\N}{1}{0}}
227.  
228. accept
229.  
230.  
231.  
232. ######################################################################
233. # AUTHENTICATION CONFIGURATION #
234. ######################################################################
235. begin authenticators
236.  
237. smtp_relay_login:
238. driver = plaintext
239. public_name = LOGIN
240. hide client_send = : SMTP_RELAY_USER : SMTP_RELAY_PASS
241.  
242. dovecot_plain:
243. driver = dovecot
244. public_name = PLAIN
245. server_socket = /var/run/dovecot/auth-client
246. server_set_id = $auth1
247.  
248. dovecot_login:
249. driver = dovecot
250. public_name = LOGIN
251. server_socket = /var/run/dovecot/auth-client
252. server_set_id = $auth1
253.  
254.  
255.  
256. ######################################################################
257. # ROUTERS CONFIGURATION #
258. # Specifies how addresses are handled #
259. ######################################################################
260. begin routers
261.  
262. send_via_smtp_relay:
263. driver = manualroute
264. address_data = SMTP_RELAY_HOST:SMTP_RELAY_PORT
265. domains = !+local_domains
266. require_files = SMTP_RELAY_FILE
267. transport = smtp_relay_smtp
268. route_list = * ${extract{1}{:}{$address_data}}::${extract{2}{:}{$address_data}}
269. no_more
270. no_verify
271.  
272. dnslookup:
273. driver = dnslookup
274. domains = !+local_domains
275. transport = remote_smtp
276. no_more
277.  
278. userforward:
279. driver = redirect
280. check_local_user
281. file = $home/.forward
282. require_files = ${local_part}:+${home}/.forward
283. domains = +local_domains
284. allow_filter
285. no_verify
286. no_expn
287. check_ancestor
288. file_transport = address_file
289. pipe_transport = address_pipe
290. reply_transport = address_reply
291.  
292. procmail:
293. driver = accept
294. check_local_user
295. require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
296. transport = procmail
297. no_verify
298.  
299. autoreplay:
300. driver = accept
301. require_files = /etc/exim4/domains/$domain/autoreply.${local_part}.msg
302. condition = ${if exists{/etc/exim4/domains/$domain/autoreply.${local_part}.msg}{yes}{no}}
303. retry_use_local_part
304. transport = userautoreply
305. unseen
306.  
307. aliases:
308. driver = redirect
309. headers_add = X-redirected: yes
310. data = ${extract{1}{:}{${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/$domain/aliases}}}}
311. require_files = /etc/exim4/domains/$domain/aliases
312. redirect_router = dnslookup
313. pipe_transport = address_pipe
314. unseen
315.  
316. localuser_fwd_only:
317. driver = accept
318. transport = devnull
319. condition = ${if exists{/etc/exim4/domains/$domain/fwd_only}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/fwd_only}{true}{false}}}}
320.  
321. localuser_spam:
322. driver = accept
323. transport = local_spam_delivery
324. condition = ${if eq {${if match{$h_X-Spam-Status:}{\N^Yes\N}{yes}{no}}} {${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{yes}{no_such_user}}}}
325.  
326. localuser:
327. driver = accept
328. transport = local_delivery
329. condition = ${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}{true}{false}}
330.  
331. catchall:
332. driver = redirect
333. headers_add = X-redirected: yes
334. require_files = /etc/exim4/domains/$domain/aliases
335. data = ${extract{1}{:}{${lookup{*@$domain}lsearch{/etc/exim4/domains/$domain/aliases}}}}
336. file_transport = local_delivery
337. redirect_router = dnslookup
338.  
339. terminate_alias:
340. driver = accept
341. transport = devnull
342. condition = ${lookup{$local_part@$domain}lsearch{/etc/exim4/domains/$domain/aliases}{true}{false}}
343.  
344.  
345.  
346. ######################################################################
347. # TRANSPORTS CONFIGURATION #
348. ######################################################################
349. begin transports
350.  
351. smtp_relay_smtp:
352. driver = smtp
353. hosts_require_auth = $host_address
354. hosts_require_tls = $host_address
355.  
356. remote_smtp:
357. driver = smtp
358. helo_data = ${lookup dnsdb{>: defer_never,ptr=$sending_ip_address}{${listextract{1}{$value}}}{$primary_hostname}}
359. dkim_domain = DKIM_DOMAIN
360. dkim_selector = mail
361. dkim_private_key = DKIM_PRIVATE_KEY
362. dkim_canon = relaxed
363. dkim_strict = 0
364. hosts_try_fastopen = !*.l.google.com
365. interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}
366.  
367. procmail:
368. driver = pipe
369. command = "/usr/bin/procmail -d $local_part"
370. return_path_add
371. delivery_date_add
372. envelope_to_add
373. user = $local_part
374. initgroups
375. return_output
376.  
377. local_delivery:
378. driver = appendfile
379. maildir_format
380. maildir_use_size_file
381. user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}
382. group = mail
383. create_directory
384. directory_mode = 770
385. mode = 660
386. use_lockfile = no
387. delivery_date_add
388. envelope_to_add
389. return_path_add
390. directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part"
391. quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M
392. quota_warn_threshold = 75%
393.  
394. local_spam_delivery:
395. driver = appendfile
396. maildir_format
397. maildir_use_size_file
398. user = ${extract{2}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}
399. group = mail
400. create_directory
401. directory_mode = 770
402. mode = 660
403. use_lockfile = no
404. delivery_date_add
405. envelope_to_add
406. return_path_add
407. directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part/.Spam"
408. quota = ${extract{6}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}M
409. quota_directory = "${extract{5}{:}{${lookup{$local_part}lsearch{/etc/exim4/domains/$domain/passwd}}}}/mail/$domain/$local_part"
410. quota_warn_threshold = 75%
411.  
412. address_pipe:
413. driver = pipe
414. return_output
415.  
416. address_file:
417. driver = appendfile
418. delivery_date_add
419. envelope_to_add
420. return_path_add
421.  
422. address_reply:
423. driver = autoreply
424.  
425. userautoreply:
426. driver = autoreply
427. file = /etc/exim4/domains/$domain/autoreply.${local_part}.msg
428. from = "${local_part}@${domain}"
429. headers = Content-Type: text/plain; charset=utf-8;\nContent-Transfer-Encoding: 8bit
430. subject = "${if def:h_Subject: {Autoreply: \"${rfc2047:$h_Subject:}\"} {Autoreply Message}}"
431. to = "${sender_address}"
432.  
433. devnull:
434. driver = appendfile
435. file = /dev/null
436.  
437.  
438.  
439. ######################################################################
440. # RETRY CONFIGURATION #
441. ######################################################################
442. begin retry
443.  
444. # Address or Domain Error Retries
445. # ----------------- ----- -------
446. * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
447.  
448.  
449.  
450. ######################################################################
451. # REWRITE CONFIGURATION #
452. ######################################################################
453. begin rewrite
454.  
455.  
456.  
457. ######################################################################
458.