
exim4 config

von JYPDWhite

SNIPPET_TEXT:
  1. #####################################################
  2. ### main/01_exim4-config_listmacrosdefs
  3. #####################################################
  4. ######################################################################
  5. #      Runtime configuration file for Exim 4 (Debian Packaging)      #
  6. ######################################################################
  7.  
  8. ######################################################################
  9. # /etc/exim4/exim4.conf.template is only used with the non-split
  10. #   configuration scheme.
  11. # /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
  12. #   with the split configuration scheme.
  13. # If you find this comment anywhere else, somebody copied it there.
  14. # Documentation about the Debian exim4 configuration scheme can be
  15. # found in /usr/share/doc/exim4-base/README.Debian.gz.
  16. ######################################################################
  17.  
  18. ######################################################################
  19. #                    MAIN CONFIGURATION SETTINGS                     #
  20. ######################################################################
  21.  
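  22. # Change by uwe grasshoff so that Mailman can receive its mail. This lets /etc/aliases entries pipe to commands (Debian system_aliases router), so only root should be able to write that file.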
  23. SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
  24.  
  25. #Mailman---------------------- BEGIN EXIM4 MAIN   ----------------------------
  26. # Home dir for your Mailman installation -- aka Mailman's prefix
  27. # directory.
  28. MAILMAN_HOME=/var/lib/mailman
  29. MAILMAN_WRAP=MAILMAN_HOME/mail/mailman
  30.  
  31. # User and group for Mailman, should match your --with-mail-gid
  32. # switch to Mailman's configure script.
  33. MAILMAN_USER=list
  34. MAILMAN_GROUP=daemon
  35.  
  36. # Where to store messages sent to mailman-loop - used if the
  37. # mailman-owner address bounces.
  38. MAILMAN_LOOP=MAILMAN_HOME/data/owner-bounces.mbox
  39. #Mailman----------------------  END EXIM4 MAIN    ----------------------------
  40.  
  41.  
  42. # Just for reference and scripts.
  43. # On Debian systems, the main binary is installed as exim4 to avoid
  44. # conflicts with the exim 3 packages.
  45. exim_path = /usr/sbin/exim4
  46.  
  47. # Macro defining the main configuration directory.
  48. # We do not use absolute paths.
  49. .ifndef CONFDIR
  50. CONFDIR = /etc/exim4
  51. .endif
  52.  
  53. # debconf-driven macro definitions get inserted after this line
  54. UPEX4CmacrosUPEX4C = 1
  55.  
  56. # Create domain and host lists for relay control
  57. # '@' refers to 'the name of the local host'
  58.  
  59. # List of domains considered local for exim. Domains not listed here
  60. # need to be deliverable remotely.
  61. domainlist local_domains = MAIN_LOCAL_DOMAINS
  62.  
  63. # List of recipient domains to relay _to_. Use this list if you're -
  64. # for example - fallback MX or mail gateway for domains.
  65. domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
  66.  
  67. # List of sender networks (IP addresses) to _unconditionally_ relay
  68. # _for_. If you intend to be SMTP AUTH server, you do not need to enter
  69. # anything here.
  70. hostlist relay_from_hosts = MAIN_RELAY_NETS
  71.  
  72.  
  73. # Decide which domain to use to add to all unqualified addresses.
  74. # If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
  75. # hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
  76. # of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
  77. # the first line of /etc/mailname is used.
  78. .ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
  79. .ifndef MAIN_QUALIFY_DOMAIN
  80. qualify_domain = ETC_MAILNAME
  81. .else
  82. qualify_domain = MAIN_QUALIFY_DOMAIN
  83. .endif
  84. .endif
  85.  
  86. # Listen on all interfaces? If MAIN_LOCAL_INTERFACES is unset, local_interfaces keeps Exim's default.
  87. .ifdef MAIN_LOCAL_INTERFACES
  88. local_interfaces = MAIN_LOCAL_INTERFACES
  89. .endif
  90.  
  91. .ifndef LOCAL_DELIVERY
  92. # The default transport, set in /etc/exim4/update-exim4.conf.conf,
  93. # defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
  94. LOCAL_DELIVERY=mail_spool
  95. .endif
  96.  
  97. # The gecos field in /etc/passwd holds not only the name. see passwd(5).
  98. gecos_pattern = ^([^,:]*)
  99. gecos_name = $1
  100.  
  101. # define macros to be used in acl/30_exim4-config_check_rcpt to check
  102. # recipient local parts for strange characters.
  103.  
  104. # This macro definition really should be in
  105. # acl/30_exim4-config_check_rcpt but cannot be there due to
  106. # http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
  107.  
  108. # These macros are documented in acl/30_exim4-config_check_rcpt,
  109. # can be changed here or overridden by a locally added configuration
  110. # file as described in README.Debian section "Using Exim Macros to control
  111. # the configuration".
  112.  
  113. .ifndef CHECK_RCPT_LOCAL_LOCALPARTS
  114. CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  115. .endif
  116.  
  117. .ifndef CHECK_RCPT_REMOTE_LOCALPARTS
  118. CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  119. .endif
  120.  
  121. # always log tls_peerdn as we use TLS for outgoing connects by default
  122. .ifndef MAIN_LOG_SELECTOR
  123. MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
  124. .endif
  125. #####################################################
  126. ### end main/01_exim4-config_listmacrosdefs
  127. #####################################################
  128. #####################################################
  129. ### main/02_exim4-config_options
  130. #####################################################
  131.  
  132. ### main/02_exim4-config_options
  133. #################################
  134.  
  135.  
  136. # Defines the access control list that is run when an
  137. # SMTP MAIL command is received.
  138. #
  139. .ifndef MAIN_ACL_CHECK_MAIL
  140. MAIN_ACL_CHECK_MAIL = acl_check_mail
  141. .endif
  142. acl_smtp_mail = MAIN_ACL_CHECK_MAIL
  143.  
  144.  
  145. # Defines the access control list that is run when an
  146. # SMTP RCPT command is received.
  147. #
  148. .ifndef MAIN_ACL_CHECK_RCPT
  149. MAIN_ACL_CHECK_RCPT = acl_check_rcpt
  150. .endif
  151. acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT
  152.  
  153.  
  154. # Defines the access control list that is run when an
  155. # SMTP DATA command is received.
  156. #
  157. .ifndef MAIN_ACL_CHECK_DATA
  158. MAIN_ACL_CHECK_DATA = acl_check_data
  159. .endif
  160. acl_smtp_data = MAIN_ACL_CHECK_DATA
  161.  
  162.  
  163. # Message size limit. The default (used when MESSAGE_SIZE_LIMIT
  164. # is unset) is 50 MB
  165. .ifdef MESSAGE_SIZE_LIMIT
  166. message_size_limit = MESSAGE_SIZE_LIMIT
  167. .endif
  168.  
  169.  
  170. # If you are running exim4-daemon-heavy or a custom version of Exim that
  171. # was compiled with the content-scanning extension, you can cause incoming
  172. # messages to be automatically scanned for viruses. You have to modify the
  173. # configuration in two places to set this up. The first of them is here,
  174. # where you define the interface to your scanner. This example is typical
  175. # for ClamAV; see the manual for details of what to set for other virus
  176. # scanners. The second modification is in the acl_check_data access
  177. # control list.
  178.  
  179. # av_scanner = clamd:/var/run/clamav/clamd.ctl
  180.  
  181.  
  182. # For spam scanning, there is a similar option that defines the interface to
  183. # SpamAssassin. You do not need to set this if you are using the default, which
  184. # is shown in this commented example. As for virus scanning, you must also
  185. # modify the acl_check_data access control list to enable spam scanning.
  186.  
  187. # spamd_address = 127.0.0.1 783
  188.  
  189. # Domain used to qualify unqualified recipient addresses
  190. # If this option is not set, the qualify_domain value is used.
  191. # qualify_recipient = <value of qualify_domain>
  192.  
  193.  
  194. # Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
  195. # where the domain part is a "domain literal" (an IP address) instead
  196. # of a named domain. The RFCs require this facility, but it is disabled
  197. # in the default config since it is rarely used and frequently abused.
  198. # Domain literal support also needs a special router, which is automatically
  199. # enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
  200. # Additionally, you might want to make your local IP addresses (or @[])
  201. # local domains.
  202. .ifdef MAIN_ALLOW_DOMAIN_LITERALS
  203. allow_domain_literals
  204. .endif
  205.  
  206.  
  207. # Do a reverse DNS lookup on all incoming IP calls, in order to get the
  208. # true host name. If you feel this is too expensive, the networks for
  209. # which a lookup is done can be listed here.
  210. .ifndef DC_minimaldns
  211. .ifndef MAIN_HOST_LOOKUP
  212. MAIN_HOST_LOOKUP = *
  213. .endif
  214. host_lookup = MAIN_HOST_LOOKUP
  215. .endif
  216.  
  217.  
  218. # In a minimaldns setup, update-exim4.conf guesses the hostname and
  219. # dumps it here to avoid DNS lookups being done at Exim run time.
  220. .ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
  221. primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
  222. .endif
  223.  
  224. # The settings below cause Exim to make RFC 1413 (ident) callbacks
  225. # for all incoming SMTP calls. You can limit the hosts to which these
  226. # calls are made, and/or change the timeout that is used. If you set
  227. # the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
  228. # are cheap and can provide useful information for tracing problem
  229. # messages, but some hosts and firewalls have problems with them.
  230. # This can result in a timeout instead of an immediate refused
  231. # connection, leading to delays on starting up SMTP sessions.
  232. # (The default timeout was reduced from 30s to 5s for release 4.61, and
  233. # ident callbacks were disabled by default for release 4.86.)
  234. #
  235. #rfc1413_hosts = *
  236. #rfc1413_query_timeout = 5s
  237.  
  238.  
  239. # Enable an efficiency feature.  We advertise the feature; clients
  240. # may request to use it.  For multi-recipient mails we then can
  241. # reject or accept per-user after the message is received.
  242. #
  243. prdr_enable = true
  244.  
  245. # When using an external relay tester (such as rt.njabl.org and/or the
  246. # currently defunct relay-test.mail-abuse.org), the test may be aborted
  247. # since exim complains about "too many nonmail commands". If you want
  248. # the test to complete, add the host from where "your" relay tester
  249. # connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
  250. # Please note that a non-empty setting may cause extra DNS lookups to
  251. # happen, which is the reason why this option is commented out in the
  252. # default settings.
  253. # MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
  254. .ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
  255. smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
  256. .endif
  257.  
  258. # By default, exim forces a Sender: header containing the local
  259. # account name at the local host name in all locally submitted messages
  260. # that don't have the local account name at the local host name in the
  261. # From: header, deletes any Sender: header present in the submitted
  262. # message and forces the envelope sender of all locally submitted
  263. # messages to the local account name at the local host name.
  264. # The following settings allow local users to specify their own envelope sender
  265. # in a locally submitted message. Sender: headers existing in a locally
  266. # submitted message are not removed, and no automatic Sender: headers
  267. # are added. These settings are fine for most hosts.
  268. # If you run exim on a classical multi-user system where all users
  269. # have local mailboxes that can be reached via SMTP from the Internet
  270. # with the local FQDN as the domain part of the address, you might want
  271. # to disable the following three lines for traceability reasons.
  272. .ifndef MAIN_FORCE_SENDER
  273. local_from_check = false
  274. local_sender_retain = true
  275. untrusted_set_sender = *
  276. .endif
  277.  
  278.  
  279. # By default, Exim expects all envelope addresses to be fully qualified, that
  280. # is, they must contain both a local part and a domain. Configure exim
  281. # to accept unqualified addresses from certain hosts. When this is done,
  282. # unqualified addresses are qualified using the settings of qualify_domain
  283. # and/or qualify_recipient (see above).
  284. # sender_unqualified_hosts = <unset>
  285. # recipient_unqualified_hosts = <unset>
  286.  
  287.  
  288. # Configure Exim to support the "percent hack" for certain domains.
  289. # The "percent hack" is the feature by which mail addressed to x%y@z
  290. # (where z is one of the domains listed) is locally rerouted to x@y
  291. # and sent on. If z is not one of the "percent hack" domains, x%y is
  292. # treated as an ordinary local part. The percent hack is rarely needed
  293. # nowadays but frequently abused. You should not enable it unless you
  294. # are sure that you really need it.
  295. # percent_hack_domains = <unset>
  296.  
  297.  
  298. # Bounce handling
  299. .ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
  300. MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
  301. .endif
  302. ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER
  303.  
  304. .ifndef MAIN_TIMEOUT_FROZEN_AFTER
  305. MAIN_TIMEOUT_FROZEN_AFTER = 7d
  306. .endif
  307. timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER
  308.  
  309. .ifndef MAIN_FREEZE_TELL
  310. MAIN_FREEZE_TELL = postmaster
  311. .endif
  312. freeze_tell = MAIN_FREEZE_TELL
  313.  
  314.  
  315. # Define spool directory
  316. .ifndef SPOOLDIR
  317. SPOOLDIR = /var/spool/exim4
  318. .endif
  319. spool_directory = SPOOLDIR
  320.  
  321.  
  322. # trusted users can set envelope-from to arbitrary values
  323. .ifndef MAIN_TRUSTED_USERS
  324. MAIN_TRUSTED_USERS = uucp
  325. .endif
  326. trusted_users = MAIN_TRUSTED_USERS
  327. .ifdef MAIN_TRUSTED_GROUPS
  328. trusted_groups = MAIN_TRUSTED_GROUPS
  329. .endif
  330.  
  331.  
  332. # users in admin group can do many other things
  333. # admin_groups = <unset>
  334.  
  335.  
  336. # SMTP Banner. The example includes the Debian version in the SMTP dialog
  337. # MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
  338. # smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
  339.  
  340. .ifdef MAIN_KEEP_ENVIRONMENT
  341. keep_environment = MAIN_KEEP_ENVIRONMENT
  342. .else
  343. # set option to empty value to avoid warning.
  344. keep_environment =
  345. .endif
  346. .ifdef MAIN_ADD_ENVIRONMENT
  347. add_environment = MAIN_ADD_ENVIRONMENT
  348. .endif
  349. #####################################################
  350. ### end main/02_exim4-config_options
  351. #####################################################
  352. #####################################################
  353. ### main/03_exim4-config_tlsoptions
  354. #####################################################
  355.  
  356. ### main/03_exim4-config_tlsoptions
  357. #################################
  358.  
  359. # TLS/SSL configuration for exim as an SMTP server.
  360. # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
  361.  
  362. MAIN_TLS_ENABLE = yes
  363. .ifdef MAIN_TLS_ENABLE
  364. # Defines what hosts to 'advertise' STARTTLS functionality to. The
  365. # default, *, will advertise to all hosts that connect with EHLO.
  366. .ifndef MAIN_TLS_ADVERTISE_HOSTS
  367. MAIN_TLS_ADVERTISE_HOSTS = *
  368. .endif
  369. tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
  370.  
  371.  
  372. # Full paths to Certificate and Private Key. The Private Key file
  373. # must be kept 'secret' and should be owned by root.Debian-exim mode
  374. # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
  375. # Normally, exim4 looks for certificate and key in different files:
  376. #   MAIN_TLS_CERTIFICATE - path to certificate file,
  377. #                          CONFDIR/exim.crt if unset
  378. #   MAIN_TLS_PRIVATEKEY  - path to private key file
  379. #                          CONFDIR/exim.key if unset
  380. # You can also configure exim to look for certificate and key in the
  381. # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
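  382. # precedence over all other settings regarding certificate and key file. The two definitions below are site-local overrides; because they are set unconditionally, the CONFDIR/exim.crt and CONFDIR/exim.key defaults further down are never used.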
  383.  
  384. MAIN_TLS_CERTIFICATE=/etc/exim4/cert.pem
  385. MAIN_TLS_PRIVATEKEY=/etc/exim4/privkey.pem
  386.  
  387. .ifdef MAIN_TLS_CERTKEY
  388. tls_certificate = MAIN_TLS_CERTKEY
  389. .else
  390. .ifndef MAIN_TLS_CERTIFICATE
  391. MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
  392. .endif
  393. tls_certificate = MAIN_TLS_CERTIFICATE
  394.  
  395. .ifndef MAIN_TLS_PRIVATEKEY
  396. MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
  397. .endif
  398. tls_privatekey = MAIN_TLS_PRIVATEKEY
  399. .endif
  400.  
  401. # Pointer to the CA Certificates against which client certificates are
  402. # checked. This is controlled by the `tls_verify_hosts' and
  403. # `tls_try_verify_hosts' lists below.
  404. # If you want to check server certificates, you need to add a
  405. # tls_verify_certificates statement to the smtp transport.
  406. # /etc/ssl/certs/ca-certificates.crt is generated by
  407. # the "ca-certificates" package's update-ca-certificates(8) command.
  408. .ifndef MAIN_TLS_VERIFY_CERTIFICATES
  409. MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
  410.                                     {/etc/ssl/certs/ca-certificates.crt}\
  411.                                     {/dev/null}}
  412. .endif
  413. tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
  414.  
  415.  
  416. # A list of hosts which are constrained by `tls_verify_certificates'. A host
  417. # that matches `tls_verify_hosts' must present a certificate that is
  418. # verifiable through `tls_verify_certificates' in order to be accepted as an
  419. # SMTP client. If it does not, the connection is aborted.
  420. .ifdef MAIN_TLS_VERIFY_HOSTS
  421. tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
  422. .endif
  423.  
  424. # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
  425. # not `tls_verify_hosts'), request a certificate and check it against
  426. # `tls_verify_certificates' but do not abort the connection if there is no
  427. # certificate or if the certificate presented does not match. (This
  428. # condition can be tested for in ACLs through `verify = certificate')
  429. # By default, this check is done for all hosts. It is known that some
  430. # clients (including incredimail's version downloadable in February
  431. # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
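  432. # empty value. NOTE: as written below, tls_try_verify_hosts is only set when MAIN_TLS_TRY_VERIFY_HOSTS is defined, and this section does not define it; confirm the effective value with "exim4 -bP tls_try_verify_hosts".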
  433. .ifdef MAIN_TLS_TRY_VERIFY_HOSTS
  434. tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
  435. .endif
  436.  
  437. .ifdef _HAVE_GNUTLS
  438. tls_dhparam = historic
  439. .endif
  440.  
  441. .else
  442. # Don't advertise TLS if MAIN_TLS_ENABLE is not set.
  443. tls_advertise_hosts =
  444. .endif
  445. #####################################################
  446. ### end main/03_exim4-config_tlsoptions
  447. #####################################################
  448. #####################################################
  449. ### main/90_exim4-config_log_selector
  450. #####################################################
  451.  
  452. ### main/90_exim4-config_log_selector
  453. #################################
  454.  
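  455. # Uncomment this for debugging. +all turns on every log selector except the two removed here (subject, arguments), so logs grow quickly and hold more message metadata; comment it out again when done.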
  456. # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
  457.  
  458. .ifdef MAIN_LOG_SELECTOR
  459. log_selector = MAIN_LOG_SELECTOR
  460. .endif
  461. #####################################################
  462. ### end main/90_exim4-config_log_selector
  463. #####################################################
  464. #####################################################
  465. ### acl/00_exim4-config_header
  466. #####################################################
  467.  
  468. ######################################################################
  469. #                       ACL CONFIGURATION                            #
  470. #         Specifies access control lists for incoming SMTP mail      #
  471. ######################################################################
  472. begin acl
  473.  
  474.  
  475. #####################################################
  476. ### end acl/00_exim4-config_header
  477. #####################################################
  478. #####################################################
  479. ### acl/20_exim4-config_local_deny_exceptions
  480. #####################################################
  481.  
  482. ### acl/20_exim4-config_local_deny_exceptions
  483. #################################
  484.  
  485. # This is used to determine whitelisted senders and hosts.
  486. # It checks for CONFDIR/host_local_deny_exceptions and
  487. # CONFDIR/sender_local_deny_exceptions.
  488. #
  489. # It is meant to be used from some other acl entry.
  490. #
  491. # See exim4-config_files(5) for details.
  492. #
  493. # If the files do not exist, the white list never matches, which is
  494. # the desired behaviour.
  495. #
  496. # The old file names CONFDIR/local_host_whitelist and
  497. # CONFDIR/local_sender_whitelist will continue to be honored for a
  498. # transition period. Their use is deprecated.
  499.  
  500. acl_local_deny_exceptions:
  501.   accept
  502.     hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
  503.                  {CONFDIR/host_local_deny_exceptions}\
  504.                  {}}
  505.   accept
  506.     senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
  507.                    {CONFDIR/sender_local_deny_exceptions}\
  508.                    {}}
  509.   accept
  510.     hosts = ${if exists{CONFDIR/local_host_whitelist}\
  511.                  {CONFDIR/local_host_whitelist}\
  512.                  {}}
  513.   accept
  514.     senders = ${if exists{CONFDIR/local_sender_whitelist}\
  515.                    {CONFDIR/local_sender_whitelist}\
  516.                    {}}
  517.  
  518.   # This hook allows you to hook in your own ACLs without having to
  519.   # modify this file. If you do it like we suggest, you'll end up with
  520.   # a small performance penalty since there is an additional file being
  521.   # accessed. This doesn't happen if you leave the macro unset.
  522.   .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  523.   .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  524.   .endif
  525.  
  526.   # this is still supported for a transition period and is deprecated.
  527.   .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  528.   .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  529.   .endif
  530. #####################################################
  531. ### end acl/20_exim4-config_local_deny_exceptions
  532. #####################################################
  533. #####################################################
  534. ### acl/30_exim4-config_check_mail
  535. #####################################################
  536.  
  537. ### acl/30_exim4-config_check_mail
  538. #################################
  539.  
  540. # This access control list is used for every MAIL command in an incoming
  541. # SMTP message. The tests are run in order until the address is either
  542. # accepted or denied.
  543. #
  544. acl_check_mail:
  545.  
  546.   accept
  547. #####################################################
  548. ### end acl/30_exim4-config_check_mail
  549. #####################################################
  550. #####################################################
  551. ### acl/30_exim4-config_check_rcpt
  552. #####################################################
  553.  
  554. ### acl/30_exim4-config_check_rcpt
  555. #################################
  556.  
  557. # This access control list is used for every RCPT command in an incoming
  558. # SMTP message. The tests are run in order until the address is either
  559. # accepted or denied.
  560. #
  561. acl_check_rcpt:
  562.  
  563.   # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  564.   # testing for an empty sending host field.
  565.   accept
  566.     hosts = :
  567.     control = dkim_disable_verify
  568.  
  569.   # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
  570.   # or DISABLE_DKIM_VERIFY are set.
  571. .ifdef DC_minimaldns
  572.   warn
  573.     control = dkim_disable_verify
  574. .else
  575. .ifdef DISABLE_DKIM_VERIFY
  576.   warn
  577.     control = dkim_disable_verify
  578. .endif
  579. .endif
  580.  
  581.   # The following section of the ACL is concerned with local parts that contain
  582.   # certain non-alphanumeric characters. Dots in unusual places are
  583.   # handled by this ACL as well.
  584.   #
  585.   # Non-alphanumeric characters other than dots are rarely found in genuine
  586.   # local parts, but are often tried by people looking to circumvent
  587.   # relaying restrictions. Therefore, although they are valid in local
  588.   # parts, these rules disallow certain non-alphanumeric characters, as
  589.   # a precaution.
  590.   #
  591.   # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  592.   # allows them because they have been encountered. (Consider local parts
  593.   # constructed as "firstinitial.secondinitial.familyname" when applied to
  594.   # a name without a second initial.) However, a local part starting
  595.   # with a dot or containing /../ can cause trouble if it is used as part of a
  596.   # file name (e.g. for a mailing list). This is also true for local parts that
  597.   # contain slashes. A pipe symbol can also be troublesome if the local part is
  598.   # incorporated unthinkingly into a shell command line.
  599.   #
  600.   # These ACL components will block recipient addresses that are valid
  601.   # from an RFC2822 point of view. We chose to have them blocked by
  602.   # default for security reasons.
  603.   #
  604.   # If you feel that your site should have less strict recipient
  605.   # checking, please feel free to change the default values of the macros
  606.   # defined in main/01_exim4-config_listmacrosdefs or override them from a
  607.   # local configuration file.
  608.   #
  609.   # Two different rules are used. The first one has a quite strict
  610.   # default, and is applied to messages that are addressed to one of the
  611.   # local domains handled by this host.
  612.  
  613.   # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
  614.   # main/01_exim4-config_listmacrosdefs:
  615.   # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  616.   # This blocks local parts that begin with a dot or contain a quite
  617.   # broad range of non-alphanumeric characters.
  618.   .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  619.   deny
  620.     domains = +local_domains
  621.     local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
  622.     message = restricted characters in address
  623.   .endif
  624.  
  625.  
  626.   # The second rule applies to all other domains, and its default is
  627.   # considerably less strict.
  628.  
  629.   # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
  630.   # main/01_exim4-config_listmacrosdefs:
  631.   # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  632.  
  633.   # It allows local users to send outgoing messages to sites
  634.   # that use slashes and vertical bars in their local parts. It blocks
  635.   # local parts that begin with a dot, slash, or vertical bar, but allows
  636.   # these characters within the local part. However, the sequence /../ is
  637.   # barred. The use of some other non-alphanumeric characters is blocked.
  638.   # Single quotes might be dangerous as well, but they're
  639.   # allowed by the default regexps to avoid rejecting mails to Ireland.
  640.   # The motivation here is to prevent local users (or local users' malware)
  641.   # from mounting certain kinds of attack on remote sites.
  642.   .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  643.   deny
  644.     domains = !+local_domains
  645.     local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
  646.     message = restricted characters in address
  647.   .endif
  648.  
  649.  
  650.   # Accept mail to postmaster in any local domain, regardless of the source,
  651.   # and without verifying the sender.
  652.   #
  653.   accept
  654.     .ifndef CHECK_RCPT_POSTMASTER
  655.     local_parts = postmaster
  656.     .else
  657.     local_parts = CHECK_RCPT_POSTMASTER
  658.     .endif
  659.     domains = +local_domains : +relay_to_domains
  660.  
  661.  
  662.   # Deny unless the sender address can be verified.
  663.   #
  664.   # This is disabled by default so that DNSless systems don't break. If
  665.   # your system can do DNS lookups without delay or cost, you might want
  666.   # to enable this feature.
  667.   #
  668.   # This feature does not work in smarthost and satellite setups as
  669.   # with these setups all domains pass verification. See spec.txt section
  670.   # "Access control lists" subsection "Address verification" with the added
  671.   # information that a smarthost/satellite setup routes all non-local e-mail
  672.   # to the smarthost.
  673.   .ifdef CHECK_RCPT_VERIFY_SENDER
  674.   deny
  675.     message = Sender verification failed
  676.     !acl = acl_local_deny_exceptions
  677.     !verify = sender
  678.   .endif
  679.  
  680.   # Verify senders listed in local_sender_callout with a callout.
  681.   #
  682.   # In smarthost and satellite setups, this causes the callout to be
  683.   # done to the smarthost. Verification will thus only be reliable if the
  684.   # smarthost does reject illegal addresses in the SMTP dialog.
  685.   deny
  686.     !acl = acl_local_deny_exceptions
  687.     senders = ${if exists{CONFDIR/local_sender_callout}\
  688.                          {CONFDIR/local_sender_callout}\
  689.                    {}}
  690.     !verify = sender/callout
  691.  
  692.  
  693.   # Accept if the message comes from one of the hosts for which we are an
  694.   # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  695.   # so we set control=submission to make Exim treat the message as a
  696.   # submission. It will fix up various errors in the message, for example, the
  697.   # lack of a Date: header line. If you are actually relaying out from
  698.   # MTAs, you may want to disable this. If you are handling both relaying from
  699.   # MTAs and submissions from MUAs you should probably split them into two
  700.   # lists, and handle them differently.
  701.  
  702.   # Recipient verification is omitted here, because in many cases the clients
  703.   # are dumb MUAs that don't cope well with SMTP error responses. If you are
  704.   # actually relaying out from MTAs, you should probably add recipient
  705.   # verification here.
  706.  
  707.   # Note that, by putting this test before any DNS black list checks, you will
  708.   # always accept from these hosts, even if they end up on a black list. The
  709.   # assumption is that they are your friends, and if they get onto black
  710.   # list, it is a mistake.
  711.   accept
  712.     hosts = +relay_from_hosts
  713.     control = submission/sender_retain
  714.     control = dkim_disable_verify
  715.  
  716.  
  717.   # Accept if the message arrived over an authenticated connection, from
  718.   # any host. Again, these messages are usually from MUAs, so recipient
  719.   # verification is omitted, and submission mode is set. And again, we do this
  720.   # check before any black list tests.
  721.   accept
  722.     authenticated = *
  723.     control = submission/sender_retain
  724.     control = dkim_disable_verify
  725.  
  726.   # Insist that a HELO/EHLO was accepted.
  727.  
  728.   require message       = nice hosts say HELO first
  729.           condition     = ${if def:sender_helo_name}
  730.  
  731.   # Insist that any other recipient address that we accept is either in one of
  732.   # our local domains, or is in a domain for which we explicitly allow
  733.   # relaying. Any other domain is rejected as being unacceptable for relaying.
  734.   require
  735.     message = relay not permitted
  736.     domains = +local_domains : +relay_to_domains
  737.  
  738.  
  739.   # We also require all accepted addresses to be verifiable. This check will
  740.   # do local part verification for local domains, but only check the domain
  741.   # for remote domains.
  742.   require
  743.     verify = recipient
  744.  
  745.  
  746.   # Verify recipients listed in local_rcpt_callout with a callout.
  747.   # This is especially handy for forwarding MX hosts (secondary MX or
  748.   # mail hubs) of domains that receive a lot of spam to non-existent
  749.   # addresses.  The only way to check local parts for remote relay
  750.   # domains is to use a callout (add /callout), but please read the
  751.   # documentation about callouts before doing this.
  752.   deny
  753.     !acl = acl_local_deny_exceptions
  754.     recipients = ${if exists{CONFDIR/local_rcpt_callout}\
  755.                             {CONFDIR/local_rcpt_callout}\
  756.                       {}}
  757.     !verify = recipient/callout
  758.  
  759.  
  760.   # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  761.   # should have their access denied to the local host. Incoming messages
  762.   # with one of these senders are rejected at RCPT time.
  763.   #
  764.   # The explicit white lists are honored as well as negative items in
  765.   # the black list. See exim4-config_files(5) for details.
  766.   deny
  767.     message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  768.     !acl = acl_local_deny_exceptions
  769.     senders = ${if exists{CONFDIR/local_sender_blacklist}\
  770.                    {CONFDIR/local_sender_blacklist}\
  771.                    {}}
  772.  
  773.  
  774.   # deny bad sites (IP address)
  775.   # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  776.   # and networks (CIDR notation) that should have their access denied to
  777.   # the local host. Messages coming in from a listed host will have all
  778.   # RCPT statements rejected.
  779.   #
  780.   # The explicit white lists are honored as well as negative items in
  781.   # the black list. See exim4-config_files(5) for details.
  782.   deny
  783.     message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  784.     !acl = acl_local_deny_exceptions
  785.     hosts = ${if exists{CONFDIR/local_host_blacklist}\
  786.                  {CONFDIR/local_host_blacklist}\
  787.                  {}}
  788.  
  789.  
  790.   # Warn if the sender host does not have valid reverse DNS.
  791.   #
  792.   # If your system can do DNS lookups without delay or cost, you might want
  793.   # to enable this.
  794.   # If sender_host_address is defined, it's a remote call.  If
  795.   # sender_host_name is not defined, then reverse lookup failed.  Use
  796.   # this instead of !verify = reverse_host_lookup to catch deferrals
  797.   # as well as outright failures.
  798.   .ifdef CHECK_RCPT_REVERSE_DNS
  799.   warn
  800.     condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
  801.                       {yes}{no}}
  802.     add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
  803.   .endif
  804.  
  805.  
  806.   # Use spfquery to perform a pair of SPF checks (for details, see
  807.   # http://www.openspf.org/)
  808.   #
  809.   # This is quite costly in terms of DNS lookups (~6 lookups per mail).  Do not
  810.   # enable if that's an issue.  Also note that if you enable this, you must
  811.   # install "spf-tools-perl" which provides the spfquery command.
  812.   # Missing spf-tools-perl will trigger the "Unexpected error in
  813.   # SPF check" warning.
  814.   .ifdef CHECK_RCPT_SPF
  815.   deny
  816.     message = [SPF] $sender_host_address is not allowed to send mail from \
  817.               ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
  818.               Please see \
  819.               http://www.openspf.org/Why?scope=${if def:sender_address_domain \
  820.               {mfrom}{helo}};identity=${if def:sender_address_domain \
  821.               {$sender_address}{$sender_helo_name}};ip=$sender_host_address
  822.     log_message = SPF check failed.
  823.     !acl = acl_local_deny_exceptions
  824.     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
  825.                    ${quote:$sender_host_address} --identity \
  826.                    ${if def:sender_address_domain \
  827.                        {--scope mfrom  --identity ${quote:$sender_address}}\
  828.                        {--scope helo --identity ${quote:$sender_helo_name}}}}\
  829.                    {no}{${if eq {$runrc}{1}{yes}{no}}}}
  830.  
  831.   defer
  832.     message = Temporary DNS error while checking SPF record.  Try again later.
  833.     !acl = acl_local_deny_exceptions
  834.     condition = ${if eq {$runrc}{5}{yes}{no}}
  835.  
  836.   warn
  837.     condition = ${if <={$runrc}{6}{yes}{no}}
  838.     add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
  839.                                 {${if eq {$runrc}{2}{softfail}\
  840.                                  {${if eq {$runrc}{3}{neutral}\
  841.                                   {${if eq {$runrc}{4}{permerror}\
  842.                                    {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
  843.                                 } client-ip=$sender_host_address; \
  844.                                 ${if def:sender_address_domain \
  845.                                    {envelope-from=${sender_address}; }{}}\
  846.                                 helo=$sender_helo_name
  847.  
  848.   warn
  849.     log_message = Unexpected error in SPF check.
  850.     condition = ${if >{$runrc}{6}{yes}{no}}
  851.   .endif
  852.  
  853.  
  854.   # Check against classic DNS "black" lists (DNSBLs) which list
  855.   # sender IP addresses
  856.   .ifdef CHECK_RCPT_IP_DNSBLS
  857.   warn
  858.     dnslists = CHECK_RCPT_IP_DNSBLS
  859.     add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  860.     log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  861.   .endif
  862.  
  863.  
  864.   # Check against DNSBLs which list sender domains, with an option to locally
  865.   # whitelist certain domains that might be blacklisted.
  866.   #
  867.   # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
  868.   # "/$sender_address_domain" after each domain.  For example:
  869.   # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
  870.   #                            : rhsbl.bar.org/$sender_address_domain
  871.   .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  872.   warn
  873.     !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
  874.                     {CONFDIR/local_domain_dnsbl_whitelist}\
  875.                     {}}
  876.     dnslists = CHECK_RCPT_DOMAIN_DNSBLS
  877.     add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  878.     log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  879.   .endif
  880.  
  881.  
  882.   # This hook allows you to hook in your own ACLs without having to
  883.   # modify this file. If you do it like we suggest, you'll end up with
  884.   # a small performance penalty since there is an additional file being
  885.   # accessed. This doesn't happen if you leave the macro unset.
  886.   .ifdef CHECK_RCPT_LOCAL_ACL_FILE
  887.   .include CHECK_RCPT_LOCAL_ACL_FILE
  888.   .endif
  889.  
  890.  
  891.   #############################################################################
  892.   # This check is commented out because it is recognized that not every
  893.   # sysadmin will want to do it. If you enable it, the check performs
  894.   # Client SMTP Authorization (csa) checks on the sending host. These checks
  895.   # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  896.   # an Internet draft. You can, of course, add additional conditions to this
  897.   # ACL statement to restrict the CSA checks to certain hosts only.
  898.   #
  899.   # require verify = csa
  900.   #############################################################################
  901.  
  902.  
  903.   # Accept if the address is in a domain for which we are an incoming relay,
  904.   # but again, only if the recipient can be verified.
  905.  
  906.   accept
  907.     domains = +relay_to_domains
  908.     endpass
  909.     verify = recipient
  910.  
  911.  
  912.   # At this point, the address has passed all the checks that have been
  913.   # configured, so we accept it unconditionally.
  914.  
  915.   accept
  916. #####################################################
  917. ### end acl/30_exim4-config_check_rcpt
  918. #####################################################
  919. #####################################################
  920. ### acl/40_exim4-config_check_data
  921. #####################################################
  922.  
  923. ### acl/40_exim4-config_check_data
  924. #################################
  925.  
  926. # This ACL is used after the contents of a message have been received. This
  927. # is the ACL in which you can test a message's headers or body, and in
  928. # particular, this is where you can invoke external virus or spam scanners.
  929.  
  930. acl_check_data:
  931.  
  932.   # Deny if the message contains an overlong line.  Per the standards
  933.   # we should never receive one such via SMTP.
  934.   #
  935.   .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
  936.   deny    message    = maximum allowed line length is 998 octets, \
  937.                        got $max_received_linelength
  938.           condition  = ${if > {$max_received_linelength}{998}}
  939.   .endif
  940.  
  941.   # Deny unless the address list headers are syntactically correct.
  942.   #
  943.   # If you enable this, you might reject legitimate mail.
  944.   .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
  945.   deny
  946.     message = Message headers fail syntax check
  947.     !acl = acl_local_deny_exceptions
  948.     !verify = header_syntax
  949.   .endif
  950.  
  951.  
  952.   # require that there is a verifiable sender address in at least
  953.   # one of the "Sender:", "Reply-To:", or "From:" header lines.
  954.   .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
  955.   deny
  956.     message = No verifiable sender address in message headers
  957.     !acl = acl_local_deny_exceptions
  958.     !verify = header_sender
  959.   .endif
  960.  
  961.  
  962.   # Deny if the message contains malware. Before enabling this check, you
  963.   # must install a virus scanner and set the av_scanner option in the
  964.   # main configuration.
  965.   #
  966.   # exim4-daemon-heavy must be used for this section to work.
  967.   #
  968.   # deny
  969.   #   malware = *
  970.   #   message = This message was detected as possible malware ($malware_name).
  971.  
  972.  
  973.   # Add headers to a message if it is judged to be spam. Before enabling this,
  974.   # you must install SpamAssassin. You also need to set the spamd_address
  975.   # option in the main configuration.
  976.   #
  977.   # exim4-daemon-heavy must be used for this section to work.
  978.   #
  979.   # Please note that this is only suitable as an example. There are
  980.   # multiple issues with this configuration method. For example, if you go
  981.   # this way, you'll give your spamassassin daemon write access to the
  982.   # entire exim spool which might be a security issue in case of a
  983.   # spamassassin exploit.
  984.   #
  985.   # See the exim docs and the exim wiki for more suitable examples.
  986.   #
  987.   # warn
  988.   #   spam = Debian-exim:true
  989.   #   add_header = X-Spam_score: $spam_score\n\
  990.   #             X-Spam_score_int: $spam_score_int\n\
  991.   #             X-Spam_bar: $spam_bar\n\
  992.   #             X-Spam_report: $spam_report
  993.  
  994.  
  995.   # This hook allows you to hook in your own ACLs without having to
  996.   # modify this file. If you do it like we suggest, you'll end up with
  997.   # a small performance penalty since there is an additional file being
  998.   # accessed. This doesn't happen if you leave the macro unset.
  999.   .ifdef CHECK_DATA_LOCAL_ACL_FILE
  1000.   .include CHECK_DATA_LOCAL_ACL_FILE
  1001.   .endif
  1002.  
  1003.  
  1004.   # accept otherwise
  1005.   accept
  1006. #####################################################
  1007. ### end acl/40_exim4-config_check_data
  1008. #####################################################
  1009. #####################################################
  1010. ### router/00_exim4-config_header
  1011. #####################################################
  1012.  
  1013. ######################################################################
  1014. #                      ROUTERS CONFIGURATION                         #
  1015. #               Specifies how addresses are handled                  #
  1016. ######################################################################
  1017. #     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
  1018. # An address is passed to each router in turn until it is accepted.  #
  1019. ######################################################################
  1020.  
  1021. begin routers
  1022.  
  1023. #####################################################
  1024. ### end router/00_exim4-config_header
  1025. #####################################################
  1026. #####################################################
  1027. ### router/100_exim4-config_domain_literal
  1028. #####################################################
  1029.  
  1030. ### router/100_exim4-config_domain_literal
  1031. #################################
  1032.  
  1033. # This router handles e-mail addresses in "domain literal" form like
  1034. # <user@[10.11.12.13]>. The RFCs require this facility, but it is disabled
  1035. # in the default config since it is rarely used and frequently abused.
  1036. # Domain literal support also needs to be enabled in the main config,
  1037. # which is automatically done if you use the enable macro
  1038. # MAIN_ALLOW_DOMAIN_LITERALS.
  1039.  
  1040. .ifdef MAIN_ALLOW_DOMAIN_LITERALS
  1041. domain_literal:
  1042.   debug_print = "R: domain_literal for $local_part@$domain"
  1043.   driver = ipliteral
  1044.   domains = ! +local_domains
  1045.   transport = remote_smtp
  1046. .endif
  1047. #####################################################
  1048. ### end router/100_exim4-config_domain_literal
  1049. #####################################################
  1050. #####################################################
  1051. ### router/150_exim4-config_hubbed_hosts
  1052. #####################################################
  1053.  
  1054. # router/150_exim4-config_hubbed_hosts
  1055. #################################
  1056.  
  1057. # route specific domains manually.
  1058. #
  1059. # see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
  1060. # more detailed documentation.
  1061.  
  1062. hubbed_hosts:
  1063.   debug_print = "R: hubbed_hosts for $domain"
  1064.   driver = manualroute
  1065.   domains = "${if exists{CONFDIR/hubbed_hosts}\
  1066.                    {partial-lsearch;CONFDIR/hubbed_hosts}\
  1067.               fail}"
  1068.   same_domain_copy_routing = yes
  1069.   route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
  1070.   transport = remote_smtp
  1071. #####################################################
  1072. ### end router/150_exim4-config_hubbed_hosts
  1073. #####################################################
  1074. #####################################################
  1075. ### router/200_exim4-config_primary
  1076. #####################################################
  1077.  
  1078. ### router/200_exim4-config_primary
  1079. #################################
  1080. # This file holds the primary router, responsible for nonlocal mails
  1081.  
  1082. .ifdef DCconfig_internet
  1083. # configtype=internet
  1084. #
  1085. # deliver mail to the recipient if recipient domain is a domain we
  1086. # relay for. We do not ignore any target hosts here since delivering to
  1087. # a site local or even a link local address might be wanted here, and if
  1088. # such an address has found its way into the MX record of such a domain,
  1089. # the local admin is probably in a place where that broken MX record
  1090. # could be fixed.
  1091.  
  1092. dnslookup_relay_to_domains:
  1093.   debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
  1094.   driver = dnslookup
  1095.   domains = ! +local_domains : +relay_to_domains
  1096.   transport = remote_smtp
  1097.   same_domain_copy_routing = yes
  1098.   no_more
  1099.  
  1100. # deliver mail directly to the recipient. This router is only reached
  1101. # for domains that we do not relay for. Since we most probably can't
  1102. # have broken MX records pointing to site local or link local IP
  1103. # addresses fixed, we ignore target hosts pointing to these addresses.
  1104.  
  1105. dnslookup:
  1106.   debug_print = "R: dnslookup for $local_part@$domain"
  1107.   driver = dnslookup
  1108.   domains = ! +local_domains
  1109.   transport = remote_smtp
  1110.   same_domain_copy_routing = yes
  1111.   # ignore unspecified, loopback, private (RFC 1918), APIPA and broadcast IPv4 addresses; no IPv6 ranges are listed
  1112.   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
  1113.                         172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
  1114.                         255.255.255.255
  1115.   no_more
  1116.  
  1117. .endif
  1118.  
  1119.  
  1120. .ifdef DCconfig_local
  1121. # configtype=local
  1122. #
  1123. # Stand-alone system, so generate an error for mail to a non-local domain
  1124. nonlocal:
  1125.   debug_print = "R: nonlocal for $local_part@$domain"
  1126.   driver = redirect
  1127.   domains = ! +local_domains
  1128.   allow_fail
  1129.   data = :fail: Mailing to remote domains not supported
  1130.   no_more
  1131.  
  1132. .endif
  1133.  
  1134.  
  1135. .ifdef DCconfig_smarthost DCconfig_satellite
  1136. # configtype=smarthost or configtype=satellite
  1137. #
  1138. # Send all non-local mail to a single other machine (smarthost).
  1139. #
  1140. # This means _ALL_ non-local mail goes to the smarthost. This will most
  1141. # probably not do what you want for domains that are listed in
  1142. # relay_domains. The most typical use for relay_domains is to control
  1143. # relaying for incoming e-mail on secondary MX hosts. In that case,
  1144. # it doesn't make sense to send the mail to the smarthost since the
  1145. # smarthost will probably send the message right back here, causing a
  1146. # loop.
  1147. #
  1148. # If you want to use a smarthost while being secondary MX for some
  1149. # domains, you'll need to copy the dnslookup_relay_to_domains router
  1150. # here so that mail to relay_domains is handled separately.
  1151.  
  1152. smarthost:
  1153.   debug_print = "R: smarthost for $local_part@$domain"
  1154.   driver = manualroute
  1155.   domains = ! +local_domains
  1156.   transport = remote_smtp_smarthost
  1157.   route_list = * DCsmarthost byname
  1158.   host_find_failed = ignore
  1159.   same_domain_copy_routing = yes
  1160.   no_more
  1161.  
  1162. .endif
  1163.  
  1164.  
  1165. # The "no_more" above means that all later routers are for
  1166. # domains in the local_domains list, i.e. just like Exim 3 directors.
  1167. #####################################################
  1168. ### end router/200_exim4-config_primary
  1169. #####################################################
  1170. #####################################################
  1171. ### router/300_exim4-config_real_local
  1172. #####################################################
  1173.  
  1174. ### router/300_exim4-config_real_local
  1175. #################################
  1176.  
  1177. # This router allows reaching a local user while avoiding local
  1178. # processing. This can be used to inform a user of a broken .forward
  1179. # file, for example. The userforward router does this.
  1180.  
  1181. COND_LOCAL_SUBMITTER = "\
  1182.                ${if match_ip{$sender_host_address}{:@[]}\
  1183.                     {1}{0}\
  1184.                 }"
  1185.  
  1186. real_local:
  1187.   debug_print = "R: real_local for $local_part@$domain"
  1188.   driver = accept
  1189.   domains = +local_domains
  1190.   condition = COND_LOCAL_SUBMITTER
  1191.   local_part_prefix = real-
  1192.   check_local_user
  1193.   transport = LOCAL_DELIVERY
  1194.  
  1195. #####################################################
  1196. ### end router/300_exim4-config_real_local
  1197. #####################################################
  1198. #####################################################
  1199. ### router/400_exim4-config_system_aliases
  1200. #####################################################
  1201.  
  1202. ### router/400_exim4-config_system_aliases
  1203. #################################
  1204.  
  1205. # This router handles aliasing using a traditional /etc/aliases file.
  1206. #
  1207. ##### NB  You must ensure that /etc/aliases exists. It used to be the case
  1208. ##### NB  that every Unix had that file, because it was the Sendmail default.
  1209. ##### NB  These days, there are systems that don't have it. Your aliases
  1210. ##### NB  file should at least contain an alias for "postmaster".
  1211. #
  1212. # This router handles the local part in a case-insensitive way which
  1213. # satisfies the RFCs' requirement that postmaster be reachable regardless
  1214. # of case. If you decide to handle /etc/aliases in a caseful way, you
  1215. # need to make arrangements for a caseless postmaster.
  1216. #
  1217. # Delivery to arbitrary directories, files, and piping to programs in
  1218. # /etc/aliases is disabled per default.
  1219. # If that is a problem for you, see
  1220. #   /usr/share/doc/exim4-base/README.Debian.gz
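  1221. # for explanation and some workarounds.
        #
        # NOTE: this file defines SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe near
        # its top (added for Mailman), so the pipe_transport line below is active
        # and pipe entries in /etc/aliases are enabled in this setup. Keep
        # /etc/aliases writable by root only, and check whether
        # SYSTEM_ALIASES_USER / SYSTEM_ALIASES_GROUP are defined so that it is
        # clear which account the piped commands run as.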
  1222.  
  1223. system_aliases:
  1224.   debug_print = "R: system_aliases for $local_part@$domain"
  1225.   driver = redirect
  1226.   domains = +local_domains
  1227.   allow_fail
  1228.   allow_defer
  1229.   data = ${lookup{$local_part}lsearch{/etc/aliases}}
  1230.   .ifdef SYSTEM_ALIASES_USER
  1231.   user = SYSTEM_ALIASES_USER
  1232.   .endif
  1233.   .ifdef SYSTEM_ALIASES_GROUP
  1234.   group = SYSTEM_ALIASES_GROUP
  1235.   .endif
  1236.   .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
  1237.   file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
  1238.   .endif
  1239.   .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
  1240.   pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
  1241.   .endif
  1242.   .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  1243.   directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  1244.   .endif
  1245. #####################################################
  1246. ### end router/400_exim4-config_system_aliases
  1247. #####################################################
  1248. #####################################################
  1249. ### router/500_exim4-config_hubuser
  1250. #####################################################
  1251.  
  1252. ### router/500_exim4-config_hubuser
  1253. #################################
  1254.  
  1255. .ifdef DCconfig_satellite
  1256. # This router is only used for configtype=satellite.
  1257. # It takes care to route all mail targeted to <somelocaluser@this.machine>
  1258. # to the host where we read our mail
  1259. #
  1260. hub_user:
  1261.   debug_print = "R: hub_user for $local_part@$domain"
  1262.   driver = redirect
  1263.   domains = +local_domains
  1264.   data = ${local_part}@DCreadhost
  1265.   check_local_user
  1266.  
  1267. # Grab the redirected mail and deliver it.
  1268. # This is a duplicate of the smarthost router, needed because
  1269. # DCreadhost might end up as part of +local_domains
  1270. hub_user_smarthost:
  1271.   debug_print = "R: hub_user_smarthost for $local_part@$domain"
  1272.   driver = manualroute
  1273.   domains = DCreadhost
  1274.   transport = remote_smtp_smarthost
  1275.   route_list = * DCsmarthost byname
  1276.   host_find_failed = ignore
  1277.   same_domain_copy_routing = yes
  1278.   check_local_user
  1279. .endif
  1280.  
  1281.  
  1282. #####################################################
  1283. ### end router/500_exim4-config_hubuser
  1284. #####################################################
  1285. #####################################################
  1286. ### router/600_exim4-config_userforward
  1287. #####################################################
  1288.  
  1289. ### router/600_exim4-config_userforward
  1290. #################################
  1291.  
  1292. # This router handles forwarding using traditional .forward files in users'
  1293. # home directories. It also allows mail filtering with a forward file
  1294. # starting with the string "# Exim filter" or "# Sieve filter".
  1295. #
  1296. # The no_verify setting means that this router is skipped when Exim is
  1297. # verifying addresses. Similarly, no_expn means that this router is skipped if
  1298. # Exim is processing an EXPN command.
  1299. #
  1300. # The check_ancestor option means that if the forward file generates an
  1301. # address that is an ancestor of the current one, the current one gets
  1302. # passed on instead. This covers the case where A is aliased to B and B
  1303. # has a .forward file pointing to A.
  1304. #
  1305. # The four transports specified at the end are those that are used when
  1306. # forwarding generates a direct delivery to a directory, or a file, or to a
  1307. # pipe, or sets up an auto-reply, respectively.
  1308. #
  1309. userforward:
          # Redirect router for local users' $home/.forward files; it is skipped
          # during address verification and EXPN (no_verify, no_expn).
          # NOTE(review): allow_filter lets a .forward file be an Exim or Sieve
          # filter, and the only filter restriction set here is forbid_smtp_code.
          # Directory, file, pipe and auto-reply deliveries stay available
          # through the four transports named below. If local users are not
          # meant to run commands from incoming mail, review the redirect
          # router's forbid_pipe and forbid_filter_run options.
  1310.   debug_print = "R: userforward for $local_part@$domain"
  1311.   driver = redirect
  1312.   domains = +local_domains
  1313.   check_local_user
  1314.   file = $home/.forward
  1315.   require_files = $local_part:$home/.forward
  1316.   no_verify
  1317.   no_expn
  1318.   check_ancestor
  1319.   allow_filter
  1320.   forbid_smtp_code = true
  1321.   directory_transport = address_directory
  1322.   file_transport = address_file
  1323.   pipe_transport = address_pipe
  1324.   reply_transport = address_reply
          # Syntax errors in a .forward file do not fail the delivery; the report
          # goes to real-$local_part@$domain, the prefix handled by the
          # real_local router, so it does not pass through .forward again.
  1325.   skip_syntax_errors
  1326.   syntax_errors_to = real-$local_part@$domain
  1327.   syntax_errors_text = \
  1328.     This is an automatically generated message. An error has\n\
  1329.     been found in your .forward file. Details of the error are\n\
  1330.     reported below. While this error persists, you will receive\n\
  1331.     a copy of this message for every message that is addressed\n\
  1332.     to you. If your .forward file is a filter file, or if it is\n\
  1333.     a non-filter file containing no valid forwarding addresses,\n\
  1334.     a copy of each incoming message will be put in your normal\n\
  1335.     mailbox. If a non-filter file contains at least one valid\n\
  1336.     forwarding address, forwarding to the valid addresses will\n\
  1337.     happen, and those will be the only deliveries that occur.
  1338.  
  1339. #####################################################
  1340. ### end router/600_exim4-config_userforward
  1341. #####################################################
  1342. #####################################################
  1343. ### router/700_exim4-config_procmail
  1344. #####################################################
  1345.  
  1346. procmail:
  1347.   debug_print = "R: procmail for $local_part@$domain"
  1348.   driver = accept
  1349.   domains = +local_domains
  1350.   check_local_user
  1351.   transport = procmail_pipe
  1352.   # emulate OR with "if exists"-expansion
  1353.   require_files = ${local_part}:\
  1354.                   ${if exists{/etc/procmailrc}\
  1355.                     {/etc/procmailrc}{${home}/.procmailrc}}:\
  1356.                   +/usr/bin/procmail
  1357.   no_verify
  1358.   no_expn
  1359.  
  1360. #####################################################
  1361. ### end router/700_exim4-config_procmail
  1362. #####################################################
  1363. #####################################################
  1364. ### router/800_exim4-config_maildrop
  1365. #####################################################
  1366.  
  1367. ### router/800_exim4-config_maildrop
  1368. #################################
  1369.  
  1370. maildrop:
  1371.   debug_print = "R: maildrop for $local_part@$domain"
  1372.   driver = accept
  1373.   domains = +local_domains
  1374.   check_local_user
  1375.   transport = maildrop_pipe
  1376.   require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
  1377.   no_verify
  1378.   no_expn
  1379.  
  1380. #####################################################
  1381. ### end router/800_exim4-config_maildrop
  1382. #####################################################
  1383. #####################################################
  1384. ### router/850_exim4-config_lowuid
  1385. #####################################################
  1386.  
  1387. ### router/850_exim4-config_lowuid
  1388. #################################
  1389.  
  1390. .ifndef FIRST_USER_ACCOUNT_UID
  1391. FIRST_USER_ACCOUNT_UID = 0
  1392. .endif
  1393.  
  1394. .ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
  1395. DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
  1396. .endif
  1397.  
  1398. COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
  1399.                ${if and{{! match_ip{$sender_host_address}{:@[]}}\
  1400.                         {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
  1401.                     {1}{0}\
  1402.                 }"
  1403.  
  1404. lowuid_aliases:
          # Redirects mail addressed to local users whose UID is below
          # FIRST_USER_ACCOUNT_UID when the message was neither submitted locally
          # nor sent from one of this host's own addresses (see
          # COND_SYSTEM_USER_AND_REMOTE_SUBMITTER above). The new address is
          # looked up in CONFDIR/lowuid-aliases; if the file or the entry is
          # missing, DEFAULT_SYSTEM_ACCOUNT_ALIAS is used.
          # NOTE(review): the fallback above sets FIRST_USER_ACCOUNT_UID = 0. No
          # UID is below 0, so unless the macro is defined earlier in the
          # configuration this router never matches and remote mail to system
          # accounts is not redirected. Define the macro as the first regular
          # user UID of this system if that protection is wanted.
  1405.   debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
  1406.   check_local_user
  1407.   driver = redirect
  1408.   allow_fail
  1409.   domains = +local_domains
  1410.   condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  1411.   data = ${if exists{CONFDIR/lowuid-aliases}\
  1412.               {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
  1413.               {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
  1414.               {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
  1415. #####################################################
  1416. ### end router/850_exim4-config_lowuid
  1417. #####################################################
  1418. #####################################################
  1419. ### router/900_exim4-config_local_user
  1420. #####################################################
  1421.  
  1422. ### router/900_exim4-config_local_user
  1423. #################################
  1424.  
  1425. # This router matches local user mailboxes. If the router fails, the error
  1426. # message is "Unknown user".
  1427.  
  1428. local_user:
          # Router: accept any address in +local_domains whose local part is an
          # existing system account and deliver it with the transport named by
          # the LOCAL_DELIVERY macro (defined outside this part of the file).
  1429.   debug_print = "R: local_user for $local_part@$domain"
  1430.   driver = accept
  1431.   domains = +local_domains
  1432.   check_local_user
          # root is excluded here; the mail4root router later in this file
          # handles root's mail under the unprivileged mail user.
  1433.   local_parts = ! root
  1434.   transport = LOCAL_DELIVERY
  1435.   cannot_route_message = Unknown user
  1436. #####################################################
  1437. ### end router/900_exim4-config_local_user
  1438. #####################################################
  1439.  
  1440.  
  1441. #mailman---------------------- BEGIN EXIM4 ROUTER ----------------------------
  1442. # Messages get sent out with
  1443. # envelope from "mailman-bounces@virtual_domain"
  1444. # But mailman doesn't put such addresses
  1445. # in the aliases. Recognise these here.
  1446. mailman_workaround:
          # Router: accept the site list address "mailman" (with an optional
          # Mailman action suffix) and pass it to mailman_transport.
  1447.   debug_print = "R: mailman_workaround for $local_part@$domain"
  1448.   domains = +local_domains
          # Only route when the list's config.pck exists. local_parts below
          # restricts $local_part to "mailman", so the path is effectively fixed.
          # NOTE(review): Exim 4.94 and later refuse tainted values such as
          # $local_part inside file names; if this host runs such a version,
          # check whether $local_part_data is needed here - TODO confirm.
  1449.   require_files = MAILMAN_HOME/lists/$local_part/config.pck
  1450.   driver = accept
  1451.   local_parts = mailman
          # The suffix is optional: the bare address is accepted as well.
  1452.   local_part_suffix_optional
  1453.   local_part_suffix = -bounces : -bounces+* : \
  1454.            -confirm+* : -join : -leave : \
  1455.            -subscribe : -unsubscribe : \
  1456.            -owner : -request : -admin
  1457.   transport = mailman_transport
  1458.   group = MAILMAN_GROUP
  1459.  
  1460. # We need to handle the mailman-loop separately from the other addresses
  1461. # since the loop action is not handled by the wrapper.
  1462. mailman_loop_router:
          # Router: accept only "mailman-loop" (the -loop suffix is mandatory
          # because local_part_suffix_optional is not set) and append it to the
          # mbox written by mailman_loop_transport.
  1463.   debug_print = "R: mailman_loop for $local_part@$domain"
  1464.   domains = +local_domains
          # NOTE(review): same $local_part-in-path pattern as the other Mailman
          # routers; on Exim 4.94+ tainted values in file names are refused -
          # TODO confirm against the installed version.
  1465.   require_files = MAILMAN_HOME/lists/$local_part/config.pck
  1466.   driver = accept
  1467.   local_parts = mailman
  1468.   transport = mailman_loop_transport
  1469.   local_part_suffix = -loop
  1470.   group = MAILMAN_GROUP
  1471.  
  1472. # Mailman lists
  1473. mailman_router:
          # Router: accept list addresses that are present in
          # MAILMAN_HOME/data/virtual-mailman and whose list directory holds a
          # config.pck, then pass them to mailman_transport.
  1474.   debug_print = "R: mailman_router for $local_part@$domain"
  1475.   domains = +local_domains
          # Key is the full address after suffix stripping; any hit yields 1.
  1476.   condition = ${lookup{$local_part@$domain}lsearch{MAILMAN_HOME/data/virtual-mailman}{1}{0}}
          # There is no local_parts restriction on this router, so the path is
          # built from a sender-supplied local part. The Exim documentation
          # lists require_files ahead of condition in precondition order, so
          # this existence test may run before the lsearch above filters.
          # NOTE(review): confirm that the RCPT ACL (not in this part of the
          # file) rejects local parts containing "/" or a leading ".".
          # NOTE(review): Exim 4.94+ refuses tainted $local_part in file names;
          # check whether $local_part_data is required - TODO confirm.
  1477.   require_files = MAILMAN_HOME/lists/$local_part/config.pck
  1478.   driver = accept
  1479.   local_part_suffix_optional
  1480.   local_part_suffix = -bounces : -bounces+* : \
  1481.                       -confirm+* : -join : -leave : \
  1482.                       -subscribe : -unsubscribe : \
  1483.                       -owner : -request : -admin
  1484.   transport = mailman_transport
  1485.   group = MAILMAN_GROUP
  1486. #mailman----------------------  END EXIM4 ROUTER  ----------------------------
  1487.  
  1488.  
  1489.  
  1490. #####################################################
  1491. ### router/mmm_mail4root
  1492. #####################################################
  1493.  
  1494. ### router/mmm_mail4root
  1495. #################################
  1496. # deliver mail addressed to root to /var/mail/mail as user mail:mail
  1497. # if it was not redirected in /etc/aliases or by other means
  1498. # Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
  1499.  
  1500. mail4root:
          # Router: last-resort handling for root@<local domain>. The address
          # is redirected to the fixed file /var/mail/mail and written through
          # the address_file transport.
  1501.   debug_print = "R: mail4root for $local_part@$domain"
  1502.   driver = redirect
  1503.   domains = +local_domains
  1504.   data = /var/mail/mail
  1505.   file_transport = address_file
  1506.   local_parts = root
          # Delivery runs as mail:mail, not root (see the comment above).
          # NOTE(review): root's mail often carries cron and security reports;
          # anything able to read /var/mail/mail can read it, so an explicit
          # root alias to a real mailbox is usually preferable.
  1507.   user = mail
  1508.   group = mail
  1509.  
  1510. #####################################################
  1511. ### end router/mmm_mail4root
  1512. #####################################################
  1513. #####################################################
  1514. ### transport/00_exim4-config_header
  1515. #####################################################
  1516.  
  1517. ######################################################################
  1518. #                      TRANSPORTS CONFIGURATION                      #
  1519. ######################################################################
  1520. #                       ORDER DOES NOT MATTER                        #
  1521. #     Only one appropriate transport is called for each delivery.    #
  1522. ######################################################################
  1523.  
  1524. # A transport is used only when referenced from a router that successfully
  1525. # handles an address.
  1526.  
  1527. begin transports
  1528.  
  1529. #####################################################
  1530. ### end transport/00_exim4-config_header
  1531. #####################################################
  1532. #####################################################
  1533. ### transport/10_exim4-config_transport-macros
  1534. #####################################################
  1535.  
  1536. ### transport/10_exim4-config_transport-macros
  1537. #################################
  1538.  
  1539. .ifdef HIDE_MAILNAME
        # When HIDE_MAILNAME is defined, outgoing mail is rewritten so that
        # addresses in +local_domains or ETC_MAILNAME appear under DCreadhost.
        # The first macro rewrites headers (flags f, r, s: From, Reply-To,
        # Sender); the second sets the envelope return path the same way and
        # yields "fail" (leave unchanged) for any other sender domain.
  1540. REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
  1541. REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
  1542. .endif
  1543.  
  1544. .ifdef REMOTE_SMTP_HELO_FROM_DNS
        # Take the HELO/EHLO name from the PTR record of the outgoing interface
        # address, falling back to $primary_hostname when the lookup fails.
        # The "==" form is Exim's syntax for redefining a macro that already
        # exists; a plain "=" is used when the macro was not defined before.
  1545. .ifdef REMOTE_SMTP_HELO_DATA
  1546. REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
  1547. .else
  1548. REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
  1549. .endif
  1550. .endif
  1551. #####################################################
  1552. ### end transport/10_exim4-config_transport-macros
  1553. #####################################################
  1554. #####################################################
  1555. ### transport/30_exim4-config_address_file
  1556. #####################################################
  1557.  
  1558. # This transport is used for handling deliveries directly to files that are
  1559. # generated by aliasing or forwarding.
  1560. #
  1561. address_file:
          # Transport: append to a file. No file or directory option is set
          # here, so the target path comes from the address the router
          # generated (for example /var/mail/mail from mail4root).
  1562.   debug_print = "T: address_file for $local_part@$domain"
  1563.   driver = appendfile
          # Add Delivery-date:, Envelope-to: and Return-path: headers.
  1564.   delivery_date_add
  1565.   envelope_to_add
  1566.   return_path_add
  1567.  
  1568. #####################################################
  1569. ### end transport/30_exim4-config_address_file
  1570. #####################################################
  1571. #####################################################
  1572. ### transport/30_exim4-config_address_pipe
  1573. #####################################################
  1574.  
  1575. # This transport is used for handling pipe deliveries generated by
  1576. # .forward files. If the command fails and produces any output on standard
  1577. # output or standard error streams, the output is returned to the sender
  1578. # of the message as a delivery error.
  1579. address_pipe:
          # Transport: run the command carried by a pipe address. No command,
          # user or group is set here; they come from the routed address and
          # the router that produced it.
          # NOTE(review): SYSTEM_ALIASES_PIPE_TRANSPORT is set to address_pipe
          # at the top of this file, which presumably lets "|command" entries
          # in the system alias file run through this transport - confirm, and
          # if so keep that alias file writable by root only.
  1580.   debug_print = "T: address_pipe for $local_part@$domain"
  1581.   driver = pipe
          # On failure, command output is returned to the message sender; avoid
          # commands whose error output reveals local paths or secrets.
  1582.   return_fail_output
  1583.  
  1584. #####################################################
  1585. ### end transport/30_exim4-config_address_pipe
  1586. #####################################################
  1587. #####################################################
  1588. ### transport/30_exim4-config_address_reply
  1589. #####################################################
  1590.  
  1591. # This transport is used for handling autoreplies generated by the filtering
  1592. # option of the userforward router.
  1593. #
  1594. address_reply:
          # Transport: autoreply driver with no options of its own; the reply
          # details are supplied by the filter that generated the address.
  1595.   debug_print = "T: autoreply for $local_part@$domain"
  1596.   driver = autoreply
  1597.  
  1598. #####################################################
  1599. ### end transport/30_exim4-config_address_reply
  1600. #####################################################
  1601. #####################################################
  1602. ### transport/30_exim4-config_mail_spool
  1603. #####################################################
  1604.  
  1605. ### transport/30_exim4-config_mail_spool
  1606.  
  1607. # This transport is used for local delivery to user mailboxes in traditional
  1608. # BSD mailbox format.
  1609. #
  1610. mail_spool:
          # Transport: append to a per-user mbox file under /var/mail.
  1611.   debug_print = "T: appendfile for $local_part@$domain"
  1612.   driver = appendfile
          # NOTE(review): the file name is built from $local_part. Exim 4.94
          # and later refuse tainted values in file names; check whether the
          # installed version needs $local_part_data here - TODO confirm.
  1613.   file = /var/mail/$local_part
  1614.   delivery_date_add
  1615.   envelope_to_add
  1616.   return_path_add
          # Mailboxes are created group "mail" with mode 0660, so members of
          # that group can read and write every mailbox delivered here.
  1617.   group = mail
  1618.   mode = 0660
          # false: an existing mailbox whose mode is narrower than 0660 is
          # delivered to as it is, instead of the delivery being deferred.
  1619.   mode_fail_narrower = false
  1620.  
  1621. #####################################################
  1622. ### end transport/30_exim4-config_mail_spool
  1623. #####################################################
  1624. #####################################################
  1625. ### transport/30_exim4-config_maildir_home
  1626. #####################################################
  1627.  
  1628. ### transport/30_exim4-config_maildir_home
  1629. #################################
  1630.  
  1631. # Use this instead of mail_spool if you want to deliver to Maildir in
  1632. # home-directory - change the definition of LOCAL_DELIVERY
  1633. #
  1634. maildir_home:
          # Transport: deliver into a Maildir, by default $home/Maildir. Each
          # MAILDIR_HOME_* macro overrides one setting; without them the
          # directory is mode 0700 and message files are mode 0600.
  1635.   debug_print = "T: maildir_home for $local_part@$domain"
  1636.   driver = appendfile
  1637.   .ifdef MAILDIR_HOME_MAILDIR_LOCATION
  1638.   directory = MAILDIR_HOME_MAILDIR_LOCATION
  1639.   .else
  1640.   directory = $home/Maildir
  1641.   .endif
          # Directory creation is off unless the macro is defined.
  1642.   .ifdef MAILDIR_HOME_CREATE_DIRECTORY
  1643.   create_directory
  1644.   .endif
  1645.   .ifdef MAILDIR_HOME_CREATE_FILE
  1646.   create_file = MAILDIR_HOME_CREATE_FILE
  1647.   .endif
  1648.   delivery_date_add
  1649.   envelope_to_add
  1650.   return_path_add
  1651.   maildir_format
          # NOTE(review): when overriding the two modes below, keep them
          # owner-only unless another account really has to read the mail.
  1652.   .ifdef MAILDIR_HOME_DIRECTORY_MODE
  1653.   directory_mode = MAILDIR_HOME_DIRECTORY_MODE
  1654.   .else
  1655.   directory_mode = 0700
  1656.   .endif
  1657.   .ifdef MAILDIR_HOME_MODE
  1658.   mode = MAILDIR_HOME_MODE
  1659.   .else
  1660.   mode = 0600
  1661.   .endif
  1662.   mode_fail_narrower = false
  1663.   # This transport always chdirs to $home before trying to deliver. If
  1664.   # $home is not accessible, this chdir fails and prevents delivery.
  1665.   # If you are in a setup where home directories might not be
  1666.   # accessible, uncomment the current_directory line below.
  1667.   # current_directory = /
  1668. #####################################################
  1669. ### end transport/30_exim4-config_maildir_home
  1670. #####################################################
  1671. #####################################################
  1672. ### transport/30_exim4-config_maildrop_pipe
  1673. #####################################################
  1674.  
  1675. maildrop_pipe:
          # Transport: pipe the message to /usr/bin/maildrop. No user or group
          # is set here, so they come from the router (the maildrop router
          # uses check_local_user).
  1676.   debug_print = "T: maildrop_pipe for $local_part@$domain"
  1677.   driver = pipe
          # Fixed search path for the command's environment, together with an
          # absolute command path, so nothing is resolved through an inherited
          # PATH.
  1678.   path = "/bin:/usr/bin:/usr/local/bin"
  1679.   command = "/usr/bin/maildrop"
          # Empty prefix and suffix: the message is passed without the text
          # the pipe transport would otherwise add before and after it.
  1680.   message_prefix =
  1681.   message_suffix =
  1682.   return_path_add
  1683.   delivery_date_add
  1684.   envelope_to_add
  1685.  
  1686. #####################################################
  1687. ### end transport/30_exim4-config_maildrop_pipe
  1688. #####################################################
  1689. #####################################################
  1690. ### transport/30_exim4-config_procmail_pipe
  1691. #####################################################
  1692.  
  1693. procmail_pipe:
          # Transport: pipe the message to /usr/bin/procmail. No user or group
          # is set here, so they come from the router that selects this
          # transport (not in this part of the file).
  1694.   debug_print = "T: procmail_pipe for $local_part@$domain"
  1695.   driver = pipe
          # Fixed search path and absolute command path, as in maildrop_pipe.
  1696.   path = "/bin:/usr/bin:/usr/local/bin"
  1697.   command = "/usr/bin/procmail"
  1698.   return_path_add
  1699.   delivery_date_add
  1700.   envelope_to_add
  1701.  
  1702. #####################################################
  1703. ### end transport/30_exim4-config_procmail_pipe
  1704. #####################################################
  1705. #####################################################
  1706. ### transport/30_exim4-config_remote_smtp
  1707. #####################################################
  1708.  
  1709. ### transport/30_exim4-config_remote_smtp
  1710. #################################
  1711. # This transport is used for delivering messages over SMTP connections.
  1712. # Refuse to send any message with over-long lines, which could have
  1713. # been received other than via SMTP. The use of message_size_limit to
  1714. # enforce this is a red herring.
  1715.  
  1716. remote_smtp:
          # Transport: direct SMTP delivery to remote hosts. Every option
          # except driver and debug_print is present only when the matching
          # macro is defined.
          # NOTE(review): no hosts_require_tls is set on this transport, so
          # nothing here forces TLS for outbound mail; treat delivery to
          # arbitrary remote hosts as possibly unencrypted.
  1717.   debug_print = "T: remote_smtp for $local_part@$domain"
  1718.   driver = smtp
          # Expands to a limit of 1 byte when the longest received line exceeds
          # 998 characters, so such a message is refused by this transport, and
          # to 0 (no limit) otherwise.
  1719. .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
  1720.   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  1721. .endif
          # Hosts listed in this macro are never offered TLS by this client;
          # keep the list as short as possible.
  1722. .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  1723.   hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
  1724. .endif
  1725. .ifdef REMOTE_SMTP_HEADERS_REWRITE
  1726.   headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  1727. .endif
  1728. .ifdef REMOTE_SMTP_RETURN_PATH
  1729.   return_path = REMOTE_SMTP_RETURN_PATH
  1730. .endif
  1731. .ifdef REMOTE_SMTP_HELO_DATA
  1732.   helo_data=REMOTE_SMTP_HELO_DATA
  1733. .endif
          # DKIM signing is enabled only through these macros.
  1734. .ifdef DKIM_DOMAIN
  1735. dkim_domain = DKIM_DOMAIN
  1736. .endif
  1737. .ifdef DKIM_SELECTOR
  1738. dkim_selector = DKIM_SELECTOR
  1739. .endif
          # NOTE(review): if DKIM_PRIVATE_KEY names a file, it should be
          # readable by the Exim run-time user only.
  1740. .ifdef DKIM_PRIVATE_KEY
  1741. dkim_private_key = DKIM_PRIVATE_KEY
  1742. .endif
  1743. .ifdef DKIM_CANON
  1744. dkim_canon = DKIM_CANON
  1745. .endif
  1746. .ifdef DKIM_STRICT
  1747. dkim_strict = DKIM_STRICT
  1748. .endif
  1749. .ifdef DKIM_SIGN_HEADERS
  1750. dkim_sign_headers = DKIM_SIGN_HEADERS
  1751. .endif
  1752. .ifdef TLS_DH_MIN_BITS
  1753. tls_dh_min_bits = TLS_DH_MIN_BITS
  1754. .endif
          # Optional client certificate and key for outbound TLS.
  1755. .ifdef REMOTE_SMTP_TLS_CERTIFICATE
  1756. tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
  1757. .endif
  1758. .ifdef REMOTE_SMTP_PRIVATEKEY
  1759. tls_privatekey = REMOTE_SMTP_PRIVATEKEY
  1760. .endif
  1761. #####################################################
  1762. ### end transport/30_exim4-config_remote_smtp
  1763. #####################################################
  1764. #####################################################
  1765. ### transport/30_exim4-config_remote_smtp_smarthost
  1766. #####################################################
  1767.  
  1768. ### transport/30_exim4-config_remote_smtp_smarthost
  1769. #################################
  1770.  
  1771. # This transport is used for delivering messages over SMTP connections
  1772. # to a smarthost. The local host tries to authenticate.
  1773. # This transport is used for smarthost and satellite configurations.
  1774. # Refuse to send any message with over-long lines, which could have
  1775. # been received other than via SMTP. The use of message_size_limit to
  1776. # enforce this is a red herring.
  1777.  
  1778. remote_smtp_smarthost:
          # Transport: SMTP delivery to a smarthost, with client authentication
          # attempted when CONFDIR/passwd.client has an entry for the host.
  1779.   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  1780.   driver = smtp
          # Same over-long-line guard as remote_smtp: a limit of 1 byte when a
          # received line exceeds 998 characters, 0 (no limit) otherwise.
  1781. .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
  1782.   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
  1783. .endif
          # "<;" switches the list separator to ";". The list holds
          # $host_address when passwd.client has an entry matching $host and
          # is empty otherwise. This is hosts_try_auth, not hosts_require_auth:
          # per the Exim documentation, delivery is still attempted
          # unauthenticated when authentication is not possible.
          # NOTE(review): passwd.client holds the smarthost password; it should
          # not be readable by ordinary users.
  1784.   hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
  1785.         {\
  1786.         ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}{$host_address}}\
  1787.         }\
  1788.         {} \
  1789.       }
  1790. .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  1791.   hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  1792. .endif
          # TLS to the smarthost is mandatory only when this macro is defined.
          # NOTE(review): since credentials are sent on this connection,
          # defining REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS for the smarthost
          # prevents a silent fallback to an unencrypted session.
  1793. .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  1794.   hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  1795. .endif
  1796. .ifdef REMOTE_SMTP_HEADERS_REWRITE
  1797.   headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
  1798. .endif
  1799. .ifdef REMOTE_SMTP_RETURN_PATH
  1800.   return_path = REMOTE_SMTP_RETURN_PATH
  1801. .endif
  1802. .ifdef REMOTE_SMTP_HELO_DATA
  1803.   helo_data=REMOTE_SMTP_HELO_DATA
  1804. .endif
  1805. .ifdef TLS_DH_MIN_BITS
  1806. tls_dh_min_bits = TLS_DH_MIN_BITS
  1807. .endif
  1808. .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  1809. tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  1810. .endif
  1811. .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
  1812. tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
  1813. .endif
  1814. #####################################################
  1815. ### end transport/30_exim4-config_remote_smtp_smarthost
  1816. #####################################################
  1817. #####################################################
  1818. ### transport/35_exim4-config_address_directory
  1819. #####################################################
  1820. # This transport is used for handling file addresses generated by alias
  1821. # or .forward files if the path ends in "/", which causes it to be treated
  1822. # as a directory name rather than a file name.
  1823.  
  1824. address_directory:
          # Transport: Maildir-format delivery into a directory. No directory
          # option is set here, so the path comes from the routed address.
  1825.   debug_print = "T: address_directory for $local_part@$domain"
  1826.   driver = appendfile
  1827.   delivery_date_add
  1828.   envelope_to_add
  1829.   return_path_add
          # Both strings are empty, so no line-escaping is applied to the
          # message body.
  1830.   check_string = ""
  1831.   escape_string = ""
  1832.   maildir_format
  1833.  
  1834. #####################################################
  1835. ### end transport/35_exim4-config_address_directory
  1836. #####################################################
  1837.  
  1838.  
  1839.  
  1840. #mailman---------------------- BEGIN EXIM4 TRANSPORT -------------------------
  1841. mailman_transport:
          # Transport: run the Mailman wrapper (MAILMAN_WRAP, defined at the top
          # of this file) as MAILMAN_USER:MAILMAN_GROUP with two arguments: the
          # action and the list name.
  1842.   debug_print = "T: mailman_transport for $local_part@$domain"
  1843.   driver = pipe
          # The action is the word after the leading "-" of the suffix with any
          # "+..." tail dropped (e.g. "-bounces+x" gives "bounces"), or "post"
          # when the address had no suffix. The list name is $local_part.
          # use_shell is not set, so per Exim's pipe transport documentation
          # the command is run directly rather than through a shell, and the
          # sender-supplied local part reaches the wrapper as one argument.
  1844.   command = MAILMAN_WRAP \
  1845.             '${if def:local_part_suffix \
  1846.                   {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
  1847.                   {post}}' \
  1848.             $local_part
  1849.   current_directory = MAILMAN_HOME
  1850.   home_directory = MAILMAN_HOME
  1851.   user = MAILMAN_USER
  1852.   group = MAILMAN_GROUP
          # If the wrapper cannot be executed, freeze the message instead of
          # bouncing it, so an installation fault does not bounce list traffic.
  1853.   freeze_exec_fail = true
  1854.  
  1855. mailman_loop_transport:
          # Transport: append mail for mailman-loop to the single file named by
          # MAILMAN_LOOP (defined at the top of this file), writing as
          # MAILMAN_USER:MAILMAN_GROUP.
          # NOTE(review): nothing here bounds the size of that file; confirm it
          # is rotated or monitored.
  1856.   driver = appendfile
  1857.   file = MAILMAN_LOOP
  1858.   delivery_date_add
  1859.   envelope_to_add
  1860.   return_path_add
  1861.   user = MAILMAN_USER
  1862.   group = MAILMAN_GROUP
  1863. #mailman----------------------  END EXIM4 TRANSPORT  -------------------------
  1864.  
  1865.  
  1866.  
  1867.  
  1868. #####################################################
  1869. ### retry/00_exim4-config_header
  1870. #####################################################
  1871.  
  1872. ######################################################################
  1873. #                      RETRY CONFIGURATION                           #
  1874. ######################################################################
  1875.  
  1876. begin retry
  1877.  
  1878. #####################################################
  1879. ### end retry/00_exim4-config_header
  1880. #####################################################
  1881. #####################################################
  1882. ### retry/30_exim4-config
  1883. #####################################################
  1884.  
  1885. ### retry/30_exim4-config
  1886. #################################
  1887.  
  1888. # This single retry rule applies to all domains and all errors. It specifies
  1889. # retries every 15 minutes for 2 hours, then increasing retry intervals,
  1890. # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
  1891. # hours, then retries every 6 hours until 4 days have passed since the first
  1892. # failed delivery.
  1893.  
  1894. # Please note that these rules only limit the frequency of retries, the
  1895. # effective retry-time depends on the frequency of queue-running, too.
  1896. # See QUEUEINTERVAL in /etc/default/exim4.
  1897.  
  1898. # Address or Domain    Error       Retries
  1899. # -----------------    -----       -------
  1900.  
  1901. *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
        # Rule letters: F = fixed retry interval, G = geometrically growing
        # interval; each item reads <letter>,<cutoff>,<interval>[,<factor>].
  1902.  
  1903. #####################################################
  1904. ### end retry/30_exim4-config
  1905. #####################################################
  1906. #####################################################
  1907. ### rewrite/00_exim4-config_header
  1908. #####################################################
  1909.  
  1910. ######################################################################
  1911. #                      REWRITE CONFIGURATION                         #
  1912. ######################################################################
  1913.  
  1914. begin rewrite
  1915.  
  1916. #####################################################
  1917. ### end rewrite/00_exim4-config_header
  1918. #####################################################
  1919. #####################################################
  1920. ### rewrite/31_exim4-config_rewriting
  1921. #####################################################
  1922.  
  1923. ### rewrite/31_exim4-config_rewriting
  1924. #################################
  1925.  
  1926. # This rewriting rule is particularly useful for dialup users who
  1927. # don't have their own domain, but could be useful for anyone.
  1928. # It looks up the real address of all local users in a file
  1929. .ifndef NO_EAA_REWRITE_REWRITE
        # Both rules look the local part up in /etc/email-addresses and leave
        # the address unchanged ("fail") when there is no entry. Flags:
        # F = envelope sender, f = From:, r = Reply-To:, s = Sender:.
        # NOTE(review): /etc/email-addresses decides which sender address
        # outgoing mail carries; keep it writable by root only.
  1930. *@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
  1931.                    {$value}fail}" Ffrs
  1932. # identical rewriting rule for /etc/mailname
  1933. *@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
  1934.                    {$value}fail}" Ffrs
  1935. .endif
  1936.  
  1937.  
  1938. #####################################################
  1939. ### end rewrite/31_exim4-config_rewriting
  1940. #####################################################
  1941. #####################################################
  1942. ### auth/00_exim4-config_header
  1943. #####################################################
  1944.  
  1945. ######################################################################
  1946. #                   AUTHENTICATION CONFIGURATION                     #
  1947. ######################################################################
  1948.  
  1949. begin authenticators
  1950.  
  1951.  
  1952. #####################################################
  1953. ### end auth/00_exim4-config_header
  1954. #####################################################
  1955. #####################################################
  1956. ### auth/30_exim4-config_examples
  1957. #####################################################
  1958.  
  1959. ### auth/30_exim4-config_examples
  1960. #################################
  1961.  
  1962. # The examples below are for server side authentication, when the
  1963. # local exim is SMTP server and clients authenticate to the local exim.
  1964.  
  1965. # They allow two styles of plain-text authentication against a
  1966. # CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
  1967.  
  1968. # Hosts that are allowed to use AUTH are defined by the
  1969. # auth_advertise_hosts option in the main configuration. The default is
  1970. # "*", which allows authentication to all hosts over all kinds of
  1971. # connections if there is at least one authenticator defined here.
  1972. # Authenticators which rely on unencrypted clear text passwords don't
  1973. # advertise on unencrypted connections by default. Thus, it might be
  1974. # wise to set up TLS to allow encrypted connections. If TLS cannot be
  1975. # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
  1976. # advertise unencrypted clear text password based authenticators on all
  1977. # connections. As this is severely reducing security, using TLS is
  1978. # preferred over allowing clear text password based authenticators on
  1979. # unencrypted connections.
  1980.  
  1981. # PLAIN authentication has no server prompts. The client sends its
  1982. # credentials in one lump, containing an authorization ID (which we do not
  1983. # use), an authentication ID, and a password. The latter two appear as
  1984. # $auth2 and $auth3 in the configuration and should be checked against a
  1985. # valid username and password. In a real configuration you would typically
  1986. # use $auth2 as a lookup key, and compare $auth3 against the result of the
  1987. # lookup, perhaps using the crypteq{}{} condition.
  1988.  
  1989. # plain_server:
  1990. #   driver = plaintext
  1991. #   public_name = PLAIN
  1992. #   server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  1993. #   server_set_id = $auth2
  1994. #   server_prompts = :
  1995. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  1996. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  1997. #   .endif
  1998.  
  1999. # LOGIN authentication has traditional prompts and responses. There is no
  2000. # authorization ID in this mechanism, so unlike PLAIN the username and
  2001. # password are $auth1 and $auth2. Apart from that you can use the same
  2002. # server_condition setting for both authenticators.
  2003.  
  2004. # login_server:
  2005. #   driver = plaintext
  2006. #   public_name = LOGIN
  2007. #   server_prompts = "Username:: : Password::"
  2008. #   server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  2009. #   server_set_id = $auth1
  2010. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2011. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2012. #   .endif
  2013. #
  2014. # cram_md5_server:
  2015. #   driver = cram_md5
  2016. #   public_name = CRAM-MD5
  2017. #   server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
  2018. #   server_set_id = $auth1
  2019.  
  2020. # Here is an example of CRAM-MD5 authentication against PostgreSQL:
  2021. #
  2022. # psqldb_auth_server:
  2023. #   driver = cram_md5
  2024. #   public_name = CRAM-MD5
  2025. #   server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
  2026. #   server_set_id = $auth1
  2027.  
  2028. # Authenticate against local passwords using sasl2-bin
  2029. # Requires exim_uid to be a member of sasl group, see README.Debian.gz
  2030.  plain_saslauthd_server:
           # Server-side AUTH PLAIN, active in this configuration. $auth2 (user)
           # and $auth3 (password) are handed to saslauthd, which per the
           # comment above checks them against local account passwords.
  2031.    driver = plaintext
  2032.    public_name = PLAIN
  2033.    server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
  2034.    server_set_id = $auth2
  2035.    server_prompts = :
           # Yields "" (do not advertise) when $tls_in_cipher is empty and "*"
           # (advertise) once TLS is active, so PLAIN is offered only on
           # encrypted connections unless the NOTLS macro is defined.
           # NOTE(review): these are system account passwords; leave
           # AUTH_SERVER_ALLOW_NOTLS_PASSWORDS undefined, and confirm that
           # failed AUTH attempts are rate-limited elsewhere (ACL or log-based
           # blocking), which this section does not do.
  2036.    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2037.    server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2038.    .endif
  2039. #
  2040.  login_saslauthd_server:
           # Server-side AUTH LOGIN, active in this configuration. Here the
           # user name is $auth1 and the password $auth2; both are passed to
           # saslauthd for checking.
  2041.    driver = plaintext
  2042.    public_name = LOGIN
  2043.    server_prompts = "Username:: : Password::"
  2044.    # don't send system passwords over unencrypted connections
  2045.    server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
  2046.    server_set_id = $auth1
           # This is the setting that keeps passwords off unencrypted
           # connections: LOGIN is advertised only when $tls_in_cipher is
           # non-empty, unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined.
           # NOTE(review): leave that macro undefined on any host that
           # authenticates system accounts.
  2047.    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2048.    server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2049.    .endif
  2050. #
  2051. # ntlm_sasl_server:
  2052. #   driver = cyrus_sasl
  2053. #   public_name = NTLM
  2054. #   server_realm = <short main hostname>
  2055. #   server_set_id = $auth1
  2056. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2057. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2058. #   .endif
  2059. #
  2060. # digest_md5_sasl_server:
  2061. #   driver = cyrus_sasl
  2062. #   public_name = DIGEST-MD5
  2063. #   server_realm = <short main hostname>
  2064. #   server_set_id = $auth1
  2065. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2066. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2067. #   .endif
  2068.  
  2069. # Authenticate against cyrus-sasl
  2070. # This is mainly untested, please report any problems to
  2071. # pkg-exim4-users@lists.alioth.debian.org.
  2072. # cram_md5_sasl_server:
  2073. #   driver = cyrus_sasl
  2074. #   public_name = CRAM-MD5
  2075. #   server_realm = <short main hostname>
  2076. #   server_set_id = $auth1
  2077. #
  2078. # plain_sasl_server:
  2079. #   driver = cyrus_sasl
  2080. #   public_name = PLAIN
  2081. #   server_realm = <short main hostname>
  2082. #   server_set_id = $auth1
  2083. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2084. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2085. #   .endif
  2086. #
  2087. # login_sasl_server:
  2088. #   driver = cyrus_sasl
  2089. #   public_name = LOGIN
  2090. #   server_realm = <short main hostname>
  2091. #   server_set_id = $auth1
  2092. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2093. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2094. #   .endif
  2095.  
  2096. # Authenticate against courier authdaemon
  2097.  
  2098. # This is now the (working!) example from
  2099. # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
  2100. # Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
  2101. # plain_courier_authdaemon:
  2102. #   driver = plaintext
  2103. #   public_name = PLAIN
  2104. #   server_condition = \
  2105. #     ${extract {ADDRESS} \
  2106. #               {${readsocket{/var/run/courier/authdaemon/socket} \
  2107. #               {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
  2108. #               {yes} \
  2109. #               fail}
  2110. #   server_set_id = $auth2
  2111. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2112. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2113. #   .endif
  2114.  
  2115. # login_courier_authdaemon:
  2116. #   driver = plaintext
  2117. #   public_name = LOGIN
  2118. #   server_prompts = Username:: : Password::
  2119. #   server_condition = \
  2120. #     ${extract {ADDRESS} \
  2121. #               {${readsocket{/var/run/courier/authdaemon/socket} \
  2122. #               {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
  2123. #               {yes} \
  2124. #               fail}
  2125. #   server_set_id = $auth1
  2126. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2127. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2128. #   .endif
  2129.  
  2130. # This one is a bad hack to support the broken version 4.xx of
  2131. # Microsoft Outlook Express which violates the RFCs by demanding
  2132. # "250-AUTH=" instead of "250-AUTH ".
  2133. # If your list of offered authenticators is other than PLAIN and LOGIN,
  2134. # you need to adapt the public_name line manually.
  2135. # It has to be the last authenticator to work and has not been tested
  2136. # well. Use at your own risk.
  2137. # See the thread entry point from
  2138. # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
  2139. # for the related discussion on the exim-users mailing list.
  2140. # Thanks to Fred Viles for this great work.
  2141.  
  2142. # support_broken_outlook_express_4_server:
  2143. #   driver = plaintext
  2144. #   public_name = "\r\n250-AUTH=PLAIN LOGIN"
  2145. #   server_prompts = User Name : Password
  2146. #   server_condition = no
  2147. #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  2148. #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
  2149. #   .endif
  2150.  
  2151. ##############
  2152. # See /usr/share/doc/exim4-base/README.Debian.gz
  2153. ##############
  2154.  
  2155. # The examples below are the client-side equivalents of the server-side
  2156. # authenticators. They get the passwords from CONFDIR/passwd.client,
  2157. # whose format is defined in exim4_passwd_client(5).
  2158.  
  2159. # Because AUTH PLAIN and AUTH LOGIN send the password in clear text, we
  2160. # only allow these mechanisms over encrypted connections by default.
  2161. # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow clear text
  2162. # password authentication on unencrypted connections as well.
  2163.  
  2164. cram_md5:
          # Client-side CRAM-MD5 authenticator. Both options look up $host in
          # CONFDIR/passwd.client: client_name is field 1 and client_secret is
          # field 2 of the colon-separated value. The trailing "fail" forces an
          # expansion failure when no entry matches $host.
          # NOTE(review): unlike the plain and login authenticators, this block
          # has no $tls_out_cipher condition, so it is also used on unencrypted
          # connections. CRAM-MD5 does not send the password itself, but a
          # recorded exchange is open to offline password guessing, so the
          # secret should be long and random if TLS is not guaranteed.
          # NOTE(review): extract{2}{:} stops at the next colon, so a secret
          # containing ':' would presumably be cut short here -- confirm.
          # NOTE(review): passwd.client holds the secrets in clear text; its
          # owner and mode should keep it unreadable to ordinary users --
          # confirm against exim4_passwd_client(5).
  2165.   driver = cram_md5
  2166.   public_name = CRAM-MD5
  2167.   client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
  2168.   client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
  2169.  
  2170. # This macro expands to the passwd.client value looked up for $host, with
        # every ^ doubled to ^^. The plaintext driver's client_send turns a
        # single ^ into a NUL byte, so a literal ^ in a login or password has
        # to be written as ^^ to be sent unchanged. The trailing "fail" makes
        # the expansion a forced failure when no entry matches $host.
  2171. PASSWDLINE=${sg{\
  2172.                 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
  2173.                 }\
  2174.                 {\\N[\\^]\\N}\
  2175.                 {^^}\
  2176.             }
  2177.  
  2178. plain:
          # Client-side AUTH PLAIN. The single client_send item has the form
          # ^<login>^<password>: field 1 of the looked-up passwd.client value,
          # then everything after its first colon (so the password itself may
          # contain colons). Each leading ^ is sent as a NUL byte.
  2179.   driver = plaintext
  2180.   public_name = PLAIN
  2181. .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
          # Default: the credentials are produced only when $tls_out_cipher is
          # non-empty; on an unencrypted connection the expansion is forced to
          # fail, so the password is not sent in clear text.
          # NOTE(review): a non-empty $tls_out_cipher shows that the session is
          # encrypted, not that the server certificate was verified. Where that
          # matters, require verification for these hosts on the smtp
          # transport (tls_verify_hosts) -- confirm against the transport
          # section of this configuration.
  2182.   client_send = "<; ${if !eq{$tls_out_cipher}{}\
  2183.                     {^${extract{1}{:}{PASSWDLINE}}\
  2184.                      ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
  2185.                    }fail}"
  2186. .else
          # AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is defined: there is no TLS check,
          # so the password is sent in clear text on unencrypted connections.
  2187.   client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
  2188.                     ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
  2189. .endif
  2190.  
  2191. login:
          # Client-side AUTH LOGIN. client_send is a ';'-separated list ("<;")
          # of three items: an empty first item (or a forced failure), then the
          # login (field 1 of the looked-up passwd.client value), then the
          # password (everything after the first colon of that value).
          # NOTE(review): the extract separator is written {::} here but {:} in
          # the plain authenticator; presumably equivalent -- confirm.
  2192.   driver = plaintext
  2193.   public_name = LOGIN
  2194. .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
  2195.   # First item: the empty string if the connection is TLS-encrypted AND
  2196.   # looking up $host in the passwd file yields a non-empty string;
          # forced failure otherwise, so no credentials are sent in clear text.
          # NOTE(review): a non-empty $tls_out_cipher does not show that the
          # server certificate was verified -- check the smtp transport's
          # tls_verify_hosts setting if that matters for these hosts.
  2197.   client_send = "<; ${if and{\
  2198.                           {!eq{$tls_out_cipher}{}}\
  2199.                           {!eq{PASSWDLINE}{}}\
  2200.                          }\
  2201.                       {}fail}\
  2202.                  ; ${extract{1}{::}{PASSWDLINE}}\
  2203.                  ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
  2204. .else
  2205.   # First item: the empty string if looking up $host in the passwd file
  2206.   # yields a non-empty string; forced failure otherwise. There is no TLS
          # check in this branch, so the password is sent in clear text on
          # unencrypted connections.
  2207.   client_send = "<; ${if !eq{PASSWDLINE}{}\
  2208.                       {}fail}\
  2209.                  ; ${extract{1}{::}{PASSWDLINE}}\
  2210.                  ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
  2211. .endif
  2212. #####################################################
  2213. ### end auth/30_exim4-config_examples
  2214. #####################################################
