-### acl/20_exim4-config_whitelist_local_deny
+### acl/20_exim4-config_local_deny_exceptions
#################################
# This is used to determine whitelisted senders and hosts.
-# It checks for CONFDIR/local_host_whitelist and
-# CONFDIR/local_sender_whitelist.
+# It checks for CONFDIR/host_local_deny_exceptions and
+# CONFDIR/sender_local_deny_exceptions.
#
# It is meant to be used from some other acl entry.
#
#
# If the files do not exist, the white list never matches, which is
# the desired behaviour.
+#
+# The old file names CONFDIR/local_host_whitelist and
+# CONFDIR/local_sender_whitelist will continue to be honored for a
+# transition period. Their use is deprecated.
-acl_whitelist_local_deny:
+acl_local_deny_exceptions:
+ accept
+ hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
+ {CONFDIR/host_local_deny_exceptions}\
+ {}}
+ accept
+ senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
+ {CONFDIR/sender_local_deny_exceptions}\
+ {}}
accept
hosts = ${if exists{CONFDIR/local_host_whitelist}\
{CONFDIR/local_host_whitelist}\
# modify this file. If you do it like we suggest, you'll end up with
# a small performance penalty since there is an additional file being
# accessed. This doesn't happen if you leave the macro unset.
+ .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .endif
+
+ # this is still supported for a transition period and is deprecated.
.ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
.endif
# testing for an empty sending host field.
accept
hosts = :
+ control = dkim_disable_verify
+ # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
+ # or DISABLE_DKIM_VERIFY are set.
+.ifdef DC_minimaldns
+ warn
+ control = dkim_disable_verify
+.else
+.ifdef DISABLE_DKIM_VERIFY
+ warn
+ control = dkim_disable_verify
+.endif
+.endif
# The following section of the ACL is concerned with local parts that contain
# certain non-alphanumeric characters. Dots in unusual places are
# done to the smarthost. Verification will thus only be reliable if the
# smarthost does reject illegal addresses in the SMTP dialog.
deny
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
senders = ${if exists{CONFDIR/local_sender_callout}\
{CONFDIR/local_sender_callout}\
{}}
accept
hosts = +relay_from_hosts
control = submission/sender_retain
+ control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
accept
authenticated = *
control = submission/sender_retain
+ control = dkim_disable_verify
# Insist that any other recipient address that we accept is either in one of
# domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
deny
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
recipients = ${if exists{CONFDIR/local_rcpt_callout}\
{CONFDIR/local_rcpt_callout}\
{}}
# the black list. See exim4-config_files(5) for details.
deny
message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
senders = ${if exists{CONFDIR/local_sender_blacklist}\
{CONFDIR/local_sender_blacklist}\
{}}
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ # the black list. See exim4-config_files(5) for details.
deny
message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
{}}
# as well as outright failures.
.ifdef CHECK_RCPT_REVERSE_DNS
warn
- message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
- condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
+ condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
{yes}{no}}
+ log_message = Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
+ add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
.endif
#
# This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
# enable if that's an issue. Also note that if you enable this, you must
- # install "libmail-spf-query-perl" which provides the spfquery command.
- # Missing libmail-spf-query-perl will trigger the "Unexpected error in
+ # install "spf-tools-perl" which provides the spfquery command.
+ # Missing spf-tools-perl will trigger the "Unexpected error in
# SPF check" warning.
.ifdef CHECK_RCPT_SPF
deny
- message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+ Please see \
+ http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+ {mfrom}{helo}};identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};ip=$sender_host_address
log_message = SPF check failed.
- condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
- {no}{${if eq {$runrc}{1}{yes}{no}}}}
+ !acl = acl_local_deny_exceptions
+ condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+ ${quote:$sender_host_address} --identity \
+ ${if def:sender_address_domain \
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
+ {no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
message = Temporary DNS error while checking SPF record. Try again later.
+ !acl = acl_local_deny_exceptions
condition = ${if eq {$runrc}{5}{yes}{no}}
warn
- message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
- {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
condition = ${if <={$runrc}{6}{yes}{no}}
+ add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
+ {${if eq {$runrc}{2}{softfail}\
+ {${if eq {$runrc}{3}{neutral}\
+ {${if eq {$runrc}{4}{permerror}\
+ {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+ } client-ip=$sender_host_address; \
+ ${if def:sender_address_domain \
+ {envelope-from=${sender_address}; }{}}\
+ helo=$sender_helo_name
warn
log_message = Unexpected error in SPF check.
condition = ${if >{$runrc}{6}{yes}{no}}
-
- # Support for best-guess (see http://www.openspf.org/developers-guide.html)
- warn
- message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
- {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
- {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
- condition = ${if <={$runrc}{6}{yes}{no}}
-
- defer
- message = Temporary DNS error while checking SPF record. Try again later.
- condition = ${if eq {$runrc}{5}{yes}{no}}
.endif
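Review bot: The spfquery command at L138-L142 passes `--identity` twice: the bare `--identity \` on L139 is followed directly by the `--scope … --identity …` branch of the `${if}`, so the first `--identity` has no value of its own and what spfquery does with `--identity --scope` depends on its option parser rather than on this configuration. Dropping the stray token, `${quote:$sender_host_address} \`, leaves each branch supplying exactly one `--scope` and one `--identity`. The `${quote:}` wrappers are what keep the client-controlled HELO name and envelope sender from being split into extra arguments of the `${run}` command, so keep them on every substituted value. The `.ifdef CHECK_RCPT_SPF` block closes at L175.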
# : rhsbl.bar.org/$sender_address_domain
.ifdef CHECK_RCPT_DOMAIN_DNSBLS
warn
- message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
!senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
{CONFDIR/local_domain_dnsbl_whitelist}\
{}}
dnslists = CHECK_RCPT_DOMAIN_DNSBLS
+ add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
.endif
.ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
deny
message = Message headers fail syntax check
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
!verify = header_syntax
.endif
.ifdef CHECK_DATA_VERIFY_HEADER_SENDER
deny
message = No verifiable sender address in message headers
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
!verify = header_sender
.endif
#
# warn
# spam = Debian-exim:true
- # message = X-Spam_score: $spam_score\n\
+ # add_header = X-Spam_score: $spam_score\n\
# X-Spam_score_int: $spam_score_int\n\
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report
# local exim is SMTP server and clients authenticate to the local exim.
# They allow two styles of plain-text authentication against an
-# CONFDIR/passwd file whose syntax is described in exim_passwd(5).
+# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
# Hosts that are allowed to use AUTH are defined by the
# auth_advertise_hosts option in the main configuration. The default is
# server_set_id = $auth2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
# LOGIN authentication has traditional prompts and responses. There is no
# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
#
# cram_md5_server:
# server_set_id = $auth2
# server_prompts = :
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
#
# login_saslauthd_server:
# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
#
# ntlm_sasl_server:
# server_realm = <short main hostname>
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
#
# digest_md5_sasl_server:
# server_realm = <short main hostname>
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
# Authentcate against cyrus-sasl
# server_realm = <short main hostname>
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
#
# login_sasl_server:
# server_realm = <short main hostname>
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
# Authenticate against courier authdaemon
# fail}
# server_set_id = $auth2
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
# login_courier_authdaemon:
# fail}
# server_set_id = $auth1
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
# This one is a bad hack to support the broken version 4.xx of
# server_prompts = User Name : Password
# server_condition = no
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
##############
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
-cram_md5:
- driver = cram_md5
- public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+# cram_md5:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+# client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-# hcoop-change: Authenticate against either /etc/courier/exim.dat or
-# SASL for plain and login authenticators
+# # this returns the matching line from passwd.client and doubles all ^
+# PASSWDLINE=${sg{\
+# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
+# }\
+# {\\N[\\^]\\N}\
+# {^^}\
+# }
+# hcoop-change: auth against sasld
hcoop_plain:
driver = plaintext
public_name = PLAIN
}}{|}{ }}}}}} \
{saslauthd {{$auth2}{$auth3}{exim4}}}}}
server_set_id = $auth2
- server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+ server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
hcoop_login:
driver = plaintext
}}{|}{ }}}}}} \
{saslauthd {{$auth1}{$auth2}{exim4}}}}}
server_set_id = $auth1
- server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
-
-# this returns the matching line from passwd.client and doubles all ^
-PASSWDLINE=${sg{\
- ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
- }\
- {\\N[\\^]\\N}\
- {^^}\
- }
+ server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# hcoop-change: Comment out plain and login authenticators
# driver = plaintext
# public_name = PLAIN
# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-# client_send = "<; ${if !eq{$tls_cipher}{}\
+# client_send = "<; ${if !eq{$tls_out_cipher}{}\
# {^${extract{1}{:}{PASSWDLINE}}\
# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
# }fail}"
# # Return empty string if not non-TLS AND looking up $host in passwd-file
# # yields a non-empty string; fail otherwise.
# client_send = "<; ${if and{\
-# {!eq{$tls_cipher}{}}\
+# {!eq{$tls_out_cipher}{}}\
# {!eq{PASSWDLINE}{}}\
# }\
# {}fail}\
# {}fail}\
# ; ${extract{1}{::}{PASSWDLINE}}\
# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .endif
+# .endif
\ No newline at end of file
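Review bot: After this hunk no client-side authenticator remains in view: `cram_md5` (L300-L304) is now commented out and the plain/login client authenticators at L343-L362 were already comments, yet `remote_smtp_smarthost` still derives `hosts_try_auth` from CONFDIR/passwd.client (L766). If no client authenticator is defined elsewhere, authentication to the smarthost is silently never attempted and relaying through it depends solely on the smarthost's own host-based policy. If dropping CRAM-MD5 is intentional, say so where the block was, e.g. `# hcoop-change: no client authenticators remain; hosts_try_auth in remote_smtp_smarthost is a no-op`; otherwise keep one authenticator active. The server-side `server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}` on hcoop_plain/hcoop_login (L327, L342) correctly keeps the clear-text mechanisms unadvertised on non-TLS sessions.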
-
######################################################################
# Runtime configuration file for Exim 4 (Debian Packaging) #
######################################################################
# If you find this comment anywhere else, somebody copied it there.
# Documentation about the Debian exim4 configuration scheme can be
# found in /usr/share/doc/exim4-base/README.Debian.gz.
-#
-# Strings like DEBCONFsomethingDEBCONF are replaced by installation
-# dependent values by update-exim4.conf, the script which builds the
-# actual configuration from the templates.
######################################################################
######################################################################
CONFDIR = /etc/exim4
.endif
-# This sets a macro DC_minimaldns if dc_minimaldns=true. If
-# dc_minimaldns=false, this expands to an empty line.
-.ifndef DC_minimaldns
-DEBCONFminimaldnsDEBCONF
-.endif
-
-# Create other macros from Debconf. Macros created here are used in
-# other places in exim config.
-.ifndef DC_visiblename
-DC_visiblename=DEBCONFvisiblenameDEBCONF
-.endif
+# debconf-driven macro definitions get inserted after this line
+UPEX4CmacrosUPEX4C = 1
# Create domain and host lists for relay control
# '@' refers to 'the name of the local host'
# List of domains considered local for exim. Domains not listed here
# need to be deliverable remotely.
-# hcoop-change: comment out
-#.ifndef MAIN_LOCAL_DOMAINS
-#MAIN_LOCAL_DOMAINS = DEBCONFlocal_domainsDEBCONF
-#.endif
-#domainlist local_domains = MAIN_LOCAL_DOMAINS
+# hcoop-change: comment out, provided by domtool
+# domainlist local_domains = MAIN_LOCAL_DOMAINS
# List of recipient domains to relay _to_. Use this list if you're -
# for example - fallback MX or mail gateway for domains.
-# hcoop-change: comment out
-#.ifndef MAIN_RELAY_TO_DOMAINS
-#MAIN_RELAY_TO_DOMAINS = DEBCONFrelay_domainsDEBCONF
-#.endif
-#domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
+# hcoop-change: comment out, provided by domtool
+# domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
# hcoop-change: List of domains that accept mail from local users.
# Mail sent to other domains we manage will be transformed into a
# List of sender networks (IP addresses) to _unconditionally_ relay
# _for_. If you intend to be SMTP AUTH server, you do not need to enter
# anything here.
-.ifndef MAIN_RELAY_NETS
-MAIN_RELAY_NETS = DEBCONFrelay_netsDEBCONF
-.endif
hostlist relay_from_hosts = MAIN_RELAY_NETS
-# Specify the domain you want to be added to all unqualified addresses
-# here. Unqualified addresses are accepted only from local callers by
-# default. The recipient_unqualified_hosts option can be used to permit
-# unqualified addresses from remote sources.
-# If qualify_domain is not set, the primary_hostname value is used for
-# qualification.
-# The ifdef bracket makes sure that an empty debconf value is correctly
-# translated to "unset".
-.ifdef DC_visiblename
-qualify_domain = DC_visiblename
-.endif
-
-# only used for satellite-system
-.ifndef DCreadhost
-DCreadhost = DEBCONFreadhostDEBCONF
+# Decide which domain to use to add to all unqualified addresses.
+# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
+# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
+# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
+# the first line of /etc/mailname is used.
+.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
+.ifndef MAIN_QUALIFY_DOMAIN
+qualify_domain = ETC_MAILNAME
+.else
+qualify_domain = MAIN_QUALIFY_DOMAIN
.endif
-
-#for satellite and smarthost-systems
-.ifndef DCsmarthost
-DCsmarthost = DEBCONFsmarthostDEBCONF
.endif
# listen on all all interfaces?
.ifdef MAIN_LOCAL_INTERFACES
local_interfaces = MAIN_LOCAL_INTERFACES
-.else
-DEBCONFlistenonpublicDEBCONF
.endif
.ifndef LOCAL_DELIVERY
# The default transport, set in /etc/exim4/update-exim4.conf.conf,
# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
-LOCAL_DELIVERY=DEBCONFlocaldeliveryDEBCONF
+LOCAL_DELIVERY=mail_spool
.endif
# The gecos field in /etc/passwd holds not only the name. see passwd(5).
gecos_pattern = ^([^,:]*)
gecos_name = $1
-
-# define a macro DCconfig_smarthost, DCconfig_satellite, etc. we need this
-# for .ifdef ... .endif
-.ifndef DCconfig_satellite
-.ifndef DCconfig_internet
-.ifndef DCconfig_local
-.ifndef DCconfig_smarthost
-DCconfig_DEBCONFconfigtypeDEBCONF = 1
-.endif
-.endif
-.endif
-.endif
-
-
# define macros to be used in acl/30_exim4-config_check_rcpt to check
# recipient local parts for strange characters.
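Review bot: Removing the `.ifndef MAIN_RELAY_NETS` default (L419-L421) leaves `hostlist relay_from_hosts = MAIN_RELAY_NETS` at L422 with no fallback in this file, and the same applies to DCreadhost and DCsmarthost (L436-L452), which the smarthost routers still reference (L580, L607, L609). Presumably update-exim4.conf now injects these after the `UPEX4CmacrosUPEX4C = 1` marker at L393, but when a macro is absent Exim does not treat the name as empty, it leaves the literal word in place, so the relay list would hold a host name `MAIN_RELAY_NETS` to be looked up rather than an empty list. A guard that fails closed is cheap: `.ifndef MAIN_RELAY_NETS` / `MAIN_RELAY_NETS =` / `.endif`, which yields an empty relay list when nothing is injected.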
# scanners. The second modification is in the acl_check_data access
# control list.
-# av_scanner = clamd:/tmp/clamd
+# av_scanner = clamd:/var/run/clamav/clamd.ctl
# For spam scanning, there is a similar option that defines the interface to
# in the default config since it is seldomly used and frequently abused.
# Domain literal support also needs a special router, which is automatically
# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
+# Additionally, you might want to make your local IP addresses (or @[])
+# local domains.
.ifdef MAIN_ALLOW_DOMAIN_LITERALS
allow_domain_literals
.endif
# In a minimaldns setup, update-exim4.conf guesses the hostname and
# dumps it here to avoid DNS lookups being done at Exim run time.
-DEBCONF_hardcode_primary_hostname_DEBCONF
+.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
+primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
+.endif
# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s
+# When using an external relay tester (such as rt.njabl.org and/or the
+# currently defunct relay-test.mail-abuse.org, the test may be aborted
+# since exim complains about "too many nonmail commands". If you want
+# the test to complete, add the host from where "your" relay tester
+# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
+# Please note that a non-empty setting may cause extra DNS lookups to
+# happen, which is the reason why this option is commented out in the
+# default settings.
+# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
+.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
+smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
+.endif
# By default, exim forces a Sender: header containing the local
# account name at the local host name in all locally submitted messages
# SMTP Banner. The example includes the Debian version in the SMTP dialog
-# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package DEBCONFpackageversionDEBCONF) ${tod_full}"
+# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
-
# hcoop-change: raise limit for incoming SMTP connections
smtp_accept_max = 45
### main/03_exim4-config_tlsoptions
#################################
-# TLS/SSL configuration.
+# TLS/SSL configuration for exim as an SMTP server.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
-
.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
-.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
-MAIN_TLS_TRY_VERIFY_HOSTS = *
-.endif
+# By default, this check is done for all hosts. It is known that some
+# clients (including incredimail's version downloadable in February
+# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
+# empty value.
+.ifdef MAIN_TLS_TRY_VERIFY_HOSTS
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
+.endif
.endif
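Review bot: The comment added at L544-L547 says the try-verify check is done for all hosts by default, but the code after it only sets `tls_try_verify_hosts` when `MAIN_TLS_TRY_VERIFY_HOSTS` is defined (L548-L550); with the removed `.ifndef` default (L541-L543) gone, an undefined macro leaves Exim's own default, which requests no client certificate at all, unless the macro is injected elsewhere, which this hunk does not show. Either restore the default or correct the comment, e.g. `# tls_try_verify_hosts is only set when MAIN_TLS_TRY_VERIFY_HOSTS is defined; leave the macro undefined to skip the check.` Since `tls_try_verify_hosts` never rejects a client, the practical effect of the mismatch is that `verify = certificate` in ACLs stops carrying information, not a lost rejection.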
# switch to Mailman's configure script.
# Value is normally "mailman"
MAILMAN_USER=list
-MAILMAN_GROUP=list
+MAILMAN_GROUP=daemon
# These values are derived from the ones above and should not need
# editing unless you have munged your mailman installation
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
-# Please note that these rules only limit the frequenzy of retries, the
-# effective retry-time depends on the frequenzy of queue-running, too.
+# Please note that these rules only limit the frequency of retries, the
+# effective retry-time depends on the frequency of queue-running, too.
# See QUEUEINTERVAL in /etc/default/exim4.
# hcoop-change: Customize all of this to not penalize local users so
# This rewriting rule is particularily useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file
+.ifndef NO_EAA_REWRITE_REWRITE
*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
{$value}fail}" Ffrs
# identical rewriting rule for /etc/mailname
-DEBCONFrewriteemailaddresses_mailnameDEBCONF
+*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
+ {$value}fail}" Ffrs
+.endif
domains = ! +local_domains
transport = remote_smtp_smarthost
route_list = * DCsmarthost byname
- host_find_failed = defer
+ host_find_failed = ignore
same_domain_copy_routing = yes
no_more
# processing. This can be used to inform a user of a broken .forward
# file, for example. The userforward router does this.
+COND_LOCAL_SUBMITTER = "\
+ ${if match_ip{$sender_host_address}{:@[]}\
+ {1}{0}\
+ }"
# hcoop-change: Use unix_domains rather than local_domains.
real_local:
debug_print = "R: real_local for $local_part@$domain"
driver = accept
+# hcoop-change: disable local submitter test, this rejects from trusted relay hosts
+# condition = COND_LOCAL_SUBMITTER
domains = +unix_domains
local_part_prefix = real-
check_local_user
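Review bot: Commenting out `condition = COND_LOCAL_SUBMITTER` (L595-L596) makes the `real-` prefix on `real_local` reachable from any SMTP client, not just local submitters; a remote sender addressing `real-<user>` is then delivered straight to the mailbox, bypassing the system_aliases and userforward routers (and any .forward filter) that normally run first. The hcoop comment says the check rejected trusted relay hosts, so the narrower fix is to extend the list rather than drop the test, e.g. `condition = ${if match_ip{$sender_host_address}{:@[]:+relay_from_hosts}{1}{0}}` (match_ip only honours a named host list whose items are IP addresses or CIDR networks). COND_LOCAL_SUBMITTER is defined at L587-L590 in this hunk; the real_local router continues past L599.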
# /usr/share/doc/exim4-base/README.Debian.gz
# for explanation and some workarounds.
+# hcoop-change: unix_domains instead of local_domains
+
system_aliases:
debug_print = "R: system_aliases for $local_part@$domain"
driver = redirect
domains = DCreadhost
transport = remote_smtp_smarthost
route_list = * DCsmarthost byname
- host_find_failed = defer
+ host_find_failed = ignore
same_domain_copy_routing = yes
check_local_user
.endif
# The four transports specified at the end are those that are used when
# forwarding generates a direct delivery to a directory, or a file, or to a
# pipe, or sets up an auto-reply, respectively.
-
+#
# hcoop-change: Use unix_domains rather than local_domains. Use
# .public/.forward rather than .forward. Do not verify the owner and
# group of the .forward file.
check_ancestor
allow_filter
forbid_smtp_code = true
-# forbid_filter_run = true
-# forbid_pipe = true
directory_transport = address_directory
file_transport = address_file
pipe_transport = address_pipe
--- /dev/null
+
+### router/850_exim4-config_lowuid
+#################################
+
+.ifndef FIRST_USER_ACCOUNT_UID
+FIRST_USER_ACCOUNT_UID = 0
+.endif
+
+.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
+DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
+.endif
+
+COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
+ ${if and{{! match_ip{$sender_host_address}{:@[]}}\
+ {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
+ {1}{0}\
+ }"
+
+# hcoop-change: separate local and remote router
+# hcoop-change: disable remote check since it interferes with relaying from hosts (should be in ACL)
+
+# lowuid_aliases_remote:
+# debug_print = "R: lowuid_aliases_remote for $local_part@$domain (UID $local_user_uid)"
+# check_local_user
+# driver = redirect
+# allow_fail
+# domains = +unix_domains
+# condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
+# data = ${if exists{CONFDIR/lowuid-aliases}\
+# {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
+# {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
+# {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
+
+
+# hcoop-change: redirect all local low uid mail to one account
+COND_SYSTEM_USER = ${if <{$local_user_uid}{FIRST_USER_ACCOUNT_UID}{1}{0}}
+
+lowuid_aliases_local:
+ debug_print = "R: lowuid_aliases_local for $local_part@$domain (UID $local_user_uid)"
+ check_local_user
+ driver = redirect
+ allow_fail
+ domains = +unix_domains
+ condition = COND_SYSTEM_USER
+ data = ${if exists{CONFDIR/lowuid-aliases}\
+ {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
+ {$value}{HCOOP_SYSTEM_ACCOUNT_ALIAS}}}\
+ {HCOOP_SYSTEM_ACCOUNT_ALIAS}}
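Review bot: `lowuid_aliases_local` falls back to `HCOOP_SYSTEM_ACCOUNT_ALIAS` (L678-L679), a macro this file never defines, while `DEFAULT_SYSTEM_ACCOUNT_ALIAS` (L640-L642) is defined with a safe `:fail:` value and then never used. If the macro is not supplied elsewhere, Exim leaves the name unexpanded and the redirect data becomes the literal local part `HCOOP_SYSTEM_ACCOUNT_ALIAS`, so mail for system accounts is most likely bounced as unrouteable instead of failing cleanly; add `.ifndef HCOOP_SYSTEM_ACCOUNT_ALIAS` / `HCOOP_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts` / `.endif` beside the other defaults. `COND_SYSTEM_USER_AND_REMOTE_SUBMITTER` (L644-L648) is now dead, since the only router using it is commented out, and the `_local` suffix on the surviving router no longer describes it: with no submitter test it applies to mail from any source.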
--- /dev/null
+
+### transport/10_exim4-config_transport-macros
+#################################
+
+.ifdef HIDE_MAILNAME
+REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
+REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
+.endif
+
+.ifdef REMOTE_SMTP_HELO_FROM_DNS
+.ifdef REMOTE_SMTP_HELO_DATA
+REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
+.else
+REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
+.endif
+.endif
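Review bot: The `REMOTE_SMTP_HELO_DATA==…` line at L692 reads like a typo next to the single `=` at L694; it is Exim's macro-redefinition syntax (a macro that already exists can only be overridden with `==`), and the `.ifdef`/`.else` split exists solely for that reason. A one-line comment above L691 saves the next reader from "fixing" it, e.g. `# an existing macro must be redefined with ==, hence the two branches`. Note that both branches take the HELO name from the PTR record of `$sending_ip_address` with `$primary_hostname` as fallback, so a missing or changed reverse record silently changes what this host announces to peers.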
path = "/bin:/usr/bin:/usr/local/bin"
environment = AFS_IS=${run{/etc/exim4/get-token ${local_part}}{}}enabled
command = "/usr/bin/maildrop"
+ message_prefix =
+ message_suffix =
return_path_add
delivery_date_add
envelope_to_add
driver = pipe
path = "/bin:/usr/bin:/usr/local/bin"
environment = AFS_IS=${run{/etc/exim4/get-token ${local_part}}{}}enabled
-# command = "/home/mwolson_admin/procmailtest"
command = /usr/bin/procmail ${home}/.procmail.d/procmailrc
return_path_add
delivery_date_add
remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
- # to disable TLS on outgoing connections, uncomment this
- # hosts_avoid_tls = *
+.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef DKIM_DOMAIN
+dkim_domain = DKIM_DOMAIN
+.endif
+.ifdef DKIM_SELECTOR
+dkim_selector = DKIM_SELECTOR
+.endif
+.ifdef DKIM_PRIVATE_KEY
+dkim_private_key = DKIM_PRIVATE_KEY
+.endif
+.ifdef DKIM_CANON
+dkim_canon = DKIM_CANON
+.endif
+.ifdef DKIM_STRICT
+dkim_strict = DKIM_STRICT
+.endif
+.ifdef DKIM_SIGN_HEADERS
+dkim_sign_headers = DKIM_SIGN_HEADERS
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_PRIVATEKEY
+.endif
#################################
# This transport is used for delivering messages over SMTP connections
-# to a smarthost. The local host tries to authenticate and does some
-# modification in headers and return-path.
+# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
- hosts_try_auth = ${if exists{CONFDIR/passwd.client} \
+ hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
}\
{} \
}
- # to disable TLS on outgoing connections, uncomment this
- # hosts_avoid_tls = *
- DEBCONFheaders_rewriteDEBCONF
- DEBCONFreturn_pathDEBCONF
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
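Review bot: The new `.ifdef` blocks are indented inconsistently: the option lines under L717-L728 and L776-L787 keep the transport's leading indent, while the DKIM and TLS options at L729-L755 and L788-L796 sit at column 0 inside the same `remote_smtp` and `remote_smtp_smarthost` definitions. Exim accepts both, but column-0 lines read as top-level settings rather than transport options; indent them like `  dkim_domain = DKIM_DOMAIN`. The `<;` prefix added to `hosts_try_auth` at L766 is the right change, since `$host_address` may be an IPv6 literal containing the default colon separator.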
+++ /dev/null
-
-# This transport is used for handling deliveries directly to files that are
-# generated by aliasing or forwarding.
-#
-# hcoop-change: Add bogus group line to make sure get-token gets executed
-trouble_users:
- debug_print = "T: trouble_users for $local_part@$domain"
- driver = appendfile
- group = mail
- file = /var/tmp/frozen/${local_part}
- delivery_date_add
- envelope_to_add
- return_path_add
-
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
-# update-exim4.conf uses this file to determine variable values to replace
-# the DEBCONFsomethingDEBCONF strings in the configuration template files.
+# update-exim4.conf uses this file to determine variable values to generate
+# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.