# accepted or denied.
#
acl_check_mail:
- .ifdef CHECK_MAIL_HELO_ISSUED
- deny
- message = no HELO given before MAIL command
- condition = ${if def:sender_helo_name {no}{yes}}
- .endif
--
accept
.else
local_parts = CHECK_RCPT_POSTMASTER
.endif
- domains = +local_domains : +relay_to_domains
-
+ domains = +local_domains : +unix_domains : +relay_to_domains
-
# Deny unless the sender address can be verified.
#
# This is disabled by default so that DNSless systems don't break. If
# Check against classic DNS "black" lists (DNSBLs) which list
# sender IP addresses
.ifdef CHECK_RCPT_IP_DNSBLS
- warn
+ # hcoop-change: drop connection instead of warning
+ drop
+ message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
dnslists = CHECK_RCPT_IP_DNSBLS
+ add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
.endif
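Review bot: `log_message` is set twice on the new `drop` verb (L28 and L31), and `add_header` (L30) is dead on a verb that rejects the message and closes the connection, so these modifiers are leftovers from the `warn` they replace — keep one `log_message` and delete the `add_header`. On `drop`, `message` becomes the SMTP reply rather than a header, so the `X-Warning:` prefix is sent verbatim in the 550 text; `message = $sender_host_address is listed at $dnslist_domain ($dnslist_value)` reads correctly and leaves the third-party `$dnslist_text` out of what is echoed to the client. Escalating to `drop` also means any A record returned for CHECK_RCPT_IP_DNSBLS now rejects the connection, so the macro value should be restricted to genuine listing codes with Exim's `zone=127.0.0.2,...` syntax rather than accepting every answer.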
.include CHECK_RCPT_LOCAL_ACL_FILE
.endif
+ # hcoop-change: 2015-03-19 clinton_admin
+ # testing if this will reject the fucktons of spam hitting logs@,
+ # most of it fscking signed with valid DKIM keys and evading
+ # spamassassin.
+ deny
+ log_message = rejecting non-hcoop host sending to logs
+ recipients = logs@*.hcoop.net
+ !hosts = +relay_from_hosts
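Review bot: `recipients = logs@*.hcoop.net` (L41) does not match `logs@hcoop.net`, because Exim's `*.hcoop.net` domain pattern requires at least one label before the suffix, yet `logs@hcoop.net` is exactly where this config sends system mail (`HCOOP_SYSTEM_ACCOUNT_ALIAS = logs@hcoop.net`, L214); the rule should read `recipients = logs@hcoop.net : logs@*.hcoop.net`. `!hosts = +relay_from_hosts` also rejects authenticated members submitting from outside the relay list; if that is not intended, add `!authenticated = *` as a further condition. The comment at L36–L38 should be rewritten in neutral language before it lands in a shared configuration. Whether this deny precedes the final accept of the RCPT ACL is not visible; the enclosing ACL ends outside the hunk.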
-
#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
-cram_md5:
- driver = cram_md5
- public_name = CRAM-MD5
- client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
- client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# this returns the matching line from passwd.client and doubles all ^
-PASSWDLINE=${sg{\
- ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
- }\
- {\\N[\\^]\\N}\
- {^^}\
- }
-
-plain:
+# cram_md5:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+# client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
+
+# # this returns the matching line from passwd.client and doubles all ^
+# PASSWDLINE=${sg{\
+# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
+# }\
+# {\\N[\\^]\\N}\
+# {^^}\
+# }
+
++# # this returns the matching line from passwd.client and doubles all ^
++# PASSWDLINE=${sg{\
++# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
++# }\
++# {\\N[\\^]\\N}\
++# {^^}\
++# }
++
+# plain:
+# driver = plaintext
+# public_name = PLAIN
+# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
+# client_send = "<; ${if !eq{$tls_out_cipher}{}\
+# {^${extract{1}{:}{PASSWDLINE}}\
+# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
+# }fail}"
+# .else
+# client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
+# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+# .endif
+
+# login:
+# driver = plaintext
+# public_name = LOGIN
+# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
+# # Return empty string if not non-TLS AND looking up $host in passwd-file
+# # yields a non-empty string; fail otherwise.
+# client_send = "<; ${if and{\
+# {!eq{$tls_out_cipher}{}}\
+# {!eq{PASSWDLINE}{}}\
+# }\
+# {}fail}\
+# ; ${extract{1}{::}{PASSWDLINE}}\
+# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+# .else
+# # Return empty string if looking up $host in passwd-file yields a
+# # non-empty string; fail otherwise.
+# client_send = "<; ${if !eq{PASSWDLINE}{}\
+# {}fail}\
+# ; ${extract{1}{::}{PASSWDLINE}}\
+# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
+# .endif
+
+# hcoop-change: auth against sasld
+hcoop_plain:
driver = plaintext
public_name = PLAIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- client_send = "<; ${if !eq{$tls_out_cipher}{}\
- {^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
- }fail}"
-.else
- client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
- ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif
-
-login:
+ server_prompts = :
+ server_condition = \
+ ${if or {{crypteq {$auth3} \
+ {${extract{systempw}{${tr{${lookup{$auth2} \
+ dbm{/etc/courier/exim.dat} \
+ }}{|}{ }}}}}} \
+ {saslauthd {{$auth2}{$auth3}{exim4}}}}}
+ server_set_id = $auth2
+ server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
+
+hcoop_login:
driver = plaintext
public_name = LOGIN
-.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
- # Return empty string if not non-TLS AND looking up $host in passwd-file
- # yields a non-empty string; fail otherwise.
- client_send = "<; ${if and{\
- {!eq{$tls_out_cipher}{}}\
- {!eq{PASSWDLINE}{}}\
- }\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.else
- # Return empty string if looking up $host in passwd-file yields a
- # non-empty string; fail otherwise.
- client_send = "<; ${if !eq{PASSWDLINE}{}\
- {}fail}\
- ; ${extract{1}{::}{PASSWDLINE}}\
- ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-.endif
+ server_prompts = "Username:: : Password::"
+ server_condition = \
+ ${if or {{crypteq {$auth2} \
+ {${extract{systempw}{${tr{${lookup{$auth1} \
+ dbm{/etc/courier/exim.dat} \
+ }}{|}{ }}}}}} \
+ {saslauthd {{$auth1}{$auth2}{exim4}}}}}
+ server_set_id = $auth1
- server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
++ server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
++
.endif
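Review bot: Both server authenticators gate advertising on the pre-4.80 variable `$tls_cipher` (L144, L176) while the same file already uses `$tls_out_cipher` (L90), so the current inbound name should be used: `server_advertise_condition = ${if def:tls_in_cipher}`. Exim refuses AUTH for mechanisms it did not advertise, so this condition is the only thing keeping PLAIN/LOGIN credentials off cleartext SMTP; a comment such as `# TLS-only: Exim rejects AUTH for unadvertised mechanisms, do not relax` would stop someone loosening it casually. The `/etc/courier/exim.dat` path and the `extract{systempw}{${tr{...}{|}{ }}}` expression are duplicated verbatim in both `server_condition`s; a macro like `HCOOP_AUTH_DB = /etc/courier/exim.dat` keeps them in step. L175–L177 show the advertise line both removed and re-added, and the commented-out PASSWDLINE block appears twice (L70–L76 and L78–L84), which looks like a stacked-patch artefact — confirm only one copy of each survives in the generated file.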
# always log tls_peerdn as we use TLS for outgoing connects by default
+ .ifndef MAIN_LOG_SELECTOR
+ MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
+ .endif
++
++# always log tls_peerdn as we use TLS for outgoing connects by default
+# hcoop-change: add +tls_ciper
+.ifndef MAIN_LOG_SELECTOR
+MAIN_LOG_SELECTOR = +tls_cipher +tls_peerdn
+.endif
+
+# hcoop-change: use file_transport = address_file for /etc/aliases
+# delivery, as per old configuration
+SYSTEM_ALIASES_FILE_TRANSPORT = address_file
+
+# hcoop-change: deliver mail to AFS
+MAILDIR_HOME_MAILDIR_LOCATION = /afs/hcoop.net/common/email
+
+# hcoop-change: enable TLS
+MAIN_TLS_ENABLE = yes
+
+# hcoop-change: enabled sender verification
+CHECK_RCPT_VERIFY_SENDER = true
+CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_RCPT_SPF = true
+
+# hcoop-change: use hcoop cert 2015-05-04 clinton
+MAIN_TLS_CERTKEY = /etc/hcoop-ssl/hcoop.pem
+
+# hcoop-change: uncomment and set to mailman host if this server does not host mailman
+#HCOOP_MAILMAN_RELAY_HOST = deleuze.hcoop.net
+
+# hcoop-change: all mail for users < 1000 to logs, reject entirely from untrusted remote hosts
+FIRST_USER_ACCOUNT_UID = 1000
+HCOOP_SYSTEM_ACCOUNT_ALIAS = logs@hcoop.net
primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
.endif
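Review bot: MAIN_LOG_SELECTOR is guarded by two separate `.ifndef` blocks (L180–L182 and L186–L188); whichever is parsed first defines the macro and the other becomes a no-op, so the intended `+tls_cipher` may never be logged — merge them into one definition, `MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_cipher +tls_peerdn`, and fix "tls_ciper" in the L185 comment. Because the DNSBL ACL now drops on any hit, `CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org` (L202) should name the listing codes, e.g. `CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org=127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.9,127.0.0.10,127.0.0.11`, since Spamhaus answers query errors and over-quota conditions with 127.255.255.x records that would otherwise reject all inbound mail (check the code list against Spamhaus's current documentation). `MAIN_TLS_CERTKEY = /etc/hcoop-ssl/hcoop.pem` (L207) places the private key in the same file as the certificate; it must be readable only by the Exim run-time user, presumably enforced by the deployment, and a comment `# contains the private key: keep mode 0640, owned by root and the exim group` records that requirement next to the path.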
- # The settings below, which are actually the same as the defaults in the
- # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
- # calls. You can limit the hosts to which these calls are made, and/or change
- # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
- # are disabled. RFC 1413 calls are cheap and can provide useful information
- # for tracing problem messages, but some hosts and firewalls are
- # misconfigured to drop the requests instead of either answering or
- # rejecting them. This can result in a timeout instead of an immediate refused
- # connection, leading to delays on starting up SMTP sessions. (The default was
- # reduced from 30s to 5s for release 4.61.)
- # rfc1413_hosts =
- # rfc1413_query_timeout = 0s
+ # The settings below cause Exim to make RFC 1413 (ident) callbacks
+ # for all incoming SMTP calls. You can limit the hosts to which these
+ # calls are made, and/or change the timeout that is used. If you set
+ # the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
+ # are cheap and can provide useful information for tracing problem
+ # messages, but some hosts and firewalls have problems with them.
+ # This can result in a timeout instead of an immediate refused
+ # connection, leading to delays on starting up SMTP sessions.
+ # (The default was reduced from 30s to 5s for release 4.61. and to
+ # disabled for release 4.86)
+ #
-#rfc1413_hosts = *
-#rfc1413_query_timeout = 5s
++#rfc1413_hosts =
++#rfc1413_query_timeout = 0s
+
+
+ # Enable an efficiency feature. We advertise the feature; clients
+ # may request to use it. For multi-recipient mails we then can
+ # reject or accept per-user after the message is received.
+ #
+ prdr_enable = true
# When using an external relay tester (such as rt.njabl.org and/or the
# currently defunct relay-test.mail-abuse.org, the test may be aborted
# SMTP Banner. The example includes the Debian version in the SMTP dialog
# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
- tls_on_connect_ports = smtps
+
+# hcoop-change: better load limiting
+# these values should be checked, documented, and committed to git (clinton)
+smtp_accept_max = 50
+retry_data_expire = 1d
+retry_interval_max = 8h
+# load max is just a guess for what will work ATM...
+queue_only_load = 20
+deliver_queue_load_max = 36
+queue_run_max = 10
+
+# hcoop-change: raise limit for incoming SMTP connections
+#smtp_accept_max = 95
+
+# hcoop-change: expire retry data after a single day
+#retry_data_expire = 1d
+
+# hcoop-change: don't penalize hosts past 4 hours
+#retry_interval_max = 4h
+
+# hcoop-change: disable smtp_enforce_sync (https://bugzilla.mozilla.org/show_bug.cgi?id=538809)
+smtp_enforce_sync = false
+
+# hcoop-change: disable ipv6 because exim seems unaware we can lookup AAAA but not actually reach them
+disable_ipv6 = true
+
+# hcoop-change: disable pointless ident check
+rfc1413_hosts =
+rfc1413_query_timeout = 0s
+
+# hcoop-change: submission + legacy smtp (many members use smtps)
+daemon_smtp_ports = smtp : smtps : submission
++tls_on_connect_ports = smtps
++
+ .ifdef MAIN_KEEP_ENVIRONMENT
+ keep_environment = MAIN_KEEP_ENVIRONMENT
+ .else
+ # set option to empty value to avoid warning.
+ keep_environment =
+ .endif
+ .ifdef MAIN_ADD_ENVIRONMENT
+ add_environment = MAIN_ADD_ENVIRONMENT
+ .endif
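Review bot: `smtp_accept_max = 50` (L260) has no companion `smtp_accept_max_per_host`, so a single peer can occupy every inbound slot; unless the split config sets it elsewhere, add `smtp_accept_max_per_host = 10` (or similar) beside it. `smtp_enforce_sync = false` (L278) switches off, for every host, Exim's check that a client waits for each response — a cheap filter against bots that blast commands before the banner — to work around one client bug; the linked report is not visible here, so the comment should name the client and version that needs it so the setting can be revisited. `daemon_smtp_ports = smtp : smtps : submission` (L288) opens 587 with nothing visible requiring TLS or authentication there; the TLS-only advertise condition protects credentials, but an RCPT rule such as `deny condition = ${if eq{$received_port}{587}}` with `!authenticated = *` would make submission-only semantics explicit. The load limits at L258–L266 are self-described as guesses, and the commented duplicates at L268–L275 should be removed rather than kept as history.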
# effective retry-time depends on the frequency of queue-running, too.
# See QUEUEINTERVAL in /etc/default/exim4.
++
+# hcoop-change: Customize all of this to not penalize local users so
+# much for timeouts.
+
# Address or Domain Error Retries
# ----------------- ----- -------
-* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+# Local users who might have temporary AFS-related issues
+localhost * F,10m,1m; F,30m,5m; G,6h,10m,1.2; G,1d,1h,1.5; F,4d,6h
+hcoop.net * F,10m,1m; F,30m,5m; G,6h,10m,1.2; G,1d,1h,1.5; F,4d,6h
+
+# gmail this is probably spam
+gmail.com data_4xx G,2d,30m,1.5
+
+# Default
+* * F,4h,10m; G,16h,1h,1.5; F,4d,6h
+
${if match_ip{$sender_host_address}{:@[]}\
{1}{0}\
}"
+
+# hcoop-change: Use unix_domains rather than local_domains.
+
real_local:
debug_print = "R: real_local for $local_part@$domain"
driver = accept
- condition = COND_LOCAL_SUBMITTER
- domains = +local_domains
+ domains = +unix_domains
+ condition = COND_LOCAL_SUBMITTER
local_part_prefix = real-
check_local_user
transport = LOCAL_DELIVERY
check_local_user
driver = redirect
allow_fail
- domains = +local_domains
- condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
+ domains = +unix_domains
+ condition = COND_SYSTEM_USER
data = ${if exists{CONFDIR/lowuid-aliases}\
{${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
- {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
- {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
+ {$value}{HCOOP_SYSTEM_ACCOUNT_ALIAS}}}\
+ {HCOOP_SYSTEM_ACCOUNT_ALIAS}}
++
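Review bot: Switching the system-user router from `COND_SYSTEM_USER_AND_REMOTE_SUBMITTER` to `COND_SYSTEM_USER` (L341) makes every message for a uid-below-FIRST_USER_ACCOUNT_UID account redirect to `HCOOP_SYSTEM_ACCOUNT_ALIAS`, including mail from untrusted remote hosts, while the comment at L212 promises that such mail is rejected "entirely". Nothing visible implements that rejection: redirection happens at routing time, after the RCPT ACL has judged only the original recipient, so the `logs@` deny at L39–L42 cannot see it. Either restore the remote-submitter condition or reject in the RCPT ACL by the low-uid local parts for `!hosts = +relay_from_hosts`, and make the L212 comment match whichever is done. The `COND_*` macros and `+unix_domains` are defined outside this hunk, so their exact semantics are inferred from the names.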
# $home is not accessible, this chdir fails and prevents delivery.
# If you are in a setup where home directories might not be
# accessible, uncomment the current_directory line below.
- # current_directory = /
+ #
+ # hcoop-change: uncommented this
+ current_directory = /
+ # hcoop-change: Try 20 times rather than 10 before deferring.
+ maildir_retries = 20
- check_owner = false
++ check_owner = false
++
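Review bot: `check_owner = false` (L359) removes appendfile's verification that the mailbox directory belongs to the delivery user; under the shared `/afs/hcoop.net/common/email` tree (L195) delivery would then proceed into a directory created or owned by someone else, the classic mailbox-squatting problem. If AFS ownership semantics make the check unworkable, write the reason down, e.g. `# AFS: directory uid is not the member's uid, so appendfile's owner check cannot hold; access presumably relies on AFS ACLs — confirm`, and if that is not actually the case the check should stay enabled. `current_directory = /` and `maildir_retries = 20` are reasonable but deserve a one-line why as well; the transport definition begins outside this hunk.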
remote_smtp:
debug_print = "T: remote_smtp for $local_part@$domain"
driver = smtp
++ # hcoop-change: drop hosts_max_try to avoid hitting all gmail MX at once
+ hosts_max_try = 2
+ .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ .endif
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
++
+ .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ .endif
++
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
address_directory:
debug_print = "T: address_directory for $local_part@$domain"
driver = appendfile
- # group = mail${run{/etc/exim4/get-token ${local_part}}{}}
+ directory = ${address_file}${run{/etc/exim4/get-token ${local_part}}{}}
delivery_date_add
envelope_to_add
return_path_add