# accepted or denied.
#
acl_check_mail:
+
accept
### acl/30_exim4-config_check_rcpt
#################################
+# define macros to be used below in this file to check recipient
+# local parts for strange characters. Documentation below.
+# This blocks local parts that begin with a dot or contain a quite
+# broad range of non-alphanumeric characters.
+
+.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
+CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
+.endif
+
+.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
+CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+.endif
+
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
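Review bot: The `.ifndef` guards on `CHECK_RCPT_LOCAL_LOCALPARTS` and `CHECK_RCPT_REMOTE_LOCALPARTS` only honour a local override that was parsed before this file, and the new header comment says nothing about where such an override now has to live, whereas the comment removed from main/01_exim4-config_listmacrosdefs did tell the admin the macros could be overridden from a locally added configuration file. Add a sentence to the comment block, e.g. `# To override either macro, define it in a file read before this one (a main/ file, next to 01_exim4-config_listmacrosdefs), otherwise the default below wins.` The removed text also cited an Exim bug as the reason the definitions could not sit in an ACL file; the move presumably relies on that being fixed in the Exim version this configuration targets, which is worth stating in the commit message or the comment.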
# incorporated unthinkingly into a shell command line.
#
# These ACL components will block recipient addresses that are valid
- # from an RFC2822 point of view. We chose to have them blocked by
+ # from an RFC5322 point of view. We chose to have them blocked by
# default for security reasons.
#
# If you feel that your site should have less strict recipient
# default, and is applied to messages that are addressed to one of the
# local domains handled by this host.
- # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
- # main/01_exim4-config_listmacrosdefs:
- # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
- # This blocks local parts that begin with a dot or contain a quite
- # broad range of non-alphanumeric characters.
+ # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
+ # at the top of this file.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
deny
domains = +local_domains : +unix_domains
# to enable this feature.
#
# This feature does not work in smarthost and satellite setups as
- # with these setups all domains pass verification. See spec.txt chapter
- # 39.31 with the added information that a smarthost/satellite setup
- # routes all non-local e-mail to the smarthost.
+ # with these setups all domains pass verification. See spec.txt section
+ # "Access control lists" subsection "Address verification" with the added
+ # information that a smarthost/satellite setup routes all non-local e-mail
+ # to the smarthost.
.ifdef CHECK_RCPT_VERIFY_SENDER
# hcoop-change: warn so that we can track down webapps sending
# without a valid return user, but not break the many web apps that
# the black list. See exim4-config_files(5) for details.
deny
message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ log_message = sender envelope address is locally blacklisted.
!acl = acl_local_deny_exceptions
senders = ${if exists{CONFDIR/local_sender_blacklist}\
{CONFDIR/local_sender_blacklist}\
# the black list. See exim4-config_files(5) for details.
deny
message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ log_message = sender IP address is locally blacklisted.
!acl = acl_local_deny_exceptions
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
condition = ${if > {$max_received_linelength}{998}}
.endif
- # Deny unless the address list headers are syntactically correct.
+ # Deny if the headers contain badly-formed addresses.
#
- # If you enable this, you might reject legitimate mail.
- .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
+ .ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX
deny
- message = Message headers fail syntax check
!acl = acl_local_deny_exceptions
!verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
.endif
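Review bot: The header-syntax check flips from opt-in (`CHECK_DATA_VERIFY_HEADER_SYNTAX`) to opt-out (`NO_CHECK_DATA_VERIFY_HEADER_SYNTAX`), so every site that never set the old macro now starts rejecting messages with malformed address headers, and the removed warning "If you enable this, you might reject legitimate mail." has no replacement. Keep a comment above the `.ifndef`, e.g. `# Enabled by default; set NO_CHECK_DATA_VERIFY_HEADER_SYNTAX to disable. This can reject legitimate mail whose address headers are malformed.` The SMTP-facing `message = header syntax` is terse, but since `log_message` carries `$acl_verify_message` the detail still reaches the log, which seems the right split. The ACL this `deny` belongs to starts outside the hunk.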
# Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You also need to set the spamd_address
+ # you must install SpamAssassin. You may also need to set the spamd_address
# option in the main configuration.
#
# exim4-daemon-heavy must be used for this section to work.
#
- # Please note that this is only suiteable as an example. There are
- # multiple issues with this configuration method. For example, if you go
- # this way, you'll give your spamassassin daemon write access to the
- # entire exim spool which might be a security issue in case of a
- # spamassassin exploit.
+ # Please note that this is only suiteable as an example. See
+ # /usr/share/doc/exim4-base/README.Debian.gz
#
# See the exim docs and the exim wiki for more suitable examples.
#
+ # # Remove internal headers
# warn
- # spam = Debian-exim:true
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : \
+ # X-Spam_report
+ #
+ # warn
+ # condition = ${if <{$message_size}{120k}{1}{0}}
+ # # ":true" to add headers/acl variables even if not spam
+ # spam = nobody:true
+ # add_header = X-Spam_score: $spam_score
+ # add_header = X-Spam_bar: $spam_bar
+ # # Do not enable this unless you have shorted SpamAssassin's report
+ # #add_header = X-Spam_report: $spam_report
+ #
+ # Reject spam messages (score >15.0).
+ # This breaks mailing list and forward messages.
+ # deny
+ # message = Classified as spam (score $spam_score)
+ # condition = ${if <{$message_size}{120k}{1}{0}}
+ # condition = ${if >{$spam_score_int}{150}{true}{false}}
# This hook allows you to hook in your own ACLs without having to
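Review bot: Two wording slips in the reworked commented-out SpamAssassin example: `shorted` on the `# # Do not enable this unless you have shorted SpamAssassin's report` line should be `shortened`, and `suiteable` in `# Please note that this is only suiteable as an example.` (carried over from the old text) should be `suitable`. Everything else in this hunk is comment text, so there is no behaviour change to review.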
# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
# .endif
-#
+#
# digest_md5_sasl_server:
# driver = cyrus_sasl
# public_name = DIGEST-MD5
# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
# clear text password authentication on all connections.
-# cram_md5:
-# driver = cram_md5
-# public_name = CRAM-MD5
-# client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-# client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# # this returns the matching line from passwd.client and doubles all ^
-# PASSWDLINE=${sg{\
-# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
-# }\
-# {\\N[\\^]\\N}\
-# {^^}\
-# }
-
-# # this returns the matching line from passwd.client and doubles all ^
-# PASSWDLINE=${sg{\
-# ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
-# }\
-# {\\N[\\^]\\N}\
-# {^^}\
-# }
-
-# plain:
-# driver = plaintext
-# public_name = PLAIN
-# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-# client_send = "<; ${if !eq{$tls_out_cipher}{}\
-# {^${extract{1}{:}{PASSWDLINE}}\
-# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
-# }fail}"
-# .else
-# client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
-# ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .endif
-
-# login:
-# driver = plaintext
-# public_name = LOGIN
-# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-# # Return empty string if not non-TLS AND looking up $host in passwd-file
-# # yields a non-empty string; fail otherwise.
-# client_send = "<; ${if and{\
-# {!eq{$tls_out_cipher}{}}\
-# {!eq{PASSWDLINE}{}}\
-# }\
-# {}fail}\
-# ; ${extract{1}{::}{PASSWDLINE}}\
-# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .else
-# # Return empty string if looking up $host in passwd-file yields a
-# # non-empty string; fail otherwise.
-# client_send = "<; ${if !eq{PASSWDLINE}{}\
-# {}fail}\
-# ; ${extract{1}{::}{PASSWDLINE}}\
-# ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .endif
-
# hcoop-change: auth against sasld
hcoop_plain:
driver = plaintext
gecos_pattern = ^([^,:]*)
gecos_name = $1
-# define macros to be used in acl/30_exim4-config_check_rcpt to check
-# recipient local parts for strange characters.
-
-# This macro definition really should be in
-# acl/30_exim4-config_check_rcpt but cannot be there due to
-# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
-
-# These macros are documented in acl/30_exim4-config_check_rcpt,
-# can be changed here or overridden by a locally added configuration
-# file as described in README.Debian section "Using Exim Macros to control
-# the configuration".
-
-.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
-CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
-.endif
-
-.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
-CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
-.endif
-
-# always log tls_peerdn as we use TLS for outgoing connects by default
-.ifndef MAIN_LOG_SELECTOR
-MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
-.endif
-
# always log tls_peerdn as we use TLS for outgoing connects by default
-# hcoop-change: add +tls_ciper
+# hcoop-change: add +tls_cipher
.ifndef MAIN_LOG_SELECTOR
-MAIN_LOG_SELECTOR = +tls_cipher +tls_peerdn
+MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn +tls_cipher
.endif
-
# hcoop-change: use file_transport = address_file for /etc/aliases
# delivery, as per old configuration
SYSTEM_ALIASES_FILE_TRANSPORT = address_file
host_lookup = MAIN_HOST_LOOKUP
.endif
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support. It has no effect if your library lacks
+# DNSSEC support.
+dns_dnssec_ok = 1
# In a minimaldns setup, update-exim4.conf guesses the hostname and
# dumps it here to avoid DNS lookups being done at Exim run time.
# (The default was reduced from 30s to 5s for release 4.61. and to
# disabled for release 4.86)
#
-#rfc1413_hosts =
-#rfc1413_query_timeout = 0s
+#rfc1413_hosts = *
+#rfc1413_query_timeout = 5s
# Enable an efficiency feature. We advertise the feature; clients
gmail.com data_4xx G,2d,30m,1.5
# Default
-* * F,4h,10m; G,16h,1h,1.5; F,4d,6h
+* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
domains = ! +local_domains : ! +unix_domains : +relay_to_domains
transport = remote_smtp
same_domain_copy_routing = yes
+ dnssec_request_domains = *
no_more
# deliver mail directly to the recipient. This router is only reached
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
255.255.255.255
+ dnssec_request_domains = *
no_more
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif
+.ifndef REMOTE_SMTP_DISABLE_DANE
+dnssec_request_domains = *
+hosts_try_dane = *
+.endif
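Review bot: `hosts_try_dane = *` only takes effect when the TLSA and MX/A answers come back DNSSEC-validated, which depends on the system resolver actually validating; `dns_dnssec_ok = 1` in the main-section hunk earlier in this diff and the `dnssec_request_domains = *` added on the two routers and here only request the DO bit, they cannot supply validation. With a non-validating resolver the AD bit never arrives and, because this is the "try" form, delivery silently degrades to plain opportunistic TLS with no DANE, which is easy to miss. Suggest a comment on the `.ifndef`: `# DANE needs a DNSSEC-validating resolver (AD bit); without one hosts_try_dane silently falls back to opportunistic TLS.` The transport this block belongs to starts outside the hunk.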
remote_smtp_smarthost:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
-
+ multi_domain
.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
.endif
-
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\