Integrate changes from 4.92

Biggest change is enabling DNSSEC

diff --git a/conf.d/acl/30_exim4-config_check_mail b/conf.d/acl/30_exim4-config_check_mail
index dbb1728..f8c53d6 100644 (file)
--- a/conf.d/acl/30_exim4-config_check_mail
+++ b/conf.d/acl/30_exim4-config_check_mail
@@ -7,4 +7,5 @@
 # accepted or denied.
 #
 acl_check_mail:
 # accepted or denied.
 #
 acl_check_mail:

+

   accept
   accept

diff --git a/conf.d/acl/30_exim4-config_check_rcpt b/conf.d/acl/30_exim4-config_check_rcpt
index c426f60..2578a5f 100644 (file)
--- a/conf.d/acl/30_exim4-config_check_rcpt
+++ b/conf.d/acl/30_exim4-config_check_rcpt
@@ -2,6 +2,19 @@
 ### acl/30_exim4-config_check_rcpt
 #################################
 
 ### acl/30_exim4-config_check_rcpt
 #################################
 

+# define macros to be used below in this file to check recipient
+# local parts for strange characters. Documentation below.
+# This blocks local parts that begin with a dot or contain a quite
+# broad range of non-alphanumeric characters.
+
+.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
+CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
+.endif
+
+.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
+CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+.endif
+

 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.


@@ -46,7 +59,7 @@ acl_check_rcpt:
   # incorporated unthinkingly into a shell command line.
   #
   # These ACL components will block recipient addresses that are valid
   # incorporated unthinkingly into a shell command line.
   #
   # These ACL components will block recipient addresses that are valid

-  # from an RFC2822 point of view. We chose to have them blocked by
+  # from an RFC5322 point of view. We chose to have them blocked by

   # default for security reasons.
   #
   # If you feel that your site should have less strict recipient
   # default for security reasons.
   #
   # If you feel that your site should have less strict recipient


@@ -58,11 +71,8 @@ acl_check_rcpt:
   # default, and is applied to messages that are addressed to one of the
   # local domains handled by this host.
 
   # default, and is applied to messages that are addressed to one of the
   # local domains handled by this host.
 

-  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
-  # main/01_exim4-config_listmacrosdefs:
-  # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
-  # This blocks local parts that begin with a dot or contain a quite
-  # broad range of non-alphanumeric characters.
+  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
+  # at the top of this file.

   .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
   deny
     domains = +local_domains : +unix_domains
   .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
   deny
     domains = +local_domains : +unix_domains


@@ -113,9 +123,10 @@ acl_check_rcpt:
   # to enable this feature.
   #
   # This feature does not work in smarthost and satellite setups as
   # to enable this feature.
   #
   # This feature does not work in smarthost and satellite setups as

-  # with these setups all domains pass verification. See spec.txt chapter
-  # 39.31 with the added information that a smarthost/satellite setup
-  # routes all non-local e-mail to the smarthost.
+  # with these setups all domains pass verification. See spec.txt section
+  # "Access control lists" subsection "Address verification" with the added
+  # information that a smarthost/satellite setup routes all non-local e-mail
+  # to the smarthost.

   .ifdef CHECK_RCPT_VERIFY_SENDER
   # hcoop-change: warn so that we can track down webapps sending
   # without a valid return user, but not break the many web apps that
   .ifdef CHECK_RCPT_VERIFY_SENDER
   # hcoop-change: warn so that we can track down webapps sending
   # without a valid return user, but not break the many web apps that


@@ -234,6 +245,7 @@ acl_check_rcpt:
   # the black list. See exim4-config_files(5) for details.
   deny
     message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
   # the black list. See exim4-config_files(5) for details.
   deny
     message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster

+    log_message = sender envelope address is locally blacklisted.

     !acl = acl_local_deny_exceptions
     senders = ${if exists{CONFDIR/local_sender_blacklist}\
                    {CONFDIR/local_sender_blacklist}\
     !acl = acl_local_deny_exceptions
     senders = ${if exists{CONFDIR/local_sender_blacklist}\
                    {CONFDIR/local_sender_blacklist}\


@@ -250,6 +262,7 @@ acl_check_rcpt:
   # the black list. See exim4-config_files(5) for details.
   deny
     message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
   # the black list. See exim4-config_files(5) for details.
   deny
     message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster

+    log_message = sender IP address is locally blacklisted.

     !acl = acl_local_deny_exceptions
     hosts = ${if exists{CONFDIR/local_host_blacklist}\
                  {CONFDIR/local_host_blacklist}\
     !acl = acl_local_deny_exceptions
     hosts = ${if exists{CONFDIR/local_host_blacklist}\
                  {CONFDIR/local_host_blacklist}\

diff --git a/conf.d/acl/40_exim4-config_check_data b/conf.d/acl/40_exim4-config_check_data
index abfa164..5b5c099 100644 (file)
--- a/conf.d/acl/40_exim4-config_check_data
+++ b/conf.d/acl/40_exim4-config_check_data
@@ -17,14 +17,14 @@ acl_check_data:
           condition  = ${if > {$max_received_linelength}{998}}
   .endif
 
           condition  = ${if > {$max_received_linelength}{998}}
   .endif
 

-  # Deny unless the address list headers are syntactically correct.
+  # Deny if the headers contain badly-formed addresses.

   #
   #

-  # If you enable this, you might reject legitimate mail.
-  .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
+  .ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX

   deny
   deny

-    message = Message headers fail syntax check

     !acl = acl_local_deny_exceptions
     !verify = header_syntax
     !acl = acl_local_deny_exceptions
     !verify = header_syntax

+    message = header syntax
+    log_message = header syntax ($acl_verify_message)

   .endif
 
 
   .endif
 
 


@@ -50,25 +50,36 @@ acl_check_data:
 
 
   # Add headers to a message if it is judged to be spam. Before enabling this,
 
 
   # Add headers to a message if it is judged to be spam. Before enabling this,

-  # you must install SpamAssassin. You also need to set the spamd_address
+  # you must install SpamAssassin. You may also need to set the spamd_address

   # option in the main configuration.
   #
   # exim4-daemon-heavy must be used for this section to work.
   #
   # option in the main configuration.
   #
   # exim4-daemon-heavy must be used for this section to work.
   #

-  # Please note that this is only suiteable as an example. There are
-  # multiple issues with this configuration method. For example, if you go
-  # this way, you'll give your spamassassin daemon write access to the
-  # entire exim spool which might be a security issue in case of a
-  # spamassassin exploit.
+  # Please note that this is only suiteable as an example. See
+  # /usr/share/doc/exim4-base/README.Debian.gz

   #
   # See the exim docs and the exim wiki for more suitable examples.
   #
   #
   # See the exim docs and the exim wiki for more suitable examples.
   #

+  # # Remove internal headers

   # warn
   # warn

-  #   spam = Debian-exim:true
-  #   add_header = X-Spam_score: $spam_score\n\
-  #             X-Spam_score_int: $spam_score_int\n\
-  #             X-Spam_bar: $spam_bar\n\
-  #             X-Spam_report: $spam_report
+  #   remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : \
+  #                   X-Spam_report
+  #
+  # warn
+  #   condition = ${if <{$message_size}{120k}{1}{0}}
+  #   # ":true" to add headers/acl variables even if not spam
+  #   spam = nobody:true
+  #   add_header = X-Spam_score: $spam_score
+  #   add_header = X-Spam_bar: $spam_bar
+  #   # Do not enable this unless you have shorted SpamAssassin's report
+  #   #add_header = X-Spam_report: $spam_report
+  #
+  # Reject spam messages (score >15.0).
+  # This breaks mailing list and forward messages.
+  # deny
+  #   message = Classified as spam (score $spam_score)
+  #   condition = ${if <{$message_size}{120k}{1}{0}}
+  #   condition = ${if >{$spam_score_int}{150}{true}{false}}

 
 
   # This hook allows you to hook in your own ACLs without having to
 
 
   # This hook allows you to hook in your own ACLs without having to

diff --git a/conf.d/auth/30_exim4-config_examples b/conf.d/auth/30_exim4-config_examples
index a934a11..f1de5d4 100644 (file)
--- a/conf.d/auth/30_exim4-config_examples
+++ b/conf.d/auth/30_exim4-config_examples
@@ -99,7 +99,7 @@
 #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
 #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
 #   .endif
 #   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
 #   server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
 #   .endif

-#
+# 

 # digest_md5_sasl_server:
 #   driver = cyrus_sasl
 #   public_name = DIGEST-MD5
 # digest_md5_sasl_server:
 #   driver = cyrus_sasl
 #   public_name = DIGEST-MD5


@@ -204,63 +204,6 @@
 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
 # clear text password authentication on all connections.
 
 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
 # clear text password authentication on all connections.
 

-# cram_md5:
-#   driver = cram_md5
-#   public_name = CRAM-MD5
-#   client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-#   client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
-
-# # this returns the matching line from passwd.client and doubles all ^
-# PASSWDLINE=${sg{\
-#                 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
-#              }\
-#              {\\N[\\^]\\N}\
-#              {^^}\
-#          }
-
-# # this returns the matching line from passwd.client and doubles all ^
-# PASSWDLINE=${sg{\
-#                 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
-#              }\
-#              {\\N[\\^]\\N}\
-#              {^^}\
-#          }
-
-# plain:
-#   driver = plaintext
-#   public_name = PLAIN
-# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-#   client_send = "<; ${if !eq{$tls_out_cipher}{}\
-#                     {^${extract{1}{:}{PASSWDLINE}}\
-#                   ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
-#                 }fail}"
-# .else
-#   client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
-#                  ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .endif
-
-# login:
-#   driver = plaintext
-#   public_name = LOGIN
-# .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
-#   # Return empty string if not non-TLS AND looking up $host in passwd-file
-#   # yields a non-empty string; fail otherwise.
-#   client_send = "<; ${if and{\
-#                           {!eq{$tls_out_cipher}{}}\
-#                           {!eq{PASSWDLINE}{}}\
-#                          }\
-#                       {}fail}\
-#                  ; ${extract{1}{::}{PASSWDLINE}}\
-#               ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .else
-#   # Return empty string if looking up $host in passwd-file yields a
-#   # non-empty string; fail otherwise.
-#   client_send = "<; ${if !eq{PASSWDLINE}{}\
-#                       {}fail}\
-#                  ; ${extract{1}{::}{PASSWDLINE}}\
-#               ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
-# .endif
-

 # hcoop-change: auth against sasld
 hcoop_plain:
   driver = plaintext
 # hcoop-change: auth against sasld
 hcoop_plain:
   driver = plaintext

diff --git a/conf.d/main/01_exim4-config_listmacrosdefs b/conf.d/main/01_exim4-config_listmacrosdefs
index f1e4268..01214de 100644 (file)
--- a/conf.d/main/01_exim4-config_listmacrosdefs
+++ b/conf.d/main/01_exim4-config_listmacrosdefs
@@ -82,37 +82,11 @@ LOCAL_DELIVERY=mail_spool
 gecos_pattern = ^([^,:]*)
 gecos_name = $1
 
 gecos_pattern = ^([^,:]*)
 gecos_name = $1
 

-# define macros to be used in acl/30_exim4-config_check_rcpt to check
-# recipient local parts for strange characters.
-
-# This macro definition really should be in
-# acl/30_exim4-config_check_rcpt but cannot be there due to
-# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
-
-# These macros are documented in acl/30_exim4-config_check_rcpt,
-# can be changed here or overridden by a locally added configuration
-# file as described in README.Debian section "Using Exim Macros to control
-# the configuration".
-
-.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
-CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
-.endif
-
-.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
-CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
-.endif
-
-# always log tls_peerdn as we use TLS for outgoing connects by default
-.ifndef MAIN_LOG_SELECTOR
-MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
-.endif
-

 # always log tls_peerdn as we use TLS for outgoing connects by default
 # always log tls_peerdn as we use TLS for outgoing connects by default

-# hcoop-change: add +tls_ciper
+# hcoop-change: add +tls_cipher

 .ifndef MAIN_LOG_SELECTOR
 .ifndef MAIN_LOG_SELECTOR

-MAIN_LOG_SELECTOR = +tls_cipher +tls_peerdn
+MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn +tls_cipher

 .endif
 .endif

-

 # hcoop-change: use file_transport = address_file for /etc/aliases
 # delivery, as per old configuration
 SYSTEM_ALIASES_FILE_TRANSPORT = address_file
 # hcoop-change: use file_transport = address_file for /etc/aliases
 # delivery, as per old configuration
 SYSTEM_ALIASES_FILE_TRANSPORT = address_file

diff --git a/conf.d/main/02_exim4-config_options b/conf.d/main/02_exim4-config_options
index 47c8782..600d54a 100644 (file)
--- a/conf.d/main/02_exim4-config_options
+++ b/conf.d/main/02_exim4-config_options
@@ -84,6 +84,10 @@ MAIN_HOST_LOOKUP = *
 host_lookup = MAIN_HOST_LOOKUP
 .endif
 
 host_lookup = MAIN_HOST_LOOKUP
 .endif
 

+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support.  It has no effect if your library lacks
+# DNSSEC support.
+dns_dnssec_ok = 1

 
 # In a minimaldns setup, update-exim4.conf guesses the hostname and
 # dumps it here to avoid DNS lookups being done at Exim run time.
 
 # In a minimaldns setup, update-exim4.conf guesses the hostname and
 # dumps it here to avoid DNS lookups being done at Exim run time.


@@ -102,8 +106,8 @@ primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
 # (The default was reduced from 30s to 5s for release 4.61. and to
 # disabled for release 4.86)
 #
 # (The default was reduced from 30s to 5s for release 4.61. and to
 # disabled for release 4.86)
 #

-#rfc1413_hosts = 
-#rfc1413_query_timeout = 0s
+#rfc1413_hosts = *
+#rfc1413_query_timeout = 5s

 
 
 # Enable an efficiency feature.  We advertise the feature; clients
 
 
 # Enable an efficiency feature.  We advertise the feature; clients

diff --git a/conf.d/retry/30_exim4-config b/conf.d/retry/30_exim4-config
index 047175a..73822ef 100644 (file)
--- a/conf.d/retry/30_exim4-config
+++ b/conf.d/retry/30_exim4-config
@@ -27,5 +27,5 @@ hcoop.net              *           F,10m,1m; F,30m,5m; G,6h,10m,1.2; G,1d,1h,1.5
 gmail.com             data_4xx    G,2d,30m,1.5
 
 # Default
 gmail.com             data_4xx    G,2d,30m,1.5
 
 # Default

-*                      *           F,4h,10m; G,16h,1h,1.5; F,4d,6h
+*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

 
 

diff --git a/conf.d/router/200_exim4-config_primary b/conf.d/router/200_exim4-config_primary
index 8ed2236..68237aa 100644 (file)
--- a/conf.d/router/200_exim4-config_primary
+++ b/conf.d/router/200_exim4-config_primary
@@ -19,6 +19,7 @@ dnslookup_relay_to_domains:
   domains = ! +local_domains : ! +unix_domains : +relay_to_domains
   transport = remote_smtp
   same_domain_copy_routing = yes
   domains = ! +local_domains : ! +unix_domains : +relay_to_domains
   transport = remote_smtp
   same_domain_copy_routing = yes

+  dnssec_request_domains = *

   no_more
 
 # deliver mail directly to the recipient. This router is only reached
   no_more
 
 # deliver mail directly to the recipient. This router is only reached


@@ -36,6 +37,7 @@ dnslookup:
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                         172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                         172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255

+  dnssec_request_domains = *

   no_more
 
 .endif
   no_more
 
 .endif

diff --git a/conf.d/transport/30_exim4-config_remote_smtp b/conf.d/transport/30_exim4-config_remote_smtp
index 7534101..8430577 100644 (file)
--- a/conf.d/transport/30_exim4-config_remote_smtp
+++ b/conf.d/transport/30_exim4-config_remote_smtp
@@ -54,3 +54,7 @@ tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
 .ifdef REMOTE_SMTP_PRIVATEKEY
 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
 .endif
 .ifdef REMOTE_SMTP_PRIVATEKEY
 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
 .endif

+.ifndef REMOTE_SMTP_DISABLE_DANE
+dnssec_request_domains = *
+hosts_try_dane = *
+.endif

diff --git a/conf.d/transport/30_exim4-config_remote_smtp_smarthost b/conf.d/transport/30_exim4-config_remote_smtp_smarthost
index c5d0df2..8c6b757 100644 (file)
--- a/conf.d/transport/30_exim4-config_remote_smtp_smarthost
+++ b/conf.d/transport/30_exim4-config_remote_smtp_smarthost
@@ -12,11 +12,10 @@
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp
 remote_smtp_smarthost:
   debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
   driver = smtp

-
+  multi_domain

 .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 .endif
 .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 .endif

-

   hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
         {\
         ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
   hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
         {\
         ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\