merge hcoop transport configuration changes
[hcoop/zz_old/config/exim4-hopper.git] / exim4.conf.template
CommitLineData
d38e06ff
CE
1#####################################################
2### main/01_exim4-config_listmacrosdefs
3#####################################################
4######################################################################
5# Runtime configuration file for Exim 4 (Debian Packaging) #
6######################################################################
7
8######################################################################
9# /etc/exim4/exim4.conf.template is only used with the non-split
10# configuration scheme.
11# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
12# with the split configuration scheme.
13# If you find this comment anywhere else, somebody copied it there.
14# Documentation about the Debian exim4 configuration scheme can be
15# found in /usr/share/doc/exim4-base/README.Debian.gz.
16######################################################################
17
18######################################################################
19# MAIN CONFIGURATION SETTINGS #
20######################################################################
21
22# Just for reference and scripts.
23# On Debian systems, the main binary is installed as exim4 to avoid
24# conflicts with the exim 3 packages.
25exim_path = /usr/sbin/exim4
26
27# Macro defining the main configuration directory.
28# We do not use absolute paths.
29.ifndef CONFDIR
30CONFDIR = /etc/exim4
31.endif
32
33# debconf-driven macro definitions get inserted after this line
34UPEX4CmacrosUPEX4C = 1
35
36# Create domain and host lists for relay control
37# '@' refers to 'the name of the local host'
38
39# List of domains considered local for exim. Domains not listed here
40# need to be deliverable remotely.
41domainlist local_domains = MAIN_LOCAL_DOMAINS
42
43# List of recipient domains to relay _to_. Use this list if you're -
44# for example - fallback MX or mail gateway for domains.
45domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
46
47# List of sender networks (IP addresses) to _unconditionally_ relay
48# _for_. If you intend to be SMTP AUTH server, you do not need to enter
49# anything here.
50hostlist relay_from_hosts = MAIN_RELAY_NETS
51
52
53# Decide which domain to use to add to all unqualified addresses.
54# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
55# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
56# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
57# the first line of /etc/mailname is used.
58.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
59.ifndef MAIN_QUALIFY_DOMAIN
60qualify_domain = ETC_MAILNAME
61.else
62qualify_domain = MAIN_QUALIFY_DOMAIN
63.endif
64.endif
65
66# listen on all all interfaces?
67.ifdef MAIN_LOCAL_INTERFACES
68local_interfaces = MAIN_LOCAL_INTERFACES
69.endif
70
71.ifndef LOCAL_DELIVERY
72# The default transport, set in /etc/exim4/update-exim4.conf.conf,
73# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
74LOCAL_DELIVERY=mail_spool
75.endif
76
77# The gecos field in /etc/passwd holds not only the name. see passwd(5).
78gecos_pattern = ^([^,:]*)
79gecos_name = $1
80
81# define macros to be used in acl/30_exim4-config_check_rcpt to check
82# recipient local parts for strange characters.
83
84# This macro definition really should be in
85# acl/30_exim4-config_check_rcpt but cannot be there due to
86# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
87
88# These macros are documented in acl/30_exim4-config_check_rcpt,
89# can be changed here or overridden by a locally added configuration
90# file as described in README.Debian chapter 2.1.2
91
92.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
93CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
94.endif
95
96.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
97CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
98.endif
99
100# always log tls_peerdn as we use TLS for outgoing connects by default
101.ifndef MAIN_LOG_SELECTOR
102MAIN_LOG_SELECTOR = +tls_peerdn
103.endif
104#####################################################
105### end main/01_exim4-config_listmacrosdefs
106#####################################################
107#####################################################
108### main/02_exim4-config_options
109#####################################################
110
111### main/02_exim4-config_options
112#################################
113
114
115# Defines the access control list that is run when an
116# SMTP MAIL command is received.
117#
118.ifndef MAIN_ACL_CHECK_MAIL
119MAIN_ACL_CHECK_MAIL = acl_check_mail
120.endif
121acl_smtp_mail = MAIN_ACL_CHECK_MAIL
122
123
124# Defines the access control list that is run when an
125# SMTP RCPT command is received.
126#
127.ifndef MAIN_ACL_CHECK_RCPT
128MAIN_ACL_CHECK_RCPT = acl_check_rcpt
129.endif
130acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT
131
132
133# Defines the access control list that is run when an
134# SMTP DATA command is received.
135#
136.ifndef MAIN_ACL_CHECK_DATA
137MAIN_ACL_CHECK_DATA = acl_check_data
138.endif
139acl_smtp_data = MAIN_ACL_CHECK_DATA
140
141
142# Message size limit. The default (used when MESSAGE_SIZE_LIMIT
143# is unset) is 50 MB
144.ifdef MESSAGE_SIZE_LIMIT
145message_size_limit = MESSAGE_SIZE_LIMIT
146.endif
147
148
149# If you are running exim4-daemon-heavy or a custom version of Exim that
150# was compiled with the content-scanning extension, you can cause incoming
151# messages to be automatically scanned for viruses. You have to modify the
152# configuration in two places to set this up. The first of them is here,
153# where you define the interface to your scanner. This example is typical
154# for ClamAV; see the manual for details of what to set for other virus
155# scanners. The second modification is in the acl_check_data access
156# control list.
157
158# av_scanner = clamd:/tmp/clamd
159
160
161# For spam scanning, there is a similar option that defines the interface to
162# SpamAssassin. You do not need to set this if you are using the default, which
163# is shown in this commented example. As for virus scanning, you must also
164# modify the acl_check_data access control list to enable spam scanning.
165
166# spamd_address = 127.0.0.1 783
167
168# Domain used to qualify unqualified recipient addresses
169# If this option is not set, the qualify_domain value is used.
170# qualify_recipient = <value of qualify_domain>
171
172
173# Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
174# where the domain part is a "domain literal" (an IP address) instead
175# of a named domain. The RFCs require this facility, but it is disabled
176# in the default config since it is seldomly used and frequently abused.
177# Domain literal support also needs a special router, which is automatically
178# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
179# Additionally, you might want to make your local IP addresses (or @[])
180# local domains.
181.ifdef MAIN_ALLOW_DOMAIN_LITERALS
182allow_domain_literals
183.endif
184
185
186# Do a reverse DNS lookup on all incoming IP calls, in order to get the
187# true host name. If you feel this is too expensive, the networks for
188# which a lookup is done can be listed here.
189.ifndef DC_minimaldns
190.ifndef MAIN_HOST_LOOKUP
191MAIN_HOST_LOOKUP = *
192.endif
193host_lookup = MAIN_HOST_LOOKUP
194.endif
195
196
197# In a minimaldns setup, update-exim4.conf guesses the hostname and
198# dumps it here to avoid DNS lookups being done at Exim run time.
199.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
200primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
201.endif
202
203# The settings below, which are actually the same as the defaults in the
204# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
205# calls. You can limit the hosts to which these calls are made, and/or change
206# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
207# are disabled. RFC 1413 calls are cheap and can provide useful information
208# for tracing problem messages, but some hosts and firewalls are
209# misconfigured to drop the requests instead of either answering or
210# rejecting them. This can result in a timeout instead of an immediate refused
211# connection, leading to delays on starting up SMTP sessions. (The default was
212# reduced from 30s to 5s for release 4.61.)
213# rfc1413_hosts = *
214# rfc1413_query_timeout = 5s
215
216# When using an external relay tester (such as rt.njabl.org and/or the
217# currently defunct relay-test.mail-abuse.org, the test may be aborted
218# since exim complains about "too many nonmail commands". If you want
219# the test to complete, add the host from where "your" relay tester
220# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
221# Please note that a non-empty setting may cause extra DNS lookups to
222# happen, which is the reason why this option is commented out in the
223# default settings.
224# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
225.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
226smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
227.endif
228
229# By default, exim forces a Sender: header containing the local
230# account name at the local host name in all locally submitted messages
231# that don't have the local account name at the local host name in the
232# From: header, deletes any Sender: header present in the submitted
233# message and forces the envelope sender of all locally submitted
234# messages to the local account name at the local host name.
235# The following settings allow local users to specify their own envelope sender
236# in a locally submitted message. Sender: headers existing in a locally
237# submitted message are not removed, and no automatic Sender: headers
238# are added. These settings are fine for most hosts.
239# If you run exim on a classical multi-user systems where all users
240# have local mailboxes that can be reached via SMTP from the Internet
241# with the local FQDN as the domain part of the address, you might want
242# to disable the following three lines for traceability reasons.
243.ifndef MAIN_FORCE_SENDER
244local_from_check = false
245local_sender_retain = true
246untrusted_set_sender = *
247.endif
248
249
250# By default, Exim expects all envelope addresses to be fully qualified, that
251# is, they must contain both a local part and a domain. Configure exim
252# to accept unqualified addresses from certain hosts. When this is done,
253# unqualified addresses are qualified using the settings of qualify_domain
254# and/or qualify_recipient (see above).
255# sender_unqualified_hosts = <unset>
256# recipient_unqualified_hosts = <unset>
257
258
259# Configure Exim to support the "percent hack" for certain domains.
260# The "percent hack" is the feature by which mail addressed to x%y@z
261# (where z is one of the domains listed) is locally rerouted to x@y
262# and sent on. If z is not one of the "percent hack" domains, x%y is
263# treated as an ordinary local part. The percent hack is rarely needed
264# nowadays but frequently abused. You should not enable it unless you
265# are sure that you really need it.
266# percent_hack_domains = <unset>
267
268
269# Bounce handling
270.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
271MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
272.endif
273ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER
274
275.ifndef MAIN_TIMEOUT_FROZEN_AFTER
276MAIN_TIMEOUT_FROZEN_AFTER = 7d
277.endif
278timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER
279
280.ifndef MAIN_FREEZE_TELL
281MAIN_FREEZE_TELL = postmaster
282.endif
283freeze_tell = MAIN_FREEZE_TELL
284
285
286# Define spool directory
287.ifndef SPOOLDIR
288SPOOLDIR = /var/spool/exim4
289.endif
290spool_directory = SPOOLDIR
291
292
293# trusted users can set envelope-from to arbitrary values
294.ifndef MAIN_TRUSTED_USERS
295MAIN_TRUSTED_USERS = uucp
296.endif
297trusted_users = MAIN_TRUSTED_USERS
298.ifdef MAIN_TRUSTED_GROUPS
299trusted_groups = MAIN_TRUSTED_GROUPS
300.endif
301
302
303# users in admin group can do many other things
304# admin_groups = <unset>
305
306
307# SMTP Banner. The example includes the Debian version in the SMTP dialog
308# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
309# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
310#####################################################
311### end main/02_exim4-config_options
312#####################################################
313#####################################################
314### main/03_exim4-config_tlsoptions
315#####################################################
316
317### main/03_exim4-config_tlsoptions
318#################################
319
320# TLS/SSL configuration for exim as an SMTP server.
321# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
322
323.ifdef MAIN_TLS_ENABLE
324# Defines what hosts to 'advertise' STARTTLS functionality to. The
325# default, *, will advertise to all hosts that connect with EHLO.
326.ifndef MAIN_TLS_ADVERTISE_HOSTS
327MAIN_TLS_ADVERTISE_HOSTS = *
328.endif
329tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
330
331
332# Full paths to Certificate and Private Key. The Private Key file
333# must be kept 'secret' and should be owned by root.Debian-exim mode
334# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
335# Normally, exim4 looks for certificate and key in different files:
336# MAIN_TLS_CERTIFICATE - path to certificate file,
337# CONFDIR/exim.crt if unset
338# MAIN_TLS_PRIVATEKEY - path to private key file
339# CONFDIR/exim.key if unset
340# You can also configure exim to look for certificate and key in the
341# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
342# precedence over all other settings regarding certificate and key file.
343.ifdef MAIN_TLS_CERTKEY
344tls_certificate = MAIN_TLS_CERTKEY
345.else
346.ifndef MAIN_TLS_CERTIFICATE
347MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
348.endif
349tls_certificate = MAIN_TLS_CERTIFICATE
350
351.ifndef MAIN_TLS_PRIVATEKEY
352MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
353.endif
354tls_privatekey = MAIN_TLS_PRIVATEKEY
355.endif
356
357# Pointer to the CA Certificates against which client certificates are
358# checked. This is controlled by the `tls_verify_hosts' and
359# `tls_try_verify_hosts' lists below.
360# If you want to check server certificates, you need to add an
361# tls_verify_certificates statement to the smtp transport.
362# /etc/ssl/certs/ca-certificates.crt is generated by
363# the "ca-certificates" package's update-ca-certificates(8) command.
364.ifndef MAIN_TLS_VERIFY_CERTIFICATES
365MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
366 {/etc/ssl/certs/ca-certificates.crt}\
367 {/dev/null}}
368.endif
369tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
370
371
372# A list of hosts which are constrained by `tls_verify_certificates'. A host
373# that matches `tls_verify_host' must present a certificate that is
374# verifyable through `tls_verify_certificates' in order to be accepted as an
375# SMTP client. If it does not, the connection is aborted.
376.ifdef MAIN_TLS_VERIFY_HOSTS
377tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
378.endif
379
380# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
381# not `tls_verify_hosts'), request a certificate and check it against
382# `tls_verify_certificates' but do not abort the connection if there is no
383# certificate or if the certificate presented does not match. (This
384# condition can be tested for in ACLs through `verify = certificate')
385# By default, this check is done for all hosts. It is known that some
386# clients (including incredimail's version downloadable in February
387# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
388# empty value.
389.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
390MAIN_TLS_TRY_VERIFY_HOSTS = *
391.endif
392tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
393
394.endif
395#####################################################
396### end main/03_exim4-config_tlsoptions
397#####################################################
398#####################################################
399### main/90_exim4-config_log_selector
400#####################################################
401
402### main/90_exim4-config_log_selector
403#################################
404
405# uncomment this for debugging
406# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
407
408.ifdef MAIN_LOG_SELECTOR
409log_selector = MAIN_LOG_SELECTOR
410.endif
411#####################################################
412### end main/90_exim4-config_log_selector
413#####################################################
414#####################################################
415### acl/00_exim4-config_header
416#####################################################
417
418######################################################################
419# ACL CONFIGURATION #
420# Specifies access control lists for incoming SMTP mail #
421######################################################################
422begin acl
423
424
425#####################################################
426### end acl/00_exim4-config_header
427#####################################################
428#####################################################
429### acl/20_exim4-config_local_deny_exceptions
430#####################################################
431
432### acl/20_exim4-config_local_deny_exceptions
433#################################
434
435# This is used to determine whitelisted senders and hosts.
436# It checks for CONFDIR/host_local_deny_exceptions and
437# CONFDIR/sender_local_deny_exceptions.
438#
439# It is meant to be used from some other acl entry.
440#
441# See exim4-config_files(5) for details.
442#
443# If the files do not exist, the white list never matches, which is
444# the desired behaviour.
445#
446# The old file names CONFDIR/local_host_whitelist and
447# CONFDIR/local_sender_whitelist will continue to be honored for a
448# transition period. Their use is deprecated.
449
450acl_local_deny_exceptions:
451 accept
452 hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
453 {CONFDIR/host_local_deny_exceptions}\
454 {}}
455 accept
456 senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
457 {CONFDIR/sender_local_deny_exceptions}\
458 {}}
459 accept
460 hosts = ${if exists{CONFDIR/local_host_whitelist}\
461 {CONFDIR/local_host_whitelist}\
462 {}}
463 accept
464 senders = ${if exists{CONFDIR/local_sender_whitelist}\
465 {CONFDIR/local_sender_whitelist}\
466 {}}
467
468 # This hook allows you to hook in your own ACLs without having to
469 # modify this file. If you do it like we suggest, you'll end up with
470 # a small performance penalty since there is an additional file being
471 # accessed. This doesn't happen if you leave the macro unset.
472 .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
473 .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
474 .endif
475
476 # this is still supported for a transition period and is deprecated.
477 .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
478 .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
479 .endif
480#####################################################
481### end acl/20_exim4-config_local_deny_exceptions
482#####################################################
483#####################################################
484### acl/30_exim4-config_check_mail
485#####################################################
486
487### acl/30_exim4-config_check_mail
488#################################
489
490# This access control list is used for every MAIL command in an incoming
491# SMTP message. The tests are run in order until the address is either
492# accepted or denied.
493#
494acl_check_mail:
495 .ifdef CHECK_MAIL_HELO_ISSUED
496 deny
497 message = no HELO given before MAIL command
498 condition = ${if def:sender_helo_name {no}{yes}}
499 .endif
500
501 accept
502#####################################################
503### end acl/30_exim4-config_check_mail
504#####################################################
505#####################################################
506### acl/30_exim4-config_check_rcpt
507#####################################################
508
509### acl/30_exim4-config_check_rcpt
510#################################
511
512# This access control list is used for every RCPT command in an incoming
513# SMTP message. The tests are run in order until the address is either
514# accepted or denied.
515#
516acl_check_rcpt:
517
518 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
519 # testing for an empty sending host field.
520 accept
521 hosts = :
522
523
524 # The following section of the ACL is concerned with local parts that contain
525 # certain non-alphanumeric characters. Dots in unusual places are
526 # handled by this ACL as well.
527 #
528 # Non-alphanumeric characters other than dots are rarely found in genuine
529 # local parts, but are often tried by people looking to circumvent
530 # relaying restrictions. Therefore, although they are valid in local
531 # parts, these rules disallow certain non-alphanumeric characters, as
532 # a precaution.
533 #
534 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
535 # allows them because they have been encountered. (Consider local parts
536 # constructed as "firstinitial.secondinitial.familyname" when applied to
537 # a name without a second initial.) However, a local part starting
538 # with a dot or containing /../ can cause trouble if it is used as part of a
539 # file name (e.g. for a mailing list). This is also true for local parts that
540 # contain slashes. A pipe symbol can also be troublesome if the local part is
541 # incorporated unthinkingly into a shell command line.
542 #
543 # These ACL components will block recipient addresses that are valid
544 # from an RFC2822 point of view. We chose to have them blocked by
545 # default for security reasons.
546 #
547 # If you feel that your site should have less strict recipient
548 # checking, please feel free to change the default values of the macros
549 # defined in main/01_exim4-config_listmacrosdefs or override them from a
550 # local configuration file.
551 #
552 # Two different rules are used. The first one has a quite strict
553 # default, and is applied to messages that are addressed to one of the
554 # local domains handled by this host.
555
556 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
557 # main/01_exim4-config_listmacrosdefs:
558 # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
559 # This blocks local parts that begin with a dot or contain a quite
560 # broad range of non-alphanumeric characters.
561 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
562 deny
563 domains = +local_domains
564 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
565 message = restricted characters in address
566 .endif
567
568
569 # The second rule applies to all other domains, and its default is
570 # considerably less strict.
571
572 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
573 # main/01_exim4-config_listmacrosdefs:
574 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
575
576 # It allows local users to send outgoing messages to sites
577 # that use slashes and vertical bars in their local parts. It blocks
578 # local parts that begin with a dot, slash, or vertical bar, but allows
579 # these characters within the local part. However, the sequence /../ is
580 # barred. The use of some other non-alphanumeric characters is blocked.
581 # Single quotes might probably be dangerous as well, but they're
582 # allowed by the default regexps to avoid rejecting mails to Ireland.
583 # The motivation here is to prevent local users (or local users' malware)
584 # from mounting certain kinds of attack on remote sites.
585 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
586 deny
587 domains = !+local_domains
588 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
589 message = restricted characters in address
590 .endif
591
592
593 # Accept mail to postmaster in any local domain, regardless of the source,
594 # and without verifying the sender.
595 #
596 accept
597 .ifndef CHECK_RCPT_POSTMASTER
598 local_parts = postmaster
599 .else
600 local_parts = CHECK_RCPT_POSTMASTER
601 .endif
602 domains = +local_domains : +relay_to_domains
603
604
605 # Deny unless the sender address can be verified.
606 #
607 # This is disabled by default so that DNSless systems don't break. If
608 # your system can do DNS lookups without delay or cost, you might want
609 # to enable this feature.
610 #
611 # This feature does not work in smarthost and satellite setups as
612 # with these setups all domains pass verification. See spec.txt chapter
613 # 39.31 with the added information that a smarthost/satellite setup
614 # routes all non-local e-mail to the smarthost.
615 .ifdef CHECK_RCPT_VERIFY_SENDER
616 deny
617 message = Sender verification failed
618 !acl = acl_local_deny_exceptions
619 !verify = sender
620 .endif
621
622 # Verify senders listed in local_sender_callout with a callout.
623 #
624 # In smarthost and satellite setups, this causes the callout to be
625 # done to the smarthost. Verification will thus only be reliable if the
626 # smarthost does reject illegal addresses in the SMTP dialog.
627 deny
628 !acl = acl_local_deny_exceptions
629 senders = ${if exists{CONFDIR/local_sender_callout}\
630 {CONFDIR/local_sender_callout}\
631 {}}
632 !verify = sender/callout
633
634
635 # Accept if the message comes from one of the hosts for which we are an
636 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
637 # so we set control=submission to make Exim treat the message as a
638 # submission. It will fix up various errors in the message, for example, the
639 # lack of a Date: header line. If you are actually relaying out out from
640 # MTAs, you may want to disable this. If you are handling both relaying from
641 # MTAs and submissions from MUAs you should probably split them into two
642 # lists, and handle them differently.
643
644 # Recipient verification is omitted here, because in many cases the clients
645 # are dumb MUAs that don't cope well with SMTP error responses. If you are
646 # actually relaying out from MTAs, you should probably add recipient
647 # verification here.
648
649 # Note that, by putting this test before any DNS black list checks, you will
650 # always accept from these hosts, even if they end up on a black list. The
651 # assumption is that they are your friends, and if they get onto black
652 # list, it is a mistake.
653 accept
654 hosts = +relay_from_hosts
655 control = submission/sender_retain
656
657
658 # Accept if the message arrived over an authenticated connection, from
659 # any host. Again, these messages are usually from MUAs, so recipient
660 # verification is omitted, and submission mode is set. And again, we do this
661 # check before any black list tests.
662 accept
663 authenticated = *
664 control = submission/sender_retain
665
666
667 # Insist that any other recipient address that we accept is either in one of
668 # our local domains, or is in a domain for which we explicitly allow
669 # relaying. Any other domain is rejected as being unacceptable for relaying.
670 require
671 message = relay not permitted
672 domains = +local_domains : +relay_to_domains
673
674
675 # We also require all accepted addresses to be verifiable. This check will
676 # do local part verification for local domains, but only check the domain
677 # for remote domains.
678 require
679 verify = recipient
680
681
682 # Verify recipients listed in local_rcpt_callout with a callout.
683 # This is especially handy for forwarding MX hosts (secondary MX or
684 # mail hubs) of domains that receive a lot of spam to non-existent
685 # addresses. The only way to check local parts for remote relay
686 # domains is to use a callout (add /callout), but please read the
687 # documentation about callouts before doing this.
688 deny
689 !acl = acl_local_deny_exceptions
690 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
691 {CONFDIR/local_rcpt_callout}\
692 {}}
693 !verify = recipient/callout
694
695
696 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
697 # should have their access denied to the local host. Incoming messages
698 # with one of these senders are rejected at RCPT time.
699 #
700 # The explicit white lists are honored as well as negative items in
701 # the black list. See exim4-config_files(5) for details.
702 deny
703 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
704 !acl = acl_local_deny_exceptions
705 senders = ${if exists{CONFDIR/local_sender_blacklist}\
706 {CONFDIR/local_sender_blacklist}\
707 {}}
708
709
710 # deny bad sites (IP address)
711 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
712 # and networks (CIDR notation) that should have their access denied to
713 # The local host. Messages coming in from a listed host will have all
714 # RCPT statements rejected.
715 #
716 # The explicit white lists are honored as well as negative items in
717 # the black list. See exim4-config_files(5) for details.
718 deny
719 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
720 !acl = acl_local_deny_exceptions
721 hosts = ${if exists{CONFDIR/local_host_blacklist}\
722 {CONFDIR/local_host_blacklist}\
723 {}}
724
725
726 # Warn if the sender host does not have valid reverse DNS.
727 #
728 # If your system can do DNS lookups without delay or cost, you might want
729 # to enable this.
730 # If sender_host_address is defined, it's a remote call. If
731 # sender_host_name is not defined, then reverse lookup failed. Use
732 # this instead of !verify = reverse_host_lookup to catch deferrals
733 # as well as outright failures.
734 .ifdef CHECK_RCPT_REVERSE_DNS
735 warn
736 message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
737 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
738 {yes}{no}}
739 .endif
740
741
742 # Use spfquery to perform a pair of SPF checks (for details, see
743 # http://www.openspf.org/)
744 #
745 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
746 # enable if that's an issue. Also note that if you enable this, you must
747 # install "libmail-spf-query-perl" which provides the spfquery command.
748 # Missing libmail-spf-query-perl will trigger the "Unexpected error in
749 # SPF check" warning.
750 .ifdef CHECK_RCPT_SPF
751 deny
752 message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
753 Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
754 log_message = SPF check failed.
755 !acl = acl_local_deny_exceptions
756 condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
757 {no}{${if eq {$runrc}{1}{yes}{no}}}}
758
759 defer
760 message = Temporary DNS error while checking SPF record. Try again later.
761 condition = ${if eq {$runrc}{5}{yes}{no}}
762
763 warn
764 message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
765 {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
766 condition = ${if <={$runrc}{6}{yes}{no}}
767
768 warn
769 log_message = Unexpected error in SPF check.
770 condition = ${if >{$runrc}{6}{yes}{no}}
771
772 # Support for best-guess (see http://www.openspf.org/developers-guide.html)
773 warn
774 message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
775 {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
776 {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
777 condition = ${if <={$runrc}{6}{yes}{no}}
778
779 defer
780 message = Temporary DNS error while checking SPF record. Try again later.
781 condition = ${if eq {$runrc}{5}{yes}{no}}
782 .endif
783
784
785 # Check against classic DNS "black" lists (DNSBLs) which list
786 # sender IP addresses
787 .ifdef CHECK_RCPT_IP_DNSBLS
788 warn
789 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
790 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
791 dnslists = CHECK_RCPT_IP_DNSBLS
792 .endif
793
794
795 # Check against DNSBLs which list sender domains, with an option to locally
796 # whitelist certain domains that might be blacklisted.
797 #
798 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
799 # "/$sender_address_domain" after each domain. For example:
800 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
801 # : rhsbl.bar.org/$sender_address_domain
802 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
803 warn
804 message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
805 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
806 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
807 {CONFDIR/local_domain_dnsbl_whitelist}\
808 {}}
809 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
810 .endif
811
812
813 # This hook allows you to hook in your own ACLs without having to
814 # modify this file. If you do it like we suggest, you'll end up with
815 # a small performance penalty since there is an additional file being
816 # accessed. This doesn't happen if you leave the macro unset.
817 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
818 .include CHECK_RCPT_LOCAL_ACL_FILE
819 .endif
820
821
822 #############################################################################
823 # This check is commented out because it is recognized that not every
824 # sysadmin will want to do it. If you enable it, the check performs
825 # Client SMTP Authorization (csa) checks on the sending host. These checks
826 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
827 # an Internet draft. You can, of course, add additional conditions to this
828 # ACL statement to restrict the CSA checks to certain hosts only.
829 #
830 # require verify = csa
831 #############################################################################
832
833
834 # Accept if the address is in a domain for which we are an incoming relay,
835 # but again, only if the recipient can be verified.
836
837 accept
838 domains = +relay_to_domains
839 endpass
840 verify = recipient
841
842
843 # At this point, the address has passed all the checks that have been
844 # configured, so we accept it unconditionally.
845
846 accept
847#####################################################
848### end acl/30_exim4-config_check_rcpt
849#####################################################
850#####################################################
851### acl/40_exim4-config_check_data
852#####################################################
853
854### acl/40_exim4-config_check_data
855#################################
856
857# This ACL is used after the contents of a message have been received. This
858# is the ACL in which you can test a message's headers or body, and in
859# particular, this is where you can invoke external virus or spam scanners.
860
861acl_check_data:
862
863 # Deny unless the address list headers are syntactically correct.
864 #
865 # If you enable this, you might reject legitimate mail.
866 .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
867 deny
868 message = Message headers fail syntax check
869 !acl = acl_local_deny_exceptions
870 !verify = header_syntax
871 .endif
872
873
874 # require that there is a verifiable sender address in at least
875 # one of the "Sender:", "Reply-To:", or "From:" header lines.
876 .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
877 deny
878 message = No verifiable sender address in message headers
879 !acl = acl_local_deny_exceptions
880 !verify = header_sender
881 .endif
882
883
884 # Deny if the message contains malware. Before enabling this check, you
885 # must install a virus scanner and set the av_scanner option in the
886 # main configuration.
887 #
888 # exim4-daemon-heavy must be used for this section to work.
889 #
890 # deny
891 # malware = *
892 # message = This message was detected as possible malware ($malware_name).
893
894
895 # Add headers to a message if it is judged to be spam. Before enabling this,
896 # you must install SpamAssassin. You also need to set the spamd_address
897 # option in the main configuration.
898 #
899 # exim4-daemon-heavy must be used for this section to work.
900 #
901 # Please note that this is only suiteable as an example. There are
902 # multiple issues with this configuration method. For example, if you go
903 # this way, you'll give your spamassassin daemon write access to the
904 # entire exim spool which might be a security issue in case of a
905 # spamassassin exploit.
906 #
907 # See the exim docs and the exim wiki for more suitable examples.
908 #
909 # warn
910 # spam = Debian-exim:true
911 # message = X-Spam_score: $spam_score\n\
912 # X-Spam_score_int: $spam_score_int\n\
913 # X-Spam_bar: $spam_bar\n\
914 # X-Spam_report: $spam_report
915
916
917 # This hook allows you to hook in your own ACLs without having to
918 # modify this file. If you do it like we suggest, you'll end up with
919 # a small performance penalty since there is an additional file being
920 # accessed. This doesn't happen if you leave the macro unset.
921 .ifdef CHECK_DATA_LOCAL_ACL_FILE
922 .include CHECK_DATA_LOCAL_ACL_FILE
923 .endif
924
925
926 # accept otherwise
927 accept
928#####################################################
929### end acl/40_exim4-config_check_data
930#####################################################
931#####################################################
932### router/00_exim4-config_header
933#####################################################
934
935######################################################################
936# ROUTERS CONFIGURATION #
937# Specifies how addresses are handled #
938######################################################################
939# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
940# An address is passed to each router in turn until it is accepted. #
941######################################################################
942
943begin routers
944
945#####################################################
946### end router/00_exim4-config_header
947#####################################################
948#####################################################
949### router/100_exim4-config_domain_literal
950#####################################################
951
952### router/100_exim4-config_domain_literal
953#################################
954
955# This router handles e-mail addresses in "domain literal" form like
956# <user@[10.11.12.13]>. The RFCs require this facility, but it is disabled
957# in the default config since it is seldomly used and frequently abused.
958# Domain literal support also needs to be enabled in the main config,
959# which is automatically done if you use the enable macro
960# MAIN_ALLOW_DOMAIN_LITERALS.
961
962.ifdef MAIN_ALLOW_DOMAIN_LITERALS
963domain_literal:
964 debug_print = "R: domain_literal for $local_part@$domain"
965 driver = ipliteral
966 domains = ! +local_domains
967 transport = remote_smtp
968.endif
969#####################################################
970### end router/100_exim4-config_domain_literal
971#####################################################
972#####################################################
973### router/150_exim4-config_hubbed_hosts
974#####################################################
975
976# router/150_exim4-config_hubbed_hosts
977#################################
978
979# route specific domains manually.
980#
981# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
982# more detailed documentation.
983
984hubbed_hosts:
985 debug_print = "R: hubbed_hosts for $domain"
986 driver = manualroute
987 domains = "${if exists{CONFDIR/hubbed_hosts}\
988 {partial-lsearch;CONFDIR/hubbed_hosts}\
989 fail}"
990 same_domain_copy_routing = yes
991 route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
992 transport = remote_smtp
993#####################################################
994### end router/150_exim4-config_hubbed_hosts
995#####################################################
996#####################################################
997### router/200_exim4-config_primary
998#####################################################
999
1000### router/200_exim4-config_primary
1001#################################
1002# This file holds the primary router, responsible for nonlocal mails
1003
1004.ifdef DCconfig_internet
1005# configtype=internet
1006#
1007# deliver mail to the recipient if recipient domain is a domain we
1008# relay for. We do not ignore any target hosts here since delivering to
1009# a site local or even a link local address might be wanted here, and if
1010# such an address has found its way into the MX record of such a domain,
1011# the local admin is probably in a place where that broken MX record
1012# could be fixed.
1013
1014dnslookup_relay_to_domains:
1015 debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
1016 driver = dnslookup
1017 domains = ! +local_domains : +relay_to_domains
1018 transport = remote_smtp
1019 same_domain_copy_routing = yes
1020 no_more
1021
1022# deliver mail directly to the recipient. This router is only reached
1023# for domains that we do not relay for. Since we most probably can't
1024# have broken MX records pointing to site local or link local IP
1025# addresses fixed, we ignore target hosts pointing to these addresses.
1026
1027dnslookup:
1028 debug_print = "R: dnslookup for $local_part@$domain"
1029 driver = dnslookup
1030 domains = ! +local_domains
1031 transport = remote_smtp
1032 same_domain_copy_routing = yes
1033 # ignore private rfc1918 and APIPA addresses
1034 ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
1035 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
1036 255.255.255.255
1037 no_more
1038
1039.endif
1040
1041
1042.ifdef DCconfig_local
1043# configtype=local
1044#
1045# Stand-alone system, so generate an error for mail to a non-local domain
1046nonlocal:
1047 debug_print = "R: nonlocal for $local_part@$domain"
1048 driver = redirect
1049 domains = ! +local_domains
1050 allow_fail
1051 data = :fail: Mailing to remote domains not supported
1052 no_more
1053
1054.endif
1055
1056
1057.ifdef DCconfig_smarthost DCconfig_satellite
1058# configtype=smarthost or configtype=satellite
1059#
1060# Send all non-local mail to a single other machine (smarthost).
1061#
1062# This means _ALL_ non-local mail goes to the smarthost. This will most
1063# probably not do what you want for domains that are listed in
1064# relay_domains. The most typical use for relay_domains is to control
1065# relaying for incoming e-mail on secondary MX hosts. In that case,
1066# it doesn't make sense to send the mail to the smarthost since the
1067# smarthost will probably send the message right back here, causing a
1068# loop.
1069#
1070# If you want to use a smarthost while being secondary MX for some
1071# domains, you'll need to copy the dnslookup_relay_to_domains router
1072# here so that mail to relay_domains is handled separately.
1073
1074smarthost:
1075 debug_print = "R: smarthost for $local_part@$domain"
1076 driver = manualroute
1077 domains = ! +local_domains
1078 transport = remote_smtp_smarthost
1079 route_list = * DCsmarthost byname
1080 host_find_failed = defer
1081 same_domain_copy_routing = yes
1082 no_more
1083
1084.endif
1085
1086
1087# The "no_more" above means that all later routers are for
1088# domains in the local_domains list, i.e. just like Exim 3 directors.
1089#####################################################
1090### end router/200_exim4-config_primary
1091#####################################################
1092#####################################################
1093### router/300_exim4-config_real_local
1094#####################################################
1095
1096### router/300_exim4-config_real_local
1097#################################
1098
1099# This router allows reaching a local user while avoiding local
1100# processing. This can be used to inform a user of a broken .forward
1101# file, for example. The userforward router does this.
1102
1103COND_LOCAL_SUBMITTER = "\
1104 ${if match_ip{$sender_host_address}{:@[]}\
1105 {1}{0}\
1106 }"
1107
1108real_local:
1109 debug_print = "R: real_local for $local_part@$domain"
1110 driver = accept
1111 domains = +local_domains
1112 condition = COND_LOCAL_SUBMITTER
1113 local_part_prefix = real-
1114 check_local_user
1115 transport = LOCAL_DELIVERY
1116
1117#####################################################
1118### end router/300_exim4-config_real_local
1119#####################################################
1120#####################################################
1121### router/400_exim4-config_system_aliases
1122#####################################################
1123
1124### router/400_exim4-config_system_aliases
1125#################################
1126
1127# This router handles aliasing using a traditional /etc/aliases file.
1128#
1129##### NB You must ensure that /etc/aliases exists. It used to be the case
1130##### NB that every Unix had that file, because it was the Sendmail default.
1131##### NB These days, there are systems that don't have it. Your aliases
1132##### NB file should at least contain an alias for "postmaster".
1133#
1134# This router handles the local part in a case-insensitive way which
1135# satisfies the RFCs requirement that postmaster be reachable regardless
1136# of case. If you decide to handle /etc/aliases in a caseful way, you
1137# need to make arrangements for a caseless postmaster.
1138#
1139# Delivery to arbitrary directories, files, and piping to programs in
1140# /etc/aliases is disabled per default.
1141# If that is a problem for you, see
1142# /usr/share/doc/exim4-base/README.Debian.gz
1143# for explanation and some workarounds.
1144
1145system_aliases:
1146 debug_print = "R: system_aliases for $local_part@$domain"
1147 driver = redirect
1148 domains = +local_domains
1149 allow_fail
1150 allow_defer
1151 data = ${lookup{$local_part}lsearch{/etc/aliases}}
1152 .ifdef SYSTEM_ALIASES_USER
1153 user = SYSTEM_ALIASES_USER
1154 .endif
1155 .ifdef SYSTEM_ALIASES_GROUP
1156 group = SYSTEM_ALIASES_GROUP
1157 .endif
1158 .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
1159 file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
1160 .endif
1161 .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
1162 pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
1163 .endif
1164 .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
1165 directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
1166 .endif
1167#####################################################
1168### end router/400_exim4-config_system_aliases
1169#####################################################
1170#####################################################
1171### router/500_exim4-config_hubuser
1172#####################################################
1173
1174### router/500_exim4-config_hubuser
1175#################################
1176
1177.ifdef DCconfig_satellite
1178# This router is only used for configtype=satellite.
1179# It takes care to route all mail targetted to <somelocaluser@this.machine>
1180# to the host where we read our mail
1181#
1182hub_user:
1183 debug_print = "R: hub_user for $local_part@$domain"
1184 driver = redirect
1185 domains = +local_domains
1186 data = ${local_part}@DCreadhost
1187 check_local_user
1188
1189# Grab the redirected mail and deliver it.
1190# This is a duplicate of the smarthost router, needed because
1191# DCreadhost might end up as part of +local_domains
1192hub_user_smarthost:
1193 debug_print = "R: hub_user_smarthost for $local_part@$domain"
1194 driver = manualroute
1195 domains = DCreadhost
1196 transport = remote_smtp_smarthost
1197 route_list = * DCsmarthost byname
1198 host_find_failed = defer
1199 same_domain_copy_routing = yes
1200 check_local_user
1201.endif
1202
1203
1204#####################################################
1205### end router/500_exim4-config_hubuser
1206#####################################################
1207#####################################################
1208### router/600_exim4-config_userforward
1209#####################################################
1210
1211### router/600_exim4-config_userforward
1212#################################
1213
1214# This router handles forwarding using traditional .forward files in users'
1215# home directories. It also allows mail filtering with a forward file
1216# starting with the string "# Exim filter" or "# Sieve filter".
1217#
1218# The no_verify setting means that this router is skipped when Exim is
1219# verifying addresses. Similarly, no_expn means that this router is skipped if
1220# Exim is processing an EXPN command.
1221#
1222# The check_ancestor option means that if the forward file generates an
1223# address that is an ancestor of the current one, the current one gets
1224# passed on instead. This covers the case where A is aliased to B and B
1225# has a .forward file pointing to A.
1226#
1227# The four transports specified at the end are those that are used when
1228# forwarding generates a direct delivery to a directory, or a file, or to a
1229# pipe, or sets up an auto-reply, respectively.
1230#
1231userforward:
1232 debug_print = "R: userforward for $local_part@$domain"
1233 driver = redirect
1234 domains = +local_domains
1235 check_local_user
1236 file = $home/.forward
1237 require_files = $local_part:$home/.forward
1238 no_verify
1239 no_expn
1240 check_ancestor
1241 allow_filter
1242 forbid_smtp_code = true
1243 directory_transport = address_directory
1244 file_transport = address_file
1245 pipe_transport = address_pipe
1246 reply_transport = address_reply
1247 skip_syntax_errors
1248 syntax_errors_to = real-$local_part@$domain
1249 syntax_errors_text = \
1250 This is an automatically generated message. An error has\n\
1251 been found in your .forward file. Details of the error are\n\
1252 reported below. While this error persists, you will receive\n\
1253 a copy of this message for every message that is addressed\n\
1254 to you. If your .forward file is a filter file, or if it is\n\
1255 a non-filter file containing no valid forwarding addresses,\n\
1256 a copy of each incoming message will be put in your normal\n\
1257 mailbox. If a non-filter file contains at least one valid\n\
1258 forwarding address, forwarding to the valid addresses will\n\
1259 happen, and those will be the only deliveries that occur.
1260
1261#####################################################
1262### end router/600_exim4-config_userforward
1263#####################################################
1264#####################################################
1265### router/700_exim4-config_procmail
1266#####################################################
1267
1268procmail:
1269 debug_print = "R: procmail for $local_part@$domain"
1270 driver = accept
1271 domains = +local_domains
1272 check_local_user
1273 transport = procmail_pipe
1274 # emulate OR with "if exists"-expansion
1275 require_files = ${local_part}:\
1276 ${if exists{/etc/procmailrc}\
1277 {/etc/procmailrc}{${home}/.procmailrc}}:\
1278 +/usr/bin/procmail
1279 no_verify
1280 no_expn
1281
1282#####################################################
1283### end router/700_exim4-config_procmail
1284#####################################################
1285#####################################################
1286### router/800_exim4-config_maildrop
1287#####################################################
1288
1289### router/800_exim4-config_maildrop
1290#################################
1291
1292maildrop:
1293 debug_print = "R: maildrop for $local_part@$domain"
1294 driver = accept
1295 domains = +local_domains
1296 check_local_user
1297 transport = maildrop_pipe
1298 require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
1299 no_verify
1300 no_expn
1301
1302#####################################################
1303### end router/800_exim4-config_maildrop
1304#####################################################
1305#####################################################
1306### router/850_exim4-config_lowuid
1307#####################################################
1308
1309### router/850_exim4-config_lowuid
1310#################################
1311
1312.ifndef FIRST_USER_ACCOUNT_UID
1313FIRST_USER_ACCOUNT_UID = 0
1314.endif
1315
1316.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
1317DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
1318.endif
1319
1320COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
1321 ${if and{{! match_ip{$sender_host_address}{:@[]}}\
1322 {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
1323 {1}{0}\
1324 }"
1325
1326lowuid_aliases:
1327 debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
1328 check_local_user
1329 driver = redirect
1330 allow_fail
1331 domains = +local_domains
1332 condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
1333 data = ${if exists{/etc/exim4/lowuid-aliases}\
1334 {${lookup{$local_part}lsearch{/etc/exim4/lowuid-aliases}\
1335 {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
1336#####################################################
1337### end router/850_exim4-config_lowuid
1338#####################################################
1339#####################################################
1340### router/900_exim4-config_local_user
1341#####################################################
1342
1343### router/900_exim4-config_local_user
1344#################################
1345
1346# This router matches local user mailboxes. If the router fails, the error
1347# message is "Unknown user".
1348
1349local_user:
1350 debug_print = "R: local_user for $local_part@$domain"
1351 driver = accept
1352 domains = +local_domains
1353 check_local_user
1354 local_parts = ! root
1355 transport = LOCAL_DELIVERY
1356 cannot_route_message = Unknown user
1357#####################################################
1358### end router/900_exim4-config_local_user
1359#####################################################
1360#####################################################
1361### router/mmm_mail4root
1362#####################################################
1363
1364### router/mmm_mail4root
1365#################################
1366# deliver mail addressed to root to /var/mail/mail as user mail:mail
1367# if it was not redirected in /etc/aliases or by other means
1368# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
1369
1370mail4root:
1371 debug_print = "R: mail4root for $local_part@$domain"
1372 driver = redirect
1373 domains = +local_domains
1374 data = /var/mail/mail
1375 file_transport = address_file
1376 local_parts = root
1377 user = mail
1378 group = mail
1379
1380#####################################################
1381### end router/mmm_mail4root
1382#####################################################
1383#####################################################
1384### transport/00_exim4-config_header
1385#####################################################
1386
1387######################################################################
1388# TRANSPORTS CONFIGURATION #
1389######################################################################
1390# ORDER DOES NOT MATTER #
1391# Only one appropriate transport is called for each delivery. #
1392######################################################################
1393
1394# A transport is used only when referenced from a router that successfully
1395# handles an address.
1396
1397begin transports
1398
1399#####################################################
1400### end transport/00_exim4-config_header
1401#####################################################
1402#####################################################
1403### transport/10_exim4-config_transport-macros
1404#####################################################
1405
1406### transport/10_exim4-config_transport-macros
1407#################################
1408
1409.ifdef HIDE_MAILNAME
1410REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
1411REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
1412.endif
1413
1414.ifdef REMOTE_SMTP_HELO_FROM_DNS
1415REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
1416.endif
1417#####################################################
1418### end transport/10_exim4-config_transport-macros
1419#####################################################
1420#####################################################
1421### transport/30_exim4-config_address_file
1422#####################################################
1423
1424# This transport is used for handling deliveries directly to files that are
1425# generated by aliasing or forwarding.
1426#
1427address_file:
1428 debug_print = "T: address_file for $local_part@$domain"
1429 driver = appendfile
1430 delivery_date_add
1431 envelope_to_add
1432 return_path_add
1433
1434#####################################################
1435### end transport/30_exim4-config_address_file
1436#####################################################
1437#####################################################
1438### transport/30_exim4-config_address_pipe
1439#####################################################
1440
1441# This transport is used for handling pipe deliveries generated by
1442# .forward files. If the commands fails and produces any output on standard
1443# output or standard error streams, the output is returned to the sender
1444# of the message as a delivery error.
1445address_pipe:
1446 debug_print = "T: address_pipe for $local_part@$domain"
1447 driver = pipe
1448 return_fail_output
1449
1450#####################################################
1451### end transport/30_exim4-config_address_pipe
1452#####################################################
1453#####################################################
1454### transport/30_exim4-config_address_reply
1455#####################################################
1456
1457# This transport is used for handling autoreplies generated by the filtering
1458# option of the userforward router.
1459#
1460address_reply:
1461 debug_print = "T: autoreply for $local_part@$domain"
1462 driver = autoreply
1463
1464#####################################################
1465### end transport/30_exim4-config_address_reply
1466#####################################################
1467#####################################################
1468### transport/30_exim4-config_mail_spool
1469#####################################################
1470
1471### transport/30_exim4-config_mail_spool
1472
1473# This transport is used for local delivery to user mailboxes in traditional
1474# BSD mailbox format.
1475#
1476mail_spool:
1477 debug_print = "T: appendfile for $local_part@$domain"
1478 driver = appendfile
1479 file = /var/mail/$local_part
1480 delivery_date_add
1481 envelope_to_add
1482 return_path_add
1483 group = mail
1484 mode = 0660
1485 mode_fail_narrower = false
1486
1487#####################################################
1488### end transport/30_exim4-config_mail_spool
1489#####################################################
1490#####################################################
1491### transport/30_exim4-config_maildir_home
1492#####################################################
1493
1494### transport/30_exim4-config_maildir_home
1495#################################
1496
1497# Use this instead of mail_spool if you want to to deliver to Maildir in
1498# home-directory - change the definition of LOCAL_DELIVERY
1499#
1500maildir_home:
1501 debug_print = "T: maildir_home for $local_part@$domain"
1502 driver = appendfile
1503 .ifdef MAILDIR_HOME_MAILDIR_LOCATION
1504 directory = MAILDIR_HOME_MAILDIR_LOCATION
1505 .else
1506 directory = $home/Maildir
1507 .endif
1508 .ifdef MAILDIR_HOME_CREATE_DIRECTORY
1509 create_directory
1510 .endif
1511 .ifdef MAILDIR_HOME_CREATE_FILE
1512 create_file = MAILDIR_HOME_CREATE_FILE
1513 .endif
1514 delivery_date_add
1515 envelope_to_add
1516 return_path_add
1517 maildir_format
1518 .ifdef MAILDIR_HOME_DIRECTORY_MODE
1519 directory_mode = MAILDIR_HOME_DIRECTORY_MODE
1520 .else
1521 directory_mode = 0700
1522 .endif
1523 .ifdef MAILDIR_HOME_MODE
1524 mode = MAILDIR_HOME_MODE
1525 .else
1526 mode = 0600
1527 .endif
1528 mode_fail_narrower = false
1529 # This transport always chdirs to $home before trying to deliver. If
1530 # $home is not accessible, this chdir fails and prevents delivery.
1531 # If you are in a setup where home directories might not be
1532 # accessible, uncomment the current_directory line below.
1533 # current_directory = /
1534#####################################################
1535### end transport/30_exim4-config_maildir_home
1536#####################################################
1537#####################################################
1538### transport/30_exim4-config_maildrop_pipe
1539#####################################################
1540
1541maildrop_pipe:
1542 debug_print = "T: maildrop_pipe for $local_part@$domain"
1543 driver = pipe
1544 path = "/bin:/usr/bin:/usr/local/bin"
1545 command = "/usr/bin/maildrop"
1546 return_path_add
1547 delivery_date_add
1548 envelope_to_add
1549
1550#####################################################
1551### end transport/30_exim4-config_maildrop_pipe
1552#####################################################
1553#####################################################
1554### transport/30_exim4-config_procmail_pipe
1555#####################################################
1556
1557procmail_pipe:
1558 debug_print = "T: procmail_pipe for $local_part@$domain"
1559 driver = pipe
1560 path = "/bin:/usr/bin:/usr/local/bin"
1561 command = "/usr/bin/procmail"
1562 return_path_add
1563 delivery_date_add
1564 envelope_to_add
1565
1566#####################################################
1567### end transport/30_exim4-config_procmail_pipe
1568#####################################################
1569#####################################################
1570### transport/30_exim4-config_remote_smtp
1571#####################################################
1572
1573### transport/30_exim4-config_remote_smtp
1574#################################
1575# This transport is used for delivering messages over SMTP connections.
1576
1577remote_smtp:
1578 debug_print = "T: remote_smtp for $local_part@$domain"
1579 driver = smtp
1580.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
1581 hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
1582.endif
1583.ifdef REMOTE_SMTP_HEADERS_REWRITE
1584 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1585.endif
1586.ifdef REMOTE_SMTP_RETURN_PATH
1587 return_path = REMOTE_SMTP_RETURN_PATH
1588.endif
1589.ifdef REMOTE_SMTP_HELO_FROM_DNS
1590 helo_data=REMOTE_SMTP_HELO_DATA
1591.endif
1592#####################################################
1593### end transport/30_exim4-config_remote_smtp
1594#####################################################
1595#####################################################
1596### transport/30_exim4-config_remote_smtp_smarthost
1597#####################################################
1598
1599### transport/30_exim4-config_remote_smtp_smarthost
1600#################################
1601
1602# This transport is used for delivering messages over SMTP connections
1603# to a smarthost. The local host tries to authenticate.
1604# This transport is used for smarthost and satellite configurations.
1605
1606remote_smtp_smarthost:
1607 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
1608 driver = smtp
1609 hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
1610 {\
1611 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
1612 }\
1613 {} \
1614 }
1615.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1616 hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1617.endif
1618.ifdef REMOTE_SMTP_HEADERS_REWRITE
1619 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1620.endif
1621.ifdef REMOTE_SMTP_RETURN_PATH
1622 return_path = REMOTE_SMTP_RETURN_PATH
1623.endif
1624.ifdef REMOTE_SMTP_HELO_FROM_DNS
1625 helo_data=REMOTE_SMTP_HELO_DATA
1626.endif
1627#####################################################
1628### end transport/30_exim4-config_remote_smtp_smarthost
1629#####################################################
1630#####################################################
1631### transport/35_exim4-config_address_directory
1632#####################################################
1633# This transport is used for handling file addresses generated by alias
1634# or .forward files if the path ends in "/", which causes it to be treated
1635# as a directory name rather than a file name.
1636
1637address_directory:
1638 debug_print = "T: address_directory for $local_part@$domain"
1639 driver = appendfile
1640 delivery_date_add
1641 envelope_to_add
1642 return_path_add
1643 check_string = ""
1644 escape_string = ""
1645 maildir_format
1646
1647#####################################################
1648### end transport/35_exim4-config_address_directory
1649#####################################################
1650#####################################################
1651### retry/00_exim4-config_header
1652#####################################################
1653
1654######################################################################
1655# RETRY CONFIGURATION #
1656######################################################################
1657
1658begin retry
1659
1660#####################################################
1661### end retry/00_exim4-config_header
1662#####################################################
1663#####################################################
1664### retry/30_exim4-config
1665#####################################################
1666
1667### retry/30_exim4-config
1668#################################
1669
1670# This single retry rule applies to all domains and all errors. It specifies
1671# retries every 15 minutes for 2 hours, then increasing retry intervals,
1672# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
1673# hours, then retries every 6 hours until 4 days have passed since the first
1674# failed delivery.
1675
1676# Please note that these rules only limit the frequenzy of retries, the
1677# effective retry-time depends on the frequenzy of queue-running, too.
1678# See QUEUEINTERVAL in /etc/default/exim4.
1679
1680# Address or Domain Error Retries
1681# ----------------- ----- -------
1682
1683* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
1684
1685#####################################################
1686### end retry/30_exim4-config
1687#####################################################
1688#####################################################
1689### rewrite/00_exim4-config_header
1690#####################################################
1691
1692######################################################################
1693# REWRITE CONFIGURATION #
1694######################################################################
1695
1696begin rewrite
1697
1698#####################################################
1699### end rewrite/00_exim4-config_header
1700#####################################################
1701#####################################################
1702### rewrite/31_exim4-config_rewriting
1703#####################################################
1704
1705### rewrite/31_exim4-config_rewriting
1706#################################
1707
1708# This rewriting rule is particularily useful for dialup users who
1709# don't have their own domain, but could be useful for anyone.
1710# It looks up the real address of all local users in a file
1711.ifndef NO_EAA_REWRITE_REWRITE
1712*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
1713 {$value}fail}" Ffrs
1714# identical rewriting rule for /etc/mailname
1715*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
1716 {$value}fail}" Ffrs
1717.endif
1718
1719
1720#####################################################
1721### end rewrite/31_exim4-config_rewriting
1722#####################################################
1723#####################################################
1724### auth/00_exim4-config_header
1725#####################################################
1726
1727######################################################################
1728# AUTHENTICATION CONFIGURATION #
1729######################################################################
1730
1731begin authenticators
1732
1733
1734#####################################################
1735### end auth/00_exim4-config_header
1736#####################################################
1737#####################################################
1738### auth/30_exim4-config_examples
1739#####################################################
1740
1741### auth/30_exim4-config_examples
1742#################################
1743
1744# The examples below are for server side authentication, when the
1745# local exim is SMTP server and clients authenticate to the local exim.
1746
1747# They allow two styles of plain-text authentication against an
1748# CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
1749
1750# Hosts that are allowed to use AUTH are defined by the
1751# auth_advertise_hosts option in the main configuration. The default is
1752# "*", which allows authentication to all hosts over all kinds of
1753# connections if there is at least one authenticator defined here.
1754# Authenticators which rely on unencrypted clear text passwords don't
1755# advertise on unencrypted connections by default. Thus, it might be
1756# wise to set up TLS to allow encrypted connections. If TLS cannot be
1757# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
1758# advertise unencrypted clear text password based authenticators on all
1759# connections. As this is severely reducing security, using TLS is
1760# preferred over allowing clear text password based authenticators on
1761# unencrypted connections.
1762
1763# PLAIN authentication has no server prompts. The client sends its
1764# credentials in one lump, containing an authorization ID (which we do not
1765# use), an authentication ID, and a password. The latter two appear as
1766# $auth2 and $auth3 in the configuration and should be checked against a
1767# valid username and password. In a real configuration you would typically
1768# use $auth2 as a lookup key, and compare $auth3 against the result of the
1769# lookup, perhaps using the crypteq{}{} condition.
1770
1771# plain_server:
1772# driver = plaintext
1773# public_name = PLAIN
1774# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
1775# server_set_id = $auth2
1776# server_prompts = :
1777# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1778# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1779# .endif
1780
1781# LOGIN authentication has traditional prompts and responses. There is no
1782# authorization ID in this mechanism, so unlike PLAIN the username and
1783# password are $auth1 and $auth2. Apart from that you can use the same
1784# server_condition setting for both authenticators.
1785
1786# login_server:
1787# driver = plaintext
1788# public_name = LOGIN
1789# server_prompts = "Username:: : Password::"
1790# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
1791# server_set_id = $auth1
1792# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1793# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1794# .endif
1795#
1796# cram_md5_server:
1797# driver = cram_md5
1798# public_name = CRAM-MD5
1799# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
1800# server_set_id = $auth1
1801
1802# Here is an example of CRAM-MD5 authentication against PostgreSQL:
1803#
1804# psqldb_auth_server:
1805# driver = cram_md5
1806# public_name = CRAM-MD5
1807# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
1808# server_set_id = $auth1
1809
1810# Authenticate against local passwords using sasl2-bin
1811# Requires exim_uid to be a member of sasl group, see README.Debian.gz
1812# plain_saslauthd_server:
1813# driver = plaintext
1814# public_name = PLAIN
1815# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
1816# server_set_id = $auth2
1817# server_prompts = :
1818# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1819# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1820# .endif
1821#
1822# login_saslauthd_server:
1823# driver = plaintext
1824# public_name = LOGIN
1825# server_prompts = "Username:: : Password::"
1826# # don't send system passwords over unencrypted connections
1827# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
1828# server_set_id = $auth1
1829# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1830# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1831# .endif
1832#
1833# ntlm_sasl_server:
1834# driver = cyrus_sasl
1835# public_name = NTLM
1836# server_realm = <short main hostname>
1837# server_set_id = $auth1
1838# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1839# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1840# .endif
1841#
1842# digest_md5_sasl_server:
1843# driver = cyrus_sasl
1844# public_name = DIGEST-MD5
1845# server_realm = <short main hostname>
1846# server_set_id = $auth1
1847# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1848# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1849# .endif
1850
1851# Authentcate against cyrus-sasl
1852# This is mainly untested, please report any problems to
1853# pkg-exim4-users@lists.alioth.debian.org.
1854# cram_md5_sasl_server:
1855# driver = cyrus_sasl
1856# public_name = CRAM-MD5
1857# server_realm = <short main hostname>
1858# server_set_id = $auth1
1859#
1860# plain_sasl_server:
1861# driver = cyrus_sasl
1862# public_name = PLAIN
1863# server_realm = <short main hostname>
1864# server_set_id = $auth1
1865# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1866# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1867# .endif
1868#
1869# login_sasl_server:
1870# driver = cyrus_sasl
1871# public_name = LOGIN
1872# server_realm = <short main hostname>
1873# server_set_id = $auth1
1874# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1875# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1876# .endif
1877
1878# Authenticate against courier authdaemon
1879
1880# This is now the (working!) example from
1881# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
1882# Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
1883# plain_courier_authdaemon:
1884# driver = plaintext
1885# public_name = PLAIN
1886# server_condition = \
1887# ${extract {ADDRESS} \
1888# {${readsocket{/var/run/courier/authdaemon/socket} \
1889# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
1890# {yes} \
1891# fail}
1892# server_set_id = $auth2
1893# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1894# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1895# .endif
1896
1897# login_courier_authdaemon:
1898# driver = plaintext
1899# public_name = LOGIN
1900# server_prompts = Username:: : Password::
1901# server_condition = \
1902# ${extract {ADDRESS} \
1903# {${readsocket{/var/run/courier/authdaemon/socket} \
1904# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
1905# {yes} \
1906# fail}
1907# server_set_id = $auth1
1908# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1909# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1910# .endif
1911
1912# This one is a bad hack to support the broken version 4.xx of
1913# Microsoft Outlook Express which violates the RFCs by demanding
1914# "250-AUTH=" instead of "250-AUTH ".
1915# If your list of offered authenticators is other than PLAIN and LOGIN,
1916# you need to adapt the public_name line manually.
1917# It has to be the last authenticator to work and has not been tested
1918# well. Use at your own risk.
1919# See the thread entry point from
1920# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
1921# for the related discussion on the exim-users mailing list.
1922# Thanks to Fred Viles for this great work.
1923
1924# support_broken_outlook_express_4_server:
1925# driver = plaintext
1926# public_name = "\r\n250-AUTH=PLAIN LOGIN"
1927# server_prompts = User Name : Password
1928# server_condition = no
1929# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1930# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1931# .endif
1932
1933##############
1934# See /usr/share/doc/exim4-base/README.Debian.gz
1935##############
1936
1937# These examples below are the equivalent for client side authentication.
1938# They get the passwords from CONFDIR/passwd.client, whose format is
1939# defined in exim4_passwd_client(5)
1940
1941# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
1942# only allow these mechanisms over encrypted connections by default.
1943# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
1944# clear text password authentication on all connections.
1945
1946cram_md5:
1947 driver = cram_md5
1948 public_name = CRAM-MD5
1949 client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
1950 client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
1951
1952# this returns the matching line from passwd.client and doubles all ^
1953PASSWDLINE=${sg{\
1954 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
1955 }\
1956 {\\N[\\^]\\N}\
1957 {^^}\
1958 }
1959
1960plain:
1961 driver = plaintext
1962 public_name = PLAIN
1963.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
1964 client_send = "<; ${if !eq{$tls_cipher}{}\
1965 {^${extract{1}{:}{PASSWDLINE}}\
1966 ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
1967 }fail}"
1968.else
1969 client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
1970 ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1971.endif
1972
1973login:
1974 driver = plaintext
1975 public_name = LOGIN
1976.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
1977 # Return empty string if not non-TLS AND looking up $host in passwd-file
1978 # yields a non-empty string; fail otherwise.
1979 client_send = "<; ${if and{\
1980 {!eq{$tls_cipher}{}}\
1981 {!eq{PASSWDLINE}{}}\
1982 }\
1983 {}fail}\
1984 ; ${extract{1}{::}{PASSWDLINE}}\
1985 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1986.else
1987 # Return empty string if looking up $host in passwd-file yields a
1988 # non-empty string; fail otherwise.
1989 client_send = "<; ${if !eq{PASSWDLINE}{}\
1990 {}fail}\
1991 ; ${extract{1}{::}{PASSWDLINE}}\
1992 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1993.endif
1994#####################################################
1995### end auth/30_exim4-config_examples
1996#####################################################