-
Notifications
You must be signed in to change notification settings - Fork 0
/
exim.conf
603 lines (465 loc) · 24.1 KB
/
exim.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
primary_hostname = FQDN
exim_user = UID
exim_group = GID
spool_directory = SPOOL
#log_file_path = ./exim-spool/log/%slog
#process_log_path = ./exim-spool/exim-process.info
# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
domainlist local_domains = FQDN : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
.ifdef _HAVE_PRDR
acl_smtp_data_prdr = acl_check_prdr
.endif
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
# Allow any client to use TLS.
tls_advertise_hosts = *
# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.
tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
# The standard port for this purpose is port 587, the "message submission"
# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
# talk the message submission protocol correctly, so if you need to support
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
#daemon_smtp_ports = 25 : 465 : 587
#tls_on_connect_ports = 465
daemon_smtp_ports = 2525
never_users =
host_lookup = *
# Do not allow authentication
auth_advertise_hosts =
# Enable an efficiency feature. We advertise the feature; clients
# may request to use it. For multi-recipient mails we then can
# reject or accept per-user after the message is received.
# This supports recipient-dependent content filtering; without it
# you have to temp-reject any recipients after the first that have
# incompatible filtering, and do the filtering in the data ACL.
# Even with this enabled, you must support the old style for peers
# not flagging support for PRDR (visible via $prdr_requested).
#
.ifdef _HAVE_PRDR
prdr_enable = true
.endif
# Unless you run a high-volume site you probably want more logging
# detail than the default. Adjust to suit.
log_selector = +smtp_protocol_error +smtp_syntax_error \
+tls_certificate_verified +all
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
keep_environment = ^LDAP
add_environment = PATH=/usr/bin::/bin
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# This access control list is used for the MAIL command in an incoming
# SMTP message.
acl_check_mail:
# Hosts are required to say HELO (or EHLO) before sending mail.
# So don't allow them to use the MAIL command if they haven't
# done so.
deny condition = ${if eq{$sender_helo_name}{} {1}}
message = Nice boys say HELO first
# Use the lack of reverse DNS to trigger greylisting. Some people
# even reject for it but that would be a little excessive.
warn condition = ${if eq{$sender_host_name}{} {1}}
set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
accept
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
control = dkim_disable_verify
control = dmarc_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. The line "domains = +local_domains" restricts it to domains that are
# defined by the "domainlist local_domains" setting above. The rule blocks
# local parts that begin with a dot or contain @ % ! / or |. If you have
# local accounts that include these characters, you will have to modify this
# rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# The second rule applies to all other domains, and is less strict. The line
# "domains = !+local_domains" restricts it to domains that are NOT defined by
# the "domainlist local_domains" setting above. The exclamation mark is a
# negating operator. This rule allows your own users to send outgoing
# messages to sites that use slashes and vertical bars in their local parts.
# It blocks local parts that begin with a dot, slash, or vertical bar, but
# allows these characters within the local part. However, the sequence /../
# is barred. The use of @ % and ! is blocked, as before. The motivation here
# is to prevent your users (or your users' viruses) from mounting certain
# kinds of attack on remote sites.
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be routed. For proper verification of the
# address, read the documentation on callouts and add the /callout modifier.
require verify = sender
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
# submission. It will fix up various errors in the message, for example, the
# lack of a Date: header line. If you are actually relaying out out from
# MTAs, you may want to disable this. If you are handling both relaying from
# MTAs and submissions from MUAs you should probably split them into two
# lists, and handle them differently.
# Recipient verification is omitted here, because in many cases the clients
# are dumb MUAs that don't cope well with SMTP error responses. If you are
# actually relaying out from MTAs, you should probably add recipient
# verification here.
# Note that, by putting this test before any DNS black list checks, you will
# always accept from these hosts, even if they end up on a black list. The
# assumption is that they are your friends, and if they get onto a black
# list, it is a mistake.
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
control = dmarc_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted, and submission mode is set. And again, we do this
# check before any black list tests.
accept authenticated = *
control = submission
control = dkim_disable_verify
control = dmarc_disable_verify
# Insist that a HELO/EHLO was accepted.
require message = nice hosts say HELO first
condition = ${if def:sender_helo_name}
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# do local part verification for local domains, but only check the domain
# for remote domains. The only way to check local parts for the remote
# relay domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
require verify = recipient
#############################################################################
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
# point. The first one denies, whereas the second just warns. The third
# triggers greylisting for any host in the blacklist.
#
# deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
#
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
#
# warn dnslists = black.list.example
# set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
#
#############################################################################
#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# Client SMTP Authorization (csa) checks on the sending host. These checks
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
# an Internet draft. You can, of course, add additional conditions to this
# ACL statement to restrict the CSA checks to certain hosts only.
#
# require verify = csa
#############################################################################
#############################################################################
# If doing per-user content filtering then recipients with filters different
# to the first recipient must be deferred unless the sender talks PRDR.
#
# defer !condition = $prdr_requested
# condition = ${if > {0}{$receipients_count}}
# condition = ${if !eq {$acl_m_content_filter} \
# {${lookup PER_RCPT_CONTENT_FILTER}}}
# warn !condition = $prdr_requested
# condition = ${if > {0}{$receipients_count}}
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
# Alternatively, greylist for it:
# warn !verify = csa
# set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
accept
# This ACL is used once per recipient, for multi-recipient messages, if
# we advertised PRDR. It can be used to perform receipient-dependent
# header- and body- based filtering and rejections.
# We set a variable to record that PRDR was active used, so that checking
# in the data ACL can be skipped.
.ifdef _HAVE_PRDR
acl_check_prdr:
warn set acl_m_did_prdr = y
#############################################################################
# do lookup on filtering, with $local_part@$domain, deny on filter match
#
# deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
# condition = ...
#############################################################################
accept
.endif
# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.
# Some suggested ways of configuring these tests are shown below, commented
# out. Without any tests, this ACL accepts all messages. If you want to use
# such tests, you must ensure that Exim is compiled with the content-scanning
# extension (WITH_CONTENT_SCAN=yes in Local/Makefile).
acl_check_data:
# Deny if the message contains an overlong line. Per the standards
# we should never receive one such via SMTP.
#
deny condition = ${if > {$max_received_linelength}{998}}
message = maximum allowed line length is 998 octets, \
got $max_received_linelength
# Deny if the headers contain badly-formed addresses.
#
deny !verify = header_syntax
message = header syntax
log_message = header syntax ($acl_verify_message)
# Put simple tests first. A good one is to check for the presence of a
# Message-Id: header, which RFC2822 says SHOULD be present. Some broken
# or misconfigured mailer software occasionally omits this from genuine
# messages too, though -- although it's not hard for the offender to fix
# after they receive a bounce because of it.
#
# deny condition = ${if !def:h_Message-ID: {1}}
# message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
# Most messages without it are spam, so your mail has been rejected.
#
# Alternatively if we're feeling more lenient we could just use it to
# trigger greylisting instead:
warn condition = ${if !def:h_Message-ID: {1}}
set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
# Bypass SpamAssassin checks if the message is too large.
#
# accept condition = ${if >={$message_size}{100000} {1}}
# add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
#############################################################################
# No more tests if PRDR was actively used.
# accept condition = ${if def:acl_m_did_prdr}
#
# To get here, all message recipients must have identical per-user
# content filtering (enforced by RCPT ACL). Do lookup for filter
# and deny on match.
#
# deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
# condition = ...
#############################################################################
# Run SpamAssassin, but allow for it to fail or time out. Add a warning message
# and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
# score exceeds the SA system threshold.
#
# warn spam = nobody/defer_ok
# add_header = X-Spam-Flag: YES
#
# accept condition = ${if !def:spam_score_int {1}}
# add_header = X-Spam-Note: SpamAssassin invocation failed
#
# Unconditionally add score and report headers
#
# warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
# X-Spam-Report: $spam_report
# And reject if the SpamAssassin score is greater than ten
#
# deny condition = ${if >{$spam_score_int}{100} {1}}
# message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
# $spam_report
# Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
#
# warn condition = ${if >{$spam_score_int}{5} {1}}
# set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
# If you want to greylist _all_ mail rather than only mail which looks like there
# might be something wrong with it, then you can do this...
#
# warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
# Now, invoke the greylisting. For this you need to have installed the exim-greylist
# package which contains this subroutine, and you need to uncomment the bit below
# which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
# greylisting will kick in and will defer the mail to check if the sender is a
# proper mail which which retries, or whether it's a zombie. For more details, see
# the exim-greylist.conf.inc file itself.
#
# require acl = greylist_mail
accept
# To enable the greylisting, also uncomment this line:
# .include /etc/exim/exim-greylist.conf.inc
acl_check_mime:
# File extension filtering.
deny message = Blacklisted file extension detected
condition = ${if match \
{${lc:$mime_filename}} \
{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
{1}{0}}
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
no_more
route_nimnews:
driver = manualroute
domains = +local_domains
route_list = * LMTP_HOST::LMTP_PORT byname
transport = transport_nimnews
self = send
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# A transport is used only when referenced from a router that successfully
# handles an address.
begin transports
transport_nimnews:
driver = smtp
protocol = lmtp
port = LMTP_PORT
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
# WARNING: If you do not have any retry rules at all (this section of the
# configuration is non-existent or empty), Exim will not do any retries of
# messages that fail to get delivered at the first attempt. The effect will
# be to treat temporary errors as permanent. Therefore, DO NOT remove this
# retry rule unless you really don't want any retries.
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
# This authenticator supports CRAM-MD5 username/password authentication
# with Exim acting as a _client_, as it might when sending its outgoing
# mail to a smarthost rather than directly to the final recipient.
# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
#client_auth:
# driver = cram_md5
# public_name = CRAM-MD5
# client_name = SMTPAUTH_USERNAME
# client_secret = SMTPAUTH_PASSWORD
#
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
# PLAIN and LOGIN are enough to support most MUA software.
#
# These authenticators are not complete: you need to change the
# server_condition settings to specify how passwords are verified.
# They are set up to offer authentication to the client only if the
# connection is encrypted with TLS, so you also need to add support
# for TLS. See the global configuration options section at the start
# of this file for more about TLS.
#
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
#
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.
#PLAIN:
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.
#LOGIN:
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.
# begin local_scan
# End of Exim configuration file