1 #####################################################
2 ### main/01_exim4-config_listmacrosdefs
3 #####################################################
4 ######################################################################
5 # Runtime configuration file for Exim 4 (Debian Packaging) #
6 ######################################################################
8 ######################################################################
9 # /etc/exim4/exim4.conf.template is only used with the non-split
10 # configuration scheme.
11 # /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
12 # with the split configuration scheme.
13 # If you find this comment anywhere else, somebody copied it there.
14 # Documentation about the Debian exim4 configuration scheme can be
15 # found in /usr/share/doc/exim4-base/README.Debian.gz.
16 ######################################################################
18 ######################################################################
19 # MAIN CONFIGURATION SETTINGS #
20 ######################################################################
22 # Just for reference and scripts.
23 # On Debian systems, the main binary is installed as exim4 to avoid
24 # conflicts with the exim 3 packages.
25 exim_path = /usr/sbin/exim4
27 # Macro defining the main configuration directory.
28 # We do not use absolute paths.
33 # debconf-driven macro definitions get inserted after this line
34 UPEX4CmacrosUPEX4C = 1
36 # Create domain and host lists for relay control
37 # '@' refers to 'the name of the local host'
39 # List of domains considered local for exim. Domains not listed here
40 # need to be deliverable remotely.
41 domainlist local_domains = MAIN_LOCAL_DOMAINS
43 # List of recipient domains to relay _to_. Use this list if you're -
44 # for example - fallback MX or mail gateway for domains.
45 domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
47 # List of sender networks (IP addresses) to _unconditionally_ relay
48 # _for_. If you intend to be SMTP AUTH server, you do not need to enter
50 hostlist relay_from_hosts = MAIN_RELAY_NETS
53 # Decide which domain to use to add to all unqualified addresses.
54 # If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
55 # hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
56 # of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
57 # the first line of /etc/mailname is used.
58 .ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
59 .ifndef MAIN_QUALIFY_DOMAIN
60 qualify_domain = ETC_MAILNAME
62 qualify_domain = MAIN_QUALIFY_DOMAIN
66 # listen on all all interfaces?
67 .ifdef MAIN_LOCAL_INTERFACES
68 local_interfaces = MAIN_LOCAL_INTERFACES
71 .ifndef LOCAL_DELIVERY
72 # The default transport, set in /etc/exim4/update-exim4.conf.conf,
73 # defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
74 LOCAL_DELIVERY=mail_spool
77 # The gecos field in /etc/passwd holds not only the name. see passwd(5).
78 gecos_pattern = ^([^,:]*)
81 # define macros to be used in acl/30_exim4-config_check_rcpt to check
82 # recipient local parts for strange characters.
84 # This macro definition really should be in
85 # acl/30_exim4-config_check_rcpt but cannot be there due to
86 # http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
88 # These macros are documented in acl/30_exim4-config_check_rcpt,
89 # can be changed here or overridden by a locally added configuration
90 # file as described in README.Debian chapter 2.1.2
92 .ifndef CHECK_RCPT_LOCAL_LOCALPARTS
93 CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
96 .ifndef CHECK_RCPT_REMOTE_LOCALPARTS
97 CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
100 # always log tls_peerdn as we use TLS for outgoing connects by default
101 .ifndef MAIN_LOG_SELECTOR
102 MAIN_LOG_SELECTOR = +tls_peerdn
104 #####################################################
105 ### end main/01_exim4-config_listmacrosdefs
106 #####################################################
107 #####################################################
108 ### main/02_exim4-config_options
109 #####################################################
111 ### main/02_exim4-config_options
112 #################################
115 # Defines the access control list that is run when an
116 # SMTP MAIL command is received.
118 .ifndef MAIN_ACL_CHECK_MAIL
119 MAIN_ACL_CHECK_MAIL = acl_check_mail
121 acl_smtp_mail = MAIN_ACL_CHECK_MAIL
124 # Defines the access control list that is run when an
125 # SMTP RCPT command is received.
127 .ifndef MAIN_ACL_CHECK_RCPT
128 MAIN_ACL_CHECK_RCPT = acl_check_rcpt
130 acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT
133 # Defines the access control list that is run when an
134 # SMTP DATA command is received.
136 .ifndef MAIN_ACL_CHECK_DATA
137 MAIN_ACL_CHECK_DATA = acl_check_data
139 acl_smtp_data = MAIN_ACL_CHECK_DATA
142 # Message size limit. The default (used when MESSAGE_SIZE_LIMIT
144 .ifdef MESSAGE_SIZE_LIMIT
145 message_size_limit = MESSAGE_SIZE_LIMIT
149 # If you are running exim4-daemon-heavy or a custom version of Exim that
150 # was compiled with the content-scanning extension, you can cause incoming
151 # messages to be automatically scanned for viruses. You have to modify the
152 # configuration in two places to set this up. The first of them is here,
153 # where you define the interface to your scanner. This example is typical
154 # for ClamAV; see the manual for details of what to set for other virus
155 # scanners. The second modification is in the acl_check_data access
158 # av_scanner = clamd:/tmp/clamd
161 # For spam scanning, there is a similar option that defines the interface to
162 # SpamAssassin. You do not need to set this if you are using the default, which
163 # is shown in this commented example. As for virus scanning, you must also
164 # modify the acl_check_data access control list to enable spam scanning.
166 # spamd_address = 127.0.0.1 783
168 # Domain used to qualify unqualified recipient addresses
169 # If this option is not set, the qualify_domain value is used.
170 # qualify_recipient = <value of qualify_domain>
173 # Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
174 # where the domain part is a "domain literal" (an IP address) instead
175 # of a named domain. The RFCs require this facility, but it is disabled
176 # in the default config since it is seldomly used and frequently abused.
177 # Domain literal support also needs a special router, which is automatically
178 # enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
179 # Additionally, you might want to make your local IP addresses (or @[])
181 .ifdef MAIN_ALLOW_DOMAIN_LITERALS
182 allow_domain_literals
186 # Do a reverse DNS lookup on all incoming IP calls, in order to get the
187 # true host name. If you feel this is too expensive, the networks for
188 # which a lookup is done can be listed here.
189 .ifndef DC_minimaldns
190 .ifndef MAIN_HOST_LOOKUP
193 host_lookup = MAIN_HOST_LOOKUP
197 # In a minimaldns setup, update-exim4.conf guesses the hostname and
198 # dumps it here to avoid DNS lookups being done at Exim run time.
199 .ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
200 primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
203 # The settings below, which are actually the same as the defaults in the
204 # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
205 # calls. You can limit the hosts to which these calls are made, and/or change
206 # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
207 # are disabled. RFC 1413 calls are cheap and can provide useful information
208 # for tracing problem messages, but some hosts and firewalls are
209 # misconfigured to drop the requests instead of either answering or
210 # rejecting them. This can result in a timeout instead of an immediate refused
211 # connection, leading to delays on starting up SMTP sessions. (The default was
212 # reduced from 30s to 5s for release 4.61.)
214 # rfc1413_query_timeout = 5s
216 # When using an external relay tester (such as rt.njabl.org and/or the
217 # currently defunct relay-test.mail-abuse.org, the test may be aborted
218 # since exim complains about "too many nonmail commands". If you want
219 # the test to complete, add the host from where "your" relay tester
220 # connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
221 # Please note that a non-empty setting may cause extra DNS lookups to
222 # happen, which is the reason why this option is commented out in the
224 # MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
225 .ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
226 smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
229 # By default, exim forces a Sender: header containing the local
230 # account name at the local host name in all locally submitted messages
231 # that don't have the local account name at the local host name in the
232 # From: header, deletes any Sender: header present in the submitted
233 # message and forces the envelope sender of all locally submitted
234 # messages to the local account name at the local host name.
235 # The following settings allow local users to specify their own envelope sender
236 # in a locally submitted message. Sender: headers existing in a locally
237 # submitted message are not removed, and no automatic Sender: headers
238 # are added. These settings are fine for most hosts.
239 # If you run exim on a classical multi-user systems where all users
240 # have local mailboxes that can be reached via SMTP from the Internet
241 # with the local FQDN as the domain part of the address, you might want
242 # to disable the following three lines for traceability reasons.
243 .ifndef MAIN_FORCE_SENDER
244 local_from_check = false
245 local_sender_retain = true
246 untrusted_set_sender = *
250 # By default, Exim expects all envelope addresses to be fully qualified, that
251 # is, they must contain both a local part and a domain. Configure exim
252 # to accept unqualified addresses from certain hosts. When this is done,
253 # unqualified addresses are qualified using the settings of qualify_domain
254 # and/or qualify_recipient (see above).
255 # sender_unqualified_hosts = <unset>
256 # recipient_unqualified_hosts = <unset>
259 # Configure Exim to support the "percent hack" for certain domains.
260 # The "percent hack" is the feature by which mail addressed to x%y@z
261 # (where z is one of the domains listed) is locally rerouted to x@y
262 # and sent on. If z is not one of the "percent hack" domains, x%y is
263 # treated as an ordinary local part. The percent hack is rarely needed
264 # nowadays but frequently abused. You should not enable it unless you
265 # are sure that you really need it.
266 # percent_hack_domains = <unset>
270 .ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
271 MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
273 ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER
275 .ifndef MAIN_TIMEOUT_FROZEN_AFTER
276 MAIN_TIMEOUT_FROZEN_AFTER = 7d
278 timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER
280 .ifndef MAIN_FREEZE_TELL
281 MAIN_FREEZE_TELL = postmaster
283 freeze_tell = MAIN_FREEZE_TELL
286 # Define spool directory
288 SPOOLDIR = /var/spool/exim4
290 spool_directory = SPOOLDIR
293 # trusted users can set envelope-from to arbitrary values
294 .ifndef MAIN_TRUSTED_USERS
295 MAIN_TRUSTED_USERS = uucp
297 trusted_users = MAIN_TRUSTED_USERS
298 .ifdef MAIN_TRUSTED_GROUPS
299 trusted_groups = MAIN_TRUSTED_GROUPS
303 # users in admin group can do many other things
304 # admin_groups = <unset>
307 # SMTP Banner. The example includes the Debian version in the SMTP dialog
308 # MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
309 # smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
310 #####################################################
311 ### end main/02_exim4-config_options
312 #####################################################
313 #####################################################
314 ### main/03_exim4-config_tlsoptions
315 #####################################################
317 ### main/03_exim4-config_tlsoptions
318 #################################
320 # TLS/SSL configuration for exim as an SMTP server.
321 # See /usr/share/doc/exim4-base/README.Debian.gz for explanations.
323 .ifdef MAIN_TLS_ENABLE
324 # Defines what hosts to 'advertise' STARTTLS functionality to. The
325 # default, *, will advertise to all hosts that connect with EHLO.
326 .ifndef MAIN_TLS_ADVERTISE_HOSTS
327 MAIN_TLS_ADVERTISE_HOSTS = *
329 tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
332 # Full paths to Certificate and Private Key. The Private Key file
333 # must be kept 'secret' and should be owned by root.Debian-exim mode
334 # 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
335 # Normally, exim4 looks for certificate and key in different files:
336 # MAIN_TLS_CERTIFICATE - path to certificate file,
337 # CONFDIR/exim.crt if unset
338 # MAIN_TLS_PRIVATEKEY - path to private key file
339 # CONFDIR/exim.key if unset
340 # You can also configure exim to look for certificate and key in the
341 # same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
342 # precedence over all other settings regarding certificate and key file.
343 .ifdef MAIN_TLS_CERTKEY
344 tls_certificate = MAIN_TLS_CERTKEY
346 .ifndef MAIN_TLS_CERTIFICATE
347 MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
349 tls_certificate = MAIN_TLS_CERTIFICATE
351 .ifndef MAIN_TLS_PRIVATEKEY
352 MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
354 tls_privatekey = MAIN_TLS_PRIVATEKEY
357 # Pointer to the CA Certificates against which client certificates are
358 # checked. This is controlled by the `tls_verify_hosts' and
359 # `tls_try_verify_hosts' lists below.
360 # If you want to check server certificates, you need to add an
361 # tls_verify_certificates statement to the smtp transport.
362 # /etc/ssl/certs/ca-certificates.crt is generated by
363 # the "ca-certificates" package's update-ca-certificates(8) command.
364 .ifndef MAIN_TLS_VERIFY_CERTIFICATES
365 MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
366 {/etc/ssl/certs/ca-certificates.crt}\
369 tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
372 # A list of hosts which are constrained by `tls_verify_certificates'. A host
373 # that matches `tls_verify_host' must present a certificate that is
374 # verifyable through `tls_verify_certificates' in order to be accepted as an
375 # SMTP client. If it does not, the connection is aborted.
376 .ifdef MAIN_TLS_VERIFY_HOSTS
377 tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
380 # A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
381 # not `tls_verify_hosts'), request a certificate and check it against
382 # `tls_verify_certificates' but do not abort the connection if there is no
383 # certificate or if the certificate presented does not match. (This
384 # condition can be tested for in ACLs through `verify = certificate')
385 # By default, this check is done for all hosts. It is known that some
386 # clients (including incredimail's version downloadable in February
387 # 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
389 .ifndef MAIN_TLS_TRY_VERIFY_HOSTS
390 MAIN_TLS_TRY_VERIFY_HOSTS = *
392 tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
395 #####################################################
396 ### end main/03_exim4-config_tlsoptions
397 #####################################################
398 #####################################################
399 ### main/90_exim4-config_log_selector
400 #####################################################
402 ### main/90_exim4-config_log_selector
403 #################################
405 # uncomment this for debugging
406 # MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments
408 .ifdef MAIN_LOG_SELECTOR
409 log_selector = MAIN_LOG_SELECTOR
411 #####################################################
412 ### end main/90_exim4-config_log_selector
413 #####################################################
414 #####################################################
415 ### acl/00_exim4-config_header
416 #####################################################
418 ######################################################################
419 # ACL CONFIGURATION #
420 # Specifies access control lists for incoming SMTP mail #
421 ######################################################################
425 #####################################################
426 ### end acl/00_exim4-config_header
427 #####################################################
428 #####################################################
429 ### acl/20_exim4-config_local_deny_exceptions
430 #####################################################
432 ### acl/20_exim4-config_local_deny_exceptions
433 #################################
435 # This is used to determine whitelisted senders and hosts.
436 # It checks for CONFDIR/host_local_deny_exceptions and
437 # CONFDIR/sender_local_deny_exceptions.
439 # It is meant to be used from some other acl entry.
441 # See exim4-config_files(5) for details.
443 # If the files do not exist, the white list never matches, which is
444 # the desired behaviour.
446 # The old file names CONFDIR/local_host_whitelist and
447 # CONFDIR/local_sender_whitelist will continue to be honored for a
448 # transition period. Their use is deprecated.
450 acl_local_deny_exceptions:
452 hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
453 {CONFDIR/host_local_deny_exceptions}\
456 senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
457 {CONFDIR/sender_local_deny_exceptions}\
460 hosts = ${if exists{CONFDIR/local_host_whitelist}\
461 {CONFDIR/local_host_whitelist}\
464 senders = ${if exists{CONFDIR/local_sender_whitelist}\
465 {CONFDIR/local_sender_whitelist}\
468 # This hook allows you to hook in your own ACLs without having to
469 # modify this file. If you do it like we suggest, you'll end up with
470 # a small performance penalty since there is an additional file being
471 # accessed. This doesn't happen if you leave the macro unset.
472 .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
473 .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
476 # this is still supported for a transition period and is deprecated.
477 .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
478 .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
480 #####################################################
481 ### end acl/20_exim4-config_local_deny_exceptions
482 #####################################################
483 #####################################################
484 ### acl/30_exim4-config_check_mail
485 #####################################################
487 ### acl/30_exim4-config_check_mail
488 #################################
490 # This access control list is used for every MAIL command in an incoming
491 # SMTP message. The tests are run in order until the address is either
492 # accepted or denied.
495 .ifdef CHECK_MAIL_HELO_ISSUED
497 message = no HELO given before MAIL command
498 condition = ${if def:sender_helo_name {no}{yes}}
502 #####################################################
503 ### end acl/30_exim4-config_check_mail
504 #####################################################
505 #####################################################
506 ### acl/30_exim4-config_check_rcpt
507 #####################################################
509 ### acl/30_exim4-config_check_rcpt
510 #################################
512 # This access control list is used for every RCPT command in an incoming
513 # SMTP message. The tests are run in order until the address is either
514 # accepted or denied.
518 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
519 # testing for an empty sending host field.
524 # The following section of the ACL is concerned with local parts that contain
525 # certain non-alphanumeric characters. Dots in unusual places are
526 # handled by this ACL as well.
528 # Non-alphanumeric characters other than dots are rarely found in genuine
529 # local parts, but are often tried by people looking to circumvent
530 # relaying restrictions. Therefore, although they are valid in local
531 # parts, these rules disallow certain non-alphanumeric characters, as
534 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
535 # allows them because they have been encountered. (Consider local parts
536 # constructed as "firstinitial.secondinitial.familyname" when applied to
537 # a name without a second initial.) However, a local part starting
538 # with a dot or containing /../ can cause trouble if it is used as part of a
539 # file name (e.g. for a mailing list). This is also true for local parts that
540 # contain slashes. A pipe symbol can also be troublesome if the local part is
541 # incorporated unthinkingly into a shell command line.
543 # These ACL components will block recipient addresses that are valid
544 # from an RFC2822 point of view. We chose to have them blocked by
545 # default for security reasons.
547 # If you feel that your site should have less strict recipient
548 # checking, please feel free to change the default values of the macros
549 # defined in main/01_exim4-config_listmacrosdefs or override them from a
550 # local configuration file.
552 # Two different rules are used. The first one has a quite strict
553 # default, and is applied to messages that are addressed to one of the
554 # local domains handled by this host.
556 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
557 # main/01_exim4-config_listmacrosdefs:
558 # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
559 # This blocks local parts that begin with a dot or contain a quite
560 # broad range of non-alphanumeric characters.
561 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
563 domains = +local_domains
564 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
565 message = restricted characters in address
569 # The second rule applies to all other domains, and its default is
570 # considerably less strict.
572 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
573 # main/01_exim4-config_listmacrosdefs:
574 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
576 # It allows local users to send outgoing messages to sites
577 # that use slashes and vertical bars in their local parts. It blocks
578 # local parts that begin with a dot, slash, or vertical bar, but allows
579 # these characters within the local part. However, the sequence /../ is
580 # barred. The use of some other non-alphanumeric characters is blocked.
581 # Single quotes might probably be dangerous as well, but they're
582 # allowed by the default regexps to avoid rejecting mails to Ireland.
583 # The motivation here is to prevent local users (or local users' malware)
584 # from mounting certain kinds of attack on remote sites.
585 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
587 domains = !+local_domains
588 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
589 message = restricted characters in address
593 # Accept mail to postmaster in any local domain, regardless of the source,
594 # and without verifying the sender.
597 .ifndef CHECK_RCPT_POSTMASTER
598 local_parts = postmaster
600 local_parts = CHECK_RCPT_POSTMASTER
602 domains = +local_domains : +relay_to_domains
605 # Deny unless the sender address can be verified.
607 # This is disabled by default so that DNSless systems don't break. If
608 # your system can do DNS lookups without delay or cost, you might want
609 # to enable this feature.
611 # This feature does not work in smarthost and satellite setups as
612 # with these setups all domains pass verification. See spec.txt chapter
613 # 39.31 with the added information that a smarthost/satellite setup
614 # routes all non-local e-mail to the smarthost.
615 .ifdef CHECK_RCPT_VERIFY_SENDER
617 message = Sender verification failed
618 !acl = acl_local_deny_exceptions
622 # Verify senders listed in local_sender_callout with a callout.
624 # In smarthost and satellite setups, this causes the callout to be
625 # done to the smarthost. Verification will thus only be reliable if the
626 # smarthost does reject illegal addresses in the SMTP dialog.
628 !acl = acl_local_deny_exceptions
629 senders = ${if exists{CONFDIR/local_sender_callout}\
630 {CONFDIR/local_sender_callout}\
632 !verify = sender/callout
635 # Accept if the message comes from one of the hosts for which we are an
636 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
637 # so we set control=submission to make Exim treat the message as a
638 # submission. It will fix up various errors in the message, for example, the
639 # lack of a Date: header line. If you are actually relaying out out from
640 # MTAs, you may want to disable this. If you are handling both relaying from
641 # MTAs and submissions from MUAs you should probably split them into two
642 # lists, and handle them differently.
644 # Recipient verification is omitted here, because in many cases the clients
645 # are dumb MUAs that don't cope well with SMTP error responses. If you are
646 # actually relaying out from MTAs, you should probably add recipient
649 # Note that, by putting this test before any DNS black list checks, you will
650 # always accept from these hosts, even if they end up on a black list. The
651 # assumption is that they are your friends, and if they get onto black
652 # list, it is a mistake.
654 hosts = +relay_from_hosts
655 control = submission/sender_retain
658 # Accept if the message arrived over an authenticated connection, from
659 # any host. Again, these messages are usually from MUAs, so recipient
660 # verification is omitted, and submission mode is set. And again, we do this
661 # check before any black list tests.
664 control = submission/sender_retain
667 # Insist that any other recipient address that we accept is either in one of
668 # our local domains, or is in a domain for which we explicitly allow
669 # relaying. Any other domain is rejected as being unacceptable for relaying.
671 message = relay not permitted
672 domains = +local_domains : +relay_to_domains
675 # We also require all accepted addresses to be verifiable. This check will
676 # do local part verification for local domains, but only check the domain
677 # for remote domains.
682 # Verify recipients listed in local_rcpt_callout with a callout.
683 # This is especially handy for forwarding MX hosts (secondary MX or
684 # mail hubs) of domains that receive a lot of spam to non-existent
685 # addresses. The only way to check local parts for remote relay
686 # domains is to use a callout (add /callout), but please read the
687 # documentation about callouts before doing this.
689 !acl = acl_local_deny_exceptions
690 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
691 {CONFDIR/local_rcpt_callout}\
693 !verify = recipient/callout
696 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
697 # should have their access denied to the local host. Incoming messages
698 # with one of these senders are rejected at RCPT time.
700 # The explicit white lists are honored as well as negative items in
701 # the black list. See exim4-config_files(5) for details.
703 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
704 !acl = acl_local_deny_exceptions
705 senders = ${if exists{CONFDIR/local_sender_blacklist}\
706 {CONFDIR/local_sender_blacklist}\
710 # deny bad sites (IP address)
711 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
712 # and networks (CIDR notation) that should have their access denied to
713 # The local host. Messages coming in from a listed host will have all
714 # RCPT statements rejected.
716 # The explicit white lists are honored as well as negative items in
717 # the black list. See exim4-config_files(5) for details.
719 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
720 !acl = acl_local_deny_exceptions
721 hosts = ${if exists{CONFDIR/local_host_blacklist}\
722 {CONFDIR/local_host_blacklist}\
726 # Warn if the sender host does not have valid reverse DNS.
728 # If your system can do DNS lookups without delay or cost, you might want
730 # If sender_host_address is defined, it's a remote call. If
731 # sender_host_name is not defined, then reverse lookup failed. Use
732 # this instead of !verify = reverse_host_lookup to catch deferrals
733 # as well as outright failures.
734 .ifdef CHECK_RCPT_REVERSE_DNS
736 message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
737 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
742 # Use spfquery to perform a pair of SPF checks (for details, see
743 # http://www.openspf.org/)
745 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
746 # enable if that's an issue. Also note that if you enable this, you must
747 # install "libmail-spf-query-perl" which provides the spfquery command.
748 # Missing libmail-spf-query-perl will trigger the "Unexpected error in
749 # SPF check" warning.
750 .ifdef CHECK_RCPT_SPF
752 message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
753 Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
754 log_message = SPF check failed.
755 !acl = acl_local_deny_exceptions
756 condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
757 {no}{${if eq {$runrc}{1}{yes}{no}}}}
760 message = Temporary DNS error while checking SPF record. Try again later.
761 condition = ${if eq {$runrc}{5}{yes}{no}}
764 message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
765 {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
766 condition = ${if <={$runrc}{6}{yes}{no}}
769 log_message = Unexpected error in SPF check.
770 condition = ${if >{$runrc}{6}{yes}{no}}
772 # Support for best-guess (see http://www.openspf.org/developers-guide.html)
774 message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
775 {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
776 {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
777 condition = ${if <={$runrc}{6}{yes}{no}}
780 message = Temporary DNS error while checking SPF record. Try again later.
781 condition = ${if eq {$runrc}{5}{yes}{no}}
785 # Check against classic DNS "black" lists (DNSBLs) which list
786 # sender IP addresses
787 .ifdef CHECK_RCPT_IP_DNSBLS
789 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
790 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
791 dnslists = CHECK_RCPT_IP_DNSBLS
795 # Check against DNSBLs which list sender domains, with an option to locally
796 # whitelist certain domains that might be blacklisted.
798 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
799 # "/$sender_address_domain" after each domain. For example:
800 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
801 # : rhsbl.bar.org/$sender_address_domain
802 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
804 message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
805 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
806 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
807 {CONFDIR/local_domain_dnsbl_whitelist}\
809 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
813 # This hook allows you to hook in your own ACLs without having to
814 # modify this file. If you do it like we suggest, you'll end up with
815 # a small performance penalty since there is an additional file being
816 # accessed. This doesn't happen if you leave the macro unset.
817 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
818 .include CHECK_RCPT_LOCAL_ACL_FILE
822 #############################################################################
823 # This check is commented out because it is recognized that not every
824 # sysadmin will want to do it. If you enable it, the check performs
825 # Client SMTP Authorization (csa) checks on the sending host. These checks
826 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
827 # an Internet draft. You can, of course, add additional conditions to this
828 # ACL statement to restrict the CSA checks to certain hosts only.
830 # require verify = csa
831 #############################################################################
834 # Accept if the address is in a domain for which we are an incoming relay,
835 # but again, only if the recipient can be verified.
838 domains = +relay_to_domains
843 # At this point, the address has passed all the checks that have been
844 # configured, so we accept it unconditionally.
847 #####################################################
848 ### end acl/30_exim4-config_check_rcpt
849 #####################################################
850 #####################################################
851 ### acl/40_exim4-config_check_data
852 #####################################################
854 ### acl/40_exim4-config_check_data
855 #################################
857 # This ACL is used after the contents of a message have been received. This
858 # is the ACL in which you can test a message's headers or body, and in
859 # particular, this is where you can invoke external virus or spam scanners.
863 # Deny unless the address list headers are syntactically correct.
865 # If you enable this, you might reject legitimate mail.
866 .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
868 message = Message headers fail syntax check
869 !acl = acl_local_deny_exceptions
870 !verify = header_syntax
874 # require that there is a verifiable sender address in at least
875 # one of the "Sender:", "Reply-To:", or "From:" header lines.
876 .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
878 message = No verifiable sender address in message headers
879 !acl = acl_local_deny_exceptions
880 !verify = header_sender
884 # Deny if the message contains malware. Before enabling this check, you
885 # must install a virus scanner and set the av_scanner option in the
886 # main configuration.
888 # exim4-daemon-heavy must be used for this section to work.
892 # message = This message was detected as possible malware ($malware_name).
895 # Add headers to a message if it is judged to be spam. Before enabling this,
896 # you must install SpamAssassin. You also need to set the spamd_address
897 # option in the main configuration.
899 # exim4-daemon-heavy must be used for this section to work.
901 # Please note that this is only suiteable as an example. There are
902 # multiple issues with this configuration method. For example, if you go
903 # this way, you'll give your spamassassin daemon write access to the
904 # entire exim spool which might be a security issue in case of a
905 # spamassassin exploit.
907 # See the exim docs and the exim wiki for more suitable examples.
910 # spam = Debian-exim:true
911 # message = X-Spam_score: $spam_score\n\
912 # X-Spam_score_int: $spam_score_int\n\
913 # X-Spam_bar: $spam_bar\n\
914 # X-Spam_report: $spam_report
917 # This hook allows you to hook in your own ACLs without having to
918 # modify this file. If you do it like we suggest, you'll end up with
919 # a small performance penalty since there is an additional file being
920 # accessed. This doesn't happen if you leave the macro unset.
921 .ifdef CHECK_DATA_LOCAL_ACL_FILE
922 .include CHECK_DATA_LOCAL_ACL_FILE
928 #####################################################
929 ### end acl/40_exim4-config_check_data
930 #####################################################
931 #####################################################
932 ### router/00_exim4-config_header
933 #####################################################
935 ######################################################################
936 # ROUTERS CONFIGURATION #
937 # Specifies how addresses are handled #
938 ######################################################################
939 # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
940 # An address is passed to each router in turn until it is accepted. #
941 ######################################################################
945 #####################################################
946 ### end router/00_exim4-config_header
947 #####################################################
948 #####################################################
949 ### router/100_exim4-config_domain_literal
950 #####################################################
952 ### router/100_exim4-config_domain_literal
953 #################################
955 # This router handles e-mail addresses in "domain literal" form like
956 # <user@[10.11.12.13]>. The RFCs require this facility, but it is disabled
957 # in the default config since it is seldomly used and frequently abused.
958 # Domain literal support also needs to be enabled in the main config,
959 # which is automatically done if you use the enable macro
960 # MAIN_ALLOW_DOMAIN_LITERALS.
962 .ifdef MAIN_ALLOW_DOMAIN_LITERALS
964 debug_print = "R: domain_literal for $local_part@$domain"
966 domains = ! +local_domains
967 transport = remote_smtp
969 #####################################################
970 ### end router/100_exim4-config_domain_literal
971 #####################################################
972 #####################################################
973 ### router/150_exim4-config_hubbed_hosts
974 #####################################################
976 # router/150_exim4-config_hubbed_hosts
977 #################################
979 # route specific domains manually.
981 # see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
982 # more detailed documentation.
985 debug_print = "R: hubbed_hosts for $domain"
987 domains = "${if exists{CONFDIR/hubbed_hosts}\
988 {partial-lsearch;CONFDIR/hubbed_hosts}\
990 same_domain_copy_routing = yes
991 route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
992 transport = remote_smtp
993 #####################################################
994 ### end router/150_exim4-config_hubbed_hosts
995 #####################################################
996 #####################################################
997 ### router/200_exim4-config_primary
998 #####################################################
1000 ### router/200_exim4-config_primary
1001 #################################
1002 # This file holds the primary router, responsible for nonlocal mails
1004 .ifdef DCconfig_internet
1005 # configtype=internet
1007 # deliver mail to the recipient if recipient domain is a domain we
1008 # relay for. We do not ignore any target hosts here since delivering to
1009 # a site local or even a link local address might be wanted here, and if
1010 # such an address has found its way into the MX record of such a domain,
1011 # the local admin is probably in a place where that broken MX record
1014 dnslookup_relay_to_domains:
1015 debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
1017 domains = ! +local_domains : +relay_to_domains
1018 transport = remote_smtp
1019 same_domain_copy_routing = yes
1022 # deliver mail directly to the recipient. This router is only reached
1023 # for domains that we do not relay for. Since we most probably can't
1024 # have broken MX records pointing to site local or link local IP
1025 # addresses fixed, we ignore target hosts pointing to these addresses.
1028 debug_print = "R: dnslookup for $local_part@$domain"
1030 domains = ! +local_domains
1031 transport = remote_smtp
1032 same_domain_copy_routing = yes
1033 # ignore private rfc1918 and APIPA addresses
1034 ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
1035 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
1042 .ifdef DCconfig_local
1045 # Stand-alone system, so generate an error for mail to a non-local domain
1047 debug_print = "R: nonlocal for $local_part@$domain"
1049 domains = ! +local_domains
1051 data = :fail: Mailing to remote domains not supported
1057 .ifdef DCconfig_smarthost DCconfig_satellite
1058 # configtype=smarthost or configtype=satellite
1060 # Send all non-local mail to a single other machine (smarthost).
1062 # This means _ALL_ non-local mail goes to the smarthost. This will most
1063 # probably not do what you want for domains that are listed in
1064 # relay_domains. The most typical use for relay_domains is to control
1065 # relaying for incoming e-mail on secondary MX hosts. In that case,
1066 # it doesn't make sense to send the mail to the smarthost since the
1067 # smarthost will probably send the message right back here, causing a
1070 # If you want to use a smarthost while being secondary MX for some
1071 # domains, you'll need to copy the dnslookup_relay_to_domains router
1072 # here so that mail to relay_domains is handled separately.
1075 debug_print = "R: smarthost for $local_part@$domain"
1076 driver = manualroute
1077 domains = ! +local_domains
1078 transport = remote_smtp_smarthost
1079 route_list = * DCsmarthost byname
1080 host_find_failed = defer
1081 same_domain_copy_routing = yes
1087 # The "no_more" above means that all later routers are for
1088 # domains in the local_domains list, i.e. just like Exim 3 directors.
1089 #####################################################
1090 ### end router/200_exim4-config_primary
1091 #####################################################
1092 #####################################################
1093 ### router/300_exim4-config_real_local
1094 #####################################################
1096 ### router/300_exim4-config_real_local
1097 #################################
1099 # This router allows reaching a local user while avoiding local
1100 # processing. This can be used to inform a user of a broken .forward
1101 # file, for example. The userforward router does this.
1103 COND_LOCAL_SUBMITTER = "\
1104 ${if match_ip{$sender_host_address}{:@[]}\
1109 debug_print = "R: real_local for $local_part@$domain"
1111 domains = +local_domains
1112 condition = COND_LOCAL_SUBMITTER
1113 local_part_prefix = real-
1115 transport = LOCAL_DELIVERY
1117 #####################################################
1118 ### end router/300_exim4-config_real_local
1119 #####################################################
1120 #####################################################
1121 ### router/400_exim4-config_system_aliases
1122 #####################################################
1124 ### router/400_exim4-config_system_aliases
1125 #################################
1127 # This router handles aliasing using a traditional /etc/aliases file.
1129 ##### NB You must ensure that /etc/aliases exists. It used to be the case
1130 ##### NB that every Unix had that file, because it was the Sendmail default.
1131 ##### NB These days, there are systems that don't have it. Your aliases
1132 ##### NB file should at least contain an alias for "postmaster".
1134 # This router handles the local part in a case-insensitive way which
1135 # satisfies the RFCs requirement that postmaster be reachable regardless
1136 # of case. If you decide to handle /etc/aliases in a caseful way, you
1137 # need to make arrangements for a caseless postmaster.
1139 # Delivery to arbitrary directories, files, and piping to programs in
1140 # /etc/aliases is disabled per default.
1141 # If that is a problem for you, see
1142 # /usr/share/doc/exim4-base/README.Debian.gz
1143 # for explanation and some workarounds.
1146 debug_print = "R: system_aliases for $local_part@$domain"
1148 domains = +local_domains
1151 data = ${lookup{$local_part}lsearch{/etc/aliases}}
1152 .ifdef SYSTEM_ALIASES_USER
1153 user = SYSTEM_ALIASES_USER
1155 .ifdef SYSTEM_ALIASES_GROUP
1156 group = SYSTEM_ALIASES_GROUP
1158 .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
1159 file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
1161 .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
1162 pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
1164 .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
1165 directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
1167 #####################################################
1168 ### end router/400_exim4-config_system_aliases
1169 #####################################################
1170 #####################################################
1171 ### router/500_exim4-config_hubuser
1172 #####################################################
1174 ### router/500_exim4-config_hubuser
1175 #################################
1177 .ifdef DCconfig_satellite
1178 # This router is only used for configtype=satellite.
1179 # It takes care to route all mail targetted to <somelocaluser@this.machine>
1180 # to the host where we read our mail
1183 debug_print = "R: hub_user for $local_part@$domain"
1185 domains = +local_domains
1186 data = ${local_part}@DCreadhost
1189 # Grab the redirected mail and deliver it.
1190 # This is a duplicate of the smarthost router, needed because
1191 # DCreadhost might end up as part of +local_domains
1193 debug_print = "R: hub_user_smarthost for $local_part@$domain"
1194 driver = manualroute
1195 domains = DCreadhost
1196 transport = remote_smtp_smarthost
1197 route_list = * DCsmarthost byname
1198 host_find_failed = defer
1199 same_domain_copy_routing = yes
1204 #####################################################
1205 ### end router/500_exim4-config_hubuser
1206 #####################################################
1207 #####################################################
1208 ### router/600_exim4-config_userforward
1209 #####################################################
1211 ### router/600_exim4-config_userforward
1212 #################################
1214 # This router handles forwarding using traditional .forward files in users'
1215 # home directories. It also allows mail filtering with a forward file
1216 # starting with the string "# Exim filter" or "# Sieve filter".
1218 # The no_verify setting means that this router is skipped when Exim is
1219 # verifying addresses. Similarly, no_expn means that this router is skipped if
1220 # Exim is processing an EXPN command.
1222 # The check_ancestor option means that if the forward file generates an
1223 # address that is an ancestor of the current one, the current one gets
1224 # passed on instead. This covers the case where A is aliased to B and B
1225 # has a .forward file pointing to A.
1227 # The four transports specified at the end are those that are used when
1228 # forwarding generates a direct delivery to a directory, or a file, or to a
1229 # pipe, or sets up an auto-reply, respectively.
1232 debug_print = "R: userforward for $local_part@$domain"
1234 domains = +local_domains
1236 file = $home/.forward
1237 require_files = $local_part:$home/.forward
1242 forbid_smtp_code = true
1243 directory_transport = address_directory
1244 file_transport = address_file
1245 pipe_transport = address_pipe
1246 reply_transport = address_reply
1248 syntax_errors_to = real-$local_part@$domain
1249 syntax_errors_text = \
1250 This is an automatically generated message. An error has\n\
1251 been found in your .forward file. Details of the error are\n\
1252 reported below. While this error persists, you will receive\n\
1253 a copy of this message for every message that is addressed\n\
1254 to you. If your .forward file is a filter file, or if it is\n\
1255 a non-filter file containing no valid forwarding addresses,\n\
1256 a copy of each incoming message will be put in your normal\n\
1257 mailbox. If a non-filter file contains at least one valid\n\
1258 forwarding address, forwarding to the valid addresses will\n\
1259 happen, and those will be the only deliveries that occur.
1261 #####################################################
1262 ### end router/600_exim4-config_userforward
1263 #####################################################
1264 #####################################################
1265 ### router/700_exim4-config_procmail
1266 #####################################################
1269 debug_print = "R: procmail for $local_part@$domain"
1271 domains = +local_domains
1273 transport = procmail_pipe
1274 # emulate OR with "if exists"-expansion
1275 require_files = ${local_part}:\
1276 ${if exists{/etc/procmailrc}\
1277 {/etc/procmailrc}{${home}/.procmailrc}}:\
1282 #####################################################
1283 ### end router/700_exim4-config_procmail
1284 #####################################################
1285 #####################################################
1286 ### router/800_exim4-config_maildrop
1287 #####################################################
1289 ### router/800_exim4-config_maildrop
1290 #################################
1293 debug_print = "R: maildrop for $local_part@$domain"
1295 domains = +local_domains
1297 transport = maildrop_pipe
1298 require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
1302 #####################################################
1303 ### end router/800_exim4-config_maildrop
1304 #####################################################
1305 #####################################################
1306 ### router/850_exim4-config_lowuid
1307 #####################################################
1309 ### router/850_exim4-config_lowuid
1310 #################################
1312 .ifndef FIRST_USER_ACCOUNT_UID
1313 FIRST_USER_ACCOUNT_UID = 0
1316 .ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
1317 DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
1320 COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
1321 ${if and{{! match_ip{$sender_host_address}{:@[]}}\
1322 {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
1327 debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
1331 domains = +local_domains
1332 condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
1333 data = ${if exists{/etc/exim4/lowuid-aliases}\
1334 {${lookup{$local_part}lsearch{/etc/exim4/lowuid-aliases}\
1335 {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
1336 #####################################################
1337 ### end router/850_exim4-config_lowuid
1338 #####################################################
1339 #####################################################
1340 ### router/900_exim4-config_local_user
1341 #####################################################
1343 ### router/900_exim4-config_local_user
1344 #################################
1346 # This router matches local user mailboxes. If the router fails, the error
1347 # message is "Unknown user".
1350 debug_print = "R: local_user for $local_part@$domain"
1352 domains = +local_domains
1354 local_parts = ! root
1355 transport = LOCAL_DELIVERY
1356 cannot_route_message = Unknown user
1357 #####################################################
1358 ### end router/900_exim4-config_local_user
1359 #####################################################
1360 #####################################################
1361 ### router/mmm_mail4root
1362 #####################################################
1364 ### router/mmm_mail4root
1365 #################################
1366 # deliver mail addressed to root to /var/mail/mail as user mail:mail
1367 # if it was not redirected in /etc/aliases or by other means
1368 # Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
1371 debug_print = "R: mail4root for $local_part@$domain"
1373 domains = +local_domains
1374 data = /var/mail/mail
1375 file_transport = address_file
1380 #####################################################
1381 ### end router/mmm_mail4root
1382 #####################################################
1383 #####################################################
1384 ### transport/00_exim4-config_header
1385 #####################################################
1387 ######################################################################
1388 # TRANSPORTS CONFIGURATION #
1389 ######################################################################
1390 # ORDER DOES NOT MATTER #
1391 # Only one appropriate transport is called for each delivery. #
1392 ######################################################################
1394 # A transport is used only when referenced from a router that successfully
1395 # handles an address.
1399 #####################################################
1400 ### end transport/00_exim4-config_header
1401 #####################################################
1402 #####################################################
1403 ### transport/10_exim4-config_transport-macros
1404 #####################################################
1406 ### transport/10_exim4-config_transport-macros
1407 #################################
1409 .ifdef HIDE_MAILNAME
1410 REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
1411 REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
1414 .ifdef REMOTE_SMTP_HELO_FROM_DNS
1415 REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
1417 #####################################################
1418 ### end transport/10_exim4-config_transport-macros
1419 #####################################################
1420 #####################################################
1421 ### transport/30_exim4-config_address_file
1422 #####################################################
1424 # This transport is used for handling deliveries directly to files that are
1425 # generated by aliasing or forwarding.
1428 debug_print = "T: address_file for $local_part@$domain"
1434 #####################################################
1435 ### end transport/30_exim4-config_address_file
1436 #####################################################
1437 #####################################################
1438 ### transport/30_exim4-config_address_pipe
1439 #####################################################
1441 # This transport is used for handling pipe deliveries generated by
1442 # .forward files. If the commands fails and produces any output on standard
1443 # output or standard error streams, the output is returned to the sender
1444 # of the message as a delivery error.
1446 debug_print = "T: address_pipe for $local_part@$domain"
1450 #####################################################
1451 ### end transport/30_exim4-config_address_pipe
1452 #####################################################
1453 #####################################################
1454 ### transport/30_exim4-config_address_reply
1455 #####################################################
1457 # This transport is used for handling autoreplies generated by the filtering
1458 # option of the userforward router.
1461 debug_print = "T: autoreply for $local_part@$domain"
1464 #####################################################
1465 ### end transport/30_exim4-config_address_reply
1466 #####################################################
1467 #####################################################
1468 ### transport/30_exim4-config_mail_spool
1469 #####################################################
1471 ### transport/30_exim4-config_mail_spool
1473 # This transport is used for local delivery to user mailboxes in traditional
1474 # BSD mailbox format.
1477 debug_print = "T: appendfile for $local_part@$domain"
1479 file = /var/mail/$local_part
1485 mode_fail_narrower = false
1487 #####################################################
1488 ### end transport/30_exim4-config_mail_spool
1489 #####################################################
1490 #####################################################
1491 ### transport/30_exim4-config_maildir_home
1492 #####################################################
1494 ### transport/30_exim4-config_maildir_home
1495 #################################
1497 # Use this instead of mail_spool if you want to to deliver to Maildir in
1498 # home-directory - change the definition of LOCAL_DELIVERY
1501 debug_print = "T: maildir_home for $local_part@$domain"
1503 .ifdef MAILDIR_HOME_MAILDIR_LOCATION
1504 directory = MAILDIR_HOME_MAILDIR_LOCATION
1506 directory = $home/Maildir
1508 .ifdef MAILDIR_HOME_CREATE_DIRECTORY
1511 .ifdef MAILDIR_HOME_CREATE_FILE
1512 create_file = MAILDIR_HOME_CREATE_FILE
1518 .ifdef MAILDIR_HOME_DIRECTORY_MODE
1519 directory_mode = MAILDIR_HOME_DIRECTORY_MODE
1521 directory_mode = 0700
1523 .ifdef MAILDIR_HOME_MODE
1524 mode = MAILDIR_HOME_MODE
1528 mode_fail_narrower = false
1529 # This transport always chdirs to $home before trying to deliver. If
1530 # $home is not accessible, this chdir fails and prevents delivery.
1531 # If you are in a setup where home directories might not be
1532 # accessible, uncomment the current_directory line below.
1533 # current_directory = /
1534 #####################################################
1535 ### end transport/30_exim4-config_maildir_home
1536 #####################################################
1537 #####################################################
1538 ### transport/30_exim4-config_maildrop_pipe
1539 #####################################################
1542 debug_print = "T: maildrop_pipe for $local_part@$domain"
1544 path = "/bin:/usr/bin:/usr/local/bin"
1545 command = "/usr/bin/maildrop"
1550 #####################################################
1551 ### end transport/30_exim4-config_maildrop_pipe
1552 #####################################################
1553 #####################################################
1554 ### transport/30_exim4-config_procmail_pipe
1555 #####################################################
1558 debug_print = "T: procmail_pipe for $local_part@$domain"
1560 path = "/bin:/usr/bin:/usr/local/bin"
1561 command = "/usr/bin/procmail"
1566 #####################################################
1567 ### end transport/30_exim4-config_procmail_pipe
1568 #####################################################
1569 #####################################################
1570 ### transport/30_exim4-config_remote_smtp
1571 #####################################################
1573 ### transport/30_exim4-config_remote_smtp
1574 #################################
1575 # This transport is used for delivering messages over SMTP connections.
1578 debug_print = "T: remote_smtp for $local_part@$domain"
1580 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
1581 hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
1583 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1584 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1586 .ifdef REMOTE_SMTP_RETURN_PATH
1587 return_path = REMOTE_SMTP_RETURN_PATH
1589 .ifdef REMOTE_SMTP_HELO_FROM_DNS
1590 helo_data=REMOTE_SMTP_HELO_DATA
1592 #####################################################
1593 ### end transport/30_exim4-config_remote_smtp
1594 #####################################################
1595 #####################################################
1596 ### transport/30_exim4-config_remote_smtp_smarthost
1597 #####################################################
1599 ### transport/30_exim4-config_remote_smtp_smarthost
1600 #################################
1602 # This transport is used for delivering messages over SMTP connections
1603 # to a smarthost. The local host tries to authenticate.
1604 # This transport is used for smarthost and satellite configurations.
1606 remote_smtp_smarthost:
1607 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
1609 hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
1611 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
1615 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1616 hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1618 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1619 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1621 .ifdef REMOTE_SMTP_RETURN_PATH
1622 return_path = REMOTE_SMTP_RETURN_PATH
1624 .ifdef REMOTE_SMTP_HELO_FROM_DNS
1625 helo_data=REMOTE_SMTP_HELO_DATA
1627 #####################################################
1628 ### end transport/30_exim4-config_remote_smtp_smarthost
1629 #####################################################
1630 #####################################################
1631 ### transport/35_exim4-config_address_directory
1632 #####################################################
1633 # This transport is used for handling file addresses generated by alias
1634 # or .forward files if the path ends in "/", which causes it to be treated
1635 # as a directory name rather than a file name.
1638 debug_print = "T: address_directory for $local_part@$domain"
1647 #####################################################
1648 ### end transport/35_exim4-config_address_directory
1649 #####################################################
1650 #####################################################
1651 ### retry/00_exim4-config_header
1652 #####################################################
1654 ######################################################################
1655 # RETRY CONFIGURATION #
1656 ######################################################################
1660 #####################################################
1661 ### end retry/00_exim4-config_header
1662 #####################################################
1663 #####################################################
1664 ### retry/30_exim4-config
1665 #####################################################
1667 ### retry/30_exim4-config
1668 #################################
1670 # This single retry rule applies to all domains and all errors. It specifies
1671 # retries every 15 minutes for 2 hours, then increasing retry intervals,
1672 # starting at 1 hour and increasing each time by a factor of 1.5, up to 16
1673 # hours, then retries every 6 hours until 4 days have passed since the first
1676 # Please note that these rules only limit the frequenzy of retries, the
1677 # effective retry-time depends on the frequenzy of queue-running, too.
1678 # See QUEUEINTERVAL in /etc/default/exim4.
1680 # Address or Domain Error Retries
1681 # ----------------- ----- -------
1683 * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
1685 #####################################################
1686 ### end retry/30_exim4-config
1687 #####################################################
1688 #####################################################
1689 ### rewrite/00_exim4-config_header
1690 #####################################################
1692 ######################################################################
1693 # REWRITE CONFIGURATION #
1694 ######################################################################
1698 #####################################################
1699 ### end rewrite/00_exim4-config_header
1700 #####################################################
1701 #####################################################
1702 ### rewrite/31_exim4-config_rewriting
1703 #####################################################
1705 ### rewrite/31_exim4-config_rewriting
1706 #################################
1708 # This rewriting rule is particularily useful for dialup users who
1709 # don't have their own domain, but could be useful for anyone.
1710 # It looks up the real address of all local users in a file
1711 .ifndef NO_EAA_REWRITE_REWRITE
1712 *@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
1714 # identical rewriting rule for /etc/mailname
1715 *@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
1720 #####################################################
1721 ### end rewrite/31_exim4-config_rewriting
1722 #####################################################
1723 #####################################################
1724 ### auth/00_exim4-config_header
1725 #####################################################
1727 ######################################################################
1728 # AUTHENTICATION CONFIGURATION #
1729 ######################################################################
1731 begin authenticators
1734 #####################################################
1735 ### end auth/00_exim4-config_header
1736 #####################################################
1737 #####################################################
1738 ### auth/30_exim4-config_examples
1739 #####################################################
1741 ### auth/30_exim4-config_examples
1742 #################################
1744 # The examples below are for server side authentication, when the
1745 # local exim is SMTP server and clients authenticate to the local exim.
1747 # They allow two styles of plain-text authentication against an
1748 # CONFDIR/passwd file whose syntax is described in exim4_passwd(5).
1750 # Hosts that are allowed to use AUTH are defined by the
1751 # auth_advertise_hosts option in the main configuration. The default is
1752 # "*", which allows authentication to all hosts over all kinds of
1753 # connections if there is at least one authenticator defined here.
1754 # Authenticators which rely on unencrypted clear text passwords don't
1755 # advertise on unencrypted connections by default. Thus, it might be
1756 # wise to set up TLS to allow encrypted connections. If TLS cannot be
1757 # used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to
1758 # advertise unencrypted clear text password based authenticators on all
1759 # connections. As this is severely reducing security, using TLS is
1760 # preferred over allowing clear text password based authenticators on
1761 # unencrypted connections.
1763 # PLAIN authentication has no server prompts. The client sends its
1764 # credentials in one lump, containing an authorization ID (which we do not
1765 # use), an authentication ID, and a password. The latter two appear as
1766 # $auth2 and $auth3 in the configuration and should be checked against a
1767 # valid username and password. In a real configuration you would typically
1768 # use $auth2 as a lookup key, and compare $auth3 against the result of the
1769 # lookup, perhaps using the crypteq{}{} condition.
1772 # driver = plaintext
1773 # public_name = PLAIN
1774 # server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
1775 # server_set_id = $auth2
1776 # server_prompts = :
1777 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1778 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1781 # LOGIN authentication has traditional prompts and responses. There is no
1782 # authorization ID in this mechanism, so unlike PLAIN the username and
1783 # password are $auth1 and $auth2. Apart from that you can use the same
1784 # server_condition setting for both authenticators.
1787 # driver = plaintext
1788 # public_name = LOGIN
1789 # server_prompts = "Username:: : Password::"
1790 # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
1791 # server_set_id = $auth1
1792 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1793 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1798 # public_name = CRAM-MD5
1799 # server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}}
1800 # server_set_id = $auth1
1802 # Here is an example of CRAM-MD5 authentication against PostgreSQL:
1804 # psqldb_auth_server:
1806 # public_name = CRAM-MD5
1807 # server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail}
1808 # server_set_id = $auth1
1810 # Authenticate against local passwords using sasl2-bin
1811 # Requires exim_uid to be a member of sasl group, see README.Debian.gz
1812 # plain_saslauthd_server:
1813 # driver = plaintext
1814 # public_name = PLAIN
1815 # server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
1816 # server_set_id = $auth2
1817 # server_prompts = :
1818 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1819 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1822 # login_saslauthd_server:
1823 # driver = plaintext
1824 # public_name = LOGIN
1825 # server_prompts = "Username:: : Password::"
1826 # # don't send system passwords over unencrypted connections
1827 # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
1828 # server_set_id = $auth1
1829 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1830 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1834 # driver = cyrus_sasl
1835 # public_name = NTLM
1836 # server_realm = <short main hostname>
1837 # server_set_id = $auth1
1838 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1839 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1842 # digest_md5_sasl_server:
1843 # driver = cyrus_sasl
1844 # public_name = DIGEST-MD5
1845 # server_realm = <short main hostname>
1846 # server_set_id = $auth1
1847 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1848 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1851 # Authentcate against cyrus-sasl
1852 # This is mainly untested, please report any problems to
1853 # pkg-exim4-users@lists.alioth.debian.org.
1854 # cram_md5_sasl_server:
1855 # driver = cyrus_sasl
1856 # public_name = CRAM-MD5
1857 # server_realm = <short main hostname>
1858 # server_set_id = $auth1
1860 # plain_sasl_server:
1861 # driver = cyrus_sasl
1862 # public_name = PLAIN
1863 # server_realm = <short main hostname>
1864 # server_set_id = $auth1
1865 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1866 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1869 # login_sasl_server:
1870 # driver = cyrus_sasl
1871 # public_name = LOGIN
1872 # server_realm = <short main hostname>
1873 # server_set_id = $auth1
1874 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1875 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1878 # Authenticate against courier authdaemon
1880 # This is now the (working!) example from
1881 # http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
1882 # Possible pitfall: access rights on /var/run/courier/authdaemon/socket.
1883 # plain_courier_authdaemon:
1884 # driver = plaintext
1885 # public_name = PLAIN
1886 # server_condition = \
1887 # ${extract {ADDRESS} \
1888 # {${readsocket{/var/run/courier/authdaemon/socket} \
1889 # {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \
1892 # server_set_id = $auth2
1893 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1894 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1897 # login_courier_authdaemon:
1898 # driver = plaintext
1899 # public_name = LOGIN
1900 # server_prompts = Username:: : Password::
1901 # server_condition = \
1902 # ${extract {ADDRESS} \
1903 # {${readsocket{/var/run/courier/authdaemon/socket} \
1904 # {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \
1907 # server_set_id = $auth1
1908 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1909 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1912 # This one is a bad hack to support the broken version 4.xx of
1913 # Microsoft Outlook Express which violates the RFCs by demanding
1914 # "250-AUTH=" instead of "250-AUTH ".
1915 # If your list of offered authenticators is other than PLAIN and LOGIN,
1916 # you need to adapt the public_name line manually.
1917 # It has to be the last authenticator to work and has not been tested
1918 # well. Use at your own risk.
1919 # See the thread entry point from
1920 # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html
1921 # for the related discussion on the exim-users mailing list.
1922 # Thanks to Fred Viles for this great work.
1924 # support_broken_outlook_express_4_server:
1925 # driver = plaintext
1926 # public_name = "\r\n250-AUTH=PLAIN LOGIN"
1927 # server_prompts = User Name : Password
1928 # server_condition = no
1929 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
1930 # server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
1934 # See /usr/share/doc/exim4-base/README.Debian.gz
1937 # These examples below are the equivalent for client side authentication.
1938 # They get the passwords from CONFDIR/passwd.client, whose format is
1939 # defined in exim4_passwd_client(5)
1941 # Because AUTH PLAIN and AUTH LOGIN send the password in clear, we
1942 # only allow these mechanisms over encrypted connections by default.
1943 # You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted
1944 # clear text password authentication on all connections.
1948 public_name = CRAM-MD5
1949 client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
1950 client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
1952 # this returns the matching line from passwd.client and doubles all ^
1954 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
1963 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
1964 client_send = "<; ${if !eq{$tls_cipher}{}\
1965 {^${extract{1}{:}{PASSWDLINE}}\
1966 ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
1969 client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
1970 ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1976 .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
1977 # Return empty string if not non-TLS AND looking up $host in passwd-file
1978 # yields a non-empty string; fail otherwise.
1979 client_send = "<; ${if and{\
1980 {!eq{$tls_cipher}{}}\
1981 {!eq{PASSWDLINE}{}}\
1984 ; ${extract{1}{::}{PASSWDLINE}}\
1985 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1987 # Return empty string if looking up $host in passwd-file yields a
1988 # non-empty string; fail otherwise.
1989 client_send = "<; ${if !eq{PASSWDLINE}{}\
1991 ; ${extract{1}{::}{PASSWDLINE}}\
1992 ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
1994 #####################################################
1995 ### end auth/30_exim4-config_examples
1996 #####################################################