From 00913fc5c4f0bd4a78df5fb067cfb10392aebe7c Mon Sep 17 00:00:00 2001 
From: Matthijs Kooijman Date: Wed, 8 Apr 2009 19:41:28 +0200 Subject: [PATCH] exim: Completely review the exim configuration. This commit mostly removes the fancy Debian debconf automatic stuff, since that creates a lot of overhead with macros being defined in one place and the actual configuration in another place. Other unused parts of the configuration are also removed. Configuration is added for the main delivery lookups to happen from ldap data. Both persons and groups in the LDAP directory can have email addresses defined, which will then get forwarded or delivered appropriately (for emailaddresses in the virtual_domains setting, of course). Email will also be delivered for any username@host addresses, where host is one of the drsnuggles vservers. --- .../acl/20_exim4-config_local_deny_exceptions | 49 ---- .../conf.d/acl/30_exim4-config_check_mail | 4 +- .../conf.d/acl/30_exim4-config_check_rcpt | 242 ++--------------- .../conf.d/acl/40_exim4-config_check_data | 51 +--- .../conf.d/auth/30_exim4-config_examples | 254 ------------------ .../main/01_exim4-config_listmacrosdefs | 100 ------- etc/exim4/conf.d/main/02_exim4-config_options | 200 -------------- .../conf.d/main/03_exim4-config_tlsoptions | 79 ------ .../conf.d/main/90_exim4-config_log_selector | 10 - etc/exim4/conf.d/main/main_config | 61 +++++ etc/exim4/conf.d/rewrite/10_ldap | 12 + .../conf.d/rewrite/31_exim4-config_rewriting | 16 -- .../router/100_exim4-config_domain_literal | 18 -- etc/exim4/conf.d/router/10_outbound | 35 +++ .../router/150_exim4-config_hubbed_hosts | 18 -- etc/exim4/conf.d/router/15_real_local | 13 + .../conf.d/router/200_exim4-config_primary | 90 ------- etc/exim4/conf.d/router/20_system_aliases | 12 + .../conf.d/router/300_exim4-config_real_local | 22 -- etc/exim4/conf.d/router/30_ldap | 184 +++++++++++++ .../router/400_exim4-config_system_aliases | 44 --- etc/exim4/conf.d/router/40_local_delivery | 109 ++++++++ .../conf.d/router/500_exim4-config_hubuser | 31 --- 
.../router/600_exim4-config_userforward | 51 ---- .../conf.d/router/700_exim4-config_procmail | 15 -- .../conf.d/router/800_exim4-config_maildrop | 14 - .../conf.d/router/850_exim4-config_lowuid | 28 -- .../conf.d/router/900_exim4-config_local_user | 15 -- etc/exim4/conf.d/router/mmm_mail4root | 17 -- .../10_exim4-config_transport-macros | 12 - .../transport/30_exim4-config_mail_spool | 17 -- .../transport/30_exim4-config_maildir_home | 26 +- .../transport/30_exim4-config_maildrop_pipe | 10 - .../transport/30_exim4-config_remote_smtp | 12 - .../30_exim4-config_remote_smtp_smarthost | 29 -- etc/exim4/update-exim4.conf.conf | 17 +- 36 files changed, 459 insertions(+), 1458 deletions(-) delete mode 100644 etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions delete mode 100644 etc/exim4/conf.d/auth/30_exim4-config_examples delete mode 100644 etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs delete mode 100644 etc/exim4/conf.d/main/02_exim4-config_options delete mode 100644 etc/exim4/conf.d/main/03_exim4-config_tlsoptions delete mode 100644 etc/exim4/conf.d/main/90_exim4-config_log_selector create mode 100644 etc/exim4/conf.d/main/main_config create mode 100644 etc/exim4/conf.d/rewrite/10_ldap delete mode 100644 etc/exim4/conf.d/rewrite/31_exim4-config_rewriting delete mode 100644 etc/exim4/conf.d/router/100_exim4-config_domain_literal create mode 100644 etc/exim4/conf.d/router/10_outbound delete mode 100644 etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts create mode 100644 etc/exim4/conf.d/router/15_real_local delete mode 100644 etc/exim4/conf.d/router/200_exim4-config_primary create mode 100644 etc/exim4/conf.d/router/20_system_aliases delete mode 100644 etc/exim4/conf.d/router/300_exim4-config_real_local create mode 100644 etc/exim4/conf.d/router/30_ldap delete mode 100644 etc/exim4/conf.d/router/400_exim4-config_system_aliases create mode 100644 etc/exim4/conf.d/router/40_local_delivery delete mode 100644 
etc/exim4/conf.d/router/500_exim4-config_hubuser delete mode 100644 etc/exim4/conf.d/router/600_exim4-config_userforward delete mode 100644 etc/exim4/conf.d/router/700_exim4-config_procmail delete mode 100644 etc/exim4/conf.d/router/800_exim4-config_maildrop delete mode 100644 etc/exim4/conf.d/router/850_exim4-config_lowuid delete mode 100644 etc/exim4/conf.d/router/900_exim4-config_local_user delete mode 100644 etc/exim4/conf.d/router/mmm_mail4root delete mode 100644 etc/exim4/conf.d/transport/10_exim4-config_transport-macros delete mode 100644 etc/exim4/conf.d/transport/30_exim4-config_mail_spool delete mode 100644 etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe delete mode 100644 etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost diff --git a/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions b/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions deleted file mode 100644 index 2372795..0000000 --- a/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions +++ /dev/null 
@@ -1,49 +0,0 @@ - -### acl/20_exim4-config_local_deny_exceptions -################################# - -# This is used to determine whitelisted senders and hosts. -# It checks for CONFDIR/host_local_deny_exceptions and -# CONFDIR/sender_local_deny_exceptions. -# -# It is meant to be used from some other acl entry. -# -# See exim4-config_files(5) for details. -# -# If the files do not exist, the white list never matches, which is -# the desired behaviour. -# -# The old file names CONFDIR/local_host_whitelist and -# CONFDIR/local_sender_whitelist will continue to be honored for a -# transition period. Their use is deprecated. - -acl_local_deny_exceptions: - accept - hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\ - {CONFDIR/host_local_deny_exceptions}\ - {}} - accept - senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\ - {CONFDIR/sender_local_deny_exceptions}\ - {}} - accept - hosts = ${if exists{CONFDIR/local_host_whitelist}\ - {CONFDIR/local_host_whitelist}\ - {}} - accept - senders = ${if exists{CONFDIR/local_sender_whitelist}\ - {CONFDIR/local_sender_whitelist}\ - {}} - - # This hook allows you to hook in your own ACLs without having to - # modify this file. If you do it like we suggest, you'll end up with - # a small performance penalty since there is an additional file being - # accessed. This doesn't happen if you leave the macro unset. - .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE - .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE - .endif - - # this is still supported for a transition period and is deprecated. - .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE - .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE - .endif diff --git a/etc/exim4/conf.d/acl/30_exim4-config_check_mail b/etc/exim4/conf.d/acl/30_exim4-config_check_mail index 7a6a3e7..e2df277 100644 --- a/etc/exim4/conf.d/acl/30_exim4-config_check_mail +++ b/etc/exim4/conf.d/acl/30_exim4-config_check_mail 
@@ -7,10 +7,8 @@ # accepted or denied. # acl_check_mail: - .ifdef CHECK_MAIL_HELO_ISSUED deny message = no HELO given before MAIL command - condition = ${if def:sender_helo_name {no}{yes}} - .endif + condition = ${if !def:sender_helo_name } accept diff --git a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt index 41682eb..21be517 100644 --- a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt +++ b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt 
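Review bot: With the `.ifdef CHECK_MAIL_HELO_ISSUED` guard gone, the "no HELO given before MAIL command" deny is no longer opt-in and now applies to every client, including the nullmailer hosts in +relay_from_hosts and authenticated MUAs that acl_check_rcpt later exempts from other checks. That is RFC-conformant and probably intended, but the intent deserves a comment since the old configuration made it a deliberate choice, e.g. `# Applies to all clients, including relay_from_hosts: HELO/EHLO is mandatory before MAIL.` The bare `${if !def:sender_helo_name }` with no result strings expands to "true" or the empty string, which an ACL `condition` treats as true and false respectively, so it is equivalent to the old `{no}{yes}` form — worth a short comment too, since the implicit result is easy to misread.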
@@ -36,35 +36,21 @@ acl_check_rcpt: # These ACL components will block recipient addresses that are valid # from an RFC2822 point of view. We chose to have them blocked by # default for security reasons. - # - # If you feel that your site should have less strict recipient - # checking, please feel free to change the default values of the macros - # defined in main/01_exim4-config_listmacrosdefs or override them from a - # local configuration file. # # Two different rules are used. The first one has a quite strict # default, and is applied to messages that are addressed to one of the # local domains handled by this host. - # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in - # main/01_exim4-config_listmacrosdefs: - # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] - # This blocks local parts that begin with a dot or contain a quite - # broad range of non-alphanumeric characters. - .ifdef CHECK_RCPT_LOCAL_LOCALPARTS deny domains = +local_domains - local_parts = CHECK_RCPT_LOCAL_LOCALPARTS + # This blocks local parts that begin with a dot or contain a quite + # broad range of non-alphanumeric characters. + local_parts = ^[.] : ^.*[@%!/|`#&?] message = restricted characters in address - .endif # The second rule applies to all other domains, and its default is # considerably less strict. - - # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in - # main/01_exim4-config_listmacrosdefs: - # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ # It allows local users to send outgoing messages to sites # that use slashes and vertical bars in their local parts. It blocks 
@@ -75,87 +61,46 @@ acl_check_rcpt: # allowed by the default regexps to avoid rejecting mails to Ireland. # The motivation here is to prevent local users (or local users' malware) # from mounting certain kinds of attack on remote sites. - .ifdef CHECK_RCPT_REMOTE_LOCALPARTS deny domains = !+local_domains - local_parts = CHECK_RCPT_REMOTE_LOCALPARTS + local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ message = restricted characters in address - .endif # Accept mail to postmaster in any local domain, regardless of the source, # and without verifying the sender. # accept - .ifndef CHECK_RCPT_POSTMASTER local_parts = postmaster - .else - local_parts = CHECK_RCPT_POSTMASTER - .endif domains = +local_domains : +relay_to_domains # Deny unless the sender address can be verified. # - # This is disabled by default so that DNSless systems don't break. If - # your system can do DNS lookups without delay or cost, you might want - # to enable this feature. - # - # This feature does not work in smarthost and satellite setups as - # with these setups all domains pass verification. See spec.txt chapter - # 39.31 with the added information that a smarthost/satellite setup - # routes all non-local e-mail to the smarthost. - .ifdef CHECK_RCPT_VERIFY_SENDER + # This also performs "callout" verification, i.e., connect to the sender's + # mailserver and see if it accepts the mail address. This is quite + # expensive, but might save a bunch of spamchecks... deny message = Sender verification failed - !acl = acl_local_deny_exceptions - !verify = sender - .endif - - # Verify senders listed in local_sender_callout with a callout. - # - # In smarthost and satellite setups, this causes the callout to be - # done to the smarthost. Verification will thus only be reliable if the - # smarthost does reject illegal addresses in the SMTP dialog. 
- deny - !acl = acl_local_deny_exceptions - senders = ${if exists{CONFDIR/local_sender_callout}\ - {CONFDIR/local_sender_callout}\ - {}} !verify = sender/callout - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. It is assumed that such hosts are most likely to be MUAs, - # so we set control=submission to make Exim treat the message as a - # submission. It will fix up various errors in the message, for example, the - # lack of a Date: header line. If you are actually relaying out out from - # MTAs, you may want to disable this. If you are handling both relaying from - # MTAs and submissions from MUAs you should probably split them into two - # lists, and handle them differently. - - # Recipient verification is omitted here, because in many cases the clients - # are dumb MUAs that don't cope well with SMTP error responses. If you are - # actually relaying out from MTAs, you should probably add recipient - # verification here. - - # Note that, by putting this test before any DNS black list checks, you will - # always accept from these hosts, even if they end up on a black list. The - # assumption is that they are your friends, and if they get onto black - # list, it is a mistake. - accept - hosts = +relay_from_hosts - control = submission/sender_retain - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted, and submission mode is set. And again, we do this + # any host. These messages are usually from MUAs, so recipient + # verification is omitted, and submission mode is set. We do this # check before any black list tests. accept authenticated = * control = submission/sender_retain + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. 
These hosts are only dumb forwarders (nullmailers), not + # real MTAs, so we set control=submission to make Exim treat the message as a + # submission. It will fix up various errors in the message, for example, the + # lack of a Date: header line. + accept + hosts = +relay_from_hosts + #control = submission/sender_retain # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow 
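Review bot: The now-unconditional `deny ... !verify = sender/callout` sits before both `accept authenticated = *` and `accept hosts = +relay_from_hosts`, so the envelope sender of every message from your own nullmailers and authenticated MUAs is callout-verified first, and a nullmailer sending as e.g. root@internal-host with a domain that does not route will be rejected at RCPT time instead of relayed; the old `!acl = acl_local_deny_exceptions` escape hatch is gone as well. Either move the deny below the two accepts, or restrict it with `hosts = !+relay_from_hosts` and `!authenticated = *`. Unconditional callouts against every remote sender are also a known way to get this host listed as abusive by the sites it probes, so plain `verify = sender` with callouts reserved for a list would be the safer default (this is a judgement call, not visible breakage). Separately, the new comment above the relay_from_hosts accept says "we set control=submission", but the `#control = submission/sender_retain` line is commented out, so the comment and the code disagree — uncomment the control or reword the comment. acl_check_rcpt begins above this hunk.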
@@ -172,50 +117,6 @@ acl_check_rcpt: verify = recipient - # Verify recipients listed in local_rcpt_callout with a callout. - # This is especially handy for forwarding MX hosts (secondary MX or - # mail hubs) of domains that receive a lot of spam to non-existent - # addresses. The only way to check local parts for remote relay - # domains is to use a callout (add /callout), but please read the - # documentation about callouts before doing this. - deny - !acl = acl_local_deny_exceptions - recipients = ${if exists{CONFDIR/local_rcpt_callout}\ - {CONFDIR/local_rcpt_callout}\ - {}} - !verify = recipient/callout - - - # CONFDIR/local_sender_blacklist holds a list of envelope senders that - # should have their access denied to the local host. Incoming messages - # with one of these senders are rejected at RCPT time. - # - # The explicit white lists are honored as well as negative items in - # the black list. See exim4-config_files(5) for details. - deny - message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_local_deny_exceptions - senders = ${if exists{CONFDIR/local_sender_blacklist}\ - {CONFDIR/local_sender_blacklist}\ - {}} - - - # deny bad sites (IP address) - # CONFDIR/local_host_blacklist holds a list of host names, IP addresses - # and networks (CIDR notation) that should have their access denied to - # The local host. Messages coming in from a listed host will have all - # RCPT statements rejected. - # - # The explicit white lists are honored as well as negative items in - # the black list. See exim4-config_files(5) for details. - deny - message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_local_deny_exceptions - hosts = ${if exists{CONFDIR/local_host_blacklist}\ - {CONFDIR/local_host_blacklist}\ - {}} - - # Warn if the sender host does not have valid reverse DNS. 
# # If your system can do DNS lookups without delay or cost, you might want 
@@ -224,116 +125,13 @@ acl_check_rcpt: # sender_host_name is not defined, then reverse lookup failed. Use # this instead of !verify = reverse_host_lookup to catch deferrals # as well as outright failures. - .ifdef CHECK_RCPT_REVERSE_DNS warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) - condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ - {yes}{no}} - .endif - - - # Use spfquery to perform a pair of SPF checks (for details, see - # http://www.openspf.org/) - # - # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not - # enable if that's an issue. Also note that if you enable this, you must - # install "libmail-spf-query-perl" which provides the spfquery command. - # Missing libmail-spf-query-perl will trigger the "Unexpected error in - # SPF check" warning. - .ifdef CHECK_RCPT_SPF - deny - message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address - log_message = SPF check failed. - !acl = acl_local_deny_exceptions - condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\ - {no}{${if eq {$runrc}{1}{yes}{no}}}} - - defer - message = Temporary DNS error while checking SPF record. Try again later. - condition = ${if eq {$runrc}{5}{yes}{no}} - - warn - message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\ - {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}} - condition = ${if <={$runrc}{6}{yes}{no}} - - warn - log_message = Unexpected error in SPF check. 
- condition = ${if >{$runrc}{6}{yes}{no}} - - # Support for best-guess (see http://www.openspf.org/developers-guide.html) - warn - message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\ - {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\ - {${if eq {$runrc}{6}{none}{error}}}}}}}}}} - condition = ${if <={$runrc}{6}{yes}{no}} - - defer - message = Temporary DNS error while checking SPF record. Try again later. - condition = ${if eq {$runrc}{5}{yes}{no}} - .endif - - - # Check against classic DNS "black" lists (DNSBLs) which list - # sender IP addresses - .ifdef CHECK_RCPT_IP_DNSBLS - warn - message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - dnslists = CHECK_RCPT_IP_DNSBLS - .endif - - - # Check against DNSBLs which list sender domains, with an option to locally - # whitelist certain domains that might be blacklisted. - # - # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append - # "/$sender_address_domain" after each domain. For example: - # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \ - # : rhsbl.bar.org/$sender_address_domain - .ifdef CHECK_RCPT_DOMAIN_DNSBLS - warn - message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ - {CONFDIR/local_domain_dnsbl_whitelist}\ - {}} - dnslists = CHECK_RCPT_DOMAIN_DNSBLS - .endif - - - # This hook allows you to hook in your own ACLs without having to - # modify this file. 
If you do it like we suggest, you'll end up with - # a small performance penalty since there is an additional file being - # accessed. This doesn't happen if you leave the macro unset. - .ifdef CHECK_RCPT_LOCAL_ACL_FILE - .include CHECK_RCPT_LOCAL_ACL_FILE - .endif - - - ############################################################################# - # This check is commented out because it is recognized that not every - # sysadmin will want to do it. If you enable it, the check performs - # Client SMTP Authorization (csa) checks on the sending host. These checks - # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) - # an Internet draft. You can, of course, add additional conditions to this - # ACL statement to restrict the CSA checks to certain hosts only. - # - # require verify = csa - ############################################################################# - - - # Accept if the address is in a domain for which we are an incoming relay, - # but again, only if the recipient can be verified. - - accept - domains = +relay_to_domains - endpass - verify = recipient - + verify = reverse_host_lookup # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. accept + +# vim: set sts=2 expandtab sw=2 ai: diff --git a/etc/exim4/conf.d/acl/40_exim4-config_check_data b/etc/exim4/conf.d/acl/40_exim4-config_check_data index 958639d..0cf685a 100644 --- a/etc/exim4/conf.d/acl/40_exim4-config_check_data +++ b/etc/exim4/conf.d/acl/40_exim4-config_check_data 
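Review bot: The warn that adds `X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address ...` now ends with `verify = reverse_host_lookup` without a `!`, so the header is added when the reverse lookup succeeds and omitted when it fails — the condition is inverted. At minimum it should read `!verify = reverse_host_lookup`; note that the retained comment directly above says the old `condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}{yes}{no}}` form was chosen precisely to catch deferrals as well as failures, which `!verify = reverse_host_lookup` alone does not, so that comment is now stale too. Removing the `accept domains = +relay_to_domains endpass verify = recipient` stanza also means recipients in relay_to_domains now fall through to the final unconditional `accept` with no recipient verification at all, unless relay_to_domains is empty in update-exim4.conf.conf (not visible here). acl_check_rcpt begins above this hunk.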
@@ -10,66 +10,17 @@ acl_check_data: # Deny unless the address list headers are syntactically correct. # - # If you enable this, you might reject legitimate mail. - .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX + # This might reject legitimate mail... deny message = Message headers fail syntax check - !acl = acl_local_deny_exceptions !verify = header_syntax - .endif # require that there is a verifiable sender address in at least # one of the "Sender:", "Reply-To:", or "From:" header lines. - .ifdef CHECK_DATA_VERIFY_HEADER_SENDER deny message = No verifiable sender address in message headers - !acl = acl_local_deny_exceptions !verify = header_sender - .endif - - - # Deny if the message contains malware. Before enabling this check, you - # must install a virus scanner and set the av_scanner option in the - # main configuration. - # - # exim4-daemon-heavy must be used for this section to work. - # - # deny - # malware = * - # message = This message was detected as possible malware ($malware_name). - - - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You also need to set the spamd_address - # option in the main configuration. - # - # exim4-daemon-heavy must be used for this section to work. - # - # Please note that this is only suiteable as an example. There are - # multiple issues with this configuration method. For example, if you go - # this way, you'll give your spamassassin daemon write access to the - # entire exim spool which might be a security issue in case of a - # spamassassin exploit. - # - # See the exim docs and the exim wiki for more suitable examples. - # - # warn - # spam = Debian-exim:true - # message = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report - - - # This hook allows you to hook in your own ACLs without having to - # modify this file. 
If you do it like we suggest, you'll end up with - # a small performance penalty since there is an additional file being - # accessed. This doesn't happen if you leave the macro unset. - .ifdef CHECK_DATA_LOCAL_ACL_FILE - .include CHECK_DATA_LOCAL_ACL_FILE - .endif - # accept otherwise accept diff --git a/etc/exim4/conf.d/auth/30_exim4-config_examples b/etc/exim4/conf.d/auth/30_exim4-config_examples deleted file mode 100644 index 13853da..0000000 --- a/etc/exim4/conf.d/auth/30_exim4-config_examples +++ /dev/null 
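Review bot: With the `.ifdef` guards and `!acl = acl_local_deny_exceptions` escapes removed, both `deny !verify = header_syntax` and `deny !verify = header_sender` now apply to every message, and nothing visible in acl_check_data exempts authenticated MUAs or the +relay_from_hosts nullmailers that acl_check_rcpt accepts without recipient verification. `header_sender` needs a routable address in From:, Sender: or Reply-To:, so cron or system mail from a vserver with From: root@hostname that does not route would be rejected at DATA — and because `control = submission` is commented out for relay_from_hosts in the rcpt ACL, Exim will not fix such headers up either (inferred from the other hunk, worth confirming against main_config). Consider adding `hosts = !+relay_from_hosts` and `!authenticated = *` to both denies, or at least replacing the "This might reject legitimate mail..." remark with a comment stating that these checks are intentionally applied to local submissions too.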
@@ -1,254 +0,0 @@ - -### auth/30_exim4-config_examples -################################# - -# The examples below are for server side authentication, when the -# local exim is SMTP server and clients authenticate to the local exim. - -# They allow two styles of plain-text authentication against an -# CONFDIR/passwd file whose syntax is described in exim4_passwd(5). - -# Hosts that are allowed to use AUTH are defined by the -# auth_advertise_hosts option in the main configuration. The default is -# "*", which allows authentication to all hosts over all kinds of -# connections if there is at least one authenticator defined here. -# Authenticators which rely on unencrypted clear text passwords don't -# advertise on unencrypted connections by default. Thus, it might be -# wise to set up TLS to allow encrypted connections. If TLS cannot be -# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to -# advertise unencrypted clear text password based authenticators on all -# connections. As this is severely reducing security, using TLS is -# preferred over allowing clear text password based authenticators on -# unencrypted connections. - -# PLAIN authentication has no server prompts. The client sends its -# credentials in one lump, containing an authorization ID (which we do not -# use), an authentication ID, and a password. The latter two appear as -# $auth2 and $auth3 in the configuration and should be checked against a -# valid username and password. In a real configuration you would typically -# use $auth2 as a lookup key, and compare $auth3 against the result of the -# lookup, perhaps using the crypteq{}{} condition. 
- -# plain_server: -# driver = plaintext -# public_name = PLAIN -# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" -# server_set_id = $auth2 -# server_prompts = : -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -# LOGIN authentication has traditional prompts and responses. There is no -# authorization ID in this mechanism, so unlike PLAIN the username and -# password are $auth1 and $auth2. Apart from that you can use the same -# server_condition setting for both authenticators. - -# login_server: -# driver = plaintext -# public_name = LOGIN -# server_prompts = "Username:: : Password::" -# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif -# -# cram_md5_server: -# driver = cram_md5 -# public_name = CRAM-MD5 -# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} -# server_set_id = $auth1 - -# Here is an example of CRAM-MD5 authentication against PostgreSQL: -# -# psqldb_auth_server: -# driver = cram_md5 -# public_name = CRAM-MD5 -# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} -# server_set_id = $auth1 - -# Authenticate against local passwords using sasl2-bin -# Requires exim_uid to be a member of sasl group, see README.Debian.gz -# plain_saslauthd_server: -# driver = plaintext -# public_name = PLAIN -# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} -# server_set_id = $auth2 -# server_prompts = : -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif -# -# login_saslauthd_server: -# driver = plaintext -# public_name = LOGIN -# server_prompts = 
"Username:: : Password::" -# # don't send system passwords over unencrypted connections -# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif -# -# ntlm_sasl_server: -# driver = cyrus_sasl -# public_name = NTLM -# server_realm = -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif -# -# digest_md5_sasl_server: -# driver = cyrus_sasl -# public_name = DIGEST-MD5 -# server_realm = -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -# Authentcate against cyrus-sasl -# This is mainly untested, please report any problems to -# pkg-exim4-users@lists.alioth.debian.org. -# cram_md5_sasl_server: -# driver = cyrus_sasl -# public_name = CRAM-MD5 -# server_realm = -# server_set_id = $auth1 -# -# plain_sasl_server: -# driver = cyrus_sasl -# public_name = PLAIN -# server_realm = -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif -# -# login_sasl_server: -# driver = cyrus_sasl -# public_name = LOGIN -# server_realm = -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -# Authenticate against courier authdaemon - -# This is now the (working!) example from -# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 -# Possible pitfall: access rights on /var/run/courier/authdaemon/socket. 
-# plain_courier_authdaemon: -# driver = plaintext -# public_name = PLAIN -# server_condition = \ -# ${extract {ADDRESS} \ -# {${readsocket{/var/run/courier/authdaemon/socket} \ -# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ -# {yes} \ -# fail} -# server_set_id = $auth2 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -# login_courier_authdaemon: -# driver = plaintext -# public_name = LOGIN -# server_prompts = Username:: : Password:: -# server_condition = \ -# ${extract {ADDRESS} \ -# {${readsocket{/var/run/courier/authdaemon/socket} \ -# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ -# {yes} \ -# fail} -# server_set_id = $auth1 -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -# This one is a bad hack to support the broken version 4.xx of -# Microsoft Outlook Express which violates the RFCs by demanding -# "250-AUTH=" instead of "250-AUTH ". -# If your list of offered authenticators is other than PLAIN and LOGIN, -# you need to adapt the public_name line manually. -# It has to be the last authenticator to work and has not been tested -# well. Use at your own risk. -# See the thread entry point from -# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html -# for the related discussion on the exim-users mailing list. -# Thanks to Fred Viles for this great work. - -# support_broken_outlook_express_4_server: -# driver = plaintext -# public_name = "\r\n250-AUTH=PLAIN LOGIN" -# server_prompts = User Name : Password -# server_condition = no -# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} -# .endif - -############## -# See /usr/share/doc/exim4-base/README.Debian.gz -############## - -# These examples below are the equivalent for client side authentication. 
-# They get the passwords from CONFDIR/passwd.client, whose format is -# defined in exim4_passwd_client(5) - -# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we -# only allow these mechanisms over encrypted connections by default. -# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted -# clear text password authentication on all connections. - -cram_md5: - driver = cram_md5 - public_name = CRAM-MD5 - client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} - client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} - -# this returns the matching line from passwd.client and doubles all ^ -PASSWDLINE=${sg{\ - ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ - }\ - {\\N[\\^]\\N}\ - {^^}\ - } - -plain: - driver = plaintext - public_name = PLAIN -.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS - client_send = "<; ${if !eq{$tls_cipher}{}\ - {^${extract{1}{:}{PASSWDLINE}}\ - ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ - }fail}" -.else - client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ - ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -.endif - -login: - driver = plaintext - public_name = LOGIN -.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS - # Return empty string if not non-TLS AND looking up $host in passwd-file - # yields a non-empty string; fail otherwise. - client_send = "<; ${if and{\ - {!eq{$tls_cipher}{}}\ - {!eq{PASSWDLINE}{}}\ - }\ - {}fail}\ - ; ${extract{1}{::}{PASSWDLINE}}\ - ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -.else - # Return empty string if looking up $host in passwd-file yields a - # non-empty string; fail otherwise. - client_send = "<; ${if !eq{PASSWDLINE}{}\ - {}fail}\ - ; ${extract{1}{::}{PASSWDLINE}}\ - ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" -.endif diff --git a/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs b/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs deleted file mode 100644 index 8e51605..0000000 
--- a/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs +++ /dev/null 
@@ -1,100 +0,0 @@ -###################################################################### -# Runtime configuration file for Exim 4 (Debian Packaging) # -###################################################################### - -###################################################################### -# /etc/exim4/exim4.conf.template is only used with the non-split -# configuration scheme. -# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used -# with the split configuration scheme. -# If you find this comment anywhere else, somebody copied it there. -# Documentation about the Debian exim4 configuration scheme can be -# found in /usr/share/doc/exim4-base/README.Debian.gz. -###################################################################### - -###################################################################### -# MAIN CONFIGURATION SETTINGS # -###################################################################### - -# Just for reference and scripts. -# On Debian systems, the main binary is installed as exim4 to avoid -# conflicts with the exim 3 packages. -exim_path = /usr/sbin/exim4 - -# Macro defining the main configuration directory. -# We do not use absolute paths. -.ifndef CONFDIR -CONFDIR = /etc/exim4 -.endif - -# debconf-driven macro definitions get inserted after this line -UPEX4CmacrosUPEX4C = 1 - -# Create domain and host lists for relay control -# '@' refers to 'the name of the local host' - -# List of domains considered local for exim. Domains not listed here -# need to be deliverable remotely. -domainlist local_domains = MAIN_LOCAL_DOMAINS - -# List of recipient domains to relay _to_. Use this list if you're - -# for example - fallback MX or mail gateway for domains. -domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS - -# List of sender networks (IP addresses) to _unconditionally_ relay -# _for_. If you intend to be SMTP AUTH server, you do not need to enter -# anything here. 
-hostlist relay_from_hosts = MAIN_RELAY_NETS - - -# Decide which domain to use to add to all unqualified addresses. -# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary -# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value -# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined, -# the first line of /etc/mailname is used. -.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN -.ifndef MAIN_QUALIFY_DOMAIN -qualify_domain = ETC_MAILNAME -.else -qualify_domain = MAIN_QUALIFY_DOMAIN -.endif -.endif - -# listen on all all interfaces? -.ifdef MAIN_LOCAL_INTERFACES -local_interfaces = MAIN_LOCAL_INTERFACES -.endif - -.ifndef LOCAL_DELIVERY -# The default transport, set in /etc/exim4/update-exim4.conf.conf, -# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities -LOCAL_DELIVERY=mail_spool -.endif - -# The gecos field in /etc/passwd holds not only the name. see passwd(5). -gecos_pattern = ^([^,:]*) -gecos_name = $1 - -# define macros to be used in acl/30_exim4-config_check_rcpt to check -# recipient local parts for strange characters. - -# This macro definition really should be in -# acl/30_exim4-config_check_rcpt but cannot be there due to -# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62. - -# These macros are documented in acl/30_exim4-config_check_rcpt, -# can be changed here or overridden by a locally added configuration -# file as described in README.Debian chapter 2.1.2 - -.ifndef CHECK_RCPT_LOCAL_LOCALPARTS -CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] -.endif - -.ifndef CHECK_RCPT_REMOTE_LOCALPARTS -CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ -.endif - -# always log tls_peerdn as we use TLS for outgoing connects by default -.ifndef MAIN_LOG_SELECTOR -MAIN_LOG_SELECTOR = +tls_peerdn -.endif diff --git a/etc/exim4/conf.d/main/02_exim4-config_options b/etc/exim4/conf.d/main/02_exim4-config_options deleted file mode 100644 index 44cb455..0000000 
--- a/etc/exim4/conf.d/main/02_exim4-config_options +++ /dev/null 
@@ -1,200 +0,0 @@ - -### main/02_exim4-config_options -################################# - - -# Defines the access control list that is run when an -# SMTP MAIL command is received. -# -.ifndef MAIN_ACL_CHECK_MAIL -MAIN_ACL_CHECK_MAIL = acl_check_mail -.endif -acl_smtp_mail = MAIN_ACL_CHECK_MAIL - - -# Defines the access control list that is run when an -# SMTP RCPT command is received. -# -.ifndef MAIN_ACL_CHECK_RCPT -MAIN_ACL_CHECK_RCPT = acl_check_rcpt -.endif -acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT - - -# Defines the access control list that is run when an -# SMTP DATA command is received. -# -.ifndef MAIN_ACL_CHECK_DATA -MAIN_ACL_CHECK_DATA = acl_check_data -.endif -acl_smtp_data = MAIN_ACL_CHECK_DATA - - -# Message size limit. The default (used when MESSAGE_SIZE_LIMIT -# is unset) is 50 MB -.ifdef MESSAGE_SIZE_LIMIT -message_size_limit = MESSAGE_SIZE_LIMIT -.endif - - -# If you are running exim4-daemon-heavy or a custom version of Exim that -# was compiled with the content-scanning extension, you can cause incoming -# messages to be automatically scanned for viruses. You have to modify the -# configuration in two places to set this up. The first of them is here, -# where you define the interface to your scanner. This example is typical -# for ClamAV; see the manual for details of what to set for other virus -# scanners. The second modification is in the acl_check_data access -# control list. - -# av_scanner = clamd:/tmp/clamd - - -# For spam scanning, there is a similar option that defines the interface to -# SpamAssassin. You do not need to set this if you are using the default, which -# is shown in this commented example. As for virus scanning, you must also -# modify the acl_check_data access control list to enable spam scanning. - -# spamd_address = 127.0.0.1 783 - -# Domain used to qualify unqualified recipient addresses -# If this option is not set, the qualify_domain value is used. 
-# qualify_recipient = - - -# Allow Exim to recognize addresses of the form "user@[10.11.12.13]", -# where the domain part is a "domain literal" (an IP address) instead -# of a named domain. The RFCs require this facility, but it is disabled -# in the default config since it is seldomly used and frequently abused. -# Domain literal support also needs a special router, which is automatically -# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS. -# Additionally, you might want to make your local IP addresses (or @[]) -# local domains. -.ifdef MAIN_ALLOW_DOMAIN_LITERALS -allow_domain_literals -.endif - - -# Do a reverse DNS lookup on all incoming IP calls, in order to get the -# true host name. If you feel this is too expensive, the networks for -# which a lookup is done can be listed here. -.ifndef DC_minimaldns -.ifndef MAIN_HOST_LOOKUP -MAIN_HOST_LOOKUP = * -.endif -host_lookup = MAIN_HOST_LOOKUP -.endif - - -# In a minimaldns setup, update-exim4.conf guesses the hostname and -# dumps it here to avoid DNS lookups being done at Exim run time. -.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME -primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME -.endif - -# The settings below, which are actually the same as the defaults in the -# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP -# calls. You can limit the hosts to which these calls are made, and/or change -# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls -# are disabled. RFC 1413 calls are cheap and can provide useful information -# for tracing problem messages, but some hosts and firewalls are -# misconfigured to drop the requests instead of either answering or -# rejecting them. This can result in a timeout instead of an immediate refused -# connection, leading to delays on starting up SMTP sessions. (The default was -# reduced from 30s to 5s for release 4.61.) 
-# rfc1413_hosts = * -# rfc1413_query_timeout = 5s - -# When using an external relay tester (such as rt.njabl.org and/or the -# currently defunct relay-test.mail-abuse.org, the test may be aborted -# since exim complains about "too many nonmail commands". If you want -# the test to complete, add the host from where "your" relay tester -# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro. -# Please note that a non-empty setting may cause extra DNS lookups to -# happen, which is the reason why this option is commented out in the -# default settings. -# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org -.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS -smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS -.endif - -# By default, exim forces a Sender: header containing the local -# account name at the local host name in all locally submitted messages -# that don't have the local account name at the local host name in the -# 
From: header, deletes any Sender: header present in the submitted -# message and forces the envelope sender of all locally submitted -# messages to the local account name at the local host name. -# The following settings allow local users to specify their own envelope sender -# in a locally submitted message. Sender: headers existing in a locally -# submitted message are not removed, and no automatic Sender: headers -# are added. These settings are fine for most hosts. -# If you run exim on a classical multi-user systems where all users -# have local mailboxes that can be reached via SMTP from the Internet -# with the local FQDN as the domain part of the address, you might want -# to disable the following three lines for traceability reasons. -.ifndef MAIN_FORCE_SENDER -local_from_check = false -local_sender_retain = true -untrusted_set_sender = * -.endif - - -# By default, Exim expects all envelope addresses to be fully qualified, that -# is, they must contain both a local part and a domain. Configure exim -# to accept unqualified addresses from certain hosts. When this is done, -# unqualified addresses are qualified using the settings of qualify_domain -# and/or qualify_recipient (see above). -# sender_unqualified_hosts = -# recipient_unqualified_hosts = - - -# Configure Exim to support the "percent hack" for certain domains. -# The "percent hack" is the feature by which mail addressed to x%y@z -# (where z is one of the domains listed) is locally rerouted to x@y -# and sent on. If z is not one of the "percent hack" domains, x%y is -# treated as an ordinary local part. The percent hack is rarely needed -# nowadays but frequently abused. You should not enable it unless you -# are sure that you really need it. 
-# percent_hack_domains = - - -# Bounce handling -.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER -MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d -.endif -ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER - -.ifndef MAIN_TIMEOUT_FROZEN_AFTER -MAIN_TIMEOUT_FROZEN_AFTER = 7d -.endif -timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER - -.ifndef MAIN_FREEZE_TELL -MAIN_FREEZE_TELL = postmaster -.endif -freeze_tell = MAIN_FREEZE_TELL - - -# Define spool directory -.ifndef SPOOLDIR -SPOOLDIR = /var/spool/exim4 -.endif -spool_directory = SPOOLDIR - - -# trusted users can set envelope-from to arbitrary values -.ifndef MAIN_TRUSTED_USERS -MAIN_TRUSTED_USERS = uucp -.endif -trusted_users = MAIN_TRUSTED_USERS -.ifdef MAIN_TRUSTED_GROUPS -trusted_groups = MAIN_TRUSTED_GROUPS -.endif - - -# users in admin group can do many other things -# admin_groups = - - -# SMTP Banner. The example includes the Debian version in the SMTP dialog -# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}" -# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full diff --git a/etc/exim4/conf.d/main/03_exim4-config_tlsoptions b/etc/exim4/conf.d/main/03_exim4-config_tlsoptions deleted file mode 100644 index a098f9b..0000000 --- a/etc/exim4/conf.d/main/03_exim4-config_tlsoptions +++ /dev/null 
@@ -1,79 +0,0 @@ - -### main/03_exim4-config_tlsoptions -################################# - -# TLS/SSL configuration for exim as an SMTP server. -# See /usr/share/doc/exim4-base/README.Debian.gz for explanations. - -.ifdef MAIN_TLS_ENABLE -# Defines what hosts to 'advertise' STARTTLS functionality to. The -# default, *, will advertise to all hosts that connect with EHLO. -.ifndef MAIN_TLS_ADVERTISE_HOSTS -MAIN_TLS_ADVERTISE_HOSTS = * -.endif -tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS - - -# Full paths to Certificate and Private Key. The Private Key file -# must be kept 'secret' and should be owned by root.Debian-exim mode -# 640 (-rw-r-----). exim-gencert takes care of these prerequisites. -# Normally, exim4 looks for certificate and key in different files: -# MAIN_TLS_CERTIFICATE - path to certificate file, -# CONFDIR/exim.crt if unset -# MAIN_TLS_PRIVATEKEY - path to private key file -# CONFDIR/exim.key if unset -# You can also configure exim to look for certificate and key in the -# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes -# precedence over all other settings regarding certificate and key file. -.ifdef MAIN_TLS_CERTKEY -tls_certificate = MAIN_TLS_CERTKEY -.else -.ifndef MAIN_TLS_CERTIFICATE -MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt -.endif -tls_certificate = MAIN_TLS_CERTIFICATE - -.ifndef MAIN_TLS_PRIVATEKEY -MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key -.endif -tls_privatekey = MAIN_TLS_PRIVATEKEY -.endif - -# Pointer to the CA Certificates against which client certificates are -# checked. This is controlled by the `tls_verify_hosts' and -# `tls_try_verify_hosts' lists below. -# If you want to check server certificates, you need to add an -# tls_verify_certificates statement to the smtp transport. -# /etc/ssl/certs/ca-certificates.crt is generated by -# the "ca-certificates" package's update-ca-certificates(8) command. 
-.ifndef MAIN_TLS_VERIFY_CERTIFICATES -MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ - {/etc/ssl/certs/ca-certificates.crt}\ - {/dev/null}} -.endif -tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES - - -# A list of hosts which are constrained by `tls_verify_certificates'. A host -# that matches `tls_verify_host' must present a certificate that is -# verifyable through `tls_verify_certificates' in order to be accepted as an -# SMTP client. If it does not, the connection is aborted. -.ifdef MAIN_TLS_VERIFY_HOSTS -tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS -.endif - -# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but -# not `tls_verify_hosts'), request a certificate and check it against -# `tls_verify_certificates' but do not abort the connection if there is no -# certificate or if the certificate presented does not match. (This -# condition can be tested for in ACLs through `verify = certificate') -# By default, this check is done for all hosts. It is known that some -# clients (including incredimail's version downloadable in February -# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an -# empty value. -.ifndef MAIN_TLS_TRY_VERIFY_HOSTS -MAIN_TLS_TRY_VERIFY_HOSTS = * -.endif -tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS - -.endif diff --git a/etc/exim4/conf.d/main/90_exim4-config_log_selector b/etc/exim4/conf.d/main/90_exim4-config_log_selector deleted file mode 100644 index 685c404..0000000 --- a/etc/exim4/conf.d/main/90_exim4-config_log_selector +++ /dev/null @@ -1,10 +0,0 @@ - -### main/90_exim4-config_log_selector -################################# - -# uncomment this for debugging -# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments - -.ifdef MAIN_LOG_SELECTOR -log_selector = MAIN_LOG_SELECTOR -.endif diff --git a/etc/exim4/conf.d/main/main_config b/etc/exim4/conf.d/main/main_config new file mode 100644 index 0000000..9d05b0e --- /dev/null 
+++ b/etc/exim4/conf.d/main/main_config 
@@ -0,0 +1,61 @@
+######################################################################
+# MAIN CONFIGURATION SETTINGS #
+######################################################################
+
+# LDAP server to use for main lookups
+LDAPSERVER=ldap://ldap.drsnuggles.stderr.nl:389
+LDAPBASE=dc=drsnuggles,dc=stderr,dc=nl
+
+# List of virtual domains for which we deliver to any address that happens to
+# be configured in the LDAP directory.
+domainlist virtual_domains = stdout.nl : blues-brothers.eu
+# List of real hosts for which we deliver mail to real users.
+domainlist real_domains = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl
+# The list of domains for which we handle mail ourselves
+domainlist local_domains = virtual_domains : real_domains
+
+# List of recipient domains to relay _to_. Use this list if you're -
+# for example - fallback MX or mail gateway for domains.
+domainlist relay_to_domains =
+
+# Relay messages for all other vservers and the host. We would specify
+# +real_domains here, but mixing domainlists and hostlist doesn't seem to work
+# at first glance.
+hostlist relay_from_hosts = *.drsnuggles.stderr.nl : drsnuggles.stderr.nl
+
+# Use this domain on any unqualified addresses that get submitted. Since this
+# can come from any vserver, just use our main hostname.
+qualify_domain = drsnuggles.stderr.nl
+
+# The gecos field in /etc/passwd holds not only the name. see passwd(5).
+gecos_pattern = ^([^,:]*)
+gecos_name = $1
+
+# Defines the access control list that is run when an
+# SMTP MAIL command is received.
+acl_smtp_mail = acl_check_mail
+# Defines the access control list that is run when an
+# SMTP RCPT command is received.
+acl_smtp_rcpt = acl_check_rcpt
+# Defines the access control list that is run when an
+# SMTP DATA command is received.
+acl_smtp_data = acl_check_data
+
+
+# Do a reverse DNS lookup on all incoming IP calls, in order to get the
+# true host name.
+host_lookup = *
+
+# Queue handling
+#
+# Drop undeliverable bounces after this time
+ignore_bounce_errors_after = 2d
+# Bounce frozen messages after this time
+timeout_frozen_after = 7d
+# Tell postmaster about freezing
+freeze_tell = postmaster
+# Define spool directory
+spool_directory = /var/spool/exim4
+
+# Log subjects, for easy tracing of messages and peer dn on TLS connections.
+log_selector = +subject +tls_peerdn +tls_certificate_verified
diff --git a/etc/exim4/conf.d/rewrite/10_ldap b/etc/exim4/conf.d/rewrite/10_ldap
new file mode 100644
index 0000000..f994d65
--- /dev/null
+++ b/etc/exim4/conf.d/rewrite/10_ldap
@@ -0,0 +1,12 @@
+################################
+# Any outgoing mail sent by a user from a domain in local_hosts has its From:
+# address and envelope From address rewritten to use his primary mail address
+# from ldap.
+#
+#################################
+
+*@+real_domains \
+ "${lookup ldap {LDAPURL?mail?sub?(uid=${quote_ldap:$local_part})} \
+ {$value}fail}" Ff
+
+# vim: set sts=2 expandtab sw=2 ai:
diff --git a/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting b/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting
deleted file mode 100644
index b11b797..0000000
--- a/etc/exim4/conf.d/rewrite/31_exim4-config_rewriting
+++ /dev/null
@@ -1,16 +0,0 @@
-
-### rewrite/31_exim4-config_rewriting
-#################################
-
-# This rewriting rule is particularily useful for dialup users who
-# don't have their own domain, but could be useful for anyone.
-# It looks up the real address of all local users in a file
-.ifndef NO_EAA_REWRITE_REWRITE
-*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
- {$value}fail}" Ffrs
-# identical rewriting rule for /etc/mailname
-*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
- {$value}fail}" Ffrs
-.endif
-
-
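Review bot: `domainlist local_domains = virtual_domains : real_domains` names the two lists without the `+` prefix, so as written local_domains holds the literal domains "virtual_domains" and "real_domains" rather than their members; unless the prefixes were lost in rendering, `domainlist local_domains = +virtual_domains : +real_domains` is what the `domains = ! +local_domains` preconditions in router/10_outbound need, otherwise stdout.nl and the drsnuggles hosts are treated as remote. `LDAPSERVER` is a plain `ldap://` URL on port 389, so the uid and mail lookups used by router/30_ldap and rewrite/10_ldap cross the network in clear; if the directory supports it, an `ldaps://` URL (or `ldapi://` for a server on the same host) keeps the routing data off the wire, and a comment stating which is intended would help either way. `relay_from_hosts` is a name-only list, so relay permission depends on DNS at RCPT time; Exim forward-confirms a reverse-looked-up name as far as I recall, but listing the vservers' addresses or network alongside the names removes the dependency on resolver availability. The empty `domainlist relay_to_domains =` is fine, and a comment such as `# intentionally empty: not a secondary MX for anyone` would make it clearly deliberate.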
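Review bot: The header comment says the rule applies to "a domain in local_hosts", but the pattern is `*@+real_domains` and no `local_hosts` list exists in this commit; the line should read `# Any outgoing mail sent by a user from a domain in real_domains has its From:`. The rule also depends on the `LDAPURL` macro, which is defined in router/30_ldap rather than next to LDAPSERVER and LDAPBASE in main/main_config; as far as I can tell this only works because the router section is assembled before the rewrite section, so a note like `# LDAPURL is defined in router/30_ldap` (or moving the macro to main_config) would make the dependency visible. `quote_ldap` on `$local_part` is the right guard for the search filter; one thing to confirm is what the lookup yields when a uid carries several `mail` values, since a multi-valued result is not a single address for the `Ff` rewrite.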
diff --git a/etc/exim4/conf.d/router/100_exim4-config_domain_literal b/etc/exim4/conf.d/router/100_exim4-config_domain_literal
deleted file mode 100644
index 244b479..0000000
--- a/etc/exim4/conf.d/router/100_exim4-config_domain_literal
+++ /dev/null
@@ -1,18 +0,0 @@
-
-### router/100_exim4-config_domain_literal
-#################################
-
-# This router handles e-mail addresses in "domain literal" form like
-# . The RFCs require this facility, but it is disabled
-# in the default config since it is seldomly used and frequently abused.
-# Domain literal support also needs to be enabled in the main config,
-# which is automatically done if you use the enable macro
-# MAIN_ALLOW_DOMAIN_LITERALS.
-
-.ifdef MAIN_ALLOW_DOMAIN_LITERALS
-domain_literal:
- debug_print = "R: domain_literal for $local_part@$domain"
- driver = ipliteral
- domains = ! +local_domains
- transport = remote_smtp
-.endif
diff --git a/etc/exim4/conf.d/router/10_outbound b/etc/exim4/conf.d/router/10_outbound
new file mode 100644
index 0000000..d30f36a
--- /dev/null
+++ b/etc/exim4/conf.d/router/10_outbound
@@ -0,0 +1,35 @@
+### router/200_exim4-config_primary
+#################################
+# This file holds the primary router, responsible for nonlocal mails
+
+# deliver mail to the recipient if recipient domain is a domain we
+# relay for. We do not ignore any target hosts here since delivering to
+# a site local or even a link local address might be wanted here, and if
+# such an address has found its way into the MX record of such a domain,
+# the local admin is probably in a place where that broken MX record
+# could be fixed.
+
+dnslookup_relay_to_domains:
+ debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
+ driver = dnslookup
+ domains = ! +local_domains : +relay_to_domains
+ transport = remote_smtp
+ same_domain_copy_routing = yes
+ no_more
+
+# deliver mail directly to the recipient. This router is only reached
+# for domains that we do not relay for. Since we most probably can't
+# have broken MX records pointing to site local or link local IP
+# addresses fixed, we ignore target hosts pointing to these addresses.
+
+dnslookup:
+ debug_print = "R: dnslookup for $local_part@$domain"
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = remote_smtp
+ same_domain_copy_routing = yes
+ # ignore private rfc1918 and APIPA addresses
+ ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+ 255.255.255.255
+ no_more
diff --git a/etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts b/etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts
deleted file mode 100644
index a0fcb26..0000000
--- a/etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts
+++ /dev/null
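Review bot: The first line still reads `### router/200_exim4-config_primary`, the name of the file this commit deletes; it should name this file, `### router/10_outbound`, so the header is not misleading. The `ignore_target_hosts` list on the dnslookup router covers IPv4 ranges only; if any of these hosts route over IPv6, the loopback and link-local equivalents (`::1`, `fe80::/10`, and the unique-local range `fc00::/7`) would be worth adding for the reason the comment gives. With `relay_to_domains` left empty in main/main_config the dnslookup_relay_to_domains router can never match, which is harmless but worth a one-line comment so nobody reads it as active. Both routers otherwise appear identical to the internet variant in the deleted 200 file.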
@@ -1,18 +0,0 @@
-
-# router/150_exim4-config_hubbed_hosts
-#################################
-
-# route specific domains manually.
-#
-# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
-# more detailed documentation.
-
-hubbed_hosts:
- debug_print = "R: hubbed_hosts for $domain"
- driver = manualroute
- domains = "${if exists{CONFDIR/hubbed_hosts}\
- {partial-lsearch;CONFDIR/hubbed_hosts}\
- fail}"
- same_domain_copy_routing = yes
- route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
- transport = remote_smtp
diff --git a/etc/exim4/conf.d/router/15_real_local b/etc/exim4/conf.d/router/15_real_local
new file mode 100644
index 0000000..d654524
--- /dev/null
+++ b/etc/exim4/conf.d/router/15_real_local
@@ -0,0 +1,13 @@
+# This router allows reaching a local user while avoiding local processing.
+# This matches only the "localhost" domain, which is used in the last step of
+# delivery and should never be set on external messages. This can be used to
+# inform a user of a broken .forward file, for example. The userforward router
+# does this.
+
+real_local:
+ debug_print = "R: real_local for $local_part@$domain"
+ driver = accept
+ domains = localhost
+ local_part_prefix = real-
+ check_local_user
+ transport = maildir_home
diff --git a/etc/exim4/conf.d/router/200_exim4-config_primary b/etc/exim4/conf.d/router/200_exim4-config_primary
deleted file mode 100644
index 8b2bafb..0000000
--- a/etc/exim4/conf.d/router/200_exim4-config_primary
+++ /dev/null
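Review bot: The new real_local router drops the `condition = COND_LOCAL_SUBMITTER` guard that the deleted 300 file had, so the only things keeping `real-<user>@localhost` away from outside senders are that `localhost` is not in `local_domains` and that the RCPT ACL (not in this view) refuses it as relaying; hosts in `relay_from_hosts` can still address it directly and thereby skip .forward processing. That is presumably intended for the vservers, but the comment says the domain "should never be set on external messages" without saying what enforces it, so after confirming acl_check_rcpt behaves that way I would add `# localhost is not in local_domains: external RCPTs to it are refused by acl_check_rcpt; relay_from_hosts can reach it.` `transport = maildir_home` is referenced here while no transport file appears in the part of the diff visible to me, so it is assumed to exist elsewhere.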
@@ -1,90 +0,0 @@
-
-### router/200_exim4-config_primary
-#################################
-# This file holds the primary router, responsible for nonlocal mails
-
-.ifdef DCconfig_internet
-# configtype=internet
-#
-# deliver mail to the recipient if recipient domain is a domain we
-# relay for. We do not ignore any target hosts here since delivering to
-# a site local or even a link local address might be wanted here, and if
-# such an address has found its way into the MX record of such a domain,
-# the local admin is probably in a place where that broken MX record
-# could be fixed.
-
-dnslookup_relay_to_domains:
- debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
- driver = dnslookup
- domains = ! +local_domains : +relay_to_domains
- transport = remote_smtp
- same_domain_copy_routing = yes
- no_more
-
-# deliver mail directly to the recipient. This router is only reached
-# for domains that we do not relay for. Since we most probably can't
-# have broken MX records pointing to site local or link local IP
-# addresses fixed, we ignore target hosts pointing to these addresses.
-
-dnslookup:
- debug_print = "R: dnslookup for $local_part@$domain"
- driver = dnslookup
- domains = ! +local_domains
- transport = remote_smtp
- same_domain_copy_routing = yes
- # ignore private rfc1918 and APIPA addresses
- ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
- 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
- 255.255.255.255
- no_more
-
-.endif
-
-
-.ifdef DCconfig_local
-# configtype=local
-#
-# Stand-alone system, so generate an error for mail to a non-local domain
-nonlocal:
- debug_print = "R: nonlocal for $local_part@$domain"
- driver = redirect
- domains = ! +local_domains
- allow_fail
- data = :fail: Mailing to remote domains not supported
- no_more
-
-.endif
-
-
-.ifdef DCconfig_smarthost DCconfig_satellite
-# configtype=smarthost or configtype=satellite
-#
-# Send all non-local mail to a single other machine (smarthost).
-#
-# This means _ALL_ non-local mail goes to the smarthost. This will most
-# probably not do what you want for domains that are listed in
-# relay_domains. The most typical use for relay_domains is to control
-# relaying for incoming e-mail on secondary MX hosts. In that case,
-# it doesn't make sense to send the mail to the smarthost since the
-# smarthost will probably send the message right back here, causing a
-# loop.
-#
-# If you want to use a smarthost while being secondary MX for some
-# domains, you'll need to copy the dnslookup_relay_to_domains router
-# here so that mail to relay_domains is handled separately.
-
-smarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- transport = remote_smtp_smarthost
- route_list = * DCsmarthost byname
- host_find_failed = defer
- same_domain_copy_routing = yes
- no_more
-
-.endif
-
-
-# The "no_more" above means that all later routers are for
-# domains in the local_domains list, i.e. just like Exim 3 directors.
diff --git a/etc/exim4/conf.d/router/20_system_aliases b/etc/exim4/conf.d/router/20_system_aliases
new file mode 100644
index 0000000..3c15259
--- /dev/null
+++ b/etc/exim4/conf.d/router/20_system_aliases
@@ -0,0 +1,12 @@
+### router/400_exim4-config_system_aliases
+#################################
+
+# This router handles aliasing using a traditional /etc/aliases file, but for
+# local hosts only. Virtual domains must take own measures to ensure that the
+# postmaster address works.
+
+system_aliases:
+ debug_print = "R: system_aliases for $local_part@$domain"
+ driver = redirect
+ domains = +real_domains
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
diff --git a/etc/exim4/conf.d/router/300_exim4-config_real_local b/etc/exim4/conf.d/router/300_exim4-config_real_local
deleted file mode 100644
index 34ea282..0000000
--- a/etc/exim4/conf.d/router/300_exim4-config_real_local
+++ /dev/null
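Review bot: The system_aliases router sets neither `allow_fail` nor `allow_defer`, so a `:fail:` or `:defer:` entry in /etc/aliases is, as I read the redirect router, treated as a redirection error rather than producing the intended bounce or deferral; if such entries are in use, add `allow_fail` and `allow_defer` under `driver = redirect`. Leaving `pipe_transport` and `file_transport` unset means pipe and file items in /etc/aliases are rejected, which is the safer default for that file and worth stating in the comment: `# No pipe/file transport is set, so only address targets (and :include: files) are honoured.` The header `### router/400_exim4-config_system_aliases` names the deleted file and should read `### router/20_system_aliases`.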
@@ -1,22 +0,0 @@
-
-### router/300_exim4-config_real_local
-#################################
-
-# This router allows reaching a local user while avoiding local
-# processing. This can be used to inform a user of a broken .forward
-# file, for example. The userforward router does this.
-
-COND_LOCAL_SUBMITTER = "\
- ${if match_ip{$sender_host_address}{:@[]}\
- {1}{0}\
- }"
-
-real_local:
- debug_print = "R: real_local for $local_part@$domain"
- driver = accept
- domains = +local_domains
- condition = COND_LOCAL_SUBMITTER
- local_part_prefix = real-
- check_local_user
- transport = LOCAL_DELIVERY
-
diff --git a/etc/exim4/conf.d/router/30_ldap b/etc/exim4/conf.d/router/30_ldap
new file mode 100644
index 0000000..2f195c8
--- /dev/null
+++ b/etc/exim4/conf.d/router/30_ldap
@@ -0,0 +1,184 @@
+### router/900_exim4-config_local_user
+#################################
+
+# These routers deal with mail meant for virtual_domains and real_domains.
+# The targets for addresses in these domains and hosts are taken from
+# the LDAP server.
+#
+# The first two routers check the LDAP directory to find an object to
+# which the mail should be delivered. The first one works on
+# virtual_domains, and finds an object based on the mail or
+# alternateMailAddress attributes. For example, info@stdin.nl might be
+# resolved by that one. The second one works on real_domains and finds an
+# object based its uid (i.e., username). For example,
+# matthijs@login.drsnuggles.stderr.nl might be resolved by the second
+# router.
+#
+# The next set of routers works when a person is retrieved. They handle
+# forwarding the mail to another mail server when the mailHost attribute
+# is set but it is not us, forwarding the email to any
+# mailForwardingAddresses in the object or delivering the mail locally
+# when the mailHost is set. Note that both either or both of the last
+# two routers can apply. If none of these three apply, routing continues
+# to the last set. Local delivery works by redirecting to username@localhost
+# and redirecting to the local_delivery router. This allows for a number of
+# different routers (put after the local_delivery router) to handle the
+# local_delivery. This is also the only way to get to any routers after the
+# ones in this file!
+#
+# The last two routers work when a group is retrieved. They handle
+# forwarding the mail to any members, both rfc822members (ie, addresses)
+# and uniqueMembers (ie, other LDAP objects).
+#
+# Note that this distinction between persons and groups is not made by
+# looking at the object classes, but at the attributes. Any object that
+# has a mailHost and/or mailForwardingAddresses is treated as a person,
+# meaning that only these two attributes are processed. Any object that
+# has neither of these attributes is assumed to be a group and has its
+# rfc822members and uniqueMembers processed. Any object that has none of
+# these properties, will cause a delivery failure.
+#
+# Note also that only the first two routers have the domains
+# precondition set, to differentiate between virtual_domains and
+# real_domains. Assuming that the routers in this file will only be called for
+# virtual_domains and real_domains, exactly one of these two routers will be
+# called. If the lookup fails, the more option ensures that the rest of the
+# routers are not called.
+#
+# The routers in this file assume that the url to LDAP server is defined
+# as LDAPSERVER and the base dn is defined as LDAPBASE. No assumptions
+# are made about the structure of the LDAP directory, so any object that
+# has the mail or mailForwardingAddress attributes is considered a
+# valid target for email, anywhere in the directory. These routers do
+# assume that a single email address is listed only once. If not, mails
+# to the address will be deferred.
+
+LDAPURL=LDAPSERVER/LDAPBASE
+
+# This router looks up an object in the ldap directory using its mail and
+# alternateMailAddress attributes, for any domains in virtual_domains.
+# This handles email addresses in "virtual" domains, since the object
+# found does not need to actually have a username (it can even be a
+# group).
+ADDR=${quote_ldap:${local_part}@${domain}}
+ldap_lookup_virtual:
+ debug_print = "R: ldap_lookup_virtual for $local_part@$domain: Finding person or group with (alternate) email address $local_part@$domain"
+ driver = redirect
+ domains = +virtual_domains
+ address_data = ${lookup ldap {LDAPURL?uid,mailHost,mailForwardingAddress,rfc822member,uniqueMember?sub?(|(mail=ADDR)(mailAlternateAddress=ADDR))}{$value}fail}
+ # Noop, this router just needs to pass its preconditions, evaluate
+ # address_data and then pass control to ldap_person_other_mailhost below
+ data = ${local_part}@${domain}
+ redirect_router=ldap_person_other_mailhost
+ # If no objects are found and the address_data expansion is forced to fail,
+ # stop processing. Note that this setting does not apply when the domains
+ # precondition fails.
+ more = false
+ cannot_route_message = "Unknown address"
+
+# This router looks up an object in the ldap directory using its uid
+# (username) attribute, for any hosts in real_domains. This handles email
+# addresses of actual users in this domain, i.e., objects that have uid
+# property.
+LOCALPART=${quote_ldap:${local_part}}
+ldap_lookup_real:
+ debug_print = "R: ldap_lookup_real for $local_part@$domain: Finding user with uid $local_part"
+ driver = redirect
+ domains = +real_domains
+ address_data = ${lookup ldap {LDAPURL?uid,mailHost,mailForwardingAddress?sub?(uid=LOCALPART)}{$value}fail}
+ # Noop, this router just needs to pass its preconditions, evaluate
+ # address_data and then pass control to ldap_person_other_mailhost below
+ data = ${local_part}@${domain}
+ redirect_router=ldap_person_other_mailhost
+ # If no objects are found and the address_data expansion is forced to fail,
+ # stop processing. Note that this setting does not apply when the domains
+ # precondition fails.
+ more = false
+ cannot_route_message = "Unknown user"
+
+# If the person has a mailhost configured, and it's not us, forward to
+# that mailhost. If this router accepts, no others will be tried. This
+# means we're also not processing any mailForwardingAddresses, assuming
+# that the host forwarded to will do this.
+#
+# This entry is mostly future-compatible, since at the time of writing
+# there are no other mailservers using the same LDAP directory. But it
+# looks cool!
+ldap_person_other_mailhost:
+ debug_print = "R: ldap_person_other_mailhost for $local_part@$domain: Forwarding to a mailHost if it is not us"
+ driver = manualroute
+ condition = ${if and { \
+ # If mailhost is not empty
+ {!eqi{${extract{mailHost}{$address_data}}}{}} \
+ # And mailhost is not this host
+ {!eqi{${extract{mailHost}{$address_data}}}{$primary_hostname}} \
+ }}
+ # Then, forward to the other mailHost
+ route_data = ${extract{mailHost}{$address_data}}
+ transport = remote_smtp
+
+# Forward the mail to any mailForwardingAddresses configured
+DELIVER_HERE=${if eqi{${extract{mailHost}{$address_data}}}{$primary_hostname}{true}{false}}
+ldap_person_forward:
+ debug_print = "R: ldap_person_forward for $local_part@$domain: Forwarding to any mailForwardingAddresses"
+ driver = redirect
+ data = ${extract{mailForwardingAddress}{$address_data}}
+ # Pass the message to the ldap_person_local router as well, so we can support both
+ # local delivery and forwarding. However, only set unseen to yes if we know
+ # the ldap_person_local will accept it. Just putting unseen = yes here doesn't
+ # work because if there is no local delivery, an error message is generated
+ # even when the email was forwarded succesfully.
+ unseen = DELIVER_HERE
+
+# Deliver the mail locally if the mailHost points to us.
+ldap_person_local:
+ debug_print = "R: ldap_person_local for $local_part@$domain: Doing local delivery if the mailHost is us"
+ driver = redirect
+ # Lookup if there is a user that has the target email address in either his
+ # mail attribute, or one of his mailAlternateAddresses and also has his
+ # mailstore on this host as its mailhost.
+ condition = DELIVER_HERE
+ # Forward the email to username@localhost. There is a separate set of routers
+ # that explicitly handles the localhost "domain", and has support for things
+ # like .forward files, procmail, etc.
+ data = ${extract{uid}{$address_data}}@localhost
+ redirect_router = local_delivery
+
+# If any of the two above routers accepted the message, processing will
+# stop here!
+
+# Forward the mail to any full members (uniqueMember) configured
+ldap_group_member:
+ debug_print = "R: ldap_group_member for $local_part@$domain: Forwarding to any uniqueMembers"
+ driver = redirect
+ # Lookup the mail address (if any) of each member. This gracefully ignores
+ # any members without an email address.
+ data = ${map \
+ # Since multipe attributes are separated by ", ", we replace ", " by "\n"
+ # and use that as a list separator (fortunately it's not just ",", as the
+ # documentation suggests, since then we would have had one big dn...)
+ {<\n ${sg \
+ {${extract{uniqueMember}{$address_data}}} \
+ {, } \
+ {\n} \
+ }} \
+ {${lookup ldap {LDAPSERVER/$item?mail?base?}}} \
+ }
+ # Pass the message to the ldap_group_address router as well, so we can support both
+ # addresses (rfc822member) and dns (uniqueMember) in a group.
+ # However, only set unseen to yes if we know the ldap_group_address will
+ # accept it. Just putting unseen = yes here doesn't work because if there is
+ # no local delivery, an error message is generated even when the email was
+ # already forwarded succesfully.
+ unseen = ${if !eqi{${extract{rfc822member}{$address_data}}}{}{true}{false}}
+
+# Forward the mail to any mail-only members (rfc822member) configured
+ldap_group_address:
+ debug_print = "R: ldap_group_address for $local_part@$domain: Forwarding to any rfc822members"
+ driver = redirect
+ data = ${extract{rfc822member}{$address_data}}
+ cannot_route_message = "Recipient is not set up for mail reception"
+ # If this router did not match, stop processing.
+ more = false
+
+# vim: set sts=2 expandtab sw=2 ai:
diff --git a/etc/exim4/conf.d/router/400_exim4-config_system_aliases b/etc/exim4/conf.d/router/400_exim4-config_system_aliases
deleted file mode 100644
index f5f5f1c..0000000
--- a/etc/exim4/conf.d/router/400_exim4-config_system_aliases
+++ /dev/null
@@ -1,44 +0,0 @@
-
-### router/400_exim4-config_system_aliases
-#################################
-
-# This router handles aliasing using a traditional /etc/aliases file.
-#
-##### NB You must ensure that /etc/aliases exists. It used to be the case
-##### NB that every Unix had that file, because it was the Sendmail default.
-##### NB These days, there are systems that don't have it. Your aliases
-##### NB file should at least contain an alias for "postmaster".
-#
-# This router handles the local part in a case-insensitive way which
-# satisfies the RFCs requirement that postmaster be reachable regardless
-# of case. If you decide to handle /etc/aliases in a caseful way, you
-# need to make arrangements for a caseless postmaster.
-#
-# Delivery to arbitrary directories, files, and piping to programs in
-# /etc/aliases is disabled per default.
-# If that is a problem for you, see
-# /usr/share/doc/exim4-base/README.Debian.gz
-# for explanation and some workarounds.
-
-system_aliases:
- debug_print = "R: system_aliases for $local_part@$domain"
- driver = redirect
- domains = +local_domains
- allow_fail
- allow_defer
- data = ${lookup{$local_part}lsearch{/etc/aliases}}
- .ifdef SYSTEM_ALIASES_USER
- user = SYSTEM_ALIASES_USER
- .endif
- .ifdef SYSTEM_ALIASES_GROUP
- group = SYSTEM_ALIASES_GROUP
- .endif
- .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
- file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
- .endif
- .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
- pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
- .endif
- .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
- directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
- .endif
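Review bot: The redirect routers whose `data` is taken straight from directory attributes — ldap_person_forward (mailForwardingAddress), ldap_group_member (the mail attribute of each uniqueMember) and ldap_group_address (rfc822member) — place no restriction on what the redirection list may contain, so an attribute value such as `:include:/path` is honoured and the file is read with Exim's own privileges, while pipe and file items appear to be rejected only because no pipe_transport or file_transport is set; adding `forbid_include`, `forbid_pipe` and `forbid_file` to those three routers makes directory data yield addresses and nothing else. In ldap_group_member the member DN goes into the lookup URL as a bare `$item` with no URL-quoting, and the `${sg ... {, } {\n}}` split also breaks any DN written with ", " between its RDNs (for example `cn=x, ou=people, dc=example`, constructed) into several invalid base DNs, so either guarantee the directory never stores such DNs or quote each DN and choose a separator that cannot occur inside one. The comments disagree with the filters: the header says `alternateMailAddress` where the filter queries `mailAlternateAddress`, "any object that has the mail or mailForwardingAddress attributes is considered a valid target" does not match `(|(mail=ADDR)(mailAlternateAddress=ADDR))`, and the three comment lines above `condition = DELIVER_HERE` in ldap_person_local describe a lookup that router no longer performs; `# Only applies when the mailHost attribute names this host (see DELIVER_HERE).` is what the code does.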
diff --git a/etc/exim4/conf.d/router/40_local_delivery b/etc/exim4/conf.d/router/40_local_delivery new file mode 100644 index 0000000..ad6c559 --- /dev/null +++ b/etc/exim4/conf.d/router/40_local_delivery 
@@ -0,0 +1,109 @@
+#################################
+# The routers that handle the actual local delivery of mail. These routers all
+# work just on the localhost "domain", so any previous routers that want to
+# have mail delivered locally should redirect to username@localhost and set
+# redirect_router to "local_delivery". These routers are not used directly on
+# incoming messages, the first router guarantees this.
+#
+# These routers support .forward files, procmail and mbox delivery in
+# /var/mail, each tried in turn.
+#################################
+
+
+# Dummy noop router, that ensures that these routers are never called directly
+# on an incoming message and enforces that they only be called when a previous
+# router explicitely sets redirect_router to local_delivery.
+always_fail:
+ debug_print = "R: local_delivery for $local_part@$domain"
+ driver = redirect
+ data =
+ more = false
+ cannot_route_message = "Internal error"
+
+# Dummy noop router, that can be used by other routers for the value of
+# redirect_router or pass_router, without being dependent on the (order of)
+# actual delivery routers below.
+local_delivery:
+ debug_print = "R: local_delivery for $local_part@$domain"
+ driver = redirect
+ data =
+
+# This router handles forwarding using traditional .forward files in users'
+# home directories. It also allows mail filtering with a forward file
+# starting with the string "# Exim filter" or "# Sieve filter".
+#
+# The no_verify setting means that this router is skipped when Exim is
+# verifying addresses. Similarly, no_expn means that this router is skipped if
+# Exim is processing an EXPN command.
+#
+# The check_ancestor option means that if the forward file generates an
+# address that is an ancestor of the current one, the current one gets
+# passed on instead. This covers the case where A is aliased to B and B
+# has a .forward file pointing to A.
+#
+# The four transports specified at the end are those that are used when
+# forwarding generates a direct delivery to a directory, or a file, or to a
+# pipe, or sets up an auto-reply, respectively.
+#
+# Any syntax errors in the .forward are sent with the real- prefix, which the
+# real_local router directly delivers through the maildir_home transport,
+# avoiding the routers in this file.
+userforward:
+ debug_print = "R: userforward for $local_part@$domain"
+ driver = redirect
+ domains = localhost
+ check_local_user
+ file = $home/.forward
+ require_files = $local_part:$home/.forward
+ no_verify
+ no_expn
+ check_ancestor
+ allow_filter
+ forbid_smtp_code = true
+ directory_transport = address_directory
+ file_transport = address_file
+ pipe_transport = address_pipe
+ reply_transport = address_reply
+ skip_syntax_errors
+ syntax_errors_to = real-$local_part@$domain
+ syntax_errors_text = \
+ This is an automatically generated message. An error has\n\
+ been found in your .forward file. Details of the error are\n\
+ reported below. While this error persists, you will receive\n\
+ a copy of this message for every message that is addressed\n\
+ to you. If your .forward file is a filter file, or if it is\n\
+ a non-filter file containing no valid forwarding addresses,\n\
+ a copy of each incoming message will be put in your normal\n\
+ mailbox. If a non-filter file contains at least one valid\n\
+ forwarding address, forwarding to the valid addresses will\n\
+ happen, and those will be the only deliveries that occur.
+
+# Let procmail deliver the message if a global or local (in the user's
+# homedir) procmailrc exists.
+procmail:
+ debug_print = "R: procmail for $local_part@$domain"
+ driver = accept
+ domains = localhost
+ check_local_user
+ transport = procmail_pipe
+ # emulate OR with "if exists"-expansion
+ require_files = ${local_part}:\
+ ${if exists{/etc/procmailrc}\
+ {/etc/procmailrc}{${home}/.procmailrc}}:\
+ +/usr/bin/procmail
+ no_verify
+ no_expn
+
+# This router delivers to /var/mail.
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = localhost
+ check_local_user
+ local_parts = ! root
+ transport = maildir_home
+ # If we get here, some previous router redirected to a non-existing user.
+ # That should not happen!
+ cannot_route_message = Unknown user: This should not happen
+
+# vim: set sts=2 expandtab sw=2 ai:
diff --git a/etc/exim4/conf.d/router/500_exim4-config_hubuser b/etc/exim4/conf.d/router/500_exim4-config_hubuser
deleted file mode 100644
index 52a8dc2..0000000
--- a/etc/exim4/conf.d/router/500_exim4-config_hubuser
+++ /dev/null
@@ -1,31 +0,0 @@
-
-### router/500_exim4-config_hubuser
-#################################
-
-.ifdef DCconfig_satellite
-# This router is only used for configtype=satellite.
-# It takes care to route all mail targetted to
-# to the host where we read our mail
-#
-hub_user:
- debug_print = "R: hub_user for $local_part@$domain"
- driver = redirect
- domains = +local_domains
- data = ${local_part}@DCreadhost
- check_local_user
-
-# Grab the redirected mail and deliver it.
-# This is a duplicate of the smarthost router, needed because
-# DCreadhost might end up as part of +local_domains
-hub_user_smarthost:
- debug_print = "R: hub_user_smarthost for $local_part@$domain"
- driver = manualroute
- domains = DCreadhost
- transport = remote_smtp_smarthost
- route_list = * DCsmarthost byname
- host_find_failed = defer
- same_domain_copy_routing = yes
- check_local_user
-.endif
-
-
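Review bot: `local_parts = ! root` on local_user together with the deletion of router/mmm_mail4root in this commit leaves no router that can deliver mail for root: a message for root that /etc/aliases does not redirect now fails with "Unknown user: This should not happen" instead of landing in /var/mail/mail, so either keep root (and postmaster) aliased to a real user in /etc/aliases or re-add a root fallback router. always_fail prints `debug_print = "R: local_delivery for $local_part@$domain"`, copied from local_delivery, which makes -bt and -d output misleading; `debug_print = "R: always_fail for $local_part@$domain"` is the intended line. userforward's `syntax_errors_to = real-$local_part@$domain` yields real-<user>@localhost, which is a new message routed from the first router rather than from local_delivery, so the real_local router in router/15_real_local (outside this chunk) has to accept the localhost domain, otherwise that copy ends at always_fail with "Internal error". The header says these routers do "mbox delivery in /var/mail" and local_user is introduced with `# This router delivers to /var/mail.`, but its transport is `maildir_home`; `# This router delivers to the user's Maildir through the maildir_home transport.` matches the code.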
diff --git a/etc/exim4/conf.d/router/600_exim4-config_userforward b/etc/exim4/conf.d/router/600_exim4-config_userforward deleted file mode 100644 index 59259ca..0000000 --- a/etc/exim4/conf.d/router/600_exim4-config_userforward +++ /dev/null 
@@ -1,51 +0,0 @@ - -### router/600_exim4-config_userforward -################################# - -# This router handles forwarding using traditional .forward files in users' -# home directories. It also allows mail filtering with a forward file -# starting with the string "# Exim filter" or "# Sieve filter". -# -# The no_verify setting means that this router is skipped when Exim is -# verifying addresses. Similarly, no_expn means that this router is skipped if -# Exim is processing an EXPN command. -# -# The check_ancestor option means that if the forward file generates an -# address that is an ancestor of the current one, the current one gets -# passed on instead. This covers the case where A is aliased to B and B -# has a .forward file pointing to A. -# -# The four transports specified at the end are those that are used when -# forwarding generates a direct delivery to a directory, or a file, or to a -# pipe, or sets up an auto-reply, respectively. -# -userforward: - debug_print = "R: userforward for $local_part@$domain" - driver = redirect - domains = +local_domains - check_local_user - file = $home/.forward - require_files = $local_part:$home/.forward - no_verify - no_expn - check_ancestor - allow_filter - forbid_smtp_code = true - directory_transport = address_directory - file_transport = address_file - pipe_transport = address_pipe - reply_transport = address_reply - skip_syntax_errors - syntax_errors_to = real-$local_part@$domain - syntax_errors_text = \ - This is an automatically generated message. An error has\n\ - been found in your .forward file. Details of the error are\n\ - reported below. While this error persists, you will receive\n\ - a copy of this message for every message that is addressed\n\ - to you. If your .forward file is a filter file, or if it is\n\ - a non-filter file containing no valid forwarding addresses,\n\ - a copy of each incoming message will be put in your normal\n\ - mailbox. 
If a non-filter file contains at least one valid\n\ - forwarding address, forwarding to the valid addresses will\n\ - happen, and those will be the only deliveries that occur. - diff --git a/etc/exim4/conf.d/router/700_exim4-config_procmail b/etc/exim4/conf.d/router/700_exim4-config_procmail deleted file mode 100644 index 8d827c7..0000000 --- a/etc/exim4/conf.d/router/700_exim4-config_procmail +++ /dev/null @@ -1,15 +0,0 @@ - -procmail: - debug_print = "R: procmail for $local_part@$domain" - driver = accept - domains = +local_domains - check_local_user - transport = procmail_pipe - # emulate OR with "if exists"-expansion - require_files = ${local_part}:\ - ${if exists{/etc/procmailrc}\ - {/etc/procmailrc}{${home}/.procmailrc}}:\ - +/usr/bin/procmail - no_verify - no_expn - diff --git a/etc/exim4/conf.d/router/800_exim4-config_maildrop b/etc/exim4/conf.d/router/800_exim4-config_maildrop deleted file mode 100644 index 0c57fc6..0000000 --- a/etc/exim4/conf.d/router/800_exim4-config_maildrop +++ /dev/null @@ -1,14 +0,0 @@ - -### router/800_exim4-config_maildrop -################################# - -maildrop: - debug_print = "R: maildrop for $local_part@$domain" - driver = accept - domains = +local_domains - check_local_user - transport = maildrop_pipe - require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop - no_verify - no_expn - diff --git a/etc/exim4/conf.d/router/850_exim4-config_lowuid b/etc/exim4/conf.d/router/850_exim4-config_lowuid deleted file mode 100644 index 10e09a4..0000000 --- a/etc/exim4/conf.d/router/850_exim4-config_lowuid +++ /dev/null 
@@ -1,28 +0,0 @@ - -### router/850_exim4-config_lowuid -################################# - -.ifndef FIRST_USER_ACCOUNT_UID -FIRST_USER_ACCOUNT_UID = 0 -.endif - -.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS -DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts -.endif - -COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\ - ${if and{{! match_ip{$sender_host_address}{:@[]}}\ - {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\ - {1}{0}\ - }" - -lowuid_aliases: - debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)" - check_local_user - driver = redirect - allow_fail - domains = +local_domains - condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER - data = ${if exists{/etc/exim4/lowuid-aliases}\ - {${lookup{$local_part}lsearch{/etc/exim4/lowuid-aliases}\ - {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}} diff --git a/etc/exim4/conf.d/router/900_exim4-config_local_user b/etc/exim4/conf.d/router/900_exim4-config_local_user deleted file mode 100644 index 423c729..0000000 --- a/etc/exim4/conf.d/router/900_exim4-config_local_user +++ /dev/null @@ -1,15 +0,0 @@ - -### router/900_exim4-config_local_user -################################# - -# This router matches local user mailboxes. If the router fails, the error -# message is "Unknown user". - -local_user: - debug_print = "R: local_user for $local_part@$domain" - driver = accept - domains = +local_domains - check_local_user - local_parts = ! root - transport = LOCAL_DELIVERY - cannot_route_message = Unknown user diff --git a/etc/exim4/conf.d/router/mmm_mail4root b/etc/exim4/conf.d/router/mmm_mail4root deleted file mode 100644 index 88017ba..0000000 --- a/etc/exim4/conf.d/router/mmm_mail4root +++ /dev/null 
@@ -1,17 +0,0 @@ - -### router/mmm_mail4root -################################# -# deliver mail addressed to root to /var/mail/mail as user mail:mail -# if it was not redirected in /etc/aliases or by other means -# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS) - -mail4root: - debug_print = "R: mail4root for $local_part@$domain" - driver = redirect - domains = +local_domains - data = /var/mail/mail - file_transport = address_file - local_parts = root - user = mail - group = mail - diff --git a/etc/exim4/conf.d/transport/10_exim4-config_transport-macros b/etc/exim4/conf.d/transport/10_exim4-config_transport-macros deleted file mode 100644 index 2c885bc..0000000 --- a/etc/exim4/conf.d/transport/10_exim4-config_transport-macros +++ /dev/null @@ -1,12 +0,0 @@ - -### transport/10_exim4-config_transport-macros -################################# - -.ifdef HIDE_MAILNAME -REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs -REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}} -.endif - -.ifdef REMOTE_SMTP_HELO_FROM_DNS -REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}} -.endif diff --git a/etc/exim4/conf.d/transport/30_exim4-config_mail_spool b/etc/exim4/conf.d/transport/30_exim4-config_mail_spool deleted file mode 100644 index 21dfae4..0000000 --- a/etc/exim4/conf.d/transport/30_exim4-config_mail_spool +++ /dev/null 
@@ -1,17 +0,0 @@ - -### transport/30_exim4-config_mail_spool - -# This transport is used for local delivery to user mailboxes in traditional -# BSD mailbox format. -# -mail_spool: - debug_print = "T: appendfile for $local_part@$domain" - driver = appendfile - file = /var/mail/$local_part - delivery_date_add - envelope_to_add - return_path_add - group = mail - mode = 0660 - mode_fail_narrower = false - diff --git a/etc/exim4/conf.d/transport/30_exim4-config_maildir_home b/etc/exim4/conf.d/transport/30_exim4-config_maildir_home index a872acc..50795a0 100644 --- a/etc/exim4/conf.d/transport/30_exim4-config_maildir_home +++ b/etc/exim4/conf.d/transport/30_exim4-config_maildir_home @@ -2,40 +2,16 @@ ### transport/30_exim4-config_maildir_home ################################# -# Use this instead of mail_spool if you want to to deliver to Maildir in -# home-directory - change the definition of LOCAL_DELIVERY -# +# Deliver email to the directory Maildir in the user's home directory. maildir_home: debug_print = "T: maildir_home for $local_part@$domain" driver = appendfile - .ifdef MAILDIR_HOME_MAILDIR_LOCATION - directory = MAILDIR_HOME_MAILDIR_LOCATION - .else directory = $home/Maildir - .endif - .ifdef MAILDIR_HOME_CREATE_DIRECTORY create_directory - .endif - .ifdef MAILDIR_HOME_CREATE_FILE - create_file = MAILDIR_HOME_CREATE_FILE - .endif delivery_date_add envelope_to_add return_path_add maildir_format - .ifdef MAILDIR_HOME_DIRECTORY_MODE - directory_mode = MAILDIR_HOME_DIRECTORY_MODE - .else directory_mode = 0700 - .endif - .ifdef MAILDIR_HOME_MODE - mode = MAILDIR_HOME_MODE - .else mode = 0600 - .endif mode_fail_narrower = false - # This transport always chdirs to $home before trying to deliver. If - # $home is not accessible, this chdir fails and prevents delivery. - # If you are in a setup where home directories might not be - # accessible, uncomment the current_directory line below. - # current_directory = / 
diff --git a/etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe b/etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe deleted file mode 100644 index 0ba27bc..0000000 --- a/etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe +++ /dev/null @@ -1,10 +0,0 @@ - -maildrop_pipe: - debug_print = "T: maildrop_pipe for $local_part@$domain" - driver = pipe - path = "/bin:/usr/bin:/usr/local/bin" - command = "/usr/bin/maildrop" - return_path_add - delivery_date_add - envelope_to_add - diff --git a/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp b/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp index 2266c92..33622c1 100644 --- a/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp +++ b/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp @@ -6,15 +6,3 @@ remote_smtp: debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp -.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS - hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS -.endif -.ifdef REMOTE_SMTP_HEADERS_REWRITE - headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE -.endif -.ifdef REMOTE_SMTP_RETURN_PATH - return_path = REMOTE_SMTP_RETURN_PATH -.endif -.ifdef REMOTE_SMTP_HELO_FROM_DNS - helo_data=REMOTE_SMTP_HELO_DATA -.endif diff --git a/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost b/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost deleted file mode 100644 index 83edbd7..0000000 --- a/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost +++ /dev/null 
@@ -1,29 +0,0 @@ - -### transport/30_exim4-config_remote_smtp_smarthost -################################# - -# This transport is used for delivering messages over SMTP connections -# to a smarthost. The local host tries to authenticate. -# This transport is used for smarthost and satellite configurations. - -remote_smtp_smarthost: - debug_print = "T: remote_smtp_smarthost for $local_part@$domain" - driver = smtp - hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ - {\ - ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ - }\ - {} \ - } -.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS - hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS -.endif -.ifdef REMOTE_SMTP_HEADERS_REWRITE - headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE -.endif -.ifdef REMOTE_SMTP_RETURN_PATH - return_path = REMOTE_SMTP_RETURN_PATH -.endif -.ifdef REMOTE_SMTP_HELO_FROM_DNS - helo_data=REMOTE_SMTP_HELO_DATA -.endif diff --git a/etc/exim4/update-exim4.conf.conf b/etc/exim4/update-exim4.conf.conf index 431fafd..a7a3bff 100644 --- a/etc/exim4/update-exim4.conf.conf +++ b/etc/exim4/update-exim4.conf.conf @@ -16,16 +16,19 @@ # # This is a Debian specific file -dc_eximconfig_configtype='internet' +CFILEMODE='644' +dc_use_split_config='true' + +# THe options below are not used in this heaviliy customized configuration (but +# leaving them undefined causes update-exim4.conf to barf). +dc_eximconfig_configtype='' dc_other_hostnames='' dc_local_interfaces='' dc_readhost='' dc_relay_domains='' -dc_minimaldns='false' -dc_relay_nets='10.42.0.0/24' +dc_minimaldns='' +dc_relay_nets='' dc_smarthost='' -CFILEMODE='644' -dc_use_split_config='true' dc_hide_mailname='' -dc_mailname_in_oh='true' -dc_localdelivery='mail_spool' +dc_mailname_in_oh='' +dc_localdelivery='' -- 2.30.2
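Review bot: The added comment has two typos; `# THe options below are not used in this heaviliy customized configuration (but` should read `# The options below are not used in this heavily customized configuration (but`. Emptying `dc_relay_nets` (previously `10.42.0.0/24`) is only safe if nothing left in conf.d still expands the relay-nets macro that update-exim4.conf derives from it; the ACL hunks are outside this chunk, so please confirm, because a surviving reference would now expand to an empty host list and silently remove that network from the hosts allowed to relay — fail-closed, but not what a reader of this file would expect. `dc_eximconfig_configtype=''` likewise deserves a test run of update-exim4.conf, since the DCconfig_* macros this commit stops using elsewhere are selected from that value.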