# begin processing main #####
#####################################################
### /etc/exim4/conf.d/main/00_local_macros
#####################################################
# Versenden von E-Mails
# Authentifizierung im Format ldap_uid@real@mailhost.com
# Falls erfolgreich, wird die Mail an die Empfänger nach
# dem unten erläuterten Empfängerschema verschickt.
# Besitzt der Benutzer nur eine lokale E-Mail-Adresse,
# kann er Mails nicht über das Internet versenden, sondern
# nur an lokale Empfänger, z.B. ldap_uid@localhost oder
# real@mailhost.com
#
# Unterstützte Varianten der Angabe von Empfängern für E-Mails
# (1) ldap_uid@real@mailhost.com
# (2) ldap_uid@localhost
# (3) real@mailhost.com
# Dovecot erwartet immer das Format (1)
#
# (1) ldap_uid@real@mailhost.com
#     Die Mail wird direkt an den Dovecot LDA übergeben
# (2) ldap_uid@localhost
#     Die E-Mail-Adresse wird in folgendes Format umgewandelt:
#     ldap_uid@ldap_uid@ldap_localdomain
#     Die Mail wird anschließend an den Dovecot LDA übergeben
# (3) real@mailhost.com
#     Es werden die Benutzer gesucht, die die entsprechende E-Mail-Adresse
#     besitzen. Wird kein Benutzer gefunden, wird die E-Mail über das Internet
#     verschickt (s.o.)
# Deliver mail for local users through the Dovecot LDA.
# Commented out because /etc/exim4/update-exim4.conf.conf already sets
# dc_localdelivery='dovecot_delivery'.
#LOCAL_DELIVERY=dovecot_delivery

# Transport for local users whose mailbox address is an external one
# (delivery through the Dovecot LDA).
LOCAL_DELIVERY_EXTERNAL=dovecot_external_delivery

# Make sure system accounts (uids below this value) cannot receive mail.
FIRST_USER_ACCOUNT_UID = 1000

# Temporarily allow PLAIN and LOGIN over an unencrypted connection.
# Keep this commented out: enabling it sends clear-text passwords on the wire.
#AUTH_SERVER_ALLOW_NOTLS_PASSWORDS = "true"

# Changes needed so that mail injected by getmail is delivered
# without its headers being modified.
#
# ACL run at the start of every locally submitted (non-SMTP) message.
acl_not_smtp_start = acl_check_not_smtp

##############################################################################
# DSPAM Configuration
##############################################################################
USE_DSPAM = yes

##############################################################################
# LDAP Configuration
##############################################################################
# LDAP servers - necessary to specify because of TLS certificates.
# NOTE(review): the queries below use plain ldap:/// URLs; confirm that
# ldap_start_tls (or an ldaps server) is in effect, because the user=/pass=
# lookups and the ldapauth binds below transmit user credentials.
ldap_default_servers = myhost.com
# Base DN used by every LDAP query in this file
LDAP_BASE = ou=accounts,o=default,dc=myhost,dc=com

##############################################################################
# SEC_MAIL_USER
##############################################################################
# Unix account through which getmail injects fetched mail.
# Headers of messages submitted by this user are left untouched.
SEC_MAIL_USER=secmail

# Expansion condition: true when the submitting user's uid equals the uid of
# SEC_MAIL_USER. lsearch returns the rest of the /etc/passwd line after the
# "secmail:" key, so field 2 (colon-separated) is the numeric uid. If the
# account does not exist the lookup yields "" and the condition is false.
IS_SENDER_SECMAIL = eq{$originator_uid}{${extract{2}{:}{${lookup{SEC_MAIL_USER}lsearch{/etc/passwd}{$value}}}}}

# No Received: header when the message was submitted by SEC_MAIL_USER;
# otherwise the usual Received: text is generated. Messages from that
# account therefore carry no local trace header at all (intended for
# getmail re-injection; keep it in mind when tracing problem messages).
received_header_text = ${if !IS_SENDER_SECMAIL {Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}}{}}

# Transport to use for mail submitted by SEC_MAIL_USER
LOCAL_DELIVERY_SECMAIL = dovecot_delivery_secmail

##############################################################################
# TLS configuration
##############################################################################
# Enable TLS
MAIN_TLS_ENABLE = yes
# TLS certificate
MAIN_TLS_CERTIFICATE = /etc/ssl/certs/myhost.com.crt
# TLS private key (see 03_exim4-config_tlsoptions for the expected
# ownership and mode of this file)
MAIN_TLS_PRIVATEKEY = /etc/ssl/private/myhost.com.key
# CA certificate used to verify client certificates
MAIN_TLS_VERIFY_CERTIFICATES = /etc/ssl/certs/myCA.pem
# Which IP addresses must present a valid certificate.
# Left unset: no client is required to present one; 03_exim4-config_tlsoptions
# then requests (but does not require) a certificate from every host.
#MAIN_TLS_VERIFY_HOSTS = *
# Which IP addresses need not present a valid certificate
#MAIN_TLS_TRY_VERIFY_HOSTS = 127.0.0.1

##############################################################################
# Check macros
##############################################################################
# Extracts the uid from the sender address, i.e.
# ldap_uid from ldap_uid@real@mailhost.com
# (if the address does not match the pattern, sg leaves it unchanged)
SENDER_EXTRACT_UID = ${sg{${lc:$sender_address}} \
  {\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)$\N}{\$1}}
# Extracts the e-mail address from the sender address, i.e.
# real@mailhost.com from ldap_uid@real@mailhost.com
SENDER_EXTRACT_REAL_MAIL = ${sg{${lc:$sender_address}} \
  {\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)$\N}{\$2}}
# Checks that the sender's e-mail address lives on a remote server and that
# a valid local user uid was given. Yields "yes", or forces the expansion
# to fail when the LDAP entry is not found.
IS_SENDER_REMOTE = ${lookup ldap \
  {ldap:///uid=${quote_ldap_dn:SENDER_EXTRACT_UID},LDAP_BASE??sub?(&(dcSubMailAddress=${quote_ldap:SENDER_EXTRACT_REAL_MAIL})(dcAccountStatus=active))} \
  {yes}fail}
# Checks whether $local_part exists as a uid in the LDAP directory and the
# corresponding user is a valid mail user (objectClass dcMailUser).
IS_LOCAL_PART_VALID = ${lookup ldap \
  {ldap:///uid=${quote_ldap_dn:${lc:$local_part}},LDAP_BASE??base?(objectClass=dcMailUser)} \
  {yes}{no}}
# Checks whether $local_part@$domain has the form ldap_uid@real@mailhost.com
# (encoded as uid__orig__real@mailhost.com) and the matching entries exist
# in the LDAP directory.
# NOTE(review): this definition relies on Exim dropping full-line # comments
# that sit between continuation lines; confirm with "exim -bP" that the
# macro expands as intended.
IS_COMBINED_ADDRESS_VALID = \
  ${lookup ldap \
  {ldap:///uid=${quote_ldap_dn:${lc:\
  # extract real uid from uid__orig__address@mailhost.com or uid__orig__alias@mailhost.com
  ${sg{${lc:$local_part@$domain}}{\N^([a-zA-Z0-9_.-]+)__orig__([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)$\N}{\$1}} \
  }},LDAP_BASE??sub?(& \
  (dcSubMailAddress=${quote_ldap:${lc:\
  # extract address@mailhost.com/alias@mailhost.com from uid__orig__address@mailhost.com or uid__orig__alias@mailhost.com
  ${sg{${lc:$local_part@$domain}}{\N^([a-zA-Z0-9_.-]+)__orig__([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)$\N}{\$2}}\
  }})\
  (dcAccountStatus=active) \
  )} \
  {yes}{no}}
# Turns uid__orig__address@mailhost.com into uid@address@mailhost.com
# NOTE(review): unlike the sibling macros this one doubles its backslashes
# (\\N, \\$1); that is only correct if the macro is used inside a quoted
# string where one level of backslash processing is removed - confirm at
# the point of use.
GET_LOCAL_MAIL_EXTERNAL = ${sg{${lc:$local_part@$domain}}{\\N^([a-zA-Z0-9_.-]+)__orig__([a-zA-Z0-9_.-]+@[a-zA-Z0-9_.-]+)$\\N}{\\$1@\\$2}}
# Returns the uid(s) belonging to a mail address found in the LDAP directory,
# as a comma-separated list:
# local addresses    address@localdomain or alias@localdomain => uid
# external addresses address@mailhost.com or alias@mailhost.com => uid__orig__address@mailhost.com
#                    or uid__orig__alias@mailhost.com
GET_UID_FOR_RCPT = ${tr \
  {${lookup ldapm \
  {ldap:///LDAP_BASE??sub?${if match_domain{$domain}{+local_domains}{(mail=${quote_ldap:$local_part@ETC_MAILNAME})}{(&(dcSubMailAddress=${quote_ldap:$local_part@$domain})(dcAccountStatus=active))}}} \
  # Regex: Put in multiline mode with (?m) and match any uid="xyz" entry
  {${sg{${lc:$value}}{\N(?m)^.*uid="(.*?)".*$\N}{\$1\
  # add a suffix with the external address if it is not an address of a local domain
  ${if match_domain{$domain}{+local_domains}{}{__orig__$local_part@$domain}}}}} \
  }} \
  {\n}{,} \
  }
# Returns the list of real mail addresses (comma-separated) when the
# recipient is an LDAP alias.
GET_ALIAS_FOR_RCPT = ${tr \
  {${lookup ldapm \
  {ldap:///LDAP_BASE?mail,dcSubMailAddress?sub?(|(dcMailAlias=${quote_ldap:$local_part${if match_domain{$domain}{+local_domains}{@ETC_MAILNAME}{@$domain}}})(&(dcMailAlternateAddress=${quote_ldap:$local_part@$domain})(dcAccountStatus=active)))} \
  # Regex: Put in multiline mode with (?m) and match any mail="xyz" or dcsubmailaddress="xyz" entry
  {${sg{${lc:$value}}{\N(?m)^.*(mail|dcsubmailaddress)="(.*?)".*$\N}{\$2}}} \
  }} \
  {\n}{,} \
  }
# Returns the list of alias addresses for the mail address the user
# authenticated with over SMTP. Needed to decide whether the user may send
# mail with a particular sender address.
GET_ALIAS_FOR_AUTH = ${tr \
  {${lookup ldapm \
  {ldap:///LDAP_BASE?dcMailAlias,dcMailAlternateAddress?sub?(|(mail=${quote_ldap:AUTH_SERVER_MAIL})(&(dcSubMailAddress=${quote_ldap:AUTH_SERVER_MAIL})(dcAccountStatus=active)))} \
  # Regex: Put in multiline mode with (?m) and match any dcmailalias="xyz" or dcmailalternateaddress="xyz" entry
  {${sg{${lc:$value}}{\N(?m)^.*(dcmailalias|dcmailalternateaddress)="(.*?)".*$\N}{\$2}}} \
  }} \
  {\n}{,} \
  }
# Returns the complete address when the uid exists in the LDAP directory,
# i.e. uid > uid@local_local_part (uid plus the entry's mail attribute).
GET_COMPLETE_MAIL_FOR_LOCAL_PART_UID = ${lookup ldap \
  {ldap:///uid=${quote_ldap_dn:${lc:$local_part}},LDAP_BASE?mail?base?(objectClass=dcMailUser)} \
  {${local_part}@${value}}}
# Returns the local mail address - needed by the Dovecot LDA for delivery
# uid > uid@local_local_part@qualify_domain or
# uid > uid@remote_local_part@remote_domain
GET_LOCAL_MAIL = ${if match_domain{$parent_domain}{+local_domains} \
  # The mail was addressed to the local mail address from the start
  {GET_COMPLETE_MAIL_FOR_LOCAL_PART_UID} \
  # The mail is addressed to an external address whose mail is fetched locally by getmail.
  # To be safe, verify that a matching LDAP entry exists.
  {${lookup ldap \
  {ldap:///uid=${quote_ldap_dn:${lc:$local_part}},LDAP_BASE?dcSubMailAddress?sub?(&(dcSubMailAddress=${quote_ldap:$parent_local_part@$parent_domain})(dcAccountStatus=active))} \
  # LDAP search succeeded
  {$local_part@$parent_local_part@$parent_domain} \
  # Not found: deliver to the local address instead
  {GET_COMPLETE_MAIL_FOR_LOCAL_PART_UID} \
  }} \
  }
# Checks whether the authenticated sender has a remote SMTP server (e.g. GMX)
# configured for outgoing mail. This requires dcSMTPServer, dcSMTPLogin and
# dcSMTPPassword to be present in the LDAP entry.
# To tell an authenticated (SMTP AUTH) user from a local shell user,
# $authenticated_id is checked for an "@" in the middle: for local users
# $authenticated_id is just the user name.
# Yields "no" for local users, "yes" when the entry is found, and forces
# the expansion to fail otherwise.
# NOTE(review): the search binds as the user with AUTH_SERVER_PASSWORD and
# reads dcSMTPPassword; the directory's access rules must limit that
# attribute to the entry's owner - confirm.
IS_AUTH_REMOTE = ${if match{$authenticated_id}{\N^.+@.+\N} \
  {${lookup ldap { \
  user="uid=${quote_ldap_dn:AUTH_SERVER_UID},LDAP_BASE" \
  pass=${quote:AUTH_SERVER_PASSWORD} \
  ldap:///LDAP_BASE??sub?(&(dcSubMailAddress=${quote_ldap:AUTH_SERVER_MAIL})(dcAccountStatus=active)(dcSMTPServer=*)(dcSMTPLogin=*)(dcSMTPPassword=*))} \
  {yes}fail}} \
  {no}}
# Returns the remote SMTP server for an authenticated sender ("" if none)
AUTH_REMOTE_SERVER = ${lookup ldap { \
  user="uid=${quote_ldap_dn:AUTH_SERVER_UID},LDAP_BASE" \
  pass=${quote:AUTH_SERVER_PASSWORD} \
  ldap:///LDAP_BASE?dcSMTPServer?sub?(&(dcSubMailAddress=${quote_ldap:AUTH_SERVER_MAIL})(dcAccountStatus=active)(dcSMTPServer=*)(dcSMTPLogin=*)(dcSMTPPassword=*))} \
  {$value}{}}
# Returns the remote SMTP login for an authenticated sender ("" if none).
# A colon in the stored value must be doubled, because client_send/client_name
# treat the value as a colon-separated list.
AUTH_REMOTE_LOGIN = ${lookup ldap {\
  user="uid=${quote_ldap_dn:AUTH_SERVER_UID},LDAP_BASE" \
  pass=${quote:AUTH_SERVER_PASSWORD} \
  ldap:///LDAP_BASE?dcSMTPLogin?sub?(&(dcSubMailAddress=${quote_ldap:AUTH_SERVER_MAIL})(dcAccountStatus=active)(dcSMTPServer=*)(dcSMTPLogin=*)(dcSMTPPassword=*))} \
  {$value}{}}
# Returns the remote SMTP password for an authenticated sender ("" if none).
# A colon in the stored value must be doubled, because client_send/client_secret
# treat the value as a colon-separated list.
AUTH_REMOTE_PASSWORD = ${lookup ldap {\
  user="uid=${quote_ldap_dn:AUTH_SERVER_UID},LDAP_BASE" \
  pass=${quote:AUTH_SERVER_PASSWORD} \
  ldap:///LDAP_BASE?dcSMTPPassword?sub?(&(dcSubMailAddress=${quote_ldap:AUTH_SERVER_MAIL})(dcAccountStatus=active)(dcSMTPServer=*)(dcSMTPLogin=*)(dcSMTPPassword=*))} \
  {$value}{}}
# Checks whether valid credentials were supplied for the PLAIN method:
# the uid is taken from the part of $auth2 before "@" and bound against
# LDAP with $auth3 as the password.
# NOTE(review): nothing here rejects an empty $auth3; on LDAP servers that
# permit unauthenticated binds an empty password would make ldapauth
# succeed. Unless the authenticator already guards against it, test
# !eq{$auth3}{} before the ldapauth condition - confirm.
AUTH_SERVER_PLAIN_AUTH = ${if ldapauth \
  {user="uid=${quote_ldap_dn:${sg{${lc:$auth2}} \
  {\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$1}}},LDAP_BASE" \
  pass=${quote:$auth3} \
  ldap:///}{yes}{no}}
# Checks whether valid credentials were supplied for the LOGIN method
# (same scheme as above, using $auth1/$auth2; the same empty-password
# caveat applies).
AUTH_SERVER_LOGIN_AUTH = ${if ldapauth \
  {user="uid=${quote_ldap_dn:${sg{${lc:$auth1}} \
  {\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$1}}},LDAP_BASE" \
  pass=${quote:$auth2} \
  ldap:///}{yes}{no}}
# Extracts the e-mail address from $authenticated_id
# (field 1 of the "/"-separated id, part after the first "@")
AUTH_SERVER_MAIL = ${sg{${lc:${extract{1}{\/}{$authenticated_id}}}}{\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$2}}
# Extracts the uid from $authenticated_id (part before the first "@")
AUTH_SERVER_UID = ${sg{${lc:${extract{1}{\/}{$authenticated_id}}}}{\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$1}}
# Extracts the password from $authenticated_id (field 2 of the "/"-separated id)
# NOTE(review): this only works if the authenticator's server_set_id places
# the clear-text password into $authenticated_id. Exim records
# $authenticated_id in the "A=" item of main-log lines and in the -auth_id
# line of the spool header file, so the password would be persisted in clear
# text there - confirm, and prefer a design that does not carry the password
# in $authenticated_id. A password containing "/" is also cut at that "/".
AUTH_SERVER_PASSWORD = ${extract{2}{\/}{$authenticated_id}}
# Prevent spoofing: the sender address must equal the address used to
# authenticate, or one of its aliases, before a user may send mail.
# Important for ACL check_mail. Yields "yes" when the sender is NOT allowed.
IS_AUTH_SENDER_BAD = \
  # Test whether the domain in AUTH_SERVER_MAIL is a local domain
  ${if match_domain{AUTH_SERVER_MAIL}{+local_domains} \
  # If so, test whether the sender's address part equals the authenticated address part
  {${if match_local_part{${lc:AUTH_SERVER_MAIL}} {${lc:$sender_address}} {no} \
  # The sender address does not have the same local part;
  # test the LDAP aliases
  {${if match_local_part{${lc:$sender_address}} \
  # Aliases are comma-separated, but a colon-separated list is needed
  {${lc:${tr{GET_ALIAS_FOR_AUTH}{,}{::}}}} \
  {no}{yes}}}\
  }} \
  # If not, test whether the sender equals the external mail account's address exactly
  {${if match_address {${lc:AUTH_SERVER_MAIL}} {${lc:$sender_address}} {no} \
  # Sender address differs from the login address;
  # test the LDAP aliases
  {${if match_address {${lc:$sender_address}} \
  # Aliases are comma-separated, but a colon-separated list is needed
  {${lc:${tr{GET_ALIAS_FOR_AUTH}{,}{::}}}} \
  {no}\
  # Test whether the sender is the local secmail user and the mail comes from this host;
  # if so, allow the mail
  {${if and{ \
  {match_domain{$sender_address_domain}{+local_domains}} \
  {match_local_part{$sender_address_local_part}{SEC_MAIL_USER}} \
  {match_ip{$sender_host_address}{+own_hosts}} \
  }\
  {no}\
  {yes}\
  }}\
  }}\
  }}}
#
# Checks whether the sender of a message is wrongly specified (yes = bad sender).
# If the sender's domain is not a local domain and the sender did not
# authenticate, no check is performed.
IS_SENDER_BAD = ${if or{{match_domain{$sender_address_domain}{+local_domains}}{ge{${strlen:$authenticated_id}}{1}}}\
  {IS_AUTH_SENDER_BAD}\
  {no}}
# Checks whether a user is allowed to send emails to a remote host
# If this is not the case, then we do the check
IS_AUTH_TO_SEND_REMOTE = \
  # We first have to check, that the sender address is from a local domain
  ${if match_domain{$sender_address_domain}{+local_domains}\
  # Then we check whether the sender corresponds with the authentication
  # This is the case for shell users since in this case ($authenticated_id=username of a local user)
  {${if eq{${lc:$sender_address_local_part}}{${lc:$authenticated_id}}\
  {yes} \
  # If the user is not a shell user, do the normal test for authenticated users (see above)
  # NOTE(review): IS_AUTH_SENDER_BAD expands to the string "yes"/"no", not to a
  # condition, so this branch yields the literal text "!yes" or "!no" (the
  # "!" prefix only negates conditions such as IS_SENDER_SECMAIL). An ACL
  # "condition =" fed such a value is neither true nor false and defers;
  # if negation is intended use ${if eq{IS_AUTH_SENDER_BAD}{yes}{no}{yes}}
  # here - confirm against the ACL that consumes this macro.
  {!IS_AUTH_SENDER_BAD}\
  }} \
  {no} \
  }

# @[] is a list of all local IPs
# If exim is used localy in batch mode (exim4 -bs) then "$host" is empty, the ": :" adds the empty string.
hostlist own_hosts = @[] : :

# address for reclassifying/learning false positive spam mails
MAIL_ADDRESS_HAM = ham
# address for reclassifying/learning undetected spam
MAIL_ADDRESS_SPAM = spam

#####################################################
### end /etc/exim4/conf.d/main/00_local_macros
#####################################################
#####################################################
### /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
#####################################################
######################################################################
# Runtime configuration file for Exim 4 (Debian Packaging)
#
######################################################################

######################################################################
# /etc/exim4/exim4.conf.template is only used with the non-split
# configuration scheme.
# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used
# with the split configuration scheme.
# If you find this comment anywhere else, somebody copied it there.
# Documentation about the Debian exim4 configuration scheme can be
# found in /usr/share/doc/exim4-base/README.Debian.gz.
######################################################################

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Just for reference and scripts.
# On Debian systems, the main binary is installed as exim4 to avoid
# conflicts with the exim 3 packages.
# NOTE(review): the comment above says the Debian binary is exim4, but the
# path below names "exim" - confirm the intended binary path.
exim_path = /usr/sbin/exim

# Macro defining the main configuration directory.
# We do not use absolute paths.
# NOTE(review): every other path in this bundle lives under /etc/exim4, and
# CONFDIR is used below for the default exim.crt/exim.key locations and the
# local_deny_exceptions files; confirm that /etc/exim is really intended.
.ifndef CONFDIR
CONFDIR = /etc/exim
.endif

# Do Sender Policy Framework check
CHECK_RCPT_SPF=yes

# debconf-driven macro definitions get inserted after this line
UPEX4CmacrosUPEX4C = 1
##############################################
# the following macro definitions were created
# dynamically by /usr/sbin/update-exim4.conf
.ifndef MAIN_HARDCODE_PRIMARY_HOSTNAME
MAIN_HARDCODE_PRIMARY_HOSTNAME=myserver.com
.endif
.ifndef MAIN_PACKAGE_VERSION
MAIN_PACKAGE_VERSION=4.71
.endif
.ifndef MAIN_LOCAL_DOMAINS
MAIN_LOCAL_DOMAINS=@:localhost:myserver:myserver.com
.endif
.ifndef MAIN_RELAY_TO_DOMAINS
MAIN_RELAY_TO_DOMAINS=empty
.endif
.ifndef ETC_MAILNAME
ETC_MAILNAME=myserver.com
.endif
.ifndef LOCAL_DELIVERY
LOCAL_DELIVERY=dovecot_delivery
.endif
# ::::1 is the IPv6 loopback address ::1 with its colons doubled for the
# colon-separated list
.ifndef MAIN_RELAY_NETS
MAIN_RELAY_NETS=: 127.0.0.1 : ::::1
.endif
.ifndef DCreadhost
DCreadhost=empty
.endif
.ifndef DCsmarthost
DCsmarthost=myserver.com
.endif
.ifndef DC_eximconfig_configtype
DC_eximconfig_configtype=local
.endif
.ifndef DCconfig_local
DCconfig_local=1
.endif
# NOTE(review): DCconfig_internet is defined unconditionally next to the
# generated DCconfig_local, so any .ifdef on either macro elsewhere in the
# configuration is active - confirm this combination is intended.
DCconfig_internet=1
#Verify DNS Lookup
CHECK_RCPT_REVERSE_DNS = yes
##############################################

# Create domain and host lists for relay control
# '@' refers to 'the name of the local host'

# List of domains considered local for exim. Domains not listed here
# need to be deliverable remotely.
domainlist local_domains = MAIN_LOCAL_DOMAINS

# List of recipient domains to relay _to_. Use this list if you're -
# for example - fallback MX or mail gateway for domains.
domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS

# List of sender networks (IP addresses) to _unconditionally_ relay
# _for_. If you intend to be SMTP AUTH server, you do not need to enter
# anything here.
hostlist relay_from_hosts = MAIN_RELAY_NETS

# Decide which domain to use to add to all unqualified addresses.
# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary
# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value
# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined,
# the first line of /etc/mailname is used.
.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
.ifndef MAIN_QUALIFY_DOMAIN
qualify_domain = ETC_MAILNAME
.else
qualify_domain = MAIN_QUALIFY_DOMAIN
.endif
.endif

# listen on all all interfaces?
.ifdef MAIN_LOCAL_INTERFACES
local_interfaces = MAIN_LOCAL_INTERFACES
.endif

.ifndef LOCAL_DELIVERY
# The default transport, set in /etc/exim4/update-exim4.conf.conf,
# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities
LOCAL_DELIVERY=mail_spool
.endif

# The gecos field in /etc/passwd holds not only the name. see passwd(5).
gecos_pattern = ^([^,:]*)
gecos_name = $1

# define macros to be used in acl/30_exim4-config_check_rcpt to check
# recipient local parts for strange characters.
# This macro definition really should be in
# acl/30_exim4-config_check_rcpt but cannot be there due to
# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
# These macros are documented in acl/30_exim4-config_check_rcpt,
# can be changed here or overridden by a locally added configuration
# file as described in README.Debian chapter 2.1.2
.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
.endif
.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
.endif

# always log tls_peerdn as we use TLS for outgoing connects by default
.ifndef MAIN_LOG_SELECTOR
MAIN_LOG_SELECTOR = +tls_peerdn
.endif

#####################################################
### end /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs
#####################################################
#####################################################
### /etc/exim4/conf.d/main/02_exim4-config_options
#####################################################
### main/02_exim4-config_options
#################################

# Defines the access control list that is run when an
# SMTP MAIL command is received.
#
.ifndef MAIN_ACL_CHECK_MAIL
MAIN_ACL_CHECK_MAIL = acl_check_mail
.endif
acl_smtp_mail = MAIN_ACL_CHECK_MAIL

# Defines the access control list that is run when an
# SMTP RCPT command is received.
#
.ifndef MAIN_ACL_CHECK_RCPT
MAIN_ACL_CHECK_RCPT = acl_check_rcpt
.endif
acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT

# Defines the access control list that is run when an
# SMTP DATA command is received.
#
.ifndef MAIN_ACL_CHECK_DATA
MAIN_ACL_CHECK_DATA = acl_check_data
.endif
acl_smtp_data = MAIN_ACL_CHECK_DATA

# Message size limit. The default (used when MESSAGE_SIZE_LIMIT
# is unset) is 50 MB
.ifdef MESSAGE_SIZE_LIMIT
message_size_limit = MESSAGE_SIZE_LIMIT
.endif

# If you are running exim4-daemon-heavy or a custom version of Exim that
# was compiled with the content-scanning extension, you can cause incoming
# messages to be automatically scanned for viruses. You have to modify the
# configuration in two places to set this up. The first of them is here,
# where you define the interface to your scanner. This example is typical
# for ClamAV; see the manual for details of what to set for other virus
# scanners. The second modification is in the acl_check_data access
# control list.
# av_scanner = clamd:/tmp/clamd

# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.
# spamd_address = 127.0.0.1 783

# Domain used to qualify unqualified recipient addresses
# If this option is not set, the qualify_domain value is used.
# qualify_recipient =

# Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
# where the domain part is a "domain literal" (an IP address) instead
# of a named domain. The RFCs require this facility, but it is disabled
# in the default config since it is seldomly used and frequently abused.
# Domain literal support also needs a special router, which is automatically
# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
# Additionally, you might want to make your local IP addresses (or @[])
# local domains.
.ifdef MAIN_ALLOW_DOMAIN_LITERALS
allow_domain_literals
.endif

# Do a reverse DNS lookup on all incoming IP calls, in order to get the
# true host name. If you feel this is too expensive, the networks for
# which a lookup is done can be listed here.
.ifndef DC_minimaldns
.ifndef MAIN_HOST_LOOKUP
MAIN_HOST_LOOKUP = *
.endif
host_lookup = MAIN_HOST_LOOKUP
.endif

# In a minimaldns setup, update-exim4.conf guesses the hostname and
# dumps it here to avoid DNS lookups being done at Exim run time.
.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
.endif

# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls are
# misconfigured to drop the requests instead of either answering or
# rejecting them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up SMTP sessions. (The default was
# reduced from 30s to 5s for release 4.61.)
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s

# When using an external relay tester (such as rt.njabl.org and/or the
# currently defunct relay-test.mail-abuse.org, the test may be aborted
# since exim complains about "too many nonmail commands". If you want
# the test to complete, add the host from where "your" relay tester
# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
# Please note that a non-empty setting may cause extra DNS lookups to
# happen, which is the reason why this option is commented out in the
# default settings.
# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
.endif

# By default, exim forces a Sender: header containing the local
# account name at the local host name in all locally submitted messages
# that don't have the local account name at the local host name in the
# From: header, deletes any Sender: header present in the submitted
# message and forces the envelope sender of all locally submitted
# messages to the local account name at the local host name.
# The following settings allow local users to specify their own envelope sender
# in a locally submitted message. Sender: headers existing in a locally
# submitted message are not removed, and no automatic Sender: headers
# are added. These settings are fine for most hosts.
# If you run exim on a classical multi-user systems where all users
# have local mailboxes that can be reached via SMTP from the Internet
# with the local FQDN as the domain part of the address, you might want
# to disable the following three lines for traceability reasons.
# (With these settings any local, untrusted user may choose an arbitrary
# envelope sender; the anti-spoofing checks in this configuration only
# cover SMTP submissions.)
.ifndef MAIN_FORCE_SENDER
local_from_check = false
local_sender_retain = true
untrusted_set_sender = *
.endif

# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. Configure exim
# to accept unqualified addresses from certain hosts. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).
# sender_unqualified_hosts =
# recipient_unqualified_hosts =

# Configure Exim to support the "percent hack" for certain domains.
# The "percent hack" is the feature by which mail addressed to x%y@z
# (where z is one of the domains listed) is locally rerouted to x@y
# and sent on. If z is not one of the "percent hack" domains, x%y is
# treated as an ordinary local part. The percent hack is rarely needed
# nowadays but frequently abused. You should not enable it unless you
# are sure that you really need it.
# percent_hack_domains =

# Bounce handling
.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
.endif
ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER

.ifndef MAIN_TIMEOUT_FROZEN_AFTER
MAIN_TIMEOUT_FROZEN_AFTER = 7d
.endif
timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER

.ifndef MAIN_FREEZE_TELL
MAIN_FREEZE_TELL = postmaster
.endif
freeze_tell = MAIN_FREEZE_TELL

# Define spool directory
.ifndef SPOOLDIR
SPOOLDIR = /var/spool/exim4
.endif
spool_directory = SPOOLDIR

# trusted users can set envelope-from to arbitrary values
.ifndef MAIN_TRUSTED_USERS
MAIN_TRUSTED_USERS = uucp
.endif
trusted_users = MAIN_TRUSTED_USERS
.ifdef MAIN_TRUSTED_GROUPS
trusted_groups = MAIN_TRUSTED_GROUPS
.endif

# users in admin group can do many other things
# admin_groups =

# SMTP Banner. The example includes the Debian version in the SMTP dialog
# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
# Anonymize Server version according to http://wiki.exim.org/ProtectYourPrivacy
smtp_banner = $smtp_active_hostname ESMTP Mail Server Ready

#####################################################
### end /etc/exim4/conf.d/main/02_exim4-config_options
#####################################################
#####################################################
### /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
#####################################################
### main/03_exim4-config_tlsoptions
#################################

# TLS/SSL configuration for exim as an SMTP server.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS

# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
#   MAIN_TLS_CERTIFICATE - path to certificate file,
#                          CONFDIR/exim.crt if unset
#   MAIN_TLS_PRIVATEKEY  - path to private key file
#                          CONFDIR/exim.key if unset
# You can also configure exim to look for certificate and key in the
# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes
# precedence over all other settings regarding certificate and key file.
# (In this bundle both macros are set explicitly in 00_local_macros, so
# the CONFDIR defaults below are not used.)
.ifdef MAIN_TLS_CERTKEY
tls_certificate = MAIN_TLS_CERTKEY
.else
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY
.endif

# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                  {/etc/ssl/certs/ca-certificates.crt}\
                                  {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES

# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif

# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
# By default, this check is done for all hosts. It is known that some
# clients (including incredimail's version downloadable in February
# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an
# empty value.
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
.endif

#####################################################
### end /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
#####################################################
#####################################################
### /etc/exim4/conf.d/main/90_exim4-config_log_selector
#####################################################
### main/90_exim4-config_log_selector
#################################

# uncomment this for debugging
# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments

.ifdef MAIN_LOG_SELECTOR
log_selector = MAIN_LOG_SELECTOR
.endif

#####################################################
### end /etc/exim4/conf.d/main/90_exim4-config_log_selector
#####################################################
# end of main #####
# begin processing acl #####
#####################################################
### /etc/exim4/conf.d/acl/00_exim4-config_header
#####################################################
######################################################################
#                          ACL CONFIGURATION                         #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl
##################################################### ### end /etc/exim4/conf.d/acl/00_exim4-config_header ##################################################### ##################################################### ### /etc/exim4/conf.d/acl/10_exim4-config_check_not_smtp ##################################################### ### acl/10_exim4-config_check_not_smtp ################################# # This access control list is used for every message submitted locally (non-SMTP) # to exim by a local command or user. # It accepts everything, but for messages submitted by the secmail user it ensures # that the headers of these messages are not touched (delivery via getmail). acl_check_not_smtp: # Special handling for the secmail (getmail) uid accept # Ensure that the submitting uid is the secmail user condition=${if IS_SENDER_SECMAIL {yes}{no}} # Do not modify anything in the headers (no local fixups) control=suppress_local_fixups # Accept finally accept ##################################################### ### end /etc/exim4/conf.d/acl/10_exim4-config_check_not_smtp ##################################################### ##################################################### ### /etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions ##################################################### ### acl/20_exim4-config_local_deny_exceptions ################################# # This is used to determine whitelisted senders and hosts. # It checks for CONFDIR/host_local_deny_exceptions and # CONFDIR/sender_local_deny_exceptions. # # It is meant to be used from some other acl entry. # # See exim4-config_files(5) for details. # # If the files do not exist, the white list never matches, which is # the desired behaviour. # # The old file names CONFDIR/local_host_whitelist and # CONFDIR/local_sender_whitelist will continue to be honored for a # transition period. Their use is deprecated.
acl_local_deny_exceptions: accept hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\ {CONFDIR/host_local_deny_exceptions}\ {}} accept senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\ {CONFDIR/sender_local_deny_exceptions}\ {}} accept hosts = ${if exists{CONFDIR/local_host_whitelist}\ {CONFDIR/local_host_whitelist}\ {}} accept senders = ${if exists{CONFDIR/local_sender_whitelist}\ {CONFDIR/local_sender_whitelist}\ {}} # This hook allows you to hook in your own ACLs without having to # modify this file. If you do it like we suggest, you'll end up with # a small performance penalty since there is an additional file being # accessed. This doesn't happen if you leave the macro unset. .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE .endif # this is still supported for a transition period and is deprecated. .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE .endif ##################################################### ### end /etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions ##################################################### ##################################################### ### /etc/exim4/conf.d/acl/30_exim4-config_check_mail ##################################################### ### acl/30_exim4-config_check_mail ################################# # This access control list is used for every MAIL command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. # acl_check_mail: .ifdef CHECK_MAIL_HELO_ISSUED deny message = no HELO given before MAIL command condition = ${if def:sender_helo_name {no}{yes}} .endif deny message = bad sender log_message = bad sender (auth_id=AUTH_SERVER_MAIL mismatches sender=$sender_address) # Spoofing vermeiden, d.h. 
falls der Absender von einer lokalen Domain ist oder authentifiziert ist # muss die Absenderaddresse=Addresse der Anmeldung oder ein Alias davon sein condition = IS_SENDER_BAD accept ##################################################### ### end /etc/exim4/conf.d/acl/30_exim4-config_check_mail ##################################################### ##################################################### ### /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt ##################################################### ### acl/30_exim4-config_check_rcpt ################################# # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. # acl_check_rcpt: # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by # testing for an empty sending host field. # We do not accept unauthenticated connections at all #accept # hosts = : # The following section of the ACL is concerned with local parts that contain # certain non-alphanumeric characters. Dots in unusual places are # handled by this ACL as well. # # Non-alphanumeric characters other than dots are rarely found in genuine # local parts, but are often tried by people looking to circumvent # relaying restrictions. Therefore, although they are valid in local # parts, these rules disallow certain non-alphanumeric characters, as # a precaution. # # Empty components (two dots in a row) are not valid in RFC 2822, but Exim # allows them because they have been encountered. (Consider local parts # constructed as "firstinitial.secondinitial.familyname" when applied to # a name without a second initial.) However, a local part starting # with a dot or containing /../ can cause trouble if it is used as part of a # file name (e.g. for a mailing list). This is also true for local parts that # contain slashes. 
A pipe symbol can also be troublesome if the local part is # incorporated unthinkingly into a shell command line. # # These ACL components will block recipient addresses that are valid # from an RFC2822 point of view. We chose to have them blocked by # default for security reasons. # # If you feel that your site should have less strict recipient # checking, please feel free to change the default values of the macros # defined in main/01_exim4-config_listmacrosdefs or override them from a # local configuration file. # # Two different rules are used. The first one has a quite strict # default, and is applied to messages that are addressed to one of the # local domains handled by this host. # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in # main/01_exim4-config_listmacrosdefs: # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] # This blocks local parts that begin with a dot or contain a quite # broad range of non-alphanumeric characters. .ifdef CHECK_RCPT_LOCAL_LOCALPARTS deny domains = +local_domains local_parts = CHECK_RCPT_LOCAL_LOCALPARTS message = restricted characters in address .endif # The second rule applies to all other domains, and its default is # considerably less strict. # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in # main/01_exim4-config_listmacrosdefs: # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ # It allows local users to send outgoing messages to sites # that use slashes and vertical bars in their local parts. It blocks # local parts that begin with a dot, slash, or vertical bar, but allows # these characters within the local part. However, the sequence /../ is # barred. The use of some other non-alphanumeric characters is blocked. # Single quotes might probably be dangerous as well, but they're # allowed by the default regexps to avoid rejecting mails to Ireland. 
# The motivation here is to prevent local users (or local users' malware) # from mounting certain kinds of attack on remote sites. .ifdef CHECK_RCPT_REMOTE_LOCALPARTS deny domains = !+local_domains local_parts = CHECK_RCPT_REMOTE_LOCALPARTS message = restricted characters in address .endif # Accept mail to postmaster in any local or relay domain, regardless of the # source, and without verifying the sender. # accept .ifndef CHECK_RCPT_POSTMASTER local_parts = postmaster .else local_parts = CHECK_RCPT_POSTMASTER .endif domains = +local_domains : +relay_to_domains # Deny unless the sender address can be verified. # # This is disabled by default so that DNSless systems don't break. If # your system can do DNS lookups without delay or cost, you might want # to enable this feature. # # This feature does not work in smarthost and satellite setups as # with these setups all domains pass verification. See spec.txt chapter # 39.31 with the added information that a smarthost/satellite setup # routes all non-local e-mail to the smarthost. .ifdef CHECK_RCPT_VERIFY_SENDER deny message = Sender verification failed !acl = acl_local_deny_exceptions !verify = sender .endif # Verify senders listed in local_sender_callout with a callout. # # In smarthost and satellite setups, this causes the callout to be # done to the smarthost. Verification will thus only be reliable if the # smarthost does reject illegal addresses in the SMTP dialog. deny !acl = acl_local_deny_exceptions senders = ${if exists{CONFDIR/local_sender_callout}\ {CONFDIR/local_sender_callout}\ {}} !verify = sender/callout # Accept if the message comes from one of the hosts for which we are an # outgoing relay. It is assumed that such hosts are most likely to be MUAs, # so we set control=submission to make Exim treat the message as a # submission. It will fix up various errors in the message, for example, the # lack of a Date: header line. If you are actually relaying out from # MTAs, you may want to disable this.
If you are handling both relaying from # MTAs and submissions from MUAs you should probably split them into two # lists, and handle them differently. # Recipient verification is omitted here, because in many cases the clients # are dumb MUAs that don't cope well with SMTP error responses. If you are # actually relaying out from MTAs, you should probably add recipient # verification here. # Note that, by putting this test before any DNS black list checks, you will # always accept from these hosts, even if they end up on a black list. The # assumption is that they are your friends, and if they get onto black # list, it is a mistake. # We do not accept Relay at all - even not from localhost! #accept # hosts = +relay_from_hosts # control = submission/sender_retain # We also require all accepted addresses to be verifiable. This check will # do local part verification for local domains, but only check the domain # for remote domains. require verify = recipient # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient # verification is omitted, and submission mode is set. And again, we do this # check before any black list tests. accept authenticated = * # Nur unter der Bedingung, dass der Absender ein valider, entfernter User in LDAP # ist Empfänger bedingungslos akzeptieren, d.h. lokale User können keine Mails an entfernte hosts verschicken #condition = IS_SENDER_REMOTE #control = submission/sender_retain # Deny all unauthenticated remote hosts to send mail to # spam or ham email addresses deny hosts = !+own_hosts local_parts = MAIL_ADDRESS_HAM : MAIL_ADDRESS_SPAM # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow # relaying. Any other domain is rejected as being unacceptable for relaying. 
require message = relay not permitted domains = +local_domains : +relay_to_domains # Verify recipients listed in local_rcpt_callout with a callout. # This is especially handy for forwarding MX hosts (secondary MX or # mail hubs) of domains that receive a lot of spam to non-existent # addresses. The only way to check local parts for remote relay # domains is to use a callout (add /callout), but please read the # documentation about callouts before doing this. deny !acl = acl_local_deny_exceptions recipients = ${if exists{CONFDIR/local_rcpt_callout}\ {CONFDIR/local_rcpt_callout}\ {}} !verify = recipient/callout # CONFDIR/local_sender_blacklist holds a list of envelope senders that # should have their access denied to the local host. Incoming messages # with one of these senders are rejected at RCPT time. # # The explicit white lists are honored as well as negative items in # the black list. See exim4-config_files(5) for details. deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster !acl = acl_local_deny_exceptions senders = ${if exists{CONFDIR/local_sender_blacklist}\ {CONFDIR/local_sender_blacklist}\ {}} # deny bad sites (IP address) # CONFDIR/local_host_blacklist holds a list of host names, IP addresses # and networks (CIDR notation) that should have their access denied to # The local host. Messages coming in from a listed host will have all # RCPT statements rejected. # # The explicit white lists are honored as well as negative items in # the black list. See exim4-config_files(5) for details. deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster !acl = acl_local_deny_exceptions hosts = ${if exists{CONFDIR/local_host_blacklist}\ {CONFDIR/local_host_blacklist}\ {}} # Warn if the sender host does not have valid reverse DNS. 
# # If your system can do DNS lookups without delay or cost, you might want # to enable this. # If sender_host_address is defined, it's a remote call. If # sender_host_name is not defined, then reverse lookup failed. Use # this instead of !verify = reverse_host_lookup to catch deferrals # as well as outright failures. .ifdef CHECK_RCPT_REVERSE_DNS warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ {yes}{no}} .endif # Use spfquery to perform a pair of SPF checks (for details, see # http://www.openspf.org/) # # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not # enable if that's an issue. Also note that if you enable this, you must # install "libmail-spf-query-perl" which provides the spfquery command. # Missing libmail-spf-query-perl will trigger the "Unexpected error in # SPF check" warning. .ifdef CHECK_RCPT_SPF deny message = $spf_smtp_comment log_message = SPF check failed. !acl = acl_local_deny_exceptions spf = fail defer message = $spf_smtp_comment spf = err_temp warn message = $spf_received spf = softfail:none:neutral:pass warn log_message = Unexpected error in SPF check. spf = err_perm .endif # Check against classic DNS "black" lists (DNSBLs) which list # sender IP addresses .ifdef CHECK_RCPT_IP_DNSBLS warn message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) dnslists = CHECK_RCPT_IP_DNSBLS .endif # Check against DNSBLs which list sender domains, with an option to locally # whitelist certain domains that might be blacklisted. # # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append # "/$sender_address_domain" after each domain. 
For example: # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \ # : rhsbl.bar.org/$sender_address_domain .ifdef CHECK_RCPT_DOMAIN_DNSBLS warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ {CONFDIR/local_domain_dnsbl_whitelist}\ {}} dnslists = CHECK_RCPT_DOMAIN_DNSBLS .endif # This hook allows you to hook in your own ACLs without having to # modify this file. If you do it like we suggest, you'll end up with # a small performance penalty since there is an additional file being # accessed. This doesn't happen if you leave the macro unset. .ifdef CHECK_RCPT_LOCAL_ACL_FILE .include CHECK_RCPT_LOCAL_ACL_FILE .endif ############################################################################# # This check is commented out because it is recognized that not every # sysadmin will want to do it. If you enable it, the check performs # Client SMTP Authorization (csa) checks on the sending host. These checks # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) # an Internet draft. You can, of course, add additional conditions to this # ACL statement to restrict the CSA checks to certain hosts only. # # require verify = csa ############################################################################# # Accept if the address is in a domain for which we are an incoming relay, # but again, only if the recipient can be verified. accept domains = +relay_to_domains endpass verify = recipient # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. 
accept ##################################################### ### end /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt ##################################################### ##################################################### ### /etc/exim4/conf.d/acl/40_exim4-config_check_data ##################################################### ### acl/40_exim4-config_check_data ################################# # This ACL is used after the contents of a message have been received. This # is the ACL in which you can test a message's headers or body, and in # particular, this is where you can invoke external virus or spam scanners. acl_check_data: # Deny unless the address list headers are syntactically correct. # # If you enable this, you might reject legitimate mail. .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX deny message = Message headers fail syntax check !acl = acl_local_deny_exceptions !verify = header_syntax .endif # Require that there is a verifiable sender address in at least # one of the "Sender:", "Reply-To:", or "From:" header lines. .ifdef CHECK_DATA_VERIFY_HEADER_SENDER deny message = No verifiable sender address in message headers !acl = acl_local_deny_exceptions !verify = header_sender .endif # Deny if the message contains malware. Before enabling this check, you # must install a virus scanner and set the av_scanner option in the # main configuration. # # exim4-daemon-heavy must be used for this section to work. # # deny # malware = * # message = This message was detected as possible malware ($malware_name). # Add headers to a message if it is judged to be spam. Before enabling this, # you must install SpamAssassin. You also need to set the spamd_address # option in the main configuration. # # exim4-daemon-heavy must be used for this section to work. # # Please note that this is only suitable as an example. There are # multiple issues with this configuration method.
For example, if you go # this way, you'll give your spamassassin daemon write access to the # entire exim spool which might be a security issue in case of a # spamassassin exploit. # # See the exim docs and the exim wiki for more suitable examples. # # warn # spam = Debian-exim:true # message = X-Spam_score: $spam_score\n\ # X-Spam_score_int: $spam_score_int\n\ # X-Spam_bar: $spam_bar\n\ # X-Spam_report: $spam_report # This hook allows you to hook in your own ACLs without having to # modify this file. If you do it like we suggest, you'll end up with # a small performance penalty since there is an additional file being # accessed. This doesn't happen if you leave the macro unset. .ifdef CHECK_DATA_LOCAL_ACL_FILE .include CHECK_DATA_LOCAL_ACL_FILE .endif # accept otherwise accept ##################################################### ### end /etc/exim4/conf.d/acl/40_exim4-config_check_data ##################################################### # end of acl ##### # begin processing router ##### ##################################################### ### /etc/exim4/conf.d/router/00_exim4-config_header ##################################################### ###################################################################### # ROUTERS CONFIGURATION # # Specifies how addresses are handled # ###################################################################### # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # # An address is passed to each router in turn until it is accepted. 
# ###################################################################### begin routers ##################################################### ### end /etc/exim4/conf.d/router/00_exim4-config_header ##################################################### ##################################################### ### /etc/exim4/conf.d/router/100_exim4-config_domain_literal ##################################################### ### router/100_exim4-config_domain_literal ################################# # This router handles e-mail addresses in "domain literal" form, i.e. with an # IP address in square brackets in place of the domain name. The RFCs require # this facility, but it is disabled # in the default config since it is seldom used and frequently abused. # Domain literal support also needs to be enabled in the main config, # which is automatically done if you use the enable macro # MAIN_ALLOW_DOMAIN_LITERALS. .ifdef MAIN_ALLOW_DOMAIN_LITERALS domain_literal: debug_print = "R: domain_literal for $local_part@$domain" driver = ipliteral domains = ! +local_domains transport = remote_smtp .endif ##################################################### ### end /etc/exim4/conf.d/router/100_exim4-config_domain_literal ##################################################### ##################################################### ### /etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts ##################################################### # router/150_exim4-config_hubbed_hosts ################################# # route specific domains manually. # # see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for # more detailed documentation.
hubbed_hosts: debug_print = "R: hubbed_hosts for $domain" driver = manualroute domains = "${if exists{CONFDIR/hubbed_hosts}\ {partial-lsearch;CONFDIR/hubbed_hosts}\ fail}" same_domain_copy_routing = yes route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}} transport = remote_smtp ##################################################### ### end /etc/exim4/conf.d/router/150_exim4-config_hubbed_hosts ##################################################### ##################################################### ### /etc/exim4/conf.d/router/200_exim4-config_system_aliases ##################################################### ### router/400_exim4-config_system_aliases ################################# # This router handles aliasing using a traditional /etc/aliases file. # In this configuration the lookup in the router below reads /etc/mail/aliases, # so that is the file that has to exist here. # ##### NB You must ensure that the aliases file exists. It used to be the case ##### NB that every Unix had that file, because it was the Sendmail default. ##### NB These days, there are systems that don't have it. Your aliases ##### NB file should at least contain an alias for "postmaster". # # This router handles the local part in a case-insensitive way which # satisfies the RFCs' requirement that postmaster be reachable regardless # of case. If you decide to handle the aliases file in a caseful way, you # need to make arrangements for a caseless postmaster. # # Delivery to arbitrary directories, files, and piping to programs in # the aliases file is disabled per default. # If that is a problem for you, see # /usr/share/doc/exim4-base/README.Debian.gz # for explanation and some workarounds.
system_aliases:
  debug_print = "R: system_aliases for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  # The alias file read here is /etc/mail/aliases (not /etc/aliases as the
  # header comment above says). A local part without an entry yields empty
  # data, which makes this redirect router decline.
  data = ${lookup{$local_part}lsearch{/etc/mail/aliases}}
# Optional overrides for the user/group and the transports used when an alias
# expands to a file, a pipe or a directory. They are unset by default, which
# is what keeps file/pipe/directory delivery from the aliases file disabled
# (see the header comment above).
.ifdef SYSTEM_ALIASES_USER
  user = SYSTEM_ALIASES_USER
.endif
.ifdef SYSTEM_ALIASES_GROUP
  group = SYSTEM_ALIASES_GROUP
.endif
.ifdef SYSTEM_ALIASES_FILE_TRANSPORT
  file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
.endif
.ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
  pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
.endif
.ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
  directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
.endif
#####################################################
### end /etc/exim4/conf.d/router/200_exim4-config_system_aliases
#####################################################
#####################################################
### /etc/exim4/conf.d/router/300_exim4-config_lowuid
#####################################################
### router/850_exim4-config_lowuid
#################################
# Fallback only. With a fallback of 0 the "<" comparison in the condition
# below can never be true (no uid is below 0), so the system-account
# protection is only active if FIRST_USER_ACCOUNT_UID was set in the main
# section.
.ifndef FIRST_USER_ACCOUNT_UID
FIRST_USER_ACCOUNT_UID = 0
.endif
# Redirect data used for system accounts without an entry in
# /etc/exim/lowuid-aliases; ":fail:" rejects the address with this text.
.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
.endif
# Expands to 1 when the message arrived from the network (sender host address
# set and not one of this host's own addresses: the empty list item covers
# local submission, @[] the local interfaces) AND the recipient's account uid
# is below FIRST_USER_ACCOUNT_UID, i.e. a system account; 0 otherwise.
COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
  ${if and{{! match_ip{$sender_host_address}{:@[]}}\
           {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
    {1}{0}\
  }"
# Mail from remote hosts to system accounts: redirect via
# /etc/exim/lowuid-aliases when that file exists and has an entry for the
# local part, otherwise use DEFAULT_SYSTEM_ACCOUNT_ALIAS (reject).
lowuid_aliases:
  debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
  check_local_user
  driver = redirect
  allow_fail
  domains = +local_domains
  condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
  data = ${if exists{/etc/exim/lowuid-aliases}\
    {${lookup{$local_part}lsearch{/etc/exim/lowuid-aliases}\
    {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
#####################################################
### end /etc/exim4/conf.d/router/300_exim4-config_lowuid
#####################################################
#####################################################
### /etc/exim4/conf.d/router/300_exim4-config_one_domain
#####################################################
# Redirect all mails to local domains to the primary domain (here: myserver.com).
# The "fail" branch of the condition forces an expansion failure when the
# domain already is ETC_MAILNAME, which makes the router decline instead of
# redirecting an address to itself; check_ancestor additionally stops a
# redirect back to an ancestor of the address.
primary_domain_redirect:
  debug_print = "R: primary_domain_redirect for $local_part@$domain to $local_part@ETC_MAILNAME"
  driver = redirect
  domains = +local_domains
  condition = ${if !match_domain{$domain}{ETC_MAILNAME}{yes}fail}
  data = $local_part@ETC_MAILNAME
  check_ancestor
#####################################################
### end /etc/exim4/conf.d/router/300_exim4-config_one_domain
#####################################################
#####################################################
### /etc/exim4/conf.d/router/390_exim4-config_local_delivery_secmail
#####################################################
############################################
### router/390_exim4-config_local_delivery
############################################
# Local delivery for messages submitted by the SEC_MAIL_USER account (getmail):
# the address is accepted only when IS_SENDER_SECMAIL holds and the local part
# passes IS_LOCAL_PART_VALID (both macros are defined elsewhere in this
# configuration). Otherwise the condition expands to "no", the router declines
# and the address goes on to the routers below (the "Unknown user" text comes
# from local_user's cannot_route_message, not from this router).
local_user_secmail:
  debug_print = "R: local_user_secmail for $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = ! root
  condition = ${if IS_SENDER_SECMAIL {IS_LOCAL_PART_VALID}{no}}
  transport = LOCAL_DELIVERY_SECMAIL
#####################################################
### end /etc/exim4/conf.d/router/390_exim4-config_local_delivery_secmail
#####################################################
#####################################################
### /etc/exim4/conf.d/router/400_exim4-config_local_delivery
#####################################################
#####################################################
### router/600_exim4-config_local_delivery
#################################
# Local delivery for addresses that IS_COMBINED_ADDRESS_VALID accepts
# (presumably the combined uid@realaddress form used by the Dovecot LDA --
# confirm against the macro definition).
# NOTE(review): unlike the other local routers this one has no "domains"
# option, so it is offered every address that reaches this point, remote
# domains included; the condition macro is the only gate. Confirm that it
# cannot match an ordinary remote address, or add a domains restriction.
local_external_user:
  debug_print = "R: local_external_user $local_part@$domain"
  driver = accept
  local_parts = ! root
  condition = IS_COMBINED_ADDRESS_VALID
  transport = LOCAL_DELIVERY_EXTERNAL
# This router matches local user ldap mailboxes (IS_LOCAL_PART_VALID, defined
# elsewhere). cannot_route_message supplies the "Unknown user" text that is
# reported when no router at all ends up accepting the address.
local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = ! root
  condition = IS_LOCAL_PART_VALID
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user
#####################################################
### end /etc/exim4/conf.d/router/400_exim4-config_local_delivery
#####################################################
#####################################################
### /etc/exim4/conf.d/router/410_exim4-config_spam_classification
#####################################################
################################################
### router/410_exim4-config_spam_classification
################################################
# This router matches the local spam and ham mailboxes
# which are used to train the spam filter with false
# spam positives or unrecognized spam.
# Sender restriction for these two addresses is not done here: acl_check_rcpt
# denies MAIL_ADDRESS_HAM / MAIL_ADDRESS_SPAM for hosts outside +own_hosts,
# so only mail from those hosts reaches this router.
# NOTE(review): $sender_address already includes the domain, so the debug
# line below prints the sender's domain twice; debug output only.
router_spam_training:
  debug_print = "R: spam training issued by mail from $sender_address@$sender_address_domain to $local_part@$domain"
  driver = accept
  domains = +local_domains
  local_parts = MAIL_ADDRESS_HAM : MAIL_ADDRESS_SPAM
  transport = transport_spam_training
################################################
### router/410_exim4-config_spam_classification
################################################
#####################################################
### end /etc/exim4/conf.d/router/410_exim4-config_spam_classification
#####################################################
#####################################################
### /etc/exim4/conf.d/router/500_exim4-config_ldap_uid_aliases
#####################################################
### router/500_exim4-config_ldap_uid_aliases
#################################
# This router handles aliasing using the ldap directory by checking the $local_part
# for a valid uid.
# There is no "domains" or "local_parts" restriction, so every address the
# routers above declined (remote ones included) is offered here. A redirect
# router whose data expands to an empty string declines, so GET_UID_FOR_RCPT
# (defined elsewhere) must expand to nothing for addresses that are not local
# uids -- confirm against the macro definition.
#
ldap_uid_aliases:
  debug_print = "R: ldap_uid_alias for $local_part@$domain"
  driver = redirect
  data = GET_UID_FOR_RCPT
  check_ancestor
#####################################################
### end /etc/exim4/conf.d/router/500_exim4-config_ldap_uid_aliases
#####################################################
#####################################################
### /etc/exim4/conf.d/router/600_exim4-config_ldap_aliases
#####################################################
### router/600_exim4-config_ldap_aliases
#################################
# This router handles aliasing using the ldap directory by checking the $local_part
# for a valid uid.
# NOTE(review): this header was copied from ldap_uid_aliases; the router below
# uses GET_ALIAS_FOR_RCPT, so it presumably resolves aliases rather than uids.
# The same "no domains restriction" remark as for ldap_uid_aliases applies.
# ldap_aliases: debug_print = "R: ldap_alias for $local_part@$domain" driver = redirect data = GET_ALIAS_FOR_RCPT check_ancestor ##################################################### ### end /etc/exim4/conf.d/router/600_exim4-config_ldap_aliases ##################################################### ##################################################### ### /etc/exim4/conf.d/router/700_exim4-config_sender_relay_smtp ##################################################### ### router/500_exim4-config_hubuser ################################# .ifdef DCconfig_satellite # This router is only used for configtype=satellite. # It routes all mail addressed to a local user in one of the local domains # to the host where we read our mail (DCreadhost) # hub_user: debug_print = "R: hub_user for $local_part@$domain" driver = redirect domains = +local_domains data = ${local_part}@DCreadhost check_local_user # Grab the redirected mail and deliver it. # This is a duplicate of the smarthost router, needed because # DCreadhost might end up as part of +local_domains hub_user_smarthost: debug_print = "R: hub_user_smarthost for $local_part@$domain" driver = manualroute domains = DCreadhost transport = remote_smtp_smarthost route_list = * DCsmarthost byname host_find_failed = defer same_domain_copy_routing = yes check_local_user .endif smarthost_auto: #debug_print = "R: remote_smtp_smarthost_auto sent by AUTH_SERVER_UID with mail address AUTH_SERVER_MAIL to $local_part@$domain" condition = IS_AUTH_REMOTE driver = manualroute domains = !
+local_domains route_data = AUTH_REMOTE_SERVER transport = remote_smtp_smarthost_auto ##################################################### ### end /etc/exim4/conf.d/router/700_exim4-config_sender_relay_smtp ##################################################### ##################################################### ### router/800_exim4-config_primary ##################################################### # This file holds the primary router, responsible for nonlocal mails .ifdef DCconfig_internet # configtype=internet # # deliver mail to the recipient if recipient domain is a domain we # relay for. We do not ignore any target hosts here since delivering to # a site local or even a link local address might be wanted here, and if # such an address has found its way into the MX record of such a domain, # the local admin is probably in a place where that broken MX record # could be fixed. dnslookup_relay_to_domains: debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain" driver = dnslookup domains = ! +local_domains : +relay_to_domains transport = remote_smtp same_domain_copy_routing = yes no_more # deliver mail directly to the recipient. This router is only reached # for domains that we do not relay for. Since we most probably can't # have broken MX records pointing to site local or link local IP # addresses fixed, we ignore target hosts pointing to these addresses. dnslookup: debug_print = "R: dnslookup for $local_part@$domain" driver = dnslookup domains = ! 
+local_domains condition = IS_AUTH_TO_SEND_REMOTE transport = remote_smtp same_domain_copy_routing = yes # ignore private rfc1918 and APIPA addresses ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ 255.255.255.255 no_more .endif ##################################################### ### router/800_exim4-config_primary ##################################################### ##################################################### ### /etc/exim4/conf.d/router/mmm_mail4root ##################################################### ### router/mmm_mail4root ################################# # deliver mail addressed to root to /var/mail/mail as user mail:mail # if it was not redirected in /etc/aliases or by other means # Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS) mail4root: debug_print = "R: mail4root for $local_part@$domain" driver = redirect domains = +local_domains data = /var/mail/mail file_transport = address_file local_parts = root user = mail group = mail ##################################################### ### end /etc/exim4/conf.d/router/mmm_mail4root ##################################################### # end of router ##### # begin processing transport ##### ##################################################### ### /etc/exim4/conf.d/transport/00_exim4-config_header ##################################################### ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### # ORDER DOES NOT MATTER # # Only one appropriate transport is called for each delivery. # ###################################################################### # A transport is used only when referenced from a router that successfully # handles an address. 
begin transports

#####################################################
### end /etc/exim4/conf.d/transport/00_exim4-config_header
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/10_exim4-config_transport-macros
#####################################################
### transport/10_exim4-config_transport-macros
#################################

# With HIDE_MAILNAME set, outgoing From:/Reply-To:/Sender: headers
# (flags "frs") and the envelope return path are rewritten so that local
# addresses appear as user@DCreadhost. A sender domain that is neither
# local nor ETC_MAILNAME hits the forced "fail", which leaves the return
# path untouched.
.ifdef HIDE_MAILNAME
REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
.endif

# HELO name taken from the PTR record of the sending address, falling
# back to the primary hostname when there is none.
.ifdef REMOTE_SMTP_HELO_FROM_DNS
REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
.endif

#####################################################
### end /etc/exim4/conf.d/transport/10_exim4-config_transport-macros
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_address_file
#####################################################
# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
#
address_file:
  debug_print = "T: address_file for $local_part@$domain"
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_address_file
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_address_pipe
#####################################################
# This transport is used for handling pipe deliveries generated by
# .forward files.
# If the command fails and produces any output on standard
# output or standard error streams, the output is returned to the sender
# of the message as a delivery error.
address_pipe:
  debug_print = "T: address_pipe for $local_part@$domain"
  driver = pipe
  return_fail_output

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_address_pipe
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_address_reply
#####################################################
# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.
#
address_reply:
  debug_print = "T: autoreply for $local_part@$domain"
  driver = autoreply

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_address_reply
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery_pipe
#####################################################
# Local delivery through the Dovecot LDA. GET_LOCAL_MAIL is a macro from
# the main section (outside this excerpt) that yields the mailbox user
# handed to dovecot. The pipe runs as the dedicated "secmail" account,
# not as the recipient.
dovecot_delivery:
  debug_print = "T: dovecot_delivery_pipe for $local_part@$domain translates to GET_LOCAL_MAIL"
  driver = pipe
.ifdef USE_DSPAM
  # classify through the dspam client first; the classified message is
  # written back to stdout and then piped into the command below
  transport_filter = /usr/bin/dspam --client --deliver=innocent,spam --user "GET_LOCAL_MAIL" --stdout
.endif
  # strip any X-DSPAM-* headers that arrived with the message, so values
  # supplied by the sender are discarded rather than mistaken for local
  # classification results
  headers_remove = X-DSPAM-Result:X-DSPAM-Processed:X-DSPAM-Confidence:X-DSPAM-Probability:X-DSPAM-Signature
  # NOTE(review): path of the LDA binary is distribution-specific (Debian
  # ships it under /usr/lib/dovecot/); confirm this path exists on the host
  command = /usr/libexec/dovecot/deliver -d "GET_LOCAL_MAIL"
  # no mbox-style "From " separator around the message: the LDA expects
  # a bare RFC 5322 message on stdin
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = secmail
  group = secmail

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery_pipe
#####################################################

#####################################################
###
### /etc/exim4/conf.d/transport/30_exim4-config_dovecot_external_delivery_pipe
#####################################################
# Same as dovecot_delivery, but for local users addressed by their
# external mail address; GET_LOCAL_MAIL_EXTERNAL (main-section macro,
# outside this excerpt) maps that address to the mailbox user.
dovecot_external_delivery:
  debug_print = "T: dovecot_external_delivery_pipe for GET_LOCAL_MAIL_EXTERNAL"
  driver = pipe
.ifdef USE_DSPAM
  transport_filter = /usr/bin/dspam --client --deliver=innocent,spam --user "GET_LOCAL_MAIL_EXTERNAL" --stdout
.endif
  # discard sender-supplied X-DSPAM-* headers before delivery
  headers_remove = X-DSPAM-Result:X-DSPAM-Processed:X-DSPAM-Confidence:X-DSPAM-Probability:X-DSPAM-Signature
  command = /usr/libexec/dovecot/deliver -d "GET_LOCAL_MAIL_EXTERNAL"
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = secmail
  group = secmail

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_dovecot_external_delivery_pipe
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery_pipe_secmail
#####################################################
############################################################
### transport/30_exim4-config_dovecot_delivery_pipe_secmail
############################################################
# Variant of dovecot_delivery used for mail injected through the secmail
# account (e.g. fetched by getmail): identical pipe, but no
# Delivery-date:/Envelope-to:/Return-path: headers are added so the
# message reaches the mailbox with its headers unchanged.
dovecot_delivery_secmail:
  debug_print = "T: dovecot_delivery_pipe_secmail for $local_part@$domain translates to GET_LOCAL_MAIL"
  driver = pipe
.ifdef USE_DSPAM
  transport_filter = /usr/bin/dspam --client --deliver=innocent,spam --user "GET_LOCAL_MAIL" --stdout
.endif
  # discard sender-supplied X-DSPAM-* headers before delivery
  headers_remove = X-DSPAM-Result:X-DSPAM-Processed:X-DSPAM-Confidence:X-DSPAM-Probability:X-DSPAM-Signature
  command = /usr/libexec/dovecot/deliver -d "GET_LOCAL_MAIL"
  message_prefix =
  message_suffix =
  # Do not add additional Headers
  delivery_date_add = false
  envelope_to_add = false
  return_path_add = false
  log_output
  user = secmail
  group = secmail

############################################################
### transport/30_exim4-config_dovecot_delivery_pipe_secmail
############################################################

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery_pipe_secmail
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_mail_spool
#####################################################
### transport/30_exim4-config_mail_spool
# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format.
#
mail_spool:
  debug_print = "T: appendfile for $local_part@$domain"
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  # spool files are group-writable for "mail"; an existing file with a
  # narrower mode is accepted rather than treated as an error
  mode = 0660
  mode_fail_narrower = false

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_mail_spool
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_maildir_home
#####################################################
### transport/30_exim4-config_maildir_home
#################################
# Use this instead of mail_spool if you want to deliver to Maildir in
# home-directory - change the definition of LOCAL_DELIVERY
#
# The MAILDIR_HOME_* macros below are optional overrides; each falls
# back to the value in the .else branch (or to Exim's default when the
# option is simply omitted).
maildir_home:
  debug_print = "T: maildir_home for $local_part@$domain"
  driver = appendfile
.ifdef MAILDIR_HOME_MAILDIR_LOCATION
  directory = MAILDIR_HOME_MAILDIR_LOCATION
.else
  directory = $home/Maildir
.endif
.ifdef MAILDIR_HOME_CREATE_DIRECTORY
  create_directory
.endif
.ifdef MAILDIR_HOME_CREATE_FILE
  create_file = MAILDIR_HOME_CREATE_FILE
.endif
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format
.ifdef MAILDIR_HOME_DIRECTORY_MODE
  directory_mode = MAILDIR_HOME_DIRECTORY_MODE
.else
  # private to the owning user
  directory_mode = 0700
.endif
.ifdef MAILDIR_HOME_MODE
  mode = MAILDIR_HOME_MODE
.else
  mode = 0600
.endif
  mode_fail_narrower = false
# This transport always chdirs to $home
# before trying to deliver. If
# $home is not accessible, this chdir fails and prevents delivery.
# If you are in a setup where home directories might not be
# accessible, uncomment the current_directory line below.
# current_directory = /

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_maildir_home
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe
#####################################################
# Hand the message to maildrop for user-side filtering. The PATH is
# pinned explicitly so the pipe does not depend on the daemon's
# environment.
maildrop_pipe:
  debug_print = "T: maildrop_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/maildrop"
  return_path_add
  delivery_date_add
  envelope_to_add

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_maildrop_pipe
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_procmail_pipe
#####################################################
# Same as maildrop_pipe, but invoking procmail.
procmail_pipe:
  debug_print = "T: procmail_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/procmail"
  return_path_add
  delivery_date_add
  envelope_to_add

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_procmail_pipe
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
#####################################################
### transport/30_exim4-config_remote_smtp
#################################
# This transport is used for delivering messages over SMTP connections.
# Direct-to-MX delivery used by the dnslookup routers. All tuning is
# optional and comes in through REMOTE_SMTP_* macros (defined in the
# main section or in 10_exim4-config_transport-macros).
remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  # hosts listed here are spoken to without STARTTLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
#####################################################
### transport/30_exim4-config_remote_smtp_smarthost
#################################
# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  # Authenticate only to hosts that have an entry in CONFDIR/passwd.client:
  # the smarthost name is looked up there (wildcard lsearch) and, when
  # found, its address becomes the single hosts_try_auth entry; when the
  # file is missing or has no entry the list is empty and no AUTH is
  # attempted. "<;" makes ";" the list separator so IPv6 addresses are
  # not split at ":".
  # passwd.client holds cleartext credentials - keep it readable by the
  # Exim user only.
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
    {\
    ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
    }\
    {} \
    }
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_FROM_DNS
  helo_data=REMOTE_SMTP_HELO_DATA
.endif

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost_auto
#####################################################
#########################################################
### transport/30_exim4-config_remote_smtp_smarthost_auto
#########################################################
# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.
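# Per-sender relay transport selected by the smarthost_auto router.
# AUTH_REMOTE_SERVER and AUTH_SERVER_MAIL are macros from the main
# section (outside this excerpt); the credentials come from the client
# authenticators at the end of the file.
remote_smtp_smarthost_auto:
  debug_print = "T: remote_smtp_smarthost_auto for $local_part@$domain from user AUTH_SERVER_MAIL"
  driver = smtp
  # retry to connect to external mail servers even
  # if they have been down longer than the cutoff time
  delay_after_cutoff = false
  # authentication to the relay is mandatory, not opportunistic
  hosts_require_auth = AUTH_REMOTE_SERVER
  # The PLAIN and LOGIN client authenticators put the password on the
  # wire merely base64-encoded, so the session must be encrypted before
  # AUTH is attempted. Without this, a failed or absent STARTTLS would
  # silently fall back to a cleartext session carrying the credentials;
  # with it, delivery defers instead if the relay cannot offer TLS.
  hosts_require_tls = AUTH_REMOTE_SERVER

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost_auto
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/30_exim4-config_transport_spam_training
#####################################################
#####################################################
### transport/30_exim4-config_transport_spam_training
#####################################################
# Feed a message into dspam as a correction (--source=error) for the
# shared "globaluser" corpus: mail whose local part is MAIL_ADDRESS_HAM
# (macro from the main section, outside this excerpt) trains "innocent",
# anything else reaching this transport trains "spam". Whoever can get a
# message routed here reshapes the classifier for everybody, so the
# selecting router (not in this excerpt) should admit only trusted,
# authenticated local senders.
.ifdef USE_DSPAM
transport_spam_training:
  # $sender_address is already the complete address; the earlier
  # "$sender_address@$sender_address_domain" printed the domain twice
  debug_print = "T: spam training issued by mail from $sender_address to $local_part@$domain"
  driver = pipe
  # the quoted ${if ...} expands to exactly one --class argument
  # NOTE(review): the delivery transports above invoke dspam with
  # "--deliver=... --stdout"; "--delivery=stdout" matches neither
  # spelling - verify against dspam(1) on this host
  command = /usr/bin/dspam "${if eq{$local_part}{MAIL_ADDRESS_HAM} {--class=innocent}{--class=spam}}" --client --source=error --delivery=stdout --user globaluser
  message_prefix =
  message_suffix =
  # Do not add additional Headers
  delivery_date_add = false
  envelope_to_add = false
  return_path_add = false
  log_output
  user = secmail
  group = secmail
.endif

#####################################################
### transport/30_exim4-config_transport_spam_training
#####################################################

#####################################################
### end /etc/exim4/conf.d/transport/30_exim4-config_transport_spam_training
#####################################################

#####################################################
### /etc/exim4/conf.d/transport/35_exim4-config_address_directory
#####################################################
# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name.
address_directory:
  debug_print = "T: address_directory for $local_part@$domain"
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
  # no "From " line handling is needed for maildir-style one-file-per-
  # message delivery
  check_string = ""
  escape_string = ""
  maildir_format

#####################################################
### end /etc/exim4/conf.d/transport/35_exim4-config_address_directory
#####################################################
# end of transport #####

# begin processing retry #####

#####################################################
### /etc/exim4/conf.d/retry/00_exim4-config_header
#####################################################

######################################################################
#                        RETRY CONFIGURATION                         #
######################################################################

begin retry

#####################################################
### end /etc/exim4/conf.d/retry/00_exim4-config_header
#####################################################

#####################################################
### /etc/exim4/conf.d/retry/30_exim4-config
#####################################################
### retry/30_exim4-config
#################################
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Please note that these rules only limit the frequency of retries, the
# effective retry-time depends on the frequency of queue-running, too.
# See QUEUEINTERVAL in /etc/default/exim4.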
# Address or Domain    Error    Retries
# -----------------    -----    -------
*                      *        F,2h,15m; G,16h,1h,1.5; F,4d,6h

#####################################################
### end /etc/exim4/conf.d/retry/30_exim4-config
#####################################################
# end of retry #####

# begin processing rewrite #####

#####################################################
### /etc/exim4/conf.d/rewrite/00_exim4-config_header
#####################################################

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

begin rewrite

#####################################################
### end /etc/exim4/conf.d/rewrite/00_exim4-config_header
#####################################################

#####################################################
### /etc/exim4/conf.d/rewrite/31_exim4-config_rewriting
#####################################################
### rewrite/31_exim4-config_rewriting
#################################
# This rewriting rule is particularly useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file
# (/etc/mail/email-addresses). "Ffrs" rewrites the envelope sender and
# the From:/Reply-To:/Sender: headers; a local part without an entry hits
# the forced "fail" and is left unchanged.
.ifndef NO_EAA_REWRITE_REWRITE
*@+local_domains "${lookup{${local_part}}lsearch{/etc/mail/email-addresses}\
                   {$value}fail}" Ffrs
# identical rewriting rule for /etc/mailname
*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/mail/email-addresses}\
                   {$value}fail}" Ffrs
.endif

#####################################################
### end /etc/exim4/conf.d/rewrite/31_exim4-config_rewriting
#####################################################
# end of rewrite #####

# begin processing auth #####

#####################################################
### /etc/exim4/conf.d/auth/00_exim4-config_header
#####################################################

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

begin authenticators

#####################################################
### end /etc/exim4/conf.d/auth/00_exim4-config_header
#####################################################

#####################################################
### /etc/exim4/conf.d/auth/10_exim4-config_ldap_auth
#####################################################
# Server-side PLAIN: the actual credential check is the
# AUTH_SERVER_PLAIN_AUTH macro (main section, outside this excerpt).
plain_ldapauth_server:
  driver = plaintext
  public_name = PLAIN
  # This method is normally only advertised on a TLS-encrypted connection.
  # Exception: AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is set.
  # ($tls_cipher is the legacy spelling of $tls_in_cipher on current Exim
  # releases; it still expands to the empty string when there is no TLS.)
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
  server_condition = AUTH_SERVER_PLAIN_AUTH
  # Earlier variant that kept only the part after the "@" as
  # $authenticated_id:
  #server_set_id = ${sg{${lc:$2}}{\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$2}}
  # NOTE(review): for PLAIN, $auth2 is the authentication id and $auth3 is
  # the password, so $authenticated_id becomes "user/password". Exim writes
  # $authenticated_id to the main log (the A= item) and makes it available
  # to every later router and transport. If downstream macros depend on
  # this layout (AUTH_REMOTE_* are defined outside this excerpt), keep the
  # main log readable only by the Exim user and root and rotate it
  # accordingly; otherwise prefer server_set_id = $auth2 so the secret
  # never leaves the authenticator.
  server_set_id = $auth2/$auth3
  # empty challenge for clients that do not send an initial response
  server_prompts = :

# Server-side LOGIN; credential check is AUTH_SERVER_LOGIN_AUTH (main
# section, outside this excerpt).
login_ldapauth_server:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  # This method is normally only advertised on a TLS-encrypted connection.
  # Exception: AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is set.
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
  server_condition = AUTH_SERVER_LOGIN_AUTH
  # Earlier variant that kept only the part after the "@" as
  # $authenticated_id:
  #server_set_id = ${sg{${lc:$auth1}}{\N^([a-zA-Z0-9_.-]+)@([a-zA-Z0-9_@.-]+)$\N}{\$2}}
  # NOTE(review): for LOGIN, $auth1 is the username and $auth2 the
  # password, so the same "user/password" in $authenticated_id (and in the
  # main log) as for plain_ldapauth_server applies here.
  server_set_id = $auth1/$auth2

# Client-side authenticators used by remote_smtp_smarthost_auto. The
# AUTH_REMOTE_* macros are defined outside this excerpt. cram_md5_client
# is listed first, so Exim tries it before PLAIN/LOGIN when the relay
# offers it; unlike those two it does not send the password itself.
cram_md5_client:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = AUTH_REMOTE_LOGIN
  client_secret = AUTH_REMOTE_PASSWORD

plain_client:
  driver = plaintext
  public_name = PLAIN
  # client_send is treated as a string list therefore a ":" such as in ldap:// would
  # cause problems. Therefore we have to add the prefix "<|" and use "|" as a separator instead of ":"
  # (the "^" characters become the NUL separators of the PLAIN response)
  client_send = <|^AUTH_REMOTE_LOGIN^AUTH_REMOTE_PASSWORD

login_client:
  driver = plaintext
  public_name = LOGIN
  # client_send is treated as a string list therefore a ":" such as in ldap:// would
  # cause problems. Therefore we have to add the prefix "<|" and use "|" as a separator instead of ":"
  # (leading empty item: nothing is sent before the first server prompt)
  client_send = <| | AUTH_REMOTE_LOGIN | AUTH_REMOTE_PASSWORD

#####################################################
### end /etc/exim4/conf.d/auth/10_exim4-config_ldap_auth
#####################################################
# end of auth #####