diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile index 61368ec..e8fe9ef 100755 --- a/scripts/Configure-Makefile +++ b/scripts/Configure-Makefile @@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then mv $mft $mftt echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft - echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft + echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft echo "" >>$mft cat $mftt >> $mft diff --git a/src/EDITME b/src/EDITME index f4329fa..b0643e0 100644 --- a/src/EDITME +++ b/src/EDITME @@ -99,7 +99,7 @@ # /usr/local/sbin. The installation script will try to create this directory, # and any superior directories, if they do not exist. -BIN_DIRECTORY=/usr/exim/bin +BIN_DIRECTORY=/usr/sbin #------------------------------------------------------------------------------ @@ -115,7 +115,7 @@ BIN_DIRECTORY=/usr/exim/bin # don't exist. It will also install a default runtime configuration if this # file does not exist. -CONFIGURE_FILE=/usr/exim/configure +CONFIGURE_FILE=/etc/exim/exim.conf # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. # In this case, Exim will use the first of them that exists when it is run. @@ -132,7 +132,7 @@ CONFIGURE_FILE=/usr/exim/configure # deliveries. (Local deliveries run as various non-root users, typically as the # owner of a local mailbox.) Specifying these values as root is not supported. -EXIM_USER= +EXIM_USER=93 # If you specify EXIM_USER as a name, this is looked up at build time, and the # uid number is built into the binary. However, you can specify that this @@ -153,7 +153,7 @@ EXIM_USER= # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless # you want to use a group other than the default group for the given user. -# EXIM_GROUP= +EXIM_GROUP=93 # Many sites define a user called "exim", with an appropriate default group, # and use @@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim # If you are building with TLS, the library configuration must be done: # Uncomment this if you are using OpenSSL -# USE_OPENSSL=yes +USE_OPENSSL=yes # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not # and an optional location. -# USE_OPENSSL_PC=openssl +USE_OPENSSL_PC=openssl # TLS_LIBS=-lssl -lcrypto # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto @@ -340,7 +340,7 @@ TRANSPORT_SMTP=yes # This one is special-purpose, and commonly not required, so it is not # included by default. -# TRANSPORT_LMTP=yes +TRANSPORT_LMTP=yes #------------------------------------------------------------------------------ @@ -349,9 +349,9 @@ TRANSPORT_SMTP=yes # MBX, is included only when requested. If you do not know what this is about, # leave these settings commented out. -# SUPPORT_MAILDIR=yes -# SUPPORT_MAILSTORE=yes -# SUPPORT_MBX=yes +SUPPORT_MAILDIR=yes +SUPPORT_MAILSTORE=yes +SUPPORT_MBX=yes #------------------------------------------------------------------------------ @@ -409,22 +409,28 @@ LOOKUP_DBM=yes LOOKUP_LSEARCH=yes LOOKUP_DNSDB=yes -# LOOKUP_CDB=yes -# LOOKUP_DSEARCH=yes +LOOKUP_CDB=yes +LOOKUP_DSEARCH=yes # LOOKUP_IBASE=yes # LOOKUP_JSON=yes -# LOOKUP_LDAP=yes +LOOKUP_LDAP=yes +LDAP_LIB_TYPE=OPENLDAP2 +LOOKUP_LIBS=-lldap -llber -lsqlite3 # LOOKUP_LMDB=yes -# LOOKUP_MYSQL=yes -# LOOKUP_MYSQL_PC=mariadb -# LOOKUP_NIS=yes +LOOKUP_MYSQL=2 +LOOKUP_MYSQL_PC=mariadb +LOOKUP_NIS=yes # LOOKUP_NISPLUS=yes +CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc +LIBS+=-L/usr/$(_lib)/nsl + # LOOKUP_ORACLE=yes -# LOOKUP_PASSWD=yes -# LOOKUP_PGSQL=yes +LOOKUP_PASSWD=yes +LOOKUP_PGSQL=2 +LOOKUP_PGSQL_LIBS=-lpq # LOOKUP_REDIS=yes -# LOOKUP_SQLITE=yes +LOOKUP_SQLITE=yes # LOOKUP_SQLITE_PC=sqlite3 # LOOKUP_WHOSON=yes @@ -437,7 +443,7 @@ LOOKUP_DNSDB=yes # Some platforms may need this for LOOKUP_NIS: -# LIBS += -lnsl +LIBS += -lnsl #------------------------------------------------------------------------------ # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate @@ -504,7 +510,7 @@ SUPPORT_DANE=yes # files are defaulted in the OS/Makefile-Default file, but can be overridden in # local OS-specific make files. -# EXIM_MONITOR=eximon.bin +EXIM_MONITOR=eximon.bin #------------------------------------------------------------------------------ @@ -514,7 +520,7 @@ SUPPORT_DANE=yes # and the MIME ACL. Please read the documentation to learn more about these # features. -# WITH_CONTENT_SCAN=yes +WITH_CONTENT_SCAN=yes # If you have content scanning you may wish to only include some of the scanner # interfaces. Uncomment any of these lines to remove that code. @@ -607,12 +613,12 @@ DISABLE_MAL_MKS=yes # using libopendmarc libraries. You must have SPF and DKIM support enabled also. # Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; # 1.3.2-3 works. I seems that the OpenDMARC project broke their API. -# SUPPORT_DMARC=yes +SUPPORT_DMARC=yes # CFLAGS += -I/usr/local/include -# LDFLAGS += -lopendmarc +LDFLAGS += -lopendmarc # Uncomment the following if you need to change the default. You can # override it at runtime (main config option dmarc_tld_file) -# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds +DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat # Uncomment the following line to add ARC (Authenticated Received Chain) # support. You must have SPF and DKIM support enabled also. @@ -712,7 +718,7 @@ FIXED_NEVER_USERS=root # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. -# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs +TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs #------------------------------------------------------------------------------ @@ -764,18 +770,18 @@ ALLOW_INSECURE_TAINTED_DATA=yes # included in the Exim binary. You will then need to set up the run time # configuration to make use of the mechanism(s) selected. -# AUTH_CRAM_MD5=yes -# AUTH_CYRUS_SASL=yes -# AUTH_DOVECOT=yes +AUTH_CRAM_MD5=yes +AUTH_CYRUS_SASL=yes +AUTH_DOVECOT=yes # AUTH_EXTERNAL=yes -# AUTH_GSASL=yes -# AUTH_GSASL_PC=libgsasl +AUTH_GSASL=yes +AUTH_GSASL_PC=libgsasl # AUTH_HEIMDAL_GSSAPI=yes # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 -# AUTH_PLAINTEXT=yes -# AUTH_SPA=yes -# AUTH_TLS=yes +AUTH_PLAINTEXT=yes +AUTH_SPA=yes +AUTH_TLS=yes # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 # requires multiple pkg-config files to work with Exim, so the second example @@ -802,7 +808,7 @@ ALLOW_INSECURE_TAINTED_DATA=yes # one that is set in the headers_charset option. The default setting is # defined by this setting: -HEADERS_CHARSET="ISO-8859-1" +HEADERS_CHARSET="UTF-8" # If you are going to make use of $header_xxx expansions in your configuration # file, or if your users are going to use them in filter files, and the normal @@ -822,7 +828,7 @@ HEADERS_CHARSET="ISO-8859-1" # the Sieve filter support. For those OS where iconv() is known to be installed # as standard, the file in OS/Makefile-xxxx contains # -# HAVE_ICONV=yes +HAVE_ICONV=yes # # If you are not using one of those systems, but have installed iconv(), you # need to uncomment that line above. In some cases, you may find that iconv() @@ -898,7 +904,7 @@ HEADERS_CHARSET="ISO-8859-1" # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. -# INFO_DIRECTORY=/usr/share/info +INFO_DIRECTORY=/usr/share/info #------------------------------------------------------------------------------ @@ -911,7 +917,7 @@ HEADERS_CHARSET="ISO-8859-1" # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: -# LOG_FILE_PATH=/var/log/exim_%slog +LOG_FILE_PATH=/var/log/exim/%s.log # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create @@ -983,7 +989,7 @@ ZCAT_COMMAND=/usr/bin/zcat # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # Perl costs quite a lot of resources. Only do this if you really need it. -# EXIM_PERL=perl.o +EXIM_PERL=perl.o #------------------------------------------------------------------------------ @@ -993,7 +999,7 @@ ZCAT_COMMAND=/usr/bin/zcat # that the local_scan API is made available by the linker. You may also need # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. -# EXPAND_DLFUNC=yes +EXPAND_DLFUNC=yes #------------------------------------------------------------------------------ @@ -1003,7 +1009,7 @@ ZCAT_COMMAND=/usr/bin/zcat # support, which is intended for use in conjunction with the SMTP AUTH # facilities, is included only when requested by the following setting: -# SUPPORT_PAM=yes +SUPPORT_PAM=yes # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. @@ -1015,12 +1021,12 @@ ZCAT_COMMAND=/usr/bin/zcat # If you may want to use outbound (client-side) proxying, using Socks5, # uncomment the line below. -# SUPPORT_SOCKS=yes +SUPPORT_SOCKS=yes # If you may want to use inbound (server-side) proxying, using Proxy Protocol, # uncomment the line below. -# SUPPORT_PROXY=yes +SUPPORT_PROXY=yes #------------------------------------------------------------------------------ @@ -1044,9 +1050,9 @@ ZCAT_COMMAND=/usr/bin/zcat # installed on your system (www.libspf2.org). Depending on where it is installed # you may have to edit the CFLAGS and LDFLAGS lines. -# SUPPORT_SPF=yes +SUPPORT_SPF=yes # CFLAGS += -I/usr/local/include -# LDFLAGS += -lspf2 +LDFLAGS += -lspf2 #------------------------------------------------------------------------------ @@ -1111,7 +1117,7 @@ ZCAT_COMMAND=/usr/bin/zcat # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. -# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux +CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux #------------------------------------------------------------------------------ @@ -1125,8 +1131,8 @@ ZCAT_COMMAND=/usr/bin/zcat # library for TCP wrappers, so you probably need something like this: # # USE_TCP_WRAPPERS=yes -# CFLAGS=-O -I/usr/local/include -# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap +CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) +EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic # # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # as well. @@ -1178,7 +1184,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases # is "yes", as well as supporting line editing, a history of input lines in the # current run is maintained. -# USE_READLINE=yes +USE_READLINE=yes # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the @@ -1195,7 +1201,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases #------------------------------------------------------------------------------ # Uncomment this setting to include IPv6 support. -# HAVE_IPV6=yes +HAVE_IPV6=yes ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # @@ -1216,13 +1222,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. -# CHOWN_COMMAND=/usr/bin/chown -# CHGRP_COMMAND=/usr/bin/chgrp -# CHMOD_COMMAND=/usr/bin/chmod -# MV_COMMAND=/bin/mv -# RM_COMMAND=/bin/rm -# TOUCH_COMMAND=/usr/bin/touch -# PERL_COMMAND=/usr/bin/perl +CHOWN_COMMAND=/usr/bin/chown +CHGRP_COMMAND=/usr/bin/chgrp +CHMOD_COMMAND=/usr/bin/chmod +MV_COMMAND=/usr/bin/mv +RM_COMMAND=/usr/bin/rm +TOUCH_COMMAND=/usr/bin/touch +PERL_COMMAND=/usr/bin/perl #------------------------------------------------------------------------------ @@ -1424,7 +1430,7 @@ EXIM_TMPDIR="/tmp" # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: -# PID_FILE_PATH=/var/lock/exim.pid +PID_FILE_PATH=/var/run/exim.pid # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". diff --git a/src/configure.default b/src/configure.default index 3761daf..a5d3718 100644 --- a/src/configure.default +++ b/src/configure.default @@ -67,7 +67,7 @@ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They # are all colon-separated lists: -domainlist local_domains = @ +domainlist local_domains = @ : localhost : localhost.localdomain domainlist relay_to_domains = hostlist relay_from_hosts = localhost # (We rely upon hostname resolution working for localhost, because the default @@ -119,11 +119,13 @@ hostlist relay_from_hosts = localhost # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: +acl_smtp_mail = acl_check_mail acl_smtp_rcpt = acl_check_rcpt .ifdef _HAVE_PRDR acl_smtp_data_prdr = acl_check_prdr .endif acl_smtp_data = acl_check_data +acl_smtp_mime = acl_check_mime # You should not change those settings until you understand how ACLs work. @@ -136,7 +138,7 @@ acl_smtp_data = acl_check_data # of what to set for other virus scanners. The second modification is in the # acl_check_data access control list (see below). -# av_scanner = clamd:/tmp/clamd +av_scanner = clamd:/var/run/clamd.exim/clamd.sock # For spam scanning, there is a similar option that defines the interface to @@ -147,6 +149,12 @@ acl_smtp_data = acl_check_data # spamd_address = 127.0.0.1 783 +# Set the default sqlite database file for greylisting. Uncomment this +# if you use the greylisting ACLs defined below. + +# sqlite_dbfile = /var/spool/exim/db/greylist.db + + # If Exim is compiled with support for TLS, you may want to change the # following option so that Exim disallows certain clients from makeing encrypted # connections. The default is to allow all. @@ -157,7 +165,7 @@ acl_smtp_data = acl_check_data # This is equivalent to the default. -# tls_advertise_hosts = * +tls_advertise_hosts = * # Specify the location of the Exim server's TLS certificate and private key. # The private key must not be encrypted (password protected). You can put @@ -165,8 +173,8 @@ acl_smtp_data = acl_check_data # need the first setting, or in separate files, in which case you need both # options. -# tls_certificate = /etc/ssl/exim.crt -# tls_privatekey = /etc/ssl/exim.pem +tls_certificate = /etc/pki/tls/certs/exim.pem +tls_privatekey = /etc/pki/tls/private/exim.pem # For OpenSSL, prefer EC- over RSA-authenticated ciphers .ifdef _HAVE_OPENSSL @@ -189,8 +197,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} # them you should also allow TLS-on-connect on the traditional but # non-standard port 465. -# daemon_smtp_ports = 25 : 465 : 587 -# tls_on_connect_ports = 465 +daemon_smtp_ports = 25 : 465 : 587 +tls_on_connect_ports = 465 # Specify the domain you want to be added to all unqualified addresses @@ -248,6 +256,24 @@ never_users = root host_lookup = * +# This setting, if uncommented, allows users to authenticate using +# their system passwords against saslauthd if they connect over a +# secure connection. If you have network logins such as NIS or +# Kerberos rather than only local users, then you possibly also want +# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism +# too. Once a user is authenticated, the acl_check_rcpt ACL then +# allows them to relay through the system. +# +# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} +# +# By default, we set this option to allow SMTP AUTH from nowhere +# (Exim's default would be to allow it from anywhere, even on an +# unencrypted connection). +# +# Comment this one out if you uncomment the above. Did you make sure +# saslauthd is actually running first? +# +auth_advertise_hosts = # The setting below causes Exim to try to initialize the system resolver # library with DNSSEC support. It has no effect if your library lacks @@ -378,8 +404,8 @@ timeout_frozen_after = 7d # Note that TZ is handled separately by the timezone runtime option # and TIMEZONE_DEFAULT buildtime option. -# keep_environment = ^LDAP -# add_environment = PATH=/usr/bin::/bin +keep_environment = ^LDAP +add_environment = PATH=/usr/bin::/bin @@ -390,6 +416,29 @@ timeout_frozen_after = 7d begin acl + +# This access control list is used for the MAIL command in an incoming +# SMTP message. + +acl_check_mail: + + # Hosts are required to say HELO (or EHLO) before sending mail. + # So don't allow them to use the MAIL command if they haven't + # done so. + + deny condition = ${if eq{$sender_helo_name}{} {1}} + message = Nice boys say HELO first + + # Use the lack of reverse DNS to trigger greylisting. Some people + # even reject for it but that would be a little excessive. + + warn condition = ${if eq{$sender_host_name}{} {1}} + set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons + + accept + + + # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. @@ -401,6 +450,7 @@ acl_check_rcpt: accept hosts = : control = dkim_disable_verify + control = dmarc_disable_verify ############################################################################# # The following section of the ACL is concerned with local parts that contain @@ -454,7 +504,8 @@ acl_check_rcpt: accept local_parts = postmaster domains = +local_domains - # Deny unless the sender address can be verified. + # Deny unless the sender address can be routed. For proper verification of the + # address, read the documentation on callouts and add the /callout modifier. require verify = sender @@ -494,6 +545,7 @@ acl_check_rcpt: accept hosts = +relay_from_hosts control = submission control = dkim_disable_verify + control = dmarc_disable_verify # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient @@ -503,6 +555,7 @@ acl_check_rcpt: accept authenticated = * control = submission control = dkim_disable_verify + control = dmarc_disable_verify # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow @@ -523,7 +576,8 @@ acl_check_rcpt: # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this - # point. The first one denies, whereas the second just warns. + # point. The first one denies, whereas the second just warns. The third + # triggers greylisting for any host in the blacklist. # # deny dnslists = black.list.example # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text @@ -531,6 +585,10 @@ acl_check_rcpt: # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain + # + # warn dnslists = black.list.example + # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons + # ############################################################################# ############################################################################# @@ -557,6 +615,10 @@ acl_check_rcpt: # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# + # Alternatively, greylist for it: + # warn !verify = csa + # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons + # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. @@ -606,21 +668,32 @@ acl_check_data: message = header syntax log_message = header syntax ($acl_verify_message) + # Put simple tests first. A good one is to check for the presence of a + # Message-Id: header, which RFC2822 says SHOULD be present. Some broken + # or misconfigured mailer software occasionally omits this from genuine + # messages too, though -- although it's not hard for the offender to fix + # after they receive a bounce because of it. + # + # deny condition = ${if !def:h_Message-ID: {1}} + # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ + # Most messages without it are spam, so your mail has been rejected. + # + # Alternatively if we're feeling more lenient we could just use it to + # trigger greylisting instead: + + warn condition = ${if !def:h_Message-ID: {1}} + set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons + # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. # # deny malware = * # message = This message contains a virus ($malware_name). - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. + # Bypass SpamAssassin checks if the message is too large. # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report + # accept condition = ${if >={$message_size}{100000} {1}} + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size ############################################################################# # No more tests if PRDR was actively used. @@ -634,11 +707,63 @@ acl_check_data: # condition = ... ############################################################################# + # Run SpamAssassin, but allow for it to fail or time out. Add a warning message + # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA + # score exceeds the SA system threshold. + # + # warn spam = nobody/defer_ok + # add_header = X-Spam-Flag: YES + # + # accept condition = ${if !def:spam_score_int {1}} + # add_header = X-Spam-Note: SpamAssassin invocation failed + # + + # Unconditionally add score and report headers + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # X-Spam-Report: $spam_report + + # And reject if the SpamAssassin score is greater than ten + # + # deny condition = ${if >{$spam_score_int}{100} {1}} + # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ + # $spam_report + + # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 + # + # warn condition = ${if >{$spam_score_int}{5} {1}} + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons + - # Accept the message. + # If you want to greylist _all_ mail rather than only mail which looks like there + # might be something wrong with it, then you can do this... + # + # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons + + # Now, invoke the greylisting. For this you need to have installed the exim-greylist + # package which contains this subroutine, and you need to uncomment the bit below + # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, + # greylisting will kick in and will defer the mail to check if the sender is a + # proper mail which which retries, or whether it's a zombie. For more details, see + # the exim-greylist.conf.inc file itself. + # + # require acl = greylist_mail accept +# To enable the greylisting, also uncomment this line: +# .include /etc/exim/exim-greylist.conf.inc + +acl_check_mime: + + # File extension filtering. + deny message = Blacklisted file extension detected + condition = ${if match \ + {${lc:$mime_filename}} \ + {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ + {1}{0}} + + accept ###################################################################### @@ -740,7 +865,7 @@ system_aliases: driver = redirect allow_fail allow_defer - data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} + data = ${lookup{$local_part}lsearch{/etc/aliases}} # user = exim file_transport = address_file pipe_transport = address_pipe @@ -778,7 +903,7 @@ userforward: # local_part_suffix = +* : -* # local_part_suffix_optional file = $home/.forward -# allow_filter + allow_filter no_verify no_expn check_ancestor @@ -786,6 +911,12 @@ userforward: pipe_transport = address_pipe reply_transport = address_reply +procmail: + driver = accept + check_local_user + require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail + transport = procmail + no_verify # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". @@ -826,6 +957,25 @@ remote_smtp: tls_resumption_hosts = * .endif +# This transport is used for delivering messages over SMTP using the +# "message submission" port (RFC4409). + +remote_msa: + driver = smtp + port = 587 + hosts_require_auth = * + + +# This transport invokes procmail to deliver mail +procmail: + driver = pipe + command = "/usr/bin/procmail -d $local_part" + return_path_add + delivery_date_add + envelope_to_add + user = $local_part + initgroups + return_output # This transport is used for delivering messages to a smarthost, if the # smarthost router is enabled. This starts from the same basis as @@ -880,8 +1030,8 @@ local_delivery: delivery_date_add envelope_to_add return_path_add -# group = mail -# mode = 0660 + group = mail + mode = 0660 # This transport is used for handling pipe deliveries generated by alias or @@ -914,6 +1064,16 @@ address_reply: driver = autoreply +# This transport is used to deliver local mail to cyrus IMAP server via UNIX +# socket. You'll need to configure the 'localuser' router above to use it. +# +#lmtp_delivery: +# home_directory = /var/spool/imap +# driver = lmtp +# command = "/usr/lib/cyrus-imapd/deliver -l" +# batch_max = 20 +# user = cyrus + ###################################################################### # RETRY CONFIGURATION # @@ -954,6 +1114,21 @@ begin rewrite # AUTHENTICATION CONFIGURATION # ###################################################################### +begin authenticators + +# This authenticator supports CRAM-MD5 username/password authentication +# with Exim acting as a _client_, as it might when sending its outgoing +# mail to a smarthost rather than directly to the final recipient. +# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate. + +#client_auth: +# driver = cram_md5 +# public_name = CRAM-MD5 +# client_name = SMTPAUTH_USERNAME +# client_secret = SMTPAUTH_PASSWORD + +# + # The following authenticators support plaintext username/password # authentication using the standard PLAIN mechanism and the traditional # but non-standard LOGIN mechanism, with Exim acting as the server. @@ -969,7 +1144,7 @@ begin rewrite # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. -begin authenticators +# # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not @@ -983,7 +1158,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth2 # server_prompts = : -# server_condition = Authentication is not yet configured +# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} # server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no @@ -995,7 +1170,7 @@ begin authenticators # driver = plaintext # server_set_id = $auth1 # server_prompts = <| Username: | Password: -# server_condition = Authentication is not yet configured +# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} # server_advertise_condition = ${if def:tls_in_cipher }