Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 16 changed files with 797 additions and 0 deletions.
@@ -0,0 +1,2 @@ | ||
redo-ifchange exim.conf exim.main.conf exim.acls.conf exim.routers.conf exim.transports.conf exim.retry.conf exim.rewrite.conf exim.authenticators.conf exim.local_scan.conf | ||
|
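Review bot: The `redo-ifchange` line records the dependencies but the script builds nothing and checks nothing; since the IMPORTANT block in exim.conf recommends testing a new configuration with `exim -C /config/file.new -bV` before installing it, consider having this .do script run that check against exim.conf so a syntax error in any of the included parts fails the build instead of surfacing at the daemon's next HUP.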
@@ -0,0 +1,183 @@ | ||
###################################################################### | ||
# ACL CONFIGURATION # | ||
# Specifies access control lists for incoming SMTP mail # | ||
###################################################################### | ||
|
||
begin acl | ||
|
||
# This access control list is used for every RCPT command in an incoming | ||
# SMTP message. The tests are run in order until the address is either | ||
# accepted or denied. | ||
|
||
acl_check_rcpt: | ||
|
||
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by | ||
# testing for an empty sending host field. | ||
|
||
accept hosts = : | ||
control = dkim_disable_verify | ||
|
||
############################################################################# | ||
# The following section of the ACL is concerned with local parts that contain | ||
# @ or % or ! or / or | or dots in unusual places. | ||
# | ||
# The characters other than dots are rarely found in genuine local parts, but | ||
# are often tried by people looking to circumvent relaying restrictions. | ||
# Therefore, although they are valid in local parts, these rules lock them | ||
# out, as a precaution. | ||
# | ||
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim | ||
# allows them because they have been encountered. (Consider local parts | ||
# constructed as "firstinitial.secondinitial.familyname" when applied to | ||
# someone like me, who has no second initial.) However, a local part starting | ||
# with a dot or containing /../ can cause trouble if it is used as part of a | ||
# file name (e.g. for a mailing list). This is also true for local parts that | ||
# contain slashes. A pipe symbol can also be troublesome if the local part is | ||
# incorporated unthinkingly into a shell command line. | ||
# | ||
# Two different rules are used. The first one is stricter, and is applied to | ||
# messages that are addressed to one of the local domains handled by this | ||
# host. The line "domains = +local_domains" restricts it to domains that are | ||
# defined by the "domainlist local_domains" setting above. The rule blocks | ||
# local parts that begin with a dot or contain @ % ! / or |. If you have | ||
# local accounts that include these characters, you will have to modify this | ||
# rule. | ||
|
||
deny message = Restricted characters in address | ||
domains = +local_domains | ||
local_parts = ^[.] : ^.*[@%!/|] | ||
|
||
# The second rule applies to all other domains, and is less strict. The line | ||
# "domains = !+local_domains" restricts it to domains that are NOT defined by | ||
# the "domainlist local_domains" setting above. The exclamation mark is a | ||
# negating operator. This rule allows your own users to send outgoing | ||
# messages to sites that use slashes and vertical bars in their local parts. | ||
# It blocks local parts that begin with a dot, slash, or vertical bar, but | ||
# allows these characters within the local part. However, the sequence /../ | ||
# is barred. The use of @ % and ! is blocked, as before. The motivation here | ||
# is to prevent your users (or your users' viruses) from mounting certain | ||
# kinds of attack on remote sites. | ||
|
||
deny message = Restricted characters in address | ||
domains = !+local_domains | ||
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ | ||
############################################################################# | ||
|
||
# Accept mail to postmaster in any local domain, regardless of the source, | ||
# and without verifying the sender. | ||
|
||
accept local_parts = postmaster | ||
domains = +local_domains | ||
|
||
# Deny unless the sender address can be verified. | ||
|
||
require verify = sender | ||
|
||
# Accept if the message comes from one of the hosts for which we are an | ||
# outgoing relay. It is assumed that such hosts are most likely to be MUAs, | ||
# so we set control=submission to make Exim treat the message as a | ||
# submission. It will fix up various errors in the message, for example, the | ||
# lack of a Date: header line. If you are actually relaying out out from | ||
# MTAs, you may want to disable this. If you are handling both relaying from | ||
# MTAs and submissions from MUAs you should probably split them into two | ||
# lists, and handle them differently. | ||
|
||
# Recipient verification is omitted here, because in many cases the clients | ||
# are dumb MUAs that don't cope well with SMTP error responses. If you are | ||
# actually relaying out from MTAs, you should probably add recipient | ||
# verification here. | ||
|
||
# Note that, by putting this test before any DNS black list checks, you will | ||
# always accept from these hosts, even if they end up on a black list. The | ||
# assumption is that they are your friends, and if they get onto a black | ||
# list, it is a mistake. | ||
|
||
accept hosts = +relay_from_hosts | ||
control = submission | ||
control = dkim_disable_verify | ||
|
||
# Accept if the message arrived over an authenticated connection, from | ||
# any host. Again, these messages are usually from MUAs, so recipient | ||
# verification is omitted, and submission mode is set. And again, we do this | ||
# check before any black list tests. | ||
|
||
accept authenticated = * | ||
control = submission | ||
control = dkim_disable_verify | ||
|
||
# Insist that any other recipient address that we accept is either in one of | ||
# our local domains, or is in a domain for which we explicitly allow | ||
# relaying. Any other domain is rejected as being unacceptable for relaying. | ||
|
||
require message = relay not permitted | ||
domains = +local_domains : +relay_to_domains | ||
|
||
# We also require all accepted addresses to be verifiable. This check will | ||
# do local part verification for local domains, but only check the domain | ||
# for remote domains. The only way to check local parts for the remote | ||
# relay domains is to use a callout (add /callout), but please read the | ||
# documentation about callouts before doing this. | ||
|
||
require verify = recipient | ||
|
||
############################################################################# | ||
# There are no default checks on DNS black lists because the domains that | ||
# contain these lists are changing all the time. However, here are two | ||
# examples of how you can get Exim to perform a DNS black list lookup at this | ||
# point. The first one denies, whereas the second just warns. | ||
# | ||
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | ||
# dnslists = black.list.example | ||
# | ||
# warn dnslists = black.list.example | ||
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain | ||
# log_message = found in $dnslist_domain | ||
############################################################################# | ||
|
||
############################################################################# | ||
# This check is commented out because it is recognized that not every | ||
# sysadmin will want to do it. If you enable it, the check performs | ||
# Client SMTP Authorization (csa) checks on the sending host. These checks | ||
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005) | ||
# an Internet draft. You can, of course, add additional conditions to this | ||
# ACL statement to restrict the CSA checks to certain hosts only. | ||
# | ||
# require verify = csa | ||
############################################################################# | ||
|
||
# At this point, the address has passed all the checks that have been | ||
# configured, so we accept it unconditionally. | ||
|
||
accept | ||
|
||
|
||
# This ACL is used after the contents of a message have been received. This | ||
# is the ACL in which you can test a message's headers or body, and in | ||
# particular, this is where you can invoke external virus or spam scanners. | ||
# Some suggested ways of configuring these tests are shown below, commented | ||
# out. Without any tests, this ACL accepts all messages. If you want to use | ||
# such tests, you must ensure that Exim is compiled with the content-scanning | ||
# extension (WITH_CONTENT_SCAN=yes in Local/Makefile). | ||
|
||
acl_check_data: | ||
|
||
# Deny if the message contains a virus. Before enabling this check, you | ||
# must install a virus scanner and set the av_scanner option above. | ||
# | ||
# deny malware = * | ||
# message = This message contains a virus ($malware_name). | ||
|
||
# Add headers to a message if it is judged to be spam. Before enabling this, | ||
# you must install SpamAssassin. You may also need to set the spamd_address | ||
# option above. | ||
# | ||
# warn spam = nobody | ||
# add_header = X-Spam_score: $spam_score\n\ | ||
# X-Spam_score_int: $spam_score_int\n\ | ||
# X-Spam_bar: $spam_bar\n\ | ||
# X-Spam_report: $spam_report | ||
|
||
# Accept the message. | ||
|
||
accept | ||
|
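Review bot: Several comments in this file still say "above" for settings that no longer live in it: "defined by the domainlist local_domains setting above", "set the av_scanner option above" and "set the spamd_address option above" all refer to main-section options, which after the split belong in exim.main.conf (exim.conf includes it ahead of exim.acls.conf). Suggest rewording those comments to name exim.main.conf and stating explicitly that the named lists local_domains, relay_to_domains and relay_from_hosts used by this ACL must be defined there. Minor: "relaying out out from MTAs" has a doubled word.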
@@ -0,0 +1,48 @@ | ||
###################################################################### | ||
# AUTHENTICATION CONFIGURATION # | ||
###################################################################### | ||
|
||
# The following authenticators support plaintext username/password | ||
# authentication using the standard PLAIN mechanism and the traditional | ||
# but non-standard LOGIN mechanism, with Exim acting as the server. | ||
# PLAIN and LOGIN are enough to support most MUA software. | ||
# | ||
# These authenticators are not complete: you need to change the | ||
# server_condition settings to specify how passwords are verified. | ||
# They are set up to offer authentication to the client only if the | ||
# connection is encrypted with TLS, so you also need to add support | ||
# for TLS. See the global configuration options section at the start | ||
# of this file for more about TLS. | ||
# | ||
# The default RCPT ACL checks for successful authentication, and will accept | ||
# messages from authenticated users from anywhere on the Internet. | ||
|
||
begin authenticators | ||
|
||
# PLAIN authentication has no server prompts. The client sends its | ||
# credentials in one lump, containing an authorization ID (which we do not | ||
# use), an authentication ID, and a password. The latter two appear as | ||
# $auth2 and $auth3 in the configuration and should be checked against a | ||
# valid username and password. In a real configuration you would typically | ||
# use $auth2 as a lookup key, and compare $auth3 against the result of the | ||
# lookup, perhaps using the crypteq{}{} condition. | ||
|
||
#PLAIN: | ||
# driver = plaintext | ||
# server_set_id = $auth2 | ||
# server_prompts = : | ||
# server_condition = Authentication is not yet configured | ||
# server_advertise_condition = ${if def:tls_cipher } | ||
|
||
# LOGIN authentication has traditional prompts and responses. There is no | ||
# authorization ID in this mechanism, so unlike PLAIN the username and | ||
# password are $auth1 and $auth2. Apart from that you can use the same | ||
# server_condition setting for both authenticators. | ||
|
||
#LOGIN: | ||
# driver = plaintext | ||
# server_set_id = $auth1 | ||
# server_prompts = <| Username: | Password: | ||
# server_condition = Authentication is not yet configured | ||
# server_advertise_condition = ${if def:tls_cipher } | ||
|
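Review bot: "See the global configuration options section at the start of this file for more about TLS" is stale now that the authenticators are in their own file; point it at exim.main.conf. Both PLAIN and LOGIN remain fully commented out and carry the placeholder `server_condition = Authentication is not yet configured`, which as the comment says is not a usable check (the expanded string is never "yes"/"true", so every attempt fails), so the ACL's `accept authenticated = *` branch stays inert until a real lookup replaces it; when that is done, keep the `server_advertise_condition = ${if def:tls_cipher }` gate so the mechanisms are only offered over TLS.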
@@ -0,0 +1,48 @@ | ||
###################################################################### | ||
# Runtime configuration file for Exim # | ||
###################################################################### | ||
|
||
|
||
# This is a default configuration file which will operate correctly in | ||
# uncomplicated installations. Please see the manual for a complete list | ||
# of all the runtime configuration options that can be included in a | ||
# configuration file. There are many more than are mentioned here. The | ||
# manual is in the file doc/spec.txt in the Exim distribution as a plain | ||
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available | ||
# from the Exim ftp sites. The manual is also online at the Exim web sites. | ||
|
||
|
||
# This file is divided into several parts, all but the first of which are | ||
# headed by a line starting with the word "begin". Only those parts that | ||
# are required need to be present. Blank lines, and lines starting with # | ||
# are ignored. | ||
|
||
|
||
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | ||
# # | ||
# Whenever you change Exim's configuration file, you *must* remember to # | ||
# HUP the Exim daemon, because it will not pick up the new configuration # | ||
# until you do. However, any other Exim processes that are started, for # | ||
# example, a process started by an MUA in order to send a message, will # | ||
# see the new configuration as soon as it is in place. # | ||
# # | ||
# You do not need to HUP the daemon for changes in auxiliary files that # | ||
# are referenced from this file. They are read every time they are used. # | ||
# # | ||
# It is usually a good idea to test a new configuration for syntactic # | ||
# correctness before installing it (for example, by running the command # | ||
# "exim -C /config/file.new -bV"). # | ||
# # | ||
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | ||
|
||
.include exim.main.conf | ||
.include exim.acls.conf | ||
.include exim.routers.conf | ||
.include exim.transports.conf | ||
.include exim.retry.conf | ||
.include exim.rewrite.conf | ||
.include exim.authenticators.conf | ||
.include exim.local_scan.conf | ||
|
||
# End of Exim configuration file | ||
|
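Review bot: The IMPORTANT block says "You do not need to HUP the daemon for changes in auxiliary files that are referenced from this file", but the `.include` lines that follow are not auxiliary files in that sense: an included file is read only when the configuration itself is read, so a change to exim.acls.conf or exim.main.conf does require a HUP. Suggest adding a sentence to that block saying so. Also worth confirming that the bare relative names in `.include exim.main.conf` etc. are accepted; Exim expects an absolute path for `.include`, so these may need the full configuration directory, and the `exim -C ... -bV` check recommended in the same block will show either way.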
@@ -0,0 +1,12 @@ | ||
###################################################################### | ||
# CONFIGURATION FOR local_scan() # | ||
###################################################################### | ||
|
||
# If you have built Exim to include a local_scan() function that contains | ||
# tables for private options, you can define those options here. Remember to | ||
# uncomment the "begin" line. It is commented by default because it provokes | ||
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS | ||
# set in the Local/Makefile. | ||
|
||
# begin local_scan | ||
|