exim4.conf

# Database setttings and SQL macros

hide pgsql_servers = <server>/<db>/<user>/<password>

SQL_ALL_DOMAINS       = SELECT array_to_string(ARRAY(SELECT DISTINCT domainname FROM all_domains ORDER BY domainname),':')
SQL_ANTISPAM          = SELECT CASE WHEN antispam IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_ANTIVIRUS         = SELECT CASE WHEN antivirus IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_AUTH_HOSTS        = SELECT array_to_string(ARRAY(SELECT DISTINCT mailroute FROM all_domains WHERE delivery_username!='' AND delivery_password!=''),':')
SQL_ENABLED           = SELECT CASE WHEN enabled IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_GEOBLOCK          = SELECT CASE WHEN geoblock IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_GREYLISTING       = SELECT CASE WHEN greylist IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_GREYLIST_ADD      = INSERT INTO greylist (relay_ip, from_domain) VALUES ( '$sender_host_address', lower('${quote_pgsql:$sender_address_domain}'))
SQL_GREYLIST_TEST     = SELECT CASE WHEN now() > block_expires THEN 2 ELSE 1 END FROM greylist WHERE relay_ip='$sender_host_address' AND from_domain=lower('${quote_pgsql:$sender_address_domain}') ORDER BY id;
SQL_GREYLIST_UPDATE   = UPDATE greylist SET record_expires = now() + interval '7 days' WHERE relay_ip='$sender_host_address' AND from_domain=lower('${quote_pgsql:$sender_address_domain}')
SQL_INVALID_MAILBOX   = SELECT COUNT(*) FROM all_invalid_localparts WHERE domainname=lower('${quote_pgsql:$domain}') AND localpart=lower('${quote_pgsql:$local_part}')
SQL_LOG_MALWARE       = SELECT log_to_db ('$message_exim_id','malware',lower('$sender_host_address'),lower('${quote_pgsql:$sender_address}'),lower('${quote_pgsql:$recipients}'),trim(both ' ' from '${quote_pgsql:$malware_name}'),$message_size)
SQL_LOG_NORMAL        = SELECT log_to_db ('$message_exim_id','normal',lower('$sender_host_address'),lower('${quote_pgsql:$sender_address}'),lower('${quote_pgsql:$recipients}'),trim(both ' ' from '$spam_score $spam_report'),$message_size)
SQL_LOG_SPAM          = SELECT log_to_db ('$message_exim_id','spam',lower('$sender_host_address'),lower('${quote_pgsql:$sender_address}'),lower('${quote_pgsql:$recipients}'),trim(both ' ' from '$spam_score $spam_report'),$message_size)
SQL_MAILROUTE         = SELECT mailroute FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_QADDRESS          = SELECT quarantine_address FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_QUARANTINE        = SELECT CASE WHEN quarantine IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_REJECT_MESSAGE    = SELECT COALESCE ((SELECT reject_messages.reject_message FROM all_domains,reject_messages WHERE all_domains.id=reject_messages.domain_id AND all_domains.domainname='$acl_m_domain' and from_domain='$sender_address_domain'),(SELECT reject_message FROM all_domains WHERE domainname='$acl_m_domain'))
SQL_ROUTED_DOMAINS    = SELECT array_to_string(ARRAY(SELECT DISTINCT domainname FROM all_domains WHERE domaintype='routed' ORDER BY domainname),':')
SQL_SPAMSCORE         = SELECT spamscore FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_STRICT_ADDRESSING = SELECT CASE WHEN strictaddress IS TRUE THEN 1 ELSE 0 END FROM all_domains WHERE domainname=lower('${quote_pgsql:$domain}')
SQL_TRANSIENT_BAN     = SELECT COUNT(*) FROM transient_bans WHERE host='$sender_host_address'
SQL_VALID_MAILBOX     = SELECT COUNT(*) FROM all_valid_localparts WHERE domainname=lower('${quote_pgsql:$domain}') AND localpart=lower('${quote_pgsql:$local_part}')
SQL_VALID_VMAILBOX    = SELECT COUNT(*) FROM virtual_redirects WHERE domainname=lower('${quote_pgsql:$domain}') AND localpart=lower('${quote_pgsql:$local_part}')
SQL_VIRTUAL_DOMAINS   = SELECT array_to_string(ARRAY(SELECT DISTINCT domainname FROM all_domains WHERE domaintype='virtual' ORDER BY domainname),':')
SQL_VIRTUAL_REDIRECT  = SELECT redirect_to FROM virtual_redirects WHERE domainname=lower('${quote_pgsql:$domain}') AND localpart=lower('${quote_pgsql:$local_part}')

SQL_BANNED_ASN     = SELECT COUNT(*) FROM asn_exception WHERE domainname=lower('${quote_pgsql:$domain}') AND asn='$acl_m_asn'
SQL_BANNED_COUNTRY = SELECT COUNT(*) FROM cc_exception WHERE domainname=lower('${quote_pgsql:$domain}') AND country_code='$acl_m_cc'

SQL_BANNED_ALL_ASN = SELECT COUNT(*) FROM global_bans WHERE object='asn' AND asn='$acl_m_asn'
SQL_BANNED_NET     = SELECT COUNT(*) FROM global_bans WHERE object='netblock' AND '$sender_host_address' <<= netblock
SQL_BANNED_DOMAIN  = SELECT COUNT(*) FROM global_bans WHERE object='domain' AND sender_domain=lower('$sender_address_domain')
SQL_BANNED_ADDRESS = SELECT COUNT(*) FROM global_bans WHERE object='address' AND sender_address=lower('${quote_pgsql:$sender_address}')

SQL_BL_NET     = SELECT COUNT(*) FROM bl_exception_netblock WHERE domainname=lower('${quote_pgsql:$domain}') AND '$sender_host_address' <<= netblock
SQL_BL_DOMAIN  = SELECT COUNT(*) FROM bl_exception_domain WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_domain=lower('$sender_address_domain')
SQL_BL_ADDRESS = SELECT COUNT(*) FROM bl_exception_address WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_address=lower('${quote_pgsql:$sender_address}')

SQL_GL_NET     = SELECT COUNT(*) FROM gl_exception_netblock WHERE domainname=lower('${quote_pgsql:$domain}') AND '$sender_host_address' <<= netblock
SQL_GL_DOMAIN  = SELECT COUNT(*) FROM gl_exception_domain WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_domain=lower('$sender_address_domain')
SQL_GL_ADDRESS = SELECT COUNT(*) FROM gl_exception_address WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_address=lower('${quote_pgsql:$sender_address}')

SQL_WL_NET     = SELECT COUNT(*) FROM wl_exception_netblock WHERE domainname=lower('${quote_pgsql:$domain}') AND '$sender_host_address' <<= netblock
SQL_WL_DOMAIN  = SELECT COUNT(*) FROM wl_exception_domain WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_domain=lower('$sender_address_domain')
SQL_WL_ADDRESS = SELECT COUNT(*) FROM wl_exception_address WHERE domainname=lower('${quote_pgsql:$domain}') AND sender_address=lower('${quote_pgsql:$sender_address}')

SQL_ACCEPT_NET     = SELECT COUNT(*) FROM global_accepts WHERE object='netblock' AND '$sender_host_address' <<= netblock
SQL_ACCEPT_DOMAIN  = SELECT COUNT(*) FROM global_accepts WHERE object='domain' AND sender_domain=lower('$sender_address_domain')
SQL_ACCEPT_ADDRESS = SELECT COUNT(*) FROM global_accepts WHERE object='address' AND sender_address=lower('${quote_pgsql:$sender_address}')

SQL_ACCEPT_NOREVDNS = SELECT COUNT(*) FROM norevdns_exception WHERE domainname=lower('${quote_pgsql:$domain}') AND '$sender_host_address' <<= netblock

# Configuration macros

CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
CONFDIR  = /etc/exim4
MAILNAME = hardened.mx

# Other settings

acl_smtp_data              = acl_check_data
acl_smtp_mail              = acl_check_mail
acl_smtp_mime              = acl_smtp_mime
acl_smtp_rcpt              = acl_check_rcpt
av_scanner                 = clamd:/var/run/clamav/clamd.ctl
check_rfc2047_length       = false
disable_ipv6               = true
exim_path                  = /usr/sbin/exim4
gecos_name                 = $1
gecos_pattern              = ^([^,:]*)
host_lookup                = *
hosts_proxy                = 172.16.0.0/12
ignore_bounce_errors_after = 1d
local_from_check           = false
local_interfaces           = 0.0.0.0
local_sender_retain        = true
log_file_path              = :syslog
log_selector               = +tls_peerdn +proxy +subject
message_size_limit         = 50M
primary_hostname           = hardened.mx
qualify_domain             = hardened.mx
smtp_return_error_details  = true
split_spool_directory      = true
spool_directory            = /var/spool/exim4
timeout_frozen_after       = 1h
tls_advertise_hosts        = *
tls_certificate            = CONFDIR/exim.crt
tls_privatekey             = CONFDIR/exim.key
tls_try_verify_hosts       = *
tls_verify_certificates    = /etc/ssl/certs/ca-certificates.crt
trusted_users              = uucp
untrusted_set_sender       = *
write_rejectlog            = false

domainlist filtered_domains = ${lookup pgsql{SQL_ALL_DOMAINS}}
domainlist routed_domains   = ${lookup pgsql{SQL_ROUTED_DOMAINS}}
domainlist virtual_domains  = ${lookup pgsql{SQL_VIRTUAL_DOMAINS}}

add_environment =
keep_environment =

begin acl

acl_check_mail:

    deny
        message   = No HELO given before MAIL command.
        condition = ${if def:sender_helo_name {no}{yes}}

    deny
        message   = Invalid HELO.
        condition = ${if isip{$sender_helo_name}}

    deny
        message   = Invalid HELO.
        condition = ${if isip6{$sender_helo_name}}

    accept

acl_check_rcpt:

    require
        message = Relay not permitted.
        domains = +filtered_domains

    warn
        condition     = ${run{CONFDIR/memcache_asn_lookup.pl $sender_host_address}{yes}{no}}
        set acl_m_asn = $value

    warn
        condition    = ${run{CONFDIR/memcache_geoip_lookup.pl $sender_host_address}{yes}{no}}
        set acl_m_cc = $value

    defer
        message   = Excess connection attempts.
        ratelimit = 10 / 10s / per_mail / strict

    defer
        message   = Unable to accept mail for this domain at this time.
        condition = ${if = {${lookup pgsql{SQL_ENABLED}}}{0}}

    defer
        message   = Multiple destination domains per transaction is unsupported.  Please try again.
        condition = ${if and{ {!eq{$acl_m_lastrcptdomain}{}} {!eq{$acl_m_lastrcptdomain}{$domain}} } {true}{false}}

    warn
        set acl_m_lastrcptdomain = $domain

    warn
        set acl_m_antispam = ${lookup pgsql{SQL_ANTISPAM}}

    warn
        set acl_m_spamscore = ${lookup pgsql{SQL_SPAMSCORE}}

    warn
        set acl_m_antivirus = ${lookup pgsql{SQL_ANTIVIRUS}}

    warn
        set acl_m_greylisting = ${lookup pgsql{SQL_GREYLISTING}}

    warn
        set acl_m_strictaddressing = ${lookup pgsql{SQL_STRICT_ADDRESSING}}

    warn
        set acl_m_quarantine = ${lookup pgsql{SQL_QUARANTINE}}

    deny
        message     = Restricted characters in address.
        domains     = +filtered_domains
        local_parts = CHECK_RCPT_LOCAL_LOCALPARTS

    deny
        message   = Recipient mailbox does not exist.
        condition = ${if > {${lookup pgsql{SQL_INVALID_MAILBOX}}}{0}}

    deny
        message     = Restricted characters in address.
        domains     = !+filtered_domains
        local_parts = CHECK_RCPT_REMOTE_LOCALPARTS

    deny
        message   = Recipient mailbox does not exist.
        domains   = +virtual_domains
        condition = ${if < {${lookup pgsql{SQL_VALID_VMAILBOX}}}{1}}

    deny
        message   = Recipient mailbox does not exist.
        domains   = +routed_domains
        condition = ${if eq {$acl_m_strictaddressing}{1}}
        condition = ${if < {${lookup pgsql{SQL_VALID_MAILBOX}}}{1}}

    warn
        set acl_m_iswhitelisted = 0

    accept
        condition                 = ${if > {${lookup pgsql{SQL_ACCEPT_NET}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_host_address is from a globally whitelisted network.

    accept
        condition                 = ${if > {${lookup pgsql{SQL_ACCEPT_DOMAIN}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_address_domain is a globally whitelisted domain.

    accept
        condition                 = ${if > {${lookup pgsql{SQL_ACCEPT_ADDRESS}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_address is a globally whitelisted address.

    accept
        condition                 = ${if > {${lookup pgsql{SQL_WL_NET}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_host_address is from a whitelisted network.

    accept
        condition                 = ${if > {${lookup pgsql{SQL_WL_DOMAIN}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_address_domain is a whitelisted domain.

    accept
        condition                 = ${if > {${lookup pgsql{SQL_WL_ADDRESS}}}{0}}
        set acl_m_iswhitelisted   = 1
        set acl_m_whitelistreason = $sender_address is a whitelisted address.

    defer
        message   = Transient ban present for $sender_host_address.
        condition = ${if eq {$acl_m_iswhitelisted}{0}}
        condition = ${if > {${lookup pgsql{SQL_TRANSIENT_BAN}}}{0}}

    deny
        message   = Mail from sender location is not accepted.
        condition = ${if > {${lookup pgsql{SQL_BANNED_COUNTRY}}}{0}}

    deny
        message   = Mail from sender ASN is not accepted.
        condition = ${if > {${lookup pgsql{SQL_BANNED_ALL_ASN}}}{0}}

    deny
        message   = Mail from sender ASN is not accepted by this domain.
        condition = ${if > {${lookup pgsql{SQL_BANNED_ASN}}}{0}}

    deny
        message   = Banned sender pattern.
        condition = ${if eq{${lookup{$sender_address}nwildlsearch{CONFDIR/banned_wildcards.txt}{1}}}{1}}

    deny
        message   = Globally blacklisted network.
        condition = ${if > {${lookup pgsql{SQL_BANNED_NET}}}{0}}

    deny
        message   = Globally blacklisted domain.
        condition = ${if > {${lookup pgsql{SQL_BANNED_DOMAIN}}}{0}}

    deny
        message   = Globally blacklisted address.
        condition = ${if > {${lookup pgsql{SQL_BANNED_ADDRESS}}}{0}}

    deny
        message   = Blacklisted network.
        condition = ${if > {${lookup pgsql{SQL_BL_NET}}}{0}}

    deny
        message   = Blacklisted domain.
        condition = ${if > {${lookup pgsql{SQL_BL_DOMAIN}}}{0}}

    deny
        message   = Blacklisted address.
        condition = ${if > {${lookup pgsql{SQL_BL_ADDRESS}}}{0}}

    deny
        message  = Sending IP is listed at zen.spamhaus.org.
        dnslists = XXXXXXXXXX.zen.dq.spamhaus.net/$sender_host_address

    deny
        message  = Sending domain is listed in the Spamhaus DBL.
        dnslists = XXXXXXXXXX.dbl.dq.spamhaus.net/$sender_address_domain

    deny
        message  = Communicado Ltd - http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
        dnslists = excommunicado.co.uk/$sender_address_domain

    deny
        message  = Sending domain listed in rjek.com
        dnslists = mailsl.dnsbl.rjek.com/$sender_address_domain

    deny
        message  = Sender address is listed in rjek.com phishing list.
        dnslists = phish.dnsbl.rjek.com/${sha1:${lc:${sender_address}}}

    defer
        message   = No PTR found for $sender_host_address.
        condition = ${if eq {${lookup pgsql{SQL_ACCEPT_NOREVDNS}}}{0}}
        !verify   = reverse_host_lookup

    warn
        set acl_m_greyliststate = ${lookup pgsql{SQL_GREYLIST_TEST}{$value}{0}}
        condition = ${if eq {$acl_m_greylisting}{1}}

    defer
        message    = Greylisted.
        !condition = ${if > {${lookup pgsql{SQL_GL_NET}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_DOMAIN}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_ADDRESS}}}{0}}
        condition  = ${if eq {$acl_m_greylisting}{1}}
        condition  = ${if eq {$acl_m_greyliststate}{0}}
        condition  = ${lookup pgsql{SQL_GREYLIST_ADD}}

    defer
        message    = Greylisted.
        !condition = ${if > {${lookup pgsql{SQL_GL_NET}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_DOMAIN}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_ADDRESS}}}{0}}
        condition  = ${if eq {$acl_m_greylisting}{1}}
        condition  = ${if eq {$acl_m_greyliststate}{1}}

    warn
        set acl_m_greylist_update = ${lookup pgsql{SQL_GREYLIST_UPDATE}}
        !condition = ${if > {${lookup pgsql{SQL_GL_NET}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_DOMAIN}}}{0}}
        !condition = ${if > {${lookup pgsql{SQL_GL_ADDRESS}}}{0}}
        condition  = ${if eq {$acl_m_greylisting}{1}}
        condition  = ${if eq {$acl_m_greyliststate}{2}}

    defer
        message = Sender verification failed.
        !verify = sender/no_details

    deny
        message             = $sender_host_address is not allowed to send mail from $sender_address_domain.
        log_message         = SPF check failed.
        set acl_m_spfquery  = -ip=$sender_host_address -sender=$sender_address -helo=$sender_helo_name
        set acl_m_spfresult = ${run{/usr/bin/spfquery $acl_m_spfquery}}
        condition           = ${if eq {$runrc}{3}{true}{false}}

    warn
        condition    = ${run{CONFDIR/maxmind_geoip_lookup.pl $sender_host_address}{yes}{no}}
        set acl_m_cc = $value
        add_header   = X-HMX-Country-Code: $acl_m_cc

    warn
        condition     = ${run{CONFDIR/maxmind_asn_lookup.pl $sender_host_address}{yes}{no}}
        set acl_m_asn = $value
        add_header    = X-HMX-ASN: $acl_m_asn

    warn
        add_header       = X-Clacks-Overhead: GNU Terry Pratchett
        set acl_m_domain = $domain

    deny
        message   = Mail from sender location is not accepted.
        condition = ${if > {${lookup pgsql{SQL_BANNED_COUNTRY}}}{0}}

    deny
        message   = Mail from sender ASN is not accepted.
        condition = ${if > {${lookup pgsql{SQL_BANNED_ALL_ASN}}}{0}}

    deny
        message   = Mail from sender ASN is not accepted by this domain.
        condition = ${if > {${lookup pgsql{SQL_BANNED_ASN}}}{0}}

    accept

acl_smtp_mime:

    warn
        decode = default

    deny
        message   = Blacklisted file extension detected.
        condition = ${if match {${lc:$mime_filename}} {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs)$\N}{1}{0}}

    accept

acl_check_data:

    warn
        condition   = ${if eq {$acl_m_iswhitelisted}{1}}
        add_header  = X-HMX-Whitelisted: Yes
        add_header  = X-HMX-Whitelist-Reason: $acl_m_whitelistreason
        log_message = Whitelisted: $acl_m_whitelistreason

    accept
        condition  = ${if eq {$acl_m_iswhitelisted}{1}}

    deny
        message = Message headers fail syntax check.
        !verify = header_syntax

    defer
        message = No verifiable sender address in message headers.
        !verify = header_sender

    warn
        set acl_m_rejectmessage = ${lookup pgsql{SQL_REJECT_MESSAGE}}

    warn
        condition                  = ${if eq {$acl_m_quarantine}{1}}
        malware                    = *
        condition                  = ${if eq {$acl_m_antivirus}{1}}
        set acl_m_logmail          = ${lookup pgsql{SQL_LOG_MALWARE}}
        set acl_m_sendtoquarantine = 1

    warn
        condition                  = ${if eq {$acl_m_quarantine}{1}}
        spam                       = Debian-exim:true
        condition                  = ${if eq {$acl_m_antispam}{1}}
        condition                  = ${if > {$spam_score_int}{$acl_m_spamscore}}
        set acl_m_logmail          = ${lookup pgsql{SQL_LOG_SPAM}}
        set acl_m_sendtoquarantine = 1

    deny
        condition         = ${if eq {$acl_m_quarantine}{0}}
        message           = ${if eq{$acl_m_rejectmessage}{}{Message appears to be infected with $malware_name.}{$acl_m_rejectmessage}}
        malware           = *
        condition         = ${if eq {$acl_m_antivirus}{1}}
        set acl_m_logmail = ${lookup pgsql{SQL_LOG_MALWARE}}

    deny
        condition         = ${if eq {$acl_m_quarantine}{0}}
        message           = ${if eq{$acl_m_rejectmessage}{}{Your message scored $spam_score points.}{$acl_m_rejectmessage}}
        spam              = Debian-exim:true
        condition         = ${if eq {$acl_m_antispam}{1}}
        condition         = ${if > {$spam_score_int}{$acl_m_spamscore}}
        set acl_m_logmail = ${lookup pgsql{SQL_LOG_SPAM}}

    warn
        set acl_m_logmail = ${lookup pgsql{SQL_LOG_NORMAL}}

    accept

begin routers

    hmx_quarantine:
        driver    = redirect
        data      = ${lookup pgsql{SQL_QADDRESS}}
        condition = ${if eq {$acl_m_sendtoquarantine}{1}}

    hmx_routed:
        driver     = manualroute
        domains    = ${lookup pgsql{SQL_ROUTED_DOMAINS}}
        route_data = ${lookup pgsql{SQL_MAILROUTE}}
        transport  = remote_smtp

    hmx_virtual:
        driver  = redirect
        domains = ${lookup pgsql{SQL_VIRTUAL_DOMAINS}}
        data    = ${lookup pgsql{SQL_VIRTUAL_REDIRECT}}

    nothmx:
        driver    = dnslookup
        transport = remote_smtp

begin transports

    remote_smtp:
        driver         = smtp
        hosts_try_auth = ${lookup pgsql{SQL_AUTH_HOSTS}}

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

PASSWDLINE=${sg{\
                ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
                }\
                {\\N[\\^]\\N}\
                {^^}\
            }

plain:
    driver      = plaintext
    public_name = PLAIN
    client_send = "<; ^${extract{1}{:}{PASSWDLINE}}^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"