###################################################################### # Runtime configuration file for Exim # ###################################################################### # This is a default configuration file which will operate correctly in # uncomplicated installations. Please see the manual for a complete list # of all the runtime configuration options that can be included in a # configuration file. There are many more than are mentioned here. The # manual is in the file doc/spec.txt in the Exim distribution as a plain # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available # from the Exim ftp sites. The manual is also online at the Exim web sites. # This file is divided into several parts, all but the first of which are # headed by a line starting with the word "begin". Only those parts that # are required need to be present. Blank lines, and lines starting with # # are ignored. ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### # # # Whenever you change Exim's configuration file, you *must* remember to # # HUP the Exim daemon, because it will not pick up the new configuration # # until you do. However, any other Exim processes that are started, for # # example, a process started by an MUA in order to send a message, will # # see the new configuration as soon as it is in place. # # # # You do not need to HUP the daemon for changes in auxiliary files that # # are referenced from this file. They are read every time they are used. # # # # It is usually a good idea to test a new configuration for syntactic # # correctness before installing it (for example, by running the command # # "exim -C /config/file.new -bV"). # # # ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### GRAYLIST_TEST = SELECT CASE \ WHEN now() - block_expires > 0 THEN 2 \ ELSE 1 \ END \ FROM exim.relaytofrom \ WHERE relay_ip='${quote_pgsql:$sender_host_address}' \ AND from_domain='${quote_pgsql:$sender_address_domain}' GRAYLIST_ADD = INSERT INTO exim.relaytofrom (relay_ip, from_domain) \ VALUES ( '${quote_pgsql:$sender_host_address}', \ '${quote_pgsql:$sender_address_domain}') hide pgsql_servers = db.theinternetco.net/theinternetco.net/exim/password:localhost/theinternetco.net/exim/password # Home dir for your Mailman installation -- aka Mailman's prefix # directory. MAILMAN_WRAP=/usr/lib/mailman/mail/mailman #spamd_address = /var/run/spamd.sock smtp_receive_timeout = 30s # Stupid Exchange! helo_allow_chars = _ ###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### # Specify your host's canonical name here. This should normally be the fully # qualified "official" name of your host. If this option is not set, the # uname() function is called to obtain the name. In many cases this does # the right thing and you need not set anything explicitly. # primary_hostname = local_interfaces = <; 0.0.0.0.25; ::0.25 extra_local_interfaces = <; ::0 ; 0.0.0.0 smtp_accept_max = 300 # The next three settings create two lists of domains and one list of hosts. # These lists are referred to later in this configuration using the syntax # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They # are all colon-separated lists: domainlist virtual_domains = dsearch;/etc/mail/virtual/$primary_hostname domainlist real_domains = @:dsearch;/etc/mail/real/$primary_hostname domainlist local_domains = +virtual_domains:+real_domains domainlist relay_to_domains = \ dsearch;/etc/mail/virtual/sirius.theinternetco.net : \ dsearch;/etc/mail/virtual/procyon.theinternetco.net : \ dsearch;/etc/mail/virtual/arcturus.theinternetco.net : \ dsearch;/etc/mail/virtual/other hostlist relay_from_hosts = <, 127.0.0.1,206.168.67.0/24,206.168.119.0/25,66.118.192.0/19,2001:470:1f01:301::1/64,*.theinternetco.net # If You wish to enable support for clam antivirus, uncomment the following # lines here, and search for 'acl' section of this file (look for 'begin acl' # keyword). This will require clamav package to be installed and configured. # Other antivirus engines are also supported. Read # /usr/share/doc/exim-*/exiscan-acl-spec.txt.gz for more info. av_scanner = clamd:/var/lib/clamav/clamd.socket acl_smtp_data = acl_check_data system_filter = /etc/mail/system.filter system_filter_user = exim # Most straightforward access control requirements can be obtained by # appropriate settings of the above options. In more complicated situations, you # may need to modify the Access Control List (ACL) which appears later in this # file. # The first setting specifies your local domains, for example: # # domainlist local_domains = my.first.domain : my.second.domain # # You can use "@" to mean "the name of the local host", as in the default # setting above. This is the name that is specified by primary_hostname, # as specified above (or defaulted). If you do not want to do any local # deliveries, remove the "@" rom the setting above. If you want to accept mail # addressed to your host's literal IP address, for example, mail addressed to # "user@[192.168.23.44]", you can add "@[]" as an item in the local domains # list. You also need to uncomment "allow_domain_literals" below. This is not # recommended for today's Internet. # The second setting specifies domains for which your host is an incoming relay. # If you are not doing any relaying, you should leave the list empty. However, # if your host is an MX backup or gateway of some kind for some domains, you # must set relay_to_domains to match those domains. For example: # # domainlist relay_to_domains = *.myco.com : my.friend.org # # This will allow any host to relay through your host to those domains. # See the section of the manual entitled "Control of relaying" for more # information. # The third setting specifies hosts that can use your host as an outgoing relay # to any other host on the Internet. Such a setting commonly refers to a # complete local network as well as the localhost. For example: # # hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16 # # The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you # have to include 127.0.0.1 if you want to allow processes on your host to send # SMTP mail by using the loopback address. A number of MUAs use this method of # sending mail. # All three of these lists may contain many different kinds of item, including # wildcarded names, regular expressions, and file lookups. See the reference # manual for details. The lists above are used in the access control list for # incoming messages. The name of this ACL is defined here: acl_smtp_rcpt = acl_check_rcpt # You should not change that setting until you understand how ACLs work. # Specify the domain you want to be added to all unqualified addresses # here. An unqualified address is one that does not contain an "@" character # followed by a domain. For example, "caesar@rome.ex" is a fully qualified # address, but the string "caesar" (i.e. just a login name) is an unqualified # email address. Unqualified addresses are accepted only from local callers by # default. See the recipient_unqualified_hosts option if you want to permit # unqualified addresses from remote sources. If this option is not set, the # primary_hostname value is used for qualification. qualify_domain = independence.net # If you want unqualified recipient addresses to be qualified with a different # domain to unqualified sender addresses, specify the recipient domain here. # If this option is not set, the qualify_domain value is used. # qualify_recipient = # The following line must be uncommented if you want Exim to recognize # addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" # (an IP address) instead of a named domain. The RFCs still require this form, # but it makes little sense to permit mail to be sent to specific hosts by # their IP address in the modern Internet. This ancient format has been used # by those seeking to abuse hosts by using them for unwanted relaying. If you # really do want to support domain literals, uncomment the following line, and # see also the "domain_literal" router below. # allow_domain_literals # No deliveries will ever be run under the uids of these users (a colon- # separated list). An attempt to do so causes a panic error to be logged, and # the delivery to be deferred. This is a paranoic safety catch. Note that the # default setting means you cannot deliver mail addressed to root as if it # were a normal user. This isn't usually a problem, as most sites have an alias # for root that redirects such mail to a human administrator. never_users = root untrusted_set_sender = http # The setting below causes Exim to do a reverse DNS lookup on all incoming # IP calls, in order to get the true host name. If you feel this is too # expensive, you can specify the networks for which a lookup is done, or # remove the setting entirely. host_lookup = 206.168.0.0/16 # The settings below, which are actually the same as the defaults in the # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP # calls. You can limit the hosts to which these calls are made, and/or change # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls # are disabled. RFC 1413 calls are cheap and can provide useful information # for tracing problem messages, but some hosts and firewalls have problems # with them. This can result in a timeout instead of an immediate refused # connection, leading to delays on starting up an SMTP session. rfc1413_hosts = rfc1413_query_timeout = 30s # By default, Exim expects all envelope addresses to be fully qualified, that # is, they must contain both a local part and a domain. If you want to accept # unqualified addresses (just a local part) from certain hosts, you can specify # these hosts by setting one or both of # # sender_unqualified_hosts = # recipient_unqualified_hosts = # # to control sender and recipient addresses, respectively. When this is done, # unqualified addresses are qualified using the settings of qualify_domain # and/or qualify_recipient (see above). # If you want Exim to support the "percent hack" for certain domains, # uncomment the following line and provide a list of domains. The "percent # hack" is the feature by which mail addressed to x%y@z (where z is one of # the domains listed) is locally rerouted to x@y and sent on. If z is not one # of the "percent hack" domains, x%y is treated as an ordinary local part. This # hack is rarely needed nowadays; you should not enable it unless you are sure # that you really need it. # # percent_hack_domains = # # As well as setting this option you will also need to remove the test # for local parts containing % in the ACL definition below. # When Exim can neither deliver a message nor return it to sender, it "freezes" # the delivery error message (aka "bounce message"). There are also other # circumstances in which messages get frozen. They will stay on the queue for # ever unless one of the following options is set. # This option unfreezes frozen bounce messages after two days, tries # once more to deliver them, and ignores any delivery failures. ignore_bounce_errors_after = 2d # This option cancels (removes) frozen messages that are older than a week. timeout_frozen_after = 7d ###################################################################### # ACL CONFIGURATION # # Specifies access control lists for incoming SMTP mail # ###################################################################### begin acl # This access control list is used for every message after DATA command in # incoming SMTP connection. It's used mainly for malware (viruses) scanning. # Uncomment it, 'av_scanner' and 'acl_smtp_data' to enable support for # antivirus software. Read /usr/share/doc/exim-*/exiscan-acl-spec.txt.gz # for detailed instructions. Also remember to change 'mysecret' to # something else. This will add cryptographic "checks done" header that # will prevent re-scanning when the message re-visits one of your mail # servers, and the body size did not change. acl_check_data: accept condition = ${if eq {${hmac{md5}{mysecret}{$body_linecount}}}{$h_X-Scan-Signature:} {1}{0}} accept condition = ${if eq {$acl_m1}{postmaster}{1}{0}} deny message = $found_extension files are not accepted here demime = vbs:bat:pif:scr:vbs:wsh:dll warn message = X-MIME-Warning: Serious MIME defect detected ($demime_reason) condition = ${if >{$message_size}{100000}{0}{1}} demime = * condition = ${if >{$demime_errorlevel}{2}{1}{0}} deny message = Virus found :$malware_name condition = ${if >{$message_size}{100000}{0}{1}} demime = * malware = * warn message = X-Scan-Signature: ${hmac{md5}{mysecret}{$body_linecount}} accept authenticated = * # -------- SPAM ---------------- # put headers in all messages (no matter if spam or not) # warn message = X-Spam-Score: $spam_score ($spam_bar) # condition = ${if >{$message_size}{100000}{0}{1}} # spam = $acl_m0:true # warn message = X-Spam-Report: $spam_report # condition = ${if >{$message_size}{100000}{0}{1}} # spam = $acl_m0:true # warn message = Junk: yes # condition = ${if >{$message_size}{100000}{0}{1}} # spam = $acl_m0 # condition = ${if >{$spam_score_int}{60}{1}{0}} # add second subject line with *SPAM* marker when message # is over threshold # warn message = X-New-Subject: *SPAM* $h_subject: # condition = ${if >{$message_size}{100000}{0}{1}} # condition = ${lookup {$local_part} lsearch{/etc/mail/unfilteredusers}{false}{true}} # spam = $acl_m0 # condition = ${if >{$spam_score_int}{60}{1}{0}} # # # reject spam at high scores (> 15) # deny message = This message scored $spam_score spam points. # condition = ${if >{$message_size}{100000}{0}{1}} # condition = ${if >{$spam_score_int}{150}{1}{0}} # spam = $acl_m0:true # -------- ACCEPT -------------- accept # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. acl_check_rcpt: warn set acl_m0 = ${if eq{${lookup passwd{$local_part@$domain}{1}{0}}}{1}{$local_part@$domain}{$local_part}} warn set acl_m1 = $local_part # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by # testing for an empty sending host field. accept hosts = : # Perform greylist test warn set acl_m2 = ${lookup pgsql{GRAYLIST_TEST}{$value}{0}} # Deny if the local part contains @ or % or / or | or !. These are rarely # found in genuine local parts, but are often tried by people looking to # circumvent relaying restrictions. deny local_parts = ^.*[@%!/|] # Accept mail to postmaster in any local domain, regardless of the source, # and without verifying the sender. accept local_parts = postmaster domains = +local_domains accept local_parts = daddyray domains = independence.net # Deny unless the sender address can be verified. require verify = sender # Accept if the message comes from one of the hosts for which we are an # outgoing relay. Recipient verification is omitted here, because in many # cases the clients are dumb MUAs that don't cope well with SMTP error # responses. If you are actually relaying out from MTAs, you should probably # add recipient verification here. accept hosts = +relay_from_hosts # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient # verification is omitted. accept authenticated = * #deny message = $sender_host_address is not allowed to send mail from $sender_address_domain # spf = fail ############################################################################# # There are no checks on DNS "black" lists because the domains that contain # these lists are changing all the time. However, here are two examples of # how you could get Exim to perform a DNS black list lookup at this point. # The first one denies, while the second just warns. # # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # dnslists = black.list.example # # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain # dnslists = black.list.example ############################################################################# # Perform greylist defer defer message = Greylisted - please try again a little later. condition = ${if eq{$acl_m2}{0}{1}} condition = ${lookup pgsql{GRAYLIST_ADD}{yes}{no}} defer message = Greylisted - please try again shortly. condition = ${if eq{$acl_m2}{1}{1}} deny senders = hosts = 166.102.165.0/24 recipients = bowen@independence.net # Accept if the address is in a local domain, but only if the recipient can # be verified. Otherwise deny. The "endpass" line is the border between # passing on to the next ACL statement (if tests above it fail) or denying # access (if tests below it fail). accept domains = +local_domains endpass message = unknown user verify = recipient # Accept if the address is in a domain for which we are relaying, but again, # only if the recipient can be verified. accept domains = +relay_to_domains endpass message = unrouteable address (not in list) verify = recipient # If control reaches this point, the domain is neither in +local_domains # nor in +relay_to_domains. # Reaching the end of the ACL causes a "deny", but we might as well give # an explicit message. deny message = relay not permitted ###################################################################### # ROUTERS CONFIGURATION # # Specifies how addresses are handled # ###################################################################### # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # # An address is passed to each router in turn until it is accepted. # ###################################################################### begin routers # This router routes to remote hosts over SMTP by explicit IP address, # when an email address is given in "domain literal" form, for example, # . The RFCs require this facility. However, it is # little-known these days, and has been exploited by evil people seeking # to abuse SMTP relays. Consequently it is commented out in the default # configuration. If you uncomment this router, you also need to uncomment # allow_domain_literals above, so that Exim can recognize the syntax of # domain literal addresses. # domain_literal: # driver = ipliteral # transport = remote_smtp # This router routes addresses that are not in local domains by doing a DNS # lookup on the domain name. Any domain that resolves to a loopback interface # address (127.0.0.0/8) is treated as if it had no DNS entry. If the DNS # lookup fails, no further routers are tried because of the no_more setting, # and consequently the address is unrouteable. dnslookup: driver = dnslookup # driver = manualroute # route_list = "* procyon.theinternetco.net" domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 127.0.0.0/8 no_more # The remaining routers handle addresses in the local domain(s). # This router handles aliasing using a traditional /etc/mail/aliases file. # ##### NB You must ensure that /etc/mail/aliases exists. It used to be the case ##### NB that every Unix had that file, because it was the Sendmail default. ##### NB These days, there are systems that don't have it. Your aliases ##### NB file should at least contain an alias for "postmaster". # # If any of your aliases expand to pipes or files, you will need to set # up a user and a group for these deliveries to run under. You can do # this by uncommenting the "user" option below (changing the user name # as appropriate) and adding a "group" option if necessary. Alternatively, you # can specify "user" on the transports that are used. Note that the transports # listed below are the same as are used for .forward files; you might want # to set up different ones for pipe and file deliveries from aliases. system_aliases: driver = redirect allow_fail allow_defer data = ${lookup{$local_part}lsearch{/etc/mail/aliases}} # user = exim file_transport = address_file pipe_transport = address_pipe # This router handles forwarding using traditional .forward files in users' # home directories. If you want it also to allow mail filtering when a forward # file starts with the string "# Exim filter", uncomment the "allow_filter" # option. # The no_verify setting means that this router is skipped when Exim is # verifying addresses. Similarly, no_expn means that this router is skipped if # Exim is processing an EXPN command. # The check_ancestor option means that if the forward file generates an # address that is an ancestor of the current one, the current one gets # passed on instead. This covers the case where A is aliased to B and B # has a .forward file pointing to A. mailman_router: driver = accept require_files = /var/spool/mailman/lists/$local_part/config.pck user=mailman group=mailman local_part_suffix_optional local_part_suffix = -bounces : -bounces+* : \ -confirm+* : -join : -leave : \ -owner : -request : -admin transport = mailman_transport domains = mail.theinternetco.net:lists.rubyarchive.org:lists.quickcard.biz # The three transports specified at the end are those that are used when # forwarding generates a direct delivery to a file, or to a pipe, or sets # up an auto-reply, respectively. virtual_aliases: driver = redirect domains = +virtual_domains data = ${lookup{$local_part}lsearch*{/etc/mail/virtual/$primary_hostname/$domain}} pipe_transport = address_pipe real_aliases: driver = redirect allow_fail domains = +real_domains data = ${lookup{$local_part}lsearch*{/etc/mail/real/$primary_hostname/$domain}} pipe_transport = address_pipe user = exim rumble: driver = accept transport = rumble domains = lists.ridgway.us domain_user_forward: driver = redirect condition = ${lookup passwd{$local_part@$domain} {1} {0}} user = $local_part@$domain domains = dsearch;/etc/mail/virtual/$primary_hostname file = ${extract{5}{:}{${lookup passwd{$local_part@$domain}}}}/.forward no_verify no_expn check_ancestor allow_filter file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply domainuser_junk: driver = accept domains = dsearch;/etc/mail/virtual/$primary_hostname user = $local_part@$domain transport = domain_delivery_junk condition = ${if and{\ {or{{def:header_Junk:}{def:header_Junk:}}}\ {eq {${lookup {$local_part@$domain} lsearch{/etc/mail/unfilteredusers} {0}{1} }}{1}}\ }{${lookup passwd{$local_part@$domain} {1} {0}}}{0}} domain_user: driver = accept domains = dsearch;/etc/mail/virtual/$primary_hostname user = $local_part@$domain condition = ${lookup passwd{$local_part@$domain} {1} {0}} transport = domain_delivery userforward: driver = redirect check_local_user domains = +real_domains file = $home/.forward no_verify no_expn check_ancestor allow_filter file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply localuser_junk: driver = accept check_local_user domains = +real_domains transport = local_delivery_junk condition = ${if and{{or{{def:header_Junk:}{def:header_Junk:}}}{eq {${lookup {$local_part} lsearch{/etc/mail/unfilteredusers} {no}{yes} }}{yes}}}{yes}{no}} # This router matches local user mailboxes. localuser: driver = accept check_local_user domains = +real_domains transport = local_delivery ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### # ORDER DOES NOT MATTER # # Only one appropriate transport is called for each delivery. # ###################################################################### # A transport is used only when referenced from a router that successfully # handles an address. begin transports # This transport is used for delivering messages over SMTP connections. remote_smtp: driver = smtp # This transport is used for local delivery to user mailboxes in traditional # BSD mailbox format. By default it will be run under the uid and gid of the # local user, and requires the sticky bit to be set on the /var/mail directory. # Some systems use the alternative approach of running mail deliveries under a # particular group instead of using the sticky bit. The commented options below # show how this can be done. mailman_transport: driver = pipe command = MAILMAN_WRAP \ '${if def:local_part_suffix \ {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \ {post}}' \ $local_part current_directory = /var/lib/mailman home_directory = /var/lib/mailman user = mailman group = mailman local_delivery: driver = appendfile directory = $home/Maildir maildir_format = true delivery_date_add envelope_to_add return_path_add # group = mail # mode = 0660 local_delivery_junk: driver = appendfile directory = $home/Maildir/.Junk maildir_format = true delivery_date_add envelope_to_add return_path_add domain_delivery: driver = appendfile directory = ${extract{5}{:}{${lookup passwd{$local_part@$domain}}}}/Maildir user = $local_part@$domain maildir_format = true delivery_date_add envelope_to_add return_path_add domain_delivery_junk: driver = appendfile directory = ${extract{5}{:}{${lookup passwd{$local_part@$domain}}}}/Maildir/.Junk user = $local_part@$domain maildir_format = true delivery_date_add envelope_to_add return_path_add rumble: driver = pipe command = "/usr/bin/rumble" user = dev.theinternetco.net group = dev.theinternetco.net # This transport is used for handling pipe deliveries generated by alias or # .forward files. If the pipe generates any standard output, it is returned # to the sender of the message as a delivery error. Set return_fail_output # instead of return_output if you want this to happen only when the pipe fails # to complete normally. You can set different transports for aliases and # forwards if you want to - see the references to address_pipe in the routers # section above. address_pipe: driver = pipe return_output # This transport is used for handling deliveries directly to files that are # generated by aliasing or forwarding. address_file: driver = appendfile delivery_date_add envelope_to_add return_path_add # This transport is used for handling autoreplies generated by the filtering # option of the userforward router. address_reply: driver = autoreply ###################################################################### # RETRY CONFIGURATION # ###################################################################### begin retry # This single retry rule applies to all domains and all errors. It specifies # retries every 15 minutes for 2 hours, then increasing retry intervals, # starting at 1 hour and increasing each time by a factor of 1.5, up to 16 # hours, then retries every 6 hours until 4 days have passed since the first # failed delivery. # Domain Error Retries # ------ ----- ------- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h ###################################################################### # REWRITE CONFIGURATION # ###################################################################### # There are no rewriting specifications in this default configuration file. begin rewrite ###################################################################### # AUTHENTICATION CONFIGURATION # ###################################################################### # There are no authenticator specifications in this default configuration file. begin authenticators # Uncomment lines below to enable SMTP AUTH support. Be aware that this # requires cyrus-sasl-saslauthd package to be installed. plain: driver = plaintext public_name = PLAIN server_prompts = : server_condition = ${if saslauthd{{$2}{$3}{smtp}}{1}{0}} server_set_id = $2 login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}} server_set_id = $1 # End of Exim configuration file