Commit | Line | Data |
---|---|---|
e0f3765a PH |
1 | # Below is an Exim 4 config file which is designed for an Exim server that |
2 | # is put in front of an Exchange 5.5 system but which verifies the valid | |
3 | # addresses that are stored in Exchange via LDAP lookups against the Exchange | |
4 | # server. The advantage being that I can do much more aggressive spam | |
5 | # fighting, make my own set of policy decisions etc, using the flexibility of | |
6 | # Exim while still supporting the Exchange system for final delivery (not my | |
7 | # ideal situation but the company relies on it). In any case, I thought this | |
8 | # was sufficiently useful and answers some semi-regular questions on the list, | |
9 | # that it might be included in either the FAQ or the sample configs. | |
10 | ||
11 | # From: Tabor J. Wells <twells@fsckit.net> | |
12 | # Date: Wed, 21 Aug 2002 11:16:36 -0400 | |
13 | ||
14 | ||
15 | ||
16 | ||
17 | ###################################################################### | |
18 | # Runtime configuration file for Exim # | |
19 | ###################################################################### | |
20 | ||
21 | ||
22 | # This is a default configuration file which will operate correctly in | |
23 | # uncomplicated installations. Please see the manual for a complete list | |
24 | # of all the runtime configuration options that can be included in a | |
25 | # configuration file. There are many more than are mentioned here. The | |
26 | # manual is in the file doc/spec.txt in the Exim distribution as a plain | |
27 | # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available | |
28 | # from the Exim ftp sites. The manual is also online at the Exim web sites. | |
29 | ||
30 | ||
31 | # This file is divided into several parts, all but the first of which are | |
32 | # headed by a line starting with the word "begin". Only those parts that | |
33 | # are required need to be present. Blank lines, and lines starting with # | |
34 | # are ignored. | |
35 | ||
36 | ||
37 | ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
38 | # # | |
39 | # Whenever you change Exim's configuration file, you *must* remember to # | |
40 | # HUP the Exim daemon, because it will not pick up the new configuration # | |
41 | # until you do. However, any other Exim processes that are started, for # | |
42 | # example, a process started by an MUA in order to send a message, will # | |
43 | # see the new configuration as soon as it is in place. # | |
44 | # # | |
45 | # You do not need to HUP the daemon for changes in auxiliary files that # | |
46 | # are referenced from this file. They are read every time they are used. # | |
47 | # # | |
48 | # It is usually a good idea to test a new configuration for syntactic # | |
49 | # correctness before installing it (for example, by running the command # | |
50 | # "exim -C /config/file.new -bV"). # | |
51 | # # | |
52 | ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
53 | ||
54 | ||
55 | ||
56 | ###################################################################### | |
57 | # MAIN CONFIGURATION SETTINGS # | |
58 | ###################################################################### | |
59 | ||
60 | # Specify your host's canonical name here. This should normally be the fully | |
61 | # qualified "official" name of your host. If this option is not set, the | |
62 | # uname() function is called to obtain the name. In many cases this does | |
63 | # the right thing and you need not set anything explicitly. | |
64 | ||
65 | # primary_hostname = | |
66 | ||
67 | ||
68 | # The next three settings create two lists of domains and one list of hosts. | |
69 | # These lists are referred to later in this configuration using the syntax | |
70 | # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They | |
71 | # are all colon-separated lists: | |
72 | ||
73 | domainlist local_domains = @ : dbm;/etc/exim/db/localdomains.db | |
74 | domainlist relay_to_domains = | |
75 | hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 | |
76 | ||
77 | # Most straightforward access control requirements can be obtained by | |
78 | # appropriate settings of the above options. In more complicated situations, you | |
79 | # may need to modify the Access Control List (ACL) which appears later in this | |
80 | # file. | |
81 | ||
82 | # The first setting specifies your local domains, for example: | |
83 | # | |
84 | # domainlist local_domains = my.first.domain : my.second.domain | |
85 | # | |
86 | # You can use "@" to mean "the name of the local host", as in the default | |
87 | # setting above. This is the name that is specified by primary_hostname, | |
88 | # as specified above (or defaulted). If you do not want to do any local | |
89 | # deliveries, remove the "@" from the setting above. If you want to accept mail | |
90 | # addressed to your host's literal IP address, for example, mail addressed to | |
91 | # "user@[192.168.23.44]", you can add "@[]" as an item in the local domains | |
92 | # list. You also need to uncomment "allow_domain_literals" below. This is not | |
93 | # recommended for today's Internet. | |
94 | ||
95 | # The second setting specifies domains for which your host is an incoming relay. | |
96 | # If you are not doing any relaying, you should leave the list empty. However, | |
97 | # if your host is an MX backup or gateway of some kind for some domains, you | |
98 | # must set relay_to_domains to match those domains. For example: | |
99 | # | |
100 | # domainlist relay_to_domains = *.myco.com : my.friend.org | |
101 | # | |
102 | # This will allow any host to relay through your host to those domains. | |
103 | # See the section of the manual entitled "Control of relaying" for more | |
104 | # information. | |
105 | ||
106 | # The third setting specifies hosts that can use your host as an outgoing relay | |
107 | # to any other host on the Internet. Such a setting commonly refers to a | |
108 | # complete local network as well as the localhost. For example: | |
109 | # | |
110 | # hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16 | |
111 | # | |
112 | # The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you | |
113 | # have to include 127.0.0.1 if you want to allow processes on your host to send | |
114 | # SMTP mail by using the loopback address. A number of MUAs use this method of | |
115 | # sending mail. | |
116 | ||
117 | ||
118 | # All three of these lists may contain many different kinds of item, including | |
119 | # wildcarded names, regular expressions, and file lookups. See the reference | |
120 | # manual for details. The lists above are used in the access control list for | |
121 | # incoming messages. The name of this ACL is defined here: | |
122 | ||
123 | acl_smtp_rcpt = acl_check_rcpt | |
124 | ||
125 | # You should not change that setting until you understand how ACLs work. | |
126 | ||
127 | ||
128 | # Specify the domain you want to be added to all unqualified addresses | |
129 | # here. An unqualified address is one that does not contain an "@" character | |
130 | # followed by a domain. For example, "caesar@rome.example" is a fully qualified | |
131 | # address, but the string "caesar" (i.e. just a login name) is an unqualified | |
132 | # email address. Unqualified addresses are accepted only from local callers by | |
133 | # default. See the recipient_unqualified_hosts option if you want to permit | |
134 | # unqualified addresses from remote sources. If this option is not set, the | |
135 | # primary_hostname value is used for qualification. | |
136 | ||
137 | # qualify_domain = | |
138 | ||
139 | ||
140 | # If you want unqualified recipient addresses to be qualified with a different | |
141 | # domain to unqualified sender addresses, specify the recipient domain here. | |
142 | # If this option is not set, the qualify_domain value is used. | |
143 | ||
144 | # qualify_recipient = | |
145 | ||
146 | ||
147 | # The following line must be uncommented if you want Exim to recognize | |
148 | # addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" | |
149 | # (an IP address) instead of a named domain. The RFCs still require this form, | |
150 | # but it makes little sense to permit mail to be sent to specific hosts by | |
151 | # their IP address in the modern Internet. This ancient format has been used | |
152 | # by those seeking to abuse hosts by using them for unwanted relaying. If you | |
153 | # really do want to support domain literals, uncomment the following line, and | |
154 | # see also the "domain_literal" router below. | |
155 | ||
156 | # allow_domain_literals | |
157 | ||
158 | ||
159 | # No deliveries will ever be run under the uids of these users (a colon- | |
160 | # separated list). An attempt to do so causes a panic error to be logged, and | |
161 | # the delivery to be deferred. This is a paranoic safety catch. Note that the | |
162 | # default setting means you cannot deliver mail addressed to root as if it | |
163 | # were a normal user. This isn't usually a problem, as most sites have an alias | |
164 | # for root that redirects such mail to a human administrator. | |
165 | ||
166 | never_users = root | |
167 | ||
168 | ||
169 | # The setting below causes Exim to do a reverse DNS lookup on all incoming | |
170 | # IP calls, in order to get the true host name. If you feel this is too | |
171 | # expensive, you can specify the networks for which a lookup is done, or | |
172 | # remove the setting entirely. | |
173 | ||
174 | host_lookup = * | |
175 | ||
176 | ||
177 | # The settings below, which are actually the same as the defaults in the | |
178 | # code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP | |
179 | # calls. You can limit the hosts to which these calls are made, and/or change | |
180 | # the timeout that is used. If you set the timeout to zero, all RFC 1413 calls | |
181 | # are disabled. RFC 1413 calls are cheap and can provide useful information | |
182 | # for tracing problem messages, but some hosts and firewalls have problems | |
183 | # with them. This can result in a timeout instead of an immediate refused | |
184 | # connection, leading to delays on starting up an SMTP session. | |
185 | ||
186 | rfc1413_hosts = * | |
187 | rfc1413_query_timeout = 30s | |
188 | ||
189 | ||
190 | # By default, Exim expects all envelope addresses to be fully qualified, that | |
191 | # is, they must contain both a local part and a domain. If you want to accept | |
192 | # unqualified addresses (just a local part) from certain hosts, you can specify | |
193 | # these hosts by setting one or both of | |
194 | # | |
195 | # sender_unqualified_hosts = | |
196 | # recipient_unqualified_hosts = | |
197 | # | |
198 | # to control sender and recipient addresses, respectively. When this is done, | |
199 | # unqualified addresses are qualified using the settings of qualify_domain | |
200 | # and/or qualify_recipient (see above). | |
201 | ||
202 | ||
203 | # If you want Exim to support the "percent hack" for certain domains, | |
204 | # uncomment the following line and provide a list of domains. The "percent | |
205 | # hack" is the feature by which mail addressed to x%y@z (where z is one of | |
206 | # the domains listed) is locally rerouted to x@y and sent on. If z is not one | |
207 | # of the "percent hack" domains, x%y is treated as an ordinary local part. This | |
208 | # hack is rarely needed nowadays; you should not enable it unless you are sure | |
209 | # that you really need it. | |
210 | # | |
211 | # percent_hack_domains = | |
212 | # | |
213 | # As well as setting this option you will also need to remove the test | |
214 | # for local parts containing % in the ACL definition below. | |
215 | ||
216 | ||
217 | # When Exim can neither deliver a message nor return it to sender, it "freezes" | |
218 | # the delivery error message (aka "bounce message"). There are also other | |
219 | # circumstances in which messages get frozen. They will stay on the queue for | |
220 | # ever unless one of the following options is set. | |
221 | ||
222 | # This option unfreezes frozen bounce messages after two days, tries | |
223 | # once more to deliver them, and ignores any delivery failures. | |
224 | ||
225 | ignore_bounce_errors_after = 2d | |
226 | ||
227 | # This option cancels (removes) frozen messages that are older than a week. | |
228 | ||
229 | timeout_frozen_after = 7d | |
230 | ||
231 | # Defined LDAP default servers | |
232 | ldap_default_servers = 192.168.1.101 | |
233 | ||
234 | ||
235 | ||
236 | ###################################################################### | |
237 | # ACL CONFIGURATION # | |
238 | # Specifies access control lists for incoming SMTP mail # | |
239 | ###################################################################### | |
240 | ||
241 | begin acl | |
242 | ||
243 | # This access control list is used for every RCPT command in an incoming | |
244 | # SMTP message. The tests are run in order until the address is either | |
245 | # accepted or denied. | |
246 | ||
247 | acl_check_rcpt: | |
248 | ||
249 | # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by | |
250 | # testing for an empty sending host field. | |
251 | ||
252 | accept hosts = : | |
253 | ||
254 | # Deny if the local part contains @ or % or / or | or !. These are rarely | |
255 | # found in genuine local parts, but are often tried by people looking to | |
256 | # circumvent relaying restrictions. | |
257 | ||
258 | # Also deny if the local part starts with a dot. Empty components aren't | |
259 | # strictly legal in RFC 2822, but Exim allows them because this is common. | |
260 | # However, actually starting with a dot may cause trouble if the local part | |
261 | # is used as a file name (e.g. for a mailing list). | |
262 | ||
263 | deny local_parts = ^.*[@%!/|] : ^\\. | |
264 | ||
265 | # Accept mail to postmaster in any local domain, regardless of the source, | |
266 | # and without verifying the sender. | |
267 | ||
268 | accept local_parts = postmaster | |
269 | domains = +local_domains | |
270 | ||
271 | # Deny unless the sender address can be verified. | |
272 | ||
273 | require verify = sender | |
274 | ||
275 | ############################################################################# | |
276 | # There are no checks on DNS "black" lists because the domains that contain | |
277 | # these lists are changing all the time. However, here are two examples of | |
278 | # how you could get Exim to perform a DNS black list lookup at this point. | |
279 | # The first one denies, while the second just warns. | |
280 | # | |
281 | # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | |
282 | # dnslists = black.list.example | |
283 | # | |
284 | # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain | |
285 | # log_message = found in $dnslist_domain | |
286 | # dnslists = black.list.example | |
287 | ############################################################################# | |
288 | ||
289 | # Accept if the address is in a local domain, but only if the recipient can | |
290 | # be verified. Otherwise deny. The "endpass" line is the border between | |
291 | # passing on to the next ACL statement (if tests above it fail) or denying | |
292 | # access (if tests below it fail). | |
293 | ||
294 | accept domains = +local_domains | |
295 | endpass | |
296 | message = unknown user | |
297 | verify = recipient | |
298 | ||
299 | # Accept if the address is in a domain for which we are relaying, but again, | |
300 | # only if the recipient can be verified. | |
301 | ||
302 | accept domains = +relay_to_domains | |
303 | endpass | |
304 | message = unrouteable address | |
305 | verify = recipient | |
306 | ||
307 | # If control reaches this point, the domain is neither in +local_domains | |
308 | # nor in +relay_to_domains. | |
309 | ||
310 | # Accept if the message comes from one of the hosts for which we are an | |
311 | # outgoing relay. Recipient verification is omitted here, because in many | |
312 | # cases the clients are dumb MUAs that don't cope well with SMTP error | |
313 | # responses. If you are actually relaying out from MTAs, you should probably | |
314 | # add recipient verification here. | |
315 | ||
316 | accept hosts = +relay_from_hosts | |
317 | ||
318 | # Accept if the message arrived over an authenticated connection, from | |
319 | # any host. Again, these messages are usually from MUAs, so recipient | |
320 | # verification is omitted. | |
321 | ||
322 | accept authenticated = * | |
323 | ||
324 | # Reaching the end of the ACL causes a "deny", but we might as well give | |
325 | # an explicit message. | |
326 | ||
327 | deny message = relay not permitted | |
328 | ||
329 | ||
330 | ||
331 | ###################################################################### | |
332 | # ROUTERS CONFIGURATION # | |
333 | # Specifies how addresses are handled # | |
334 | ###################################################################### | |
335 | # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # | |
336 | # An address is passed to each router in turn until it is accepted. # | |
337 | ###################################################################### | |
338 | ||
339 | begin routers | |
340 | ||
341 | # This router routes to remote hosts over SMTP by explicit IP address, | |
342 | # when an email address is given in "domain literal" form, for example, | |
343 | # <user@[192.168.35.64]>. The RFCs require this facility. However, it is | |
344 | # little-known these days, and has been exploited by evil people seeking | |
345 | # to abuse SMTP relays. Consequently it is commented out in the default | |
346 | # configuration. If you uncomment this router, you also need to uncomment | |
347 | # allow_domain_literals above, so that Exim can recognize the syntax of | |
348 | # domain literal addresses. | |
349 | ||
350 | # domain_literal: | |
351 | # driver = ipliteral | |
352 | # domains = ! +local_domains | |
353 | # transport = remote_smtp | |
354 | ||
355 | ||
356 | # This router routes addresses that are not in local domains by doing a DNS | |
357 | # lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a | |
358 | # loopback interface address (127.0.0.0/8) is treated as if it had no DNS | |
359 | # entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated | |
360 | # as the local host inside the network stack. It is not 0.0.0.0/0, the default | |
361 | # route. If the DNS lookup fails, no further routers are tried because of | |
362 | # the no_more setting, and consequently the address is unrouteable. | |
363 | ||
364 | dnslookup: | |
365 | driver = dnslookup | |
366 | domains = ! +local_domains | |
367 | transport = remote_smtp | |
368 | ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : 172.16.0.0/12 | |
369 | no_more | |
370 | ||
371 | ||
372 | # The remaining routers handle addresses in the local domain(s). | |
373 | ||
374 | ||
375 | # This router handles aliasing using a traditional /etc/aliases file. | |
376 | # | |
377 | ##### NB You must ensure that /etc/aliases exists. It used to be the case | |
378 | ##### NB that every Unix had that file, because it was the Sendmail default. | |
379 | ##### NB These days, there are systems that don't have it. Your aliases | |
380 | ##### NB file should at least contain an alias for "postmaster". | |
381 | # | |
382 | # If any of your aliases expand to pipes or files, you will need to set | |
383 | # up a user and a group for these deliveries to run under. You can do | |
384 | # this by uncommenting the "user" option below (changing the user name | |
385 | # as appropriate) and adding a "group" option if necessary. Alternatively, you | |
386 | # can specify "user" on the transports that are used. Note that the transports | |
387 | # listed below are the same as are used for .forward files; you might want | |
388 | # to set up different ones for pipe and file deliveries from aliases. | |
389 | ||
390 | system_aliases: | |
391 | driver = redirect | |
392 | allow_fail | |
393 | allow_defer | |
394 | data = ${lookup{$local_part}lsearch{/etc/exim/txt/aliases.txt}} | |
395 | # user = exim | |
396 | file_transport = address_file | |
397 | pipe_transport = address_pipe | |
398 | ||
399 | # This router matches local user mailboxes. | |
400 | # Domains set to $primary_hostname so that I can route stuff locally as need | |
401 | # be but prevent user@mylocaldomain.com from delivering locally when 'user' | |
402 | # also matches the Exchange lookup below. | |
403 | ||
404 | localuser: | |
405 | driver = accept | |
406 | check_local_user | |
407 | domains = $primary_hostname | |
408 | transport = local_delivery | |
409 | no_more | |
410 | ||
411 | # Routers for lookups in LDAP on Exchange if they exist there then punt | |
412 | ||
413 | # First if it exists as a otherMailbox=smtp$user@example.com (Exchange's | |
414 | # format for aliases then substitute the canonical email address for this user | |
415 | # as defined by mail= | |
416 | ||
417 | exchangeothermailboxlookup: | |
418 | driver = redirect | |
419 | data = ${lookup ldap {ldap:///?mail?sub?(otherMailbox=smtp\$${quote_ldap:$local_part}@${quote_ldap:$domain})}} | |
420 | domains = dbm;/etc/exim/db/localdomains.db | |
421 | verify_recipient | |
422 | ||
423 | # This lookup verifies the mail=user@example.com format and if it exists | |
424 | # Pass to the the manualroute router which is used to punt to the internal | |
425 | # Exchange server as defined by domain. | |
426 | ||
427 | exchangemaillookup: | |
428 | driver = redirect | |
429 | data = ${lookup ldap {ldap:///?mail?sub?(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})}} | |
430 | domains = dbm;/etc/exim/db/localdomains.db | |
431 | verify_recipient | |
432 | self = pass | |
433 | pass_router = exchangeroute | |
434 | no_more | |
435 | ||
436 | # localdomains.db contain entries that look like: | |
437 | # example.com: 192.168.1.101 | |
438 | # example.net: 192.168.1.102 | |
439 | # etc. | |
440 | ||
441 | exchangeroute: | |
442 | driver = manualroute | |
443 | transport = remote_smtp | |
444 | route_data = ${lookup{$domain}dbm{/etc/exim/db/localdomains.db}} | |
445 | ||
446 | ###################################################################### | |
447 | # TRANSPORTS CONFIGURATION # | |
448 | ###################################################################### | |
449 | # ORDER DOES NOT MATTER # | |
450 | # Only one appropriate transport is called for each delivery. # | |
451 | ###################################################################### | |
452 | ||
453 | # A transport is used only when referenced from a router that successfully | |
454 | # handles an address. | |
455 | ||
456 | begin transports | |
457 | ||
458 | ||
459 | # This transport is used for delivering messages over SMTP connections. | |
460 | ||
461 | remote_smtp: | |
462 | driver = smtp | |
463 | ||
464 | ||
465 | # This transport is used for local delivery to user mailboxes in traditional | |
466 | # BSD mailbox format. By default it will be run under the uid and gid of the | |
467 | # local user, and requires the sticky bit to be set on the /var/mail directory. | |
468 | # Some systems use the alternative approach of running mail deliveries under a | |
469 | # particular group instead of using the sticky bit. The commented options below | |
470 | # show how this can be done. | |
471 | ||
472 | local_delivery: | |
473 | driver = appendfile | |
474 | file = /var/mail/$local_part | |
475 | delivery_date_add | |
476 | envelope_to_add | |
477 | return_path_add | |
478 | # group = mail | |
479 | # mode = 0660 | |
480 | ||
481 | ||
482 | # This transport is used for handling pipe deliveries generated by alias or | |
483 | # .forward files. If the pipe generates any standard output, it is returned | |
484 | # to the sender of the message as a delivery error. Set return_fail_output | |
485 | # instead of return_output if you want this to happen only when the pipe fails | |
486 | # to complete normally. You can set different transports for aliases and | |
487 | # forwards if you want to - see the references to address_pipe in the routers | |
488 | # section above. | |
489 | ||
490 | address_pipe: | |
491 | driver = pipe | |
492 | return_output | |
493 | ||
494 | ||
495 | # This transport is used for handling deliveries directly to files that are | |
496 | # generated by aliasing or forwarding. | |
497 | ||
498 | address_file: | |
499 | driver = appendfile | |
500 | delivery_date_add | |
501 | envelope_to_add | |
502 | return_path_add | |
503 | ||
504 | ||
505 | # This transport is used for handling autoreplies generated by the filtering | |
506 | # option of the userforward router. | |
507 | ||
508 | address_reply: | |
509 | driver = autoreply | |
510 | ||
511 | ||
512 | ||
513 | ###################################################################### | |
514 | # RETRY CONFIGURATION # | |
515 | ###################################################################### | |
516 | ||
517 | begin retry | |
518 | ||
519 | # This single retry rule applies to all domains and all errors. It specifies | |
520 | # retries every 15 minutes for 2 hours, then increasing retry intervals, | |
521 | # starting at 1 hour and increasing each time by a factor of 1.5, up to 16 | |
522 | # hours, then retries every 6 hours until 4 days have passed since the first | |
523 | # failed delivery. | |
524 | ||
525 | # Domain Error Retries | |
526 | # ------ ----- ------- | |
527 | ||
528 | * * F,2h,15m; G,16h,1h,1.5; F,4d,6h | |
529 | ||
530 | ||
531 | ||
532 | ###################################################################### | |
533 | # REWRITE CONFIGURATION # | |
534 | ###################################################################### | |
535 | ||
536 | # There are no rewriting specifications in this default configuration file. | |
537 | ||
538 | begin rewrite | |
539 | ||
540 | ||
541 | ||
542 | ###################################################################### | |
543 | # AUTHENTICATION CONFIGURATION # | |
544 | ###################################################################### | |
545 | ||
546 | # There are no authenticator specifications in this default configuration file. | |
547 | ||
548 | begin authenticators | |
549 | ||
550 | ||
551 | # End of Exim configuration file |