1 | Date: Mon, 2 Dec 2002 10:35:06 +0000 |
2 | From: Mike Richardson <doctor@mcc.ac.uk> | |
3 | ||
4 | Hiya, | |
5 | ||
6 | I thought I'd submit this as an example of an authenticated mail hub | |
7 | configuration. Several people have asked for it so I thought it | |
8 | might be of interest. | |
9 | ||
10 | Authenticated mail hubs which authenticate against LDAP and simply | |
11 | forward mail to central mailrouters. X headers are added for audit | |
12 | trail purposes. | |
13 | ||
14 | Config: | |
15 | ######################################################################### | |
16 | ||
 | # Recipient checking is delegated to the acl_check_rcpt ACL defined below. | |
17 | acl_smtp_rcpt = acl_check_rcpt | |
18 | ||
 | # Bounces that cannot be delivered are dropped after 12h; frozen messages | |
 | # are timed out after 3d so the queue does not fill with undeliverables. | |
19 | ignore_bounce_errors_after = 12h | |
20 | ||
21 | timeout_frozen_after = 3d | |
22 | ||
23 | # LDAP server: | |
 | # "hide" keeps the value out of "exim -bP" output for non-admin users. | |
24 | ||
25 | hide ldap_default_servers=ldap.your.site | |
26 | ||
27 | # SSL options. advertise TLS but don't insist on it. | |
 | # NOTE(review): because TLS is optional and the PLAIN/LOGIN authenticators | |
 | # below carry no server_advertise_condition, a client may send its password | |
 | # in clear over an unencrypted session. Adding | |
 | # server_advertise_condition = ${if def:tls_cipher {yes}{no}} to each | |
 | # authenticator confines them to TLS sessions. | |
 | # NOTE(review): tls_verify_hosts = * asks every client for a certificate, but | |
 | # tls_verify_certificates is not set here - confirm what is actually verified. | |
28 | ||
29 | tls_advertise_hosts=* | |
30 | tls_certificate=/var/cert/securemail.your.site.cert | |
31 | tls_privatekey=/var/cert/securemail.your.site.key | |
32 | tls_verify_hosts= * | |
33 | ||
34 | # Remove the queue runner logs and add logging of the interface, protocols | |
35 | # and connections. Useful for debugging when users are having difficulty | |
36 | # configuring and connecting. Many ISPs use Transparent Proxying | |
37 | ||
38 | log_selector= +incoming_interface -queue_run +smtp_protocol_error | |
39 | +smtp_syntax_error +smtp_connection | |
40 | ||
41 | # SMTP input limits. Some connections are reserved for local users. | |
 | # Once more than (smtp_accept_max - smtp_accept_reserve) connections are | |
 | # open, only hosts in smtp_reserve_hosts (the local /16) are still accepted. | |
42 | ||
43 | smtp_accept_max=200 | |
44 | smtp_accept_queue=150 | |
45 | smtp_accept_reserve=10 | |
46 | smtp_reserve_hosts=130.88.0.0/16 | |
47 | smtp_connect_backlog=100 | |
48 | ||
49 | # Overloading | |
 | # Above load 5 incoming mail is queued rather than delivered immediately; | |
 | # above load 7 queue runs stop delivering. | |
50 | ||
51 | queue_only_load=5 | |
52 | deliver_queue_load_max=7 | |
53 | ||
54 | # Message size limits | |
 | # Incoming messages over 10M are rejected; bounces carry at most 65535 bytes | |
 | # of the original message. | |
55 | ||
56 | message_size_limit=10M | |
57 | return_size_limit=65535 | |
58 | ||
59 | # Spool space check | |
 | # Incoming messages are refused when less than 100M of spool space is free. | |
60 | ||
61 | check_spool_space=100M | |
62 | ||
63 | # directory splitting | |
64 | ||
65 | split_spool_directory | |
66 | ||
67 | # Parallel remote deliver | |
68 | ||
69 | remote_max_parallel = 10 | |
70 | ||
71 | # My system filter is to create extra logging info for X-Mailer info. | |
 | # /etc/systemfilter is not shown in this excerpt; it runs as user "exim". | |
72 | ||
73 | system_filter=/etc/systemfilter | |
74 | system_filter_user=exim | |
75 | ||
76 | # Listen on multiple interfaces to defeat transparent proxying | |
 | # Ports 25, 465 and 587 on a single address. NOTE(review): nothing in this | |
 | # excerpt enables TLS-on-connect for port 465 - confirm how it is served. | |
77 | ||
78 | local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587 | |
79 | ||
80 | # Only accept local traffic and authenticated stuff. | |
81 | # Error message points to useful web page. | |
 | # Statements are evaluated in order; the first accept/deny that matches wins. | |
82 | ||
83 | acl_check_rcpt: | |
84 | ||
 | # The empty host item matches local (non-TCP/IP) submissions. | |
85 | accept hosts = : | |
 | # Reject local parts containing source-routing or pipe characters. | |
86 | deny local_parts = ^.*[@%!/|] | |
 | # The sender address must verify (be routable) before going any further. | |
87 | require verify = sender | |
88 | ||
 | # Any client that completed SMTP AUTH may relay to any recipient. | |
89 | accept authenticated = * | |
90 | ||
 | # Everything else (unauthenticated remote clients) is refused. | |
91 | deny message = Not authenticated, see http://www.useful.web.page/ | |
92 | ||
93 | ||
94 | ||
95 | ###################################################################### | |
96 | # ROUTERS CONFIGURATION # | |
97 | # Specifies how addresses are handled # | |
98 | ###################################################################### | |
99 | ||
100 | begin routers | |
101 | ||
102 | # Manual route to force all traffic through our hubs which handle all | |
103 | # the alias expansion, domain routing etc. | |
104 | # I add an X header for audit trail purposes but no more information than | |
105 | # would be expected from a legitimate email. Don't want to upset the DPA | |
106 | # people | |
 | # The domainlist local_domains is assumed to be defined outside this excerpt. | |
107 | ||
108 | smarthost: | |
 | # Every non-local domain is handed to mailrouter.your.site over remote_smtp. | |
109 | driver = manualroute | |
 | # Adds the authenticated user's cn and mail attributes plus the client host. | |
 | # NOTE(review): $authenticated_id is spliced into an LDAP filter unquoted; | |
 | # ${quote_ldap:$authenticated_id} would escape any filter metacharacters. | |
110 | headers_add =X-Authenticated-Sender: ${lookup ldap\ | |
111 | {ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \ | |
112 | ${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\ | |
113 | {ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}} | |
114 | transport = remote_smtp | |
115 | domains = ! +local_domains | |
116 | route_list=* mailrouter.your.site | |
 | # A hub resolving to the unspecified or loopback range is never used. | |
117 | ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 | |
 | # If this router declines, no later router is tried for the address. | |
118 | no_more | |
119 | ||
120 | # All other routes as per normal... | |
121 | ||
122 | ||
123 | ###################################################################### | |
124 | # AUTHENTICATION CONFIGURATION # | |
125 | ###################################################################### | |
126 | ||
127 | # This only supports PLAIN and LOGIN due to the nature of our LDAP server. | |
 | # Both authenticators look up the user's DN by uid, bind to LDAP as that DN | |
 | # with the supplied password, and succeed only if the bind succeeds. | |
 | # NOTE(review): the client-supplied username is spliced into the (uid=...) | |
 | # filters and the password into the lookup string unquoted; Exim's | |
 | # ${quote_ldap:...} and ${quote:...} operators exist to escape them. | |
 | # NOTE(review): some LDAP servers treat an empty password as an anonymous | |
 | # bind and report success - confirm the server refuses it, or fail the | |
 | # condition when the password variable is empty before doing the lookup. | |
128 | ||
129 | begin authenticators | |
130 | ||
 | # PLAIN: $2 is the authentication id, $3 the password; $1 (authorization | |
 | # id) is not used. | |
131 | plain: | |
132 | driver= plaintext | |
133 | public_name = PLAIN | |
134 | server_condition="${lookup ldap {user=\"${lookup \ | |
135 | ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{$value}{no}}\" pass=$3 \ | |
136 | ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{yes}{no}}" | |
 | # Recorded as $authenticated_id, which the smarthost router's headers use. | |
137 | server_set_id = $2 | |
138 | ||
 | # LOGIN: the client is prompted for username ($1) and password ($2) in turn. | |
139 | login: | |
140 | driver = plaintext | |
141 | public_name= LOGIN | |
142 | server_prompts = "Username:: : Password::" | |
143 | server_condition="${lookup ldap {user=\"${lookup \ | |
144 | ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{$value}{no}}\" pass=$2 \ | |
145 | ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{yes}{no}}" | |
146 | server_set_id=$1 | |
147 | # End of Exim configuration file | |
148 | ########################################################################## |