Commit | Line | Data |
---|---|---|
059ec3d9 PH |
1 | ###################################################################### |
2 | # Runtime configuration file for Exim # | |
3 | ###################################################################### | |
4 | ||
5 | ||
6 | # This is a default configuration file which will operate correctly in | |
7 | # uncomplicated installations. Please see the manual for a complete list | |
8 | # of all the runtime configuration options that can be included in a | |
9 | # configuration file. There are many more than are mentioned here. The | |
10 | # manual is in the file doc/spec.txt in the Exim distribution as a plain | |
11 | # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available | |
20f0f788 | 12 | # from the Exim ftp sites. The manual is also online at the Exim website. |
059ec3d9 PH |
13 | |
14 | ||
15 | # This file is divided into several parts, all but the first of which are | |
16 | # headed by a line starting with the word "begin". Only those parts that | |
17 | # are required need to be present. Blank lines, and lines starting with # | |
18 | # are ignored. | |
19 | ||
20 | ||
21 | ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
22 | # # | |
23 | # Whenever you change Exim's configuration file, you *must* remember to # | |
24 | # HUP the Exim daemon, because it will not pick up the new configuration # | |
25 | # until you do. However, any other Exim processes that are started, for # | |
26 | # example, a process started by an MUA in order to send a message, will # | |
27 | # see the new configuration as soon as it is in place. # | |
28 | # # | |
29 | # You do not need to HUP the daemon for changes in auxiliary files that # | |
30 | # are referenced from this file. They are read every time they are used. # | |
31 | # # | |
32 | # It is usually a good idea to test a new configuration for syntactic # | |
33 | # correctness before installing it (for example, by running the command # | |
34 | # "exim -C /config/file.new -bV"). # | |
35 | # # | |
36 | ########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
37 | ||
38 | ||
39 | ||
75fc3782 PP |
40 | ###################################################################### |
41 | # MACROS # | |
42 | ###################################################################### | |
43 | # | |
44 | ||
45 | # If you want to use a smarthost instead of sending directly to recipient | |
46 | # domains, uncomment this macro definition and set a real hostname. | |
47 | # An appropriately privileged user can then redirect email on the command-line | |
48 | # in emergencies, via -D. | |
49 | # | |
50 | # ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE | |
51 | ||
059ec3d9 PH |
52 | ###################################################################### |
53 | # MAIN CONFIGURATION SETTINGS # | |
54 | ###################################################################### | |
f26587cb | 55 | # |
059ec3d9 PH |
56 | |
57 | # Specify your host's canonical name here. This should normally be the fully | |
58 | # qualified "official" name of your host. If this option is not set, the | |
59 | # uname() function is called to obtain the name. In many cases this does | |
60 | # the right thing and you need not set anything explicitly. | |
61 | ||
62 | # primary_hostname = | |
63 | ||
64 | ||
65 | # The next three settings create two lists of domains and one list of hosts. | |
66 | # These lists are referred to later in this configuration using the syntax | |
67 | # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They | |
68 | # are all colon-separated lists: | |
69 | ||
70 | domainlist local_domains = @ | |
71 | domainlist relay_to_domains = | |
ff284120 PP |
72 | hostlist relay_from_hosts = localhost |
73 | # (We rely upon hostname resolution working for localhost, because the default | |
74 | # uncommented configuration needs to work in IPv4-only environments.) | |
059ec3d9 PH |
75 | |
76 | # Most straightforward access control requirements can be obtained by | |
53394084 | 77 | # appropriate settings of the above options. In more complicated situations, |
92db8b2d | 78 | # you may need to modify the Access Control Lists (ACLs) which appear later in |
53394084 | 79 | # this file. |
059ec3d9 PH |
80 | |
81 | # The first setting specifies your local domains, for example: | |
82 | # | |
83 | # domainlist local_domains = my.first.domain : my.second.domain | |
84 | # | |
85 | # You can use "@" to mean "the name of the local host", as in the default | |
86 | # setting above. This is the name that is specified by primary_hostname, | |
87 | # as specified above (or defaulted). If you do not want to do any local | |
88 | # deliveries, remove the "@" from the setting above. If you want to accept mail | |
89 | # addressed to your host's literal IP address, for example, mail addressed to | |
90 | # "user@[192.168.23.44]", you can add "@[]" as an item in the local domains | |
91 | # list. You also need to uncomment "allow_domain_literals" below. This is not | |
92 | # recommended for today's Internet. | |
93 | ||
94 | # The second setting specifies domains for which your host is an incoming relay. | |
95 | # If you are not doing any relaying, you should leave the list empty. However, | |
96 | # if your host is an MX backup or gateway of some kind for some domains, you | |
97 | # must set relay_to_domains to match those domains. For example: | |
98 | # | |
99 | # domainlist relay_to_domains = *.myco.com : my.friend.org | |
100 | # | |
101 | # This will allow any host to relay through your host to those domains. | |
102 | # See the section of the manual entitled "Control of relaying" for more | |
103 | # information. | |
104 | ||
105 | # The third setting specifies hosts that can use your host as an outgoing relay | |
106 | # to any other host on the Internet. Such a setting commonly refers to a | |
107 | # complete local network as well as the localhost. For example: | |
108 | # | |
ff284120 | 109 | # hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 192.168.0.0/16 |
059ec3d9 PH |
110 | # |
111 | # The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you | |
112 | # have to include 127.0.0.1 if you want to allow processes on your host to send | |
113 | # SMTP mail by using the loopback address. A number of MUAs use this method of | |
ff284120 PP |
114 | # sending mail. Often, connections are made to "localhost", which might be ::1 |
115 | # on IPv6-enabled hosts. Do not forget CIDR for your IPv6 networks. | |
059ec3d9 | 116 | |
059ec3d9 PH |
117 | # All three of these lists may contain many different kinds of item, including |
118 | # wildcarded names, regular expressions, and file lookups. See the reference | |
74e0617f PH |
119 | # manual for details. The lists above are used in the access control lists for |
120 | # checking incoming messages. The names of these ACLs are defined here: | |
059ec3d9 | 121 | |
95dfacf2 JH |
122 | acl_smtp_rcpt = acl_check_rcpt |
123 | .ifdef _HAVE_PRDR | |
124 | acl_smtp_data_prdr = acl_check_prdr | |
125 | .endif | |
126 | acl_smtp_data = acl_check_data | |
74e0617f PH |
127 | |
128 | # You should not change those settings until you understand how ACLs work. | |
129 | ||
130 | ||
131 | # If you are running a version of Exim that was compiled with the content- | |
132 | # scanning extension, you can cause incoming messages to be automatically | |
133 | # scanned for viruses. You have to modify the configuration in two places to | |
134 | # set this up. The first of them is here, where you define the interface to | |
135 | # your scanner. This example is typical for ClamAV; see the manual for details | |
136 | # of what to set for other virus scanners. The second modification is in the | |
137 | # acl_check_data access control list (see below). | |
059ec3d9 | 138 | |
74e0617f PH |
139 | # av_scanner = clamd:/tmp/clamd |
140 | ||
141 | ||
142 | # For spam scanning, there is a similar option that defines the interface to | |
143 | # SpamAssassin. You do not need to set this if you are using the default, which | |
144 | # is shown in this commented example. As for virus scanning, you must also | |
145 | # modify the acl_check_data access control list to enable spam scanning. | |
146 | ||
147 | # spamd_address = 127.0.0.1 783 | |
059ec3d9 PH |
148 | |
149 | ||
6083aca0 TF |
150 | # If Exim is compiled with support for TLS, you may want to enable the |
151 | # following options so that Exim allows clients to make encrypted | |
152 | # connections. In the authenticators section below, there are template | |
153 | # configurations for plaintext username/password authentication. This kind | |
154 | # of authentication is only safe when used within a TLS connection, so the | |
155 | # authenticators will only work if the following TLS settings are turned on | |
156 | # as well. | |
157 | ||
158 | # Allow any client to use TLS. | |
159 | ||
160 | # tls_advertise_hosts = * | |
161 | ||
162 | # Specify the location of the Exim server's TLS certificate and private key. | |
163 | # The private key must not be encrypted (password protected). You can put | |
164 | # the certificate and private key in the same file, in which case you only | |
165 | # need the first setting, or in separate files, in which case you need both | |
166 | # options. | |
167 | ||
168 | # tls_certificate = /etc/ssl/exim.crt | |
169 | # tls_privatekey = /etc/ssl/exim.pem | |
170 | ||
ba86e143 | 171 | # For OpenSSL, prefer EC- over RSA-authenticated ciphers |
1fa62f99 | 172 | # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT |
ba86e143 | 173 | |
6083aca0 TF |
174 | # In order to support roaming users who wish to send email from anywhere, |
175 | # you may want to make Exim listen on other ports as well as port 25, in | |
176 | # case these users need to send email from a network that blocks port 25. | |
177 | # The standard port for this purpose is port 587, the "message submission" | |
178 | # port. See RFC 4409 for details. Microsoft MUAs cannot be configured to | |
179 | # talk the message submission protocol correctly, so if you need to support | |
180 | # them you should also allow TLS-on-connect on the traditional but | |
181 | # non-standard port 465. | |
182 | ||
183 | # daemon_smtp_ports = 25 : 465 : 587 | |
184 | # tls_on_connect_ports = 465 | |
185 | ||
186 | ||
059ec3d9 PH |
187 | # Specify the domain you want to be added to all unqualified addresses |
188 | # here. An unqualified address is one that does not contain an "@" character | |
189 | # followed by a domain. For example, "caesar@rome.example" is a fully qualified | |
190 | # address, but the string "caesar" (i.e. just a login name) is an unqualified | |
191 | # email address. Unqualified addresses are accepted only from local callers by | |
192 | # default. See the recipient_unqualified_hosts option if you want to permit | |
193 | # unqualified addresses from remote sources. If this option is not set, the | |
194 | # primary_hostname value is used for qualification. | |
195 | ||
196 | # qualify_domain = | |
197 | ||
198 | ||
199 | # If you want unqualified recipient addresses to be qualified with a different | |
200 | # domain to unqualified sender addresses, specify the recipient domain here. | |
201 | # If this option is not set, the qualify_domain value is used. | |
202 | ||
203 | # qualify_recipient = | |
204 | ||
205 | ||
206 | # The following line must be uncommented if you want Exim to recognize | |
207 | # addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" | |
208 | # (an IP address) instead of a named domain. The RFCs still require this form, | |
209 | # but it makes little sense to permit mail to be sent to specific hosts by | |
210 | # their IP address in the modern Internet. This ancient format has been used | |
211 | # by those seeking to abuse hosts by using them for unwanted relaying. If you | |
212 | # really do want to support domain literals, uncomment the following line, and | |
213 | # see also the "domain_literal" router below. | |
214 | ||
215 | # allow_domain_literals | |
216 | ||
217 | ||
92db8b2d PH |
218 | # No deliveries will ever be run under the uids of users specified by |
219 | # never_users (a colon-separated list). An attempt to do so causes a panic | |
220 | # error to be logged, and the delivery to be deferred. This is a paranoic | |
221 | # safety catch. There is an even stronger safety catch in the form of the | |
222 | # FIXED_NEVER_USERS setting in the configuration for building Exim. The list of | |
223 | # users that it specifies is built into the binary, and cannot be changed. The | |
224 | # option below just adds additional users to the list. The default for | |
225 | # FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here | |
226 | # is also "root". | |
059ec3d9 PH |
227 | |
228 | # Note that the default setting means you cannot deliver mail addressed to root | |
229 | # as if it were a normal user. This isn't usually a problem, as most sites have | |
230 | # an alias for root that redirects such mail to a human administrator. | |
231 | ||
232 | never_users = root | |
233 | ||
234 | ||
235 | # The setting below causes Exim to do a reverse DNS lookup on all incoming | |
236 | # IP calls, in order to get the true host name. If you feel this is too | |
237 | # expensive, you can specify the networks for which a lookup is done, or | |
238 | # remove the setting entirely. | |
239 | ||
240 | host_lookup = * | |
241 | ||
242 | ||
bdf9ce82 PP |
243 | # The setting below causes Exim to try to initialize the system resolver |
244 | # library with DNSSEC support. It has no effect if your library lacks | |
245 | # DNSSEC support. | |
246 | ||
247 | dns_dnssec_ok = 1 | |
248 | ||
249 | ||
f926e272 JH |
250 | # The settings below cause Exim to make RFC 1413 (ident) callbacks |
251 | # for all incoming SMTP calls. You can limit the hosts to which these | |
252 | # calls are made, and/or change the timeout that is used. If you set | |
253 | # the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls | |
254 | # are cheap and can provide useful information for tracing problem | |
255 | # messages, but some hosts and firewalls have problems with them. | |
256 | # This can result in a timeout instead of an immediate refused | |
257 | # connection, leading to delays on starting up SMTP sessions. | |
258 | # (The default was reduced from 30s to 5s for release 4.61. and to | |
259 | # disabled for release 4.86) | |
260 | # | |
261 | #rfc1413_hosts = * | |
262 | #rfc1413_query_timeout = 5s | |
059ec3d9 PH |
263 | |
264 | ||
ff1c79bc JH |
265 | # Enable an efficiency feature. We advertise the feature; clients |
266 | # may request to use it. For multi-recipient mails we then can | |
267 | # reject or accept per-user after the message is received. | |
2f6c7b1a JH |
268 | # This supports recipient-dependent content filtering; without it |
269 | # you have to temp-reject any recipients after the first that have | |
270 | # incompatible filtering, and do the filtering in the data ACL. | |
271 | # Even with this enabled, you must support the old style for peers | |
272 | # not flagging support for PRDR (visible via $prdr_requested). | |
ff1c79bc | 273 | # |
95dfacf2 | 274 | .ifdef _HAVE_PRDR |
ff1c79bc | 275 | prdr_enable = true |
95dfacf2 | 276 | .endif |
ff1c79bc JH |
277 | |
278 | ||
059ec3d9 PH |
279 | # By default, Exim expects all envelope addresses to be fully qualified, that |
280 | # is, they must contain both a local part and a domain. If you want to accept | |
281 | # unqualified addresses (just a local part) from certain hosts, you can specify | |
282 | # these hosts by setting one or both of | |
283 | # | |
284 | # sender_unqualified_hosts = | |
285 | # recipient_unqualified_hosts = | |
286 | # | |
287 | # to control sender and recipient addresses, respectively. When this is done, | |
288 | # unqualified addresses are qualified using the settings of qualify_domain | |
289 | # and/or qualify_recipient (see above). | |
290 | ||
291 | ||
df081f7a JH |
292 | # Unless you run a high-volume site you probably want more logging |
293 | # detail than the default. Adjust to suit. | |
294 | ||
295 | log_selector = +smtp_protocol_error +smtp_syntax_error \ | |
48162f79 | 296 | +tls_certificate_verified |
df081f7a JH |
297 | |
298 | ||
059ec3d9 PH |
299 | # If you want Exim to support the "percent hack" for certain domains, |
300 | # uncomment the following line and provide a list of domains. The "percent | |
301 | # hack" is the feature by which mail addressed to x%y@z (where z is one of | |
302 | # the domains listed) is locally rerouted to x@y and sent on. If z is not one | |
303 | # of the "percent hack" domains, x%y is treated as an ordinary local part. This | |
304 | # hack is rarely needed nowadays; you should not enable it unless you are sure | |
305 | # that you really need it. | |
306 | # | |
307 | # percent_hack_domains = | |
308 | # | |
309 | # As well as setting this option you will also need to remove the test | |
310 | # for local parts containing % in the ACL definition below. | |
311 | ||
312 | ||
313 | # When Exim can neither deliver a message nor return it to sender, it "freezes" | |
314 | # the delivery error message (aka "bounce message"). There are also other | |
315 | # circumstances in which messages get frozen. They will stay on the queue for | |
316 | # ever unless one of the following options is set. | |
317 | ||
318 | # This option unfreezes frozen bounce messages after two days, tries | |
319 | # once more to deliver them, and ignores any delivery failures. | |
320 | ||
321 | ignore_bounce_errors_after = 2d | |
322 | ||
323 | # This option cancels (removes) frozen messages that are older than a week. | |
324 | ||
325 | timeout_frozen_after = 7d | |
326 | ||
327 | ||
92db8b2d PH |
328 | # By default, messages that are waiting on Exim's queue are all held in a |
329 | # single directory called "input" which it itself within Exim's spool | |
330 | # directory. (The default spool directory is specified when Exim is built, and | |
331 | # is often /var/spool/exim/.) Exim works best when its queue is kept short, but | |
332 | # there are circumstances where this is not always possible. If you uncomment | |
333 | # the setting below, messages on the queue are held in 62 subdirectories of | |
334 | # "input" instead of all in the same directory. The subdirectories are called | |
335 | # 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file | |
336 | # system degrades with many files in one directory, this is less likely to | |
337 | # happen; (2) Exim can process the queue one subdirectory at a time instead of | |
338 | # all at once, which can give better performance with large queues. | |
339 | ||
340 | # split_spool_directory = true | |
341 | ||
342 | ||
6901c596 PP |
343 | # If you're in a part of the world where ASCII is not sufficient for most |
344 | # text, then you're probably familiar with RFC2047 message header extensions. | |
345 | # By default, Exim adheres to the specification, including a limit of 76 | |
346 | # characters to a line, with encoded words fitting within a line. | |
347 | # If you wish to use decoded headers in message filters in such a way | |
348 | # that successful decoding of malformed messages matters, you may wish to | |
349 | # configure Exim to be more lenient. | |
350 | # | |
351 | # check_rfc2047_length = false | |
352 | # | |
353 | # In particular, the Exim maintainers have had multiple reports of problems | |
354 | # from Russian administrators of issues until they disable this check, | |
355 | # because of some popular, yet buggy, mail composition software. | |
356 | ||
059ec3d9 | 357 | |
9cbad13b PP |
358 | # If you wish to be strictly RFC compliant, or if you know you'll be |
359 | # exchanging email with systems that are not 8-bit clean, then you may | |
360 | # wish to disable advertising 8BITMIME. Uncomment this option to do so. | |
361 | ||
362 | # accept_8bitmime = false | |
363 | ||
364 | ||
f26587cb HSHR |
365 | # Exim does not make use of environment variables itself. However, |
366 | # libraries that Exim uses (e.g. LDAP) depend on specific environment settings. | |
367 | # There are two lists: keep_environment for the variables we trust, and | |
368 | # add_environment for variables we want to set to a specific value. | |
4c04137d | 369 | # Note that TZ is handled separately by the timezone runtime option |
f26587cb HSHR |
370 | # and TIMEZONE_DEFAULT buildtime option. |
371 | ||
372 | # keep_environment = ^LDAP | |
373 | # add_environment = PATH=/usr/bin::/bin | |
374 | ||
375 | ||
376 | ||
059ec3d9 PH |
377 | ###################################################################### |
378 | # ACL CONFIGURATION # | |
379 | # Specifies access control lists for incoming SMTP mail # | |
380 | ###################################################################### | |
381 | ||
382 | begin acl | |
383 | ||
384 | # This access control list is used for every RCPT command in an incoming | |
385 | # SMTP message. The tests are run in order until the address is either | |
386 | # accepted or denied. | |
387 | ||
388 | acl_check_rcpt: | |
389 | ||
390 | # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by | |
391 | # testing for an empty sending host field. | |
392 | ||
393 | accept hosts = : | |
94f85d3e | 394 | control = dkim_disable_verify |
059ec3d9 PH |
395 | |
396 | ############################################################################# | |
397 | # The following section of the ACL is concerned with local parts that contain | |
398 | # @ or % or ! or / or | or dots in unusual places. | |
399 | # | |
400 | # The characters other than dots are rarely found in genuine local parts, but | |
401 | # are often tried by people looking to circumvent relaying restrictions. | |
402 | # Therefore, although they are valid in local parts, these rules lock them | |
403 | # out, as a precaution. | |
404 | # | |
405 | # Empty components (two dots in a row) are not valid in RFC 2822, but Exim | |
406 | # allows them because they have been encountered. (Consider local parts | |
407 | # constructed as "firstinitial.secondinitial.familyname" when applied to | |
408 | # someone like me, who has no second initial.) However, a local part starting | |
409 | # with a dot or containing /../ can cause trouble if it is used as part of a | |
410 | # file name (e.g. for a mailing list). This is also true for local parts that | |
411 | # contain slashes. A pipe symbol can also be troublesome if the local part is | |
412 | # incorporated unthinkingly into a shell command line. | |
413 | # | |
414 | # Two different rules are used. The first one is stricter, and is applied to | |
415 | # messages that are addressed to one of the local domains handled by this | |
53394084 PH |
416 | # host. The line "domains = +local_domains" restricts it to domains that are |
417 | # defined by the "domainlist local_domains" setting above. The rule blocks | |
418 | # local parts that begin with a dot or contain @ % ! / or |. If you have | |
419 | # local accounts that include these characters, you will have to modify this | |
420 | # rule. | |
059ec3d9 PH |
421 | |
422 | deny message = Restricted characters in address | |
423 | domains = +local_domains | |
424 | local_parts = ^[.] : ^.*[@%!/|] | |
425 | ||
53394084 PH |
426 | # The second rule applies to all other domains, and is less strict. The line |
427 | # "domains = !+local_domains" restricts it to domains that are NOT defined by | |
428 | # the "domainlist local_domains" setting above. The exclamation mark is a | |
429 | # negating operator. This rule allows your own users to send outgoing | |
430 | # messages to sites that use slashes and vertical bars in their local parts. | |
431 | # It blocks local parts that begin with a dot, slash, or vertical bar, but | |
432 | # allows these characters within the local part. However, the sequence /../ | |
433 | # is barred. The use of @ % and ! is blocked, as before. The motivation here | |
434 | # is to prevent your users (or your users' viruses) from mounting certain | |
435 | # kinds of attack on remote sites. | |
059ec3d9 PH |
436 | |
437 | deny message = Restricted characters in address | |
438 | domains = !+local_domains | |
439 | local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ | |
440 | ############################################################################# | |
441 | ||
442 | # Accept mail to postmaster in any local domain, regardless of the source, | |
443 | # and without verifying the sender. | |
444 | ||
445 | accept local_parts = postmaster | |
446 | domains = +local_domains | |
447 | ||
448 | # Deny unless the sender address can be verified. | |
449 | ||
450 | require verify = sender | |
451 | ||
5de37277 | 452 | # Accept if the message comes from one of the hosts for which we are an |
cc38ddbf PH |
453 | # outgoing relay. It is assumed that such hosts are most likely to be MUAs, |
454 | # so we set control=submission to make Exim treat the message as a | |
455 | # submission. It will fix up various errors in the message, for example, the | |
456 | # lack of a Date: header line. If you are actually relaying out out from | |
457 | # MTAs, you may want to disable this. If you are handling both relaying from | |
458 | # MTAs and submissions from MUAs you should probably split them into two | |
459 | # lists, and handle them differently. | |
460 | ||
461 | # Recipient verification is omitted here, because in many cases the clients | |
462 | # are dumb MUAs that don't cope well with SMTP error responses. If you are | |
463 | # actually relaying out from MTAs, you should probably add recipient | |
464 | # verification here. | |
465 | ||
466 | # Note that, by putting this test before any DNS black list checks, you will | |
467 | # always accept from these hosts, even if they end up on a black list. The | |
468 | # assumption is that they are your friends, and if they get onto a black | |
469 | # list, it is a mistake. | |
5de37277 PH |
470 | |
471 | accept hosts = +relay_from_hosts | |
cc38ddbf | 472 | control = submission |
94f85d3e | 473 | control = dkim_disable_verify |
5de37277 PH |
474 | |
475 | # Accept if the message arrived over an authenticated connection, from | |
476 | # any host. Again, these messages are usually from MUAs, so recipient | |
cc38ddbf PH |
477 | # verification is omitted, and submission mode is set. And again, we do this |
478 | # check before any black list tests. | |
5de37277 PH |
479 | |
480 | accept authenticated = * | |
cc38ddbf | 481 | control = submission |
94f85d3e | 482 | control = dkim_disable_verify |
5de37277 | 483 | |
731c6a90 JH |
484 | # Insist that a HELO/EHLO was accepted. |
485 | ||
48162f79 HSHR |
486 | require message = nice hosts say HELO first |
487 | condition = ${if def:sender_helo_name} | |
731c6a90 | 488 | |
9ecb03f3 PH |
489 | # Insist that any other recipient address that we accept is either in one of |
490 | # our local domains, or is in a domain for which we explicitly allow | |
491 | # relaying. Any other domain is rejected as being unacceptable for relaying. | |
492 | ||
493 | require message = relay not permitted | |
8bffe342 | 494 | domains = +local_domains : +relay_to_domains |
9ecb03f3 PH |
495 | |
496 | # We also require all accepted addresses to be verifiable. This check will | |
497 | # do local part verification for local domains, but only check the domain | |
498 | # for remote domains. The only way to check local parts for the remote | |
499 | # relay domains is to use a callout (add /callout), but please read the | |
500 | # documentation about callouts before doing this. | |
501 | ||
502 | require verify = recipient | |
503 | ||
059ec3d9 | 504 | ############################################################################# |
5de37277 PH |
505 | # There are no default checks on DNS black lists because the domains that |
506 | # contain these lists are changing all the time. However, here are two | |
507 | # examples of how you can get Exim to perform a DNS black list lookup at this | |
508 | # point. The first one denies, whereas the second just warns. | |
059ec3d9 PH |
509 | # |
510 | # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | |
511 | # dnslists = black.list.example | |
512 | # | |
42119b09 PH |
513 | # warn dnslists = black.list.example |
514 | # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain | |
059ec3d9 | 515 | # log_message = found in $dnslist_domain |
059ec3d9 PH |
516 | ############################################################################# |
517 | ||
a4e3111f PH |
518 | ############################################################################# |
519 | # This check is commented out because it is recognized that not every | |
520 | # sysadmin will want to do it. If you enable it, the check performs | |
521 | # Client SMTP Authorization (csa) checks on the sending host. These checks | |
522 | # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) | |
523 | # an Internet draft. You can, of course, add additional conditions to this | |
524 | # ACL statement to restrict the CSA checks to certain hosts only. | |
525 | # | |
526 | # require verify = csa | |
527 | ############################################################################# | |
528 | ||
95dfacf2 JH |
529 | ############################################################################# |
530 | # If doing per-user content filtering then recipients with filters different | |
531 | # to the first recipient must be deferred unless the sender talks PRDR. | |
532 | # | |
533 | # defer !condition = $prdr_requested | |
534 | # condition = ${if > {0}{$receipients_count}} | |
535 | # condition = ${if !eq {$acl_m_content_filter} \ | |
536 | # {${lookup PER_RCPT_CONTENT_FILTER}}} | |
537 | # warn !condition = $prdr_requested | |
538 | # condition = ${if > {0}{$receipients_count}} | |
539 | # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} | |
540 | ############################################################################# | |
541 | ||
9ecb03f3 PH |
542 | # At this point, the address has passed all the checks that have been |
543 | # configured, so we accept it unconditionally. | |
059ec3d9 | 544 | |
9ecb03f3 | 545 | accept |
059ec3d9 PH |
546 | |
547 | ||
95dfacf2 JH |
548 | # This ACL is used once per recipient, for multi-recipient messages, if |
549 | # we advertised PRDR. It can be used to perform receipient-dependent | |
550 | # header- and body- based filtering and rejections. | |
551 | # We set a variable to record that PRDR was active used, so that checking | |
552 | # in the data ACL can be skipped. | |
553 | ||
554 | .ifdef _HAVE_PRDR | |
555 | acl_check_prdr: | |
556 | warn set acl_m_did_prdr = y | |
95dfacf2 JH |
557 | |
558 | ############################################################################# | |
559 | # do lookup on filtering, with $local_part@$domain, deny on filter match | |
560 | # | |
561 | # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} | |
562 | # condition = ... | |
563 | ############################################################################# | |
564 | ||
565 | accept | |
23def169 | 566 | .endif |
95dfacf2 | 567 | |
74e0617f PH |
568 | # This ACL is used after the contents of a message have been received. This |
569 | # is the ACL in which you can test a message's headers or body, and in | |
570 | # particular, this is where you can invoke external virus or spam scanners. | |
571 | # Some suggested ways of configuring these tests are shown below, commented | |
572 | # out. Without any tests, this ACL accepts all messages. If you want to use | |
573 | # such tests, you must ensure that Exim is compiled with the content-scanning | |
574 | # extension (WITH_CONTENT_SCAN=yes in Local/Makefile). | |
575 | ||
576 | acl_check_data: | |
577 | ||
8c952127 JH |
578 | # Deny if the message contains an overlong line. Per the standards |
579 | # we should never receive one such via SMTP. | |
580 | # | |
adb278a5 HSHR |
581 | deny message = maximum allowed line length is 998 octets, \ |
582 | got $max_received_linelength | |
583 | condition = ${if > {$max_received_linelength}{998}} | |
8c952127 | 584 | |
4b7a7471 JH |
585 | # Deny if the headers contain badly-formed addresses. |
586 | # | |
48162f79 HSHR |
587 | deny !verify = header_syntax |
588 | message = header syntax | |
589 | log_message = header syntax ($acl_verify_message) | |
4b7a7471 | 590 | |
74e0617f PH |
591 | # Deny if the message contains a virus. Before enabling this check, you |
592 | # must install a virus scanner and set the av_scanner option above. | |
593 | # | |
42119b09 PH |
594 | # deny malware = * |
595 | # message = This message contains a virus ($malware_name). | |
74e0617f PH |
596 | |
597 | # Add headers to a message if it is judged to be spam. Before enabling this, | |
598 | # you must install SpamAssassin. You may also need to set the spamd_address | |
599 | # option above. | |
600 | # | |
42119b09 PH |
601 | # warn spam = nobody |
602 | # add_header = X-Spam_score: $spam_score\n\ | |
603 | # X-Spam_score_int: $spam_score_int\n\ | |
604 | # X-Spam_bar: $spam_bar\n\ | |
605 | # X-Spam_report: $spam_report | |
74e0617f | 606 | |
95dfacf2 JH |
607 | ############################################################################# |
608 | # No more tests if PRDR was actively used. | |
609 | # accept condition = ${if def:acl_m_did_prdr} | |
610 | # | |
611 | # To get here, all message recipients must have identical per-user | |
612 | # content filtering (enforced by RCPT ACL). Do lookup for filter | |
613 | # and deny on match. | |
614 | # | |
615 | # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} | |
616 | # condition = ... | |
617 | ############################################################################# | |
618 | ||
619 | ||
74e0617f PH |
620 | # Accept the message. |
621 | ||
622 | accept | |
623 | ||
624 | ||
059ec3d9 PH |
625 | |
626 | ###################################################################### | |
627 | # ROUTERS CONFIGURATION # | |
628 | # Specifies how addresses are handled # | |
629 | ###################################################################### | |
630 | # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # | |
631 | # An address is passed to each router in turn until it is accepted. # | |
632 | ###################################################################### | |
633 | ||
634 | begin routers | |
635 | ||
636 | # This router routes to remote hosts over SMTP by explicit IP address, | |
637 | # when an email address is given in "domain literal" form, for example, | |
638 | # <user@[192.168.35.64]>. The RFCs require this facility. However, it is | |
639 | # little-known these days, and has been exploited by evil people seeking | |
640 | # to abuse SMTP relays. Consequently it is commented out in the default | |
641 | # configuration. If you uncomment this router, you also need to uncomment | |
642 | # allow_domain_literals above, so that Exim can recognize the syntax of | |
643 | # domain literal addresses. | |
644 | ||
645 | # domain_literal: | |
646 | # driver = ipliteral | |
647 | # domains = ! +local_domains | |
648 | # transport = remote_smtp | |
649 | ||
650 | ||
75fc3782 PP |
651 | # This router can be used when you want to send all mail to a |
652 | # server which handles DNS lookups for you; an ISP will typically run such | |
653 | # a server for their customers. The hostname in route_data comes from the | |
654 | # macro defined at the top of the file. If not defined, then we'll use the | |
655 | # dnslookup router below instead. | |
656 | # Beware that the hostname is specified again in the Transport. | |
657 | ||
658 | .ifdef ROUTER_SMARTHOST | |
659 | ||
660 | smarthost: | |
661 | driver = manualroute | |
662 | domains = ! +local_domains | |
663 | transport = smarthost_smtp | |
664 | route_data = ROUTER_SMARTHOST | |
665 | ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 | |
666 | no_more | |
667 | ||
668 | .else | |
669 | ||
059ec3d9 | 670 | # This router routes addresses that are not in local domains by doing a DNS |
53394084 PH |
671 | # lookup on the domain name. The exclamation mark that appears in "domains = ! |
672 | # +local_domains" is a negating operator, that is, it can be read as "not". The | |
673 | # recipient's domain must not be one of those defined by "domainlist | |
674 | # local_domains" above for this router to be used. | |
675 | # | |
676 | # If the router is used, any domain that resolves to 0.0.0.0 or to a loopback | |
677 | # interface address (127.0.0.0/8) is treated as if it had no DNS entry. Note | |
678 | # that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated as the | |
679 | # local host inside the network stack. It is not 0.0.0.0/0, the default route. | |
680 | # If the DNS lookup fails, no further routers are tried because of the no_more | |
681 | # setting, and consequently the address is unrouteable. | |
059ec3d9 PH |
682 | |
683 | dnslookup: | |
684 | driver = dnslookup | |
685 | domains = ! +local_domains | |
686 | transport = remote_smtp | |
687 | ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 | |
ff284120 PP |
688 | # if ipv6-enabled then instead use: |
689 | # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 | |
059ec3d9 PH |
690 | no_more |
691 | ||
75fc3782 PP |
692 | # This closes the ROUTER_SMARTHOST ifdef around the choice of routing for |
693 | # off-site mail. | |
694 | .endif | |
4eae92ae PP |
695 | |
696 | ||
53394084 PH |
697 | # The remaining routers handle addresses in the local domain(s), that is those |
698 | # domains that are defined by "domainlist local_domains" above. | |
059ec3d9 PH |
699 | |
700 | ||
701 | # This router handles aliasing using a linearly searched alias file with the | |
702 | # name SYSTEM_ALIASES_FILE. When this configuration is installed automatically, | |
703 | # the name gets inserted into this file from whatever is set in Exim's | |
704 | # build-time configuration. The default path is the traditional /etc/aliases. | |
705 | # If you install this configuration by hand, you need to specify the correct | |
706 | # path in the "data" setting below. | |
707 | # | |
708 | ##### NB You must ensure that the alias file exists. It used to be the case | |
709 | ##### NB that every Unix had that file, because it was the Sendmail default. | |
710 | ##### NB These days, there are systems that don't have it. Your aliases | |
711 | ##### NB file should at least contain an alias for "postmaster". | |
712 | # | |
713 | # If any of your aliases expand to pipes or files, you will need to set | |
714 | # up a user and a group for these deliveries to run under. You can do | |
715 | # this by uncommenting the "user" option below (changing the user name | |
716 | # as appropriate) and adding a "group" option if necessary. Alternatively, you | |
717 | # can specify "user" on the transports that are used. Note that the transports | |
718 | # listed below are the same as are used for .forward files; you might want | |
719 | # to set up different ones for pipe and file deliveries from aliases. | |
720 | ||
721 | system_aliases: | |
722 | driver = redirect | |
723 | allow_fail | |
724 | allow_defer | |
725 | data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} | |
726 | # user = exim | |
727 | file_transport = address_file | |
728 | pipe_transport = address_pipe | |
729 | ||
730 | ||
731 | # This router handles forwarding using traditional .forward files in users' | |
732 | # home directories. If you want it also to allow mail filtering when a forward | |
733 | # file starts with the string "# Exim filter" or "# Sieve filter", uncomment | |
734 | # the "allow_filter" option. | |
735 | ||
059ec3d9 PH |
736 | # The no_verify setting means that this router is skipped when Exim is |
737 | # verifying addresses. Similarly, no_expn means that this router is skipped if | |
738 | # Exim is processing an EXPN command. | |
739 | ||
d9108297 PP |
740 | # If you want this router to treat local parts with suffixes introduced by "-" |
741 | # or "+" characters as if the suffixes did not exist, uncomment the two local_ | |
742 | # part_suffix options. Then, for example, xxxx-foo@your.domain will be treated | |
743 | # in the same way as xxxx@your.domain by this router. Because this router is | |
744 | # not used for verification, if you choose to uncomment those options, then you | |
745 | # will *need* to make the same change to the localuser router. (There are | |
746 | # other approaches, if this is undesirable, but they add complexity). | |
747 | ||
059ec3d9 PH |
748 | # The check_ancestor option means that if the forward file generates an |
749 | # address that is an ancestor of the current one, the current one gets | |
750 | # passed on instead. This covers the case where A is aliased to B and B | |
751 | # has a .forward file pointing to A. | |
752 | ||
753 | # The three transports specified at the end are those that are used when | |
754 | # forwarding generates a direct delivery to a file, or to a pipe, or sets | |
755 | # up an auto-reply, respectively. | |
756 | ||
757 | userforward: | |
758 | driver = redirect | |
759 | check_local_user | |
760 | # local_part_suffix = +* : -* | |
761 | # local_part_suffix_optional | |
762 | file = $home/.forward | |
763 | # allow_filter | |
764 | no_verify | |
765 | no_expn | |
766 | check_ancestor | |
767 | file_transport = address_file | |
768 | pipe_transport = address_pipe | |
769 | reply_transport = address_reply | |
770 | ||
771 | ||
772 | # This router matches local user mailboxes. If the router fails, the error | |
773 | # message is "Unknown user". | |
774 | ||
775 | # If you want this router to treat local parts with suffixes introduced by "-" | |
776 | # or "+" characters as if the suffixes did not exist, uncomment the two local_ | |
777 | # part_suffix options. Then, for example, xxxx-foo@your.domain will be treated | |
778 | # in the same way as xxxx@your.domain by this router. | |
779 | ||
780 | localuser: | |
781 | driver = accept | |
782 | check_local_user | |
783 | # local_part_suffix = +* : -* | |
784 | # local_part_suffix_optional | |
785 | transport = local_delivery | |
786 | cannot_route_message = Unknown user | |
787 | ||
788 | ||
789 | ||
790 | ###################################################################### | |
791 | # TRANSPORTS CONFIGURATION # | |
792 | ###################################################################### | |
793 | # ORDER DOES NOT MATTER # | |
794 | # Only one appropriate transport is called for each delivery. # | |
795 | ###################################################################### | |
796 | ||
797 | # A transport is used only when referenced from a router that successfully | |
798 | # handles an address. | |
799 | ||
800 | begin transports | |
801 | ||
802 | ||
803 | # This transport is used for delivering messages over SMTP connections. | |
85ffcba6 AM |
804 | # Refuse to send any message with over-long lines, which could have |
805 | # been received other than via SMTP. The use of message_size_limit to | |
8c952127 | 806 | # enforce this is a red herring. |
059ec3d9 PH |
807 | |
808 | remote_smtp: | |
809 | driver = smtp | |
8c952127 | 810 | message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} |
95dfacf2 JH |
811 | .ifdef _HAVE_PRDR |
812 | hosts_try_prdr = * | |
813 | .endif | |
059ec3d9 PH |
814 | |
815 | ||
26739076 PP |
816 | # This transport is used for delivering messages to a smarthost, if the |
817 | # smarthost router is enabled. This starts from the same basis as | |
818 | # "remote_smtp" but then turns on various security options, because | |
819 | # we assume that if you're told "use smarthost.example.org as the smarthost" | |
820 | # then there will be TLS available, with a verifiable certificate for that | |
821 | # hostname, using decent TLS. | |
822 | ||
823 | smarthost_smtp: | |
824 | driver = smtp | |
825 | message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} | |
826 | multi_domain | |
827 | # | |
828 | .ifdef _HAVE_TLS | |
829 | # Comment out any of these which you have to, then file a Support | |
830 | # request with your smarthost provider to get things fixed: | |
831 | hosts_require_tls = * | |
26739076 PP |
832 | tls_verify_hosts = * |
833 | # As long as tls_verify_hosts is enabled, this won't matter, but if you | |
834 | # have to comment it out then this will at least log whether you succeed | |
835 | # or not: | |
836 | tls_try_verify_hosts = * | |
837 | # | |
75fc3782 PP |
838 | # The SNI name should match the name which we'll expect to verify; |
839 | # many mail systems don't use SNI and this doesn't matter, but if it does, | |
840 | # we need to send a name which the remote site will recognize. | |
aa6e77af | 841 | # This _should_ be the name which the smarthost operators specified as |
75fc3782 PP |
842 | # the hostname for sending your mail to. |
843 | tls_sni = ROUTER_SMARTHOST | |
844 | # | |
26739076 | 845 | .ifdef _HAVE_OPENSSL |
bdf9ce82 | 846 | tls_require_ciphers = HIGH:!aNULL:@STRENGTH |
26739076 PP |
847 | .endif |
848 | .ifdef _HAVE_GNUTLS | |
bdf9ce82 | 849 | tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 |
26739076 PP |
850 | .endif |
851 | .endif | |
95dfacf2 JH |
852 | .ifdef _HAVE_PRDR |
853 | hosts_try_prdr = * | |
854 | .endif | |
26739076 PP |
855 | |
856 | ||
059ec3d9 PH |
857 | # This transport is used for local delivery to user mailboxes in traditional |
858 | # BSD mailbox format. By default it will be run under the uid and gid of the | |
859 | # local user, and requires the sticky bit to be set on the /var/mail directory. | |
860 | # Some systems use the alternative approach of running mail deliveries under a | |
861 | # particular group instead of using the sticky bit. The commented options below | |
862 | # show how this can be done. | |
863 | ||
864 | local_delivery: | |
865 | driver = appendfile | |
163144aa | 866 | file = /var/mail/$local_part_verified |
059ec3d9 PH |
867 | delivery_date_add |
868 | envelope_to_add | |
869 | return_path_add | |
870 | # group = mail | |
871 | # mode = 0660 | |
872 | ||
873 | ||
874 | # This transport is used for handling pipe deliveries generated by alias or | |
875 | # .forward files. If the pipe generates any standard output, it is returned | |
876 | # to the sender of the message as a delivery error. Set return_fail_output | |
877 | # instead of return_output if you want this to happen only when the pipe fails | |
878 | # to complete normally. You can set different transports for aliases and | |
879 | # forwards if you want to - see the references to address_pipe in the routers | |
880 | # section above. | |
881 | ||
882 | address_pipe: | |
883 | driver = pipe | |
884 | return_output | |
885 | ||
886 | ||
887 | # This transport is used for handling deliveries directly to files that are | |
888 | # generated by aliasing or forwarding. | |
889 | ||
890 | address_file: | |
891 | driver = appendfile | |
892 | delivery_date_add | |
893 | envelope_to_add | |
894 | return_path_add | |
895 | ||
896 | ||
897 | # This transport is used for handling autoreplies generated by the filtering | |
898 | # option of the userforward router. | |
899 | ||
900 | address_reply: | |
901 | driver = autoreply | |
902 | ||
903 | ||
904 | ||
905 | ###################################################################### | |
906 | # RETRY CONFIGURATION # | |
907 | ###################################################################### | |
908 | ||
909 | begin retry | |
910 | ||
911 | # This single retry rule applies to all domains and all errors. It specifies | |
912 | # retries every 15 minutes for 2 hours, then increasing retry intervals, | |
913 | # starting at 1 hour and increasing each time by a factor of 1.5, up to 16 | |
914 | # hours, then retries every 6 hours until 4 days have passed since the first | |
915 | # failed delivery. | |
916 | ||
c46cc0a4 PH |
917 | # WARNING: If you do not have any retry rules at all (this section of the |
918 | # configuration is non-existent or empty), Exim will not do any retries of | |
919 | # messages that fail to get delivered at the first attempt. The effect will | |
920 | # be to treat temporary errors as permanent. Therefore, DO NOT remove this | |
921 | # retry rule unless you really don't want any retries. | |
922 | ||
059ec3d9 PH |
923 | # Address or Domain Error Retries |
924 | # ----------------- ----- ------- | |
925 | ||
926 | * * F,2h,15m; G,16h,1h,1.5; F,4d,6h | |
927 | ||
928 | ||
929 | ||
930 | ###################################################################### | |
931 | # REWRITE CONFIGURATION # | |
932 | ###################################################################### | |
933 | ||
934 | # There are no rewriting specifications in this default configuration file. | |
935 | ||
936 | begin rewrite | |
937 | ||
938 | ||
939 | ||
940 | ###################################################################### | |
941 | # AUTHENTICATION CONFIGURATION # | |
942 | ###################################################################### | |
943 | ||
6083aca0 TF |
944 | # The following authenticators support plaintext username/password |
945 | # authentication using the standard PLAIN mechanism and the traditional | |
946 | # but non-standard LOGIN mechanism, with Exim acting as the server. | |
947 | # PLAIN and LOGIN are enough to support most MUA software. | |
948 | # | |
949 | # These authenticators are not complete: you need to change the | |
950 | # server_condition settings to specify how passwords are verified. | |
951 | # They are set up to offer authentication to the client only if the | |
952 | # connection is encrypted with TLS, so you also need to add support | |
953 | # for TLS. See the global configuration options section at the start | |
954 | # of this file for more about TLS. | |
955 | # | |
956 | # The default RCPT ACL checks for successful authentication, and will accept | |
957 | # messages from authenticated users from anywhere on the Internet. | |
059ec3d9 PH |
958 | |
959 | begin authenticators | |
960 | ||
6083aca0 TF |
961 | # PLAIN authentication has no server prompts. The client sends its |
962 | # credentials in one lump, containing an authorization ID (which we do not | |
963 | # use), an authentication ID, and a password. The latter two appear as | |
964 | # $auth2 and $auth3 in the configuration and should be checked against a | |
965 | # valid username and password. In a real configuration you would typically | |
966 | # use $auth2 as a lookup key, and compare $auth3 against the result of the | |
967 | # lookup, perhaps using the crypteq{}{} condition. | |
968 | ||
969 | #PLAIN: | |
970 | # driver = plaintext | |
971 | # server_set_id = $auth2 | |
972 | # server_prompts = : | |
973 | # server_condition = Authentication is not yet configured | |
d9b2312b | 974 | # server_advertise_condition = ${if def:tls_in_cipher } |
6083aca0 TF |
975 | |
976 | # LOGIN authentication has traditional prompts and responses. There is no | |
977 | # authorization ID in this mechanism, so unlike PLAIN the username and | |
978 | # password are $auth1 and $auth2. Apart from that you can use the same | |
979 | # server_condition setting for both authenticators. | |
980 | ||
981 | #LOGIN: | |
982 | # driver = plaintext | |
983 | # server_set_id = $auth1 | |
984 | # server_prompts = <| Username: | Password: | |
985 | # server_condition = Authentication is not yet configured | |
d9b2312b | 986 | # server_advertise_condition = ${if def:tls_in_cipher } |
059ec3d9 PH |
987 | |
988 | ||
989 | ###################################################################### | |
990 | # CONFIGURATION FOR local_scan() # | |
991 | ###################################################################### | |
992 | ||
993 | # If you have built Exim to include a local_scan() function that contains | |
994 | # tables for private options, you can define those options here. Remember to | |
995 | # uncomment the "begin" line. It is commented by default because it provokes | |
996 | # an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS | |
997 | # set in the Local/Makefile. | |
998 | ||
999 | # begin local_scan | |
1000 | ||
1001 | ||
1002 | # End of Exim configuration file |