Grammar changes in docs
[exim.git] / configs / config.samples / C043
CommitLineData
e0f3765a
PH
1# Below is an Exim 4 config file which is designed for an Exim server that
2# is put in front of an Exchange 5.5 system but which verifies the valid
3# addresses that are stored in Exchange via LDAP lookups against the Exchange
4# server. The advantage being that I can do much more aggressive spam
5# fighting, make my own set of policy decisions etc, using the flexibility of
6# Exim while still supporting the Exchange system for final delivery (not my
7# ideal situation but the company relies on it). In any case, I thought this
8# was sufficiently useful and answers some semi-regular questions on the list,
9# that it might be included in either the FAQ or the sample configs.
10
11# From: Tabor J. Wells <twells@fsckit.net>
12# Date: Wed, 21 Aug 2002 11:16:36 -0400
13
14
15
16
17######################################################################
18# Runtime configuration file for Exim #
19######################################################################
20
21
22# This is a default configuration file which will operate correctly in
23# uncomplicated installations. Please see the manual for a complete list
24# of all the runtime configuration options that can be included in a
25# configuration file. There are many more than are mentioned here. The
26# manual is in the file doc/spec.txt in the Exim distribution as a plain
27# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
20f0f788 28# from the Exim ftp sites. The manual is also online at the Exim website.
e0f3765a
PH
29
30
31# This file is divided into several parts, all but the first of which are
32# headed by a line starting with the word "begin". Only those parts that
33# are required need to be present. Blank lines, and lines starting with #
34# are ignored.
35
36
37########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
38# #
39# Whenever you change Exim's configuration file, you *must* remember to #
40# HUP the Exim daemon, because it will not pick up the new configuration #
41# until you do. However, any other Exim processes that are started, for #
42# example, a process started by an MUA in order to send a message, will #
43# see the new configuration as soon as it is in place. #
44# #
45# You do not need to HUP the daemon for changes in auxiliary files that #
46# are referenced from this file. They are read every time they are used. #
47# #
48# It is usually a good idea to test a new configuration for syntactic #
49# correctness before installing it (for example, by running the command #
50# "exim -C /config/file.new -bV"). #
51# #
52########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
53
54
55
56######################################################################
57# MAIN CONFIGURATION SETTINGS #
58######################################################################
59
60# Specify your host's canonical name here. This should normally be the fully
61# qualified "official" name of your host. If this option is not set, the
62# uname() function is called to obtain the name. In many cases this does
63# the right thing and you need not set anything explicitly.
64
65# primary_hostname =
66
67
68# The next three settings create two lists of domains and one list of hosts.
69# These lists are referred to later in this configuration using the syntax
70# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
71# are all colon-separated lists:
72
73domainlist local_domains = @ : dbm;/etc/exim/db/localdomains.db
74domainlist relay_to_domains =
75hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/24
76
77# Most straightforward access control requirements can be obtained by
78# appropriate settings of the above options. In more complicated situations, you
79# may need to modify the Access Control List (ACL) which appears later in this
80# file.
81
82# The first setting specifies your local domains, for example:
83#
84# domainlist local_domains = my.first.domain : my.second.domain
85#
86# You can use "@" to mean "the name of the local host", as in the default
87# setting above. This is the name that is specified by primary_hostname,
88# as specified above (or defaulted). If you do not want to do any local
89# deliveries, remove the "@" from the setting above. If you want to accept mail
90# addressed to your host's literal IP address, for example, mail addressed to
91# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
92# list. You also need to uncomment "allow_domain_literals" below. This is not
93# recommended for today's Internet.
94
95# The second setting specifies domains for which your host is an incoming relay.
96# If you are not doing any relaying, you should leave the list empty. However,
97# if your host is an MX backup or gateway of some kind for some domains, you
98# must set relay_to_domains to match those domains. For example:
99#
100# domainlist relay_to_domains = *.myco.com : my.friend.org
101#
102# This will allow any host to relay through your host to those domains.
103# See the section of the manual entitled "Control of relaying" for more
104# information.
105
106# The third setting specifies hosts that can use your host as an outgoing relay
107# to any other host on the Internet. Such a setting commonly refers to a
108# complete local network as well as the localhost. For example:
109#
110# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
111#
112# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
113# have to include 127.0.0.1 if you want to allow processes on your host to send
114# SMTP mail by using the loopback address. A number of MUAs use this method of
115# sending mail.
116
117
118# All three of these lists may contain many different kinds of item, including
119# wildcarded names, regular expressions, and file lookups. See the reference
120# manual for details. The lists above are used in the access control list for
121# incoming messages. The name of this ACL is defined here:
122
123acl_smtp_rcpt = acl_check_rcpt
124
125# You should not change that setting until you understand how ACLs work.
126
127
128# Specify the domain you want to be added to all unqualified addresses
129# here. An unqualified address is one that does not contain an "@" character
130# followed by a domain. For example, "caesar@rome.example" is a fully qualified
131# address, but the string "caesar" (i.e. just a login name) is an unqualified
132# email address. Unqualified addresses are accepted only from local callers by
133# default. See the recipient_unqualified_hosts option if you want to permit
134# unqualified addresses from remote sources. If this option is not set, the
135# primary_hostname value is used for qualification.
136
137# qualify_domain =
138
139
140# If you want unqualified recipient addresses to be qualified with a different
141# domain to unqualified sender addresses, specify the recipient domain here.
142# If this option is not set, the qualify_domain value is used.
143
144# qualify_recipient =
145
146
147# The following line must be uncommented if you want Exim to recognize
148# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
149# (an IP address) instead of a named domain. The RFCs still require this form,
150# but it makes little sense to permit mail to be sent to specific hosts by
151# their IP address in the modern Internet. This ancient format has been used
152# by those seeking to abuse hosts by using them for unwanted relaying. If you
153# really do want to support domain literals, uncomment the following line, and
154# see also the "domain_literal" router below.
155
156# allow_domain_literals
157
158
159# No deliveries will ever be run under the uids of these users (a colon-
160# separated list). An attempt to do so causes a panic error to be logged, and
161# the delivery to be deferred. This is a paranoic safety catch. Note that the
162# default setting means you cannot deliver mail addressed to root as if it
163# were a normal user. This isn't usually a problem, as most sites have an alias
164# for root that redirects such mail to a human administrator.
165
166never_users = root
167
168
169# The setting below causes Exim to do a reverse DNS lookup on all incoming
170# IP calls, in order to get the true host name. If you feel this is too
171# expensive, you can specify the networks for which a lookup is done, or
172# remove the setting entirely.
173
174host_lookup = *
175
176
177# The settings below, which are actually the same as the defaults in the
178# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
179# calls. You can limit the hosts to which these calls are made, and/or change
180# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
181# are disabled. RFC 1413 calls are cheap and can provide useful information
182# for tracing problem messages, but some hosts and firewalls have problems
183# with them. This can result in a timeout instead of an immediate refused
184# connection, leading to delays on starting up an SMTP session.
185
186rfc1413_hosts = *
187rfc1413_query_timeout = 30s
188
189
190# By default, Exim expects all envelope addresses to be fully qualified, that
191# is, they must contain both a local part and a domain. If you want to accept
192# unqualified addresses (just a local part) from certain hosts, you can specify
193# these hosts by setting one or both of
194#
195# sender_unqualified_hosts =
196# recipient_unqualified_hosts =
197#
198# to control sender and recipient addresses, respectively. When this is done,
199# unqualified addresses are qualified using the settings of qualify_domain
200# and/or qualify_recipient (see above).
201
202
203# If you want Exim to support the "percent hack" for certain domains,
204# uncomment the following line and provide a list of domains. The "percent
205# hack" is the feature by which mail addressed to x%y@z (where z is one of
206# the domains listed) is locally rerouted to x@y and sent on. If z is not one
207# of the "percent hack" domains, x%y is treated as an ordinary local part. This
208# hack is rarely needed nowadays; you should not enable it unless you are sure
209# that you really need it.
210#
211# percent_hack_domains =
212#
213# As well as setting this option you will also need to remove the test
214# for local parts containing % in the ACL definition below.
215
216
217# When Exim can neither deliver a message nor return it to sender, it "freezes"
218# the delivery error message (aka "bounce message"). There are also other
219# circumstances in which messages get frozen. They will stay on the queue for
220# ever unless one of the following options is set.
221
222# This option unfreezes frozen bounce messages after two days, tries
223# once more to deliver them, and ignores any delivery failures.
224
225ignore_bounce_errors_after = 2d
226
227# This option cancels (removes) frozen messages that are older than a week.
228
229timeout_frozen_after = 7d
230
231# Defined LDAP default servers
232ldap_default_servers = 192.168.1.101
233
234
235
236######################################################################
237# ACL CONFIGURATION #
238# Specifies access control lists for incoming SMTP mail #
239######################################################################
240
241begin acl
242
243# This access control list is used for every RCPT command in an incoming
244# SMTP message. The tests are run in order until the address is either
245# accepted or denied.
246
247acl_check_rcpt:
248
249 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
250 # testing for an empty sending host field.
251
252 accept hosts = :
253
254 # Deny if the local part contains @ or % or / or | or !. These are rarely
255 # found in genuine local parts, but are often tried by people looking to
256 # circumvent relaying restrictions.
257
258 # Also deny if the local part starts with a dot. Empty components aren't
259 # strictly legal in RFC 2822, but Exim allows them because this is common.
260 # However, actually starting with a dot may cause trouble if the local part
261 # is used as a file name (e.g. for a mailing list).
262
263 deny local_parts = ^.*[@%!/|] : ^\\.
264
265 # Accept mail to postmaster in any local domain, regardless of the source,
266 # and without verifying the sender.
267
268 accept local_parts = postmaster
269 domains = +local_domains
270
271 # Deny unless the sender address can be verified.
272
273 require verify = sender
274
275 #############################################################################
276 # There are no checks on DNS "black" lists because the domains that contain
277 # these lists are changing all the time. However, here are two examples of
278 # how you could get Exim to perform a DNS black list lookup at this point.
279 # The first one denies, while the second just warns.
280 #
281 # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
282 # dnslists = black.list.example
283 #
284 # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain
285 # log_message = found in $dnslist_domain
286 # dnslists = black.list.example
287 #############################################################################
288
289 # Accept if the address is in a local domain, but only if the recipient can
290 # be verified. Otherwise deny. The "endpass" line is the border between
291 # passing on to the next ACL statement (if tests above it fail) or denying
292 # access (if tests below it fail).
293
294 accept domains = +local_domains
295 endpass
296 message = unknown user
297 verify = recipient
298
299 # Accept if the address is in a domain for which we are relaying, but again,
300 # only if the recipient can be verified.
301
302 accept domains = +relay_to_domains
303 endpass
304 message = unrouteable address
305 verify = recipient
306
307 # If control reaches this point, the domain is neither in +local_domains
308 # nor in +relay_to_domains.
309
310 # Accept if the message comes from one of the hosts for which we are an
311 # outgoing relay. Recipient verification is omitted here, because in many
312 # cases the clients are dumb MUAs that don't cope well with SMTP error
313 # responses. If you are actually relaying out from MTAs, you should probably
314 # add recipient verification here.
315
316 accept hosts = +relay_from_hosts
317
318 # Accept if the message arrived over an authenticated connection, from
319 # any host. Again, these messages are usually from MUAs, so recipient
320 # verification is omitted.
321
322 accept authenticated = *
323
324 # Reaching the end of the ACL causes a "deny", but we might as well give
325 # an explicit message.
326
327 deny message = relay not permitted
328
329
330
331######################################################################
332# ROUTERS CONFIGURATION #
333# Specifies how addresses are handled #
334######################################################################
335# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
336# An address is passed to each router in turn until it is accepted. #
337######################################################################
338
339begin routers
340
341# This router routes to remote hosts over SMTP by explicit IP address,
342# when an email address is given in "domain literal" form, for example,
343# <user@[192.168.35.64]>. The RFCs require this facility. However, it is
344# little-known these days, and has been exploited by evil people seeking
345# to abuse SMTP relays. Consequently it is commented out in the default
346# configuration. If you uncomment this router, you also need to uncomment
347# allow_domain_literals above, so that Exim can recognize the syntax of
348# domain literal addresses.
349
350# domain_literal:
351# driver = ipliteral
352# domains = ! +local_domains
353# transport = remote_smtp
354
355
356# This router routes addresses that are not in local domains by doing a DNS
357# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
358# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
359# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
360# as the local host inside the network stack. It is not 0.0.0.0/0, the default
361# route. If the DNS lookup fails, no further routers are tried because of
362# the no_more setting, and consequently the address is unrouteable.
363
364dnslookup:
365 driver = dnslookup
366 domains = ! +local_domains
367 transport = remote_smtp
368 ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : 172.16.0.0/12
369 no_more
370
371
372# The remaining routers handle addresses in the local domain(s).
373
374
375# This router handles aliasing using a traditional /etc/aliases file.
376#
377##### NB You must ensure that /etc/aliases exists. It used to be the case
378##### NB that every Unix had that file, because it was the Sendmail default.
379##### NB These days, there are systems that don't have it. Your aliases
380##### NB file should at least contain an alias for "postmaster".
381#
382# If any of your aliases expand to pipes or files, you will need to set
383# up a user and a group for these deliveries to run under. You can do
384# this by uncommenting the "user" option below (changing the user name
385# as appropriate) and adding a "group" option if necessary. Alternatively, you
386# can specify "user" on the transports that are used. Note that the transports
387# listed below are the same as are used for .forward files; you might want
388# to set up different ones for pipe and file deliveries from aliases.
389
390system_aliases:
391 driver = redirect
392 allow_fail
393 allow_defer
394 data = ${lookup{$local_part}lsearch{/etc/exim/txt/aliases.txt}}
395# user = exim
396 file_transport = address_file
397 pipe_transport = address_pipe
398
399# This router matches local user mailboxes.
400# Domains set to $primary_hostname so that I can route stuff locally as need
401# be but prevent user@mylocaldomain.com from delivering locally when 'user'
402# also matches the Exchange lookup below.
403
404localuser:
405 driver = accept
406 check_local_user
407 domains = $primary_hostname
408 transport = local_delivery
409 no_more
410
411# Routers for lookups in LDAP on Exchange if they exist there then punt
412
413# First if it exists as a otherMailbox=smtp$user@example.com (Exchange's
414# format for aliases then substitute the canonical email address for this user
415# as defined by mail=
416
417exchangeothermailboxlookup:
418 driver = redirect
419 data = ${lookup ldap {ldap:///?mail?sub?(otherMailbox=smtp\$${quote_ldap:$local_part}@${quote_ldap:$domain})}}
420 domains = dbm;/etc/exim/db/localdomains.db
421 verify_recipient
422
423# This lookup verifies the mail=user@example.com format and if it exists
424# Pass to the the manualroute router which is used to punt to the internal
425# Exchange server as defined by domain.
426
427exchangemaillookup:
428 driver = redirect
429 data = ${lookup ldap {ldap:///?mail?sub?(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})}}
430 domains = dbm;/etc/exim/db/localdomains.db
431 verify_recipient
432 self = pass
433 pass_router = exchangeroute
434 no_more
435
436# localdomains.db contain entries that look like:
437# example.com: 192.168.1.101
438# example.net: 192.168.1.102
439# etc.
440
441exchangeroute:
442 driver = manualroute
443 transport = remote_smtp
444 route_data = ${lookup{$domain}dbm{/etc/exim/db/localdomains.db}}
445
446######################################################################
447# TRANSPORTS CONFIGURATION #
448######################################################################
449# ORDER DOES NOT MATTER #
450# Only one appropriate transport is called for each delivery. #
451######################################################################
452
453# A transport is used only when referenced from a router that successfully
454# handles an address.
455
456begin transports
457
458
459# This transport is used for delivering messages over SMTP connections.
460
461remote_smtp:
462 driver = smtp
463
464
465# This transport is used for local delivery to user mailboxes in traditional
466# BSD mailbox format. By default it will be run under the uid and gid of the
467# local user, and requires the sticky bit to be set on the /var/mail directory.
468# Some systems use the alternative approach of running mail deliveries under a
469# particular group instead of using the sticky bit. The commented options below
470# show how this can be done.
471
472local_delivery:
473 driver = appendfile
474 file = /var/mail/$local_part
475 delivery_date_add
476 envelope_to_add
477 return_path_add
478# group = mail
479# mode = 0660
480
481
482# This transport is used for handling pipe deliveries generated by alias or
483# .forward files. If the pipe generates any standard output, it is returned
484# to the sender of the message as a delivery error. Set return_fail_output
485# instead of return_output if you want this to happen only when the pipe fails
486# to complete normally. You can set different transports for aliases and
487# forwards if you want to - see the references to address_pipe in the routers
488# section above.
489
490address_pipe:
491 driver = pipe
492 return_output
493
494
495# This transport is used for handling deliveries directly to files that are
496# generated by aliasing or forwarding.
497
498address_file:
499 driver = appendfile
500 delivery_date_add
501 envelope_to_add
502 return_path_add
503
504
505# This transport is used for handling autoreplies generated by the filtering
506# option of the userforward router.
507
508address_reply:
509 driver = autoreply
510
511
512
513######################################################################
514# RETRY CONFIGURATION #
515######################################################################
516
517begin retry
518
519# This single retry rule applies to all domains and all errors. It specifies
520# retries every 15 minutes for 2 hours, then increasing retry intervals,
521# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
522# hours, then retries every 6 hours until 4 days have passed since the first
523# failed delivery.
524
525# Domain Error Retries
526# ------ ----- -------
527
528* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
529
530
531
532######################################################################
533# REWRITE CONFIGURATION #
534######################################################################
535
536# There are no rewriting specifications in this default configuration file.
537
538begin rewrite
539
540
541
542######################################################################
543# AUTHENTICATION CONFIGURATION #
544######################################################################
545
546# There are no authenticator specifications in this default configuration file.
547
548begin authenticators
549
550
551# End of Exim configuration file