projects / exim.git / blame
| Commit | Line | Data |
|---|---|---|
| e0f3765a PH |
1 | Date: Mon, 2 Dec 2002 10:35:06 +0000 |
| 2 | From: Mike Richardson <doctor@mcc.ac.uk> | |
| 3 | ||
| 4 | Hiya, | |
| 5 | ||
| 6 | I thought I'd submit this as an example of an authenticated mail hub | |
| 7 | configuration. Several people have asked for it so I thought it | |
| 8 | might be of interest. | |
| 9 | ||
| 10 | Authenticated mail hubs using LDAP to authenticate against which simply | |
| 11 | forward mail to central mailrouters. X headers are added for audit | |
| 12 | trail purposes. | |
| 13 | ||
| 14 | Config: | |
| 15 | ######################################################################### | |
| 16 | ||
| 17 | acl_smtp_rcpt = acl_check_rcpt | |
| 18 | ||
| 19 | ignore_bounce_errors_after = 12h | |
| 20 | ||
| 21 | timeout_frozen_after = 3d | |
| 22 | ||
| 23 | # LDAP server: | |
| 24 | ||
| 25 | hide ldap_default_servers=ldap.your.site | |
| 26 | ||
| 27 | # SSL options. advertise TLS but don't insist on it. | |
| 28 | ||
| 29 | tls_advertise_hosts=* | |
| 30 | tls_certificate=/var/cert/securemail.your.site.cert | |
| 31 | tls_privatekey=/var/cert/securemail.your.site.key | |
| 32 | tls_verify_hosts= * | |
| 33 | ||
| 34 | # Remove the queue runner logs and add logging of the interface, protocols | |
| 35 | # and connections. Useful for debugging when users are having difficulty | |
| 36 | # configuring and connecting. Many ISPs use Transparent Proxying | |
| 37 | ||
| 38 | log_selector= +incoming_interface -queue_run +smtp_protocol_error | |
| 39 | +smtp_syntax_error +smtp_connection | |
| 40 | ||
| 41 | # SMTP input limits. Some connections are reserved for local users. | |
| 42 | ||
| 43 | smtp_accept_max=200 | |
| 44 | smtp_accept_queue=150 | |
| 45 | smtp_accept_reserve=10 | |
| 46 | smtp_reserve_hosts=130.88.0.0/16 | |
| 47 | smtp_connect_backlog=100 | |
| 48 | ||
| 49 | # Overloading | |
| 50 | ||
| 51 | queue_only_load=5 | |
| 52 | deliver_queue_load_max=7 | |
| 53 | ||
| 54 | # Message size limits | |
| 55 | ||
| 56 | message_size_limit=10M | |
| 57 | return_size_limit=65535 | |
| 58 | ||
| 59 | # Spool space check | |
| 60 | ||
| 61 | check_spool_space=100M | |
| 62 | ||
| 63 | # directory splitting | |
| 64 | ||
| 65 | split_spool_directory | |
| 66 | ||
| 67 | # Parallel remote deliver | |
| 68 | ||
| 69 | remote_max_parallel = 10 | |
| 70 | ||
| 71 | # My system filter is to create extra logging info for X-Mailer info. | |
| 72 | ||
| 73 | system_filter=/etc/systemfilter | |
| 74 | system_filter_user=exim | |
| 75 | ||
| 76 | # Listen of multiple interfaces to defeat transparent proxying | |
| 77 | ||
| 78 | local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587 | |
| 79 | ||
| 80 | # Only accept local traffic and authenticated stuff. | |
| 81 | # Error message points to useful web page. | |
| 82 | ||
| 83 | acl_check_rcpt: | |
| 84 | ||
| 85 | accept hosts = : | |
| 86 | deny local_parts = ^.*[@%!/|] | |
| 87 | require verify = sender | |
| 88 | ||
| 89 | accept authenticated = * | |
| 90 | ||
| 91 | deny message = Not authenticated, see http://www.useful.web.page/ | |
| 92 | ||
| 93 | ||
| 94 | ||
| 95 | ###################################################################### | |
| 96 | # ROUTERS CONFIGURATION # | |
| 97 | # Specifies how addresses are handled # | |
| 98 | ###################################################################### | |
| 99 | ||
| 100 | begin routers | |
| 101 | ||
| 102 | # Manual route to force all traffic through our hubs which handle all | |
| 103 | # the alias expansion, domain routing etc. | |
| 104 | # I add an X header for audit trail purposes but no more information that | |
| 105 | # would be expected from a legitimate email. Don't want to upset the DPA | |
| 106 | # people | |
| 107 | ||
| 108 | smarthost: | |
| 109 | driver = manualroute | |
| 110 | headers_add =X-Authenticated-Sender: ${lookup ldap\ | |
| 111 | {ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \ | |
| 112 | ${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\ | |
| 113 | {ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}} | |
| 114 | transport = remote_smtp | |
| 115 | domains = ! +local_domains | |
| 116 | route_list=* mailrouter.your.site | |
| 117 | ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 | |
| 118 | no_more | |
| 119 | ||
| 120 | # All other routes as per normal... | |
| 121 | ||
| 122 | ||
| 123 | ###################################################################### | |
| 124 | # AUTHENTICATION CONFIGURATION # | |
| 125 | ###################################################################### | |
| 126 | ||
| 127 | # This only supports PLAIN and LOGIN due to the nature of our LDAP server. | |
| 128 | ||
| 129 | begin authenticators | |
| 130 | ||
| 131 | plain: | |
| 132 | driver= plaintext | |
| 133 | public_name = PLAIN | |
| 134 | server_condition="${lookup ldap {user=\"${lookup \ | |
| 135 | ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{$value}{no}}\" pass=$3 \ | |
| 136 | ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{yes}{no}}" | |
| 137 | server_set_id = $2 | |
| 138 | ||
| 139 | login: | |
| 140 | driver = plaintext | |
| 141 | public_name= LOGIN | |
| 142 | server_prompts = "Username:: : Password::" | |
| 143 | server_condition="${lookup ldap {user=\"${lookup \ | |
| 144 | ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{$value}{no}}\" pass=$2 \ | |
| 145 | ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{yes}{no}}" | |
| 146 | server_set_id=$1 | |
| 147 | # End of Exim configuration file | |
| 148 | ########################################################################## |