| 1 | Date: Mon, 2 Dec 2002 10:35:06 +0000 |
| 2 | From: Mike Richardson <doctor@mcc.ac.uk> |
| 3 | |
| 4 | Hiya, |
| 5 | |
| 6 | I thought I'd submit this as an example of an authenticated mail hub |
| 7 | configuration. Several people have asked for it so I thought it |
| 8 | might be of interest. |
| 9 | |
Authenticated mail hubs that authenticate users against LDAP and simply
forward all mail to central mail routers. X- headers are added for
audit-trail purposes.
| 13 | |
| 14 | Config: |
| 15 | ######################################################################### |
| 16 | |
# Recipient-time policy is in acl_check_rcpt (defined further down).
acl_smtp_rcpt = acl_check_rcpt

# Give up on undeliverable bounces after 12 hours, and time out frozen
# messages after three days so the queue does not fill with dead mail.
ignore_bounce_errors_after = 12h
timeout_frozen_after       = 3d
| 22 | |
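# LDAP server. "hide" keeps the value out of non-admin "exim -bP" output.
# NOTE(review): the lookups below use plain "ldap:///", so user passwords
# from the authenticators reach this server as simple binds in clear unless
# the server is addressed as ldaps:// (or the link is otherwise protected).

hide ldap_default_servers = ldap.your.site

# TLS: advertise STARTTLS to every client but do not insist on it.
#
# NOTE(review): the original also set "tls_verify_hosts = *" with no
# tls_verify_certificates. As documented, tls_verify_hosts requests a client
# certificate from the listed hosts and aborts the TLS session when it does
# not verify -- and with no CA file nothing can verify -- which contradicts
# "don't insist on it". Opportunistic TLS needs neither option; if you want
# to check client certificates from particular hosts, set
# tls_verify_certificates and list only those hosts here (or use
# tls_try_verify_hosts to request without requiring). Keep the private key
# readable only by the Exim user.

tls_advertise_hosts = *
tls_certificate     = /var/cert/securemail.your.site.cert
tls_privatekey      = /var/cert/securemail.your.site.key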
| 33 | |
# Logging: drop queue-runner noise; add the incoming interface plus
# connection, protocol-error and syntax-error events. Logging the interface
# shows which port a client actually reached, which matters because some
# ISPs transparently proxy port 25 -- useful when users have trouble
# configuring or connecting.
log_selector = +incoming_interface +smtp_connection \
               +smtp_protocol_error +smtp_syntax_error \
               -queue_run
| 40 | |
# Inbound SMTP connection limits. The last 10 of the 200 slots are held back
# for hosts in smtp_reserve_hosts (the campus /16) so local clients can still
# submit when the hub is busy with outside connections.
smtp_accept_max      = 200
smtp_accept_queue    = 150
smtp_accept_reserve  = 10
smtp_reserve_hosts   = 130.88.0.0/16
smtp_connect_backlog = 100
| 48 | |
# Load-based throttling: above load 5 incoming mail is queued instead of
# delivered immediately; above load 7 no further queue deliveries start.
queue_only_load        = 5
deliver_queue_load_max = 7

# Message size limits (the second bounds how much of a message is returned
# in a bounce).
message_size_limit = 10M
return_size_limit  = 65535

# Stop accepting mail when free spool space drops below 100M.
check_spool_space = 100M

# Spread the spool over subdirectories.
split_spool_directory

# Parallel remote deliveries.
remote_max_parallel = 10
| 70 | |
# System filter, used here only to log X-Mailer information. It runs as the
# "exim" user; whatever the file contains is applied to every message, so
# keep it owned by root and not writable by anyone else.
system_filter      = /etc/systemfilter
system_filter_user = exim
| 75 | |
# Listen on ports 25, 465 and 587 of the public address so that clients
# whose ISP transparently proxies port 25 can still reach us on another port.
# NOTE(review): nothing here enables TLS-on-connect for 465 (later Exim
# versions have "tls_on_connect_ports = 465"); as written all three ports
# speak plain SMTP with STARTTLS, so clients expecting implicit TLS on 465
# will fail -- confirm against your Exim version.
local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587
| 79 | |
| 80 | # Only accept local traffic and authenticated stuff. |
| 81 | # Error message points to useful web page. |
| 82 | |
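acl_check_rcpt:

  # Locally submitted mail (no remote host) is accepted outright.
  accept  hosts = :

  # Refuse local parts carrying source-routing or shell metacharacters.
  deny    local_parts = ^.*[@%!/|]

  # Everything else must come from an authenticated client. Checking this
  # before sender verification means unauthenticated connections get the
  # intended "Not authenticated" reply and cause no routing work at all.
  deny    message = Not authenticated, see http://www.useful.web.page/
          !authenticated = *

  # Authenticated users still need a routable envelope sender; the
  # authenticated identity itself is recorded in X- headers by the router.
  require verify = sender

  accept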
| 92 | |
| 93 | |
| 94 | |
| 95 | ###################################################################### |
| 96 | # ROUTERS CONFIGURATION # |
| 97 | # Specifies how addresses are handled # |
| 98 | ###################################################################### |
| 99 | |
| 100 | begin routers |
| 101 | |
| 102 | # Manual route to force all traffic through our hubs which handle all |
| 103 | # the alias expansion, domain routing etc. |
# I add X- headers for audit-trail purposes, but no more information than
# would be expected in a legitimate email. Don't want to upset the DPA
# people.
| 107 | |
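smarthost:
  driver = manualroute
  transport = remote_smtp
  domains = ! +local_domains
  route_list = * mailrouter.your.site
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  # Audit trail: record who authenticated and from which host.
  # $authenticated_id is the raw SASL user name, so it is quoted before being
  # placed in an LDAP filter. Locally submitted mail has no
  # $authenticated_id; the def: guard stops a malformed "(uid=)" filter from
  # failing the expansion -- and with it the delivery -- for those messages.
  headers_add = ${if def:authenticated_id {\
    X-Authenticated-Sender: ${lookup ldap{ldap:///o=ac,c=uk?cn?sub?(uid=${quote_ldap:$authenticated_id})}{$value}{no}} from $sender_fullhost\n\
    X-Authenticated-From: ${lookup ldap{ldap:///o=ac,c=uk?mail?sub?(uid=${quote_ldap:$authenticated_id})}{$value}{no}}}}
  no_more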
| 119 | |
| 120 | # All other routes as per normal... |
| 121 | |
| 122 | |
| 123 | ###################################################################### |
| 124 | # AUTHENTICATION CONFIGURATION # |
| 125 | ###################################################################### |
| 126 | |
| 127 | # This only supports PLAIN and LOGIN due to the nature of our LDAP server. |
| 128 | |
| 129 | begin authenticators |
| 130 | |
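plain:
  driver = plaintext
  public_name = PLAIN
  # Only offer PLAIN once the session is encrypted; otherwise the password
  # crosses the wire in the clear on 25/587. ($tls_cipher is the variable
  # name in Exim 4 of this era; newer releases call it $tls_in_cipher.)
  server_advertise_condition = ${if def:tls_cipher {yes}{no}}
  # For PLAIN, $2 is the authentication id and $3 the password. Both are
  # attacker-supplied until the bind succeeds: the user name is quoted for
  # use in an LDAP filter, the password is quoted for the lookup's pass=
  # field, and an empty password is refused outright so it can never be
  # turned into an anonymous bind by the directory.
  server_condition = ${if eq{$3}{} {no} \
    {${lookup ldap {user="${lookup ldapdn{ldap:///o=ac,c=uk?sn?sub?(uid=${quote_ldap:$2})}{$value}{no}}" \
      pass=${quote:$3} \
      ldap:///o=ac,c=uk?sn?sub?(uid=${quote_ldap:$2})}{yes}{no}}}}
  server_set_id = $2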
| 138 | |
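login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  # Only offer LOGIN once the session is encrypted; otherwise the password
  # crosses the wire in the clear on 25/587. ($tls_cipher is the variable
  # name in Exim 4 of this era; newer releases call it $tls_in_cipher.)
  server_advertise_condition = ${if def:tls_cipher {yes}{no}}
  # For LOGIN, $1 is the user name and $2 the password. Both are
  # attacker-supplied until the bind succeeds: the user name is quoted for
  # use in an LDAP filter, the password is quoted for the lookup's pass=
  # field, and an empty password is refused outright so it can never be
  # turned into an anonymous bind by the directory.
  server_condition = ${if eq{$2}{} {no} \
    {${lookup ldap {user="${lookup ldapdn{ldap:///o=ac,c=uk?sn?sub?(uid=${quote_ldap:$1})}{$value}{no}}" \
      pass=${quote:$2} \
      ldap:///o=ac,c=uk?sn?sub?(uid=${quote_ldap:$1})}{yes}{no}}}}
  server_set_id = $1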
| 147 | # End of Exim configuration file |
| 148 | ########################################################################## |