TLS fixes for OpenSSL.
[exim.git] / configs / config.samples / C044
Date: Mon, 2 Dec 2002 10:35:06 +0000
From: Mike Richardson <doctor@mcc.ac.uk>

Hiya,

I thought I'd submit this as an example of an authenticated mail hub
configuration. Several people have asked for it so I thought it
might be of interest.

Authenticated mail hubs using LDAP to authenticate against which simply
forward mail to central mailrouters. X headers are added for audit
trail purposes.

Config:
#########################################################################

acl_smtp_rcpt = acl_check_rcpt

ignore_bounce_errors_after = 12h

timeout_frozen_after = 3d

# LDAP server:

hide ldap_default_servers = ldap.your.site

# SSL options. Advertise TLS but don't insist on it.

tls_advertise_hosts = *
tls_certificate = /var/cert/securemail.your.site.cert
tls_privatekey = /var/cert/securemail.your.site.key
tls_verify_hosts = *

# Remove the queue runner logs and add logging of the interface, protocols
# and connections. Useful for debugging when users are having difficulty
# configuring and connecting. Many ISPs use transparent proxying.
# (A trailing backslash continues the setting on the next line.)

log_selector = +incoming_interface -queue_run +smtp_protocol_error \
               +smtp_syntax_error +smtp_connection

# SMTP input limits. Some connections are reserved for local users.

smtp_accept_max = 200
smtp_accept_queue = 150
smtp_accept_reserve = 10
smtp_reserve_hosts = 130.88.0.0/16
smtp_connect_backlog = 100

# Overloading

queue_only_load = 5
deliver_queue_load_max = 7

# Message size limits

message_size_limit = 10M
return_size_limit = 65535

# Spool space check

check_spool_space = 100M

# Directory splitting

split_spool_directory

# Parallel remote deliveries

remote_max_parallel = 10

# My system filter is to create extra logging info for X-Mailer info.

system_filter = /etc/systemfilter
system_filter_user = exim

# Listen on multiple interfaces (ports 25, 465 and 587) to defeat
# transparent proxying.

local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587


######################################################################
#                        ACL CONFIGURATION                           #
######################################################################

# ACL definitions must follow a "begin acl" line.

begin acl

# Only accept local traffic and authenticated stuff.
# Error message points to useful web page.

acl_check_rcpt:

  accept  hosts = :
  deny    local_parts = ^.*[@%!/|]
  require verify = sender

  accept  authenticated = *

  deny    message = Not authenticated, see http://www.useful.web.page/



######################################################################
#                      ROUTERS CONFIGURATION                         #
#                Specifies how addresses are handled                 #
######################################################################

begin routers

# Manual route to force all traffic through our hubs which handle all
# the alias expansion, domain routing etc.
# I add an X header for audit trail purposes but no more information than
# would be expected from a legitimate email. Don't want to upset the DPA
# people.
# The two headers carry the authenticated user's cn and mail attributes,
# looked up in LDAP by the uid that was authenticated ($authenticated_id);
# "\n" separates the two header lines.

smarthost:
  driver = manualroute
  headers_add = X-Authenticated-Sender: ${lookup ldap\
    {ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \
    ${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\
    {ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}}
  transport = remote_smtp
  domains = ! +local_domains
  route_list = * mailrouter.your.site
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

# All other routers as per normal...


######################################################################
#                    AUTHENTICATION CONFIGURATION                    #
######################################################################

# This only supports PLAIN and LOGIN due to the nature of our LDAP server.
# Both authenticators find the user's DN with the inner ldapdn lookup and
# then bind to the LDAP server as that DN with the supplied password; a
# successful bind yields "yes". The user name goes through
# ${quote_ldap:...} so that filter metacharacters in it cannot change the
# search, and the password through ${quote:...} so that spaces in it do
# not break the user=/pass= parsing.

begin authenticators

# PLAIN: $1 is the authorization id (normally empty), $2 the user name,
# $3 the password.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${lookup ldap {user=\"${lookup \
    ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=${quote_ldap:$2}))}{$value}{no}}\" \
    pass=${quote:$3} \
    ldap:///o=ac,c=uk?sn?sub?(&(uid=${quote_ldap:$2}))}{yes}{no}}"
  server_set_id = $2

# LOGIN: the two prompts give $1 = user name, $2 = password.
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${lookup ldap {user=\"${lookup \
    ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=${quote_ldap:$1}))}{$value}{no}}\" \
    pass=${quote:$2} \
    ldap:///o=ac,c=uk?sn?sub?(&(uid=${quote_ldap:$1}))}{yes}{no}}"
  server_set_id = $1

# End of Exim configuration file
##########################################################################
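To see why the PLAIN authenticator above reads $2/$3 while LOGIN reads $1/$2, and why the uid needs quoting before it goes into the LDAP filter, here is an added Python example (not part of Mike's message or of Exim itself) that decodes constructed AUTH PLAIN and AUTH LOGIN exchanges into Exim's numbered variables and builds the (&(uid=...)) filter with RFC 4515 escaping, the filter-quoting half of what ${quote_ldap:...} does; the user name "doctor" and password "s3cret" are constructed values.

```python
import base64

# Constructed sample credentials; not real accounts.
SAMPLE_PLAIN = "AGRvY3RvcgBzM2NyZXQ="          # base64("\0doctor\0s3cret")
SAMPLE_LOGIN = ["ZG9jdG9y", "czNjcmV0"]         # base64("doctor"), base64("s3cret")


def decode_auth_plain(initial_response: str) -> dict:
    """Map an AUTH PLAIN response onto Exim's $1, $2, $3.

    RFC 4616 lays the data out as authzid NUL authcid NUL passwd. Exim
    numbers the NUL-separated fields from $1, so the user name lands in
    $2 and the password in $3, which is why the PLAIN authenticator looks
    up $2 and sets the authenticated id from $2.
    """
    fields = base64.b64decode(initial_response, validate=True).split(b"\0")
    if len(fields) != 3:
        raise ValueError("AUTH PLAIN needs exactly three NUL-separated fields")
    return {f"${n}": f.decode("utf-8") for n, f in enumerate(fields, start=1)}


def decode_auth_login(responses: list) -> dict:
    """AUTH LOGIN answers the two server_prompts one line at a time, so the
    user name is $1 and the password $2, matching the LOGIN authenticator."""
    if len(responses) != 2:
        raise ValueError("AUTH LOGIN expects a user name line and a password line")
    return {f"${n}": base64.b64decode(r, validate=True).decode("utf-8")
            for n, r in enumerate(responses, start=1)}


def quote_ldap(value: str) -> str:
    """RFC 4515 filter escaping: the part of Exim's ${quote_ldap:...} that
    stops a user name such as '*' from turning (uid=...) into a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def uid_filter(uid: str) -> str:
    """The search filter both authenticators use, with the uid quoted."""
    return "(&(uid=%s))" % quote_ldap(uid)


if __name__ == "__main__":
    plain = decode_auth_plain(SAMPLE_PLAIN)
    login = decode_auth_login(SAMPLE_LOGIN)
    print("PLAIN:", plain, "->", uid_filter(plain["$2"]))
    print("LOGIN:", login, "->", uid_filter(login["$1"]))
    print("wildcard uid, quoted:", uid_filter("*"))
```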