+######################################################################
+# MACROS #
+######################################################################
+#
+
+# If you want to use a smarthost instead of sending directly to recipient
+# domains, uncomment this macro definition and set a real hostname.
+# An appropriately privileged user can then redirect email on the command-line
+# in emergencies, via -D.
+#
+# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# tls_certificate = /etc/ssl/exim.crt
# tls_privatekey = /etc/ssl/exim.pem
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
host_lookup = *
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support. It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
+
# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
# calls are made, and/or change the timeout that is used. If you set
# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
# There are two lists: keep_environment for the variables we trust, and
# add_environment for variables we want to set to a specific value.
-# Note that TZ is handled separateley by the timezone runtime option
+# Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.
# keep_environment = ^LDAP
# Deny if the message contains an overlong line. Per the standards
# we should never receive one such via SMTP.
#
- deny condition = ${if > {$max_received_linelength}{998}}
+ deny message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+ condition = ${if > {$max_received_linelength}{998}}
+
+ # Deny if the headers contain badly-formed addresses.
+ #
+ deny !verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
# transport = remote_smtp
+# This router can be used when you want to send all mail to a
+# server which handles DNS lookups for you; an ISP will typically run such
+# a server for their customers. The hostname in route_data comes from the
+# macro defined at the top of the file. If not defined, then we'll use the
+# dnslookup router below instead.
+# Beware that the hostname is specified again in the Transport.
+
+.ifdef ROUTER_SMARTHOST
+
+smarthost:
+ driver = manualroute
+ domains = ! +local_domains
+ transport = smarthost_smtp
+ route_data = ROUTER_SMARTHOST
+ ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+ no_more
+
+.else
+
# This router routes addresses that are not in local domains by doing a DNS
# lookup on the domain name. The exclamation mark that appears in "domains = !
# +local_domains" is a negating operator, that is, it can be read as "not". The
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+ dnssec_request_domains = *
no_more
-
-# This alternative router can be used when you want to send all mail to a
-# server which handles DNS lookups for you; an ISP will typically run such
-# a server for their customers. If you uncomment "smarthost" then you
-# should comment out "dnslookup" above. Setting a real hostname in route_data
-# wouldn't hurt either.
-
-# smarthost:
-# driver = manualroute
-# domains = ! +local_domains
-# transport = remote_smtp
-# route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
-# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-# no_more
+# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
+# off-site mail.
+.endif
# The remaining routers handle addresses in the local domain(s), that is those
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+ dnssec_request_domains = *
+ hosts_try_dane = *
+.endif
+
+
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled. This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+ # The SNI name should match the name which we'll expect to verify;
+ # many mail systems don't use SNI and this doesn't matter, but if it does,
+ # we need to send a name which the remote site will recognize.
+ # This _should_ be the name which the smarthost operators specified as
+ # the hostname for sending your mail to.
+ tls_sni = ROUTER_SMARTHOST
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
# This transport is used for local delivery to user mailboxes in traditional
projects / exim.git / blobdiff