-# $Cambridge: exim/src/src/configure.default,v 1.8 2006/06/07 17:42:27 fanf2 Exp $
-
######################################################################
# Runtime configuration file for Exim #
######################################################################
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
+#
# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
domainlist local_domains = @
domainlist relay_to_domains =
-hostlist relay_from_hosts = 127.0.0.1
+hostlist relay_from_hosts = localhost
+# (We rely upon hostname resolution working for localhost, because the default
+# uncommented configuration needs to work in IPv4-only environments.)
# Most straightforward access control requirements can be obtained by
# appropriate settings of the above options. In more complicated situations,
-# you may need to modify the Access Control List (ACL) which appears later in
+# you may need to modify the Access Control Lists (ACLs) which appear later in
# this file.
# The first setting specifies your local domains, for example:
# to any other host on the Internet. Such a setting commonly refers to a
# complete local network as well as the localhost. For example:
#
-# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
+# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 192.168.0.0/16
#
# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
# have to include 127.0.0.1 if you want to allow processes on your host to send
# SMTP mail by using the loopback address. A number of MUAs use this method of
-# sending mail.
+# sending mail. Often, connections are made to "localhost", which might be ::1
+# on IPv6-enabled hosts. Do not forget CIDR for your IPv6 networks.
# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# tls_certificate = /etc/ssl/exim.crt
# tls_privatekey = /etc/ssl/exim.pem
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
# allow_domain_literals
-# No deliveries will ever be run under the uids of these users (a colon-
-# separated list). An attempt to do so causes a panic error to be logged, and
-# the delivery to be deferred. This is a paranoic safety catch. There is an
-# even stronger safety catch in the form of the FIXED_NEVER_USERS setting
-# in the configuration for building Exim. The list of users that it specifies
-# is built into the binary, and cannot be changed. The option below just adds
-# additional users to the list. The default for FIXED_NEVER_USERS is "root",
-# but just to be absolutely sure, the default here is also "root".
+# No deliveries will ever be run under the uids of users specified by
+# never_users (a colon-separated list). An attempt to do so causes a panic
+# error to be logged, and the delivery to be deferred. This is a paranoic
+# safety catch. There is an even stronger safety catch in the form of the
+# FIXED_NEVER_USERS setting in the configuration for building Exim. The list of
+# users that it specifies is built into the binary, and cannot be changed. The
+# option below just adds additional users to the list. The default for
+# FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here
+# is also "root".
# Note that the default setting means you cannot deliver mail addressed to root
# as if it were a normal user. This isn't usually a problem, as most sites have
host_lookup = *
-# The settings below, which are actually the same as the defaults in the
-# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
-# calls. You can limit the hosts to which these calls are made, and/or change
-# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
-# are disabled. RFC 1413 calls are cheap and can provide useful information
-# for tracing problem messages, but some hosts and firewalls have problems
-# with them. This can result in a timeout instead of an immediate refused
-# connection, leading to delays on starting up SMTP sessions. (The default was
-# reduced from 30s to 5s for release 4.61.)
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support. It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
-rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+
+# The settings below cause Exim to make RFC 1413 (ident) callbacks
+# for all incoming SMTP calls. You can limit the hosts to which these
+# calls are made, and/or change the timeout that is used. If you set
+# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
+# are cheap and can provide useful information for tracing problem
+# messages, but some hosts and firewalls have problems with them.
+# This can result in a timeout instead of an immediate refused
+# connection, leading to delays on starting up SMTP sessions.
+# (The default was reduced from 30s to 5s for release 4.61. and to
+# disabled for release 4.86)
+#
+#rfc1413_hosts = *
+#rfc1413_query_timeout = 5s
+
+
+# Enable an efficiency feature. We advertise the feature; clients
+# may request to use it. For multi-recipient mails we then can
+# reject or accept per-user after the message is received.
+#
+prdr_enable = true
# By default, Exim expects all envelope addresses to be fully qualified, that
# and/or qualify_recipient (see above).
+# Unless you run a high-volume site you probably want more logging
+# detail than the default. Adjust to suit.
+
+log_selector = +smtp_protocol_error +smtp_syntax_error \
+ +tls_certificate_verified
+
+
# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
timeout_frozen_after = 7d
+# By default, messages that are waiting on Exim's queue are all held in a
+# single directory called "input" which it itself within Exim's spool
+# directory. (The default spool directory is specified when Exim is built, and
+# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
+# there are circumstances where this is not always possible. If you uncomment
+# the setting below, messages on the queue are held in 62 subdirectories of
+# "input" instead of all in the same directory. The subdirectories are called
+# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file
+# system degrades with many files in one directory, this is less likely to
+# happen; (2) Exim can process the queue one subdirectory at a time instead of
+# all at once, which can give better performance with large queues.
+
+# split_spool_directory = true
+
+
+# If you're in a part of the world where ASCII is not sufficient for most
+# text, then you're probably familiar with RFC2047 message header extensions.
+# By default, Exim adheres to the specification, including a limit of 76
+# characters to a line, with encoded words fitting within a line.
+# If you wish to use decoded headers in message filters in such a way
+# that successful decoding of malformed messages matters, you may wish to
+# configure Exim to be more lenient.
+#
+# check_rfc2047_length = false
+#
+# In particular, the Exim maintainers have had multiple reports of problems
+# from Russian administrators of issues until they disable this check,
+# because of some popular, yet buggy, mail composition software.
+
+
+# If you wish to be strictly RFC compliant, or if you know you'll be
+# exchanging email with systems that are not 8-bit clean, then you may
+# wish to disable advertising 8BITMIME. Uncomment this option to do so.
+
+# accept_8bitmime = false
+
+
+# Exim does not make use of environment variables itself. However,
+# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
+# There are two lists: keep_environment for the variables we trust, and
+# add_environment for variables we want to set to a specific value.
+# Note that TZ is handled separately by the timezone runtime option
+# and TIMEZONE_DEFAULT buildtime option.
+
+# keep_environment = ^LDAP
+# add_environment = PATH=/usr/bin::/bin
+
+
######################################################################
# ACL CONFIGURATION #
# testing for an empty sending host field.
accept hosts = :
+ control = dkim_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
accept hosts = +relay_from_hosts
control = submission
+ control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
accept authenticated = *
control = submission
+ control = dkim_disable_verify
+
+ # Insist that a HELO/EHLO was accepted.
+
+ require message = nice hosts say HELO first
+ condition = ${if def:sender_helo_name}
+
+ # Insist that any other recipient address that we accept is either in one of
+ # our local domains, or is in a domain for which we explicitly allow
+ # relaying. Any other domain is rejected as being unacceptable for relaying.
+
+ require message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+ # We also require all accepted addresses to be verifiable. This check will
+ # do local part verification for local domains, but only check the domain
+ # for remote domains. The only way to check local parts for the remote
+ # relay domains is to use a callout (add /callout), but please read the
+ # documentation about callouts before doing this.
+
+ require verify = recipient
#############################################################################
# There are no default checks on DNS black lists because the domains that
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
- # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+ # warn dnslists = black.list.example
+ # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
- # dnslists = black.list.example
#############################################################################
#############################################################################
# require verify = csa
#############################################################################
- # Accept if the address is in a local domain, but only if the recipient can
- # be verified. Otherwise deny. The "endpass" line is the border between
- # passing on to the next ACL statement (if tests above it fail) or denying
- # access (if tests below it fail).
+ # At this point, the address has passed all the checks that have been
+ # configured, so we accept it unconditionally.
- accept domains = +local_domains
- endpass
- verify = recipient
-
- # Accept if the address is in a domain for which we are an incoming relay,
- # but again, only if the recipient can be verified.
-
- accept domains = +relay_to_domains
- endpass
- verify = recipient
-
- # Reaching the end of the ACL causes a "deny", but we might as well give
- # an explicit message.
-
- deny message = relay not permitted
+ accept
# This ACL is used after the contents of a message have been received. This
acl_check_data:
+ # Deny if the message contains an overlong line. Per the standards
+ # we should never receive one such via SMTP.
+ #
+ deny message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+ condition = ${if > {$max_received_linelength}{998}}
+
+ # Deny if the headers contain badly-formed addresses.
+ #
+ deny !verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
+
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
- # deny malware = *
- # message = This message contains a virus ($malware_name).
+ # deny malware = *
+ # message = This message contains a virus ($malware_name).
# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You may also need to set the spamd_address
# option above.
#
- # warn spam = nobody
- # message = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # warn spam = nobody
+ # add_header = X-Spam_score: $spam_score\n\
+ # X-Spam_score_int: $spam_score_int\n\
+ # X-Spam_bar: $spam_bar\n\
+ # X-Spam_report: $spam_report
# Accept the message.
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+# if ipv6-enabled then instead use:
+# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+ dnssec_request_domains = *
no_more
+# This alternative router can be used when you want to send all mail to a
+# server which handles DNS lookups for you; an ISP will typically run such
+# a server for their customers. If you uncomment "smarthost" then you
+# should comment out "dnslookup" above. Setting a real hostname in route_data
+# wouldn't hurt either.
+
+# smarthost:
+# driver = manualroute
+# domains = ! +local_domains
+# transport = smarthost_smtp
+# route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
+# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+# no_more
+
+
# The remaining routers handle addresses in the local domain(s), that is those
# domains that are defined by "domainlist local_domains" above.
# file starts with the string "# Exim filter" or "# Sieve filter", uncomment
# the "allow_filter" option.
-# If you want this router to treat local parts with suffixes introduced by "-"
-# or "+" characters as if the suffixes did not exist, uncomment the two local_
-# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
-# in the same way as xxxx@your.domain by this router. You probably want to make
-# the same change to the localuser router.
-
# The no_verify setting means that this router is skipped when Exim is
# verifying addresses. Similarly, no_expn means that this router is skipped if
# Exim is processing an EXPN command.
+# If you want this router to treat local parts with suffixes introduced by "-"
+# or "+" characters as if the suffixes did not exist, uncomment the two local_
+# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
+# in the same way as xxxx@your.domain by this router. Because this router is
+# not used for verification, if you choose to uncomment those options, then you
+# will *need* to make the same change to the localuser router. (There are
+# other approaches, if this is undesirable, but they add complexity).
+
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# This transport is used for delivering messages over SMTP connections.
+# Refuse to send any message with over-long lines, which could have
+# been received other than via SMTP. The use of message_size_limit to
+# enforce this is a red herring.
remote_smtp:
driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+ dnssec_request_domains = *
+ hosts_try_dane = *
+.endif
+
+
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled. This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_sni = $host
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
# This transport is used for local delivery to user mailboxes in traditional
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
+# WARNING: If you do not have any retry rules at all (this section of the
+# configuration is non-existent or empty), Exim will not do any retries of
+# messages that fail to get delivered at the first attempt. The effect will
+# be to treat temporary errors as permanent. Therefore, DO NOT remove this
+# retry rule unless you really don't want any retries.
+
# Address or Domain Error Retries
# ----------------- ----- -------
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
######################################################################