-# $Cambridge: exim/src/src/configure.default,v 1.2 2005/03/29 09:49:49 ph10 Exp $
+# $Cambridge: exim/src/src/configure.default,v 1.7 2006/02/20 16:31:49 ph10 Exp $
######################################################################
# Runtime configuration file for Exim #
hostlist relay_from_hosts = 127.0.0.1
# Most straightforward access control requirements can be obtained by
-# appropriate settings of the above options. In more complicated situations, you
-# may need to modify the Access Control List (ACL) which appears later in this
-# file.
+# appropriate settings of the above options. In more complicated situations,
+# you may need to modify the Access Control List (ACL) which appears later in
+# this file.
# The first setting specifies your local domains, for example:
#
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls have problems
# with them. This can result in a timeout instead of an immediate refused
-# connection, leading to delays on starting up an SMTP session.
+# connection, leading to delays on starting up SMTP sessions. (The default was
+# reduced from 30s to 5s for release 4.61.)
rfc1413_hosts = *
-rfc1413_query_timeout = 30s
+rfc1413_query_timeout = 5s
# By default, Exim expects all envelope addresses to be fully qualified, that
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
- # host. It blocks local parts that begin with a dot or contain @ % ! / or |.
- # If you have local accounts that include these characters, you will have to
- # modify this rule.
+ # host. The line "domains = +local_domains" restricts it to domains that are
+ # defined by the "domainlist local_domains" setting above. The rule blocks
+ # local parts that begin with a dot or contain @ % ! / or |. If you have
+ # local accounts that include these characters, you will have to modify this
+ # rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
- # The second rule applies to all other domains, and is less strict. This
- # allows your own users to send outgoing messages to sites that use slashes
- # and vertical bars in their local parts. It blocks local parts that begin
- # with a dot, slash, or vertical bar, but allows these characters within the
- # local part. However, the sequence /../ is barred. The use of @ % and ! is
- # blocked, as before. The motivation here is to prevent your users (or
- # your users' viruses) from mounting certain kinds of attack on remote sites.
+ # The second rule applies to all other domains, and is less strict. The line
+ # "domains = !+local_domains" restricts it to domains that are NOT defined by
+ # the "domainlist local_domains" setting above. The exclamation mark is a
+ # negating operator. This rule allows your own users to send outgoing
+ # messages to sites that use slashes and vertical bars in their local parts.
+ # It blocks local parts that begin with a dot, slash, or vertical bar, but
+ # allows these characters within the local part. However, the sequence /../
+ # is barred. The use of @ % and ! is blocked, as before. The motivation here
+ # is to prevent your users (or your users' viruses) from mounting certain
+ # kinds of attack on remote sites.
deny message = Restricted characters in address
domains = !+local_domains
require verify = sender
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
+ # so we set control=submission to make Exim treat the message as a
+ # submission. It will fix up various errors in the message, for example, the
+ # lack of a Date: header line. If you are actually relaying out out from
+ # MTAs, you may want to disable this. If you are handling both relaying from
+ # MTAs and submissions from MUAs you should probably split them into two
+ # lists, and handle them differently.
+
+ # Recipient verification is omitted here, because in many cases the clients
+ # are dumb MUAs that don't cope well with SMTP error responses. If you are
+ # actually relaying out from MTAs, you should probably add recipient
+ # verification here.
+
+ # Note that, by putting this test before any DNS black list checks, you will
+ # always accept from these hosts, even if they end up on a black list. The
+ # assumption is that they are your friends, and if they get onto a black
+ # list, it is a mistake.
+
+ accept hosts = +relay_from_hosts
+ control = submission
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted, and submission mode is set. And again, we do this
+ # check before any black list tests.
+
+ accept authenticated = *
+ control = submission
+
#############################################################################
- # There are no checks on DNS "black" lists because the domains that contain
- # these lists are changing all the time. However, here are two examples of
- # how you could get Exim to perform a DNS black list lookup at this point.
- # The first one denies, while the second just warns.
+ # There are no default checks on DNS black lists because the domains that
+ # contain these lists are changing all the time. However, here are two
+ # examples of how you can get Exim to perform a DNS black list lookup at this
+ # point. The first one denies, whereas the second just warns.
#
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
# dnslists = black.list.example
#############################################################################
+ #############################################################################
+ # This check is commented out because it is recognized that not every
+ # sysadmin will want to do it. If you enable it, the check performs
+ # Client SMTP Authorization (csa) checks on the sending host. These checks
+ # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
+ # an Internet draft. You can, of course, add additional conditions to this
+ # ACL statement to restrict the CSA checks to certain hosts only.
+ #
+ # require verify = csa
+ #############################################################################
+
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
endpass
verify = recipient
- # Accept if the address is in a domain for which we are relaying, but again,
- # only if the recipient can be verified.
+ # Accept if the address is in a domain for which we are an incoming relay,
+ # but again, only if the recipient can be verified.
accept domains = +relay_to_domains
endpass
verify = recipient
- # If control reaches this point, the domain is neither in +local_domains
- # nor in +relay_to_domains.
-
- # Accept if the message comes from one of the hosts for which we are an
- # outgoing relay. Recipient verification is omitted here, because in many
- # cases the clients are dumb MUAs that don't cope well with SMTP error
- # responses. If you are actually relaying out from MTAs, you should probably
- # add recipient verification here.
-
- accept hosts = +relay_from_hosts
-
- # Accept if the message arrived over an authenticated connection, from
- # any host. Again, these messages are usually from MUAs, so recipient
- # verification is omitted.
-
- accept authenticated = *
-
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
# This router routes addresses that are not in local domains by doing a DNS
-# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a
-# loopback interface address (127.0.0.0/8) is treated as if it had no DNS
-# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated
-# as the local host inside the network stack. It is not 0.0.0.0/0, the default
-# route. If the DNS lookup fails, no further routers are tried because of
-# the no_more setting, and consequently the address is unrouteable.
+# lookup on the domain name. The exclamation mark that appears in "domains = !
+# +local_domains" is a negating operator, that is, it can be read as "not". The
+# recipient's domain must not be one of those defined by "domainlist
+# local_domains" above for this router to be used.
+#
+# If the router is used, any domain that resolves to 0.0.0.0 or to a loopback
+# interface address (127.0.0.0/8) is treated as if it had no DNS entry. Note
+# that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated as the
+# local host inside the network stack. It is not 0.0.0.0/0, the default route.
+# If the DNS lookup fails, no further routers are tried because of the no_more
+# setting, and consequently the address is unrouteable.
dnslookup:
driver = dnslookup
no_more
-# The remaining routers handle addresses in the local domain(s).
+# The remaining routers handle addresses in the local domain(s), that is those
+# domains that are defined by "domainlist local_domains" above.
# This router handles aliasing using a linearly searched alias file with the
git://git.exim.org / exim.git / blobdiff