# spamd_address = 127.0.0.1 783
-# If Exim is compiled with support for TLS, you may want to enable the
-# following options so that Exim allows clients to make encrypted
-# connections. In the authenticators section below, there are template
-# configurations for plaintext username/password authentication. This kind
-# of authentication is only safe when used within a TLS connection, so the
-# authenticators will only work if the following TLS settings are turned on
-# as well.
+# If Exim is compiled with support for TLS, you may want to change the
+# following option so that Exim disallows certain clients from makeing encrypted
+# connections. The default is to allow all.
+# In the authenticators section below, there are template configurations for
+# plaintext username/password authentication. This kind of authentication is
+# only safe when used within a TLS connection, so the authenticators will only
+# work if TLS is allowed here.
-# Allow any client to use TLS.
+# This is equivalent to the default.
# tls_advertise_hosts = *
# tls_privatekey = /etc/ssl/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
-# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endif
+
+# Don't offer resumption to (most) MUAs, who we don't want to reuse
+# tickets. Once the TLS extension for vended ticket numbers comes
+# though, re-examine since resumption on a single-use ticket is still a benefit.
+.ifdef _HAVE_TLS_RESUME
+tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
+.endif
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
-# The standard port for this purpose is port 587, the "message submission"
-# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
+# The standard ports for this purpose are:
+# port 587, the "message submission" port - see RFC 4409 for details,
+# and 465 the TLS-encrypted "submission" port, service name is "submissions",
+# see RFC 8314.
+
+# Microsoft MUAs cannot be configured to
# talk the message submission protocol correctly, so if you need to support
-# them you should also allow TLS-on-connect on the traditional but
-# non-standard port 465.
+# them you should also allow TLS-on-connect on the traditional (and now
+# standard) port 465.
# daemon_smtp_ports = 25 : 465 : 587
# tls_on_connect_ports = 465
# By default, messages that are waiting on Exim's queue are all held in a
-# single directory called "input" which it itself within Exim's spool
+# single directory called "input" which is itself within Exim's spool
# directory. (The default spool directory is specified when Exim is built, and
# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
# there are circumstances where this is not always possible. If you uncomment
require verify = sender
+ # Reject all RCPT commands after too many bad recipients
+ # This is partly a defense against spam abuse and partly attacker abuse.
+ # Real senders should manage, by the time they get to 10 RCPT directives,
+ # to have had at least half of them be real addresses.
+ #
+ # This is a lightweight check and can protect you against repeated
+ # invocations of more heavy-weight checks which would come after it.
+
+ deny condition = ${if and {\
+ {>{$rcpt_count}{10}}\
+ {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+ message = Rejected for too many bad recipients
+ logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
control = submission
control = dkim_disable_verify
- # Insist that a HELO/EHLO was accepted.
-
- require message = nice hosts say HELO first
- condition = ${if def:sender_helo_name}
-
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
# examples of how you can get Exim to perform a DNS black list lookup at this
# point. The first one denies, whereas the second just warns.
#
- # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
- # dnslists = black.list.example
+ # deny dnslists = black.list.example
+ # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
#
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# to the first recipient must be deferred unless the sender talks PRDR.
#
# defer !condition = $prdr_requested
- # condition = ${if > {0}{$receipients_count}}
+ # condition = ${if > {0}{$recipients_count}}
# condition = ${if !eq {$acl_m_content_filter} \
# {${lookup PER_RCPT_CONTENT_FILTER}}}
# warn !condition = $prdr_requested
- # condition = ${if > {0}{$receipients_count}}
+ # condition = ${if > {0}{$recipients_count}}
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
.ifdef _HAVE_PRDR
acl_check_prdr:
warn set acl_m_did_prdr = y
-.endif
#############################################################################
# do lookup on filtering, with $local_part@$domain, deny on filter match
#############################################################################
accept
+.endif
# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# Deny if the message contains an overlong line. Per the standards
# we should never receive one such via SMTP.
#
- deny message = maximum allowed line length is 998 octets, \
+ deny condition = ${if > {$max_received_linelength}{998}}
+ message = maximum allowed line length is 998 octets, \
got $max_received_linelength
- condition = ${if > {$max_received_linelength}{998}}
# Deny if the headers contain badly-formed addresses.
#
# This transport is used for delivering messages over SMTP connections.
-# Refuse to send any message with over-long lines, which could have
-# been received other than via SMTP. The use of message_size_limit to
-# enforce this is a red herring.
remote_smtp:
driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.ifdef _HAVE_PRDR
- hosts_try_prdr = *
+.ifdef _HAVE_TLS_RESUME
+ tls_resumption_hosts = *
.endif
smarthost_smtp:
driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
multi_domain
#
.ifdef _HAVE_TLS
# request with your smarthost provider to get things fixed:
hosts_require_tls = *
tls_verify_hosts = *
- # As long as tls_verify_hosts is enabled, this won't matter, but if you
- # have to comment it out then this will at least log whether you succeed
- # or not:
+ # As long as tls_verify_hosts is enabled this will have no effect,
+ # but if you have to comment it out then this will at least log whether
+ # you succeed or not:
tls_try_verify_hosts = *
#
# The SNI name should match the name which we'll expect to verify;
.ifdef _HAVE_GNUTLS
tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
.endif
+.ifdef _HAVE_TLS_RESUME
+ tls_resumption_hosts = *
.endif
-.ifdef _HAVE_PRDR
- hosts_try_prdr = *
.endif
local_delivery:
driver = appendfile
- file = /var/mail/$local_part
+ file = /var/mail/$local_part_data
delivery_date_add
envelope_to_add
return_path_add