X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/23def16946e9b22f9f5e010dcef1082c42d699ac..38089ca5c8f4c06092324099fc38494f8491b53c:/src/src/configure.default

diff --git a/src/src/configure.default b/src/src/configure.default
index cf38305e5..3761dafbf 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -147,15 +147,15 @@ acl_smtp_data =         acl_check_data
 # spamd_address = 127.0.0.1 783
 
 
-# If Exim is compiled with support for TLS, you may want to enable the
-# following options so that Exim allows clients to make encrypted
-# connections. In the authenticators section below, there are template
-# configurations for plaintext username/password authentication. This kind
-# of authentication is only safe when used within a TLS connection, so the
-# authenticators will only work if the following TLS settings are turned on
-# as well.
+# If Exim is compiled with support for TLS, you may want to change the
+# following option so that Exim disallows certain clients from makeing encrypted
+# connections. The default is to allow all.
+# In the authenticators section below, there are template configurations for
+# plaintext username/password authentication. This kind of authentication is
+# only safe when used within a TLS connection, so the authenticators will only
+# work if TLS is allowed here.
 
-# Allow any client to use TLS.
+# This is equivalent to the default.
 
 # tls_advertise_hosts = *
 
@@ -169,7 +169,16 @@ acl_smtp_data =         acl_check_data
 # tls_privatekey = /etc/ssl/exim.pem
 
 # For OpenSSL, prefer EC- over RSA-authenticated ciphers
-# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endif
+
+# Don't offer resumption to (most) MUAs, who we don't want to reuse
+# tickets.  Once the TLS extension for vended ticket numbers comes
+# though, re-examine since resumption on a single-use ticket is still a benefit.
+.ifdef _HAVE_TLS_RESUME
+tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
+.endif
 
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
@@ -326,7 +335,7 @@ timeout_frozen_after = 7d
 
 
 # By default, messages that are waiting on Exim's queue are all held in a
-# single directory called "input" which it itself within Exim's spool
+# single directory called "input" which is itself within Exim's spool
 # directory. (The default spool directory is specified when Exim is built, and
 # is often /var/spool/exim/.) Exim works best when its queue is kept short, but
 # there are circumstances where this is not always possible. If you uncomment
@@ -449,6 +458,20 @@ acl_check_rcpt:
 
   require verify        = sender
 
+  # Reject all RCPT commands after too many bad recipients
+  # This is partly a defense against spam abuse and partly attacker abuse.
+  # Real senders should manage, by the time they get to 10 RCPT directives,
+  # to have had at least half of them be real addresses.
+  #
+  # This is a lightweight check and can protect you against repeated
+  # invocations of more heavy-weight checks which would come after it.
+
+  deny    condition     = ${if and {\
+                        {>{$rcpt_count}{10}}\
+                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+          message       = Rejected for too many bad recipients
+          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
   # Accept if the message comes from one of the hosts for which we are an
   # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
   # so we set control=submission to make Exim treat the message as a
@@ -481,11 +504,6 @@ acl_check_rcpt:
           control       = submission
           control       = dkim_disable_verify
 
-  # Insist that a HELO/EHLO was accepted.
-
-  require message       = nice hosts say HELO first
-          condition     = ${if def:sender_helo_name}
-
   # Insist that any other recipient address that we accept is either in one of
   # our local domains, or is in a domain for which we explicitly allow
   # relaying. Any other domain is rejected as being unacceptable for relaying.
@@ -507,8 +525,8 @@ acl_check_rcpt:
   # examples of how you can get Exim to perform a DNS black list lookup at this
   # point. The first one denies, whereas the second just warns.
   #
-  # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-  #         dnslists      = black.list.example
+  # deny    dnslists      = black.list.example
+  #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
   #
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
@@ -531,11 +549,11 @@ acl_check_rcpt:
   # to the first recipient must be deferred unless the sender talks PRDR.
   #
   # defer  !condition     = $prdr_requested
-  #        condition      = ${if > {0}{$receipients_count}}
+  #        condition      = ${if > {0}{$recipients_count}}
   #        condition      = ${if !eq {$acl_m_content_filter} \
   #                                  {${lookup PER_RCPT_CONTENT_FILTER}}}
   # warn   !condition     = $prdr_requested
-  #        condition      = ${if > {0}{$receipients_count}}
+  #        condition      = ${if > {0}{$recipients_count}}
   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
   #############################################################################
 
@@ -578,9 +596,9 @@ acl_check_data:
   # Deny if the message contains an overlong line.  Per the standards
   # we should never receive one such via SMTP.
   #
-  deny    message    = maximum allowed line length is 998 octets, \
+  deny    condition  = ${if > {$max_received_linelength}{998}}
+          message    = maximum allowed line length is 998 octets, \
                        got $max_received_linelength
-          condition  = ${if > {$max_received_linelength}{998}}
 
   # Deny if the headers contain badly-formed addresses.
   #
@@ -801,15 +819,11 @@ begin transports
 
 
 # This transport is used for delivering messages over SMTP connections.
-# Refuse to send any message with over-long lines, which could have
-# been received other than via SMTP. The use of message_size_limit to
-# enforce this is a red herring.
 
 remote_smtp:
   driver = smtp
-  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.ifdef _HAVE_PRDR
-  hosts_try_prdr = *
+.ifdef _HAVE_TLS_RESUME
+  tls_resumption_hosts = *
 .endif
 
 
@@ -822,7 +836,6 @@ remote_smtp:
 
 smarthost_smtp:
   driver = smtp
-  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
   multi_domain
   #
 .ifdef _HAVE_TLS
@@ -830,9 +843,9 @@ smarthost_smtp:
   # request with your smarthost provider to get things fixed:
   hosts_require_tls = *
   tls_verify_hosts = *
-  # As long as tls_verify_hosts is enabled, this won't matter, but if you
-  # have to comment it out then this will at least log whether you succeed
-  # or not:
+  # As long as tls_verify_hosts is enabled, this this will have no effect,
+  # but if you have to comment it out then this will at least log whether
+  # you succeed or not:
   tls_try_verify_hosts = *
   #
   # The SNI name should match the name which we'll expect to verify;
@@ -848,9 +861,9 @@ smarthost_smtp:
 .ifdef _HAVE_GNUTLS
   tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
 .endif
+.ifdef _HAVE_TLS_RESUME
+  tls_resumption_hosts = *
 .endif
-.ifdef _HAVE_PRDR
-  hosts_try_prdr = *
 .endif
 
 
@@ -863,7 +876,7 @@ smarthost_smtp:
 
 local_delivery:
   driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$local_part_data
   delivery_date_add
   envelope_to_add
   return_path_add