X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8bffe3429669509867febc3e4503d5c57830744b..a050bbe0d120464d80dab3eb8af420c4ec686ca8:/src/src/configure.default diff --git a/src/src/configure.default b/src/src/configure.default index 156e9d144..729cdc392 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -1,5 +1,3 @@ -# $Cambridge: exim/src/src/configure.default,v 1.12 2006/10/25 08:42:57 ph10 Exp $ - ###################################################################### # Runtime configuration file for Exim # ###################################################################### @@ -11,7 +9,7 @@ # configuration file. There are many more than are mentioned here. The # manual is in the file doc/spec.txt in the Exim distribution as a plain # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available -# from the Exim ftp sites. The manual is also online at the Exim web sites. +# from the Exim ftp sites. The manual is also online at the Exim website. # This file is divided into several parts, all but the first of which are @@ -39,9 +37,22 @@ +###################################################################### +# MACROS # +###################################################################### +# + +# If you want to use a smarthost instead of sending directly to recipient +# domains, uncomment this macro definition and set a real hostname. +# An appropriately privileged user can then redirect email on the command-line +# in emergencies, via -D. +# +# ROUTER_SMARTHOST=MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE + ###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### +# # Specify your host's canonical name here. This should normally be the fully # qualified "official" name of your host. If this option is not set, the @@ -58,7 +69,9 @@ domainlist local_domains = @ domainlist relay_to_domains = -hostlist relay_from_hosts = 127.0.0.1 +hostlist relay_from_hosts = localhost +# (We rely upon hostname resolution working for localhost, because the default +# uncommented configuration needs to work in IPv4-only environments.) # Most straightforward access control requirements can be obtained by # appropriate settings of the above options. In more complicated situations, @@ -93,20 +106,24 @@ hostlist relay_from_hosts = 127.0.0.1 # to any other host on the Internet. Such a setting commonly refers to a # complete local network as well as the localhost. For example: # -# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16 +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 192.168.0.0/16 # # The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you # have to include 127.0.0.1 if you want to allow processes on your host to send # SMTP mail by using the loopback address. A number of MUAs use this method of -# sending mail. +# sending mail. Often, connections are made to "localhost", which might be ::1 +# on IPv6-enabled hosts. Do not forget CIDR for your IPv6 networks. # All three of these lists may contain many different kinds of item, including # wildcarded names, regular expressions, and file lookups. See the reference # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: -acl_smtp_rcpt = acl_check_rcpt -acl_smtp_data = acl_check_data +acl_smtp_rcpt = acl_check_rcpt +.ifdef _HAVE_PRDR +acl_smtp_data_prdr = acl_check_prdr +.endif +acl_smtp_data = acl_check_data # You should not change those settings until you understand how ACLs work. @@ -151,6 +168,9 @@ acl_smtp_data = acl_check_data # tls_certificate = /etc/ssl/exim.crt # tls_privatekey = /etc/ssl/exim.pem +# For OpenSSL, prefer EC- over RSA-authenticated ciphers +# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT + # In order to support roaming users who wish to send email from anywhere, # you may want to make Exim listen on other ports as well as port 25, in # case these users need to send email from a network that blocks port 25. @@ -220,18 +240,40 @@ never_users = root host_lookup = * -# The settings below, which are actually the same as the defaults in the -# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP -# calls. You can limit the hosts to which these calls are made, and/or change -# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls -# are disabled. RFC 1413 calls are cheap and can provide useful information -# for tracing problem messages, but some hosts and firewalls have problems -# with them. This can result in a timeout instead of an immediate refused -# connection, leading to delays on starting up SMTP sessions. (The default was -# reduced from 30s to 5s for release 4.61.) +# The setting below causes Exim to try to initialize the system resolver +# library with DNSSEC support. It has no effect if your library lacks +# DNSSEC support. -rfc1413_hosts = * -rfc1413_query_timeout = 5s +dns_dnssec_ok = 1 + + +# The settings below cause Exim to make RFC 1413 (ident) callbacks +# for all incoming SMTP calls. You can limit the hosts to which these +# calls are made, and/or change the timeout that is used. If you set +# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls +# are cheap and can provide useful information for tracing problem +# messages, but some hosts and firewalls have problems with them. +# This can result in a timeout instead of an immediate refused +# connection, leading to delays on starting up SMTP sessions. +# (The default was reduced from 30s to 5s for release 4.61. and to +# disabled for release 4.86) +# +#rfc1413_hosts = * +#rfc1413_query_timeout = 5s + + +# Enable an efficiency feature. We advertise the feature; clients +# may request to use it. For multi-recipient mails we then can +# reject or accept per-user after the message is received. +# This supports recipient-dependent content filtering; without it +# you have to temp-reject any recipients after the first that have +# incompatible filtering, and do the filtering in the data ACL. +# Even with this enabled, you must support the old style for peers +# not flagging support for PRDR (visible via $prdr_requested). +# +.ifdef _HAVE_PRDR +prdr_enable = true +.endif # By default, Exim expects all envelope addresses to be fully qualified, that @@ -247,6 +289,13 @@ rfc1413_query_timeout = 5s # and/or qualify_recipient (see above). +# Unless you run a high-volume site you probably want more logging +# detail than the default. Adjust to suit. + +log_selector = +smtp_protocol_error +smtp_syntax_error \ + +tls_certificate_verified + + # If you want Exim to support the "percent hack" for certain domains, # uncomment the following line and provide a list of domains. The "percent # hack" is the feature by which mail addressed to x%y@z (where z is one of @@ -277,7 +326,7 @@ timeout_frozen_after = 7d # By default, messages that are waiting on Exim's queue are all held in a -# single directory called "input" which it itself within Exim's spool +# single directory called "input" which is itself within Exim's spool # directory. (The default spool directory is specified when Exim is built, and # is often /var/spool/exim/.) Exim works best when its queue is kept short, but # there are circumstances where this is not always possible. If you uncomment @@ -291,6 +340,39 @@ timeout_frozen_after = 7d # split_spool_directory = true +# If you're in a part of the world where ASCII is not sufficient for most +# text, then you're probably familiar with RFC2047 message header extensions. +# By default, Exim adheres to the specification, including a limit of 76 +# characters to a line, with encoded words fitting within a line. +# If you wish to use decoded headers in message filters in such a way +# that successful decoding of malformed messages matters, you may wish to +# configure Exim to be more lenient. +# +# check_rfc2047_length = false +# +# In particular, the Exim maintainers have had multiple reports of problems +# from Russian administrators of issues until they disable this check, +# because of some popular, yet buggy, mail composition software. + + +# If you wish to be strictly RFC compliant, or if you know you'll be +# exchanging email with systems that are not 8-bit clean, then you may +# wish to disable advertising 8BITMIME. Uncomment this option to do so. + +# accept_8bitmime = false + + +# Exim does not make use of environment variables itself. However, +# libraries that Exim uses (e.g. LDAP) depend on specific environment settings. +# There are two lists: keep_environment for the variables we trust, and +# add_environment for variables we want to set to a specific value. +# Note that TZ is handled separately by the timezone runtime option +# and TIMEZONE_DEFAULT buildtime option. + +# keep_environment = ^LDAP +# add_environment = PATH=/usr/bin::/bin + + ###################################################################### # ACL CONFIGURATION # @@ -309,6 +391,7 @@ acl_check_rcpt: # testing for an empty sending host field. accept hosts = : + control = dkim_disable_verify ############################################################################# # The following section of the ACL is concerned with local parts that contain @@ -387,6 +470,7 @@ acl_check_rcpt: accept hosts = +relay_from_hosts control = submission + control = dkim_disable_verify # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient @@ -395,6 +479,12 @@ acl_check_rcpt: accept authenticated = * control = submission + control = dkim_disable_verify + + # Insist that a HELO/EHLO was accepted. + + require message = nice hosts say HELO first + condition = ${if def:sender_helo_name} # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow @@ -417,8 +507,8 @@ acl_check_rcpt: # examples of how you can get Exim to perform a DNS black list lookup at this # point. The first one denies, whereas the second just warns. # - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain @@ -436,12 +526,45 @@ acl_check_rcpt: # require verify = csa ############################################################################# + ############################################################################# + # If doing per-user content filtering then recipients with filters different + # to the first recipient must be deferred unless the sender talks PRDR. + # + # defer !condition = $prdr_requested + # condition = ${if > {0}{$receipients_count}} + # condition = ${if !eq {$acl_m_content_filter} \ + # {${lookup PER_RCPT_CONTENT_FILTER}}} + # warn !condition = $prdr_requested + # condition = ${if > {0}{$receipients_count}} + # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + ############################################################################# + # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. accept +# This ACL is used once per recipient, for multi-recipient messages, if +# we advertised PRDR. It can be used to perform receipient-dependent +# header- and body- based filtering and rejections. +# We set a variable to record that PRDR was active used, so that checking +# in the data ACL can be skipped. + +.ifdef _HAVE_PRDR +acl_check_prdr: + warn set acl_m_did_prdr = y + + ############################################################################# + # do lookup on filtering, with $local_part@$domain, deny on filter match + # + # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + # condition = ... + ############################################################################# + + accept +.endif + # This ACL is used after the contents of a message have been received. This # is the ACL in which you can test a message's headers or body, and in # particular, this is where you can invoke external virus or spam scanners. @@ -452,6 +575,19 @@ acl_check_rcpt: acl_check_data: + # Deny if the message contains an overlong line. Per the standards + # we should never receive one such via SMTP. + # + deny condition = ${if > {$max_received_linelength}{998}} + message = maximum allowed line length is 998 octets, \ + got $max_received_linelength + + # Deny if the headers contain badly-formed addresses. + # + deny !verify = header_syntax + message = header syntax + log_message = header syntax ($acl_verify_message) + # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. # @@ -468,6 +604,19 @@ acl_check_data: # X-Spam_bar: $spam_bar\n\ # X-Spam_report: $spam_report + ############################################################################# + # No more tests if PRDR was actively used. + # accept condition = ${if def:acl_m_did_prdr} + # + # To get here, all message recipients must have identical per-user + # content filtering (enforced by RCPT ACL). Do lookup for filter + # and deny on match. + # + # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + # condition = ... + ############################################################################# + + # Accept the message. accept @@ -499,6 +648,25 @@ begin routers # transport = remote_smtp +# This router can be used when you want to send all mail to a +# server which handles DNS lookups for you; an ISP will typically run such +# a server for their customers. The hostname in route_data comes from the +# macro defined at the top of the file. If not defined, then we'll use the +# dnslookup router below instead. +# Beware that the hostname is specified again in the Transport. + +.ifdef ROUTER_SMARTHOST + +smarthost: + driver = manualroute + domains = ! +local_domains + transport = smarthost_smtp + route_data = ROUTER_SMARTHOST + ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + no_more + +.else + # This router routes addresses that are not in local domains by doing a DNS # lookup on the domain name. The exclamation mark that appears in "domains = ! # +local_domains" is a negating operator, that is, it can be read as "not". The @@ -517,8 +685,14 @@ dnslookup: domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 +# if ipv6-enabled then instead use: +# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 no_more +# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for +# off-site mail. +.endif + # The remaining routers handle addresses in the local domain(s), that is those # domains that are defined by "domainlist local_domains" above. @@ -559,16 +733,18 @@ system_aliases: # file starts with the string "# Exim filter" or "# Sieve filter", uncomment # the "allow_filter" option. -# If you want this router to treat local parts with suffixes introduced by "-" -# or "+" characters as if the suffixes did not exist, uncomment the two local_ -# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated -# in the same way as xxxx@your.domain by this router. You probably want to make -# the same change to the localuser router. - # The no_verify setting means that this router is skipped when Exim is # verifying addresses. Similarly, no_expn means that this router is skipped if # Exim is processing an EXPN command. +# If you want this router to treat local parts with suffixes introduced by "-" +# or "+" characters as if the suffixes did not exist, uncomment the two local_ +# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated +# in the same way as xxxx@your.domain by this router. Because this router is +# not used for verification, if you choose to uncomment those options, then you +# will *need* to make the same change to the localuser router. (There are +# other approaches, if this is undesirable, but they add complexity). + # The check_ancestor option means that if the forward file generates an # address that is an ancestor of the current one, the current one gets # passed on instead. This covers the case where A is aliased to B and B @@ -625,9 +801,57 @@ begin transports # This transport is used for delivering messages over SMTP connections. +# Refuse to send any message with over-long lines, which could have +# been received other than via SMTP. The use of message_size_limit to +# enforce this is a red herring. remote_smtp: driver = smtp + message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} +.ifdef _HAVE_PRDR + hosts_try_prdr = * +.endif + + +# This transport is used for delivering messages to a smarthost, if the +# smarthost router is enabled. This starts from the same basis as +# "remote_smtp" but then turns on various security options, because +# we assume that if you're told "use smarthost.example.org as the smarthost" +# then there will be TLS available, with a verifiable certificate for that +# hostname, using decent TLS. + +smarthost_smtp: + driver = smtp + message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} + multi_domain + # +.ifdef _HAVE_TLS + # Comment out any of these which you have to, then file a Support + # request with your smarthost provider to get things fixed: + hosts_require_tls = * + tls_verify_hosts = * + # As long as tls_verify_hosts is enabled, this won't matter, but if you + # have to comment it out then this will at least log whether you succeed + # or not: + tls_try_verify_hosts = * + # + # The SNI name should match the name which we'll expect to verify; + # many mail systems don't use SNI and this doesn't matter, but if it does, + # we need to send a name which the remote site will recognize. + # This _should_ be the name which the smarthost operators specified as + # the hostname for sending your mail to. + tls_sni = ROUTER_SMARTHOST + # +.ifdef _HAVE_OPENSSL + tls_require_ciphers = HIGH:!aNULL:@STRENGTH +.endif +.ifdef _HAVE_GNUTLS + tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 +.endif +.endif +.ifdef _HAVE_PRDR + hosts_try_prdr = * +.endif # This transport is used for local delivery to user mailboxes in traditional @@ -639,7 +863,7 @@ remote_smtp: local_delivery: driver = appendfile - file = /var/mail/$local_part + file = /var/mail/$local_part_data delivery_date_add envelope_to_add return_path_add @@ -690,6 +914,12 @@ begin retry # hours, then retries every 6 hours until 4 days have passed since the first # failed delivery. +# WARNING: If you do not have any retry rules at all (this section of the +# configuration is non-existent or empty), Exim will not do any retries of +# messages that fail to get delivered at the first attempt. The effect will +# be to treat temporary errors as permanent. Therefore, DO NOT remove this +# retry rule unless you really don't want any retries. + # Address or Domain Error Retries # ----------------- ----- ------- @@ -741,7 +971,7 @@ begin authenticators # server_set_id = $auth2 # server_prompts = : # server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no # authorization ID in this mechanism, so unlike PLAIN the username and @@ -753,7 +983,7 @@ begin authenticators # server_set_id = $auth1 # server_prompts = <| Username: | Password: # server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# server_advertise_condition = ${if def:tls_in_cipher } ######################################################################