X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/aa6e77afb5ba7df42fcff06cac744b1f4a4105d2..38089ca5c8f4c06092324099fc38494f8491b53c:/src/src/configure.default diff --git a/src/src/configure.default b/src/src/configure.default index 15ca3fdae..3761dafbf 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -9,7 +9,7 @@ # configuration file. There are many more than are mentioned here. The # manual is in the file doc/spec.txt in the Exim distribution as a plain # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available -# from the Exim ftp sites. The manual is also online at the Exim web sites. +# from the Exim ftp sites. The manual is also online at the Exim website. # This file is divided into several parts, all but the first of which are @@ -119,8 +119,11 @@ hostlist relay_from_hosts = localhost # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: -acl_smtp_rcpt = acl_check_rcpt -acl_smtp_data = acl_check_data +acl_smtp_rcpt = acl_check_rcpt +.ifdef _HAVE_PRDR +acl_smtp_data_prdr = acl_check_prdr +.endif +acl_smtp_data = acl_check_data # You should not change those settings until you understand how ACLs work. @@ -144,15 +147,15 @@ acl_smtp_data = acl_check_data # spamd_address = 127.0.0.1 783 -# If Exim is compiled with support for TLS, you may want to enable the -# following options so that Exim allows clients to make encrypted -# connections. In the authenticators section below, there are template -# configurations for plaintext username/password authentication. This kind -# of authentication is only safe when used within a TLS connection, so the -# authenticators will only work if the following TLS settings are turned on -# as well. +# If Exim is compiled with support for TLS, you may want to change the +# following option so that Exim disallows certain clients from makeing encrypted +# connections. The default is to allow all. +# In the authenticators section below, there are template configurations for +# plaintext username/password authentication. This kind of authentication is +# only safe when used within a TLS connection, so the authenticators will only +# work if TLS is allowed here. -# Allow any client to use TLS. +# This is equivalent to the default. # tls_advertise_hosts = * @@ -166,7 +169,16 @@ acl_smtp_data = acl_check_data # tls_privatekey = /etc/ssl/exim.pem # For OpenSSL, prefer EC- over RSA-authenticated ciphers -# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +.ifdef _HAVE_OPENSSL +tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +.endif + +# Don't offer resumption to (most) MUAs, who we don't want to reuse +# tickets. Once the TLS extension for vended ticket numbers comes +# though, re-examine since resumption on a single-use ticket is still a benefit. +.ifdef _HAVE_TLS_RESUME +tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} +.endif # In order to support roaming users who wish to send email from anywhere, # you may want to make Exim listen on other ports as well as port 25, in @@ -262,8 +274,15 @@ dns_dnssec_ok = 1 # Enable an efficiency feature. We advertise the feature; clients # may request to use it. For multi-recipient mails we then can # reject or accept per-user after the message is received. +# This supports recipient-dependent content filtering; without it +# you have to temp-reject any recipients after the first that have +# incompatible filtering, and do the filtering in the data ACL. +# Even with this enabled, you must support the old style for peers +# not flagging support for PRDR (visible via $prdr_requested). # +.ifdef _HAVE_PRDR prdr_enable = true +.endif # By default, Exim expects all envelope addresses to be fully qualified, that @@ -283,7 +302,7 @@ prdr_enable = true # detail than the default. Adjust to suit. log_selector = +smtp_protocol_error +smtp_syntax_error \ - +tls_certificate_verified + +tls_certificate_verified # If you want Exim to support the "percent hack" for certain domains, @@ -316,7 +335,7 @@ timeout_frozen_after = 7d # By default, messages that are waiting on Exim's queue are all held in a -# single directory called "input" which it itself within Exim's spool +# single directory called "input" which is itself within Exim's spool # directory. (The default spool directory is specified when Exim is built, and # is often /var/spool/exim/.) Exim works best when its queue is kept short, but # there are circumstances where this is not always possible. If you uncomment @@ -439,6 +458,20 @@ acl_check_rcpt: require verify = sender + # Reject all RCPT commands after too many bad recipients + # This is partly a defense against spam abuse and partly attacker abuse. + # Real senders should manage, by the time they get to 10 RCPT directives, + # to have had at least half of them be real addresses. + # + # This is a lightweight check and can protect you against repeated + # invocations of more heavy-weight checks which would come after it. + + deny condition = ${if and {\ + {>{$rcpt_count}{10}}\ + {<{$recipients_count}{${eval:$rcpt_count/2}}} }} + message = Rejected for too many bad recipients + logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}] + # Accept if the message comes from one of the hosts for which we are an # outgoing relay. It is assumed that such hosts are most likely to be MUAs, # so we set control=submission to make Exim treat the message as a @@ -471,11 +504,6 @@ acl_check_rcpt: control = submission control = dkim_disable_verify - # Insist that a HELO/EHLO was accepted. - - require message = nice hosts say HELO first - condition = ${if def:sender_helo_name} - # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow # relaying. Any other domain is rejected as being unacceptable for relaying. @@ -497,8 +525,8 @@ acl_check_rcpt: # examples of how you can get Exim to perform a DNS black list lookup at this # point. The first one denies, whereas the second just warns. # - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain @@ -516,12 +544,45 @@ acl_check_rcpt: # require verify = csa ############################################################################# + ############################################################################# + # If doing per-user content filtering then recipients with filters different + # to the first recipient must be deferred unless the sender talks PRDR. + # + # defer !condition = $prdr_requested + # condition = ${if > {0}{$recipients_count}} + # condition = ${if !eq {$acl_m_content_filter} \ + # {${lookup PER_RCPT_CONTENT_FILTER}}} + # warn !condition = $prdr_requested + # condition = ${if > {0}{$recipients_count}} + # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + ############################################################################# + # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. accept +# This ACL is used once per recipient, for multi-recipient messages, if +# we advertised PRDR. It can be used to perform receipient-dependent +# header- and body- based filtering and rejections. +# We set a variable to record that PRDR was active used, so that checking +# in the data ACL can be skipped. + +.ifdef _HAVE_PRDR +acl_check_prdr: + warn set acl_m_did_prdr = y + + ############################################################################# + # do lookup on filtering, with $local_part@$domain, deny on filter match + # + # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + # condition = ... + ############################################################################# + + accept +.endif + # This ACL is used after the contents of a message have been received. This # is the ACL in which you can test a message's headers or body, and in # particular, this is where you can invoke external virus or spam scanners. @@ -535,15 +596,15 @@ acl_check_data: # Deny if the message contains an overlong line. Per the standards # we should never receive one such via SMTP. # - deny message = maximum allowed line length is 998 octets, \ + deny condition = ${if > {$max_received_linelength}{998}} + message = maximum allowed line length is 998 octets, \ got $max_received_linelength - condition = ${if > {$max_received_linelength}{998}} # Deny if the headers contain badly-formed addresses. # - deny !verify = header_syntax - message = header syntax - log_message = header syntax ($acl_verify_message) + deny !verify = header_syntax + message = header syntax + log_message = header syntax ($acl_verify_message) # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. @@ -561,6 +622,19 @@ acl_check_data: # X-Spam_bar: $spam_bar\n\ # X-Spam_report: $spam_report + ############################################################################# + # No more tests if PRDR was actively used. + # accept condition = ${if def:acl_m_did_prdr} + # + # To get here, all message recipients must have identical per-user + # content filtering (enforced by RCPT ACL). Do lookup for filter + # and deny on match. + # + # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + # condition = ... + ############################################################################# + + # Accept the message. accept @@ -631,7 +705,6 @@ dnslookup: ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 # if ipv6-enabled then instead use: # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 - dnssec_request_domains = * no_more # This closes the ROUTER_SMARTHOST ifdef around the choice of routing for @@ -746,16 +819,11 @@ begin transports # This transport is used for delivering messages over SMTP connections. -# Refuse to send any message with over-long lines, which could have -# been received other than via SMTP. The use of message_size_limit to -# enforce this is a red herring. remote_smtp: driver = smtp - message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} -.ifdef _HAVE_DANE - dnssec_request_domains = * - hosts_try_dane = * +.ifdef _HAVE_TLS_RESUME + tls_resumption_hosts = * .endif @@ -768,7 +836,6 @@ remote_smtp: smarthost_smtp: driver = smtp - message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} multi_domain # .ifdef _HAVE_TLS @@ -776,9 +843,9 @@ smarthost_smtp: # request with your smarthost provider to get things fixed: hosts_require_tls = * tls_verify_hosts = * - # As long as tls_verify_hosts is enabled, this won't matter, but if you - # have to comment it out then this will at least log whether you succeed - # or not: + # As long as tls_verify_hosts is enabled, this this will have no effect, + # but if you have to comment it out then this will at least log whether + # you succeed or not: tls_try_verify_hosts = * # # The SNI name should match the name which we'll expect to verify; @@ -794,6 +861,9 @@ smarthost_smtp: .ifdef _HAVE_GNUTLS tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 .endif +.ifdef _HAVE_TLS_RESUME + tls_resumption_hosts = * +.endif .endif @@ -806,7 +876,7 @@ smarthost_smtp: local_delivery: driver = appendfile - file = /var/mail/$local_part + file = /var/mail/$local_part_data delivery_date_add envelope_to_add return_path_add