X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/e05f33e0b79c14608757a60f2f3f8588008355f7..e0f3765aeecd3116bb4171bd0c5f9b609e7c0588:/configs/config.samples/C043 diff --git a/configs/config.samples/C043 b/configs/config.samples/C043 new file mode 100644 index 000000000..2de6a61b8 --- /dev/null +++ b/configs/config.samples/C043 @@ -0,0 +1,551 @@ +# Below is an Exim 4 config file which is designed for an Exim server that +# is put in front of an Exchange 5.5 system but which verifies the valid +# addresses that are stored in Exchange via LDAP lookups against the Exchange +# server. The advantage being that I can do much more aggressive spam +# fighting, make my own set of policy decisions etc, using the flexibility of +# Exim while still supporting the Exchange system for final delivery (not my +# ideal situation but the company relies on it). In any case, I thought this +# was sufficiently useful and answers some semi-regular questions on the list, +# that it might be included in either the FAQ or the sample configs. + +# From: Tabor J. Wells +# Date: Wed, 21 Aug 2002 11:16:36 -0400 + + + + +###################################################################### +# Runtime configuration file for Exim # +###################################################################### + + +# This is a default configuration file which will operate correctly in +# uncomplicated installations. Please see the manual for a complete list +# of all the runtime configuration options that can be included in a +# configuration file. There are many more than are mentioned here. The +# manual is in the file doc/spec.txt in the Exim distribution as a plain +# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available +# from the Exim ftp sites. The manual is also online at the Exim web sites. + + +# This file is divided into several parts, all but the first of which are +# headed by a line starting with the word "begin". Only those parts that +# are required need to be present. Blank lines, and lines starting with # +# are ignored. + + +########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### +# # +# Whenever you change Exim's configuration file, you *must* remember to # +# HUP the Exim daemon, because it will not pick up the new configuration # +# until you do. However, any other Exim processes that are started, for # +# example, a process started by an MUA in order to send a message, will # +# see the new configuration as soon as it is in place. # +# # +# You do not need to HUP the daemon for changes in auxiliary files that # +# are referenced from this file. They are read every time they are used. # +# # +# It is usually a good idea to test a new configuration for syntactic # +# correctness before installing it (for example, by running the command # +# "exim -C /config/file.new -bV"). # +# # +########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### + + + +###################################################################### +# MAIN CONFIGURATION SETTINGS # +###################################################################### + +# Specify your host's canonical name here. This should normally be the fully +# qualified "official" name of your host. If this option is not set, the +# uname() function is called to obtain the name. In many cases this does +# the right thing and you need not set anything explicitly. + +# primary_hostname = + + +# The next three settings create two lists of domains and one list of hosts. +# These lists are referred to later in this configuration using the syntax +# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They +# are all colon-separated lists: + +domainlist local_domains = @ : dbm;/etc/exim/db/localdomains.db +domainlist relay_to_domains = +hostlist relay_from_hosts = 127.0.0.1 : 192.168.1.0/24 + +# Most straightforward access control requirements can be obtained by +# appropriate settings of the above options. In more complicated situations, you +# may need to modify the Access Control List (ACL) which appears later in this +# file. + +# The first setting specifies your local domains, for example: +# +# domainlist local_domains = my.first.domain : my.second.domain +# +# You can use "@" to mean "the name of the local host", as in the default +# setting above. This is the name that is specified by primary_hostname, +# as specified above (or defaulted). If you do not want to do any local +# deliveries, remove the "@" from the setting above. If you want to accept mail +# addressed to your host's literal IP address, for example, mail addressed to +# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains +# list. You also need to uncomment "allow_domain_literals" below. This is not +# recommended for today's Internet. + +# The second setting specifies domains for which your host is an incoming relay. +# If you are not doing any relaying, you should leave the list empty. However, +# if your host is an MX backup or gateway of some kind for some domains, you +# must set relay_to_domains to match those domains. For example: +# +# domainlist relay_to_domains = *.myco.com : my.friend.org +# +# This will allow any host to relay through your host to those domains. +# See the section of the manual entitled "Control of relaying" for more +# information. + +# The third setting specifies hosts that can use your host as an outgoing relay +# to any other host on the Internet. Such a setting commonly refers to a +# complete local network as well as the localhost. For example: +# +# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16 +# +# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you +# have to include 127.0.0.1 if you want to allow processes on your host to send +# SMTP mail by using the loopback address. A number of MUAs use this method of +# sending mail. + + +# All three of these lists may contain many different kinds of item, including +# wildcarded names, regular expressions, and file lookups. See the reference +# manual for details. The lists above are used in the access control list for +# incoming messages. The name of this ACL is defined here: + +acl_smtp_rcpt = acl_check_rcpt + +# You should not change that setting until you understand how ACLs work. + + +# Specify the domain you want to be added to all unqualified addresses +# here. An unqualified address is one that does not contain an "@" character +# followed by a domain. For example, "caesar@rome.example" is a fully qualified +# address, but the string "caesar" (i.e. just a login name) is an unqualified +# email address. Unqualified addresses are accepted only from local callers by +# default. See the recipient_unqualified_hosts option if you want to permit +# unqualified addresses from remote sources. If this option is not set, the +# primary_hostname value is used for qualification. + +# qualify_domain = + + +# If you want unqualified recipient addresses to be qualified with a different +# domain to unqualified sender addresses, specify the recipient domain here. +# If this option is not set, the qualify_domain value is used. + +# qualify_recipient = + + +# The following line must be uncommented if you want Exim to recognize +# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" +# (an IP address) instead of a named domain. The RFCs still require this form, +# but it makes little sense to permit mail to be sent to specific hosts by +# their IP address in the modern Internet. This ancient format has been used +# by those seeking to abuse hosts by using them for unwanted relaying. If you +# really do want to support domain literals, uncomment the following line, and +# see also the "domain_literal" router below. + +# allow_domain_literals + + +# No deliveries will ever be run under the uids of these users (a colon- +# separated list). An attempt to do so causes a panic error to be logged, and +# the delivery to be deferred. This is a paranoic safety catch. Note that the +# default setting means you cannot deliver mail addressed to root as if it +# were a normal user. This isn't usually a problem, as most sites have an alias +# for root that redirects such mail to a human administrator. + +never_users = root + + +# The setting below causes Exim to do a reverse DNS lookup on all incoming +# IP calls, in order to get the true host name. If you feel this is too +# expensive, you can specify the networks for which a lookup is done, or +# remove the setting entirely. + +host_lookup = * + + +# The settings below, which are actually the same as the defaults in the +# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP +# calls. You can limit the hosts to which these calls are made, and/or change +# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls +# are disabled. RFC 1413 calls are cheap and can provide useful information +# for tracing problem messages, but some hosts and firewalls have problems +# with them. This can result in a timeout instead of an immediate refused +# connection, leading to delays on starting up an SMTP session. + +rfc1413_hosts = * +rfc1413_query_timeout = 30s + + +# By default, Exim expects all envelope addresses to be fully qualified, that +# is, they must contain both a local part and a domain. If you want to accept +# unqualified addresses (just a local part) from certain hosts, you can specify +# these hosts by setting one or both of +# +# sender_unqualified_hosts = +# recipient_unqualified_hosts = +# +# to control sender and recipient addresses, respectively. When this is done, +# unqualified addresses are qualified using the settings of qualify_domain +# and/or qualify_recipient (see above). + + +# If you want Exim to support the "percent hack" for certain domains, +# uncomment the following line and provide a list of domains. The "percent +# hack" is the feature by which mail addressed to x%y@z (where z is one of +# the domains listed) is locally rerouted to x@y and sent on. If z is not one +# of the "percent hack" domains, x%y is treated as an ordinary local part. This +# hack is rarely needed nowadays; you should not enable it unless you are sure +# that you really need it. +# +# percent_hack_domains = +# +# As well as setting this option you will also need to remove the test +# for local parts containing % in the ACL definition below. + + +# When Exim can neither deliver a message nor return it to sender, it "freezes" +# the delivery error message (aka "bounce message"). There are also other +# circumstances in which messages get frozen. They will stay on the queue for +# ever unless one of the following options is set. + +# This option unfreezes frozen bounce messages after two days, tries +# once more to deliver them, and ignores any delivery failures. + +ignore_bounce_errors_after = 2d + +# This option cancels (removes) frozen messages that are older than a week. + +timeout_frozen_after = 7d + +# Defined LDAP default servers +ldap_default_servers = 192.168.1.101 + + + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### + +begin acl + +# This access control list is used for every RCPT command in an incoming +# SMTP message. The tests are run in order until the address is either +# accepted or denied. + +acl_check_rcpt: + + # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by + # testing for an empty sending host field. + + accept hosts = : + + # Deny if the local part contains @ or % or / or | or !. These are rarely + # found in genuine local parts, but are often tried by people looking to + # circumvent relaying restrictions. + + # Also deny if the local part starts with a dot. Empty components aren't + # strictly legal in RFC 2822, but Exim allows them because this is common. + # However, actually starting with a dot may cause trouble if the local part + # is used as a file name (e.g. for a mailing list). + + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept mail to postmaster in any local domain, regardless of the source, + # and without verifying the sender. + + accept local_parts = postmaster + domains = +local_domains + + # Deny unless the sender address can be verified. + + require verify = sender + + ############################################################################# + # There are no checks on DNS "black" lists because the domains that contain + # these lists are changing all the time. However, here are two examples of + # how you could get Exim to perform a DNS black list lookup at this point. + # The first one denies, while the second just warns. + # + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn message = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + # dnslists = black.list.example + ############################################################################# + + # Accept if the address is in a local domain, but only if the recipient can + # be verified. Otherwise deny. The "endpass" line is the border between + # passing on to the next ACL statement (if tests above it fail) or denying + # access (if tests below it fail). + + accept domains = +local_domains + endpass + message = unknown user + verify = recipient + + # Accept if the address is in a domain for which we are relaying, but again, + # only if the recipient can be verified. + + accept domains = +relay_to_domains + endpass + message = unrouteable address + verify = recipient + + # If control reaches this point, the domain is neither in +local_domains + # nor in +relay_to_domains. + + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. Recipient verification is omitted here, because in many + # cases the clients are dumb MUAs that don't cope well with SMTP error + # responses. If you are actually relaying out from MTAs, you should probably + # add recipient verification here. + + accept hosts = +relay_from_hosts + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted. + + accept authenticated = * + + # Reaching the end of the ACL causes a "deny", but we might as well give + # an explicit message. + + deny message = relay not permitted + + + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # +# An address is passed to each router in turn until it is accepted. # +###################################################################### + +begin routers + +# This router routes to remote hosts over SMTP by explicit IP address, +# when an email address is given in "domain literal" form, for example, +# . The RFCs require this facility. However, it is +# little-known these days, and has been exploited by evil people seeking +# to abuse SMTP relays. Consequently it is commented out in the default +# configuration. If you uncomment this router, you also need to uncomment +# allow_domain_literals above, so that Exim can recognize the syntax of +# domain literal addresses. + +# domain_literal: +# driver = ipliteral +# domains = ! +local_domains +# transport = remote_smtp + + +# This router routes addresses that are not in local domains by doing a DNS +# lookup on the domain name. Any domain that resolves to 0.0.0.0 or to a +# loopback interface address (127.0.0.0/8) is treated as if it had no DNS +# entry. Note that 0.0.0.0 is the same as 0.0.0.0/32, which is commonly treated +# as the local host inside the network stack. It is not 0.0.0.0/0, the default +# route. If the DNS lookup fails, no further routers are tried because of +# the no_more setting, and consequently the address is unrouteable. + +dnslookup: + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.0.0/8 : 172.16.0.0/12 + no_more + + +# The remaining routers handle addresses in the local domain(s). + + +# This router handles aliasing using a traditional /etc/aliases file. +# +##### NB You must ensure that /etc/aliases exists. It used to be the case +##### NB that every Unix had that file, because it was the Sendmail default. +##### NB These days, there are systems that don't have it. Your aliases +##### NB file should at least contain an alias for "postmaster". +# +# If any of your aliases expand to pipes or files, you will need to set +# up a user and a group for these deliveries to run under. You can do +# this by uncommenting the "user" option below (changing the user name +# as appropriate) and adding a "group" option if necessary. Alternatively, you +# can specify "user" on the transports that are used. Note that the transports +# listed below are the same as are used for .forward files; you might want +# to set up different ones for pipe and file deliveries from aliases. + +system_aliases: + driver = redirect + allow_fail + allow_defer + data = ${lookup{$local_part}lsearch{/etc/exim/txt/aliases.txt}} +# user = exim + file_transport = address_file + pipe_transport = address_pipe + +# This router matches local user mailboxes. +# Domains set to $primary_hostname so that I can route stuff locally as need +# be but prevent user@mylocaldomain.com from delivering locally when 'user' +# also matches the Exchange lookup below. + +localuser: + driver = accept + check_local_user + domains = $primary_hostname + transport = local_delivery + no_more + +# Routers for lookups in LDAP on Exchange if they exist there then punt + +# First if it exists as a otherMailbox=smtp$user@example.com (Exchange's +# format for aliases then substitute the canonical email address for this user +# as defined by mail= + +exchangeothermailboxlookup: + driver = redirect + data = ${lookup ldap {ldap:///?mail?sub?(otherMailbox=smtp\$${quote_ldap:$local_part}@${quote_ldap:$domain})}} + domains = dbm;/etc/exim/db/localdomains.db + verify_recipient + +# This lookup verifies the mail=user@example.com format and if it exists +# Pass to the the manualroute router which is used to punt to the internal +# Exchange server as defined by domain. + +exchangemaillookup: + driver = redirect + data = ${lookup ldap {ldap:///?mail?sub?(mail=${quote_ldap:$local_part}@${quote_ldap:$domain})}} + domains = dbm;/etc/exim/db/localdomains.db + verify_recipient + self = pass + pass_router = exchangeroute + no_more + +# localdomains.db contain entries that look like: +# example.com: 192.168.1.101 +# example.net: 192.168.1.102 +# etc. + +exchangeroute: + driver = manualroute + transport = remote_smtp + route_data = ${lookup{$domain}dbm{/etc/exim/db/localdomains.db}} + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +# ORDER DOES NOT MATTER # +# Only one appropriate transport is called for each delivery. # +###################################################################### + +# A transport is used only when referenced from a router that successfully +# handles an address. + +begin transports + + +# This transport is used for delivering messages over SMTP connections. + +remote_smtp: + driver = smtp + + +# This transport is used for local delivery to user mailboxes in traditional +# BSD mailbox format. By default it will be run under the uid and gid of the +# local user, and requires the sticky bit to be set on the /var/mail directory. +# Some systems use the alternative approach of running mail deliveries under a +# particular group instead of using the sticky bit. The commented options below +# show how this can be done. + +local_delivery: + driver = appendfile + file = /var/mail/$local_part + delivery_date_add + envelope_to_add + return_path_add +# group = mail +# mode = 0660 + + +# This transport is used for handling pipe deliveries generated by alias or +# .forward files. If the pipe generates any standard output, it is returned +# to the sender of the message as a delivery error. Set return_fail_output +# instead of return_output if you want this to happen only when the pipe fails +# to complete normally. You can set different transports for aliases and +# forwards if you want to - see the references to address_pipe in the routers +# section above. + +address_pipe: + driver = pipe + return_output + + +# This transport is used for handling deliveries directly to files that are +# generated by aliasing or forwarding. + +address_file: + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + + +# This transport is used for handling autoreplies generated by the filtering +# option of the userforward router. + +address_reply: + driver = autoreply + + + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### + +begin retry + +# This single retry rule applies to all domains and all errors. It specifies +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 6 hours until 4 days have passed since the first +# failed delivery. + +# Domain Error Retries +# ------ ----- ------- + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### + +# There are no rewriting specifications in this default configuration file. + +begin rewrite + + + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### + +# There are no authenticator specifications in this default configuration file. + +begin authenticators + + +# End of Exim configuration file