X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/fde873f3a2871df467e5783eaa685295015c0089..9aba085b920ab3b8cdd1085db917145785ca24cf:/src/src/configure.default diff --git a/src/src/configure.default b/src/src/configure.default index 424c8df6b..6127a9bf0 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -169,7 +169,16 @@ acl_smtp_data = acl_check_data # tls_privatekey = /etc/ssl/exim.pem # For OpenSSL, prefer EC- over RSA-authenticated ciphers -# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +.ifdef _HAVE_OPENSSL +tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +.endif + +# Don't offer resumption to (most) MUAs, who we don't want to reuse +# tickets. Once the TLS extension for vended ticket numbers comes +# though, re-examine since resumption on a single-use ticket is still a benefit. +.ifdef _HAVE_TLS_RESUME +tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} +.endif # In order to support roaming users who wish to send email from anywhere, # you may want to make Exim listen on other ports as well as port 25, in @@ -326,7 +335,7 @@ timeout_frozen_after = 7d # By default, messages that are waiting on Exim's queue are all held in a -# single directory called "input" which it itself within Exim's spool +# single directory called "input" which is itself within Exim's spool # directory. (The default spool directory is specified when Exim is built, and # is often /var/spool/exim/.) Exim works best when its queue is kept short, but # there are circumstances where this is not always possible. If you uncomment @@ -507,8 +516,8 @@ acl_check_rcpt: # examples of how you can get Exim to perform a DNS black list lookup at this # point. The first one denies, whereas the second just warns. # - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain @@ -531,11 +540,11 @@ acl_check_rcpt: # to the first recipient must be deferred unless the sender talks PRDR. # # defer !condition = $prdr_requested - # condition = ${if > {0}{$receipients_count}} + # condition = ${if > {0}{$recipients_count}} # condition = ${if !eq {$acl_m_content_filter} \ # {${lookup PER_RCPT_CONTENT_FILTER}}} # warn !condition = $prdr_requested - # condition = ${if > {0}{$receipients_count}} + # condition = ${if > {0}{$recipients_count}} # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# @@ -554,7 +563,6 @@ acl_check_rcpt: .ifdef _HAVE_PRDR acl_check_prdr: warn set acl_m_did_prdr = y -.endif ############################################################################# # do lookup on filtering, with $local_part@$domain, deny on filter match @@ -564,6 +572,7 @@ acl_check_prdr: ############################################################################# accept +.endif # This ACL is used after the contents of a message have been received. This # is the ACL in which you can test a message's headers or body, and in @@ -578,9 +587,9 @@ acl_check_data: # Deny if the message contains an overlong line. Per the standards # we should never receive one such via SMTP. # - deny message = maximum allowed line length is 998 octets, \ + deny condition = ${if > {$max_received_linelength}{998}} + message = maximum allowed line length is 998 octets, \ got $max_received_linelength - condition = ${if > {$max_received_linelength}{998}} # Deny if the headers contain badly-formed addresses. # @@ -663,9 +672,6 @@ smarthost: transport = smarthost_smtp route_data = ROUTER_SMARTHOST ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 -.ifdef _HAVE_DNSSEC - dnssec_request_domains = * -.endif no_more .else @@ -804,15 +810,11 @@ begin transports # This transport is used for delivering messages over SMTP connections. -# Refuse to send any message with over-long lines, which could have -# been received other than via SMTP. The use of message_size_limit to -# enforce this is a red herring. remote_smtp: driver = smtp - message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} -.ifdef _HAVE_PRDR - hosts_try_prdr = * +.ifdef _HAVE_TLS_RESUME + tls_resumption_hosts = * .endif @@ -825,7 +827,6 @@ remote_smtp: smarthost_smtp: driver = smtp - message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} multi_domain # .ifdef _HAVE_TLS @@ -833,9 +834,9 @@ smarthost_smtp: # request with your smarthost provider to get things fixed: hosts_require_tls = * tls_verify_hosts = * - # As long as tls_verify_hosts is enabled, this won't matter, but if you - # have to comment it out then this will at least log whether you succeed - # or not: + # As long as tls_verify_hosts is enabled, this this will have no effect, + # but if you have to comment it out then this will at least log whether + # you succeed or not: tls_try_verify_hosts = * # # The SNI name should match the name which we'll expect to verify; @@ -851,9 +852,9 @@ smarthost_smtp: .ifdef _HAVE_GNUTLS tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 .endif +.ifdef _HAVE_TLS_RESUME + tls_resumption_hosts = * .endif -.ifdef _HAVE_PRDR - hosts_try_prdr = * .endif @@ -866,7 +867,7 @@ smarthost_smtp: local_delivery: driver = appendfile - file = /var/mail/$local_part + file = /var/mail/$local_part_data delivery_date_add envelope_to_add return_path_add