hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+
#system_filter = /etc/exim4/filter
#system_filter_file_transport = address_file
remote_sort_domains = *.debian.org:*.debian.net
pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
smtp_enforce_sync = true
log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
defer !hosts = +debianhosts
condition = ${if >{${eval:$acl_c1}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
- message = slow down (no reverse dns, or dialup)
+ message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
.ifdef HAVE_POLICYD
# Check with policyd-weight - this only works with a version after etch's,
message = Blackisted URI found in body
deny condition = ${if eq {$acl_m1}{DBSignedMail}}
- condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
- {!match {$message_body}{PGP SIGNED MESSAGE}} \
- {!match {$message_body}{PGP SIGNATURE}} \
- } \
+ condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
+ {!match {$message_body}{PGP SIGNED MESSAGE}} \
+ {!match {$message_body}{PGP SIGNATURE}} \
+ {!match {$header_content-type:}{multipart/signed}} \
+ {!match {$header_content-type:}{pgp}} \
+ } \
}
message = Mail to this address needs to be PGP-signed
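Review bot: The two added `$header_content-type:` tests accept a message on a sender-chosen header alone, so this ACL remains a format heuristic and does not show that a valid signature is present. `{multipart/signed}` also matches S/MIME mail; if only OpenPGP is intended, the `{pgp}` test already covers PGP/MIME's `protocol="application/pgp-signature"` and the `multipart/signed` line could be dropped. `match` is case-sensitive by default while MIME type names are not, so the header patterns would be more robust as `{(?i)pgp}`. A comment above the condition such as `# Heuristic only: whatever consumes this address must verify the signature itself` would keep later readers from treating the ACL as authentication. The `deny` statement starts above the changed lines and its closing lines are context here.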
remote_smtp:
driver = smtp
connect_timeout = 1m
- hosts_avoid_tls = *
+.ifdef USE_TLS
+ tls_tempfail_tryclear = true
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
# Send the message to procmail
procmail_pipe:
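Review bot: Outbound TLS on `remote_smtp` is still opportunistic and unauthenticated after this change. The added lines set no `hosts_require_tls` or `tls_verify_certificates` on the transport, and `tls_tempfail_tryclear = true` (which is also Exim's default) retries in clear when TLS setup temp-fails, so a stripped or broken STARTTLS ends in plaintext delivery. For peers known to support TLS, a line such as `hosts_require_tls = +debianhosts` inside the `.ifdef USE_TLS` block would close the downgrade path, assuming that host list covers the intended peers. With `+tls_cipher` already in `log_selector`, deliveries logged without an `X=` field can be monitored to find sessions that fell back to clear. The three added option lines are indented differently from the rest of the transport, which is worth normalising.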