# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+# mailhubdomains - Domains for which we are the MX, but the mail is relayed
+# elsewhere. This is designed for use with small volume or
+# restricted machines that need to use a smarthost for mail
+# traffic. We will relay for them based on ssl cert validation
+# but we need to teach exim how to route the mail to them. This is
+# that list.
# The division of files is designed so that all hosts may share rcpthosts
# and relayhosts, these could be replicated automatically if necessary.
# accept mail for them.
domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
.ifndef RESERVEDADDRS
RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+
#system_filter = /etc/exim4/filter
#system_filter_file_transport = address_file
av_scanner = CLAMAV
.endif
-.ifdef HAVE_USER_DEBBUGS
+.ifdef HAVE_USER_DEBBUGS MAIL_RELAY STUPID_FIREWALL
daemon_smtp_ports = 25 : 587
.endif
remote_sort_domains = *.debian.org:*.debian.net
pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
smtp_enforce_sync = true
log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
#!!# ACL that is used after the RCPT command on the submission port
check_submission:
+ # Accept if the source is local SMTP (i.e. not over TCP/IP).
+ # We do this by testing for an empty sending host field.
+ accept hosts = : 127.0.0.1
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
message = Too many bad recipients, try again later
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
ratelimit = 5 / 60m / per_rcpt / $sender_host_address
message = sorry, only 5 reports per hour for submission
+ accept domains = +localhost
+ endpass
+ message = unknown user
+ verify = recipient
+
+ accept domains = +mailhubdomains
+ endpass
+ message = unknown user
+ verify = recipient/callout=30s,defer_ok,use_sender,no_cache
+
accept domains = +submission_domains
endpass
message = unknown user
#!!# ACL that is used after the RCPT command
check_recipient:
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
defer !hosts = +debianhosts
condition = ${if >{${eval:$acl_c1}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
- message = slow down (no reverse dns, or dialup)
+ message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
.ifdef HAVE_POLICYD
# Check with policyd-weight - this only works with a version after etch's,
!hosts = +debianhosts : WHITELIST
!verify = sender/callout
+ accept domains = +mailhubdomains
+ endpass
+ message = unknown user
+ verify = recipient/callout=30s,defer_ok,use_sender,no_cache
+
accept domains = +handled_domains
endpass
message = unknown user
message = Blackisted URI found in body
deny condition = ${if eq {$acl_m1}{DBSignedMail}}
- condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
- {!match {$message_body}{PGP SIGNED MESSAGE}} \
- {!match {$message_body}{PGP SIGNATURE}} \
- } \
+ condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
+ {!match {$message_body}{PGP SIGNED MESSAGE}} \
+ {!match {$message_body}{PGP SIGNATURE}} \
+ {!match {$header_content-type:}{multipart/signed}} \
+ {!match {$header_content-type:}{pgp}} \
+ } \
}
message = Mail to this address needs to be PGP-signed
# An address is passed to each in turn until it is accepted. #
######################################################################
+relay_manualroute:
+ driver = manualroute
+ domains = +mailhubdomains
+ transport = remote_smtp
+ route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
+ require_files = /etc/exim4/manualroute
+
bsmtp:
debug_print = "R: bsmtp for $local_part@$domain"
driver = manualroute
transport = remote_smtp
ignore_target_hosts = +reservedaddrs
+.ifdef SMARTHOST
+smarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = !+handled_domains
+ transport = remote_smtp_smarthost
+ route_list = * SMARTHOST
+ host_find_failed = defer
+ same_domain_copy_routing = yes
+ no_more
+.endif
# This router routes to remote hosts over SMTP using a DNS lookup.
# Ignore reserved network responses, including localhost.
dnslookup:
remote_smtp:
driver = smtp
connect_timeout = 1m
- hosts_avoid_tls = *
+.ifdef USE_TLS
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
+
+remote_smtp_smarthost:
+ debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
+ driver = smtp
+.ifdef SMARTHST_PORT
+ port = SMARTHST_PORT
+.endif
+.ifdef USE_TLS
+ tls_tempfail_tryclear = false
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
# Send the message to procmail
procmail_pipe:
projects / mirror / dsa-puppet.git / blobdiff