+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
# This is the main exim4 configuration file based on the 28.08.05 version by
# ametzler
# It is hand crafted, do not replace with anything generated by a config
# us. This is primarily only usefull for emergancy 'queue
# flushing' operations, but should be populated with a list
# of trusted machines. Wildcards are not permitted
+# mailhubdomains - Domains for which we are the MX, but the mail is relayed
+# elsewhere. This is designed for use with small volume or
+# restricted machines that need to use a smarthost for mail
+# traffic. We will relay for them based on ssl cert validation
+# but we need to teach exim how to route the mail to them. This is
+# that list.
# The division of files is designed so that all hosts may share rcpthosts
# and relayhosts, these could be replicated automatically if necessary.
# accept mail for them.
domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+domainlist mailhubdomains = lsearch;/etc/exim4/manualroute
.ifndef RESERVEDADDRS
RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+
#system_filter = /etc/exim4/filter
#system_filter_file_transport = address_file
av_scanner = CLAMAV
.endif
-.ifdef HAVE_USER_DEBBUGS
+.ifdef HAVE_USER_DEBBUGS MAIL_RELAY STUPID_FIREWALL
daemon_smtp_ports = 25 : 587
.endif
remote_sort_domains = *.debian.org:*.debian.net
pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
smtp_enforce_sync = true
log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
message = Too many bad recipients, try again later
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
#!!# ACL that is used after the RCPT command
check_recipient:
+.ifdef MAIL_RELAY
+ accept verify = certificate
+.endif
+
# Defer after too many bad RCPT TO's. Legit MTAs will retry later.
# This is a rough pass at preventing addres harvesting or other mail blasts.
defer !hosts = +debianhosts
condition = ${if >{${eval:$acl_c1}}{0}}
ratelimit = 10 / 60m / per_rcpt / $sender_host_address
- message = slow down (no reverse dns, or dialup)
+ message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
.ifdef HAVE_POLICYD
# Check with policyd-weight - this only works with a version after etch's,
!hosts = +debianhosts : WHITELIST
!verify = sender/callout
+ accept domains = +mailhubdomains
+ endpass
+ message = unknown user
+ verify = recipient/callout,defer_ok
+
accept domains = +handled_domains
endpass
message = unknown user
message = Blackisted URI found in body
deny condition = ${if eq {$acl_m1}{DBSignedMail}}
- condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
- {!match {$message_body}{PGP SIGNED MESSAGE}} \
- {!match {$message_body}{PGP SIGNATURE}} \
- } \
+ condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
+ {!match {$message_body}{PGP SIGNED MESSAGE}} \
+ {!match {$message_body}{PGP SIGNATURE}} \
+ {!match {$header_content-type:}{multipart/signed}} \
+ {!match {$header_content-type:}{pgp}} \
+ } \
}
message = Mail to this address needs to be PGP-signed
# An address is passed to each in turn until it is accepted. #
######################################################################
+relay_manualroute:
+ driver = manualroute
+ domains = +mailhubdomains
+ transport = remote_smtp
+ route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
+ require_files = /etc/exim4/manualroute
+
bsmtp:
debug_print = "R: bsmtp for $local_part@$domain"
driver = manualroute
remote_smtp:
driver = smtp
connect_timeout = 1m
- hosts_avoid_tls = *
+.ifdef USE_TLS
+# tls_tempfail_tryclear = true
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+# tls_verify_certificates = /etc/exim4/ssl/ca.crt
+# tls_crl = /etc/exim4/ssl/ca.crl
+.endif
# Send the message to procmail
procmail_pipe:
projects / mirror / dsa-puppet.git / blobdiff