X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ffiles%2Fcommon%2Fexim4.conf;h=93802745adeb21a5f40868fc185e1830352411b3;hb=5a40c34e0e576183b800c6981826a6c3a444c13b;hp=f9e3ad56ae6ceba2aafb0d153905aa35c9144aaa;hpb=22985054a29c60aa87252dc8a609896ece491452;p=mirror%2Fdsa-puppet.git diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf index f9e3ad56a..93802745a 100644 --- a/modules/exim/files/common/exim4.conf +++ b/modules/exim/files/common/exim4.conf @@ -39,6 +39,12 @@ # us. This is primarily only usefull for emergancy 'queue # flushing' operations, but should be populated with a list # of trusted machines. Wildcards are not permitted +# mailhubdomains - Domains for which we are the MX, but the mail is relayed +# elsewhere. This is designed for use with small volume or +# restricted machines that need to use a smarthost for mail +# traffic. We will relay for them based on ssl cert validation +# but we need to teach exim how to route the mail to them. This is +# that list. # The division of files is designed so that all hosts may share rcpthosts # and relayhosts, these could be replicated automatically if necessary. @@ -115,6 +121,7 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers # accept mail for them. domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts +domainlist mailhubdomains = lsearch;/etc/exim4/manualroute .ifndef RESERVEDADDRS RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \ @@ -190,7 +197,7 @@ queue_list_requires_admin = false av_scanner = CLAMAV .endif -.ifdef HAVE_USER_DEBBUGS +.ifdef HAVE_USER_DEBBUGS MAIL_RELAY STUPID_FIREWALL daemon_smtp_ports = 25 : 587 .endif @@ -312,6 +319,10 @@ check_submission: # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing addres harvesting or other mail blasts. +.ifdef MAIL_RELAY + accept verify = certificate +.endif + defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count message = Too many bad recipients, try again later condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}} @@ -330,6 +341,10 @@ check_submission: #!!# ACL that is used after the RCPT command check_recipient: +.ifdef MAIL_RELAY + accept verify = certificate +.endif + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing addres harvesting or other mail blasts. @@ -607,6 +622,11 @@ check_recipient: !hosts = +debianhosts : WHITELIST !verify = sender/callout + accept domains = +mailhubdomains + endpass + message = unknown user + verify = recipient/callout,defer_ok + accept domains = +handled_domains endpass message = unknown user @@ -723,6 +743,13 @@ begin routers # An address is passed to each in turn until it is accepted. # ###################################################################### +relay_manualroute: + driver = manualroute + domains = +mailhubdomains + transport = remote_smtp + route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}} + require_files = /etc/exim4/manualroute + bsmtp: debug_print = "R: bsmtp for $local_part@$domain" driver = manualroute @@ -1129,9 +1156,11 @@ remote_smtp: driver = smtp connect_timeout = 1m .ifdef USE_TLS - tls_tempfail_tryclear = true +# tls_tempfail_tryclear = true tls_certificate = /etc/exim4/ssl/thishost.crt tls_privatekey = /etc/exim4/ssl/thishost.key +# tls_verify_certificates = /etc/exim4/ssl/ca.crt +# tls_crl = /etc/exim4/ssl/ca.crl .endif # Send the message to procmail