X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ftemplates%2Feximconf.erb;h=5d2d137088b10adc15923a6741b8ce235c38191a;hb=e966c5717763d5e385166ce43b8f5275f160da45;hp=e2f02d6757511cb736a67c5da68d5112943868ce;hpb=8291bcf921d1a52ff09c1549ccd6b596e9f44b79;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb
index e2f02d675..5d2d13708 100644
--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -32,6 +32,8 @@
 # flushing' operations, but should be populated with a list
 # of trusted machines. Wildcards are not permitted
 # bsmtp_domains - Domains that we deliver locally via bsmtp
+# submission-domains - Domains for which mail will be accepted via the
+# submission port
 <%- if @is_mailrelay -%>
 # mailhubdomains - Domains for which we are the MX, but the mail is relayed
 # elsewhere. This is designed for use with small volume or
@@ -41,6 +43,11 @@
 # that list.
 <%- end -%>
+# From /var/lib/misc / UD:
+#
+# mail-forward.cdb - aliases for @d.o
+# user-forward.cdb - aliases for @thishost.d.o
+
 # Exim's wildcard mechanism is a bit odd in that to say "any address in
 # debian.org including debian.org" you must use two patterns,
 # *.debian.org
@@ -121,10 +128,15 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers
 localpartlist postmasterish = postmaster : abuse : hostmaster
-hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts ; 89.16.166.49 ; 82.195.75.76 ; 2001:41b8:202:deb:bab5:0:52c3:4b4c
+hostlist debianhosts = <; ; 127.0.0.1 ; ::1 ; /var/lib/misc/thishost/debianhosts
 hostlist reservedaddrs = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : 172.16.0.0/12 : 192.0.0.0/24 : 192.168.0.0/16 : 224.0.0.0/4 : 240.0.0.0/5 : 248.0.0.0/5
+domainlist google_mxen = aspmx.l.google.com : gmail-smtp-in.l.google.com : \
+ *.aspmx.l.google.com : *.gmail-smtp-in.l.google.com
+
+domainlist single_domain_mx = +google_mxen
+
 <%- if @is_mailrelay -%>
 # Domains we relay for; that is domains that aren't considered local but we
 # accept mail for them.
@@ -142,7 +154,7 @@ tls_crl = /etc/exim4/ssl/ca.crl
 # expensive, you can specify the networks for which a lookup is done, or
 # remove the setting entirely.
 host_lookup = *
-# dns_ipv4_lookup = !localhost (disabled upon sgrans request, zobel, 2010-03-16)
+dns_ipv4_lookup = +google_mxen
 # If this option is set, then any process that is running as one of the
 # listed users may pass a message to Exim and specify the sender's
@@ -166,6 +178,13 @@ local_from_check = false
 gecos_pattern = ^([^,:]*)
 gecos_name = $1
+# Do *not* include the body of the original message in a bounce
+# The combinaton of bounce_return_message and bounce_return_body
+# allows us to return only the headers within a bounce
+
+bounce_return_message = true
+bounce_return_body = false
+
 # This tells Exim to immediately discard error messages (ie double bounces).
 ignore_bounce_errors_after = 0s
 auto_thaw = 1d
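Review bot: `google_mxen` and `single_domain_mx` are introduced without a comment saying what membership means, although `dns_ipv4_lookup` and the transport choice in two routers later key off them. A one-liner above each would do, e.g. `# MX host names that are routed through the remote_smtp_single_domain transport (one domain per connection)` for `single_domain_mx`. Separately, with the three literal addresses dropped from `debianhosts`, every `+debianhosts` test in the ACLs (including the unconditional accept in check_submission) now rests entirely on /var/lib/misc/thishost/debianhosts being present and current, so it is worth confirming how this Exim version behaves when that list file is missing or unreadable before relying on it for an accept.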
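Review bot: `dns_ipv4_lookup = +google_mxen` replaces a comment that recorded why the option had been disabled with a live setting and no rationale, so the next maintainer cannot tell why A-only lookups are forced for these MX names. Add a comment on the line above, e.g. `# Only do IPv4 (A) lookups for these MX hosts: <REASON-PLACEHOLDER>`, with the actual reason filled in. Note that this option matches the host names being looked up, so the wildcard entries in `google_mxen` are what make it cover the MX hosts themselves.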
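Review bot: The added comment has a typo, `combinaton` should be `combination`, and it would read better if it said which line does the work: `bounce_return_message = true` is, if I recall correctly, the Exim default and is only restated here, while `bounce_return_body = false` is what drops the body from bounces. Worth adding to the comment is the reason this matters beyond size: a bounce goes to the envelope sender, which may be forged, so returning headers only limits what is echoed back to a third party. Suggested wording: `# Return only the headers of the original message in bounces; the body is never echoed back to the (possibly forged) envelope sender`.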
@@ -242,7 +261,15 @@ pipelining_advertise_hosts = !*
 tls_advertise_hosts = *
 smtp_enforce_sync = true
-log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation +smtp_protocol_error
+log_selector = \
+ +tls_cipher \
+ +tls_peerdn \
+ +queue_time \
+ +deliver_time \
+ +smtp_connection \
+ +smtp_incomplete_transaction \
+ +smtp_confirmation \
+ +smtp_protocol_error
 received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
 {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
@@ -288,10 +315,11 @@ acl_spamlovers:
 deny
 acl_getprofile:
- # This is a bad hack to reset the variable, by defining it be something
- # never referenced.
- warn set acl_m_rprf = $acl_m_undefined
+ # Determine the mail profile for this recipient.
+ # An empty string implies no match has been found.
+
+ warn set acl_m_rprf =
 warn recipients = survey@popcon.debian.org
 set acl_m_rprf = PopconMail
@@ -497,8 +525,6 @@ check_helo:
 #!!# ACL that is used after the RCPT command on the submission port
 check_submission:
- # Accept if the source is local SMTP (i.e. not over TCP/IP).
- # We do this by testing for an empty sending host field.
 accept hosts = +debianhosts
 <%- if @is_mailrelay -%>
@@ -660,14 +686,7 @@ check_recipient:
 message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
 <%- if has_variable?("policydweight") && @policydweight -%>
- # Check with policyd-weight - this only works with a version after etch's,
- # sadly. etch's version attempts to hold the socket open, since that's what
- # postfix expects. Exim, on the other hand, expects the remote side to close
- # the socket when it's finished sending data, so it see each transaction as
- # an incomplete read. I'm sure there's a way we could force Exim to do
- # something sick and clever to force either the interpretation or the socket
- # closure, but I'm fairly sure it's now worth it, since the backport of
- # policyd-weight is trivial.
+ # Check with policyd-weight
 warn !hosts = +debianhosts
 condition = ${if !eq {$acl_m_prf}{PopconMail}}
 set acl_m_pw = ${readsocket{inet:127.0.0.1:12525}\
@@ -1058,7 +1077,10 @@ begin routers
 relay_manualroute:
 driver = manualroute
 domains = +mailhubdomains
- transport = remote_smtp
+ transport = ${if forany{${lookup dnsdb{>: mxh=$domain}}}\
+ {match_domain{$item}{+single_domain_mx}}\
+ {remote_smtp_single_domain}{remote_smtp}\
+ }
 route_data = ${lookup{$domain}lsearch{/etc/exim4/manualroute}}
 require_files = /etc/exim4/manualroute
@@ -1101,7 +1123,10 @@ dnslookup:
 debug_print = "R: dnslookup for $local_part@$domain"
 driver = dnslookup
 domains = !+handled_domains
- transport = remote_smtp
+ transport = ${if forany{${lookup dnsdb{>: mxh=$domain}}}\
+ {match_domain{$item}{+single_domain_mx}}\
+ {remote_smtp_single_domain}{remote_smtp}\
+ }
 ignore_target_hosts = +reservedaddrs
 no_more
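Review bot: In relay_manualroute the new `transport` expansion picks a transport from the MX hosts of `$domain`, but this router delivers to whatever `route_data` reads from /etc/exim4/manualroute, not to the domain's MX; for `+mailhubdomains`, which the header comment describes as domains this host is the MX for, `mxh=$domain` presumably returns this relay's own names, so `remote_smtp_single_domain` would never be chosen even when the manual route points at a `+google_mxen` host. If manually routed mail is meant to be covered, the test would have to look at the route target rather than the MX set; if not, `transport = remote_smtp` can simply stay here. The identical four-line expansion is repeated in the dnslookup hunk below; defining it once as a macro in the main section (something like `SINGLE_DOMAIN_TRANSPORT = ${if forany{...}{...}{remote_smtp_single_domain}{remote_smtp}}`, placed before the routers) and writing `transport = SINGLE_DOMAIN_TRANSPORT` in both routers keeps the two in step. Either way a comment on the expansion saying that any one matching MX host selects the single-domain transport would help, since `forany` is an any-match, not an all-match.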
@@ -1564,6 +1589,14 @@ remote_smtp:
 tls_certificate = /etc/exim4/ssl/thishost.crt
 tls_privatekey = /etc/exim4/ssl/thishost.key
+remote_smtp_single_domain:
+ driver = smtp
+ connect_timeout = 15s
+ delay_after_cutoff = false
+ no_multi_domain
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+
 <%- if @use_smarthost -%>
 remote_smtp_smarthost:
 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
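Review bot: `remote_smtp_single_domain` is a hand copy of `remote_smtp`, whose definition starts above the hunk, so any option set there beyond the two tls_* lines visible here (TLS verification or cipher requirements, for instance) is silently absent from the copy, and mail to exactly the hosts in `+single_domain_mx` would then run under a weaker policy than the general transport; please compare the two transports in full before merging. The new transport also lacks the `debug_print` line its neighbour `remote_smtp_smarthost` carries, e.g. `debug_print = "T: remote_smtp_single_domain for $local_part@$domain"`. A header comment stating why it exists would help too, e.g. `# As remote_smtp, but one domain per connection (no_multi_domain) for MX hosts in +single_domain_mx`.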