--- exim-4.69/src/configure.default.configure_default 2007-06-26 13:21:36.000000000 +0200 +++ exim-4.69/src/configure.default 2009-03-28 20:07:28.000000000 +0100 @@ -56,7 +56,7 @@ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They # are all colon-separated lists: -domainlist local_domains = @ +domainlist local_domains = @ : @[] : localhost : localhost.localdomain : $primary_hostname domainlist relay_to_domains = hostlist relay_from_hosts = 127.0.0.1 @@ -106,7 +106,8 @@ # checking incoming messages. The names of these ACLs are defined here: acl_smtp_rcpt = acl_check_rcpt -acl_smtp_data = acl_check_data +#acl_smtp_data = acl_check_data +#accept_8bitmime = true # You should not change those settings until you understand how ACLs work. @@ -119,7 +120,7 @@ # of what to set for other virus scanners. The second modification is in the # acl_check_data access control list (see below). -# av_scanner = clamd:/tmp/clamd +# av_scanner = clamd:127.0.0.1 3310 # For spam scanning, there is a similar option that defines the interface to @@ -129,6 +130,8 @@ # spamd_address = 127.0.0.1 783 +# Enable spam scanning at SMTP time (urpmi exim-plugins-SpamAssassin): +# local_scan_path = /usr/lib/exim/sa-exim.so # If Exim is compiled with support for TLS, you may want to enable the # following options so that Exim allows clients to make encrypted @@ -139,7 +142,6 @@ # as well. # Allow any client to use TLS. - # tls_advertise_hosts = * # Specify the location of the Exim server's TLS certificate and private key. @@ -148,8 +150,16 @@ # need the first setting, or in separate files, in which case you need both # options. -# tls_certificate = /etc/ssl/exim.crt -# tls_privatekey = /etc/ssl/exim.pem +# You can use self-signed cerficates: +# openssl req -x509 -newkey rsa:1024 -days 3650 -nodes \ +# -out /etc/ssl/exim/certs/exim.pem \ +# -ketout /etc/ssl/exim/private/exim.pem +# And dhparam: +# openssl dhparam -check -text -5 512 -out /etc/ssl/exim/dhparam/exim.pem + +#tls_certificate = /etc/ssl/exim/certs/exim.pem +#tls_privatekey = /etc/ssl/exim/private/exim.pem +# tls_dhparam = /etc/ssl/exim/dhparam/exim.pem # In order to support roaming users who wish to send email from anywhere, # you may want to make Exim listen on other ports as well as port 25, in @@ -211,6 +221,10 @@ never_users = root +# Exim user: +#exim_user = 8 +#exim_group = 12 +trusted_users = nobody # The setting below causes Exim to do a reverse DNS lookup on all incoming # IP calls, in order to get the true host name. If you feel this is too @@ -291,6 +305,27 @@ # split_spool_directory = true +# Customize 'received_header_text' and 'smtp_banner': + +FULL_HOSTINFO = $primary_hostname ${if def:interface_address \ + {([$interface_address]:$interface_port)} }\ + ${if !def:interface_address {([local]:$received_protocol)} } + +FULL_EXIMINFO = Exim-$version_number (MandrivaLinux) MTA + +smtp_banner = FULL_HOSTINFO ESMTP FULL_EXIMINFO $tod_full + +received_header_text = Received: \ + from ${if def:sender_rcvhost {$sender_rcvhost\n\t} \ + {${if def:sender_ident {$sender_ident } {localhost } }\ + ${if def:sender_helo_name {(helo=$sender_helo_name) } }} }\ + by FULL_HOSTINFO\n\t\ + ${if def:received_protocol {with $received_protocol } }\ + ${if def:sender_host_authenticated \ + {($sender_host_authenticated:$authenticated_id) } }\ + ${if def:tls_cipher {($tls_cipher)\n\t} }\ + id $message_id - Using FULL_EXIMINFO \n\t\ + (return-path <$sender_address>) ###################################################################### # ACL CONFIGURATION # @@ -452,28 +487,29 @@ acl_check_data: - # Deny if the message contains a virus. Before enabling this check, you - # must install a virus scanner and set the av_scanner option above. - # - # deny malware = * - # message = This message contains a virus ($malware_name). - - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. - # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report - - # Accept the message. + # Reject virus infested messages. + deny message = This message contains malware ($malware_name) + malware = * + + # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings + # (user "nobody"), no matter if over threshold or not. + warn message = X-Spam-Score: $spam_score ($spam_bar) + spam = nobody:true + warn message = X-Spam-Report: $spam_report + spam = nobody:true + + # Add X-Spam-Flag if spam is over system-wide threshold + warn message = X-Spam-Flag: YES + spam = nobody + + # Reject spam messages with score over 10, using an extra condition. + deny message = This message scored $spam_score points. Congratulations! + spam = nobody:true + condition = ${if >{$spam_score_int}{100}{1}{0}} + # finally accept all the rest accept - - ###################################################################### # ROUTERS CONFIGURATION # # Specifies how addresses are handled # @@ -494,6 +530,7 @@ # domain literal addresses. # domain_literal: +# debug_print = "R: domain_literal for $local_part@$domain" # driver = ipliteral # domains = ! +local_domains # transport = remote_smtp @@ -513,11 +550,26 @@ # setting, and consequently the address is unrouteable. dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" driver = dnslookup domains = ! +local_domains transport = remote_smtp - ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 - no_more + # ignore private rfc1918 and APIPA addresses + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + 255.255.255.255 no_more + +# Send all mail to a smarthost: +#smarthost: +# debug_print = "R: smarthost for $local_part@$domain" +# driver = manualroute +# domains = !+local_domains +# transport = remote_smtp_smarthost +## Replace 'my.fai.com' to your smtp fai: +# route_list = * my.fai.com byname +# host_find_failed = defer +# same_domain_copy_routing = yes +# no_more # The remaining routers handle addresses in the local domain(s), that is those @@ -525,7 +577,7 @@ # This router handles aliasing using a linearly searched alias file with the -# name SYSTEM_ALIASES_FILE. When this configuration is installed automatically, +# name /etc/exim/aliases. When this configuration is installed automatically, # the name gets inserted into this file from whatever is set in Exim's # build-time configuration. The default path is the traditional /etc/aliases. # If you install this configuration by hand, you need to specify the correct @@ -545,11 +597,12 @@ # to set up different ones for pipe and file deliveries from aliases. system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" driver = redirect allow_fail allow_defer - data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} -# user = exim + data = ${lookup{$local_part}lsearch{/etc/exim/aliases}} +# user = mail file_transport = address_file pipe_transport = address_pipe @@ -579,6 +632,7 @@ # up an auto-reply, respectively. userforward: + debug_print = "R: userforward for $local_part@$domain" driver = redirect check_local_user # local_part_suffix = +* : -* @@ -592,7 +646,6 @@ pipe_transport = address_pipe reply_transport = address_reply - # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". @@ -602,6 +655,7 @@ # in the same way as xxxx@your.domain by this router. localuser: + debug_print = "R: localuser for $local_part@$domain" driver = accept check_local_user # local_part_suffix = +* : -* @@ -627,9 +681,9 @@ # This transport is used for delivering messages over SMTP connections. remote_smtp: + debug_print = "T: remote_smtp for $local_part@$domain" driver = smtp - # This transport is used for local delivery to user mailboxes in traditional # BSD mailbox format. By default it will be run under the uid and gid of the # local user, and requires the sticky bit to be set on the /var/mail directory. @@ -638,6 +692,7 @@ # show how this can be done. local_delivery: + debug_print = "T: local_delivery for $local_part@$domain" driver = appendfile file = /var/mail/$local_part delivery_date_add @@ -656,6 +711,7 @@ # section above. address_pipe: + debug_print = "T: address_pipe for $local_part@$domain" driver = pipe return_output @@ -664,6 +720,7 @@ # generated by aliasing or forwarding. address_file: + debug_print = "T: address_file for $local_part@$domain" driver = appendfile delivery_date_add envelope_to_add @@ -674,9 +731,17 @@ # option of the userforward router. address_reply: + debug_print = "T: address_reply for $local_part@$domain" driver = autoreply - +# This transport is used to deliver local mail to cyrus IMAP server via UNIX +# socket. +# +#local_delivery: +# driver = lmtp +# command = "/usr/lib/cyrus-imapd/deliver -l" +# batch_max = 20 +# user = cyrus ###################################################################### # RETRY CONFIGURATION # @@ -711,7 +776,11 @@ begin rewrite +# This is an example of a useful rewriting rule---it looks up the real +# address of all local users in a file +# *@$primary_hostname ${lookup{$1}lsearch{/etc/email-addresses}\ +# {$value}fail} bcfrF ###################################################################### # AUTHENTICATION CONFIGURATION # @@ -722,13 +791,6 @@ # but non-standard LOGIN mechanism, with Exim acting as the server. # PLAIN and LOGIN are enough to support most MUA software. # -# These authenticators are not complete: you need to change the -# server_condition settings to specify how passwords are verified. -# They are set up to offer authentication to the client only if the -# connection is encrypted with TLS, so you also need to add support -# for TLS. See the global configuration options section at the start -# of this file for more about TLS. -# # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. @@ -742,12 +804,14 @@ # use $auth2 as a lookup key, and compare $auth3 against the result of the # lookup, perhaps using the crypteq{}{} condition. +## SMTP Authentication (SASL): +# #PLAIN: -# driver = plaintext -# server_set_id = $auth2 -# server_prompts = : -# server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# driver = plaintext +# server_set_id = $auth2 +# server_prompts = : +# server_condition = ${if saslauthd{{$auth2}{$auth3}{smtp}} {1}} +# server_advertise_condition = ${if def:tls_cipher } # LOGIN authentication has traditional prompts and responses. There is no # authorization ID in this mechanism, so unlike PLAIN the username and @@ -755,11 +819,57 @@ # server_condition setting for both authenticators. #LOGIN: -# driver = plaintext -# server_set_id = $auth1 -# server_prompts = <| Username: | Password: -# server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# driver = plaintext +# server_set_id = $auth1 +# server_prompts = <| Username: | Password: +# server_condition = ${if saslauthd{{$auth1}{$auth2}{smtp}} {1}} +# server_advertise_condition = ${if def:tls_cipher } + + +## SMTP Authentication (PERL): +# in "MAIN CONFIGURATION SETTINGS": +#perl_startup = do '/etc/exim/exim_perl.pl' +#perl_at_start + +#auth_perl_plain: +# driver = plaintext +# server_set_id = $auth2 +# server_prompts = : +## POP3: +# server_condition = ${perl{auth_perl}{localhost}{$auth2}{$auth3}{pop}} +## IMAP: +# server_condition = ${perl{auth_perl}{localhost}{$auth2}{$auth3}{imap}} +# server_advertise_condition = ${if def:tls_cipher } + +#auth_perl_login: +# driver = plaintext +# server_set_id = $auth1 +# server_prompts = <| Username: | Password: +## POP3: +# server_condition = ${perl{auth_perl}{localhost}{$auth1}{$auth2}{pop}} +## IMAP: +# server_condition = ${perl{auth_perl}{localhost}{$auth1}{$auth2}{imap}} +# server_condition = Authentication is not yet configured +# server_advertise_condition = ${if def:tls_cipher } + + +## Here is an example of CRAM-MD5 authentication against SQLite: +# +# sqlite_auth_crammd5: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup sqlite{/path/to/sqlite.db SELECT pw FROM users WHERE username = '${quote_sqlite:$auth1}'}{$value}fail} +# server_set_id = $auth1 + +## Here is an example of CRAM-MD5 authentication against MySQL: +# in "MAIN CONFIGURATION SETTINGS": +# hide mysql_servers = localhost::(/var/lib/mysql/mysql.sock)/db_name/db_user/db_pass +# +# mysql_auth_crammd5: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup mysql{ SELECT pw FROM users WHERE username = '${quote_mysql:$auth1}'}{$value}fail} +# server_set_id = $auth1 ######################################################################