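######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Access control lists for checking incoming messages.
# The names of these ACLs are defined here:
#
# NOTE(review): the ACL selection below keys only on $interface_port being
# 587.  Any other port listed in daemon_smtp_ports (including 465 if
# tls_on_connect_ports is ever enabled) falls through to the MTA-side ACLs.
# Note also that on the non-587 branch acl_smtp_mail is a bare "accept",
# so MAIL FROM on port 25 is not filtered here at all; the RCPT and DATA
# ACLs are where the MTA-side controls must live.

acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}}
acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
acl_smtp_dkim = acl_mta_dkim

# You should not change those settings until you understand how ACLs work.


# If you are running a version of Exim that was compiled with the content-
# scanning extension, you can cause incoming messages to be automatically
# scanned for viruses. You have to modify the configuration in two places to
# set this up. The first of them is here, where you define the interface to
# your scanner. This example is typical for ClamAV; see the manual for details
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).

# av_scanner = clamd:/run/clamav/clamd.sock


# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

# spamd_address = 127.0.0.1 783
# spamd_address = 127.0.0.1 11333 variant=rspamd


# If Exim is compiled with support for TLS, you may want to enable the
# following options so that Exim allows clients to make encrypted
# connections. In the authenticators section below, there are template
# configurations for plaintext username/password authentication. This kind
# of authentication is only safe when used within a TLS connection, so the
# authenticators will only work if the following TLS settings are turned on
# as well.

# Allow any client to use TLS.

tls_advertise_hosts = *

# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.
#
# NOTE(review): because the key is stored unencrypted, the file it lives in
# should be readable only by the user Exim runs as; confirm the permissions
# on whatever CERTDIR expands to.  CERTDIR is presumably a macro defined
# earlier in this file - it is not visible in this section.

tls_certificate = CERTDIR/$primary_hostname.crt
tls_privatekey = CERTDIR/$primary_hostname.pem

# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
# The standard port for this purpose is port 587, the "message submission"
# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
# talk the message submission protocol correctly, so if you need to support
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
#
# NOTE(review): if 465 is enabled, remember that the acl_smtp_* expressions
# at the top of this file treat it like port 25 (MTA ACLs), not like 587.

daemon_smtp_ports = 25 : 587
# tls_on_connect_ports = 465


# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.example" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the recipient_unqualified_hosts option if you want to permit
# unqualified addresses from remote sources. If this option is not set, the
# primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
# (an IP address) instead of a named domain. The RFCs still require this form,
# but it makes little sense to permit mail to be sent to specific hosts by
# their IP address in the modern Internet. This ancient format has been used
# by those seeking to abuse hosts by using them for unwanted relaying. If you
# really do want to support domain literals, uncomment the following line, and
# see also the "domain_literal" router below.

# allow_domain_literals


# No deliveries will ever be run under the uids of users specified by
# never_users (a colon-separated list). An attempt to do so causes a panic
# error to be logged, and the delivery to be deferred. This is a paranoid
# safety catch. There is an even stronger safety catch in the form of the
# FIXED_NEVER_USERS setting in the configuration for building Exim. The list of
# users that it specifies is built into the binary, and cannot be changed. The
# option below just adds additional users to the list. The default for
# FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here
# is also "root".

# Note that the default setting means you cannot deliver mail addressed to root
# as if it were a normal user. This isn't usually a problem, as most sites have
# an alias for root that redirects such mail to a human administrator.

never_users = root


# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *


# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
# calls are made, and/or change the timeout that is used. If you set
# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
# are cheap and can provide useful information for tracing problem
# messages, but some hosts and firewalls have problems with them.
# This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up SMTP sessions.
# (The default was reduced from 30s to 5s for release 4.61, and to
# disabled for release 4.86)
#
# NOTE(review): rfc1413_hosts is left commented out, so per the note above
# no ident callbacks are made and the timeout below has no effect unless
# rfc1413_hosts is uncommented.

# rfc1413_hosts = *
rfc1413_query_timeout = 5s

# Enable an efficiency feature. We advertise the feature; clients
# may request to use it. For multi-recipient mails we then can
# reject or accept per-user after the message is received.
# prdr_enable = true


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
#
# to control sender and recipient addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# When an untrusted user submits a message to Exim using the standard input,
# Exim normally creates an envelope sender address from the user's login and
# the default qualification domain.
# The untrusted_set_sender option allows you to permit untrusted users to set
# other envelope sender addresses in a controlled way. When it is set, untrusted
# users are allowed to set envelope sender addresses that match any of the
# patterns in the list. Like all address lists, the string is expanded.
#
# The envelope sender address will be checked against a list of valid aliases
# for the current authenticated user in a dedicated ACL.
#
# NOTE(review): with the pattern "*" this option on its own permits any
# envelope sender from untrusted local users; the only control is the
# alias-checking ACL referred to above.  Confirm that ACL exists and is
# applied on every submission path before relying on this setting.

untrusted_set_sender = *


# When a local message is received from an untrusted user and local_from_check is
# true (the default), and the suppress_local_fixups control has not been set, a
# check is made to see if the address given in the From: header line is the
# correct (local) sender of the message. The address that is expected has the
# login name as the local part and the value of qualify_domain as the domain.
#
# NOTE(review): setting this to false removes Exim's own From: header check
# for untrusted local users, so header sender validation likewise rests on
# the ACL mentioned under untrusted_set_sender.

local_from_check = false


# Unless you run a high-volume site you probably want more logging
# detail than the default. Adjust to suit.

log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified


# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
# the domains listed) is locally rerouted to x@y and sent on. If z is not one
# of the "percent hack" domains, x%y is treated as an ordinary local part. This
# hack is rarely needed nowadays; you should not enable it unless you are sure
# that you really need it.
#
# percent_hack_domains =
#
# As well as setting this option you will also need to remove the test
# for local parts containing % in the ACL definition below.


# When Exim can neither deliver a message nor return it to sender, it "freezes"
# the delivery error message (aka "bounce message"). There are also other
# circumstances in which messages get frozen. They will stay on the queue for
# ever unless one of the following options is set.

# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d


# By default, messages that are waiting on Exim's queue are all held in a
# single directory called "input" which is itself within Exim's spool
# directory. (The default spool directory is specified when Exim is built, and
# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
# there are circumstances where this is not always possible. If you uncomment
# the setting below, messages on the queue are held in 62 subdirectories of
# "input" instead of all in the same directory. The subdirectories are called
# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file
# system degrades with many files in one directory, this is less likely to
# happen; (2) Exim can process the queue one subdirectory at a time instead of
# all at once, which can give better performance with large queues.

# split_spool_directory = true


# If you're in a part of the world where ASCII is not sufficient for most
# text, then you're probably familiar with RFC2047 message header extensions.
# By default, Exim adheres to the specification, including a limit of 76
# characters to a line, with encoded words fitting within a line.
# If you wish to use decoded headers in message filters in such a way
# that successful decoding of malformed messages matters, you may wish to
# configure Exim to be more lenient.
#
# check_rfc2047_length = false
#
# In particular, the Exim maintainers have had multiple reports of problems
# from Russian administrators of issues until they disable this check,
# because of some popular, yet buggy, mail composition software.


# If you wish to be strictly RFC compliant, or if you know you'll be
# exchanging email with systems that are not 8-bit clean, then you may
# wish to disable advertising 8BITMIME. Uncomment this option to do so.

# accept_8bitmime = false


# Exim does not make use of environment variables itself. However,
# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
# There are two lists: keep_environment for the variables we trust, and
# add_environment for variables we want to set to a specific value.
# Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.

# keep_environment = ^LDAP
# add_environment = PATH=/usr/bin::/bin


# 2017-11-25 Critical Exim Security Vulnerability: disable chunking
# https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html
#
# NOTE(review): the empty host list below stops Exim advertising CHUNKING
# (BDAT) to any client.  Leave it empty until the running Exim version is
# confirmed to carry the fix described at the link above.

chunking_advertise_hosts =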