summaryrefslogtreecommitdiff
path: root/conf.d/010_main.conf
blob: 5ad88ab682da39b9caf34778f4570a293e6b825f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Access control lists for checking incoming messages.
# The names of these ACLs are defined here:

acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}}
acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
acl_smtp_dkim = acl_mta_dkim

# You should not change those settings until you understand how ACLs work.


# If you are running a version of Exim that was compiled with the content-
# scanning extension, you can cause incoming messages to be automatically
# scanned for viruses. You have to modify the configuration in two places to
# set this up. The first of them is here, where you define the interface to
# your scanner. This example is typical for ClamAV; see the manual for details
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).

# av_scanner = clamd:/run/clamav/clamd.sock


# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.

# spamd_address = 127.0.0.1 783
# spamd_address = 127.0.0.1 11333 variant=rspamd

.ifdef SPAMD_ADDRESS
spamd_address = SPAMD_ADDRESS
.endif


# If Exim is compiled with support for TLS, you may want to enable the
# following options so that Exim allows clients to make encrypted
# connections. In the authenticators section below, there are template
# configurations for plaintext username/password authentication. This kind
# of authentication is only safe when used within a TLS connection, so the
# authenticators will only work if the following TLS settings are turned on
# as well.

# Allow any client to use TLS.

tls_advertise_hosts = *

# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.

tls_certificate = CERTDIR/$primary_hostname.crt
tls_privatekey = CERTDIR/$primary_hostname.pem

# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
# case these users need to send email from a network that blocks port 25.
# The standard port for this purpose is port 587, the "message submission"
# port. See RFC 4409 for details. Microsoft MUAs cannot be configured to
# talk the message submission protocol correctly, so if you need to support
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.

daemon_smtp_ports = 25 : 587
# tls_on_connect_ports = 465


# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.example" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the recipient_unqualified_hosts option if you want to permit
# unqualified addresses from remote sources. If this option is not set, the
# primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
# (an IP address) instead of a named domain. The RFCs still require this form,
# but it makes little sense to permit mail to be sent to specific hosts by
# their IP address in the modern Internet. This ancient format has been used
# by those seeking to abuse hosts by using them for unwanted relaying. If you
# really do want to support domain literals, uncomment the following line, and
# see also the "domain_literal" router below.

# allow_domain_literals


# No deliveries will ever be run under the uids of users specified by
# never_users (a colon-separated list). An attempt to do so causes a panic
# error to be logged, and the delivery to be deferred. This is a paranoic
# safety catch. There is an even stronger safety catch in the form of the
# FIXED_NEVER_USERS setting in the configuration for building Exim. The list of
# users that it specifies is built into the binary, and cannot be changed. The
# option below just adds additional users to the list. The default for
# FIXED_NEVER_USERS is "root", but just to be absolutely sure, the default here
# is also "root".

# Note that the default setting means you cannot deliver mail addressed to root
# as if it were a normal user. This isn't usually a problem, as most sites have
# an alias for root that redirects such mail to a human administrator.

never_users = root


# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *


# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
# calls are made, and/or change the timeout that is used. If you set
# the timeout to zero, all RFC 1413 calls are disabled. RFC 1413 calls
# are cheap and can provide useful information for tracing problem
# messages, but some hosts and firewalls have problems with them.
# This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up SMTP sessions.
# (The default was reduced from 30s to 5s for release 4.61. and to
# disabled for release 4.86)
#
rfc1413_hosts = *
rfc1413_query_timeout = 5s


# Enable an efficiency feature.  We advertise the feature; clients
# may request to use it.  For multi-recipient mails we then can
# reject or accept per-user after the message is received.
#
prdr_enable = true


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
#
# to control sender and recipient addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# When an untrusted user submits a message to Exim using the standard input,
# Exim normally creates an envelope sender address from the user’s login and
# the default qualification domain.
# The untrusted_set_sender option allows you to permit untrusted users to set
# other envelope sender addresses in a controlled way. When it is set, untrusted
# users are allowed to set envelope sender addresses that match any of the
# patterns in the list. Like all address lists, the string is expanded.
#
# The envelope sender address will be checked against a list of valid aliases
# for the current authenticated user in a dedicated ACL.

untrusted_set_sender = *


# When a local message is received from an untrusted user and local_from_check is
# true (the default), and the suppress_local_fixups control has not been set, a
# check is made to see if the address given in the From: header line is the
# correct (local) sender of the message. The address that is expected has the
# login name as the local part and the value of qualify_domain as the domain.

local_from_check = false


# Unless you run a high-volume site you probably want more logging
# detail than the default.  Adjust to suit.

log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified


# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
# the domains listed) is locally rerouted to x@y and sent on. If z is not one
# of the "percent hack" domains, x%y is treated as an ordinary local part. This
# hack is rarely needed nowadays; you should not enable it unless you are sure
# that you really need it.
#
# percent_hack_domains =
#
# As well as setting this option you will also need to remove the test
# for local parts containing % in the ACL definition below.


# When Exim can neither deliver a message nor return it to sender, it "freezes"
# the delivery error message (aka "bounce message"). There are also other
# circumstances in which messages get frozen. They will stay on the queue for
# ever unless one of the following options is set.

# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d


# By default, messages that are waiting on Exim's queue are all held in a
# single directory called "input" which it itself within Exim's spool
# directory. (The default spool directory is specified when Exim is built, and
# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
# there are circumstances where this is not always possible. If you uncomment
# the setting below, messages on the queue are held in 62 subdirectories of
# "input" instead of all in the same directory. The subdirectories are called
# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file
# system degrades with many files in one directory, this is less likely to
# happen; (2) Exim can process the queue one subdirectory at a time instead of
# all at once, which can give better performance with large queues.

# split_spool_directory = true


# If you're in a part of the world where ASCII is not sufficient for most
# text, then you're probably familiar with RFC2047 message header extensions.
# By default, Exim adheres to the specification, including a limit of 76
# characters to a line, with encoded words fitting within a line.
# If you wish to use decoded headers in message filters in such a way
# that successful decoding of malformed messages matters, you may wish to
# configure Exim to be more lenient.
#
# check_rfc2047_length = false
#
# In particular, the Exim maintainers have had multiple reports of problems
# from Russian administrators of issues until they disable this check,
# because of some popular, yet buggy, mail composition software.


# If you wish to be strictly RFC compliant, or if you know you'll be
# exchanging email with systems that are not 8-bit clean, then you may
# wish to disable advertising 8BITMIME.  Uncomment this option to do so.

# accept_8bitmime = false


# Exim does not make use of environment variables itself. However,
# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
# There are two lists: keep_environment for the variables we trust, and
# add_environment for variables we want to set to a specific value.
# Note that TZ is handled separateley by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.

# keep_environment = ^LDAP
# add_environment = PATH=/usr/bin::/bin


# 2017-11-25 Critical Exim Security Vulnerability: disable chunking
# https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html

chunking_advertise_hosts =