######
###### Exim runtime configuration file for
######
###### COLON.COLONDOT.NET
######
###### Exim versions 4.30 and above (with exiscan)
######

#### This file implements policy-based access control
####
#### Level 0: Postmaster / Authenticated user (warn on everything)
#### Level 1: Block on L1RBL / Block unwanted attachments
#### Level 2: Block on L2RBL / Sender Verify / some HELO name checking (against ourselves)
#### Level 3: Block on L3RBL
#### Level 4: Block on L4RBL / Header checking (syntax, sender, messageid, date)
#### Level 5: Block on L5RBL / HELO name checking
####
#### A recipient's level is looked up per RCPT (RCPT_POLICY) and every check
#### at or below that level is enforced; checks above it only add warning
#### headers.

###
### MACRO DEFINITIONS (settings)
###

# Interface IP addresses
# INT_MAIN_PORT is the ordinary SMTP port; INT_MSA_PORT is the submission
# port, which the ACLs and the banner treat as authenticated-only.
INT_LISTEN_IP = 193.201.200.71
INT_SAUCE_IP = 193.201.200.70
INT_SAUCE_PORT = 25
INT_MAIN_PORT = 25
INT_MSA_PORT = 587

# Domains used internally
DM_PRIMARY = colon.colondot.net
DM_SAUCE = DM_PRIMARY
DM_NONSAUCE = plus.colondot.net
DM_LISTMGR = mailman.colondot.net
DM_AUTODNS = autodns.colondot.net
DM_CNOSRS = opensrs.colondot.net

# Blackhole listings
# RBL_WARN only adds delay and a warning header; RBL_BLOCK_Ln rejects for
# recipients whose policy level is n or higher.
# NOTE(review): relays.ordb.org and the dsbl.org zones have been reported
# shut down. A retired DNSBL may time out or answer positively for every
# query, which at level 5 (the default policy) would reject all mail from
# +rbl_hosts. Confirm each zone is still operated before relying on it.
RBL_WARN = bl.spamcop.net : relays.ordb.org : list.dsbl.org : multihop.dsbl.org : unconfirmed.dsbl.org : sbl.spamhaus.org : xbl.spamhaus.org
RBL_BLOCK_L1 = rbl.colondot.net
# RBL_BLOCK_L2 and RBL_BLOCK_L4 are defined empty: no DNS list is attached
# to those levels (presumably the matching dnslists test then never
# matches; confirm on the Exim version in use).
RBL_BLOCK_L2 =
RBL_BLOCK_L3 = sbl.spamhaus.org
RBL_BLOCK_L4 =
RBL_BLOCK_L5 = relays.ordb.org : list.dsbl.org

# Localparts which go unchecked
# (they are given POLICY_PM by RCPT_POLICY, i.e. warn-only handling)
LP_PRECHECK = postmaster : mailadmin : abuse

# Locations of files and directories
# FILE_TLS_V_CERTS is the CA set used to verify client certificates. The
# ACLs accept a verified client certificate as a relay credential, so it
# should hold only CAs that are meant to grant relay.
# FILE_TLS_KEY is the server private key; keep it readable by the Exim
# user only.
DIR_EXIM = /etc/exim
DIR_SECONDARY = DIR_EXIM/secondary
DIR_ALIAS = DIR_EXIM/aliases
DIR_POLICY = DIR_EXIM/policies
FILE_ALIAS = /etc/aliases
FILE_LOCALBATCH = DIR_EXIM/localbatch
FILE_VUSERS = DIR_EXIM/virtualusers
FILE_SEC_LIST = DIR_SECONDARY/relay-list
FILE_SEC_MGR = DIR_SECONDARY/managers
FILE_TLS_V_CERTS = DIR_EXIM/certs
FILE_TLS_CERT = DIR_EXIM/cert-outgoing
FILE_TLS_KEY = DIR_EXIM/key-outgoing
FILE_TLS_DHPARAM = DIR_EXIM/dhparam
FILE_TLS_AVOID = DIR_EXIM/tlsavoid
FILE_POLICY = DIR_EXIM/rcpt-policy
FILE_CNOSRS_ALIAS = DIR_EXIM/opensrs
FILE_BADSENDERS = DIR_EXIM/badsenders
DIR_MAILMAN_HOME = /usr/local/mailman
FILE_MAILMAN_WRAP = DIR_MAILMAN_HOME/mail/wrapper

# uids and gids
# NOTE(review): UID_MAILMAN is the Exim user itself, so the Mailman pipe
# transports run the wrapper with the mail daemon's own uid. Confirm this
# is what the wrapper requires; a dedicated uid would be a narrower grant.
UID_EXIM = mailnull
GID_EXIM = mail
UID_CYRUS = cyrus
UID_SAUCE = sauce
GID_ADMIN = mailadmin
UID_AUTODNS = autodns
GID_AUTODNS = autodns
UID_CNOSRS = opensrs
GID_CNOSRS = opensrs
UID_MM_CALLER = mailman
UID_MAILMAN = UID_EXIM
GID_MAILMAN = mailnull
UID_WEBMAIL = prayer

# policy
# POLICY_PM: level given to postmaster-type local parts and to
# authenticated, relay-host or verified-certificate senders.
# POLICY_DEFAULT: level used when no policy entry matches (the strictest).
POLICY_PM = 0
POLICY_DEFAULT = 5

# headers
# prefixes of the warning headers added by "warn ... message =" statements
H_SYNTAX = X-Colondot-Syntax:
H_WARN = X-Colondot-Warn:

# filetypes
# Attachment extensions handed to the demime condition in check_data.
# This is a match on the extension only; the content is not inspected.
FT_L1 = ade : adp : ask : bas : bat : chm : cmd : com : cpl : crt : exe : hlp
FT_L2 = hta : inf : ins : isp : js : jse : lnk : mda : mdb : mde : mdt : mdw
FT_L3 = mdz : msi : msp : mst : ops : pcd : pif : prf : reg : scf : scr : shb
FT_L4 = shs : url : vb : vbe : vbs : wsc : wsf : wsh : cnf : mad : maf : mag
FT_L5 = mam : maq : mar : mas : mat : mav : maw : xnk : mhtml : msc : sct
FT_ALL = FT_L1 : FT_L2 : FT_L3 : FT_L4 : FT_L5

# rfc3330 list
# Special-use networks. They feed hostlist badipnet, which the remote
# routers use as ignore_target_hosts, so DNS answers pointing at private,
# loopback or reserved space are not used as delivery targets.
# (IP_BAD_MULTICAST also carries 240.0.0.0/4, the reserved block.)
IP_BAD_RFC1918 = 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16
IP_BAD_LOCAL = 0.0.0.0/8 : 127.0.0.0/8 : 169.254.0.0/16
IP_BAD_MULTICAST = 224.0.0.0/4 : 240.0.0.0/4
IP_BAD_RFC3330 = 192.0.2.0/24 : 198.18.0.0/15
IP_BAD_NETS = IP_BAD_RFC1918 : IP_BAD_LOCAL : IP_BAD_MULTICAST : IP_BAD_RFC3330

###
### MACRO DEFINITIONS (expansions)
###

# this gets the policy level of a given recipient from the database
# search path for policy is:
# 1 policy file for this domain exists
# 1.1 lookup localpart in this file
# 1.2 lookup localpart in main policy file
# 1.3 default
# 2 lookup localpart in main policy file
# 3 lookup full address in main policy file
# 4 default
#
# NOTE(review): ${lc:$domain} comes from the RCPT command and is pasted into
# a file name under DIR_POLICY; check_rcpt evaluates this before it has
# tested the domain against +local_domains. Exim 4.94 and later refuse
# tainted file names of this kind. On any version, prefer to obtain the
# file name from a lookup result (for example a dsearch on DIR_POLICY)
# instead of the raw domain, and keep DIR_POLICY free of anything but
# policy files. Confirm against the Exim version in use.
EX_POLICY_DIR_LK=${lookup{${lc:$local_part}} wildlsearch {DIR_POLICY/${lc:$domain}} {$value}{EX_POLICY_LP_ONLY}}
EX_POLICY_DIR_CD=${if exists{DIR_POLICY/${lc:$domain}} {EX_POLICY_DIR_LK}{EX_POLICY_LP_FULL}}
EX_POLICY_LP_ONLY=${lookup{${lc:$local_part}} lsearch {FILE_POLICY} {$value}{POLICY_DEFAULT}}
EX_POLICY_LP_FULL=${lookup{${lc:$local_part}} lsearch {FILE_POLICY} {$value}{EX_POLICY_ADDR}}
# last step of the policy search: full address (with *@domain fallback) in
# the main policy file, else the default level
EX_POLICY_ADDR=${lookup{${lc:$local_part}@${lc:$domain}} lsearch*@ {FILE_POLICY} {$value}{POLICY_DEFAULT}}
# RCPT_POLICY is what check_rcpt stores in acl_m9: POLICY_PM when the local
# part is listed in LP_PRECHECK, otherwise the result of the policy search.
# NOTE(review): the other lookups lowercase $local_part but this match uses
# it as received, and the match looks case-sensitive. Confirm that
# "Postmaster@" is still exempted as intended.
RCPT_POLICY=${if match{:LP_PRECHECK:}{^.*:\\s*\\Q$local_part\\E\\s*:} {POLICY_PM}{EX_POLICY_DIR_CD}}

# this gets the spool information
BATCHFILE_DM=lsearch;FILE_LOCALBATCH
BATCHFILE_RES=${lookup{${lc:$domain}} lsearch {FILE_LOCALBATCH} {$value}}

# this is how we look up our secondary mx configuration
EX_SEC_MGR=${lookup{${lc:$domain}} partial-lsearch {FILE_SEC_MGR} {$value} {default}}
SECONDARY_RES=${lookup{${lc:$domain}} partial-lsearch {DIR_SECONDARY/EX_SEC_MGR}}

# this is how we look up most of our domains
# NOTE(review): ALIAS_RESEXP passes the looked-up alias data through
# ${expand:...}, so whatever is stored in the files under DIR_ALIAS is
# evaluated as an Exim expansion string. Those files are therefore as
# sensitive as this configuration file; keep them writable by the mail
# administrator only.
ALIAS_DM=dsearch;DIR_ALIAS
ALIAS_RESNOEXP=${lookup{${lc:$local_part}} lsearch*@ {DIR_ALIAS/${lc:$domain}} {$value}}
ALIAS_RESEXP=${expand:ALIAS_RESNOEXP}

# this is how we look up normal system aliases
SYS_AL_RES=${lookup{$local_part} lsearch {FILE_ALIAS}}

# this is how we tell when something is a valid mailman list
# NOTE(review): the local part from the envelope becomes a path component
# here. Exim 4.94 and later reject tainted file names; confirm how the
# version in use treats this and that odd local parts cannot select a path
# outside DIR_MAILMAN_HOME/lists.
MAILMAN_FILE_REQ=<; DIR_MAILMAN_HOME/lists/${lc:$local_part}/config.db

# this is how we tell when we're talking to TLS
TLS_COND=${if eq{$tls_cipher}{} {no}{yes}}

# autodns script name
AUTODNS_SCRIPT="|/etc/namedb/autodns/autodns.pl"

# opensrs script name
CNOSRS_SCRIPT=${lookup{${lc:$local_part}} lsearch {FILE_CNOSRS_ALIAS} {$value}}

# cyrus script name
# Used as the command of a pipe transport. Presumably Exim splits the
# command into arguments before expanding it, so each quoted variable stays
# one argument; confirm use_shell stays unset on that transport.
CYRUS_SCRIPT=/usr/local/cyrus/bin/deliver -r "$return_path" "${lc:$local_part}"

# useful expansions for various levels of policy
# EX_POLICY_Ln is "yes" when the cached recipient policy (acl_m9) is n or more
EX_POLICY_L1=${if >={$acl_m9}{1} {yes}{no}}
EX_POLICY_L2=${if >={$acl_m9}{2} {yes}{no}}
EX_POLICY_L3=${if >={$acl_m9}{3} {yes}{no}}
EX_POLICY_L4=${if >={$acl_m9}{4} {yes}{no}}
EX_POLICY_L5=${if >={$acl_m9}{5} {yes}{no}}

# enable or disable delays depending on what variables are set
# A delay is written "delay = EX_DL_BEG<time>EX_DL_END"; the two macros wrap
# <time> in an ${if ...}. With DEBUG defined the result is always 0s.
# Otherwise <time> is used while $acl_c0 is empty and 0s once an ACL has set
# acl_c0 for the connection.
.ifdef DEBUG
EX_DL_BEG=${if eq{}{} {0s}{
EX_DL_END=}}
.else
EX_DL_BEG=${if eq{$acl_c0}{} {
EX_DL_END=}{0s}}
.endif

###
### MAIN CONFIGURATION : lists
###

# rbl_hosts: every remote host except our own addresses and loopback.
# relay_hosts: local submission, loopback and our own addresses; these hosts
# may relay and get POLICY_PM in check_rcpt.
# badiphost is defined empty.
hostlist listen_ip = INT_LISTEN_IP
hostlist sauce_ip = INT_SAUCE_IP
hostlist rbl_hosts = <; ! ; !+listen_ip ; ! +sauce_ip ; ! 127.0.0.0/8 ; ! ::1 ; *
hostlist relay_hosts = <; ; 127.0.0.1/32 ; ::1 ; +sauce_ip ; +listen_ip
hostlist badipnet = IP_BAD_NETS
hostlist badiphost =
domainlist sauce_ip = INT_SAUCE_IP
domainlist sauce_domains = DM_SAUCE
domainlist non_sauce_domains= DM_NONSAUCE
domainlist list_domain = DM_LISTMGR
domainlist opensrs_domain = DM_CNOSRS
domainlist autodns_domain = DM_AUTODNS
domainlist aliases_domains = ALIAS_DM
domainlist batchmx_domains = BATCHFILE_DM
# internal_domains are refused in check_rcpt unless the client is local.
# autodns_domain is not part of it, so the autodns pipe can be reached by
# remote senders.
domainlist internal_domains = localhost : +list_domain : +opensrs_domain
domainlist local_domains = @[] : +internal_domains : +sauce_domains : +non_sauce_domains : +autodns_domain : +batchmx_domains : +aliases_domains
domainlist local_domains_ns = !+list_domain : !+aliases_domains : !+batchmx_domains : !+non_sauce_domains : +local_domains
domainlist relay_domains = FILE_SEC_LIST
addresslist bad_senders = FILE_BADSENDERS

###
### MAIN CONFIGURATION : ACL Delegation
###

acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_auth = check_auth
acl_smtp_mail = check_mail
acl_smtp_rcpt = check_rcpt
acl_smtp_data = check_data
acl_not_smtp = check_nonsmtp

###
### MAIN CONFIGURATION : Qualifying and hostnaming
###

primary_hostname = DM_PRIMARY
qualify_domain = DM_PRIMARY
qualify_recipient = DM_PRIMARY

###
### MAIN CONFIGURATION : Interfaces
###

# The main port listens on INT_LISTEN_IP, loopback and IPv6; INT_SAUCE_IP is
# listed for the submission port only. Presumably the sauce service owns
# port 25 on that address.
hosts_treat_as_local = +sauce_ip
local_interfaces = <; [INT_LISTEN_IP]:INT_MAIN_PORT ; [127.0.0.1]:INT_MAIN_PORT ; [::0]:INT_MAIN_PORT ; [INT_SAUCE_IP]:INT_MSA_PORT ; [INT_LISTEN_IP]:INT_MSA_PORT ; [127.0.0.1]:INT_MSA_PORT ; [::0]:INT_MSA_PORT

###
### MAIN CONFIGURATION : UIDs and GIDs
###

# NOTE(review): trusted_users may supply the envelope sender and the
# received-from details of a message, and "untrusted_set_sender = *"
# additionally lets every other local user choose any envelope sender with
# -f. The envelope sender of locally submitted mail is therefore not
# evidence of who sent it. If local users are not all trusted, narrow
# untrusted_set_sender to the addresses they actually need.
# never_users = root also interacts with "user = root" on l_sys_aliases;
# see the note there.
exim_user = UID_EXIM
exim_group = GID_EXIM
never_users = root
trusted_users = UID_SAUCE : UID_EXIM : UID_MM_CALLER : UID_CNOSRS : UID_WEBMAIL
admin_groups = GID_ADMIN
untrusted_set_sender = *

###
### MAIN CONFIGURATION : TLS
###

# STARTTLS is offered to every remote host not listed in FILE_TLS_AVOID and
# a client certificate is requested, but not required, from everyone.
# NOTE(review): a certificate that verifies against FILE_TLS_V_CERTS is
# later accepted by "verify = certificate" as a relay credential. Confirm
# that file holds only CAs intended to grant relay, not a public CA bundle.
# No protocol or cipher restriction is set in this file, so the TLS
# library's defaults apply.
tls_advertise_hosts = ! : !127.0.0.0/8 : !FILE_TLS_AVOID : *
tls_try_verify_hosts = *
tls_verify_certificates= FILE_TLS_V_CERTS
tls_certificate = FILE_TLS_CERT
tls_privatekey = FILE_TLS_KEY
tls_dhparam = FILE_TLS_DHPARAM

###
### MAIN CONFIGURATION : Logging
###

# logs the TLS cipher and peer DN, the receiving interface, every SMTP
# connection and SMTP protocol/syntax errors
log_selector = +tls_cipher +tls_peerdn +delivery_size \
               +smtp_connection +smtp_protocol_error +smtp_syntax_error \
               +incoming_interface

###
### MAIN CONFIGURATION : Mail parameters
###

# helo_allow_chars lets "+" and "_" through HELO syntax checking so that
# badhelo_names can see and score them.
host_lookup = *
helo_try_verify_hosts = *
recipients_max = 105
message_size_limit = 32M
helo_allow_chars = +_
allow_domain_literals = true

###
### MAIN CONFIGURATION : SMTP parameters
###

# The banner discloses the exact Exim version to every client.
smtp_connect_backlog = 15
smtp_accept_max = 200
smtp_accept_max_per_host = 3
smtp_banner = $primary_hostname ESMTP Exim $version_number ${if ={$interface_port}{INT_MSA_PORT} {Authenticated mail only}{Colondot.net mail service}} ready

###
### MAIN CONFIGURATION : Miscellaneous parameters
###

accept_8bitmime = true
delivery_date_remove = true
envelope_to_remove = true
return_path_remove = true
freeze_tell = postmaster
pid_file_path = /var/run/exim.pid
return_size_limit = 5K
rfc1413_query_timeout = 10s

###
### ACL CONFIGURATION
###

begin acl

## ACL VARS USED:
## c0 : delay switch: empty means delays apply, set means delays are skipped
## c7 : helo error message
## c8 : delay badness for helo denying
## c9 : policy for the helo denying
## m0 : current policy for this message
## m8 : current delay for this command
## m9 : cached policy for this recipient

###
### ACL CONFIGURATION : Checks for non-smtp mail
###

# Locally submitted (non-SMTP) mail: refuse senders that are marked
# recipient-only, accept everything else.
check_nonsmtp:
  deny    senders = +bad_senders
          message = This address is marked as recipient only
  accept

###
### ACL CONFIGURATION : Checks on TCP connection establishment
###

# Builds the connect-time delay in acl_m8 (+30 when listed in RBL_WARN, +10
# without reverse DNS), capped at 90 seconds. Nothing is rejected here.
check_connect:
  warn    set acl_m8 = 0
          set acl_c8 = 0
  warn    condition = ${if ={$interface_port}{INT_MSA_PORT} {yes}{no}}
          set acl_c0 = 1
  warn
          # sauce does its own delaying
          condition = ${if eq{$interface_address}{INT_SAUCE_IP} {yes}{no}}
          condition = ${if ={$interface_port}{INT_SAUCE_PORT} {yes}{no}}
          set acl_c0 = 1
  warn    hosts = +rbl_hosts
          dnslists = RBL_WARN
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    condition = $host_lookup_failed
          set acl_m8 = ${eval:$acl_m8 + 10}
  accept  delay = EX_DL_BEG${if >{$acl_m8}{90} {90}{$acl_m8}}sEX_DL_END

###
### ACL CONFIGURATION : Checks on HELO/EHLO arguments
###

# Scores the HELO name through badhelo_names and delays accordingly (cap
# 280 seconds). Relay hosts and clients with a verified certificate switch
# delays off for the connection. HELO itself is never rejected here; the
# rejection, if any, happens in check_rcpt from acl_c9.
check_helo:
  warn    set acl_m8 = 0
  warn    condition = ${if ={$interface_port}{INT_MSA_PORT} {yes}{no}}
          set acl_c0 = 1
  warn    hosts = +rbl_hosts
          dnslists = RBL_WARN
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    acl = badhelo_names
  warn    set acl_m8 = ${eval:$acl_m8 + $acl_c8}
  warn    condition = $host_lookup_failed
          set acl_m8 = ${eval:$acl_m8 + 10}
  accept  hosts = +relay_hosts
          set acl_c0 = 1
  accept  verify = certificate
          set acl_c0 = 1
  accept  delay = EX_DL_BEG${if >{$acl_m8}{280} {280}{$acl_m8}}sEX_DL_END

###
### ACL CONFIGURATION : Extensive checks on HELO/EHLO arguments
###

# Called from check_helo through "warn acl =", so a deny below does not
# reject the command. It records a reason (acl_c7), a delay score (acl_c8)
# and the lowest recipient policy level at which check_rcpt will reject
# (acl_c9). Connections from our own address and names that pass
# "verify = helo" are accepted without scoring.
badhelo_names:
  accept  condition = ${if eq{$sender_host_address}{$interface_address} {yes}{no}}
  accept  verify = helo
  deny
          # say no if they forge my interface address as their helo name
          condition = ${if eq{$sender_helo_name}{$interface_address} {yes}{no}}
          log_message = Forged IP address as HELO name: $sender_helo_name
          set acl_c9 = 2
          set acl_c8 = 90
          set acl_c7 = Forged IP address
  deny
          # say no if they forge my interface address properly as their helo name
          condition = ${if eq{$sender_helo_name}{[$interface_address]} {yes}{no}}
          log_message = Forged IP address literal as HELO name: $sender_helo_name
          set acl_c9 = 2
          set acl_c8 = 70
          set acl_c7 = Forged address literal
  deny
          # say no if they helo with a name that's my primary hostname
          condition = ${if eq{$sender_helo_name}{$primary_hostname} {yes}{no}}
          log_message = Forged hostname as HELO name: $sender_helo_name
          set acl_c9 = 2
          set acl_c8 = 90
          set acl_c7 = Forged hostname
  # bare freemail domains as HELO name (this point is reached only after
  # "verify = helo" has failed)
  deny    condition = ${if eq{$sender_helo_name}{yahoo.com} {yes}}
          log_message = Forged Yahoo HELO name: $sender_helo_name
          set acl_c9 = 4
          set acl_c8 = 45
          set acl_c7 = Likely forged yahoo.com
  deny    condition = ${if eq{$sender_helo_name}{email.com} {yes}}
          log_message = Forged email.com HELO name: $sender_helo_name
          set acl_c9 = 4
          set acl_c8 = 45
          set acl_c7 = Likely forged email.com
  deny    condition = ${if eq{$sender_helo_name}{mail.com} {yes}}
          log_message = Forged mail.com HELO name: $sender_helo_name
          set acl_c9 = 4
          set acl_c8 = 45
          set acl_c7 = Likely forged mail.com
  deny    condition = ${if eq{$sender_helo_name}{hotmail.com} {yes}}
          condition = ${if match{$sender_host_name}{\N^.*\.(?:hotmail|msn)\.com$\N} {no}{yes}}
          log_message = Forged hotmail.com HELO name: $sender_helo_name
          set acl_c9 = 4
          set acl_c8 = 45
          set acl_c7 = Likely forged hotmail.com
  # HELO name equal to one of the domains that has an alias file here
  deny    condition = ${lookup {${lc:$sender_helo_name}} dsearch{DIR_ALIAS} {yes}{no}}
          log_message = Forged local HELO name: $sender_helo_name
          set acl_c9 = 4
          set acl_c8 = 55
          set acl_c7 = Likely forged local domain
  # syntactic oddities; these reject only at policy level 5
  deny    condition = ${if match{$sender_helo_name}{\N^.*\.\N} {no}{yes}}
          condition = ${if eq{$sender_helo_name}{${uc:$sender_helo_name}} {yes}{no}}
          log_message = Unqualified HELO name IN CAPS: $sender_helo_name
          set acl_c9 = 5
          set acl_c8 = 20
          set acl_c7 = Unqualified and in caps
  deny    condition = ${if match{$sender_helo_name}{\N^.*\.\N} {no}{yes}}
          log_message = Unqualified HELO name: $sender_helo_name
          set acl_c9 = 5
          set acl_c8 = 10
          set acl_c7 = Unqualified
  deny    condition = ${if match{$sender_helo_name}{\N^.*_\N} {yes}{no}}
          log_message = HELO name with underscore: $sender_helo_name
          set acl_c9 = 5
          set acl_c8 = 10
          set acl_c7 = Contained '_'
  deny    condition = ${if match{$sender_helo_name}{\N^.*\+\N} {yes}{no}}
          log_message = HELO name with plus sign: $sender_helo_name
          set acl_c9 = 5
          set acl_c8 = 10
          set acl_c7 = Contained '+'
  # verification failed but no pattern matched: small delay, no rejection
  # level recorded
  accept  set acl_c8 = 5
          set acl_c7 = Verification failed

###
### ACL CONFIGURATION : Checks on AUTH commands
###

# AUTH is accepted on encrypted sessions only.
check_auth:
  accept  encrypted = *
  deny    message = No unencrypted AUTH allowed

###
### ACL CONFIGURATION : Checks on MAIL commands
###

# Relay hosts, verified client certificates and authenticated clients are
# accepted at once with delays switched off. Anyone else is refused on the
# submission port, and on the main port collects delay for DNSBL listing,
# HELO score, missing rDNS, a recipient-only sender and failed sender
# verification (cap 280 seconds).
check_mail:
  warn    set acl_m8 = 0
  warn    condition = ${if ={$interface_port}{INT_MSA_PORT} {yes}{no}}
          set acl_c0 = 1
  accept  hosts = +relay_hosts
          set acl_c0 = 1
  accept  verify = certificate
          set acl_c0 = 1
  accept  authenticated = *
          set acl_c0 = 1
  # after this point, we're not authenticated in any way.
  deny    condition = ${if ={$interface_port}{INT_MSA_PORT} {yes}{no}}
  warn    hosts = +rbl_hosts
          dnslists = RBL_WARN
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    condition = ${if eq{$acl_c8}{} {no}{yes}}
          set acl_m8 = ${eval:$acl_m8 + $acl_c8}
  warn    condition = $host_lookup_failed
          set acl_m8 = ${eval:$acl_m8 + 5}
  warn    senders = +bad_senders
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    !verify = sender
          set acl_m8 = ${eval:$acl_m8 + 30}
  accept  delay = EX_DL_BEG${if >{$acl_m8}{280} {280}{$acl_m8}}sEX_DL_END

###
### ACL CONFIGURATION : Checks on RCPT commands
###

# Per-recipient policy enforcement and relay control.
# NOTE(review): authenticated clients, +relay_hosts and any client whose
# certificate verifies are all given POLICY_PM below and may relay through
# the accept statements at the end of this ACL. The certificate case is
# only as strong as the CA set in FILE_TLS_V_CERTS.
check_rcpt:
  warn    set acl_m8 = 0
  # internal domains are reachable from local clients only
  deny    domains = +internal_domains
          hosts = ! : !127.0.0.0/8
          message = Unrouteable address
  warn
          # cache the current recipients policy level
          set acl_m9 = RCPT_POLICY
  warn
          # if we're authenticated, the current policy level is postmaster's
          authenticated = *
          set acl_m9 = POLICY_PM
  warn
          # if we're a relay host, the current policy level is postmaster's
          hosts = +relay_hosts
          set acl_m9 = POLICY_PM
  warn
          # if we're using a verified cert, the current policy level is postmaster's
          verify = certificate
          set acl_m9 = POLICY_PM
  # DNSBL rejections, one statement per policy level
  deny    hosts = +rbl_hosts
          condition = EX_POLICY_L1
          dnslists = RBL_BLOCK_L1
          message = $sender_host_address is on a realtime-blacklist: $dnslist_domain (${if eq{$dnslist_text}{} {$dnslist_value}{$dnslist_text}})
          delay = EX_DL_BEG120sEX_DL_END
  deny    hosts = +rbl_hosts
          condition = EX_POLICY_L2
          dnslists = RBL_BLOCK_L2
          message = $sender_host_address is on a realtime-blacklist: $dnslist_domain (${if eq{$dnslist_text}{} {$dnslist_value}{$dnslist_text}})
          delay = EX_DL_BEG100sEX_DL_END
  deny    hosts = +rbl_hosts
          condition = EX_POLICY_L3
          dnslists = RBL_BLOCK_L3
          message = $sender_host_address is on a realtime-blacklist: $dnslist_domain (${if eq{$dnslist_text}{} {$dnslist_value}{$dnslist_text}})
          delay = EX_DL_BEG80sEX_DL_END
  deny    hosts = +rbl_hosts
          condition = EX_POLICY_L4
          dnslists = RBL_BLOCK_L4
          message = $sender_host_address is on a realtime-blacklist: $dnslist_domain (${if eq{$dnslist_text}{} {$dnslist_value}{$dnslist_text}})
          delay = EX_DL_BEG60sEX_DL_END
  deny    hosts = +rbl_hosts
          condition = EX_POLICY_L5
          dnslists = RBL_BLOCK_L5
          message = $sender_host_address is on a realtime-blacklist: $dnslist_domain (${if eq{$dnslist_text}{} {$dnslist_value}{$dnslist_text}})
          delay = EX_DL_BEG40sEX_DL_END
  # sender verification is enforced from level 2 up
  deny    !verify = sender
          condition = EX_POLICY_L2
          message = Sender verify failed for $sender_address
          delay = EX_DL_BEG40sEX_DL_END
  warn    condition = ${if eq{$acl_c8}{} {no}{yes}}
          set acl_m8 = ${eval:$acl_m8 + $acl_c8}
  # reject on the HELO finding when the recipient's level is at or above
  # the level recorded by badhelo_names
  deny    condition = ${if eq{$acl_c9}{} {no}{${if >={$acl_m9}{$acl_c9} {yes}{no}}}}
          message = Verify failed for hello name $sender_helo_name
          delay = EX_DL_BEG${if >{$acl_m8}{280} {280}{$acl_m8}}sEX_DL_END
  # the next two statements each carry two delay modifiers; as written both
  # are listed one after the other
  deny    senders = +bad_senders
          message = Faked mail, this address may not send mail
          delay = EX_DL_BEG${if >{$acl_m8}{240} {240}{$acl_m8}}sEX_DL_END
          delay = EX_DL_BEG40sEX_DL_END
  deny    senders = :
          recipients = +bad_senders
          message = Faked bounce, this address may not send mail
          delay = EX_DL_BEG${if >{$acl_m8}{240} {240}{$acl_m8}}sEX_DL_END
          delay = EX_DL_BEG40sEX_DL_END
  defer
          # defer if we've noticed our policy difference
          # (acl_m0 holds the level of the recipients accepted so far; a
          # recipient with a different level is asked to retry, so the
          # level-based checks in check_data see one level per message)
          condition = ${if eq{$acl_m0}{$acl_m9} {no} {${if eq{$acl_m0}{} {no}{yes}}}}
          message = Policy difference for recipients, please try this recipient again later
  # for any accept after this point, we MUST do a set acl_m0 = $acl_m9
  # warning headers and extra delay for clients that are not authenticated,
  # not relay hosts and not using a verified certificate
  warn    !authenticated = *
          hosts = !+relay_hosts : +rbl_hosts
          !verify = certificate
          message = H_WARN RBL: $sender_host_address in $dnslist_domain
          dnslists = RBL_WARN
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    !authenticated = *
          hosts = !+relay_hosts : +rbl_hosts
          !verify = certificate
          !verify = sender
          message = H_WARN VERIFY: $sender_address wasn't verified
          set acl_m8 = ${eval:$acl_m8 + 30}
  warn    !authenticated = *
          hosts = !+relay_hosts : +rbl_hosts
          !verify = certificate
          condition = ${if eq{$acl_c7}{} {no}{yes}}
          message = H_WARN HELO: Bad hello name: $sender_helo_name ($acl_c7)
  warn    !authenticated = *
          hosts = !+relay_hosts : +rbl_hosts
          !verify = certificate
          message = H_WARN RDNS: $sender_host_address has no rDNS
          condition = $host_lookup_failed
          set acl_m8 = ${eval:$acl_m8 + 5}
  # local recipients: verify = recipient follows endpass, so an unknown
  # user is rejected with "Unknown user"
  accept  domains = +local_domains
          endpass
          set acl_m0 = $acl_m9
          delay = EX_DL_BEG${if >{$acl_m8}{280} {280}{$acl_m8}}sEX_DL_END
          message = Unknown user
          verify = recipient
  # secondary-MX recipients, checked by callout (defer_ok: accept when the
  # callout cannot get an answer)
  # NOTE(review): here verify sits before endpass, unlike the statement
  # above, so a failed callout appears to fall through to the statements
  # below rather than being rejected with this message. Confirm the
  # intended order.
  accept  domains = +relay_domains
          verify = recipient/callout=25s,defer_ok
          endpass
          message = Unknown user at remote host, please do not try spamming through secondary MX
          set acl_m0 = $acl_m9
          delay = EX_DL_BEG${if >{$acl_m8}{280} {280}{$acl_m8}}sEX_DL_END
  # relay for other domains: relay hosts, authenticated clients, verified
  # client certificates
  accept  hosts = +relay_hosts
          set acl_m0 = $acl_m9
  accept  authenticated = *
          set acl_m0 = $acl_m9
  accept  verify = certificate
          set acl_m0 = $acl_m9
  deny    message = Relay not permitted
          delay = EX_DL_BEG${if >{$acl_m8}{220} {220}{$acl_m8}}sEX_DL_END
          delay = EX_DL_BEG30sEX_DL_END

###
### ACL CONFIGURATION : Checks after final dot
###

# Content checks. The deny statements apply from the policy level named in
# their condition (acl_m9 as left by the last RCPT); the warn statements
# add headers regardless of level.
# NOTE(review): demime comes from exiscan and later Exim releases dropped it
# in favour of the MIME ACL (acl_smtp_mime). Confirm against the version in
# use before reusing these statements.
check_data:
  deny    condition = EX_POLICY_L4
          !verify = header_syntax
          message = Header syntax errors found, most likely incorrectly quoted addresses
  deny    condition = EX_POLICY_L4
          !verify = header_sender
          message = No valid sender header line found, please format the mail correctly
  deny    condition = EX_POLICY_L4
          condition = ${if !def:h_Message-ID: {yes}}
          message = Well-formed messages contain Message-ID headers
  deny    condition = EX_POLICY_L4
          condition = ${if !def:h_Date: {yes}}
          message = Well-formed messages contain Date headers
  deny    condition = EX_POLICY_L1
          message = Badly formed MIME structure
          demime = *
          condition = ${if >{$demime_errorlevel}{2} {yes}{no}}
  deny    condition = EX_POLICY_L1
          message = Unwanted attachment ($found_extension) - not allowed
          demime = FT_ALL
  # Encrypted-zip heuristic: looks for the base64 form of a zip local file
  # header in $message_body.
  # NOTE(review): $message_body holds only the first message_body_visible
  # characters of the body, so an archive that starts further into the
  # message is not seen by this test. Treat it as a hint, not a control.
  deny    condition = EX_POLICY_L1
          message = Encrypted zip files not allowed
          demime = zip
          condition = ${if match{$message_body}{ UEsDB....[Q-Za-fw-z0-9\+/]} {yes}{no}}
  warn    message = H_SYNTAX MIME: Bad mime structure
          demime = *
          condition = ${if >{$demime_errorlevel}{2} {yes}{no}}
  warn    message = H_WARN ATTACH: Worrying attachment type ($found_extension)
          demime = FT_ALL
  warn    message = H_WARN ZIP: Encrypted zip detected
          demime = zip
          condition = ${if match{$message_body}{ UEsDB....[Q-Za-fw-z0-9\+/]} {yes}{no}}
  warn    hosts = !+relay_hosts
          !authenticated= *
          !verify = certificate
          condition = ${if !def:h_Message-ID: {yes}}
          message = H_SYNTAX MESSAGEID: Missing Message-ID: header
  warn    hosts = !+relay_hosts
          !authenticated= *
          !verify = certificate
          condition = ${if !def:h_Date: {yes}}
          message = H_SYNTAX DATE: Missing Date: header
  # add the headers that are missing
  # NOTE(review): the Message-ID value is empty as shown here; possibly an
  # angle-bracketed id was lost when this page was rendered. As written an
  # empty Message-ID: header is added. Confirm against the original file.
  warn    condition = ${if !def:h_Message-ID: {yes}}
          message = Message-ID:
  warn    condition = ${if !def:h_Date: {yes}}
          message = Date: $tod_full
  warn    !verify = header_syntax
          message = H_SYNTAX HEADER: Syntax errors found in header
  warn    !verify = header_sender
          message = H_WARN SENDER: No valid senders found in header
  accept

###
### AUTH CONFIGURATION
###

begin authenticators

# All three mechanisms are advertised only when TLS_COND is "yes", and
# check_auth refuses AUTH on unencrypted sessions.
# NOTE(review): CRAM-MD5 and DIGEST-MD5 are legacy mechanisms (RFC 6331
# moved DIGEST-MD5 to Historic) and generally need the server to keep
# recoverable secrets. With TLS mandatory for AUTH, PLAIN alone may be
# enough; confirm client requirements before removing them.

###
### AUTH CONFIGURATION: PLAIN over TLS
###

plain_tls:
  driver = cyrus_sasl
  public_name = PLAIN
  server_hostname= colon.colondot.net
  server_realm = colon.colondot.net
  server_set_id = $1
  server_advertise_condition = TLS_COND

###
### AUTH CONFIGURATION: CRAM-MD5 over TLS
###

cram_md5_tls:
  driver = cyrus_sasl
  public_name = CRAM-MD5
  server_hostname= colon.colondot.net
  server_realm = colon.colondot.net
  server_set_id = $1
  server_advertise_condition = TLS_COND

###
### AUTH CONFIGURATION: DIGEST-MD5 over TLS
###

digest_md5_tls:
  driver = cyrus_sasl
  public_name = DIGEST-MD5
  server_hostname= colon.colondot.net
  server_realm = colon.colondot.net
  server_set_id = $1
  server_advertise_condition = TLS_COND

###
### ROUTE CONFIGURATION
###

begin routers

###
### ROUTE CONFIGURATION : Remote (secondary MX)
###

# Domains we are secondary MX for: the target comes from the per-manager
# file selected by EX_SEC_MGR.
r_secondary_mx:
  driver = manualroute
  transport = t_remote_smtp
  domains = !+local_domains : +relay_domains
  route_data = SECONDARY_RES

###
### ROUTE CONFIGURATION : Remote (outbound mail)
###

# The routers place no restriction on who may send to remote domains; relay
# control is done in check_rcpt. ignore_target_hosts drops DNS answers and
# address literals that point into IP_BAD_NETS.
r_lookuphost:
  driver = dnslookup
  transport = t_remote_smtp
  domains = !+local_domains
  ignore_target_hosts= +badipnet : +badiphost
  self = pass

r_literal:
  driver = ipliteral
  transport = t_remote_smtp
  domains = !+local_domains
  ignore_target_hosts= +badipnet : +badiphost
  more = false

###
### ROUTE CONFIGURATION : Local (batched mail)
###

l_batchsmtp:
  driver = accept
  domains = +batchmx_domains
  transport = t_batchsmtp
  retry_use_local_part= true
  more = false

###
### ROUTE CONFIGURATION : Local (robots)
###

# Every address in these two domains is turned into a pipe delivery.
# NOTE(review): DM_AUTODNS is in local_domains but not in internal_domains,
# so remote senders can reach the autodns script. The script has to
# authenticate and validate what it receives by itself.
l_autodns:
  driver = redirect
  domains = DM_AUTODNS
  pipe_transport = t_autodns_pipe
  data = AUTODNS_SCRIPT
  retry_use_local_part= true
  more = false

l_opensrs:
  driver = redirect
  domains = DM_CNOSRS
  pipe_transport = t_opensrs_pipe
  data = CNOSRS_SCRIPT
  retry_use_local_part= true
  more = false

###
### ROUTE CONFIGURATION : Local (normal alias handling)
###

# Per-domain alias files. Pipes and file deliveries are forbidden, but the
# alias data is string-expanded (ALIAS_RESEXP), so write access to the
# files under DIR_ALIAS must stay with the mail administrator.
l_dir_aliases:
  driver = redirect
  forbid_file = true
  forbid_pipe = true
  allow_defer = true
  allow_fail = true
  retry_use_local_part= true
  domains = +aliases_domains
  data = ALIAS_RESEXP

# fallback: the LP_PRECHECK local parts of any aliased domain go to the
# local postmaster
l_dir_postmaster:
  driver = redirect
  domains = +aliases_domains
  retry_use_local_part= true
  local_parts = LP_PRECHECK
  data = postmaster@$primary_hostname

###
### ROUTE CONFIGURATION : Local (system alias handling)
###

# NOTE(review): "user = root" here meets "never_users = root" in the main
# section. Confirm which uid pipe and file deliveries generated from
# FILE_ALIAS actually run as, and prefer an unprivileged uid.
l_sys_aliases:
  driver = redirect
  allow_defer = true
  allow_fail = true
  data = SYS_AL_RES
  domains = !+list_domain : !+aliases_domains : !+batchmx_domains : +local_domains
  user = root
  file_transport = t_address_file
  pipe_transport = t_address_pipe
  retry_use_local_part= true

###
### ROUTE CONFIGURATION : Local (user forward-file handling)
###

# Forward files of local users, with filters, pipes, files and autoreplies
# allowed.
# NOTE(review): modemask = 002 is looser than the usual 022, so a
# group-writable forward file is accepted. Confirm that suits the group
# setup on this host.
l_userforward_simple:
  driver = redirect
  allow_filter = true
  check_ancestor = true
  check_local_user=true
  domains = +local_domains_ns
  modemask = 002
  file_transport = t_address_file
  pipe_transport = t_address_pipe
  reply_transport= t_address_reply
  file = $home/.forward
  retry_use_local_part= true
  verify = false

l_userforward_hidden:
  driver = redirect
  allow_filter = true
  check_ancestor = true
  check_local_user=true
  domains = +local_domains_ns
  modemask = 002
  file_transport = t_address_file
  pipe_transport = t_address_pipe
  reply_transport= t_address_reply
  file = $home/.forward-hidden
  retry_use_local_part= true
  verify = false

###
### ROUTE CONFIGURATION : Local (user suffix forward-file handling)
###

# user+suffix addresses are valid only for users who have a
# .forward-suffix file: the first router answers address verification, the
# second runs the file, the third re-routes to the plain local part.
l_usersuffix_vrfy:
  driver = accept
  verify_only = true
  domains = +local_domains_ns
  check_local_user= true
  local_part_suffix= +*
  condition = ${if exists{$home/.forward-suffix} {yes}{no}}

l_usersuffix:
  driver = redirect
  allow_filter = true
  check_ancestor = true
  check_local_user=true
  domains = +local_domains_ns
  modemask = 002
  file_transport = t_address_file
  pipe_transport = t_address_pipe
  reply_transport= t_address_reply
  file = $home/.forward-suffix
  local_part_suffix= +*
  retry_use_local_part= true
  verify = false

l_usersuffix_default:
  driver = redirect
  check_local_user=true
  domains = +local_domains_ns
  local_part_suffix= +*
  condition = ${if exists{$home/.forward-suffix} {yes}{no}}
  data = $local_part
  retry_use_local_part= true
  verify = false

###
### ROUTE CONFIGURATION : Local (non SAUCE forward-file handling)
###

# same scheme for DM_NONSAUCE, keyed on .forward-plus, with the suffix
# optional
l_usernsforward_vrfy:
  driver = accept
  verify_only = true
  domains = +non_sauce_domains
  check_local_user= true
  local_part_suffix= +*
  local_part_suffix_optional= true
  condition = ${if exists{$home/.forward-plus} {yes}{no}}

l_usernsforward:
  driver = redirect
  allow_filter = true
  check_ancestor = true
  check_local_user=true
  domains = +non_sauce_domains
  modemask = 002
  file_transport = t_address_file
  pipe_transport = t_address_pipe
  reply_transport= t_address_reply
  file = $home/.forward-plus
  local_part_suffix= +*
  local_part_suffix_optional=true
  retry_use_local_part= true
  verify = false

l_usernsforward_default:
  driver = redirect
  check_local_user=true
  domains = +non_sauce_domains
  local_part_suffix= +*
  local_part_suffix_optional=true
  condition = ${if exists{$home/.forward-plus} {yes}{no}}
  data = $local_part
  retry_use_local_part= true
  verify = false

###
### ROUTE CONFIGURATION : Local (actual delivery)
###

# Final delivery into Cyrus for system accounts and for the local parts
# listed in FILE_VUSERS.
l_system_user:
  driver = accept
  check_local_user= true
  domains = +local_domains_ns
  transport = t_local_cyrus
  retry_use_local_part= true

l_virtual_user:
  driver = accept
  local_parts = FILE_VUSERS
  domains = +local_domains_ns
  transport = t_local_cyrus
  retry_use_local_part= true

###
### ROUTE CONFIGURATION : Local (Mailman)
###

# A list address is routed only when the list's config.db exists
# (MAILMAN_FILE_REQ). That check is what limits which local parts reach the
# wrapper.
# NOTE(review): MAILMAN_FILE_REQ builds its path from the envelope local
# part. Confirm how the Exim version in use treats such tainted file names.
l_mm_admin:
  driver = accept
  domains = +list_domain
  local_part_suffix= -admin
  require_files = MAILMAN_FILE_REQ
  retry_use_local_part= true
  transport = t_mm_admin

l_mm_request:
  driver = accept
  domains = +list_domain
  local_part_suffix= -request
  require_files = MAILMAN_FILE_REQ
  retry_use_local_part= true
  transport = t_mm_request

l_mm_list:
  driver = accept
  domains = +list_domain
  require_files = MAILMAN_FILE_REQ
  retry_use_local_part= true
  transport = t_mm_list

###
### TRANSPORTS CONFIGURATION
###

begin transports

###
### TRANSPORTS CONFIGURATION : Remote transports
###

# Outbound SMTP presents our certificate and skips TLS for hosts listed in
# FILE_TLS_AVOID. Nothing here requires TLS or verifies the remote
# certificate, so outbound encryption is opportunistic.
t_remote_smtp:
  driver = smtp
  tls_certificate= FILE_TLS_CERT
  tls_privatekey = FILE_TLS_KEY
  hosts_avoid_tls= FILE_TLS_AVOID

###
### TRANSPORTS CONFIGURATION : Local IMAPd delivery
###

# Pipes the message to the Cyrus deliver program (CYRUS_SCRIPT) as
# UID_CYRUS. Exit codes 75 and 73 are treated as temporary failures.
t_local_cyrus:
  driver = pipe
  command = CYRUS_SCRIPT
  delivery_date_add= true
  envelope_to_add= true
  message_prefix = ""
  return_output = true
  temp_errors = 75:73
  user = UID_CYRUS

###
### TRANSPORTS CONFIGURATION : Batch SMTP delivery
###

# Appends messages in batch SMTP format to the per-domain file named in
# FILE_LOCALBATCH; the file is created with mode 0600 and owned by the
# Exim user.
t_batchsmtp:
  driver = appendfile
  batch_max = 100
  message_prefix = ""
  use_bsmtp = true
  file = BATCHFILE_RES
  user = UID_EXIM
  group = GID_EXIM
  mode = 0600

###
### TRANSPORTS CONFIGURATION : Expansion ancillary
###

# Used for file, pipe and autoreply items produced by redirect routers.
# No user or group is set here, so the uid comes from the router that
# generated the address.
# NOTE(review): verify what that uid is for l_sys_aliases, which sets
# user = root while never_users lists root.
t_address_file:
  driver = appendfile
  delivery_date_add= true
  envelope_to_add= true
  return_path_add= true

t_address_pipe:
  driver = pipe
  delivery_date_add= true
  envelope_to_add= true
  return_path_add= true
  return_output = true

t_address_reply:
  driver = autoreply

###
### TRANSPORTS CONFIGURATION : Mail robots
###

# Each robot runs under its own uid and gid; the command comes from the
# redirect router's data.
t_autodns_pipe:
  driver = pipe
  delivery_date_add= true
  envelope_to_add= true
  return_path_add= true
  return_output = true
  user = UID_AUTODNS
  group = GID_AUTODNS

t_opensrs_pipe:
  driver = pipe
  delivery_date_add= true
  envelope_to_add= true
  return_path_add= true
  return_output = true
  user = UID_CNOSRS
  group = GID_CNOSRS

###
### TRANSPORTS CONFIGURATION : Mailing lists
###

# The Mailman wrapper is run with the lowercased local part as the list
# name.
# NOTE(review): UID_MAILMAN is defined as UID_EXIM, so the wrapper runs with
# the mail daemon's own uid. Confirm that is required.
t_mm_admin:
  driver = pipe
  command = FILE_MAILMAN_WRAP mailowner "${lc:$local_part}"
  current_directory= DIR_MAILMAN_HOME
  home_directory = DIR_MAILMAN_HOME
  user = UID_MAILMAN
  group = GID_MAILMAN

t_mm_request:
  driver = pipe
  command = FILE_MAILMAN_WRAP mailcmd "${lc:$local_part}"
  current_directory= DIR_MAILMAN_HOME
  home_directory = DIR_MAILMAN_HOME
  user = UID_MAILMAN
  group = GID_MAILMAN

t_mm_list:
  driver = pipe
  command = FILE_MAILMAN_WRAP post "${lc:$local_part}"
  current_directory= DIR_MAILMAN_HOME
  home_directory = DIR_MAILMAN_HOME
  user = UID_MAILMAN
  group = GID_MAILMAN

###
### RETRY CONFIGURATION
###

begin retry

###
### RETRY CONFIGURATION : Default retry strategy
###

# One rule for every domain and every error: retry every 15 minutes for
# 2 hours, then at intervals growing by a factor of 1.5 from 1 hour until
# 16 hours, then every 8 hours until 4 days.
# domain error retries
* * F,2h,15m ; G,16h,1h,1.5 ; F,4d,8h

###
### REWRITE CONFIGURATION
###

# no rewrite rules are defined
begin rewrite

######
###### End of Exim configure file
######
###### COLON.COLONDOT.NET
######