Bug#763594: exim4-config: Save result of update-exim4.conf in /etc/exim4
Andrei POPESCU
andreimpopescu at gmail.com
Wed Oct 1 09:14:10 UTC 2014
Control: reassign -1 exim4-config 4.80-7
On Wed, 01 Oct 14, 07:39:06, Debian BTS wrote:
>
> Package: exim4-config
> Version: 4.80-7
> Severity: normal
>
> Dear Maintainer,
> The outcome of the invocation of update-exim4.config is stored in a
> subdirectory of /var/. This doesn't seem to have any advantage in comparison
> to putting the file into /etc/exim4 with other configuration files.
>
>
> -- Package-specific info:
> Exim version 4.80 #2 built 02-Jan-2013 19:14:51
> Copyright (c) University of Cambridge, 1995 - 2012
> (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
> Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
> Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
> Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
> Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
> Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
> Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
> Fixed never_users: 0
> Size of off_t: 8
> # /etc/exim4/update-exim4.conf.conf
> #
> # Edit this file and /etc/mailname by hand and execute update-exim4.conf
> # yourself or use 'dpkg-reconfigure exim4-config'
> #
> # Please note that this is _not_ a dpkg-conffile and that automatic changes
> # to this file might happen. The code handling this will honor your local
> # changes, so this is usually fine, but will break local schemes that mess
> # around with multiple versions of the file.
> #
> # update-exim4.conf uses this file to determine variable values to generate
> # exim configuration macros for the configuration file.
> #
> # Most settings found in here do have corresponding questions in the
> # Debconf configuration, but not all of them.
> #
> # This is a Debian specific file
>
> dc_eximconfig_configtype='smarthost'
> dc_other_hostnames='richtercloud.de'
> dc_local_interfaces='127.0.0.1 ; ::1 ; 192.168.178.76'
> dc_readhost=''
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost='smtp.elasticmail.com::2525'
> CFILEMODE='644'
> dc_use_split_config='false'
> dc_hide_mailname='false'
> dc_mailname_in_oh='true'
> dc_localdelivery='maildir_home'
> mailname:richtercloud.de
>
> -- System Information:
> Debian Release: 7.6
> APT prefers stable-updates
> APT policy: (990, 'stable-updates'), (990, 'stable'), (90, 'testing')
> Architecture: armhf (armv7l)
>
> Kernel: Linux 3.2.40 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages exim4-config depends on:
> ii adduser 3.113+nmu3
> ii debconf [debconf-2.0] 1.5.49
>
> exim4-config recommends no packages.
>
> exim4-config suggests no packages.
>
> -- Configuration Files:
> /etc/exim4/conf.d/router/200_exim4-config_primary changed:
> ..ifdef DCconfig_internet
> dnslookup_relay_to_domains:
> debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
> driver = dnslookup
> domains = ! +local_domains : +relay_to_domains
> transport = remote_smtp
> same_domain_copy_routing = yes
> no_more
> dnslookup:
> debug_print = "R: dnslookup for $local_part@$domain"
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp
> same_domain_copy_routing = yes
> # ignore private rfc1918 and APIPA addresses
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
> 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
> 255.255.255.255
> no_more
> ..endif
> ..ifdef DCconfig_local
> nonlocal:
> debug_print = "R: nonlocal for $local_part@$domain"
> driver = redirect
> domains = ! +local_domains
> allow_fail
> data = :fail: Mailing to remote domains not supported
> no_more
> ..endif
> ..ifdef DCconfig_smarthost DCconfig_satellite
> smarthost:
> debug_print = "R: smarthost for $local_part@$domain"
> driver = manualroute
> domains = ! +local_domains
> transport = remote_smtp_smarthost
> #route_list = * DCsmarthost byname
> route_list = smtp.elasticmail.com
> host_find_failed = defer
> same_domain_copy_routing = yes
> no_more
> ..endif
>
> /etc/exim4/exim4.conf.template changed:
> exim_path = /usr/sbin/exim4
> ..ifndef CONFDIR
> CONFDIR = /etc/exim4
> ..endif
> UPEX4CmacrosUPEX4C = 1
> domainlist local_domains = MAIN_LOCAL_DOMAINS
> domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS
> hostlist relay_from_hosts = 0.0.0.0/0
> ..ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN
> ..ifndef MAIN_QUALIFY_DOMAIN
> qualify_domain = ETC_MAILNAME
> ..else
> qualify_domain = MAIN_QUALIFY_DOMAIN
> ..endif
> ..endif
> ..ifdef MAIN_LOCAL_INTERFACES
> local_interfaces = MAIN_LOCAL_INTERFACES
> ..endif
> ..ifndef LOCAL_DELIVERY
> LOCAL_DELIVERY=mail_spool
> ..endif
> gecos_pattern = ^([^,:]*)
> gecos_name = $1
> ..ifndef CHECK_RCPT_LOCAL_LOCALPARTS
> CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
> ..endif
> ..ifndef CHECK_RCPT_REMOTE_LOCALPARTS
> CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
> ..endif
> ..ifndef MAIN_LOG_SELECTOR
> MAIN_LOG_SELECTOR = +tls_peerdn
> ..endif
> ..ifndef MAIN_ACL_CHECK_MAIL
> MAIN_ACL_CHECK_MAIL = acl_check_mail
> ..endif
> acl_smtp_mail = MAIN_ACL_CHECK_MAIL
> ..ifndef MAIN_ACL_CHECK_RCPT
> MAIN_ACL_CHECK_RCPT = acl_check_rcpt
> ..endif
> acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT
> ..ifndef MAIN_ACL_CHECK_DATA
> MAIN_ACL_CHECK_DATA = acl_check_data
> ..endif
> acl_smtp_data = MAIN_ACL_CHECK_DATA
> ..ifdef MESSAGE_SIZE_LIMIT
> message_size_limit = MESSAGE_SIZE_LIMIT
> ..endif
> ..ifdef MAIN_ALLOW_DOMAIN_LITERALS
> allow_domain_literals
> ..endif
> ..ifndef DC_minimaldns
> ..ifndef MAIN_HOST_LOOKUP
> MAIN_HOST_LOOKUP = *
> ..endif
> host_lookup = MAIN_HOST_LOOKUP
> ..endif
> ..ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
> primary_hostname = richtercloud.de
> ..endif
> ..ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
> smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
> ..endif
> ..ifndef MAIN_FORCE_SENDER
> local_from_check = false
> local_sender_retain = true
> untrusted_set_sender = *
> ..endif
> ..ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
> MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
> ..endif
> ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER
> ..ifndef MAIN_TIMEOUT_FROZEN_AFTER
> MAIN_TIMEOUT_FROZEN_AFTER = 7d
> ..endif
> timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER
> ..ifndef MAIN_FREEZE_TELL
> MAIN_FREEZE_TELL = postmaster
> ..endif
> freeze_tell = MAIN_FREEZE_TELL
> ..ifndef SPOOLDIR
> SPOOLDIR = /var/spool/exim4
> ..endif
> spool_directory = SPOOLDIR
> ..ifndef MAIN_TRUSTED_USERS
> MAIN_TRUSTED_USERS = uucp
> ..endif
> trusted_users = MAIN_TRUSTED_USERS
> ..ifdef MAIN_TRUSTED_GROUPS
> trusted_groups = MAIN_TRUSTED_GROUPS
> ..endif
> MAIN_TLS_ENABLE = yes
> ..ifdef MAIN_TLS_ENABLE
> ..ifndef MAIN_TLS_ADVERTISE_HOSTS
> MAIN_TLS_ADVERTISE_HOSTS = *
> ..endif
> tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
> ..ifdef MAIN_TLS_CERTKEY
> tls_certificate = MAIN_TLS_CERTKEY
> ..else
> ..ifndef MAIN_TLS_CERTIFICATE
> MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
> ..endif
> tls_certificate = MAIN_TLS_CERTIFICATE
> ..ifndef MAIN_TLS_PRIVATEKEY
> MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
> ..endif
> tls_privatekey = MAIN_TLS_PRIVATEKEY
> ..endif
> ..ifndef MAIN_TLS_VERIFY_CERTIFICATES
> MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
> {/etc/ssl/certs/ca-certificates.crt}\
> {/dev/null}}
> ..endif
> tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES
> ..ifdef MAIN_TLS_VERIFY_HOSTS
> tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
> ..endif
> ..ifdef MAIN_TLS_TRY_VERIFY_HOSTS
> tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS
> ..endif
> ..endif
> ..ifdef MAIN_LOG_SELECTOR
> log_selector = MAIN_LOG_SELECTOR
> ..endif
> begin acl
> acl_local_deny_exceptions:
> accept
> hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
> {CONFDIR/host_local_deny_exceptions}\
> {}}
> accept
> senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
> {CONFDIR/sender_local_deny_exceptions}\
> {}}
> accept
> hosts = ${if exists{CONFDIR/local_host_whitelist}\
> {CONFDIR/local_host_whitelist}\
> {}}
> accept
> senders = ${if exists{CONFDIR/local_sender_whitelist}\
> {CONFDIR/local_sender_whitelist}\
> {}}
> # This hook allows you to hook in your own ACLs without having to
> # modify this file. If you do it like we suggest, you'll end up with
> # a small performance penalty since there is an additional file being
> # accessed. This doesn't happen if you leave the macro unset.
> .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
> .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
> .endif
>
> # this is still supported for a transition period and is deprecated.
> .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
> .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
> .endif
> acl_check_mail:
> .ifdef CHECK_MAIL_HELO_ISSUED
> deny
> message = no HELO given before MAIL command
> condition = ${if def:sender_helo_name {no}{yes}}
> .endif
> accept
> acl_check_rcpt:
> # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
> # testing for an empty sending host field.
> accept
> hosts = :
> control = dkim_disable_verify
> # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
> # or DISABLE_DKIM_VERIFY are set.
> ..ifdef DC_minimaldns
> warn
> control = dkim_disable_verify
> ..else
> ..ifdef DISABLE_DKIM_VERIFY
> warn
> control = dkim_disable_verify
> ..endif
> ..endif
> # The following section of the ACL is concerned with local parts that contain
> # certain non-alphanumeric characters. Dots in unusual places are
> # handled by this ACL as well.
> #
> # Non-alphanumeric characters other than dots are rarely found in genuine
> # local parts, but are often tried by people looking to circumvent
> # relaying restrictions. Therefore, although they are valid in local
> # parts, these rules disallow certain non-alphanumeric characters, as
> # a precaution.
> #
> # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
> # allows them because they have been encountered. (Consider local parts
> # constructed as "firstinitial.secondinitial.familyname" when applied to
> # a name without a second initial.) However, a local part starting
> # with a dot or containing /../ can cause trouble if it is used as part of a
> # file name (e.g. for a mailing list). This is also true for local parts that
> # contain slashes. A pipe symbol can also be troublesome if the local part is
> # incorporated unthinkingly into a shell command line.
> #
> # These ACL components will block recipient addresses that are valid
> # from an RFC2822 point of view. We chose to have them blocked by
> # default for security reasons.
> #
> # If you feel that your site should have less strict recipient
> # checking, please feel free to change the default values of the macros
> # defined in main/01_exim4-config_listmacrosdefs or override them from a
> # local configuration file.
> #
> # Two different rules are used. The first one has a quite strict
> # default, and is applied to messages that are addressed to one of the
> # local domains handled by this host.
> # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
> # main/01_exim4-config_listmacrosdefs:
> # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
> # This blocks local parts that begin with a dot or contain a quite
> # broad range of non-alphanumeric characters.
> .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
> deny
> domains = +local_domains
> local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
> message = restricted characters in address
> .endif
> # The second rule applies to all other domains, and its default is
> # considerably less strict.
>
> # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
> # main/01_exim4-config_listmacrosdefs:
> # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
> # It allows local users to send outgoing messages to sites
> # that use slashes and vertical bars in their local parts. It blocks
> # local parts that begin with a dot, slash, or vertical bar, but allows
> # these characters within the local part. However, the sequence /../ is
> # barred. The use of some other non-alphanumeric characters is blocked.
> # Single quotes might probably be dangerous as well, but they're
> # allowed by the default regexps to avoid rejecting mails to Ireland.
> # The motivation here is to prevent local users (or local users' malware)
> # from mounting certain kinds of attack on remote sites.
> .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
> deny
> domains = !+local_domains
> local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
> message = restricted characters in address
> .endif
> # Accept mail to postmaster in any local domain, regardless of the source,
> # and without verifying the sender.
> #
> accept
> .ifndef CHECK_RCPT_POSTMASTER
> local_parts = postmaster
> .else
> local_parts = CHECK_RCPT_POSTMASTER
> .endif
> domains = +local_domains : +relay_to_domains
> # Deny unless the sender address can be verified.
> #
> # This is disabled by default so that DNSless systems don't break. If
> # your system can do DNS lookups without delay or cost, you might want
> # to enable this feature.
> #
> # This feature does not work in smarthost and satellite setups as
> # with these setups all domains pass verification. See spec.txt chapter
> # 39.31 with the added information that a smarthost/satellite setup
> # routes all non-local e-mail to the smarthost.
> .ifdef CHECK_RCPT_VERIFY_SENDER
> deny
> message = Sender verification failed
> !acl = acl_local_deny_exceptions
> !verify = sender
> .endif
> # Verify senders listed in local_sender_callout with a callout.
> #
> # In smarthost and satellite setups, this causes the callout to be
> # done to the smarthost. Verification will thus only be reliable if the
> # smarthost does reject illegal addresses in the SMTP dialog.
> deny
> !acl = acl_local_deny_exceptions
> senders = ${if exists{CONFDIR/local_sender_callout}\
> {CONFDIR/local_sender_callout}\
> {}}
> !verify = sender/callout
> # Accept if the message comes from one of the hosts for which we are an
> # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
> # so we set control=submission to make Exim treat the message as a
> # submission. It will fix up various errors in the message, for example, the
> # lack of a Date: header line. If you are actually relaying out out from
> # MTAs, you may want to disable this. If you are handling both relaying from
> # MTAs and submissions from MUAs you should probably split them into two
> # lists, and handle them differently.
> # Recipient verification is omitted here, because in many cases the clients
> # are dumb MUAs that don't cope well with SMTP error responses. If you are
> # actually relaying out from MTAs, you should probably add recipient
> # verification here.
> # Note that, by putting this test before any DNS black list checks, you will
> # always accept from these hosts, even if they end up on a black list. The
> # assumption is that they are your friends, and if they get onto black
> # list, it is a mistake.
> accept
> hosts = +relay_from_hosts
> control = submission/sender_retain
> control = dkim_disable_verify
> # Accept if the message arrived over an authenticated connection, from
> # any host. Again, these messages are usually from MUAs, so recipient
> # verification is omitted, and submission mode is set. And again, we do this
> # check before any black list tests.
> accept
> authenticated = *
> control = submission/sender_retain
> control = dkim_disable_verify
> # Insist that any other recipient address that we accept is either in one of
> # our local domains, or is in a domain for which we explicitly allow
> # relaying. Any other domain is rejected as being unacceptable for relaying.
> require
> message = relay not permitted
> domains = +local_domains : +relay_to_domains
> # We also require all accepted addresses to be verifiable. This check will
> # do local part verification for local domains, but only check the domain
> # for remote domains.
> require
> verify = recipient
> # Verify recipients listed in local_rcpt_callout with a callout.
> # This is especially handy for forwarding MX hosts (secondary MX or
> # mail hubs) of domains that receive a lot of spam to non-existent
> # addresses. The only way to check local parts for remote relay
> # domains is to use a callout (add /callout), but please read the
> # documentation about callouts before doing this.
> deny
> !acl = acl_local_deny_exceptions
> recipients = ${if exists{CONFDIR/local_rcpt_callout}\
> {CONFDIR/local_rcpt_callout}\
> {}}
> !verify = recipient/callout
> # CONFDIR/local_sender_blacklist holds a list of envelope senders that
> # should have their access denied to the local host. Incoming messages
> # with one of these senders are rejected at RCPT time.
> #
> # The explicit white lists are honored as well as negative items in
> # the black list. See exim4-config_files(5) for details.
> deny
> message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
> !acl = acl_local_deny_exceptions
> senders = ${if exists{CONFDIR/local_sender_blacklist}\
> {CONFDIR/local_sender_blacklist}\
> {}}
> # deny bad sites (IP address)
> # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
> # and networks (CIDR notation) that should have their access denied to
> # The local host. Messages coming in from a listed host will have all
> # RCPT statements rejected.
> #
> # The explicit white lists are honored as well as negative items in
> # the black list. See exim4-config_files(5) for details.
> deny
> message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
> !acl = acl_local_deny_exceptions
> hosts = ${if exists{CONFDIR/local_host_blacklist}\
> {CONFDIR/local_host_blacklist}\
> {}}
> # Warn if the sender host does not have valid reverse DNS.
> #
> # If your system can do DNS lookups without delay or cost, you might want
> # to enable this.
> # If sender_host_address is defined, it's a remote call. If
> # sender_host_name is not defined, then reverse lookup failed. Use
> # this instead of !verify = reverse_host_lookup to catch deferrals
> # as well as outright failures.
> .ifdef CHECK_RCPT_REVERSE_DNS
> warn
> condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
> {yes}{no}}
> add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
> .endif
> # Use spfquery to perform a pair of SPF checks (for details, see
> # http://www.openspf.org/)
> #
> # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
> # enable if that's an issue. Also note that if you enable this, you must
> # install "spf-tools-perl" which provides the spfquery command.
> # Missing spf-tools-perl will trigger the "Unexpected error in
> # SPF check" warning.
> .ifdef CHECK_RCPT_SPF
> deny
> message = [SPF] $sender_host_address is not allowed to send mail from \
> ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
> Please see \
> http://www.openspf.org/Why?scope=${if def:sender_address_domain \
> {mfrom}{helo}};identity=${if def:sender_address_domain \
> {$sender_address}{$sender_helo_name}};ip=$sender_host_address
> log_message = SPF check failed.
> !acl = acl_local_deny_exceptions
> condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
> ${quote:$sender_host_address} --identity \
> ${if def:sender_address_domain \
> {--scope mfrom --identity ${quote:$sender_address}}\
> {--scope helo --identity ${quote:$sender_helo_name}}}}\
> {no}{${if eq {$runrc}{1}{yes}{no}}}}
> defer
> message = Temporary DNS error while checking SPF record. Try again later.
> !acl = acl_local_deny_exceptions
> condition = ${if eq {$runrc}{5}{yes}{no}}
> warn
> condition = ${if <={$runrc}{6}{yes}{no}}
> add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
> {${if eq {$runrc}{2}{softfail}\
> {${if eq {$runrc}{3}{neutral}\
> {${if eq {$runrc}{4}{permerror}\
> {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
> } client-ip=$sender_host_address; \
> ${if def:sender_address_domain \
> {envelope-from=${sender_address}; }{}}\
> helo=$sender_helo_name
> warn
> log_message = Unexpected error in SPF check.
> condition = ${if >{$runrc}{6}{yes}{no}}
> .endif
> # Check against classic DNS "black" lists (DNSBLs) which list
> # sender IP addresses
> .ifdef CHECK_RCPT_IP_DNSBLS
> warn
> dnslists = CHECK_RCPT_IP_DNSBLS
> add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> .endif
> # Check against DNSBLs which list sender domains, with an option to locally
> # whitelist certain domains that might be blacklisted.
> #
> # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
> # "/$sender_address_domain" after each domain. For example:
> # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
> # : rhsbl.bar.org/$sender_address_domain
> .ifdef CHECK_RCPT_DOMAIN_DNSBLS
> warn
> !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
> {CONFDIR/local_domain_dnsbl_whitelist}\
> {}}
> dnslists = CHECK_RCPT_DOMAIN_DNSBLS
> add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
> .endif
> # This hook allows you to hook in your own ACLs without having to
> # modify this file. If you do it like we suggest, you'll end up with
> # a small performance penalty since there is an additional file being
> # accessed. This doesn't happen if you leave the macro unset.
> .ifdef CHECK_RCPT_LOCAL_ACL_FILE
> .include CHECK_RCPT_LOCAL_ACL_FILE
> .endif
> #############################################################################
> # This check is commented out because it is recognized that not every
> # sysadmin will want to do it. If you enable it, the check performs
> # Client SMTP Authorization (csa) checks on the sending host. These checks
> # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
> # an Internet draft. You can, of course, add additional conditions to this
> # ACL statement to restrict the CSA checks to certain hosts only.
> #
> # require verify = csa
> #############################################################################
> # Accept if the address is in a domain for which we are an incoming relay,
> # but again, only if the recipient can be verified.
> accept
> domains = +relay_to_domains
> endpass
> verify = recipient
> # At this point, the address has passed all the checks that have been
> # configured, so we accept it unconditionally.
> accept
> acl_check_data:
> # Deny unless the address list headers are syntactically correct.
> #
> # If you enable this, you might reject legitimate mail.
> .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
> deny
> message = Message headers fail syntax check
> !acl = acl_local_deny_exceptions
> !verify = header_syntax
> .endif
> # require that there is a verifiable sender address in at least
> # one of the "Sender:", "Reply-To:", or "From:" header lines.
> .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
> deny
> message = No verifiable sender address in message headers
> !acl = acl_local_deny_exceptions
> !verify = header_sender
> .endif
> # Deny if the message contains malware. Before enabling this check, you
> # must install a virus scanner and set the av_scanner option in the
> # main configuration.
> #
> # exim4-daemon-heavy must be used for this section to work.
> #
> # deny
> # malware = *
> # message = This message was detected as possible malware ($malware_name).
> # Add headers to a message if it is judged to be spam. Before enabling this,
> # you must install SpamAssassin. You also need to set the spamd_address
> # option in the main configuration.
> #
> # exim4-daemon-heavy must be used for this section to work.
> #
> # Please note that this is only suiteable as an example. There are
> # multiple issues with this configuration method. For example, if you go
> # this way, you'll give your spamassassin daemon write access to the
> # entire exim spool which might be a security issue in case of a
> # spamassassin exploit.
> #
> # See the exim docs and the exim wiki for more suitable examples.
> #
> # warn
> # spam = Debian-exim:true
> # add_header = X-Spam_score: $spam_score\n\
> # X-Spam_score_int: $spam_score_int\n\
> # X-Spam_bar: $spam_bar\n\
> # X-Spam_report: $spam_report
> # This hook allows you to hook in your own ACLs without having to
> # modify this file. If you do it like we suggest, you'll end up with
> # a small performance penalty since there is an additional file being
> # accessed. This doesn't happen if you leave the macro unset.
> .ifdef CHECK_DATA_LOCAL_ACL_FILE
> .include CHECK_DATA_LOCAL_ACL_FILE
> .endif
> # accept otherwise
> accept
> begin routers
> ..ifdef MAIN_ALLOW_DOMAIN_LITERALS
> domain_literal:
> debug_print = "R: domain_literal for $local_part@$domain"
> driver = ipliteral
> domains = ! +local_domains
> transport = remote_smtp
> ..endif
> hubbed_hosts:
> debug_print = "R: hubbed_hosts for $domain"
> driver = manualroute
> domains = "${if exists{CONFDIR/hubbed_hosts}\
> {partial-lsearch;CONFDIR/hubbed_hosts}\
> fail}"
> same_domain_copy_routing = yes
> route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
> transport = remote_smtp
> ..ifdef DCconfig_internet
> dnslookup_relay_to_domains:
> debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
> driver = dnslookup
> domains = ! +local_domains : +relay_to_domains
> transport = remote_smtp
> same_domain_copy_routing = yes
> no_more
> dnslookup:
> debug_print = "R: dnslookup for $local_part@$domain"
> driver = dnslookup
> domains = ! +local_domains
> transport = remote_smtp
> same_domain_copy_routing = yes
> # ignore private rfc1918 and APIPA addresses
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
> 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
> 255.255.255.255
> no_more
> ..endif
> ..ifdef DCconfig_local
> nonlocal:
> debug_print = "R: nonlocal for $local_part@$domain"
> driver = redirect
> domains = ! +local_domains
> allow_fail
> data = :fail: Mailing to remote domains not supported
> no_more
> ..endif
> ..ifdef DCconfig_smarthost DCconfig_satellite
> smarthost:
> debug_print = "R: smarthost for $local_part@$domain"
> driver = manualroute
> domains = ! +local_domains
> transport = remote_smtp_smarthost
> route_list = * DCsmarthost byname
> host_find_failed = defer
> same_domain_copy_routing = yes
> no_more
> ..endif
> COND_LOCAL_SUBMITTER = "\
> ${if match_ip{$sender_host_address}{:@[]}\
> {1}{0}\
> }"
> real_local:
> debug_print = "R: real_local for $local_part@$domain"
> driver = accept
> domains = +local_domains
> condition = COND_LOCAL_SUBMITTER
> local_part_prefix = real-
> check_local_user
> transport = LOCAL_DELIVERY
> system_aliases:
> debug_print = "R: system_aliases for $local_part@$domain"
> driver = redirect
> domains = +local_domains
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> .ifdef SYSTEM_ALIASES_USER
> user = SYSTEM_ALIASES_USER
> .endif
> .ifdef SYSTEM_ALIASES_GROUP
> group = SYSTEM_ALIASES_GROUP
> .endif
> .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
> file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
> .endif
> .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
> pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
> .endif
> .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
> directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
> .endif
> ..ifdef DCconfig_satellite
> hub_user:
> debug_print = "R: hub_user for $local_part@$domain"
> driver = redirect
> domains = +local_domains
> data = ${local_part}@DCreadhost
> check_local_user
> hub_user_smarthost:
> debug_print = "R: hub_user_smarthost for $local_part@$domain"
> driver = manualroute
> domains = DCreadhost
> transport = remote_smtp_smarthost
> route_list = * DCsmarthost byname
> host_find_failed = defer
> same_domain_copy_routing = yes
> check_local_user
> ..endif
> userforward:
> debug_print = "R: userforward for $local_part@$domain"
> driver = redirect
> domains = +local_domains
> check_local_user
> file = $home/.forward
> require_files = $local_part:$home/.forward
> no_verify
> no_expn
> check_ancestor
> allow_filter
> forbid_smtp_code = true
> directory_transport = address_directory
> file_transport = address_file
> pipe_transport = address_pipe
> reply_transport = address_reply
> skip_syntax_errors
> syntax_errors_to = real-$local_part@$domain
> syntax_errors_text = \
> This is an automatically generated message. An error has\n\
> been found in your .forward file. Details of the error are\n\
> reported below. While this error persists, you will receive\n\
> a copy of this message for every message that is addressed\n\
> to you. If your .forward file is a filter file, or if it is\n\
> a non-filter file containing no valid forwarding addresses,\n\
> a copy of each incoming message will be put in your normal\n\
> mailbox. If a non-filter file contains at least one valid\n\
> forwarding address, forwarding to the valid addresses will\n\
> happen, and those will be the only deliveries that occur.
> procmail:
> debug_print = "R: procmail for $local_part@$domain"
> driver = accept
> domains = +local_domains
> check_local_user
> transport = procmail_pipe
> # emulate OR with "if exists"-expansion
> require_files = ${local_part}:\
> ${if exists{/etc/procmailrc}\
> {/etc/procmailrc}{${home}/.procmailrc}}:\
> +/usr/bin/procmail
> no_verify
> no_expn
> maildrop:
> debug_print = "R: maildrop for $local_part@$domain"
> driver = accept
> domains = +local_domains
> check_local_user
> transport = maildrop_pipe
> require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
> no_verify
> no_expn
> ..ifndef FIRST_USER_ACCOUNT_UID
> FIRST_USER_ACCOUNT_UID = 0
> ..endif
> ..ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
> DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
> ..endif
> COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
> ${if and{{! match_ip{$sender_host_address}{:@[]}}\
> {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
> {1}{0}\
> }"
> lowuid_aliases:
> debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
> check_local_user
> driver = redirect
> allow_fail
> domains = +local_domains
> condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
> data = ${if exists{CONFDIR/lowuid-aliases}\
> {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
> {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
> {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
> local_user:
> debug_print = "R: local_user for $local_part@$domain"
> driver = accept
> domains = +local_domains
> check_local_user
> local_parts = ! root
> transport = LOCAL_DELIVERY
> cannot_route_message = Unknown user
> mail4root:
> debug_print = "R: mail4root for $local_part@$domain"
> driver = redirect
> domains = +local_domains
> data = /var/mail/mail
> file_transport = address_file
> local_parts = root
> user = mail
> group = mail
> begin transports
> ..ifdef HIDE_MAILNAME
> REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
> REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
> ..endif
> ..ifdef REMOTE_SMTP_HELO_FROM_DNS
> ..ifdef REMOTE_SMTP_HELO_DATA
> REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
> ..else
> REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
> ..endif
> ..endif
> address_file:
> debug_print = "T: address_file for $local_part@$domain"
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
> address_pipe:
> debug_print = "T: address_pipe for $local_part@$domain"
> driver = pipe
> return_fail_output
> address_reply:
> debug_print = "T: autoreply for $local_part@$domain"
> driver = autoreply
> mail_spool:
> debug_print = "T: appendfile for $local_part@$domain"
> driver = appendfile
> file = /var/mail/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> group = mail
> mode = 0660
> mode_fail_narrower = false
> maildir_home:
> debug_print = "T: maildir_home for $local_part@$domain"
> driver = appendfile
> .ifdef MAILDIR_HOME_MAILDIR_LOCATION
> directory = MAILDIR_HOME_MAILDIR_LOCATION
> .else
> directory = $home/Maildir
> .endif
> .ifdef MAILDIR_HOME_CREATE_DIRECTORY
> create_directory
> .endif
> .ifdef MAILDIR_HOME_CREATE_FILE
> create_file = MAILDIR_HOME_CREATE_FILE
> .endif
> delivery_date_add
> envelope_to_add
> return_path_add
> maildir_format
> .ifdef MAILDIR_HOME_DIRECTORY_MODE
> directory_mode = MAILDIR_HOME_DIRECTORY_MODE
> .else
> directory_mode = 0700
> .endif
> .ifdef MAILDIR_HOME_MODE
> mode = MAILDIR_HOME_MODE
> .else
> mode = 0600
> .endif
> mode_fail_narrower = false
> # This transport always chdirs to $home before trying to deliver. If
> # $home is not accessible, this chdir fails and prevents delivery.
> # If you are in a setup where home directories might not be
> # accessible, uncomment the current_directory line below.
> # current_directory = /
> maildrop_pipe:
> debug_print = "T: maildrop_pipe for $local_part@$domain"
> driver = pipe
> path = "/bin:/usr/bin:/usr/local/bin"
> command = "/usr/bin/maildrop"
> return_path_add
> delivery_date_add
> envelope_to_add
> procmail_pipe:
> debug_print = "T: procmail_pipe for $local_part@$domain"
> driver = pipe
> path = "/bin:/usr/bin:/usr/local/bin"
> command = "/usr/bin/procmail"
> return_path_add
> delivery_date_add
> envelope_to_add
> remote_smtp:
> debug_print = "T: remote_smtp for $local_part@$domain"
> driver = smtp
> ..ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
> hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
> ..endif
> ..ifdef REMOTE_SMTP_HEADERS_REWRITE
> headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
> ..endif
> ..ifdef REMOTE_SMTP_RETURN_PATH
> return_path = REMOTE_SMTP_RETURN_PATH
> ..endif
> ..ifdef REMOTE_SMTP_HELO_DATA
> helo_data=REMOTE_SMTP_HELO_DATA
> ..endif
> ..ifdef DKIM_DOMAIN
> dkim_domain = DKIM_DOMAIN
> ..endif
> ..ifdef DKIM_SELECTOR
> dkim_selector = DKIM_SELECTOR
> ..endif
> ..ifdef DKIM_PRIVATE_KEY
> dkim_private_key = DKIM_PRIVATE_KEY
> ..endif
> ..ifdef DKIM_CANON
> dkim_canon = DKIM_CANON
> ..endif
> ..ifdef DKIM_STRICT
> dkim_strict = DKIM_STRICT
> ..endif
> ..ifdef DKIM_SIGN_HEADERS
> dkim_sign_headers = DKIM_SIGN_HEADERS
> ..endif
> ..ifdef TLS_DH_MIN_BITS
> tls_dh_min_bits = TLS_DH_MIN_BITS
> ..endif
> linux:
> driver = manualroute
> domains = vger.linux.org
> transport = remote_smtp
> passonto_elasticmail:
> driver = manualroute
> domains = *
> transport = remote_smtp
> route_data = smtp.elasticmail.com:2525
> local_users:
> driver = accept
> check_local_user ## the precondition check, the router will only run if this is meet
> transport = local_delivery
> remote_smtp_smarthost:
> debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
> driver = smtp
> hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
> {\
> ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
> }\
> {} \
> }
> ..ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
> hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
> ..endif
> ..ifdef REMOTE_SMTP_HEADERS_REWRITE
> headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
> ..endif
> ..ifdef REMOTE_SMTP_RETURN_PATH
> return_path = REMOTE_SMTP_RETURN_PATH
> ..endif
> ..ifdef REMOTE_SMTP_HELO_DATA
> helo_data=REMOTE_SMTP_HELO_DATA
> ..endif
> ..ifdef TLS_DH_MIN_BITS
> tls_dh_min_bits = TLS_DH_MIN_BITS
> ..endif
> address_directory:
> debug_print = "T: address_directory for $local_part@$domain"
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
> check_string = ""
> escape_string = ""
> maildir_format
> begin retry
> * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
> begin rewrite
> ..ifndef NO_EAA_REWRITE_REWRITE
> *@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\
> {$value}fail}" Ffrs
> *@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\
> {$value}fail}" Ffrs
> ..endif
> begin authenticators
> plain_saslauthd_server:
> driver = plaintext
> public_name = PLAIN
> server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
> server_set_id = $auth2
> server_prompts = :
> .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
> server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
> .endif
> cram_md5:
> driver = cram_md5
> public_name = CRAM-MD5
> client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
> client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}}
> PASSWDLINE=${sg{\
> ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
> }\
> {\\N[\\^]\\N}\
> {^^}\
> }
> plain:
> driver = plaintext
> public_name = PLAIN
> ..ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
> client_send = "<; ${if !eq{$tls_cipher}{}\
> {^${extract{1}{:}{PASSWDLINE}}\
> ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\
> }fail}"
> ..else
> client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
> ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
> ..endif
> login:
> driver = plaintext
> public_name = LOGIN
> ..ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
> # Return empty string if not non-TLS AND looking up $host in passwd-file
> # yields a non-empty string; fail otherwise.
> client_send = "<; ${if and{\
> {!eq{$tls_cipher}{}}\
> {!eq{PASSWDLINE}{}}\
> }\
> {}fail}\
> ; ${extract{1}{::}{PASSWDLINE}}\
> ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
> ..else
> # Return empty string if looking up $host in passwd-file yields a
> # non-empty string; fail otherwise.
> client_send = "<; ${if !eq{PASSWDLINE}{}\
> {}fail}\
> ; ${extract{1}{::}{PASSWDLINE}}\
> ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}"
> ..endif
>
> /etc/exim4/passwd.client changed:
> smtp.elasticemail.com:48aea5b0-0d73-4a5d-bb28-ccf8507e489e:48aea5b0-0d73-4a5d-bb28-ccf8507e489e
>
>
> -- debconf information:
> * exim4/dc_other_hostnames: richtercloud.de
> * exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail
> exim4/no_config: true
> * exim4/hide_mailname: false
> exim4/dc_postmaster:
> * exim4/dc_smarthost: richtercloud.de
> exim4/dc_relay_domains:
> * exim4/dc_relay_nets:
> * exim4/mailname: richtercloud.de
> exim4/dc_readhost:
> * exim4/use_split_config: false
> exim4/exim4-config-title:
> * exim4/dc_localdelivery: Maildir format in home directory
> * exim4/dc_local_interfaces: 127.0.0.1 ; ::1 ; 192.168.178.76
> * exim4/dc_minimaldns: false
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt