automatic import of eximopeneuler24.03_LTS_SP2

1 files changed, 799 insertions, 0 deletions

diff --git a/exim-4.99.1-config.patch b/exim-4.99.1-config.patch
new file mode 100644
index 0000000..bec3580
--- /dev/null
+++ b/exim-4.99.1-config.patch
@@ -0,0 +1,799 @@
+--- exim-4.99.1.orig/scripts/Configure-Makefile	2026-01-30 10:30:47.834924979 +0800
++++ exim-4.99.1/scripts/Configure-Makefile	2026-01-30 11:52:29.722378196 +0800
+@@ -367,7 +367,7 @@
+ 
+   mv $mft $mftt
+   echo "PERL_CC=${perl_cc}" >>$mft
+-  echo "PERL_CCOPTS=${perl_ccopts}" >>$mft
++  echo "PERL_CCOPTS=${perl_ccopts} \$(CFLAGS)" >>$mft
+   echo "PERL_LIBS=${perl_libs}" >>$mft
+   echo "PERL_CFLAGS=${perl_cflags}" >>$mft
+   echo "PERL_LFLAGS=${perl_lflags}" >>$mft
+--- exim-4.99.1.orig/src/EDITME	2026-01-30 10:30:47.833924976 +0800
++++ exim-4.99.1/src/EDITME	2026-01-30 11:52:59.213474957 +0800
+@@ -104,7 +104,7 @@
+ # /usr/local/sbin. The installation script will try to create this directory,
+ # and any superior directories, if they do not exist.
+ 
+-BIN_DIRECTORY=/usr/exim/bin
++BIN_DIRECTORY=/usr/sbin
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -120,7 +120,7 @@
+ # don't exist. It will also install a default runtime configuration if this
+ # file does not exist.
+ 
+-CONFIGURE_FILE=/usr/exim/configure
++CONFIGURE_FILE=/etc/exim/exim.conf
+ 
+ # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
+ # In this case, Exim will use the first of them that exists when it is run.
+@@ -137,7 +137,7 @@
+ # deliveries. (Local deliveries run as various non-root users, typically as the
+ # owner of a local mailbox.) Specifying these values as root is not supported.
+ 
+-EXIM_USER=
++EXIM_USER=93
+ 
+ # If you specify EXIM_USER as a name, this is looked up at build time, and the
+ # uid number is built into the binary. However, you can specify that this
+@@ -158,7 +158,7 @@
+ # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
+ # you want to use a group other than the default group for the given user.
+ 
+-# EXIM_GROUP=
++EXIM_GROUP=93
+ 
+ # Many sites define a user called "exim", with an appropriate default group,
+ # and use
+@@ -215,10 +215,10 @@
+ # If you are building with TLS, the library configuration must be done:
+ 
+ # Uncomment this if you are using OpenSSL
+-# USE_OPENSSL=yes
++USE_OPENSSL=yes
+ # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+ # and an optional location.
+-# USE_OPENSSL_PC=openssl
++USE_OPENSSL_PC=openssl
+ # TLS_LIBS=-lssl -lcrypto
+ # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+ 
+@@ -362,7 +362,7 @@
+ # This one is special-purpose, and commonly not required, so it is not
+ # included by default.
+ 
+-# TRANSPORT_LMTP=yes
++TRANSPORT_LMTP=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -371,9 +371,9 @@
+ # MBX, is included only when requested. If you do not know what this is about,
+ # leave these settings commented out.
+ 
+-# SUPPORT_MAILDIR=yes
+-# SUPPORT_MAILSTORE=yes
+-# SUPPORT_MBX=yes
++SUPPORT_MAILDIR=yes
++SUPPORT_MAILSTORE=yes
++SUPPORT_MBX=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -434,22 +434,28 @@
+ LOOKUP_LSEARCH=yes
+ LOOKUP_DNSDB=yes
+ 
+-# LOOKUP_CDB=yes
+-# LOOKUP_DSEARCH=yes
++LOOKUP_CDB=yes
++LOOKUP_DSEARCH=yes
+ # LOOKUP_IBASE=yes
+ # LOOKUP_JSON=yes
+-# LOOKUP_LDAP=yes
++LOOKUP_LDAP=yes
++LDAP_LIB_TYPE=OPENLDAP2
++LOOKUP_LIBS=-lldap -llber -lsqlite3
+ # LOOKUP_LMDB=yes
+ 
+-# LOOKUP_MYSQL=yes
+-# LOOKUP_MYSQL_PC=mariadb
++LOOKUP_MYSQL=2
++LOOKUP_MYSQL_PC=mysqlclient
+ # LOOKUP_NIS=yes
+ # LOOKUP_NISPLUS=yes
++CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc
++LIBS+=-L/usr/$(_lib)/nsl
++
+ # LOOKUP_ORACLE=yes
+-# LOOKUP_PASSWD=yes
+-# LOOKUP_PGSQL=yes
++LOOKUP_PASSWD=yes
++LOOKUP_PGSQL=2
++LOOKUP_PGSQL_LIBS=-lpq
+ # LOOKUP_REDIS=yes
+-# LOOKUP_SQLITE=yes
++LOOKUP_SQLITE=yes
+ # LOOKUP_SQLITE_PC=sqlite3
+ # LOOKUP_WHOSON=yes
+ 
+@@ -551,7 +557,7 @@
+ # files are defaulted in the OS/Makefile-Default file, but can be overridden in
+ # local OS-specific make files.
+ 
+-# EXIM_MONITOR=eximon.bin
++EXIM_MONITOR=eximon.bin
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -583,7 +589,7 @@
+ # and the MIME ACL. Please read the documentation to learn more about these
+ # features.
+ 
+-# WITH_CONTENT_SCAN=yes
++WITH_CONTENT_SCAN=yes
+ 
+ # If you have content scanning you may wish to only include some of the scanner
+ # interfaces.  Uncomment any of these lines to remove that code.
+@@ -677,13 +683,13 @@
+ # is historic).  The same rules as for other module builds apply; use
+ # SUPPORT_DMARC_{INCLUDE,LIBS}.
+ #
+-# SUPPORT_DMARC=yes
++SUPPORT_DMARC=yes
+ # CFLAGS += -I/usr/local/include
+-# LDFLAGS += -lopendmarc
++LDFLAGS += -lopendmarc
+ #
+ # Uncomment the following if you need to change the default. You can
+ # override it at runtime (main config option dmarc_tld_file)
+-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
++DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat
+ #
+ # Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
+ # 1.3.2-3 works.  It seems that the OpenDMARC project broke their API.
+@@ -821,7 +827,7 @@
+ # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
+ # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
+ 
+-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -879,18 +885,18 @@
+ # core exim build.  This gets them linked with the module instead.
+ # The heimdal does build but we have no test coverage so it is not know to work.
+ 
+-# AUTH_CRAM_MD5=yes
+-# AUTH_CYRUS_SASL=yes
+-# AUTH_DOVECOT=yes
++AUTH_CRAM_MD5=yes
++AUTH_CYRUS_SASL=yes
++AUTH_DOVECOT=yes
+ # AUTH_EXTERNAL=yes
+-# AUTH_GSASL=yes
+-# AUTH_GSASL_PC=libgsasl
++AUTH_GSASL=yes
++AUTH_GSASL_PC=libgsasl
+ # AUTH_HEIMDAL_GSSAPI=yes
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
+-# AUTH_PLAINTEXT=yes
+-# AUTH_SPA=yes
+-# AUTH_TLS=yes
++AUTH_PLAINTEXT=yes
++AUTH_SPA=yes
++AUTH_TLS=yes
+ 
+ # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
+ # requires multiple pkg-config files to work with Exim, so the second example
+@@ -917,7 +923,7 @@
+ # one that is set in the headers_charset option. The default setting is
+ # defined by this setting:
+ 
+-HEADERS_CHARSET="ISO-8859-1"
++HEADERS_CHARSET="UTF-8"
+ 
+ # If you are going to make use of $header_xxx expansions in your configuration
+ # file, or if your users are going to use them in filter files, and the normal
+@@ -937,7 +943,7 @@
+ # the Sieve filter support. For those OS where iconv() is known to be installed
+ # as standard, the file in OS/Makefile-xxxx contains
+ #
+-# HAVE_ICONV=yes
++HAVE_ICONV=yes
+ #
+ # If you are not using one of those systems, but have installed iconv(), you
+ # need to uncomment that line above. In some cases, you may find that iconv()
+@@ -1013,7 +1019,7 @@
+ # Once you have done this, "make install" will build the info files and
+ # install them in the directory you have defined.
+ 
+-# INFO_DIRECTORY=/usr/share/info
++INFO_DIRECTORY=/usr/share/info
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1026,7 +1032,7 @@
+ # %s. This will be replaced by one of the strings "main", "panic", or "reject"
+ # to form the final file names. Some installations may want something like this:
+ 
+-# LOG_FILE_PATH=/var/log/exim_%slog
++LOG_FILE_PATH=/var/log/exim/%s.log
+ 
+ # which results in files with names /var/log/exim_mainlog, etc. The directory
+ # in which the log files are placed must exist; Exim does not try to create
+@@ -1099,7 +1105,7 @@
+ # Perl costs quite a lot of resources. Only do this if you really need it.
+ #
+ 
+-# EXIM_PERL=perl.o
++EXIM_PERL=perl.o
+ 
+ # For a dynamic module build add also SUPPORT_PERL=2 and SUPPORT_PAM_(INCLUED,LIBS)
+ #SUPPORT_PERL=2
+@@ -1114,7 +1120,7 @@
+ # that the local_scan API is made available by the linker. You may also need
+ # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
+ 
+-# EXPAND_DLFUNC=yes
++EXPAND_DLFUNC=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1126,7 +1132,7 @@
+ #
+ # For a dynamic module build add SUPPORT_PAM=2 and SUPPORT_PAM_LIBS=-lpam
+ 
+-# SUPPORT_PAM=yes
++SUPPORT_PAM=yes
+ 
+ # You probably need to add -lpam to EXTRALIBS, and in some releases of
+ # GNU/Linux -ldl is also needed.
+@@ -1138,12 +1144,12 @@
+ # If you may want to use outbound (client-side) proxying, using Socks5,
+ # uncomment the line below.
+ 
+-# SUPPORT_SOCKS=yes
++SUPPORT_SOCKS=yes
+ 
+ # If you may want to use inbound (server-side) proxying, using Proxy Protocol,
+ # uncomment the line below.
+ 
+-# SUPPORT_PROXY=yes
++SUPPORT_PROXY=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1176,9 +1182,9 @@
+ # is historic).  The same rules as for other module builds apply; use
+ # SUPPORT_SPF_{INCLUDE,LIBS}.
+ 
+-# SUPPORT_SPF=yes
++SUPPORT_SPF=yes
+ # CFLAGS  += -I/usr/local/include
+-# LDFLAGS += -lspf2
++LDFLAGS += -lspf2
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1246,7 +1252,7 @@
+ # group. Once you have installed saslauthd, you should arrange for it to be
+ # started by root at boot time.
+ 
+-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1288,7 +1294,7 @@
+ # is "yes", as well as supporting line editing, a history of input lines in the
+ # current run is maintained.
+ 
+-# USE_READLINE=yes
++USE_READLINE=yes
+ 
+ # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
+ # Note that this option adds to the size of the Exim binary, because the
+@@ -1305,7 +1311,7 @@
+ #------------------------------------------------------------------------------
+ # Uncomment this setting to include IPv6 support.
+ 
+-# HAVE_IPV6=yes
++HAVE_IPV6=yes
+ 
+ ###############################################################################
+ #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
+@@ -1326,13 +1332,13 @@
+ # haven't got Perl, Exim will still build and run; you just won't be able to
+ # use those utilities.
+ 
+-# CHOWN_COMMAND=/usr/bin/chown
+-# CHGRP_COMMAND=/usr/bin/chgrp
+-# CHMOD_COMMAND=/usr/bin/chmod
+-# MV_COMMAND=/bin/mv
+-# RM_COMMAND=/bin/rm
+-# TOUCH_COMMAND=/usr/bin/touch
+-# PERL_COMMAND=/usr/bin/perl
++CHOWN_COMMAND=/usr/bin/chown
++CHGRP_COMMAND=/usr/bin/chgrp
++CHMOD_COMMAND=/usr/bin/chmod
++MV_COMMAND=/usr/bin/mv
++RM_COMMAND=/usr/bin/rm
++TOUCH_COMMAND=/usr/bin/touch
++PERL_COMMAND=/usr/bin/perl
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1534,7 +1540,7 @@
+ # (process id) to a file so that it can easily be identified. The path of the
+ # file can be specified here. Some installations may want something like this:
+ 
+-# PID_FILE_PATH=/var/lock/exim.pid
++PID_FILE_PATH=/var/run/exim.pid
+ 
+ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
+ # using the name "exim-daemon.pid".
+@@ -1615,3 +1621,8 @@
+ # DISABLE_CLIENT_CMD_LOG=yes
+ 
+ # End of EDITME for Exim.
++
++#------------------------------------------------------------------------------
++# RPM build configuration
++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
+--- exim-4.99.1.orig/src/configure.default	2026-01-30 10:30:47.833924976 +0800
++++ exim-4.99.1/src/configure.default	2026-01-30 11:44:50.309870731 +0800
+@@ -67,7 +67,7 @@
+ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+ # are all colon-separated lists:
+ 
+-domainlist local_domains = @
++domainlist local_domains = @ : localhost : localhost.localdomain
+ domainlist relay_to_domains =
+ hostlist   relay_from_hosts = localhost
+ # (We rely upon hostname resolution working for localhost, because the default
+@@ -119,11 +119,13 @@
+ # manual for details. The lists above are used in the access control lists for
+ # checking incoming messages. The names of these ACLs are defined here:
+ 
++acl_smtp_mail =         acl_check_mail
+ acl_smtp_rcpt =         acl_check_rcpt
+ .ifdef _HAVE_PRDR
+ acl_smtp_data_prdr =    acl_check_prdr
+ .endif
+ acl_smtp_data =         acl_check_data
++acl_smtp_mime =         acl_check_mime
+ 
+ # You should not change those settings until you understand how ACLs work.
+ 
+@@ -136,7 +138,7 @@
+ # of what to set for other virus scanners. The second modification is in the
+ # acl_check_data access control list (see below).
+ 
+-# av_scanner = clamd:/tmp/clamd
++av_scanner = clamd:/var/run/clamd.exim/clamd.sock
+ 
+ 
+ # For spam scanning, there is a similar option that defines the interface to
+@@ -147,6 +149,12 @@
+ # spamd_address = 127.0.0.1 783
+ 
+ 
++# Set the default sqlite database file for greylisting. Uncomment this
++# if you use the greylisting ACLs defined below.
++
++# sqlite_dbfile = /var/spool/exim/db/greylist.db
++
++
+ # If Exim is compiled with support for TLS, you may want to change the
+ # following option so that Exim disallows certain clients from makeing encrypted
+ # connections. The default is to allow all.
+@@ -157,7 +165,7 @@
+ 
+ # This is equivalent to the default.
+ 
+-# tls_advertise_hosts = *
++tls_advertise_hosts = *
+ 
+ # Specify the location of the Exim server's TLS certificate and private key.
+ # The private key must not be encrypted (password protected). You can put
+@@ -165,8 +173,8 @@
+ # need the first setting, or in separate files, in which case you need both
+ # options.
+ 
+-# tls_certificate = /etc/ssl/exim.crt
+-# tls_privatekey = /etc/ssl/exim.pem
++tls_certificate = /etc/pki/tls/certs/exim.pem
++tls_privatekey = /etc/pki/tls/private/exim.pem
+ 
+ # For OpenSSL, prefer EC- over RSA-authenticated ciphers
+ .ifdef _HAVE_OPENSSL
+@@ -193,8 +201,8 @@
+ # them you should also allow TLS-on-connect on the traditional (and now
+ # standard) port 465.
+ 
+-# daemon_smtp_ports = 25 : 465 : 587
+-# tls_on_connect_ports = 465
++daemon_smtp_ports = 25 : 465 : 587
++tls_on_connect_ports = 465
+ 
+ 
+ # Specify the domain you want to be added to all unqualified addresses
+@@ -252,6 +260,24 @@
+ 
+ host_lookup = *
+ 
++# This setting, if uncommented, allows users to authenticate using
++# their system passwords against saslauthd if they connect over a
++# secure connection. If you have network logins such as NIS or
++# Kerberos rather than only local users, then you possibly also want
++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
++# too. Once a user is authenticated, the acl_check_rcpt ACL then
++# allows them to relay through the system.
++#
++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
++#
++# By default, we set this option to allow SMTP AUTH from nowhere
++# (Exim's default would be to allow it from anywhere, even on an
++# unencrypted connection).
++#
++# Comment this one out if you uncomment the above. Did you make sure
++# saslauthd is actually running first?
++#
++auth_advertise_hosts =
+ 
+ # The setting below causes Exim to try to initialize the system resolver
+ # library with DNSSEC support.  It has no effect if your library lacks
+@@ -382,8 +408,8 @@
+ # Note that TZ is handled separately by the timezone runtime option
+ # and TIMEZONE_DEFAULT buildtime option.
+ 
+-# keep_environment = ^LDAP
+-# add_environment = PATH=/usr/bin::/bin
++keep_environment = ^LDAP
++add_environment = PATH=/usr/bin::/bin
+ 
+ 
+ 
+@@ -394,6 +420,29 @@
+ 
+ begin acl
+ 
++
++# This access control list is used for the MAIL command in an incoming
++# SMTP message.
++
++acl_check_mail:
++
++  # Hosts are required to say HELO (or EHLO) before sending mail.
++  # So don't allow them to use the MAIL command if they haven't
++  # done so.
++
++  deny condition = ${if eq{$sender_helo_name}{} {1}}
++       message = Nice boys say HELO first
++
++  # Use the lack of reverse DNS to trigger greylisting. Some people
++  # even reject for it but that would be a little excessive.
++
++  warn condition = ${if eq{$sender_host_name}{} {1}}
++       set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
++
++  accept
++
++
++
+ # This access control list is used for every RCPT command in an incoming
+ # SMTP message. The tests are run in order until the address is either
+ # accepted or denied.
+@@ -405,6 +454,7 @@
+ 
+   accept  hosts = :
+           control = dkim_disable_verify
++          control = dmarc_disable_verify
+ 
+   #############################################################################
+   # The following section of the ACL is concerned with local parts that contain
+@@ -458,7 +508,8 @@
+   accept  local_parts   = postmaster
+           domains       = +local_domains
+ 
+-  # Deny unless the sender address can be verified.
++  # Deny unless the sender address can be routed. For proper verification of the
++  # address, read the documentation on callouts and add the /callout modifier.
+ 
+   require verify        = sender
+ 
+@@ -498,6 +549,7 @@
+   accept  hosts         = +relay_from_hosts
+           control       = submission
+           control       = dkim_disable_verify
++          control       = dmarc_disable_verify
+ 
+   # Accept if the message arrived over an authenticated connection, from
+   # any host. Again, these messages are usually from MUAs, so recipient
+@@ -507,6 +559,7 @@
+   accept  authenticated = *
+           control       = submission
+           control       = dkim_disable_verify
++          control       = dmarc_disable_verify
+ 
+   # Insist that any other recipient address that we accept is either in one of
+   # our local domains, or is in a domain for which we explicitly allow
+@@ -527,7 +580,8 @@
+   # There are no default checks on DNS black lists because the domains that
+   # contain these lists are changing all the time. However, here are two
+   # examples of how you can get Exim to perform a DNS black list lookup at this
+-  # point. The first one denies, whereas the second just warns.
++  # point. The first one denies, whereas the second just warns. The third
++  # triggers greylisting for any host in the blacklist.
+   #
+   # deny    dnslists      = black.list.example
+   #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+@@ -535,6 +589,10 @@
+   # warn    dnslists      = black.list.example
+   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+   #         log_message   = found in $dnslist_domain
++  #
++  # warn    dnslists      = black.list.example
++  #         set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
++  #
+   #############################################################################
+ 
+   #############################################################################
+@@ -561,6 +619,10 @@
+   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+   #############################################################################
+ 
++  # Alternatively, greylist for it:
++  # warn !verify = csa
++  #      set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
++
+   # At this point, the address has passed all the checks that have been
+   # configured, so we accept it unconditionally.
+ 
+@@ -610,21 +672,32 @@
+           message =     header syntax
+           log_message = header syntax ($acl_verify_message)
+ 
++  # Put simple tests first. A good one is to check for the presence of a
++  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
++  # or misconfigured mailer software occasionally omits this from genuine
++  # messages too, though -- although it's not hard for the offender to fix
++  # after they receive a bounce because of it.
++  #
++  # deny    condition  = ${if !def:h_Message-ID: {1}}
++  #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
++  #                      Most messages without it are spam, so your mail has been rejected.
++  #
++  # Alternatively if we're feeling more lenient we could just use it to
++  # trigger greylisting instead:
++
++  warn    condition  = ${if !def:h_Message-ID: {1}}
++          set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
++
+   # Deny if the message contains a virus. Before enabling this check, you
+   # must install a virus scanner and set the av_scanner option above.
+   #
+   # deny    malware    = *
+   #         message    = This message contains a virus ($malware_name).
+ 
+-  # Add headers to a message if it is judged to be spam. Before enabling this,
+-  # you must install SpamAssassin. You may also need to set the spamd_address
+-  # option above.
+-  #
+-  # warn    spam       = nobody
+-  #         add_header = X-Spam_score: $spam_score\n\
+-  #                      X-Spam_score_int: $spam_score_int\n\
+-  #                      X-Spam_bar: $spam_bar\n\
+-  #                      X-Spam_report: $spam_report
++  # Bypass SpamAssassin checks if the message is too large.
++  #
++  # accept  condition  = ${if >={$message_size}{100000} {1}}
++  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+ 
+   #############################################################################
+   # No more tests if PRDR was actively used.
+@@ -638,11 +711,63 @@
+   #           condition    = ...
+   #############################################################################
+ 
++  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
++  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
++  # score exceeds the SA system threshold.
++  #
++  # warn    spam       = nobody/defer_ok
++  #         add_header = X-Spam-Flag: YES
++  #
++  # accept  condition  = ${if !def:spam_score_int {1}}
++  #         add_header = X-Spam-Note: SpamAssassin invocation failed
++  #
++
++  # Unconditionally add score and report headers
++  #
++  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
++  #                      X-Spam-Report: $spam_report
+ 
+-  # Accept the message.
++  # And reject if the SpamAssassin score is greater than ten
++  #
++  # deny    condition = ${if >{$spam_score_int}{100} {1}}
++  #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
++  #  	    	        $spam_report
++
++  # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
++  #
++  # warn    condition = ${if >{$spam_score_int}{5} {1}}
++  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
++
++
++  # If you want to greylist _all_ mail rather than only mail which looks like there
++  # might be something wrong with it, then you can do this...
++  #
++  # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
++
++  # Now, invoke the greylisting. For this you need to have installed the exim-greylist
++  # package which contains this subroutine, and you need to uncomment the bit below
++  # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
++  # greylisting will kick in and will defer the mail to check if the sender is a
++  # proper mail which which retries, or whether it's a zombie. For more details, see
++  # the exim-greylist.conf.inc file itself.
++  #
++  # require acl = greylist_mail
+ 
+   accept
+ 
++# To enable the greylisting, also uncomment this line:
++# .include /etc/exim/exim-greylist.conf.inc
++
++acl_check_mime:
++
++  # File extension filtering.
++  deny message = Blacklisted file extension detected
++       condition = ${if match \
++                        {${lc:$mime_filename}} \
++                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
++                     {1}{0}}
++
++  accept
+ 
+ 
+ ######################################################################
+@@ -744,7 +869,7 @@
+   driver = redirect
+   allow_fail
+   allow_defer
+-  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
++  data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ # user = exim
+   file_transport = address_file
+   pipe_transport = address_pipe
+@@ -782,7 +907,7 @@
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+   file = $home/.forward
+-# allow_filter
++  allow_filter
+   no_verify
+   no_expn
+   check_ancestor
+@@ -790,6 +915,12 @@
+   pipe_transport = address_pipe
+   reply_transport = address_reply
+ 
++procmail:
++  driver = accept
++  check_local_user
++  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
++  transport = procmail
++  no_verify
+ 
+ # This router matches local user mailboxes. If the router fails, the error
+ # message is "Unknown user".
+@@ -830,6 +961,25 @@
+   tls_resumption_hosts = *
+ .endif
+ 
++# This transport is used for delivering messages over SMTP using the
++# "message submission" port (RFC4409).
++
++remote_msa:
++  driver = smtp
++  port = 587
++  hosts_require_auth = *
++
++
++# This transport invokes procmail to deliver mail
++procmail:
++  driver = pipe
++  command = "/usr/bin/procmail -d $local_part"
++  return_path_add
++  delivery_date_add
++  envelope_to_add
++  user = $local_part
++  initgroups
++  return_output
+ 
+ # This transport is used for delivering messages to a smarthost, if the
+ # smarthost router is enabled.  This starts from the same basis as
+@@ -884,8 +1034,8 @@
+   delivery_date_add
+   envelope_to_add
+   return_path_add
+-# group = mail
+-# mode = 0660
++  group = mail
++  mode = 0660
+ 
+ 
+ # This transport is used for handling pipe deliveries generated by alias or
+@@ -918,6 +1068,16 @@
+   driver = autoreply
+ 
+ 
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
++# socket. You'll need to configure the 'localuser' router above to use it.
++#
++#lmtp_delivery:
++#  home_directory = /var/spool/imap
++#  driver = lmtp
++#  command = "/usr/lib/cyrus-imapd/deliver -l"
++#  batch_max = 20
++#  user = cyrus
++
+ 
+ ######################################################################
+ #                      RETRY CONFIGURATION                           #
+@@ -958,6 +1118,21 @@
+ #                   AUTHENTICATION CONFIGURATION                     #
+ ######################################################################
+ 
++begin authenticators
++
++# This authenticator supports CRAM-MD5 username/password authentication
++# with Exim acting as a _client_, as it might when sending its outgoing
++# mail to a smarthost rather than directly to the final recipient.
++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
++
++#client_auth:
++#  driver = cram_md5
++#  public_name = CRAM-MD5
++#  client_name = SMTPAUTH_USERNAME
++#  client_secret = SMTPAUTH_PASSWORD
++
++#
++
+ # The following authenticators support plaintext username/password
+ # authentication using the standard PLAIN mechanism and the traditional
+ # but non-standard LOGIN mechanism, with Exim acting as the server.
+@@ -973,7 +1148,7 @@
+ # The default RCPT ACL checks for successful authentication, and will accept
+ # messages from authenticated users from anywhere on the Internet.
+ 
+-begin authenticators
++#
+ 
+ # PLAIN authentication has no server prompts. The client sends its
+ # credentials in one lump, containing an authorization ID (which we do not
+@@ -987,7 +1162,7 @@
+ #  driver                     = plaintext
+ #  server_set_id              = $auth2
+ #  server_prompts             = :
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_in_cipher }
+ 
+ # LOGIN authentication has traditional prompts and responses. There is no
+@@ -999,7 +1174,7 @@
+ #  driver                     = plaintext
+ #  server_set_id              = $auth1
+ #  server_prompts             = <| Username: | Password:
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_in_cipher }
+ 
+