diff options
Diffstat (limited to 'exim-4.98.2-config.patch')
| -rw-r--r-- | exim-4.98.2-config.patch | 816 |
1 files changed, 816 insertions, 0 deletions
diff --git a/exim-4.98.2-config.patch b/exim-4.98.2-config.patch new file mode 100644 index 0000000..12996b1 --- /dev/null +++ b/exim-4.98.2-config.patch @@ -0,0 +1,816 @@ +diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile +index dc5015f..07f8c23 100755 +--- a/scripts/Configure-Makefile ++++ b/scripts/Configure-Makefile +@@ -319,7 +319,7 @@ if [ "${EXIM_PERL}" != "" ] ; then + + mv $mft $mftt + echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft +- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft ++ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft + echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft + echo "" >>$mft + cat $mftt >> $mft +diff --git a/src/EDITME b/src/EDITME +index ebfaf64..9e4e818 100644 +--- a/src/EDITME ++++ b/src/EDITME +@@ -103,7 +103,7 @@ + # /usr/local/sbin. The installation script will try to create this directory, + # and any superior directories, if they do not exist. + +-BIN_DIRECTORY=/usr/exim/bin ++BIN_DIRECTORY=/usr/sbin + + + #------------------------------------------------------------------------------ +@@ -119,7 +119,7 @@ BIN_DIRECTORY=/usr/exim/bin + # don't exist. It will also install a default runtime configuration if this + # file does not exist. + +-CONFIGURE_FILE=/usr/exim/configure ++CONFIGURE_FILE=/etc/exim/exim.conf + + # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. + # In this case, Exim will use the first of them that exists when it is run. +@@ -136,7 +136,7 @@ CONFIGURE_FILE=/usr/exim/configure + # deliveries. (Local deliveries run as various non-root users, typically as the + # owner of a local mailbox.) Specifying these values as root is not supported. + +-EXIM_USER= ++EXIM_USER=93 + + # If you specify EXIM_USER as a name, this is looked up at build time, and the + # uid number is built into the binary. However, you can specify that this +@@ -157,7 +157,7 @@ EXIM_USER= + # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless + # you want to use a group other than the default group for the given user. + +-# EXIM_GROUP= ++EXIM_GROUP=93 + + # Many sites define a user called "exim", with an appropriate default group, + # and use +@@ -214,10 +214,10 @@ SPOOL_DIRECTORY=/var/spool/exim + # If you are building with TLS, the library configuration must be done: + + # Uncomment this if you are using OpenSSL +-# USE_OPENSSL=yes ++USE_OPENSSL=yes + # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not + # and an optional location. +-# USE_OPENSSL_PC=openssl ++USE_OPENSSL_PC=openssl + # TLS_LIBS=-lssl -lcrypto + # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto + +@@ -344,7 +344,7 @@ TRANSPORT_SMTP=yes + # This one is special-purpose, and commonly not required, so it is not + # included by default. + +-# TRANSPORT_LMTP=yes ++TRANSPORT_LMTP=yes + + + #------------------------------------------------------------------------------ +@@ -353,9 +353,9 @@ TRANSPORT_SMTP=yes + # MBX, is included only when requested. If you do not know what this is about, + # leave these settings commented out. + +-# SUPPORT_MAILDIR=yes +-# SUPPORT_MAILSTORE=yes +-# SUPPORT_MBX=yes ++SUPPORT_MAILDIR=yes ++SUPPORT_MAILSTORE=yes ++SUPPORT_MBX=yes + + + #------------------------------------------------------------------------------ +@@ -413,22 +413,28 @@ LOOKUP_DBM=yes + LOOKUP_LSEARCH=yes + LOOKUP_DNSDB=yes + +-# LOOKUP_CDB=yes +-# LOOKUP_DSEARCH=yes ++LOOKUP_CDB=yes ++LOOKUP_DSEARCH=yes + # LOOKUP_IBASE=yes + # LOOKUP_JSON=yes +-# LOOKUP_LDAP=yes ++LOOKUP_LDAP=yes ++LDAP_LIB_TYPE=OPENLDAP2 ++LOOKUP_LIBS=-lldap -llber -lsqlite3 + # LOOKUP_LMDB=yes + +-# LOOKUP_MYSQL=yes +-# LOOKUP_MYSQL_PC=mariadb +-# LOOKUP_NIS=yes +-# LOOKUP_NISPLUS=yes ++LOOKUP_MYSQL=2 ++LOOKUP_MYSQL_PC=mariadb ++# LOOKUP_NIS=yes ++# LOOKUP_NISPLUS=yes ++CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc ++LIBS+=-L/usr/$(_lib)/nsl ++ + # LOOKUP_ORACLE=yes +-# LOOKUP_PASSWD=yes +-# LOOKUP_PGSQL=yes ++LOOKUP_PASSWD=yes ++LOOKUP_PGSQL=2 ++LOOKUP_PGSQL_LIBS=-lpq + # LOOKUP_REDIS=yes +-# LOOKUP_SQLITE=yes ++LOOKUP_SQLITE=yes + # LOOKUP_SQLITE_PC=sqlite3 + # LOOKUP_WHOSON=yes + +@@ -441,7 +447,7 @@ LOOKUP_DNSDB=yes + + + # Some platforms may need this for LOOKUP_NIS: +-# LIBS += -lnsl ++LIBS += -lnsl + + #------------------------------------------------------------------------------ + # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate +@@ -515,7 +521,7 @@ SUPPORT_DANE=yes + # files are defaulted in the OS/Makefile-Default file, but can be overridden in + # local OS-specific make files. + +-# EXIM_MONITOR=eximon.bin ++EXIM_MONITOR=eximon.bin + + + #------------------------------------------------------------------------------ +@@ -525,7 +531,7 @@ SUPPORT_DANE=yes + # and the MIME ACL. Please read the documentation to learn more about these + # features. + +-# WITH_CONTENT_SCAN=yes ++WITH_CONTENT_SCAN=yes + + # If you have content scanning you may wish to only include some of the scanner + # interfaces. Uncomment any of these lines to remove that code. +@@ -609,12 +615,12 @@ DISABLE_MAL_MKS=yes + + # Uncomment the following line to add DMARC checking capability, implemented + # using libopendmarc libraries. You must have SPF and DKIM support enabled also. +-# SUPPORT_DMARC=yes ++SUPPORT_DMARC=yes + # CFLAGS += -I/usr/local/include +-# LDFLAGS += -lopendmarc ++LDFLAGS += -lopendmarc + # Uncomment the following if you need to change the default. You can + # override it at runtime (main config option dmarc_tld_file) +-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds ++DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat + # + # Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; + # 1.3.2-3 works. It seems that the OpenDMARC project broke their API. +@@ -749,7 +755,7 @@ FIXED_NEVER_USERS=root + # CONFIGURE_OWNER setting, to specify a configuration file which is listed in + # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. + +-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs ++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs + + + #------------------------------------------------------------------------------ +@@ -794,18 +800,18 @@ FIXED_NEVER_USERS=root + # included in the Exim binary. You will then need to set up the run time + # configuration to make use of the mechanism(s) selected. + +-# AUTH_CRAM_MD5=yes +-# AUTH_CYRUS_SASL=yes +-# AUTH_DOVECOT=yes ++AUTH_CRAM_MD5=yes ++AUTH_CYRUS_SASL=yes ++AUTH_DOVECOT=yes + # AUTH_EXTERNAL=yes +-# AUTH_GSASL=yes +-# AUTH_GSASL_PC=libgsasl ++AUTH_GSASL=yes ++AUTH_GSASL_PC=libgsasl + # AUTH_HEIMDAL_GSSAPI=yes + # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi + # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 +-# AUTH_PLAINTEXT=yes +-# AUTH_SPA=yes +-# AUTH_TLS=yes ++AUTH_PLAINTEXT=yes ++AUTH_SPA=yes ++AUTH_TLS=yes + + # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 + # requires multiple pkg-config files to work with Exim, so the second example +@@ -832,7 +838,7 @@ FIXED_NEVER_USERS=root + # one that is set in the headers_charset option. The default setting is + # defined by this setting: + +-HEADERS_CHARSET="ISO-8859-1" ++HEADERS_CHARSET="UTF-8" + + # If you are going to make use of $header_xxx expansions in your configuration + # file, or if your users are going to use them in filter files, and the normal +@@ -852,7 +858,7 @@ HEADERS_CHARSET="ISO-8859-1" + # the Sieve filter support. For those OS where iconv() is known to be installed + # as standard, the file in OS/Makefile-xxxx contains + # +-# HAVE_ICONV=yes ++HAVE_ICONV=yes + # + # If you are not using one of those systems, but have installed iconv(), you + # need to uncomment that line above. In some cases, you may find that iconv() +@@ -928,7 +934,7 @@ HEADERS_CHARSET="ISO-8859-1" + # Once you have done this, "make install" will build the info files and + # install them in the directory you have defined. + +-# INFO_DIRECTORY=/usr/share/info ++INFO_DIRECTORY=/usr/share/info + + + #------------------------------------------------------------------------------ +@@ -941,7 +947,7 @@ HEADERS_CHARSET="ISO-8859-1" + # %s. This will be replaced by one of the strings "main", "panic", or "reject" + # to form the final file names. Some installations may want something like this: + +-# LOG_FILE_PATH=/var/log/exim_%slog ++LOG_FILE_PATH=/var/log/exim/%s.log + + # which results in files with names /var/log/exim_mainlog, etc. The directory + # in which the log files are placed must exist; Exim does not try to create +@@ -1013,7 +1019,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded + # Perl costs quite a lot of resources. Only do this if you really need it. + +-# EXIM_PERL=perl.o ++EXIM_PERL=perl.o + + + #------------------------------------------------------------------------------ +@@ -1023,7 +1029,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # that the local_scan API is made available by the linker. You may also need + # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. + +-# EXPAND_DLFUNC=yes ++EXPAND_DLFUNC=yes + + + #------------------------------------------------------------------------------ +@@ -1033,7 +1039,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # support, which is intended for use in conjunction with the SMTP AUTH + # facilities, is included only when requested by the following setting: + +-# SUPPORT_PAM=yes ++SUPPORT_PAM=yes + + # You probably need to add -lpam to EXTRALIBS, and in some releases of + # GNU/Linux -ldl is also needed. +@@ -1045,12 +1051,12 @@ ZCAT_COMMAND=/usr/bin/zcat + # If you may want to use outbound (client-side) proxying, using Socks5, + # uncomment the line below. + +-# SUPPORT_SOCKS=yes ++SUPPORT_SOCKS=yes + + # If you may want to use inbound (server-side) proxying, using Proxy Protocol, + # uncomment the line below. + +-# SUPPORT_PROXY=yes ++SUPPORT_PROXY=yes + + + #------------------------------------------------------------------------------ +@@ -1074,9 +1080,9 @@ ZCAT_COMMAND=/usr/bin/zcat + # installed on your system (www.libspf2.org). Depending on where it is installed + # you may have to edit the CFLAGS and LDFLAGS lines. + +-# SUPPORT_SPF=yes ++SUPPORT_SPF=yes + # CFLAGS += -I/usr/local/include +-# LDFLAGS += -lspf2 ++LDFLAGS += -lspf2 + + + #------------------------------------------------------------------------------ +@@ -1141,7 +1147,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # group. Once you have installed saslauthd, you should arrange for it to be + # started by root at boot time. + +-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux ++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux + + + #------------------------------------------------------------------------------ +@@ -1155,8 +1161,8 @@ ZCAT_COMMAND=/usr/bin/zcat + # library for TCP wrappers, so you probably need something like this: + # + # USE_TCP_WRAPPERS=yes +-# CFLAGS=-O -I/usr/local/include +-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap ++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) ++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic + # + # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM + # as well. +@@ -1208,7 +1214,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases + # is "yes", as well as supporting line editing, a history of input lines in the + # current run is maintained. + +-# USE_READLINE=yes ++USE_READLINE=yes + + # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. + # Note that this option adds to the size of the Exim binary, because the +@@ -1225,7 +1231,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases + #------------------------------------------------------------------------------ + # Uncomment this setting to include IPv6 support. + +-# HAVE_IPV6=yes ++HAVE_IPV6=yes + + ############################################################################### + # THINGS YOU ALMOST NEVER NEED TO MENTION # +@@ -1246,13 +1252,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases + # haven't got Perl, Exim will still build and run; you just won't be able to + # use those utilities. + +-# CHOWN_COMMAND=/usr/bin/chown +-# CHGRP_COMMAND=/usr/bin/chgrp +-# CHMOD_COMMAND=/usr/bin/chmod +-# MV_COMMAND=/bin/mv +-# RM_COMMAND=/bin/rm +-# TOUCH_COMMAND=/usr/bin/touch +-# PERL_COMMAND=/usr/bin/perl ++CHOWN_COMMAND=/usr/bin/chown ++CHGRP_COMMAND=/usr/bin/chgrp ++CHMOD_COMMAND=/usr/bin/chmod ++MV_COMMAND=/usr/bin/mv ++RM_COMMAND=/usr/bin/rm ++TOUCH_COMMAND=/usr/bin/touch ++PERL_COMMAND=/usr/bin/perl + + + #------------------------------------------------------------------------------ +@@ -1454,7 +1460,7 @@ EXIM_TMPDIR="/tmp" + # (process id) to a file so that it can easily be identified. The path of the + # file can be specified here. Some installations may want something like this: + +-# PID_FILE_PATH=/var/lock/exim.pid ++PID_FILE_PATH=/var/run/exim.pid + + # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory + # using the name "exim-daemon.pid". +diff --git a/src/configure.default b/src/configure.default +index 633c653..6379927 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -67,7 +67,7 @@ + # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They + # are all colon-separated lists: + +-domainlist local_domains = @ ++domainlist local_domains = @ : localhost : localhost.localdomain + domainlist relay_to_domains = + hostlist relay_from_hosts = localhost + # (We rely upon hostname resolution working for localhost, because the default +@@ -119,11 +119,13 @@ hostlist relay_from_hosts = localhost + # manual for details. The lists above are used in the access control lists for + # checking incoming messages. The names of these ACLs are defined here: + ++acl_smtp_mail = acl_check_mail + acl_smtp_rcpt = acl_check_rcpt + .ifdef _HAVE_PRDR + acl_smtp_data_prdr = acl_check_prdr + .endif + acl_smtp_data = acl_check_data ++acl_smtp_mime = acl_check_mime + + # You should not change those settings until you understand how ACLs work. + +@@ -136,7 +138,7 @@ acl_smtp_data = acl_check_data + # of what to set for other virus scanners. The second modification is in the + # acl_check_data access control list (see below). + +-# av_scanner = clamd:/tmp/clamd ++av_scanner = clamd:/var/run/clamd.exim/clamd.sock + + + # For spam scanning, there is a similar option that defines the interface to +@@ -147,6 +149,12 @@ acl_smtp_data = acl_check_data + # spamd_address = 127.0.0.1 783 + + ++# Set the default sqlite database file for greylisting. Uncomment this ++# if you use the greylisting ACLs defined below. ++ ++# sqlite_dbfile = /var/spool/exim/db/greylist.db ++ ++ + # If Exim is compiled with support for TLS, you may want to change the + # following option so that Exim disallows certain clients from makeing encrypted + # connections. The default is to allow all. +@@ -157,7 +165,7 @@ acl_smtp_data = acl_check_data + + # This is equivalent to the default. + +-# tls_advertise_hosts = * ++tls_advertise_hosts = * + + # Specify the location of the Exim server's TLS certificate and private key. + # The private key must not be encrypted (password protected). You can put +@@ -165,8 +173,8 @@ acl_smtp_data = acl_check_data + # need the first setting, or in separate files, in which case you need both + # options. + +-# tls_certificate = /etc/ssl/exim.crt +-# tls_privatekey = /etc/ssl/exim.pem ++tls_certificate = /etc/pki/tls/certs/exim.pem ++tls_privatekey = /etc/pki/tls/private/exim.pem + + # For OpenSSL, prefer EC- over RSA-authenticated ciphers + .ifdef _HAVE_OPENSSL +@@ -193,8 +201,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} + # them you should also allow TLS-on-connect on the traditional (and now + # standard) port 465. + +-# daemon_smtp_ports = 25 : 465 : 587 +-# tls_on_connect_ports = 465 ++daemon_smtp_ports = 25 : 465 : 587 ++tls_on_connect_ports = 465 + + + # Specify the domain you want to be added to all unqualified addresses +@@ -252,6 +260,24 @@ never_users = root + + host_lookup = * + ++# This setting, if uncommented, allows users to authenticate using ++# their system passwords against saslauthd if they connect over a ++# secure connection. If you have network logins such as NIS or ++# Kerberos rather than only local users, then you possibly also want ++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism ++# too. Once a user is authenticated, the acl_check_rcpt ACL then ++# allows them to relay through the system. ++# ++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} ++# ++# By default, we set this option to allow SMTP AUTH from nowhere ++# (Exim's default would be to allow it from anywhere, even on an ++# unencrypted connection). ++# ++# Comment this one out if you uncomment the above. Did you make sure ++# saslauthd is actually running first? ++# ++auth_advertise_hosts = + + # The setting below causes Exim to try to initialize the system resolver + # library with DNSSEC support. It has no effect if your library lacks +@@ -382,8 +408,8 @@ timeout_frozen_after = 7d + # Note that TZ is handled separately by the timezone runtime option + # and TIMEZONE_DEFAULT buildtime option. + +-# keep_environment = ^LDAP +-# add_environment = PATH=/usr/bin::/bin ++keep_environment = ^LDAP ++add_environment = PATH=/usr/bin::/bin + + + +@@ -394,6 +420,29 @@ timeout_frozen_after = 7d + + begin acl + ++ ++# This access control list is used for the MAIL command in an incoming ++# SMTP message. ++ ++acl_check_mail: ++ ++ # Hosts are required to say HELO (or EHLO) before sending mail. ++ # So don't allow them to use the MAIL command if they haven't ++ # done so. ++ ++ deny condition = ${if eq{$sender_helo_name}{} {1}} ++ message = Nice boys say HELO first ++ ++ # Use the lack of reverse DNS to trigger greylisting. Some people ++ # even reject for it but that would be a little excessive. ++ ++ warn condition = ${if eq{$sender_host_name}{} {1}} ++ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons ++ ++ accept ++ ++ ++ + # This access control list is used for every RCPT command in an incoming + # SMTP message. The tests are run in order until the address is either + # accepted or denied. +@@ -405,6 +454,7 @@ acl_check_rcpt: + + accept hosts = : + control = dkim_disable_verify ++ control = dmarc_disable_verify + + ############################################################################# + # The following section of the ACL is concerned with local parts that contain +@@ -458,7 +508,8 @@ acl_check_rcpt: + accept local_parts = postmaster + domains = +local_domains + +- # Deny unless the sender address can be verified. ++ # Deny unless the sender address can be routed. For proper verification of the ++ # address, read the documentation on callouts and add the /callout modifier. + + require verify = sender + +@@ -498,6 +549,7 @@ acl_check_rcpt: + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient +@@ -507,6 +559,7 @@ acl_check_rcpt: + accept authenticated = * + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Insist that any other recipient address that we accept is either in one of + # our local domains, or is in a domain for which we explicitly allow +@@ -527,7 +580,8 @@ acl_check_rcpt: + # There are no default checks on DNS black lists because the domains that + # contain these lists are changing all the time. However, here are two + # examples of how you can get Exim to perform a DNS black list lookup at this +- # point. The first one denies, whereas the second just warns. ++ # point. The first one denies, whereas the second just warns. The third ++ # triggers greylisting for any host in the blacklist. + # + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text +@@ -535,6 +589,10 @@ acl_check_rcpt: + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain ++ # ++ # warn dnslists = black.list.example ++ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons ++ # + ############################################################################# + + ############################################################################# +@@ -561,6 +619,10 @@ acl_check_rcpt: + # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + ############################################################################# + ++ # Alternatively, greylist for it: ++ # warn !verify = csa ++ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons ++ + # At this point, the address has passed all the checks that have been + # configured, so we accept it unconditionally. + +@@ -610,21 +672,32 @@ acl_check_data: + message = header syntax + log_message = header syntax ($acl_verify_message) + ++ # Put simple tests first. A good one is to check for the presence of a ++ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken ++ # or misconfigured mailer software occasionally omits this from genuine ++ # messages too, though -- although it's not hard for the offender to fix ++ # after they receive a bounce because of it. ++ # ++ # deny condition = ${if !def:h_Message-ID: {1}} ++ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ ++ # Most messages without it are spam, so your mail has been rejected. ++ # ++ # Alternatively if we're feeling more lenient we could just use it to ++ # trigger greylisting instead: ++ ++ warn condition = ${if !def:h_Message-ID: {1}} ++ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons ++ + # Deny if the message contains a virus. Before enabling this check, you + # must install a virus scanner and set the av_scanner option above. + # + # deny malware = * + # message = This message contains a virus ($malware_name). + +- # Add headers to a message if it is judged to be spam. Before enabling this, +- # you must install SpamAssassin. You may also need to set the spamd_address +- # option above. ++ # Bypass SpamAssassin checks if the message is too large. + # +- # warn spam = nobody +- # add_header = X-Spam_score: $spam_score\n\ +- # X-Spam_score_int: $spam_score_int\n\ +- # X-Spam_bar: $spam_bar\n\ +- # X-Spam_report: $spam_report ++ # accept condition = ${if >={$message_size}{100000} {1}} ++ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size + + ############################################################################# + # No more tests if PRDR was actively used. +@@ -638,11 +711,63 @@ acl_check_data: + # condition = ... + ############################################################################# + ++ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message ++ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA ++ # score exceeds the SA system threshold. ++ # ++ # warn spam = nobody/defer_ok ++ # add_header = X-Spam-Flag: YES ++ # ++ # accept condition = ${if !def:spam_score_int {1}} ++ # add_header = X-Spam-Note: SpamAssassin invocation failed ++ # ++ ++ # Unconditionally add score and report headers ++ # ++ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ ++ # X-Spam-Report: $spam_report ++ ++ # And reject if the SpamAssassin score is greater than ten ++ # ++ # deny condition = ${if >{$spam_score_int}{100} {1}} ++ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ ++ # $spam_report ++ ++ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 ++ # ++ # warn condition = ${if >{$spam_score_int}{5} {1}} ++ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons ++ + +- # Accept the message. ++ # If you want to greylist _all_ mail rather than only mail which looks like there ++ # might be something wrong with it, then you can do this... ++ # ++ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons ++ ++ # Now, invoke the greylisting. For this you need to have installed the exim-greylist ++ # package which contains this subroutine, and you need to uncomment the bit below ++ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, ++ # greylisting will kick in and will defer the mail to check if the sender is a ++ # proper mail which which retries, or whether it's a zombie. For more details, see ++ # the exim-greylist.conf.inc file itself. ++ # ++ # require acl = greylist_mail + + accept + ++# To enable the greylisting, also uncomment this line: ++# .include /etc/exim/exim-greylist.conf.inc ++ ++acl_check_mime: ++ ++ # File extension filtering. ++ deny message = Blacklisted file extension detected ++ condition = ${if match \ ++ {${lc:$mime_filename}} \ ++ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ ++ {1}{0}} ++ ++ accept + + + ###################################################################### +@@ -744,7 +869,7 @@ system_aliases: + driver = redirect + allow_fail + allow_defer +- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} ++ data = ${lookup{$local_part}lsearch{/etc/aliases}} + # user = exim + file_transport = address_file + pipe_transport = address_pipe +@@ -782,7 +907,7 @@ userforward: + # local_part_suffix = +* : -* + # local_part_suffix_optional + file = $home/.forward +-# allow_filter ++ allow_filter + no_verify + no_expn + check_ancestor +@@ -790,6 +915,12 @@ userforward: + pipe_transport = address_pipe + reply_transport = address_reply + ++procmail: ++ driver = accept ++ check_local_user ++ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail ++ transport = procmail ++ no_verify + + # This router matches local user mailboxes. If the router fails, the error + # message is "Unknown user". +@@ -830,6 +961,25 @@ remote_smtp: + tls_resumption_hosts = * + .endif + ++# This transport is used for delivering messages over SMTP using the ++# "message submission" port (RFC4409). ++ ++remote_msa: ++ driver = smtp ++ port = 587 ++ hosts_require_auth = * ++ ++ ++# This transport invokes procmail to deliver mail ++procmail: ++ driver = pipe ++ command = "/usr/bin/procmail -d $local_part" ++ return_path_add ++ delivery_date_add ++ envelope_to_add ++ user = $local_part ++ initgroups ++ return_output + + # This transport is used for delivering messages to a smarthost, if the + # smarthost router is enabled. This starts from the same basis as +@@ -884,8 +1034,8 @@ local_delivery: + delivery_date_add + envelope_to_add + return_path_add +-# group = mail +-# mode = 0660 ++ group = mail ++ mode = 0660 + + + # This transport is used for handling pipe deliveries generated by alias or +@@ -918,6 +1068,16 @@ address_reply: + driver = autoreply + + ++# This transport is used to deliver local mail to cyrus IMAP server via UNIX ++# socket. You'll need to configure the 'localuser' router above to use it. ++# ++#lmtp_delivery: ++# home_directory = /var/spool/imap ++# driver = lmtp ++# command = "/usr/lib/cyrus-imapd/deliver -l" ++# batch_max = 20 ++# user = cyrus ++ + + ###################################################################### + # RETRY CONFIGURATION # +@@ -958,6 +1118,21 @@ begin rewrite + # AUTHENTICATION CONFIGURATION # + ###################################################################### + ++begin authenticators ++ ++# This authenticator supports CRAM-MD5 username/password authentication ++# with Exim acting as a _client_, as it might when sending its outgoing ++# mail to a smarthost rather than directly to the final recipient. ++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate. ++ ++#client_auth: ++# driver = cram_md5 ++# public_name = CRAM-MD5 ++# client_name = SMTPAUTH_USERNAME ++# client_secret = SMTPAUTH_PASSWORD ++ ++# ++ + # The following authenticators support plaintext username/password + # authentication using the standard PLAIN mechanism and the traditional + # but non-standard LOGIN mechanism, with Exim acting as the server. +@@ -973,7 +1148,7 @@ begin rewrite + # The default RCPT ACL checks for successful authentication, and will accept + # messages from authenticated users from anywhere on the Internet. + +-begin authenticators ++# + + # PLAIN authentication has no server prompts. The client sends its + # credentials in one lump, containing an authorization ID (which we do not +@@ -987,7 +1162,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_in_cipher } + + # LOGIN authentication has traditional prompts and responses. There is no +@@ -999,7 +1174,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_in_cipher } + + |