path: root/exim-4.98.2-config.patch

diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
index dc5015f..07f8c23 100755
--- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile
@@ -319,7 +319,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
 
   mv $mft $mftt
   echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
-  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
+  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
   echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
   echo "" >>$mft
   cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME
index ebfaf64..9e4e818 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -103,7 +103,7 @@
 # /usr/local/sbin. The installation script will try to create this directory,
 # and any superior directories, if they do not exist.
 
-BIN_DIRECTORY=/usr/exim/bin
+BIN_DIRECTORY=/usr/sbin
 
 
 #------------------------------------------------------------------------------
@@ -119,7 +119,7 @@ BIN_DIRECTORY=/usr/exim/bin
 # don't exist. It will also install a default runtime configuration if this
 # file does not exist.
 
-CONFIGURE_FILE=/usr/exim/configure
+CONFIGURE_FILE=/etc/exim/exim.conf
 
 # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
 # In this case, Exim will use the first of them that exists when it is run.
@@ -136,7 +136,7 @@ CONFIGURE_FILE=/usr/exim/configure
 # deliveries. (Local deliveries run as various non-root users, typically as the
 # owner of a local mailbox.) Specifying these values as root is not supported.
 
-EXIM_USER=
+EXIM_USER=93
 
 # If you specify EXIM_USER as a name, this is looked up at build time, and the
 # uid number is built into the binary. However, you can specify that this
@@ -157,7 +157,7 @@ EXIM_USER=
 # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
 # you want to use a group other than the default group for the given user.
 
-# EXIM_GROUP=
+EXIM_GROUP=93
 
 # Many sites define a user called "exim", with an appropriate default group,
 # and use
@@ -214,10 +214,10 @@ SPOOL_DIRECTORY=/var/spool/exim
 # If you are building with TLS, the library configuration must be done:
 
 # Uncomment this if you are using OpenSSL
-# USE_OPENSSL=yes
+USE_OPENSSL=yes
 # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
 # and an optional location.
-# USE_OPENSSL_PC=openssl
+USE_OPENSSL_PC=openssl
 # TLS_LIBS=-lssl -lcrypto
 # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
 
@@ -344,7 +344,7 @@ TRANSPORT_SMTP=yes
 # This one is special-purpose, and commonly not required, so it is not
 # included by default.
 
-# TRANSPORT_LMTP=yes
+TRANSPORT_LMTP=yes
 
 
 #------------------------------------------------------------------------------
@@ -353,9 +353,9 @@ TRANSPORT_SMTP=yes
 # MBX, is included only when requested. If you do not know what this is about,
 # leave these settings commented out.
 
-# SUPPORT_MAILDIR=yes
-# SUPPORT_MAILSTORE=yes
-# SUPPORT_MBX=yes
+SUPPORT_MAILDIR=yes
+SUPPORT_MAILSTORE=yes
+SUPPORT_MBX=yes
 
 
 #------------------------------------------------------------------------------
@@ -413,22 +413,28 @@ LOOKUP_DBM=yes
 LOOKUP_LSEARCH=yes
 LOOKUP_DNSDB=yes
 
-# LOOKUP_CDB=yes
-# LOOKUP_DSEARCH=yes
+LOOKUP_CDB=yes
+LOOKUP_DSEARCH=yes
 # LOOKUP_IBASE=yes
 # LOOKUP_JSON=yes
-# LOOKUP_LDAP=yes
+LOOKUP_LDAP=yes
+LDAP_LIB_TYPE=OPENLDAP2
+LOOKUP_LIBS=-lldap -llber -lsqlite3
 # LOOKUP_LMDB=yes
 
-# LOOKUP_MYSQL=yes
-# LOOKUP_MYSQL_PC=mariadb
-# LOOKUP_NIS=yes
-# LOOKUP_NISPLUS=yes
+LOOKUP_MYSQL=2
+LOOKUP_MYSQL_PC=mariadb
+# LOOKUP_NIS=yes
+# LOOKUP_NISPLUS=yes
+CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc
+LIBS+=-L/usr/$(_lib)/nsl
+
 # LOOKUP_ORACLE=yes
-# LOOKUP_PASSWD=yes
-# LOOKUP_PGSQL=yes
+LOOKUP_PASSWD=yes
+LOOKUP_PGSQL=2
+LOOKUP_PGSQL_LIBS=-lpq
 # LOOKUP_REDIS=yes
-# LOOKUP_SQLITE=yes
+LOOKUP_SQLITE=yes
 # LOOKUP_SQLITE_PC=sqlite3
 # LOOKUP_WHOSON=yes
 
@@ -441,7 +447,7 @@ LOOKUP_DNSDB=yes
 
 
 # Some platforms may need this for LOOKUP_NIS:
-# LIBS += -lnsl
+LIBS += -lnsl
 
 #------------------------------------------------------------------------------
 # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
@@ -515,7 +521,7 @@ SUPPORT_DANE=yes
 # files are defaulted in the OS/Makefile-Default file, but can be overridden in
 # local OS-specific make files.
 
-# EXIM_MONITOR=eximon.bin
+EXIM_MONITOR=eximon.bin
 
 
 #------------------------------------------------------------------------------
@@ -525,7 +531,7 @@ SUPPORT_DANE=yes
 # and the MIME ACL. Please read the documentation to learn more about these
 # features.
 
-# WITH_CONTENT_SCAN=yes
+WITH_CONTENT_SCAN=yes
 
 # If you have content scanning you may wish to only include some of the scanner
 # interfaces.  Uncomment any of these lines to remove that code.
@@ -609,12 +615,12 @@ DISABLE_MAL_MKS=yes
 
 # Uncomment the following line to add DMARC checking capability, implemented
 # using libopendmarc libraries. You must have SPF and DKIM support enabled also.
-# SUPPORT_DMARC=yes
+SUPPORT_DMARC=yes
 # CFLAGS += -I/usr/local/include
-# LDFLAGS += -lopendmarc
+LDFLAGS += -lopendmarc
 # Uncomment the following if you need to change the default. You can
 # override it at runtime (main config option dmarc_tld_file)
-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
+DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat
 #
 # Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
 # 1.3.2-3 works.  It seems that the OpenDMARC project broke their API.
@@ -749,7 +755,7 @@ FIXED_NEVER_USERS=root
 # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
 # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
 
-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
 
 
 #------------------------------------------------------------------------------
@@ -794,18 +800,18 @@ FIXED_NEVER_USERS=root
 # included in the Exim binary. You will then need to set up the run time
 # configuration to make use of the mechanism(s) selected.
 
-# AUTH_CRAM_MD5=yes
-# AUTH_CYRUS_SASL=yes
-# AUTH_DOVECOT=yes
+AUTH_CRAM_MD5=yes
+AUTH_CYRUS_SASL=yes
+AUTH_DOVECOT=yes
 # AUTH_EXTERNAL=yes
-# AUTH_GSASL=yes
-# AUTH_GSASL_PC=libgsasl
+AUTH_GSASL=yes
+AUTH_GSASL_PC=libgsasl
 # AUTH_HEIMDAL_GSSAPI=yes
 # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
 # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
-# AUTH_PLAINTEXT=yes
-# AUTH_SPA=yes
-# AUTH_TLS=yes
+AUTH_PLAINTEXT=yes
+AUTH_SPA=yes
+AUTH_TLS=yes
 
 # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
 # requires multiple pkg-config files to work with Exim, so the second example
@@ -832,7 +838,7 @@ FIXED_NEVER_USERS=root
 # one that is set in the headers_charset option. The default setting is
 # defined by this setting:
 
-HEADERS_CHARSET="ISO-8859-1"
+HEADERS_CHARSET="UTF-8"
 
 # If you are going to make use of $header_xxx expansions in your configuration
 # file, or if your users are going to use them in filter files, and the normal
@@ -852,7 +858,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # the Sieve filter support. For those OS where iconv() is known to be installed
 # as standard, the file in OS/Makefile-xxxx contains
 #
-# HAVE_ICONV=yes
+HAVE_ICONV=yes
 #
 # If you are not using one of those systems, but have installed iconv(), you
 # need to uncomment that line above. In some cases, you may find that iconv()
@@ -928,7 +934,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # Once you have done this, "make install" will build the info files and
 # install them in the directory you have defined.
 
-# INFO_DIRECTORY=/usr/share/info
+INFO_DIRECTORY=/usr/share/info
 
 
 #------------------------------------------------------------------------------
@@ -941,7 +947,7 @@ HEADERS_CHARSET="ISO-8859-1"
 # %s. This will be replaced by one of the strings "main", "panic", or "reject"
 # to form the final file names. Some installations may want something like this:
 
-# LOG_FILE_PATH=/var/log/exim_%slog
+LOG_FILE_PATH=/var/log/exim/%s.log
 
 # which results in files with names /var/log/exim_mainlog, etc. The directory
 # in which the log files are placed must exist; Exim does not try to create
@@ -1013,7 +1019,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
 # Perl costs quite a lot of resources. Only do this if you really need it.
 
-# EXIM_PERL=perl.o
+EXIM_PERL=perl.o
 
 
 #------------------------------------------------------------------------------
@@ -1023,7 +1029,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # that the local_scan API is made available by the linker. You may also need
 # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
 
-# EXPAND_DLFUNC=yes
+EXPAND_DLFUNC=yes
 
 
 #------------------------------------------------------------------------------
@@ -1033,7 +1039,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # support, which is intended for use in conjunction with the SMTP AUTH
 # facilities, is included only when requested by the following setting:
 
-# SUPPORT_PAM=yes
+SUPPORT_PAM=yes
 
 # You probably need to add -lpam to EXTRALIBS, and in some releases of
 # GNU/Linux -ldl is also needed.
@@ -1045,12 +1051,12 @@ ZCAT_COMMAND=/usr/bin/zcat
 # If you may want to use outbound (client-side) proxying, using Socks5,
 # uncomment the line below.
 
-# SUPPORT_SOCKS=yes
+SUPPORT_SOCKS=yes
 
 # If you may want to use inbound (server-side) proxying, using Proxy Protocol,
 # uncomment the line below.
 
-# SUPPORT_PROXY=yes
+SUPPORT_PROXY=yes
 
 
 #------------------------------------------------------------------------------
@@ -1074,9 +1080,9 @@ ZCAT_COMMAND=/usr/bin/zcat
 # installed on your system (www.libspf2.org). Depending on where it is installed
 # you may have to edit the CFLAGS and LDFLAGS lines.
 
-# SUPPORT_SPF=yes
+SUPPORT_SPF=yes
 # CFLAGS  += -I/usr/local/include
-# LDFLAGS += -lspf2
+LDFLAGS += -lspf2
 
 
 #------------------------------------------------------------------------------
@@ -1141,7 +1147,7 @@ ZCAT_COMMAND=/usr/bin/zcat
 # group. Once you have installed saslauthd, you should arrange for it to be
 # started by root at boot time.
 
-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
 
 
 #------------------------------------------------------------------------------
@@ -1155,8 +1161,8 @@ ZCAT_COMMAND=/usr/bin/zcat
 # library for TCP wrappers, so you probably need something like this:
 #
 # USE_TCP_WRAPPERS=yes
-# CFLAGS=-O -I/usr/local/include
-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
 #
 # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
 # as well.
@@ -1208,7 +1214,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 # is "yes", as well as supporting line editing, a history of input lines in the
 # current run is maintained.
 
-# USE_READLINE=yes
+USE_READLINE=yes
 
 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
 # Note that this option adds to the size of the Exim binary, because the
@@ -1225,7 +1231,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 #------------------------------------------------------------------------------
 # Uncomment this setting to include IPv6 support.
 
-# HAVE_IPV6=yes
+HAVE_IPV6=yes
 
 ###############################################################################
 #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
@@ -1246,13 +1252,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
 # haven't got Perl, Exim will still build and run; you just won't be able to
 # use those utilities.
 
-# CHOWN_COMMAND=/usr/bin/chown
-# CHGRP_COMMAND=/usr/bin/chgrp
-# CHMOD_COMMAND=/usr/bin/chmod
-# MV_COMMAND=/bin/mv
-# RM_COMMAND=/bin/rm
-# TOUCH_COMMAND=/usr/bin/touch
-# PERL_COMMAND=/usr/bin/perl
+CHOWN_COMMAND=/usr/bin/chown
+CHGRP_COMMAND=/usr/bin/chgrp
+CHMOD_COMMAND=/usr/bin/chmod
+MV_COMMAND=/usr/bin/mv
+RM_COMMAND=/usr/bin/rm
+TOUCH_COMMAND=/usr/bin/touch
+PERL_COMMAND=/usr/bin/perl
 
 
 #------------------------------------------------------------------------------
@@ -1454,7 +1460,7 @@ EXIM_TMPDIR="/tmp"
 # (process id) to a file so that it can easily be identified. The path of the
 # file can be specified here. Some installations may want something like this:
 
-# PID_FILE_PATH=/var/lock/exim.pid
+PID_FILE_PATH=/var/run/exim.pid
 
 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
 # using the name "exim-daemon.pid".
diff --git a/src/configure.default b/src/configure.default
index 633c653..6379927 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -67,7 +67,7 @@
 # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
 # are all colon-separated lists:
 
-domainlist local_domains = @
+domainlist local_domains = @ : localhost : localhost.localdomain
 domainlist relay_to_domains =
 hostlist   relay_from_hosts = localhost
 # (We rely upon hostname resolution working for localhost, because the default
@@ -119,11 +119,13 @@ hostlist   relay_from_hosts = localhost
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
 
+acl_smtp_mail =         acl_check_mail
 acl_smtp_rcpt =         acl_check_rcpt
 .ifdef _HAVE_PRDR
 acl_smtp_data_prdr =    acl_check_prdr
 .endif
 acl_smtp_data =         acl_check_data
+acl_smtp_mime =         acl_check_mime
 
 # You should not change those settings until you understand how ACLs work.
 
@@ -136,7 +138,7 @@ acl_smtp_data =         acl_check_data
 # of what to set for other virus scanners. The second modification is in the
 # acl_check_data access control list (see below).
 
-# av_scanner = clamd:/tmp/clamd
+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
 
 
 # For spam scanning, there is a similar option that defines the interface to
@@ -147,6 +149,12 @@ acl_smtp_data =         acl_check_data
 # spamd_address = 127.0.0.1 783
 
 
+# Set the default sqlite database file for greylisting. Uncomment this
+# if you use the greylisting ACLs defined below.
+
+# sqlite_dbfile = /var/spool/exim/db/greylist.db
+
+
 # If Exim is compiled with support for TLS, you may want to change the
 # following option so that Exim disallows certain clients from makeing encrypted
 # connections. The default is to allow all.
@@ -157,7 +165,7 @@ acl_smtp_data =         acl_check_data
 
 # This is equivalent to the default.
 
-# tls_advertise_hosts = *
+tls_advertise_hosts = *
 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
@@ -165,8 +173,8 @@ acl_smtp_data =         acl_check_data
 # need the first setting, or in separate files, in which case you need both
 # options.
 
-# tls_certificate = /etc/ssl/exim.crt
-# tls_privatekey = /etc/ssl/exim.pem
+tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem
 
 # For OpenSSL, prefer EC- over RSA-authenticated ciphers
 .ifdef _HAVE_OPENSSL
@@ -193,8 +201,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
 # them you should also allow TLS-on-connect on the traditional (and now
 # standard) port 465.
 
-# daemon_smtp_ports = 25 : 465 : 587
-# tls_on_connect_ports = 465
+daemon_smtp_ports = 25 : 465 : 587
+tls_on_connect_ports = 465
 
 
 # Specify the domain you want to be added to all unqualified addresses
@@ -252,6 +260,24 @@ never_users = root
 
 host_lookup = *
 
+# This setting, if uncommented, allows users to authenticate using
+# their system passwords against saslauthd if they connect over a
+# secure connection. If you have network logins such as NIS or
+# Kerberos rather than only local users, then you possibly also want
+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
+# too. Once a user is authenticated, the acl_check_rcpt ACL then
+# allows them to relay through the system.
+#
+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
+#
+# By default, we set this option to allow SMTP AUTH from nowhere
+# (Exim's default would be to allow it from anywhere, even on an
+# unencrypted connection).
+#
+# Comment this one out if you uncomment the above. Did you make sure
+# saslauthd is actually running first?
+#
+auth_advertise_hosts =
 
 # The setting below causes Exim to try to initialize the system resolver
 # library with DNSSEC support.  It has no effect if your library lacks
@@ -382,8 +408,8 @@ timeout_frozen_after = 7d
 # Note that TZ is handled separately by the timezone runtime option
 # and TIMEZONE_DEFAULT buildtime option.
 
-# keep_environment = ^LDAP
-# add_environment = PATH=/usr/bin::/bin
+keep_environment = ^LDAP
+add_environment = PATH=/usr/bin::/bin
 
 
 
@@ -394,6 +420,29 @@ timeout_frozen_after = 7d
 
 begin acl
 
+
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+
+  # Hosts are required to say HELO (or EHLO) before sending mail.
+  # So don't allow them to use the MAIL command if they haven't
+  # done so.
+
+  deny condition = ${if eq{$sender_helo_name}{} {1}}
+       message = Nice boys say HELO first
+
+  # Use the lack of reverse DNS to trigger greylisting. Some people
+  # even reject for it but that would be a little excessive.
+
+  warn condition = ${if eq{$sender_host_name}{} {1}}
+       set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
+
+  accept
+
+
+
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
@@ -405,6 +454,7 @@ acl_check_rcpt:
 
   accept  hosts = :
           control = dkim_disable_verify
+          control = dmarc_disable_verify
 
   #############################################################################
   # The following section of the ACL is concerned with local parts that contain
@@ -458,7 +508,8 @@ acl_check_rcpt:
   accept  local_parts   = postmaster
           domains       = +local_domains
 
-  # Deny unless the sender address can be verified.
+  # Deny unless the sender address can be routed. For proper verification of the
+  # address, read the documentation on callouts and add the /callout modifier.
 
   require verify        = sender
 
@@ -498,6 +549,7 @@ acl_check_rcpt:
   accept  hosts         = +relay_from_hosts
           control       = submission
           control       = dkim_disable_verify
+          control       = dmarc_disable_verify
 
   # Accept if the message arrived over an authenticated connection, from
   # any host. Again, these messages are usually from MUAs, so recipient
@@ -507,6 +559,7 @@ acl_check_rcpt:
   accept  authenticated = *
           control       = submission
           control       = dkim_disable_verify
+          control       = dmarc_disable_verify
 
   # Insist that any other recipient address that we accept is either in one of
   # our local domains, or is in a domain for which we explicitly allow
@@ -527,7 +580,8 @@ acl_check_rcpt:
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
   # examples of how you can get Exim to perform a DNS black list lookup at this
-  # point. The first one denies, whereas the second just warns.
+  # point. The first one denies, whereas the second just warns. The third
+  # triggers greylisting for any host in the blacklist.
   #
   # deny    dnslists      = black.list.example
   #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -535,6 +589,10 @@ acl_check_rcpt:
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
   #         log_message   = found in $dnslist_domain
+  #
+  # warn    dnslists      = black.list.example
+  #         set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
+  #
   #############################################################################
 
   #############################################################################
@@ -561,6 +619,10 @@ acl_check_rcpt:
   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
   #############################################################################
 
+  # Alternatively, greylist for it:
+  # warn !verify = csa
+  #      set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
+
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
 
@@ -610,21 +672,32 @@ acl_check_data:
           message =     header syntax
           log_message = header syntax ($acl_verify_message)
 
+  # Put simple tests first. A good one is to check for the presence of a
+  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
+  # or misconfigured mailer software occasionally omits this from genuine
+  # messages too, though -- although it's not hard for the offender to fix
+  # after they receive a bounce because of it.
+  #
+  # deny    condition  = ${if !def:h_Message-ID: {1}}
+  #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+  #                      Most messages without it are spam, so your mail has been rejected.
+  #
+  # Alternatively if we're feeling more lenient we could just use it to
+  # trigger greylisting instead:
+
+  warn    condition  = ${if !def:h_Message-ID: {1}}
+          set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
+
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
   #
   # deny    malware    = *
   #         message    = This message contains a virus ($malware_name).
 
-  # Add headers to a message if it is judged to be spam. Before enabling this,
-  # you must install SpamAssassin. You may also need to set the spamd_address
-  # option above.
+  # Bypass SpamAssassin checks if the message is too large.
   #
-  # warn    spam       = nobody
-  #         add_header = X-Spam_score: $spam_score\n\
-  #                      X-Spam_score_int: $spam_score_int\n\
-  #                      X-Spam_bar: $spam_bar\n\
-  #                      X-Spam_report: $spam_report
+  # accept  condition  = ${if >={$message_size}{100000} {1}}
+  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
 
   #############################################################################
   # No more tests if PRDR was actively used.
@@ -638,11 +711,63 @@ acl_check_data:
   #           condition    = ...
   #############################################################################
 
+  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+  # score exceeds the SA system threshold.
+  #
+  # warn    spam       = nobody/defer_ok
+  #         add_header = X-Spam-Flag: YES
+  #
+  # accept  condition  = ${if !def:spam_score_int {1}}
+  #         add_header = X-Spam-Note: SpamAssassin invocation failed
+  #
+
+  # Unconditionally add score and report headers
+  #
+  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+  #                      X-Spam-Report: $spam_report
+
+  # And reject if the SpamAssassin score is greater than ten
+  #
+  # deny    condition = ${if >{$spam_score_int}{100} {1}}
+  #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+  #  	    	        $spam_report
+
+  # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
+  #
+  # warn    condition = ${if >{$spam_score_int}{5} {1}}
+  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+
 
-  # Accept the message.
+  # If you want to greylist _all_ mail rather than only mail which looks like there
+  # might be something wrong with it, then you can do this...
+  #
+  # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
+
+  # Now, invoke the greylisting. For this you need to have installed the exim-greylist
+  # package which contains this subroutine, and you need to uncomment the bit below
+  # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
+  # greylisting will kick in and will defer the mail to check if the sender is a
+  # proper mail which which retries, or whether it's a zombie. For more details, see
+  # the exim-greylist.conf.inc file itself.
+  #
+  # require acl = greylist_mail
 
   accept
 
+# To enable the greylisting, also uncomment this line:
+# .include /etc/exim/exim-greylist.conf.inc
+
+acl_check_mime:
+
+  # File extension filtering.
+  deny message = Blacklisted file extension detected
+       condition = ${if match \
+                        {${lc:$mime_filename}} \
+                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
+                     {1}{0}}
+
+  accept
 
 
 ######################################################################
@@ -744,7 +869,7 @@ system_aliases:
   driver = redirect
   allow_fail
   allow_defer
-  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
+  data = ${lookup{$local_part}lsearch{/etc/aliases}}
 # user = exim
   file_transport = address_file
   pipe_transport = address_pipe
@@ -782,7 +907,7 @@ userforward:
 # local_part_suffix = +* : -*
 # local_part_suffix_optional
   file = $home/.forward
-# allow_filter
+  allow_filter
   no_verify
   no_expn
   check_ancestor
@@ -790,6 +915,12 @@ userforward:
   pipe_transport = address_pipe
   reply_transport = address_reply
 
+procmail:
+  driver = accept
+  check_local_user
+  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
+  transport = procmail
+  no_verify
 
 # This router matches local user mailboxes. If the router fails, the error
 # message is "Unknown user".
@@ -830,6 +961,25 @@ remote_smtp:
   tls_resumption_hosts = *
 .endif
 
+# This transport is used for delivering messages over SMTP using the
+# "message submission" port (RFC4409).
+
+remote_msa:
+  driver = smtp
+  port = 587
+  hosts_require_auth = *
+
+
+# This transport invokes procmail to deliver mail
+procmail:
+  driver = pipe
+  command = "/usr/bin/procmail -d $local_part"
+  return_path_add
+  delivery_date_add
+  envelope_to_add
+  user = $local_part
+  initgroups
+  return_output
 
 # This transport is used for delivering messages to a smarthost, if the
 # smarthost router is enabled.  This starts from the same basis as
@@ -884,8 +1034,8 @@ local_delivery:
   delivery_date_add
   envelope_to_add
   return_path_add
-# group = mail
-# mode = 0660
+  group = mail
+  mode = 0660
 
 
 # This transport is used for handling pipe deliveries generated by alias or
@@ -918,6 +1068,16 @@ address_reply:
   driver = autoreply
 
 
+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
+# socket. You'll need to configure the 'localuser' router above to use it.
+#
+#lmtp_delivery:
+#  home_directory = /var/spool/imap
+#  driver = lmtp
+#  command = "/usr/lib/cyrus-imapd/deliver -l"
+#  batch_max = 20
+#  user = cyrus
+
 
 ######################################################################
 #                      RETRY CONFIGURATION                           #
@@ -958,6 +1118,21 @@ begin rewrite
 #                   AUTHENTICATION CONFIGURATION                     #
 ######################################################################
 
+begin authenticators
+
+# This authenticator supports CRAM-MD5 username/password authentication
+# with Exim acting as a _client_, as it might when sending its outgoing
+# mail to a smarthost rather than directly to the final recipient.
+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
+
+#client_auth:
+#  driver = cram_md5
+#  public_name = CRAM-MD5
+#  client_name = SMTPAUTH_USERNAME
+#  client_secret = SMTPAUTH_PASSWORD
+
+#
+
 # The following authenticators support plaintext username/password
 # authentication using the standard PLAIN mechanism and the traditional
 # but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -973,7 +1148,7 @@ begin rewrite
 # The default RCPT ACL checks for successful authentication, and will accept
 # messages from authenticated users from anywhere on the Internet.
 
-begin authenticators
+#
 
 # PLAIN authentication has no server prompts. The client sends its
 # credentials in one lump, containing an authorization ID (which we do not
@@ -987,7 +1162,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth2
 #  server_prompts             = :
-#  server_condition           = Authentication is not yet configured
+#  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
 #  server_advertise_condition = ${if def:tls_in_cipher }
 
 # LOGIN authentication has traditional prompts and responses. There is no
@@ -999,7 +1174,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth1
 #  server_prompts             = <| Username: | Password:
-#  server_condition           = Authentication is not yet configured
+#  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
 #  server_advertise_condition = ${if def:tls_in_cipher }