Date: Mon, 2 Dec 2002 10:35:06 +0000
From: Mike Richardson <doctor@mcc.ac.uk>
Hiya,
I thought I'd submit this as an example of an authenticated mail hub
configuration. Several people have asked for it so I thought it
might be of interest.
Authenticated mail hubs that use LDAP for authentication and simply
forward mail to central mail routers. X headers are added for audit-trail
purposes.
Config:
#########################################################################
# Main section. Everything except local submissions must authenticate
# before it is allowed to relay (see acl_check_rcpt below).
# NOTE(review): Exim treats a line that begins with whitespace as a
# continuation of the previous one; the indentation of the continuation
# lines below (log_selector, headers_add, server_condition) appears to have
# been lost in transit, so re-indent them before using this file.
acl_smtp_rcpt = acl_check_rcpt
ignore_bounce_errors_after = 12h
timeout_frozen_after = 3d
# LDAP server. "hide" keeps the value out of "exim -bP" output for
# non-admin users.
hide ldap_default_servers=ldap.your.site
# TLS options: advertise STARTTLS but don't insist on it.
tls_advertise_hosts=*
tls_certificate=/var/cert/securemail.your.site.cert
tls_privatekey=/var/cert/securemail.your.site.key
# NOTE(review): tls_verify_hosts = * asks every TLS client for a certificate
# and drops the session if none verifies, which sits oddly with "don't
# insist on it" above; confirm this is intended and that the CA bundle
# (tls_verify_certificates) is configured somewhere not shown here.
tls_verify_hosts= *
# Remove the queue runner logs and add logging of the interface, protocols
# and connections. Useful for debugging when users are having difficulty
# configuring and connecting (many ISPs use transparent proxying).
log_selector= +incoming_interface -queue_run +smtp_protocol_error
+smtp_syntax_error +smtp_connection
# SMTP input limits. Some connections are reserved for local users
# (smtp_reserve_hosts) once smtp_accept_reserve slots remain.
smtp_accept_max=200
smtp_accept_queue=150
smtp_accept_reserve=10
smtp_reserve_hosts=130.88.0.0/16
smtp_connect_backlog=100
# Overloading: queue only above load 5, stop queue runs above load 7.
queue_only_load=5
deliver_queue_load_max=7
# Message size limits
message_size_limit=10M
return_size_limit=65535
# Spool space check
check_spool_space=100M
# directory splitting
split_spool_directory
# Parallel remote delivery
remote_max_parallel = 10
# My system filter is to create extra logging info for X-Mailer info.
system_filter=/etc/systemfilter
system_filter_user=exim
# Listen on multiple interfaces to defeat transparent proxying.
# NOTE(review): 465 is the conventional implicit-TLS (SMTPS) port, but
# nothing in this snippet sets up TLS-on-connect for it; confirm that
# clients using 465 are expected to STARTTLS, or add the matching option.
local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587
# Only accept local traffic and authenticated stuff.
# Error message points to useful web page.
# Order matters: locally submitted (non-network) mail is accepted first,
# local parts containing routing metacharacters are refused, the sender is
# verified for everyone, and only authenticated clients may then relay.
acl_check_rcpt:
accept hosts = :
deny local_parts = ^.*[@%!/|]
require verify = sender
accept authenticated = *
deny message = Not authenticated, see http://www.useful.web.page/
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
# Manual route to force all traffic through our hubs which handle all
# the alias expansion, domain routing etc.
# I add an X header for audit trail purposes but no more information than
# would be expected from a legitimate email. Don't want to upset the DPA
# people.
# NOTE(review): $authenticated_id is spliced straight into the LDAP filter.
# It is the client-supplied username (server_set_id in the authenticators
# below), so wrap it in ${quote_ldap:...} to keep filter metacharacters
# out of the query.
smarthost:
driver = manualroute
headers_add =X-Authenticated-Sender: ${lookup ldap\
{ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \
${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\
{ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}}
transport = remote_smtp
domains = ! +local_domains
route_list=* mailrouter.your.site
# Refuse to route to the unspecified/loopback addresses so a bad DNS
# answer for the hub cannot make the machine deliver to itself.
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# All other routes as per normal...
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# This only supports PLAIN and LOGIN due to the nature of our LDAP server.
# Both mechanisms carry the password in the clear, and TLS is advertised
# but not required above, so credentials can travel unencrypted. Consider
# a server_advertise_condition on each authenticator so PLAIN/LOGIN are
# only offered once TLS is established.
# NOTE(review): in both server_condition strings the client-supplied
# username ($2 for PLAIN, $1 for LOGIN) goes unquoted into the LDAP filter
# and the password ($3 / $2) unquoted into the user=/pass= list; use
# ${quote_ldap:...} for the filter values and ${quote:...} for the
# password. For PLAIN, $1 is the authorization id, $2 the authentication
# id and $3 the password; for LOGIN, $1 is the username and $2 the password.
begin authenticators
plain:
driver= plaintext
public_name = PLAIN
server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{$value}{no}}\" pass=$3 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{yes}{no}}"
server_set_id = $2
login:
driver = plaintext
public_name= LOGIN
server_prompts = "Username:: : Password::"
server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{$value}{no}}\" pass=$2 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{yes}{no}}"
server_set_id=$1
# End of Exim configuration file
##########################################################################