summaryrefslogtreecommitdiff
path: root/configs/config.samples/C044
blob: 17ec3f05b9a49351635f737389208097349d23be (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
Date: Mon, 2 Dec 2002 10:35:06 +0000
From: Mike Richardson <doctor@mcc.ac.uk>

Hiya,

I thought I'd submit this as an example of an authenticated mail hub
configuration. Several people have asked for it so I thought it
might be of interest.

Authenticated mail hubs using LDAP to authenticate against which simply
forward mail to central mailrouters. X headers are added for audit
trail purposes. 

Config:
#########################################################################

acl_smtp_rcpt = acl_check_rcpt

ignore_bounce_errors_after = 12h

timeout_frozen_after = 3d

# LDAP server:

hide ldap_default_servers=ldap.your.site

# SSL options. advertise TLS but don't insist on it.

tls_advertise_hosts=*
tls_certificate=/var/cert/securemail.your.site.cert
tls_privatekey=/var/cert/securemail.your.site.key
tls_verify_hosts= *

# Remove the queue runner logs and add logging of the interface, protocols
# and connections. Useful for debugging when users are having difficulty
# configuring and connecting. Many ISPs use Transparent Proxying

log_selector= +incoming_interface -queue_run +smtp_protocol_error
+smtp_syntax_error +smtp_connection

# SMTP input limits. Some connections are reserved for local users.

smtp_accept_max=200
smtp_accept_queue=150
smtp_accept_reserve=10
smtp_reserve_hosts=130.88.0.0/16
smtp_connect_backlog=100

# Overloading

queue_only_load=5
deliver_queue_load_max=7

# Message size limits

message_size_limit=10M
return_size_limit=65535

# Spool space check

check_spool_space=100M

# directory splitting

split_spool_directory

# Parallel remote deliver

remote_max_parallel = 10

# My system filter is to create extra logging info for X-Mailer info.

system_filter=/etc/systemfilter
system_filter_user=exim

# Listen of multiple interfaces to defeat transparent proxying

local_interfaces = 130.88.200.47.25 : 130.88.200.47.465 : 130.88.200.47.587

# Only accept local traffic and authenticated stuff.
# Error message points to useful web page.

acl_check_rcpt:

  accept  hosts = :
  deny    local_parts   = ^.*[@%!/|]
  require verify        = sender

  accept  authenticated = *

  deny    message       = Not authenticated, see http://www.useful.web.page/



######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################

begin routers

# Manual route to force all traffic through our hubs which handle all
# the alias expansion, domain routing etc.
# I add an X header for audit trail purposes but no more information that
# would be expected from a legitimate email. Don't want to upset the DPA
# people

smarthost:
  driver = manualroute
  headers_add =X-Authenticated-Sender: ${lookup ldap\
{ldap:///o=ac,c=uk?cn?sub?(&(uid=$authenticated_id))}{$value}{no}} from \
${sender_fullhost}\nX-Authenticated-From: ${lookup ldap\
{ldap:///o=ac,c=uk?mail?sub?(&(uid=$authenticated_id))}{$value}{no}}
  transport = remote_smtp
  domains = ! +local_domains
  route_list=* mailrouter.your.site 
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

# All other routes as per normal...


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# This only supports PLAIN and LOGIN due to the nature of our LDAP server.

begin authenticators

plain:
  driver= plaintext
  public_name = PLAIN
  server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{$value}{no}}\" pass=$3 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$2))}{yes}{no}}"
  server_set_id = $2
 
login:
  driver = plaintext
  public_name= LOGIN
  server_prompts = "Username:: : Password::"
  server_condition="${lookup ldap {user=\"${lookup \
ldapdn{ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{$value}{no}}\" pass=$2 \
ldap:///o=ac,c=uk?sn?sub?(&(uid=$1))}{yes}{no}}"
  server_set_id=$1
# End of Exim configuration file
##########################################################################