1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
|
From: Nathan Ollerenshaw <nathan@valuecommerce.co.jp>
## I've been working quite hard to come up with a config that reasonably
## matches the qmail-ldap setup, without the warts. I want to submit it
## for inclusion in your config.samples archive, in case anyone else needs
## to do the same as I. I hope its useful.
##
## A few notes; it supports catchalls but not dash extension addressing,
## as I couldn't be bothered, and I'm unsure as to how many people
## actually use the feature. Certainly nobody on my system. It supports
## autoreplies, but not an autoreply on a catchall, because this just
## kills your mailserver when someone does a dictionary spam attack
## against a domain set up this way.
######################################################################
# Runtime configuration file for Exim #
######################################################################
#domainlist local_domains = @ : lsearch:/apps/conf/mail/locals
domainlist local_domains = lsearch;/apps/conf/mail/locals
domainlist relay_to_domains =
# the pop-before-smtp package at http://popbsmtp.sourceforge.net/
# creates the /etc/mail/popauth.db file for us. We have to use dbmnz
# lookup type here.
hostlist relay_from_hosts = 127.0.0.1 : net-dbmnz;/etc/mail/popauth.db
primary_hostname = [[[SET THIS TO LOCAL HOST NAME]]]
# LDAP settings
# Set the following to your ldap server(s)
ldap_default_servers = ldap::389
BASEDN = [[[SET THIS TO YOUR BASE DN IN LDAP]]]
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
exim_user = vmail
exim_group = vmail
trusted_users = vmail
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
bounce_return_body = false
accept_8bitmime = true
allow_mx_to_ip = true
auto_thaw = 60m
smtp_accept_max = 0
smtp_load_reserve = 20
delay_warning = 4h:8h:24h
dns_again_means_nonexist = !+local_domains : !+relay_to_domains
spamd_address = 127.0.0.1 783
av_scanner = clamd:127.0.0.1 3310
# Spool settings
split_spool_directory = true
check_spool_space = 100M
check_spool_inodes = 1000
# Logging - enable a bunch of extra useful stuff. Never know, could help
# one day, and at least its better than qmail! Har har!
log_selector = +delivery_size +received_sender +received_recipients \
+subject +sender_on_delivery
# NOTE TO SELF: Lets use syslog and have all six mail servers log to a
# central location so its easier to do statistics gathering and fault
# analysis.
# MACROS
# Secret for all machines in the cluster. Change it to whatever you feel
# is best.
SECRET = Ni2opNyw2pNM3cmWn21nOSbwdq
GET_ADDRESS_DATA = ${lookup ldap {\
ldap:///BASEDN??sub?(&(uid=${quote_ldap:$local_part}@${quote_ldap:$domain}))\
}\
}
GET_CATCHALL_DATA = ${lookup ldap {\
ldap:///BASEDN??sub?(&(uid=catchall@${quote_ldap:$domain}))\
}\
}
MSGCOOKIE = ${hmac{md5}{SECRET}{$body_linecount}}
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
condition = ${if eq {{$primary_hostname}{$domain} {1}{0}} }
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
# the forward router does the initial LDAP lookup. It then caches this in
# $address_data for use by any of the other routers. Each router will fall
# through if they then don't meet their condition.
lookup:
driver = redirect
address_data = GET_ADDRESS_DATA
# data is intentionally left blank so that the router will decline
# we just want this router to do a lookup so the results are availble
# for the other routers.
data =
# OK, this is where we start supporting crazy qmail-ldap stuff. First, we
# check if the address has a deliveryMode of 'forwardonly'. forwardonly is
# a misnomer, because its possible for and address to be a forward, a mailbox
# and an autoreply. So, we make it do the forward, and check to see if it is
# also a reply or localdelivery, if so we set unseen to yes to make Exim
# copy the message and send it to the next router.
forward:
driver = redirect
condition = ${if match {${extract{deliveryMode}{$address_data}}}{forwardonly} {1}{0}}
data = ${extract{mailForwardingAddress}{$address_data}}
unseen = ${if or {{match {${extract{deliveryMode}{$address_data}}}{reply}} \
{match {${extract{deliveryMode}{$address_data}}}{localdelivery}}} \
{yes}{no}}
# Same deal, check if its a reply, if so we send it to the correct transport.
# After, we see if it needs to go to localdelivery as well.
reply:
driver = accept
condition = ${if match {${extract{deliveryMode}{$address_data}}}{reply} {1}{0}}
transport = auto_reply
unseen = ${if match {${extract{deliveryMode}{$address_data}}}{localdelivery} {yes}{no}}
localdelivery:
driver = accept
condition = ${if match {${extract{deliveryMode}{$address_data}}}{localdelivery} {1}{0}}
transport = local_delivery
# If we've reached this point, the account doesn't exist, so we need to
# check to see if there is a catchall account, and if so do the usual for
# it too. NOTE: we do not support auto-reply in a catch-all.
#
# This could, of course, be abused by someone assigning an auto-reply to
# a forward_catchall.
# NOTE TO SELF: See if reply router can be failed if an address comes from
# a catchall.
lookup_catchall:
driver = redirect
address_data = GET_CATCHALL_DATA
# data is intentionally left blank so that the router will decline
# just want this router to do a lookup.
data =
# could probably do a no_more = true based on the result of that LDAP
# lookup to skip the next few routers, but there is no point as they are
# not doing anything heavy so I'll just let them fall through and fail.
# The catchall routers are exactly the same as the above routers, except
# they make use of the GET_CATCHALL_DATA address_data to decide what to do
# with the mail.
forward_catchall:
driver = redirect
condition = ${if match {${extract{deliveryMode}{$address_data}}}{forwardonly} {1}{0}}
data = ${extract{mailForwardingAddress}{$address_data}}
unseen = ${if match {${extract{deliveryMode}{$address_data}}}{localdelivery} {yes}{no}}
localdelivery_catchall:
driver = accept
condition = ${if match {${extract{deliveryMode}{$address_data}}}{localdelivery} {1}{0}}
transport = local_delivery
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
remote_smtp:
driver = smtp
# Deliver to the mailbox specified in the LDAP directory. We make sure
# that quota is obeyed, and we try to send a messge to the user if it
# gets to over 85%.
local_delivery:
driver = appendfile
maildir_format
directory = ${extract{mailMessageStore}{$address_data}}/Maildir
create_directory
directory_mode = 0700
delivery_date_add
envelope_to_add
return_path_add
group = vmail
user = vmail
mode = 0600
quota = ${eval:${sg{${extract{1}{,}{${extract{mailQuota}{$address_data}}}}}{S}{}}/1024}K
maildir_use_size_file = true
quota_warn_threshold = 85%
# We set this to iso-2022-jp because we're in japan. Set it to whatever.
auto_reply:
driver = autoreply
subject = "[Auto-Reply] $header_subject"
headers = "Content-Type: text/plain; charset=iso-2022-jp"
to = "$sender_address"
text = ${extract{mailReplyText}{$address_data}}
from = $local_part@$domain
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# You should probably set up exiscan-acl's mime check here to scan for viruses
# and spam and reject at SMTP time. As I won't be doing that for a while, I've
# left it as an exercise for the reader.
acl_check_rcpt:
accept hosts = :
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains
require verify = sender
accept domains = +local_domains
endpass
verify = recipient
accept domains = +relay_to_domains
endpass
verify = recipient
accept hosts = +relay_from_hosts
accept authenticated = *
deny message = relay not permitted
acl_check_data:
require verify = header_syntax
message = This message has malformed headers.
deny message = This message contains malformed MIME ($demime_reason).
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = We do not accept ".$found_extension" attachments here as \
they are common file extensions for viruses. If you wish \
to send such an attachment, please zip it first.
demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
accept
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_condition = ${if ldapauth {user="uid=${quote_ldap_dn:$2},BASEDN" \
pass=${quote:$3} ldap:///}{yes}{no}}
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${if ldapauth {user="uid=${quote_ldap_dn:$1},BASEDN" \
pass=${quote:$2} ldap:///}{yes}{no}}
server_set_id = $1
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# begin local_scan
# End of Exim configuration file
|