Diffstat (limited to 'debian/debconf')
37 files changed, 1498 insertions, 0 deletions
diff --git a/debian/debconf/30_exim4-config_example_check_rcpt b/debian/debconf/30_exim4-config_example_check_rcpt
new file mode 100644
index 0000000..8e8883d
--- /dev/null
+++ b/debian/debconf/30_exim4-config_example_check_rcpt
@@ -0,0 +1,139 @@ +# This access control list is used for every RCPT command in an incoming +# SMTP message. The tests are run in order until the address is either +# accepted or denied. +# +acl_example_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by + # testing for an empty sending host field. + accept hosts = : + + # Deny if the local part contains @ or % or / or | or !. These are rarely + # found in genuine local parts, but are often tried by people looking to + # circumvent relaying restrictions. + # + # Also deny if the local part starts with a dot. Empty components aren't + # strictly legal in RFC 2822, but Exim allows them because this is common. + # However, actually starting with a dot may cause trouble if the local part + # is used as a file name (e.g. for a mailing list). + # + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept mail to postmaster in any local domain, regardless of the source, + # and without verifying the sender. + # + accept local_parts = postmaster + domains = +local_domains + + # Deny unless the sender address can be verified. + deny !acl = acl_whitelist_local_deny + !verify = sender + + # Warn if the sender host does not have valid reverse DNS. + warn message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address + !verify = reverse_host_lookup + + # deny bad senders (envelope sender) + # CONFDIR/local_sender_blacklist holds a list of envelope senders that + # should have their access denied to the local host. Incoming messages + # with one of these senders are rejected at RCPT time. + # + # The explicit white lists are honored as well as negative items in + # the black list. See /usr/share/doc/exim4-config/default_acl for details. + deny message = sender envelope address $sender_address is locally blacklisted here. 
If you think this is wrong, get in touch with postmaster + !acl = acl_whitelist_local_deny + senders = ${if exists{CONFDIR/local_sender_blacklist}\ + {CONFDIR/local_sender_blacklist}\ + {}} + + # deny bad sites (IP address) + # CONFDIR/local_host_blacklist holds a list of host names, IP addresses + # and networks (CIDR notation) that should have their access denied to + # The local host. Messages coming in from a listed host will have all + # RCPT statements rejected. + # + # The explicit white lists are honored as well as negative items in + # the black list. See /usr/share/doc/exim4-config/default_acl for details. + deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + !acl = acl_whitelist_local_deny + hosts = ${if exists{CONFDIR/local_host_blacklist}\ + {CONFDIR/local_host_blacklist}\ + {}} + + + ############################################################################# + # The DNS "black" lists here might have gone out of existence at the + # time you might want to start using this example. Use at your own risk, + # and verify the used lists' policies. 
+ ############################################################################# + + warn message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + dnslists = inputs.relays.osirusoft.com:dialups.relays.osirusoft.com:spamhaus.relays.osirusoft.com:spamsites.relays.osirusoft.com:spews.relays.osirusoft.com:relays.ordb.org:relays.bl.kundenserver.de:relays.visi.com:sbl.spamhaus.org + + warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + !senders = ${if exists{CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\ + {CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\ + {}} + dnslists = postmaster.rfc-ignorant.org/$sender_address_domain + + warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + !senders = ${if exists{CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\ + {CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\ + {}} + dnslists = abuse.rfc-ignorant.org/$sender_address_domain + + warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + !senders = ${if exists{CONFDIR/local_whois.rfc-ignorant.org_whitelist}\ + {CONFDIR/local_whois.rfc-ignorant.org_whitelist}\ + {}} + dnslists = whois.rfc-ignorant.org/$sender_address_domain + + warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + !senders = ${if 
exists{CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\ + {CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\ + {}} + dnslists = dsn.rfc-ignorant.org/$sender_address_domain + + # Accept if the address is in a local domain, but only if the recipient can + # be verified. Otherwise deny. The "endpass" line is the border between + # passing on to the next ACL statement (if tests above it fail) or denying + # access (if tests below it fail). + # + accept domains = +local_domains + endpass + message = unknown user + verify = recipient + + # Accept if the address is in a domain for which we are relaying, but again, + # only if the recipient can be verified. + # + accept domains = +relay_to_domains + endpass + message = unrouteable address + verify = recipient + + # If control reaches this point, the domain is neither in +local_domains + # nor in +relay_to_domains. + + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. Recipient verification is omitted here, because in many + # cases the clients are dumb MUAs that don't cope well with SMTP error + # responses. If you are actually relaying out from MTAs, you should probably + # add recipient verification here. + # + accept hosts = +relay_from_hosts + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted. + # + accept authenticated = * + + # Reaching the end of the ACL causes a "deny", but we might as well give + # an explicit message. + # + deny message = relay not permitted diff --git a/debian/debconf/conf.d/acl/00_exim4-config_header b/debian/debconf/conf.d/acl/00_exim4-config_header new file mode 100644 index 0000000..76b017e --- /dev/null +++ b/debian/debconf/conf.d/acl/00_exim4-config_header 
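Review bot: The `dnslists` line of the first `warn` verb hard-codes osirusoft, ordb.org, kundenserver.de and visi.com zones that the banner directly above it admits may no longer exist; a retired DNSBL zone can answer NXDOMAIN for everything (silently disabling the check) or, as some retired lists have done, answer positively for every query, which would put an `X-Warning` header on all inbound mail. Since this is an example file I would cut the line to one list whose policy is still published and put the "verify the used lists' policies" sentence right next to it, e.g. `dnslists = sbl.spamhaus.org` preceded by `# replace with lists whose listing policy you have checked`. The four rfc-ignorant.org stanzas that follow are copies differing only in zone name and whitelist file, so a one-line comment before the first saying the pattern repeats would make the file easier to scan. The `deny !acl = acl_whitelist_local_deny` / `!verify = sender` pair carries no `/defer_ok`, so as far as I recall a temporary DNS failure during sender verification produces a 4xx defer rather than a pass; the shipped `30_exim4-config_check_rcpt` comments the same lines out for DNS-less systems, and this example should say so.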
@@ -0,0 +1,8 @@ + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### +begin acl + + diff --git a/debian/debconf/conf.d/acl/20_exim4-config_whitelist_local_deny b/debian/debconf/conf.d/acl/20_exim4-config_whitelist_local_deny new file mode 100644 index 0000000..7ff368f --- /dev/null +++ b/debian/debconf/conf.d/acl/20_exim4-config_whitelist_local_deny @@ -0,0 +1,29 @@ +# This access control list is used to determine whitelisted senders and +# hosts. It checks for CONFDIR/local_host_whitelist and +# CONFDIR/local_sender_whitelist. +# +# It is meant to be used from some other acl entry. +# +# For example, +# deny message = local blacklist example +# !acl = acl_whitelist +# dnslist = some.dns.list.example +# will allow messages with envelope sender listed in local_sender_whitelist +# or messages coming in from hosts listed in local_host_whitelist to be +# accepted even if the delivering host is listed in the dns list. +# +# Whitelisting can also be configured by including negative items in the +# black list. See /usr/share/doc/exim4-config/default_acl for details. +# +# If the files do not exist, the white list never matches, which is +# the desired behaviour. + +acl_whitelist_local_deny: + accept hosts = ${if exists{CONFDIR/local_host_whitelist}\ + {CONFDIR/local_host_whitelist}\ + {}} + accept senders = ${if exists{CONFDIR/local_sender_whitelist}\ + {CONFDIR/local_sender_whitelist}\ + {}} + + diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt new file mode 100644 index 0000000..13d5852 --- /dev/null +++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 
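Review bot: The usage example in the header comment of 20_exim4-config_whitelist_local_deny refers to `!acl = acl_whitelist` and `dnslist = some.dns.list.example`, but the ACL defined below is named `acl_whitelist_local_deny` and the Exim condition is spelled `dnslists`, so a reader who pastes the example gets an undefined ACL and a misspelled condition. Change the two example lines to `#     !acl = acl_whitelist_local_deny` and `#     dnslists = some.dns.list.example`. The comment should also state that both `accept` statements are unconditional once their list matches, so a host in local_host_whitelist (or sender in local_sender_whitelist) bypasses every `deny` that calls this ACL, not only the DNSBL one shown in the example; in 30_exim4-config_check_rcpt on this page that is both the sender and the host blacklist.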
@@ -0,0 +1,118 @@ +# This access control list is used for every RCPT command in an incoming +# SMTP message. The tests are run in order until the address is either +# accepted or denied. +# +acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by + # testing for an empty sending host field. + accept hosts = : + + # Deny if the local part contains @ or % or / or | or !. These are rarely + # found in genuine local parts, but are often tried by people looking to + # circumvent relaying restrictions. + # + # Also deny if the local part starts with a dot. Empty components aren't + # strictly legal in RFC 2822, but Exim allows them because this is common. + # However, actually starting with a dot may cause trouble if the local part + # is used as a file name (e.g. for a mailing list). + # + deny local_parts = ^.*[@%!/|] : ^\\. + + # Accept mail to postmaster in any local domain, regardless of the source, + # and without verifying the sender. + # + accept local_parts = postmaster + domains = +local_domains + + # Deny unless the sender address can be verified. + # + # This is disabled by default so that DNSless systems don't break. If + # your system can do DNS lookups without delay or cost, you might want + # to enable the following line. + # deny !acl = acl_whitelist_local_deny + # !verify = sender + + # Warn if the sender host does not have valid reverse DNS. + # + # This is disabled by default so that DNSless systems don't break. If + # your system can do DNS lookups without delay or cost, you might want + # to enable the following lines. + # warn message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address + # !verify = reverse_host_lookup + + # deny bad senders (envelope sender) + # CONFDIR/local_sender_blacklist holds a list of envelope senders that + # should have their access denied to the local host. Incoming messages + # with one of these senders are rejected at RCPT time. 
+ # + # The explicit white lists are honored as well as negative items in + # the black list. See /usr/share/doc/exim4-config/default_acl for details. + deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + !acl = acl_whitelist_local_deny + senders = ${if exists{CONFDIR/local_sender_blacklist}\ + {CONFDIR/local_sender_blacklist}\ + {}} + + # deny bad sites (IP address) + # CONFDIR/local_host_blacklist holds a list of host names, IP addresses + # and networks (CIDR notation) that should have their access denied to + # The local host. Messages coming in from a listed host will have all + # RCPT statements rejected. + # + # The explicit white lists are honored as well as negative items in + # the black list. See /usr/share/doc/exim4-config/default_acl for details. + deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + !acl = acl_whitelist_local_deny + hosts = ${if exists{CONFDIR/local_host_blacklist}\ + {CONFDIR/local_host_blacklist}\ + {}} + + + ############################################################################# + # There are no checks on DNS "black" lists because the domains that contain + # these lists are changing all the time. You can find examples of + # how to use dnslists in /usr/share/doc/exim4-config/examples/acl + ############################################################################# + + # Accept if the address is in a local domain, but only if the recipient can + # be verified. Otherwise deny. The "endpass" line is the border between + # passing on to the next ACL statement (if tests above it fail) or denying + # access (if tests below it fail). + # + accept domains = +local_domains + endpass + message = unknown user + verify = recipient + + # Accept if the address is in a domain for which we are relaying, but again, + # only if the recipient can be verified. 
+ # + accept domains = +relay_to_domains + endpass + message = unrouteable address + verify = recipient + + # If control reaches this point, the domain is neither in +local_domains + # nor in +relay_to_domains. + + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. Recipient verification is omitted here, because in many + # cases the clients are dumb MUAs that don't cope well with SMTP error + # responses. If you are actually relaying out from MTAs, you should probably + # add recipient verification here. + # + accept hosts = +relay_from_hosts + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted. + # + accept authenticated = * + + # Reaching the end of the ACL causes a "deny", but we might as well give + # an explicit message. + # + deny message = relay not permitted + + + diff --git a/debian/debconf/conf.d/acl/40_exim4-config_check_data b/debian/debconf/conf.d/acl/40_exim4-config_check_data new file mode 100644 index 0000000..220a572 --- /dev/null +++ b/debian/debconf/conf.d/acl/40_exim4-config_check_data 
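Review bot: In both blacklist `deny` verbs of acl_check_rcpt the `!acl = acl_whitelist_local_deny` condition is listed before the `senders =` / `hosts =` condition, and Exim tests conditions in the order written, so the nested whitelist ACL and its `exists`/lsearch lookups run for every RCPT of every message even when no blacklist file is present and the deny could never fire. Moving `!acl = acl_whitelist_local_deny` below the `senders = ${if exists{CONFDIR/local_sender_blacklist}...}` condition (and likewise below `hosts = ...` in the second verb) lets the common case short-circuit without changing the result; the same ordering appears in the example file 30_exim4-config_example_check_rcpt earlier in this diff. A short comment on the two verbs explaining why the whitelist is consulted only after a blacklist hit would then document the intent.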
@@ -0,0 +1,29 @@ +# 40_exim4-config_check_data + +acl_check_data: + # Add Message-ID if missing + warn condition = ${if !def:h_Message-ID: {1}} + hosts = +relay_from_hosts + message = Message-ID: <E$message_id@$primary_hostname> + + # Deny unless the address list headers are syntactically correct. + # + # This is disabled by default because it might reject legitimate mail. + # If you want your system to insist on syntactically valid address + # headers, you might want to enable the following lines. + # deny message = Message headers fail syntax check + # !acl = acl_whitelist_local_deny + # !verify = header_syntax + + # require that there is a verifiable sender address in at least + # one of the "Sender:", "Reply-To:", or "From:" header lines. + # deny message = No verifiable sender address in message headers + # !acl = acl_whitelist_local_deny + # !verify = header_sender + + # enforce a message-size limit + # deny message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT + # condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{yes}{no}} + + # accept otherwise + accept diff --git a/debian/debconf/conf.d/auth/00_exim4-config_header b/debian/debconf/conf.d/auth/00_exim4-config_header new file mode 100644 index 0000000..c5f8fc1 --- /dev/null +++ b/debian/debconf/conf.d/auth/00_exim4-config_header @@ -0,0 +1,8 @@ + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### + +begin authenticators + + diff --git a/debian/debconf/conf.d/auth/30_exim4-config_examples b/debian/debconf/conf.d/auth/30_exim4-config_examples new file mode 100644 index 0000000..dbc3b9b --- /dev/null +++ b/debian/debconf/conf.d/auth/30_exim4-config_examples 
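Review bot: The Message-ID `warn` in acl_check_data is gated on `hosts = +relay_from_hosts`, but acl_check_rcpt earlier in this diff also accepts submissions from any host via `accept authenticated = *`, so an authenticated client outside +relay_from_hosts that omits Message-ID has no header added. Adding a parallel verb `warn condition = ${if !def:h_Message-ID: {1}}` / `authenticated = *` / `message = Message-ID: <E$message_id@$primary_hostname>` closes that gap. The commented-out size check is the only consumer of MESSAGE_SIZE_LIMIT on this page, which matches the "not enabled by default" remark in 01_exim4-config_listmacrosdefs; a comment here pointing back to where the macro is defined would help an admin who enables it.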
@@ -0,0 +1,102 @@ + +### auth/30_exim4-config_examples +################################# + +# The examples below are for server side authentication; they allow two +# styles of plain-text authentication against an CONFDIR/passwd file +# which should have user IDs in the first column and crypted passwords +# in the second. The columns need to be separated by ':'. For CRAM-MD5 +# exim needs access to the UNECRYPTED passwd - the example below assumes +# it is avalable in the third column of CONFDIR/passwd + +# plain_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $2 +# server_prompts = : +# +# login_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $1 +# +# cram_md5_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${extract{2}{:}{${lookup{$1}lsearch{CONFDIR/passwd}{$value}fail}}} +# server_set_id = $1 + +# Here is an example of CRAM-MD5 authentication against PostgreSQL: +# +# psqldb_auth: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$1}'}{$value}fail} +# server_set_id = $1 + +# Authenticate against local passwords using sasl2-bin +# +# plain_saslauthd: +# driver = plaintext +# public_name = PLAIN +# # don't send system passwords over unencrypted connections +# server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}} +# server_condition = ${if saslauthd{{$2}{$3}}{1}{0}} +# server_set_id = $2 +# server_prompts = : + +############## +# See /usr/share/doc/exim4-base/README.SMTP-AUTH +############## + +# These examples below are the equivalent for client side authentication. +# They get the passwords from CONFDIR/passwd.client. 
This file should have +# three columns separated by colons, the first contains the name of the +# mailserver to authenticate against, the second the username and the third +# contains the password. + +### # example for CONFDIR/passwd.client +### mail.server:blah:secret +### # default entry: +### *:bar:foo + +cram_md5: + driver = cram_md5 + public_name = CRAM-MD5 + client_name = ${extract{1}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} + client_secret = ${extract{2}{:}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} + +# Because AUTH PLAIN sends the password in clear, per default we only allow it +# over encrypted connections. If you want to change this disable the existing +# "client send" entry and enable the one below without the "if !eq{$tls_cipher}{}" +# by removing the hash-mark (#) at the beginning of the line. +plain: + driver = plaintext + public_name = PLAIN + client_send = "${if !eq{$tls_cipher}{}{\ + ^${extract{1}{::}\ + {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ + ^${extract{2}{::}\ + {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}\ + }fail}" +# client_send = "^${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}^${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" + +# Because AUTH LOGIN sends the password in clear, per default we only allow it +# over encrypted connections. If you want to change this disable the existing +# "client send" entry and enable the one below without the "if !eq{$tls_cipher}{}" +# by removing the hash-mark (#) at the beginning of the line. 
+login: + driver = plaintext + public_name = LOGIN + client_send = "${if !eq{$tls_cipher}{}{}fail}\ + : ${extract{1}{::}\ + {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} \ + : ${extract{2}{::}\ + {${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" +# client_send = ": ${extract{1}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}lsearch*{CONFDIR/passwd.client}{$value}fail}}}" + + + diff --git a/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs b/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs new file mode 100644 index 0000000..5b29ed0 --- /dev/null +++ b/debian/debconf/conf.d/main/01_exim4-config_listmacrosdefs 
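Review bot: The commented server-side `plain_server` and `login_server` examples have no `server_advertise_condition`, unlike `plain_saslauthd` further down which guards with `server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}`; an admin who uncomments the first two gets cleartext password mechanisms advertised on unencrypted sessions, which the file's own "don't send system passwords over unencrypted connections" comment argues against. Add `#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}` to both examples (and say the same of `cram_md5_server`, which the comment notes needs the unencrypted password in CONFDIR/passwd). The client-side `plain` and `login` authenticators already refuse to send unless `$tls_cipher` is set, but the active `cram_md5` client has no such guard; a comment stating that this is deliberate because CRAM-MD5 does not transmit the secret would pre-empt the question. The typos "UNECRYPTED" and "avalable" in the header comment should be fixed as well.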
@@ -0,0 +1,72 @@ + +###################################################################### +# Runtime configuration file for Exim # +###################################################################### + +###################################################################### +# MAIN CONFIGURATION SETTINGS # +###################################################################### + +# Just for reference and scripts, on debian, the main binary is +# installed as exim4 +exim_path = /usr/sbin/exim4 + +# Macro defining the main configuration directory, we use no abolute +# paths. +CONFDIR = /etc/exim4 + +# Macro defining the message size limit. This is not enabled by default +# in CONFDIR/conf.d/acl/40_exim4-config_check_data +MESSAGE_SIZE_LIMIT = 10M + +# Define a macro DC_minimaldns if dc_minimaldns=true, to use in +# .ifdef-statements otherwise this expands to an empty line +DEBCONFminimaldnsDEBCONF + +# The next three settings create two lists of domains and one list of hosts. +# These lists are referred to later in this configuration using the syntax +# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They +# are all colon-separated lists: + +# '@' refers to 'the name of the local host' + +### EXPANSION-begins ###################### +domainlist local_domains = DEBCONFlocal_domainsDEBCONF + +domainlist relay_to_domains = DEBCONFrelay_domainsDEBCONF + +hostlist relay_from_hosts = 127.0.0.1 : ::::1 : DEBCONFrelay_netsDEBCONF + + +# Specify the domain you want to be added to all unqualified addresses +# here. An unqualified address is one that does not contain an "@" character +# followed by a domain. For example, "caesar@rome.example" is a fully qualified +# address, but the string "caesar" (i.e. just a login name) is an unqualified +# email address. Unqualified addresses are accepted only from local callers by +# default. See the recipient_unqualified_hosts option if you want to permit +# unqualified addresses from remote sources. 
If this option is not set, the +# primary_hostname value is used for qualification. +qualify_domain = DEBCONFvisiblenameDEBCONF + +# only used for satellite-system +DCreadhost = DEBCONFreadhostDEBCONF + +#for satellite and smarthost-systems +DCsmarthost = DEBCONFsmarthostDEBCONF + +# listen on all all interfaces? +DEBCONFlistenonpublicDEBCONF +### EXPANSION-ends ###################### + +# The default delivery method. See CONFDIR/conf.d/transports/ for other +# possibilities +LOCAL_DELIVERY=mail_spool + +# The gecos field in /etc/passwd holds not only the name. see passwd(5). +gecos_pattern = ^([^,:]*) +gecos_name = $1 + + +# define a macro DCconfig_smarthost, DCconfig_satellite, etc. we need this +# for .ifdef ... .endif +DCconfig_DEBCONFconfigtypeDEBCONF = 1 diff --git a/debian/debconf/conf.d/main/02_exim4-config_options b/debian/debconf/conf.d/main/02_exim4-config_options new file mode 100644 index 0000000..1a85e8e --- /dev/null +++ b/debian/debconf/conf.d/main/02_exim4-config_options 
@@ -0,0 +1,103 @@ + +### main/02_exim4-config_options +################################# + +# This option defines the access control list that is run when an +# SMTP RCPT command is received. +# +acl_smtp_rcpt = acl_check_rcpt + +# This option defines the access control list that is run when an +# SMTP DATA command is received. +# +acl_smtp_data = acl_check_data + +# If you want unqualified recipient addresses to be qualified with a different +# domain to unqualified sender addresses, specify the recipient domain here. +# If this option is not set, the qualify_domain value is used. +# +# qualify_recipient = + +# The following line must be uncommented if you want Exim to recognize +# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal" +# (an IP address) instead of a named domain. The RFCs still require this form, +# but it makes little sense to permit mail to be sent to specific hosts by +# their IP address in the modern Internet. This ancient format has been used +# by those seeking to abuse hosts by using them for unwanted relaying. If you +# really do want to support domain literals, uncomment the following line, and +# see also the "domain_literal" router. +# +# allow_domain_literals + +.ifndef DC_minimaldns +# The setting below causes Exim to do a reverse DNS lookup on all incoming +# IP calls, in order to get the true host name. If you feel this is too +# expensive, you can specify the networks for which a lookup is done, or +# remove the setting entirely. +# +host_lookup = * +.endif + +# The settings below, which are actually the same as the defaults in the +# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP +# calls. You can limit the hosts to which these calls are made, and/or change +# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls +# are disabled. 
RFC 1413 calls are cheap and can provide useful information +# for tracing problem messages, but some hosts and firewalls have problems +# with them. This can result in a timeout instead of an immediate refused +# connection, leading to delays on starting up an SMTP session. +# +rfc1413_hosts = * +rfc1413_query_timeout = 30s + +# By default, Exim expects all envelope addresses to be fully qualified, that +# is, they must contain both a local part and a domain. If you want to accept +# unqualified addresses (just a local part) from certain hosts, you can specify +# these hosts by setting one or both of +# +# sender_unqualified_hosts = +# recipient_unqualified_hosts = +# +# to control sender and recipient addresses, respectively. When this is done, +# unqualified addresses are qualified using the settings of qualify_domain +# and/or qualify_recipient (see above). + +# If you want Exim to support the "percent hack" for certain domains, +# uncomment the following line and provide a list of domains. The "percent +# hack" is the feature by which mail addressed to x%y@z (where z is one of +# the domains listed) is locally rerouted to x@y and sent on. If z is not one +# of the "percent hack" domains, x%y is treated as an ordinary local part. This +# hack is rarely needed nowadays; you should not enable it unless you are sure +# that you really need it. +# +# percent_hack_domains = + +# When Exim can neither deliver a message nor return it to sender, it "freezes" +# the delivery error message (aka "bounce message"). There are also other +# circumstances in which messages get frozen. They will stay on the queue for +# ever unless one of the following options is set. + +# This option unfreezes frozen bounce messages after two days, tries +# once more to deliver them, and ignores any delivery failures. +# +ignore_bounce_errors_after = 2d + +# This option cancels (removes) frozen messages that are older than a week. 
+# +timeout_frozen_after = 7d + +freeze_tell = postmaster + +# Only for interacting with other packages, to make it possible to use +# -DSPOOLDIR to override it on the command line +.ifndef SPOOLDIR +SPOOLDIR = /var/spool/exim4 +.endif +spool_directory = SPOOLDIR + +# uucp should be able to set envelope-from to arbitrary values +trusted_users = uucp + +# uncomment this to get the Debian version in the SMTP dialog +# smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} (Debian package DEBCONFpackageversionDEBCONF) ${tod_full}" + diff --git a/debian/debconf/conf.d/main/03_exim4-config_tlsoptions b/debian/debconf/conf.d/main/03_exim4-config_tlsoptions new file mode 100644 index 0000000..d462ff9 --- /dev/null +++ b/debian/debconf/conf.d/main/03_exim4-config_tlsoptions 
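Review bot: `rfc1413_hosts = *` together with `rfc1413_query_timeout = 30s` means every inbound SMTP session may wait up to 30 seconds when the peer's firewall silently drops port 113, which is the common case on the modern Internet, and the comment above the settings already concedes this. Ident replies are unauthenticated client-supplied data, so they are of little value beyond log decoration; unless the deployment actually uses them I would set `rfc1413_query_timeout = 5s` at most, or `rfc1413_query_timeout = 0s` to disable the callbacks as the comment describes. The `.ifndef DC_minimaldns` guard on `host_lookup = *` is the right shape; a one-line comment naming where DC_minimaldns is defined (01_exim4-config_listmacrosdefs on this page) would save the reader a search.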
@@ -0,0 +1,46 @@ +# Example for TLS/SSL configuration. + +# See /usr/share/doc/exim4-base/README.TLS* for explanations. + +# Defines that you want to log what cipher your exim and the peer's mailer +# uses to encrypt the transaction. It also defines you want to log the 'DN' +# (Distinguished Name) of the certificate of the peer. +# +# log_selector = +tls_cipher +tls_peerdn + +# Defines what hosts to 'advertise' STARTTLS functionality to. Setting this +# to * will advertise to all hosts that connect with EHLO, and this is a +# good default +# +# tls_advertise_hosts = * + +# Defines where your SSL-certificate and SSL-Private Key are located. +# This requires a full path. The files pointed to must be kept 'secret' +# and should be owned my root.Debian-exim mode 640 (-rw-r-----). Usually the +# exim-gencert script takes care of these prerequisites. +# +# tls_certificate = CONFDIR/exim.crt +# tls_privatekey = CONFDIR/exim.key + +# A file which contains the certificates of the trusted CAs (Certification +# Authorities) against which host certificates can be checked (through the +# `tls_verify_hosts' and `tls_try_verify_hosts' lists below). +# /etc/ssl/certs/ca-certificates.crt is generated by +# the "ca-certificates" package's update-ca-certificates(8) command. +# +#tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt + +# A list of hosts which are constrained by `tls_verify_certificates'. A host +# that matches `tls_verify_host' must present a certificate that's +# verifyable through `tls_verify_certificates' in order to be accepted as an +# SMTP client. If it does not, the connection is aborted. +# +#tls_verify_hosts = + +# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but +# not `tls_verify_hosts'), request a certificate and check it against +# `tls_verify_certificates' but do not abort the connection if there is no +# certificate or if the certificate presented does not match. 
(This +# condition can be tested for in ACLs through `verify = certificate') +# +#tls_try_verify_hosts = * diff --git a/debian/debconf/conf.d/retry/00_exim4-config_header b/debian/debconf/conf.d/retry/00_exim4-config_header new file mode 100644 index 0000000..e2bb4a4 --- /dev/null +++ b/debian/debconf/conf.d/retry/00_exim4-config_header @@ -0,0 +1,7 @@ + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### + +begin retry + diff --git a/debian/debconf/conf.d/retry/30_exim4-config b/debian/debconf/conf.d/retry/30_exim4-config new file mode 100644 index 0000000..0ade295 --- /dev/null +++ b/debian/debconf/conf.d/retry/30_exim4-config @@ -0,0 +1,14 @@ + +# This single retry rule applies to all domains and all errors. It specifies +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 6 hours until 4 days have passed since the first +# failed delivery. + +# Domain Error Retries +# ------ ----- ------- + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + diff --git a/debian/debconf/conf.d/rewrite/00_exim4-config_header b/debian/debconf/conf.d/rewrite/00_exim4-config_header new file mode 100644 index 0000000..a32db17 --- /dev/null +++ b/debian/debconf/conf.d/rewrite/00_exim4-config_header @@ -0,0 +1,7 @@ + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### + +begin rewrite + diff --git a/debian/debconf/conf.d/rewrite/31_exim4-config_rewriting b/debian/debconf/conf.d/rewrite/31_exim4-config_rewriting new file mode 100644 index 0000000..e5944dc --- /dev/null +++ b/debian/debconf/conf.d/rewrite/31_exim4-config_rewriting 
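Review bot: Every directive in 03_exim4-config_tlsoptions is commented out, so as shipped this configuration does not advertise STARTTLS, yet the `plain_saslauthd` server example and the `plain`/`login` client authenticators in auth/30_exim4-config_examples condition on `$tls_cipher`; a comment at the top of this file such as `# While everything below is commented out, authenticators that test $tls_cipher are never usable on the server side.` would make that dependency visible (for the client side the outcome also depends on the remote host and the remote_smtp transport, which are not in this diff). The comment on the key files has two typos that matter for a security instruction: "owned my root.Debian-exim" should read "owned by", and "verifyable" should be "verifiable".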
@@ -0,0 +1,23 @@ + +### rewrite/31_exim4-config_rewriting +################################# + +# This rewriting rule is particularily useful for dialup users who +# don't have their own domain, but could be useful for anyone. +# It looks up the real address of all local users in a file +*@+local_domains ${lookup{${local_part}}lsearch{/etc/email-addresses}\ + {$value}fail} Ffrs + +# The same as above, using outdated /etc/exim4/email-addresses, please +# move its contents to /etc/email-addresses and delete +# /etc/exim4/email-addresses +*@+local_domains "${if exists {CONFDIR/email-addresses}\ + {${lookup{${local_part}}lsearch{CONFDIR/email-addresses}\ + {$value}fail}}fail}" Ffrs + + + +# hide mailname for satellite system and masqerade as DCreadhost instead +.ifdef DCconfig_satellite +*@+local_domains ${local_part}@DCreadhost Ffr +.endif diff --git a/debian/debconf/conf.d/router/00_exim4-config_header b/debian/debconf/conf.d/router/00_exim4-config_header new file mode 100644 index 0000000..531e21f --- /dev/null +++ b/debian/debconf/conf.d/router/00_exim4-config_header @@ -0,0 +1,11 @@ + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # +# An address is passed to each router in turn until it is accepted. # +###################################################################### + +begin routers + diff --git a/debian/debconf/conf.d/router/100_exim4-config_domain_literal b/debian/debconf/conf.d/router/100_exim4-config_domain_literal new file mode 100644 index 0000000..c07a354 --- /dev/null +++ b/debian/debconf/conf.d/router/100_exim4-config_domain_literal 
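Review bot: The first two rewrite rules in 31_exim4-config_rewriting use the flags `Ffrs` (From:, envelope sender, Reply-To:, Sender:), but the satellite rule at the bottom uses `Ffr` and leaves Sender: untouched; nothing in the file says whether that difference is intended. A comment on the satellite rule, either `# Sender: is left alone here because ...` or a change to `Ffrs` if the omission is accidental, would remove the ambiguity. Because `f` rewrites the envelope sender, bounces for rewritten mail go to the looked-up address, which is worth stating in the first rule's comment. The comment typos "particularily" and "masqerade" should also be corrected.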
@@ -0,0 +1,16 @@ + +# This router routes to remote hosts over SMTP by explicit IP address, +# when an email address is given in "domain literal" form, for example, +# <user@[192.168.35.64]>. The RFCs require this facility. However, it is +# little-known these days, and has been exploited by evil people seeking +# to abuse SMTP relays. Consequently it is commented out in the default +# configuration. If you uncomment this router, you also need to uncomment +# allow_domain_literals above, so that Exim can recognize the syntax of +# domain literal addresses. + +# domain_literal: +# debug_print = "R: domain_literal for $local_part@$domain" +# driver = ipliteral +# domains = ! +local_domains +# transport = remote_smtp + diff --git a/debian/debconf/conf.d/router/200_exim4-config_primary b/debian/debconf/conf.d/router/200_exim4-config_primary new file mode 100644 index 0000000..0a64829 --- /dev/null +++ b/debian/debconf/conf.d/router/200_exim4-config_primary 
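Review bot: The commented-out domain_literal router carries no ignore_target_hosts, so an admin who uncomments it as the header comment invites gets a router that sends user@[127.0.0.1] or user@[10.0.0.1] straight to that address, without the loopback/RFC1918 filtering the dnslookup router in the next file applies to MX targets. ignore_target_hosts is a generic router option in the Exim spec and applies to ipliteral as well (confirm against the installed version), so the guard can be shipped disabled alongside the router: `#   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\` followed by `#     172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16`, with a one-line comment that it mirrors the dnslookup router. The comment's "allow_domain_literals above" also misleads in this split layout, since the main section lives in a different file; naming the main directory would save the reader a search.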
@@ -0,0 +1,72 @@ + +### router/200_exim4-config_primary +################################# +# This file holds the primary router, responsible for nonlocal mails + +.ifdef DCconfig_internet +# configtype=internet +# +# deliver mail to the recipient if recipient domain is a domain we +# relay for. We do not ignore any target hosts here since delivering to +# a site local or even a link local address might be wanted here, and if +# such an address has found its way into the MX record of such a domain, +# the local admin is probably in a place where that broken MX record +# could be fixed. + +dnslookup_relay_to_domains: + driver = dnslookup + domains = ! +local_domains : +relay_to_domains + transport = remote_smtp + same_domain_copy_routing = yes + no_more + +# deliver mail directly to the recipient. This router is only reached +# for domains that we do not relay for. Since we most probably can't +# have broken MX records pointing to site local or link local IP +# addresses fixed, we ignore target hosts pointing to these addresses. + +dnslookup: + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + same_domain_copy_routing = yes + # ignore private rfc1918 and APIPA addresses + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 + no_more + +.endif + + +.ifdef DCconfig_local +# configtype=local +# +# Stand-alone system, so generate an error for mail to a non-local domain +nonlocal: + driver = redirect + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + domains = ! +local_domains + +.endif + + +.ifdef DCconfig_smarthost DCconfig_satellite +# configtype=smarthost or configtype=satellite +# +# Send all non-local mail to a single other machine (smarthost). +smarthost: + driver = manualroute + domains = ! 
+local_domains + transport = remote_smtp + route_list = * DCsmarthost + host_find_failed = defer + same_domain_copy_routing = yes + no_more + +.endif + + +# The "no_more" above means that all later routers are for +# domains in the local_domains list, i.e. just like Exim 3 directors. diff --git a/debian/debconf/conf.d/router/300_exim4-config_real_local b/debian/debconf/conf.d/router/300_exim4-config_real_local new file mode 100644 index 0000000..1703d7d --- /dev/null +++ b/debian/debconf/conf.d/router/300_exim4-config_real_local @@ -0,0 +1,9 @@ + +real_local: + debug_print = "R: real_local for $local_part@$domain" + driver = accept + domains = +local_domains + local_part_prefix = real- + check_local_user + transport = LOCAL_DELIVERY + diff --git a/debian/debconf/conf.d/router/400_exim4-config_system_aliases b/debian/debconf/conf.d/router/400_exim4-config_system_aliases new file mode 100644 index 0000000..c663570 --- /dev/null +++ b/debian/debconf/conf.d/router/400_exim4-config_system_aliases 
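Review bot: ignore_target_hosts on the dnslookup router lists only IPv4 loopback, private and APIPA ranges, so on an IPv6-capable build an MX whose target resolves to ::1, fe80::/10 or fc00::/7 is still a deliverable host, which is exactly the class of broken record the comment says this router should ignore. Extending the option to `ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\`, `  172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\`, `  ::1 : fe80::/10 : fc00::/7` closes that gap; whether this Exim is built with IPv6 is not visible in the hunk, and the extra entries are harmless if it is not. The single address 0.0.0.0 also leaves the rest of 0.0.0.0/8 unfiltered, which 0.0.0.0/8 would cover. The deliberate omission of this list on dnslookup_relay_to_domains is documented and needs no change.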
@@ -0,0 +1,29 @@ + +# This router handles aliasing using a traditional /etc/aliases file. +# +##### NB You must ensure that /etc/aliases exists. It used to be the case +##### NB that every Unix had that file, because it was the Sendmail default. +##### NB These days, there are systems that don't have it. Your aliases +##### NB file should at least contain an alias for "postmaster". +# +# Piping to programs in /etc/aliases is disabled per default. +# If that is a problem for you, see +# /usr/share/doc/exim4-config/README.system_aliases +# or explanation and some workarounds. +# +# Note that the transports listed below are the same as are used for +# .forward files; you might want to set up different ones for pipe and +# file deliveries from aliases. + +system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + domains = +local_domains + allow_fail + allow_defer + data = ${lookup{$local_part}lsearch{/etc/aliases}} +# user = list +# group = mail + file_transport = address_file +# pipe_transport = address_pipe +# directory_transport = address_directory diff --git a/debian/debconf/conf.d/router/500_exim4-config_hubuser b/debian/debconf/conf.d/router/500_exim4-config_hubuser new file mode 100644 index 0000000..1e2a179 --- /dev/null +++ b/debian/debconf/conf.d/router/500_exim4-config_hubuser @@ -0,0 +1,19 @@ + +### router/500_exim4-config_hubuser +################################# + +.ifdef DCconfig_satellite +# This router is only used for configtype=satellite. +# It takes care to route all mail targetted to <somelocaluser@this.machine> +# to the host where we read our mail +# +hub_user: + debug_print = "R: hub_user for $local_part@$domain" + driver = redirect + domains = +local_domains + data = ${local_part}@DCreadhost + check_local_user + +.endif + + diff --git a/debian/debconf/conf.d/router/600_exim4-config_userforward b/debian/debconf/conf.d/router/600_exim4-config_userforward new file mode 100644 index 0000000..2b71cc0 
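Review bot: system_aliases sets file_transport = address_file but leaves `user` and `group` commented out, and the address_file transport shown later in this series sets no user either, so an /etc/aliases entry that expands to a file path yields a delivery with no uid from router or transport; per the Exim spec such a redirect delivery is refused rather than run as the Exim user (confirm on the installed version), so file aliases would quietly fail instead of working. Either uncomment `user = list` / `group = mail` or replace the two commented lines with a comment such as `# file deliveries from /etc/aliases need user/group set here; none is set by address_file`. Leaving pipe_transport unset, so that pipe entries in /etc/aliases are refused, is the right default and is already explained in the header. One typo in that header: "or explanation" should read "for explanation".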
--- /dev/null +++ b/debian/debconf/conf.d/router/600_exim4-config_userforward 
@@ -0,0 +1,48 @@ + +# router/600_exim4-config_userforward +################################# + +# This router handles forwarding using traditional .forward files in users' +# home directories and filtering with exim's builtin filter language. +# +# The no_verify setting means that this router is skipped when Exim is +# verifying addresses. Similarly, no_expn means that this router is skipped if +# Exim is processing an EXPN command. +# +# The check_ancestor option means that if the forward file generates an +# address that is an ancestor of the current one, the current one gets +# passed on instead. This covers the case where A is aliased to B and B +# has a .forward file pointing to A. +# +# The four transports specified at the end are those that are used when +# forwarding generates a direct delivery to a directory, or a file, or to a +# pipe, or sets up an auto-reply, respectively. +# +userforward: + debug_print = "R: userforward for $local_part@$domain" + driver = redirect + domains = +local_domains + check_local_user + file = $home/.forward + no_verify + no_expn + check_ancestor + allow_filter + directory_transport = address_directory + file_transport = address_file + pipe_transport = address_pipe + reply_transport = address_reply + skip_syntax_errors + syntax_errors_to = real-$local_part@$domain + syntax_errors_text = \ + This is an automatically generated message. An error has\n\ + been found in your .forward file. Details of the error are\n\ + reported below. While this error persists, you will receive\n\ + a copy of this message for every message that is addressed\n\ + to you. If your .forward file is a filter file, or if it is\n\ + a non-filter file containing no valid forwarding addresses,\n\ + a copy of each incoming message will be put in your normal\n\ + mailbox. If a non-filter file contains at least one valid\n\ + forwarding address, forwarding to the valid addresses will\n\ + happen, and those will be the only deliveries that occur. + 
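Review bot: The loop-avoidance behind `syntax_errors_to = real-$local_part@$domain` is undocumented: it only works because the real_local router earlier in this series accepts the `real-` prefix with check_local_user and delivers straight to LOCAL_DELIVERY, so the error report bypasses the broken .forward instead of being fed back through it. Suggest adding above that line `# Use the real- prefix (real_local router) so this report is not routed through the broken .forward file again.`. allow_filter together with pipe_transport = address_pipe also lets a user's filter file run arbitrary commands as that user; a one-line comment stating that trust boundary would help whoever next hardens this file. Nothing in the hunk restricts the ownership or mode of .forward, so the redirect driver's defaults for check_owner and modemask (per the Exim spec) are what is relied on, and that is worth saying explicitly.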
diff --git a/debian/debconf/conf.d/router/700_exim4-config_procmail b/debian/debconf/conf.d/router/700_exim4-config_procmail new file mode 100644 index 0000000..8c829c5 --- /dev/null +++ b/debian/debconf/conf.d/router/700_exim4-config_procmail @@ -0,0 +1,11 @@ + +procmail: + debug_print = "R: procmail for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + transport = procmail_pipe + require_files = ${local_part}:${home}/.procmailrc:+/usr/bin/procmail + no_verify + no_expn + diff --git a/debian/debconf/conf.d/router/800_exim4-config_maildrop b/debian/debconf/conf.d/router/800_exim4-config_maildrop new file mode 100644 index 0000000..0c57fc6 --- /dev/null +++ b/debian/debconf/conf.d/router/800_exim4-config_maildrop @@ -0,0 +1,14 @@ + +### router/800_exim4-config_maildrop +################################# + +maildrop: + debug_print = "R: maildrop for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + transport = maildrop_pipe + require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop + no_verify + no_expn + diff --git a/debian/debconf/conf.d/router/900_exim4-config_local_user b/debian/debconf/conf.d/router/900_exim4-config_local_user new file mode 100644 index 0000000..52e1897 --- /dev/null +++ b/debian/debconf/conf.d/router/900_exim4-config_local_user @@ -0,0 +1,14 @@ + +### router/900_exim4-config_local_user +################################# + +local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + local_parts = ! root + transport = LOCAL_DELIVERY + + + diff --git a/debian/debconf/conf.d/router/mmm_mail4root b/debian/debconf/conf.d/router/mmm_mail4root new file mode 100644 index 0000000..88017ba --- /dev/null +++ b/debian/debconf/conf.d/router/mmm_mail4root 
@@ -0,0 +1,17 @@ + +### router/mmm_mail4root +################################# +# deliver mail addressed to root to /var/mail/mail as user mail:mail +# if it was not redirected in /etc/aliases or by other means +# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS) + +mail4root: + debug_print = "R: mail4root for $local_part@$domain" + driver = redirect + domains = +local_domains + data = /var/mail/mail + file_transport = address_file + local_parts = root + user = mail + group = mail + diff --git a/debian/debconf/conf.d/transport/00_exim4-config_header b/debian/debconf/conf.d/transport/00_exim4-config_header new file mode 100644 index 0000000..48e45da --- /dev/null +++ b/debian/debconf/conf.d/transport/00_exim4-config_header @@ -0,0 +1,13 @@ + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +# ORDER DOES NOT MATTER # +# Only one appropriate transport is called for each delivery. # +###################################################################### + +# A transport is used only when referenced from a router that successfully +# handles an address. + +begin transports + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_address_file b/debian/debconf/conf.d/transport/30_exim4-config_address_file new file mode 100644 index 0000000..82b55e2 --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_address_file @@ -0,0 +1,11 @@ + +# This transport is used for handling deliveries directly to files that are +# generated by aliasing or forwarding. +# +address_file: + debug_print = "T: address_file for $local_part@$domain" + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_address_pipe b/debian/debconf/conf.d/transport/30_exim4-config_address_pipe new file mode 100644 index 0000000..cb01c37 --- /dev/null 
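Review bot: mail4root writes everything addressed to root into /var/mail/mail as user mail, via the address_file transport that sets no `mode`, so the file's permissions come from appendfile's default (0600 per the Exim spec, confirm) and its owner is the mail user. The consequence that anything running as `mail` can read root's mail is not mentioned; suggest extending the header with `# NOTE: any process running as user mail can read this mailbox; alias root to a real user in /etc/aliases instead.`. The existing note about FIXED_NEVER_USERS explains why root itself cannot be the delivery user, so the two comments together give the full picture.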
+++ b/debian/debconf/conf.d/transport/30_exim4-config_address_pipe @@ -0,0 +1,12 @@ + +# This transport is used for handling pipe deliveries generated by alias or +# .forward files. If the commands fails and produces any output on standard +# output or standard error streams, the output is returned to the sender +# of the message as a delivery error. +# You can set different transports for aliases and forwards if you want to +# - see the references to address_pipe in the routers section above. +address_pipe: + debug_print = "T: address_pipe for $local_part@$domain" + driver = pipe + return_fail_output + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_address_reply b/debian/debconf/conf.d/transport/30_exim4-config_address_reply new file mode 100644 index 0000000..b2b8862 --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_address_reply @@ -0,0 +1,8 @@ + +# This transport is used for handling autoreplies generated by the filtering +# option of the userforward router. +# +address_reply: + debug_print = "T: autoreply for $local_part@$domain" + driver = autoreply + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_mail_spool b/debian/debconf/conf.d/transport/30_exim4-config_mail_spool new file mode 100644 index 0000000..21dfae4 --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_mail_spool @@ -0,0 +1,17 @@ + +### transport/30_exim4-config_mail_spool + +# This transport is used for local delivery to user mailboxes in traditional +# BSD mailbox format. +# +mail_spool: + debug_print = "T: appendfile for $local_part@$domain" + driver = appendfile + file = /var/mail/$local_part + delivery_date_add + envelope_to_add + return_path_add + group = mail + mode = 0660 + mode_fail_narrower = false + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_maildir_home b/debian/debconf/conf.d/transport/30_exim4-config_maildir_home new file mode 100644 index 0000000..3d25c30 --- /dev/null 
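Review bot: return_fail_output on address_pipe sends a failing command's stdout and stderr back to the envelope sender, and for alias and .forward pipes that sender is frequently a remote party, so local diagnostics (paths, script error text, user names) leave the machine inside the bounce. The header comment states the behaviour but not this consequence; suggest adding `# That output goes to arbitrary remote senders; prefer log_fail_output if the piped commands may expose local details.`. The transport also does not set use_shell, so the pipe string is not run through a shell (the Exim default, confirm), which is the property that keeps alias and .forward entries from being shell-interpreted and is worth one comment line.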
+++ b/debian/debconf/conf.d/transport/30_exim4-config_maildir_home @@ -0,0 +1,17 @@ + +### transport/30_exim4-config_maildir_home + +# Use this instead of mail_spool if you want to to deliver to Maildir in +# home-directory - change the definition of LOCAL_DELIVERY +# +maildir_home: + debug_print = "T: maildir_home for $local_part@$domain" + driver = appendfile + directory = $home/Maildir + delivery_date_add + envelope_to_add + return_path_add + maildir_format + mode = 0600 + mode_fail_narrower = false + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe b/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe new file mode 100644 index 0000000..0ba27bc --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_maildrop_pipe @@ -0,0 +1,10 @@ + +maildrop_pipe: + debug_print = "T: maildrop_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/maildrop" + return_path_add + delivery_date_add + envelope_to_add + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_procmail_pipe b/debian/debconf/conf.d/transport/30_exim4-config_procmail_pipe new file mode 100644 index 0000000..5fb03ff --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_procmail_pipe @@ -0,0 +1,10 @@ + +procmail_pipe: + debug_print = "T: procmail_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/procmail" + return_path_add + delivery_date_add + envelope_to_add + diff --git a/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp b/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp new file mode 100644 index 0000000..62ab68e --- /dev/null +++ b/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 
@@ -0,0 +1,14 @@ + +### transport/30_exim4-config_remote_smtp +################################# +# This transport is used for delivering messages over SMTP connections. +remote_smtp: + debug_print = "T: remote_smtp for $local_part@$domain" + driver = smtp +# hosts_try_auth = DCsmarthost + +# To use SMTP AUTH when sending to your smarthost, uncomment the above line, +# "hosts_try_auth = DCsmarthost" and add the necessary information (password, +# etc.) to the passwd.client file. +# /usr/share/doc/exim4-base/README.SMTP-AUTH + diff --git a/debian/debconf/conf.d/transport/35_exim4-config_address_directory b/debian/debconf/conf.d/transport/35_exim4-config_address_directory new file mode 100644 index 0000000..94541a4 --- /dev/null +++ b/debian/debconf/conf.d/transport/35_exim4-config_address_directory @@ -0,0 +1,13 @@ +# This transport is used for handling file addresses generated by alias +# or .forward files if the path ends in "/", which causes it to be treated +# as a directory name rather than a file name. + +address_directory: + debug_print = "T: address_directory for $local_part@$domain" + driver = appendfile + envelope_to_add = true + return_path_add = true + check_string = "" + escape_string = "" + maildir_format + diff --git a/debian/debconf/default_acl b/debian/debconf/default_acl new file mode 100644 index 0000000..452615c --- /dev/null +++ b/debian/debconf/default_acl 
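Review bot: The commented `hosts_try_auth = DCsmarthost` has no matching TLS requirement, so an admin who follows the comment and enables SMTP AUTH sends the passwd.client credential over whatever the session negotiates, which is cleartext if the smarthost does not offer STARTTLS; the authenticators are not in this hunk, but PLAIN/LOGIN-style mechanisms would expose the password outright. Suggest shipping `# hosts_require_tls = DCsmarthost` next to it and extending the comment with `# and hosts_require_tls, so the credential is never sent on an unencrypted session.`. The main section visible at the top of this chunk already carries a (commented) tls_try_verify_hosts, so TLS support is evidently expected to be present.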
@@ -0,0 +1,48 @@ +Access Control in the default configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The Debian exim 4 package comes with a default configuration that +allows flexible access control and blacklisting of sites and hosts. +The acls involved can be found in /etc/exim4/conf.d/acl with the file +names 20_exim4-config_whitelist_local_deny and 30_exim4-config_check_rcpt, +thus all rejections of messages due to this mechanism happen at RCPT +time. Local configuration of the mechanisms happen through data files +in /etc/exim4, so there is normally no need to change the files in the +acl subdirectory. + +/etc/exim4/local_sender_blacklist contains a list of envelope senders +whose messages will be denied with the error message "locally +blacklisted". This is a full exim 4 address list, and all available +features can be used. This includes negative items, and so it is +possible to exclude addresses from being blacklisted. For convenience, +as an additional method to whitelist addresses from being blocked, an +explicit whitelist is read in from /etc/exim4/local_sender_whitelist. +Entries in the whitelist override corresponding blacklist entries. + +In the blacklist, the trick is to read a line break as "or" if it +follows a positive item, and as "and" if it follows a negative item. + +For example, a /etc/exim4/local_sender_blacklist + +domain1.example +!local@domain2.example +domain2.example +domain3.example + +Exim just evaluates left to right (or up-down in the file listing +context), so you don't get the same kind of operator binding as in a +programming language. + +/etc/exim4/local_host_blacklist contains a list of IP addresses, +networks and host names whose messages will be denied with the error +message "locally blacklisted". This is a full exim 4 host list. Again, +negative items can be used here, and there is also an explicit +whitelist read in from /etc/exim4/local_host_whitelist, and whitelist +entries override blacklistings. 
+ +The example access list shipped in +/usr/share/doc/exim4-config/examples/acl/30_exim4-config_example_check_rcpt +includes a bunch of dnslists configured to warn and/or deny incoming +messages. Some of these lists have a corresponding whitelist, read +in from /etc/exim4/local_$DNSLISTNAME_whitelist which allows the local +administrator to override dnslist entries for domains or IP addresses +that should be able to send mail despite the dnslist entry. diff --git a/debian/debconf/update-exim4.conf b/debian/debconf/update-exim4.conf new file mode 100644 index 0000000..2399388 --- /dev/null +++ b/debian/debconf/update-exim4.conf 
@@ -0,0 +1,360 @@ +#!/bin/sh +# update-exim4.conf(8) - Generate /var/lib/exim4/config.autogenerated + + +UPEX4C_confdir="/etc/exim4" +UPEX4C_sections="main acl router transport retry rewrite auth" +EXIM="/usr/sbin/exim4" + +UPEX4C_verbose=no +UPEX4C_comments=no +UPEX4C_autoconfigfile=/var/lib/exim4/config.autogenerated +UPEX4C_outputfile="${UPEX4C_autoconfigfile}" +UPEX4C_version="" + +usage() { +cat <<EOF +$0 - Generate exim4 configuration files + Options: + -v|--verbose - Enable verbose mode, tell about ignored files + -h|--help - Show this message + --keepcomments - Do not remove comment lines + --removecomments - Remove comment lines + -o|--output file - write output to file instead of ${UPEX4C_outputfile} + -d|--confdir directory - read input from given directory instead of ${UPEX4C_confdir} +EOF +} + +## Parse commandline +TEMP=$(getopt -n update-exim4.conf \ + -l keepcomments,removecomments,output:,confdir:,help,verbose -- \ + +o:d:vh "$@") + +if test "$?" != 0; then + echo "Terminating..." >&2 + exit 1 +fi + +eval set -- ${TEMP} +while test "$1" != "--"; do + case $1 in + -h|--help) + usage + exit 0 + ;; + -v|--verbose) + UPEX4C_verbose=yes + ;; + --keepcomments) + UPEX4C_comments=yes + ;; + --removecomments) + UPEX4C_comments=no + ;; + -o|--output) + shift + UPEX4C_outputfile="$1" + ;; + -d|--confdir) + shift + UPEX4C_confdir="$1" + ;; + esac + shift +done +shift + +# No non-option arguments allowed. 
+if [ "$#" -ne 0 ]; then + echo "No non option arguments ($@) allowed" >&2 + usage >&2 + exit 1 +fi + +# exit immediately if /etc/exim4/exim4.conf exists and -o was not specified +if [ -e /etc/exim4/exim4.conf ] && \ + [ "x${UPEX4C_outputfile}" = "x${UPEX4C_autoconfigfile}" ] ; then + exit 0 +fi + + +UPEX4C_confd=$UPEX4C_confdir/conf.d + +[ -d ${UPEX4C_confd} ] || \ +{ printf "$0: Error, no ${UPEX4C_confd}, exiting.\n" 1>&2 ; exit 1 ; } + +[ -d `dirname $UPEX4C_outputfile` ] || \ +{ printf "$0: Error, missing `dirname $UPEX4C_outputfile`, exiting.\n" 1>&2 ; exit 1 ; } + +. $UPEX4C_confdir/update-exim4.conf.conf || \ +{ printf "$0: Error, no $UPEX4C_confdir/update-exim4.conf.conf, exiting.\n" 1>&2 ; exit 1 ; } + +[ "x${CFILEMODE}" = "x" ] && CFILEMODE=644 +[ "x${dc_use_split_config}" = "x" ] && dc_use_split_config='false' + +mailname=`cat /etc/mailname | head -n 1` + +# add localhost and mailname, get rid of spaces and trailing colons +local_domains="`echo ${mailname}:localhost:${dc_other_hostnames} | \ + sed -e 'sÄ[: ]*$ÄÄ' -e 'sÄ *ÄÄ'`" + +TEMPLATEFILE=${UPEX4C_confdir}/exim4.conf.template + +UPEX4C_internal_tmp=`tempfile -m600 -p ex4` + +trap "rm -f ${UPEX4C_internal_tmp}" 0 2 15 + +# test if $1 is user modified, print message +unmodifandmessage() { + [ "$#" -eq 1 ] || return 1 + if unmodified "$1" ; then + return 0 + else + [ "${UPEX4C_verbose}" = "yes" ] && \ + echo "ignoring user modified file $1" + return 1 + fi +} + +# 0123456789abcdef0123456789abcdef + + + +# use this as template for new gen_something functions. +UPEX4C_skeleton() { + UPEX4C_internal_currfile="${UPEX4C_confd}/foo/bar" + unmodifandmessage "${UPEX4C_internal_currfile}" || return + cat << EOF > "${UPEX4C_internal_tmp}" +# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +# This is an md5sum. +####################################### +# WARNING WARNING WARNING WARNING +# This file is dynamically generated by update-exim4.conf(8) using the data +# in /etc/exim4/update-exim4.conf.conf. 
+EOF +# insert more code that appends to ${UPEX4C_internal_tmp} + UPEX4C_internal_md5=`cat "${UPEX4C_internal_tmp}" | md5sum | cut -d\ -f1` + { echo "# ${UPEX4C_internal_md5}" ; cat "${UPEX4C_internal_tmp}" ; } > \ + "${UPEX4C_internal_currfile}" +} + +# run-parts emulation, stolen from Branden's /etc/X11/Xsession +# Addition: Use file.rul instead if file if it exists. +run_parts () { + # reset LC_COLLATE + unset LANG LC_COLLATE LC_ALL + + if [ -z "$1" ]; then + errormessage "$0: internal run_parts called without an argument" + fi + if [ ! -d "$1" ]; then + errormessage "$0: internal run_parts called, but $1 does not exist or is not a directory." + fi + for F in $(ls $1); do + if expr "$F" : '[[:alnum:]_-]\+$' > /dev/null 2>&1; then + if [ -f "$1/$F" ] ; then + if [ -f "$1/${F}.rul" ] ; then + echo "$1/${F}.rul" + else + echo "$1/$F" + fi + fi + fi + done; +} +# also from Branden +errormessage () { + # pretty-print messages of arbitrary length (no trailing newline) + echo "$*" | fold -s -w ${COLUMNS:-80} >&2; +} + +cat_parts() { + if [ -z "$1" ]; then + errormessage "$0: internal cat_parts called without an argument" + fi + if [ ! -d "$1" ]; then + errormessage "$0: internal cat_parts called, but $1 does not exist or is not a directory." + fi + for file in `run_parts $1`; do + echo "#####################################################" + echo "### $file" + echo "#####################################################" + cat $file + echo "#####################################################" + echo "### end $file" + echo "#####################################################" + done +} + +# check whether the file given as argument was modified by the user +# by comparing the md5sum in the first line with the real one. +unmodified() { + [ "$#" -eq 1 ] || return 1 + [ -f "$1" ] || return 1 + # first line, without the leading '# '. + checksum_current=`sed -n -e '1s/^# //' -e '1p;1q' "$1"` + + # md5sum over the rest of the file. 
+ # some versions of md5sum produce + # '68b329da9893e34099c7d8ad5cb9c940 -' others don't add the dash. + # '68b329da9893e34099c7d8ad5cb9c940' + checksum_new=`sed -n '2,$p' "$1" | md5sum | cut -d\ -f1` + + if [ "${checksum_current}" = "${checksum_new}" ] ; then + return 0 + else + return 1 + fi +} + +# update the md5sum given in the first line, return an error if the file does +# not have an md5sum header in the first line. +updatechecksumheader() { + [ "$#" -eq 1 ] || return 1 + [ -f "$1" ] || return 1 + # check for correct format "# 76a51391da4a0687697224a124b71a17" + sed -n -e '1p;1q' "$1" | grep -q -E '^# [[:xdigit:]]{32}$' || \ + { echo "incorrect format" ; return 1 ;} + + NEWFILE=`tempfile -m600 -p ex4` + sed -n '2,$p' "$1" | md5sum | cut -d\ -f1 | sed '1s/^/# /' > $NEWFILE + sed -n '2,$p' "$1" >> $NEWFILE + mv -f $NEWFILE "$1" +} + +gentmpconf() { + touch ${UPEX4C_outputfile}.tmp + #chown --reference=${TEMPLATEFILE} \ + # ${UPEX4C_outputfile}.tmp ${UPEX4C_outputfile} + #chmod --reference=${TEMPLATEFILE} \ + # ${UPEX4C_outputfile}.tmp ${UPEX4C_outputfile} + if [ "`id -u`" = "0" ]; then + chown root:Debian-exim ${UPEX4C_outputfile}.tmp + [ -e ${UPEX4C_outputfile} ] && \ + chown root:Debian-exim ${UPEX4C_outputfile} + fi + chmod 640 ${UPEX4C_outputfile}.tmp + [ -e ${UPEX4C_outputfile} ] && chmod 640 ${UPEX4C_outputfile} +} + +removecomments(){ + if [ "x${UPEX4C_comments}" = "xno" ] ; then + egrep -v '^[[:space:]]*#' | sed -e '/^$/N;/\n$/D' ; + else + cat + fi +} + +case "$dc_eximconfig_configtype" in + satellite) + ;; + local) + ;; + smarthost|internet) + ;; + none|*) + gentmpconf + for i in ${UPEX4C_sections} ; do + cat_parts ${UPEX4C_confd}/$i + done | \ + removecomments \ + sed -e "s/DEBCONF[^D][^E][^B].*DEBCONF//g" \ + > ${UPEX4C_outputfile}.tmp + mv -f ${UPEX4C_outputfile}.tmp ${UPEX4C_outputfile} + chmod ${CFILEMODE} ${UPEX4C_outputfile} + [ "${UPEX4C_verbose}" = "yes" ] && \ + echo "Not substituting variables since conftype is none (or other)" + exit 0 + 
;; +esac + +if [ "x${dc_local_interfaces}" = "x" ] ; then + listenonpublic='# if local_interfaces is unset, we listen on all interfaces' +else + listenonpublic="local_interfaces = ${dc_local_interfaces}" +fi + +if [ "x${dc_minimaldns}" = "xtrue" ] ; then + UPEX4C_minimaldns='DC_minimaldns = 1' +else + UPEX4C_minimaldns='' +fi + +gentmpconf + +cat << EOF > ${UPEX4C_outputfile}.tmp +######### +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# this file is generated dynamically from the files in +# CONFDIR/conf.d/ or /etc/exim4/exim4.conf.template respectively and +# /etc/exim4/update-exim4.conf.conf +# Any changes you make here will be lost. +# See /usr/share/doc/exim4-base/README.Debian.gz and update-exim4.conf(8) +# for instructions of customization. +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +# WARNING WARNING WARNING +######### +EOF + +case "${dc_use_split_config}" in +true) + for i in ${UPEX4C_sections} ; do + echo "# begin processing $i #####" + cat_parts ${UPEX4C_confd}/$i + echo "# end of $i #####" + done | \ + sed -e "sÄDEBCONFlocal_domainsDEBCONFÄ@:${local_domains}Äg" \ + -e "sÄDEBCONFrelay_domainsDEBCONFÄ${dc_relay_domains}Äg" \ + -e "sÄDEBCONFrelay_netsDEBCONFÄ${dc_relay_nets}Äg" \ + -e "sÄDEBCONFvisiblenameDEBCONFÄ${mailname}Äg" \ + -e "sÄDEBCONFreadhostDEBCONFÄ${dc_readhost}Äg" \ + -e "sÄDEBCONFsmarthostDEBCONFÄ${dc_smarthost}Äg" \ + -e "sÄDEBCONFconfigtypeDEBCONFÄ${dc_eximconfig_configtype}Äg" \ + -e "sÄDEBCONFlistenonpublicDEBCONFÄ${listenonpublic}Äg" \ + -e "sÄDEBCONFpackageversionDEBCONFÄ${UPEX4C_version}Äg" \ + -e "sÄDEBCONFminimaldnsDEBCONFÄ${UPEX4C_minimaldns}Äg" \ + -e "sÄDEBCONFnever_usersDEBCONFÄÄg" \ + | removecomments \ + >> ${UPEX4C_outputfile}.tmp +;; +false) + if [ ! 
-r /etc/exim4/exim4.conf.template ] ; then + echo "Error: Unsplit config selected and /etc/exim4/exim4.conf.template missing ... exiting" 1>&2 + exit 1 + fi + sed -e "sÄDEBCONFlocal_domainsDEBCONFÄ@:${local_domains}Äg" \ + -e "sÄDEBCONFrelay_domainsDEBCONFÄ${dc_relay_domains}Äg" \ + -e "sÄDEBCONFrelay_netsDEBCONFÄ${dc_relay_nets}Äg" \ + -e "sÄDEBCONFvisiblenameDEBCONFÄ${mailname}Äg" \ + -e "sÄDEBCONFreadhostDEBCONFÄ${dc_readhost}Äg" \ + -e "sÄDEBCONFsmarthostDEBCONFÄ${dc_smarthost}Äg" \ + -e "sÄDEBCONFconfigtypeDEBCONFÄ${dc_eximconfig_configtype}Äg" \ + -e "sÄDEBCONFlistenonpublicDEBCONFÄ${listenonpublic}Äg" \ + -e "sÄDEBCONFpackageversionDEBCONFÄ${UPEX4C_version}Äg" \ + -e "sÄDEBCONFminimaldnsDEBCONFÄ${UPEX4C_minimaldns}Äg" \ + -e "sÄDEBCONFnever_usersDEBCONFÄÄg" \ + < /etc/exim4/exim4.conf.template \ + | removecomments \ + >> ${UPEX4C_outputfile}.tmp +;; +esac + +# test validity if called without -o +if [ "x${UPEX4C_outputfile}" = "x${UPEX4C_autoconfigfile}" ] && \ + [ -x ${EXIM} ] ; then + if ! ${EXIM} -C "${UPEX4C_outputfile}.tmp" -bV > /dev/null ; then + errormessage "Invalid new configfile ${UPEX4C_outputfile}.tmp" + errormessage "not installing ${UPEX4C_outputfile}.tmp to ${UPEX4C_outputfile}" + exit 1 + fi +fi + +mv -f ${UPEX4C_outputfile}.tmp ${UPEX4C_outputfile} +chmod ${CFILEMODE} ${UPEX4C_outputfile} |
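Review bot: In the `none|*` branch of the configtype case, `removecomments \` continues onto `sed -e "s/DEBCONF[^D][^E][^B].*DEBCONF//g"` with no pipe between them, so the shell runs `removecomments sed -e …`; the function ignores its arguments and the sed never executes, leaving the DEBCONF placeholders in the installed config. The fix is the one line `removecomments | \`. Separately, dc_other_hostnames, dc_relay_nets, dc_smarthost and the other update-exim4.conf.conf values are interpolated into sed replacement text unescaped, so an `&`, a backslash or the non-ASCII delimiter character in a value silently corrupts the generated configuration; these are admin-supplied, so this is robustness rather than a trust boundary, but a small escaping helper applied once would remove the surprise. That same branch also installs its output with a bare `mv -f`, skipping the `exim -bV` validation the main path performs before replacing the live file.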