tls_advertise_hosts = <; !127.0.0.1 ; !::1
+# Configured TLS cipher selection.
+
+tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+
# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# testing for an empty sending host field.
accept hosts = :
-<% if node[:lsb][:release].to_i >= 10.04 -%>
control = dkim_disable_verify
-<% end -%>
#############################################################################
# The following section of the ACL is concerned with local parts that contain
deny local_parts = root:postmaster:webmaster:abuse:support
senders = :
- # Block sender of spam backscatter
+ # Block blacklisted senders
- deny senders = www-data@www.easyticket.de:*@email.realestate.co.nz:sipdentistry@mail.mediaworksonline.com:www-data@*.consoglobe.com:lina-noreply@jobstreet.com
+ deny senders = lsearch*@;/etc/exim4/blocked-senders
+ message = Rejected because $sender_address is blacklisted\nQueries to postmaster@$qualify_domain
+ !hosts = +relay_from_hosts
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept hosts = +relay_from_hosts
control = submission
-<% if node[:lsb][:release].to_i >= 10.04 -%>
control = dkim_disable_verify
-<% end -%>
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
accept authenticated = *
control = submission
-<% if node[:lsb][:release].to_i >= 10.04 -%>
control = dkim_disable_verify
-<% end -%>
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
message = This message scored $spam_score SpamAssassin points.
<% end -%>
+ # Deny spammy messages with headers of the form:
+ # X-PHP-Originating-Script: <digits>:<name>.php
+ # X-PHP-Originating-Script: <digits>:<name>.class.php
+ deny condition = ${if match {$h_X-PHP-Originating-Script:}{^[0-9]+:[A-Za-z]+(\\.class)?\\.php\$}}
+ !hosts = +relay_from_hosts
+ message = This message failed local spam checks.
+
# Accept the message.
accept
remote_smtp:
driver = smtp
+ multi_domain = false
+ tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
# This transport is used for handling pipe deliveries generated by alias or
command = <%= details[:command] %>
home_directory = <%= details[:home_directory] %>
path = <%= details[:path] || "/bin:/usr/bin" %>
- return_output
+ return_fail_output
<% else -%>
driver = appendfile
<% if details[:file] -%>
# There are no rewriting specifications in this default configuration file.
begin rewrite
+*@<%= node[:fqdn] %> "${if !match {${lookup{$1}lsearch{/etc/aliases}{$value}}}{@} {$1@openstreetmap.org}fail}" Eh
<% node[:exim][:rewrites].each do |rewrite| -%>
<%= rewrite[:pattern] %> <%= rewrite[:replacement] %> <%= rewrite[:flags] %>
<% end -%>