Diffstat (limited to 'core/conf/exim')
-rw-r--r--core/conf/exim/aliases2
-rw-r--r--core/conf/exim/exim.conf39
2 files changed, 34 insertions, 7 deletions
diff --git a/core/conf/exim/aliases b/core/conf/exim/aliases
index 2ebd0b9..2efb04c 100644
--- a/core/conf/exim/aliases
+++ b/core/conf/exim/aliases
@@ -4,7 +4,7 @@
 # The following alias is required by the mail RFCs 2821 and 2822.
 # Set it to the address of a HUMAN who deals with this system's mail problems.
 
-postmaster: c9admin@localhost
+postmaster: c9admin
 
 # It is also common to set the following alias so that if anybody replies to a
 # bounce message from this host, the reply goes to the postmaster.
diff --git a/core/conf/exim/exim.conf b/core/conf/exim/exim.conf
index 397ad70..47a6094 100644
--- a/core/conf/exim/exim.conf
+++ b/core/conf/exim/exim.conf
@@ -40,6 +40,7 @@
 ######################################################################
 #                    MAIN CONFIGURATION SETTINGS                     #
 ######################################################################
+#
 
 # Specify your host's canonical name here. This should normally be the fully
 # qualified "official" name of your host. If this option is not set, the
@@ -141,7 +142,7 @@ acl_smtp_data = acl_check_data
 
 # Allow any client to use TLS.
 
-# tls_advertise_hosts = *
+tls_advertise_hosts = *
 
 # Specify the location of the Exim server's TLS certificate and private key.
 # The private key must not be encrypted (password protected). You can put
@@ -149,8 +150,8 @@ acl_smtp_data = acl_check_data
 # need the first setting, or in separate files, in which case you need both
 # options.
 
-tls_certificate = /etc/ssl/exim.crt
-tls_privatekey = /etc/ssl/exim.pem
+tls_certificate = /etc/ssl/certs/exim.crt
+tls_privatekey = /etc/ssl/keys/exim.key
 
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
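Review bot: The relocated `tls_privatekey = /etc/ssl/keys/exim.key` points at an unencrypted key (the context comment requires that), yet nothing near the setting says who may read the file. A comment above it would help, for example `# exim.key must be readable only by root and the Exim runtime user (no world access).` Whether the install scripts create `/etc/ssl/keys` with restrictive ownership and mode is not visible in this diff, so that should be confirmed before the path change ships.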
@@ -161,9 +162,8 @@ tls_privatekey = /etc/ssl/exim.pem
 # them you should also allow TLS-on-connect on the traditional but
 # non-standard port 465.
 
-# daemon_smtp_ports = 25 : 465 : 587
-local_interfaces = 127.0.0.1
-# tls_on_connect_ports = 465
+daemon_smtp_ports = 25 : 465 : 587
+tls_on_connect_ports = 465
 
 
 # Specify the domain you want to be added to all unqualified addresses
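Review bot: Dropping `local_interfaces = 127.0.0.1` while enabling `daemon_smtp_ports = 25 : 465 : 587` changes the daemon from loopback-only to listening on every interface, and nothing in the hunk records that this is intended. With `tls_advertise_hosts = *` enabled in the earlier hunk, TLS is offered but not required. If authenticators are configured elsewhere in the file, AUTH should be offered only on encrypted sessions, e.g. `auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}`. The relay lists used by `acl_check_rcpt` (`relay_from_hosts`, relay domains) are defined outside this diff and should be rechecked now that remote clients can connect. If only local submission is needed, keeping the `local_interfaces` line is the safer default.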
@@ -289,6 +289,7 @@ log_selector = +smtp_protocol_error +smtp_syntax_error \
 
 
 
+
 # If you want Exim to support the "percent hack" for certain domains,
 # uncomment the following line and provide a list of domains. The "percent
 # hack" is the feature by which mail addressed to x%y@z (where z is one of
@@ -355,6 +356,18 @@ timeout_frozen_after = 7d
 # accept_8bitmime = false
 
 
+# Exim does not make use of environment variables itself. However,
+# libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
+# There are two lists: keep_environment for the variables we trust, and
+# add_environment for variables we want to set to a specific value.
+# Note that TZ is handled separateley by the timezone runtime option
+# and TIMEZONE_DEFAULT buildtime option.
+
+# keep_environment = ^LDAP
+# add_environment = PATH=/usr/bin::/bin
+
+
+
 ######################################################################
 #                       ACL CONFIGURATION                            #
 #         Specifies access control lists for incoming SMTP mail      #
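Review bot: Both `keep_environment` and `add_environment` are added commented out, so the file never states what Exim should do with its environment. As far as I recall, Exim releases that have these options purge the environment and log a warning at startup when `keep_environment` is unset. An explicit empty `keep_environment =` would document the intent and should silence that warning; please verify against the installed version. The added comment also has a typo: `separateley` should read `separately`.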
@@ -462,6 +475,11 @@ acl_check_rcpt:
           control       = submission
           control       = dkim_disable_verify
 
+  # Insist that a HELO/EHLO was accepted.
+
+  require message	= nice hosts say HELO first
+          condition	= ${if def:sender_helo_name}
+
   # Insist that any other recipient address that we accept is either in one of
   # our local domains, or is in a domain for which we explicitly allow
   # relaying. Any other domain is rejected as being unacceptable for relaying.
@@ -518,6 +536,11 @@ acl_check_rcpt:
 
 acl_check_data:
 
+  # Deny if the message contains an overlong line.  Per the standards
+  # we should never receive one such via SMTP.
+  #
+  deny    condition  = ${if > {$max_received_linelength}{998}}
+
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
   #
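Review bot: The new `deny` in `acl_check_data` has no `message` modifier, so a sender whose mail is refused for an over-long line gets only Exim's generic rejection text. Adding a line before the condition makes the refusal self-explanatory to the remote side and in the reject log: `deny message = maximum allowed line length is 998 octets, got $max_received_linelength`. The rest of `acl_check_data` lies outside this hunk, so the placement relative to other checks was not reviewed.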
@@ -710,9 +733,13 @@ begin transports
 
 
 # This transport is used for delivering messages over SMTP connections.
+# Refuse to send any message with over-long lines, which could have
+# been received other than via SMTP. The use of message_size_limit to
+# enforce this is a red herring.
 
 remote_smtp:
   driver = smtp
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 
 
 # This transport is used for local delivery to user mailboxes in traditional
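Review bot: The `message_size_limit` line on `remote_smtp` is a line-length check in disguise, and the added comment ("a red herring") does not explain how it works or what the operator will see. Suggest a comment directly above the option such as `# Expands to 1 (byte) when any line exceeds 998 octets, so the message fails the transport size check and is bounced; 0 means no limit.` It is also worth noting there that the resulting bounce will presumably complain about message size rather than line length, so whoever reads the logs knows to look at `$max_received_linelength`.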