diff -Naur exim-4.95_orig/scripts/Configure-Makefile exim-4.95/scripts/Configure-Makefile --- exim-4.95_orig/scripts/Configure-Makefile 2021-09-28 14:24:46.000000000 +0600 +++ exim-4.95/scripts/Configure-Makefile 2022-02-25 16:29:37.940065186 +0600 @@ -297,7 +297,7 @@ mv $mft $mftt echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft - echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft + echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft echo "" >>$mft cat $mftt >> $mft diff -Naur exim-4.95_orig/src/configure.default exim-4.95/src/configure.default --- exim-4.95_orig/src/configure.default 2021-09-28 14:24:46.000000000 +0600 +++ exim-4.95/src/configure.default 2022-02-25 17:51:49.979090483 +0600 @@ -67,7 +67,7 @@ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They # are all colon-separated lists: -domainlist local_domains = @ +domainlist local_domains = @ : localhost : localhost.localdomain domainlist relay_to_domains = hostlist relay_from_hosts = localhost # (We rely upon hostname resolution working for localhost, because the default @@ -119,11 +119,13 @@ # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: +acl_smtp_mail = acl_check_mail acl_smtp_rcpt = acl_check_rcpt .ifdef _HAVE_PRDR acl_smtp_data_prdr = acl_check_prdr .endif acl_smtp_data = acl_check_data +acl_smtp_mime = acl_check_mime # You should not change those settings until you understand how ACLs work. @@ -136,7 +138,7 @@ # of what to set for other virus scanners. The second modification is in the # acl_check_data access control list (see below). -# av_scanner = clamd:/tmp/clamd +av_scanner = clamd:/var/run/clamd.exim/clamd.sock # For spam scanning, there is a similar option that defines the interface to 
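Review bot: The `\$(CFLAGS)` appended to the PERL_CCOPTS line is emitted as a literal `$(CFLAGS)` into the generated Makefile, so it is expanded at make time rather than here, and the script gives no hint of why it is wanted. A one-line comment above the echo, such as `# append CFLAGS so objects built with PERL_CCOPTS use the build's own compiler flags`, would record the intent. If the rule that consumes PERL_CCOPTS already passes $(CFLAGS), those flags will now appear twice on that command line — harmless for most flags, but worth checking in the makefile that uses it.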
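Review bot: `acl_smtp_mime = acl_check_mime` is an option Exim only recognises when built with WITH_CONTENT_SCAN, as is the `av_scanner` setting made live in the hunk at -136, so on a build without content scanning this default configuration would fail to load. The file already wraps `acl_smtp_data_prdr` in `.ifdef _HAVE_PRDR` / `.endif`; guarding the new `acl_smtp_mime` line and `av_scanner` with the corresponding built-in macro for content scanning would keep the default usable on either build. If this configuration only ever ships with a content-scan build, a comment stating that dependency next to `acl_smtp_mime` is the minimum.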
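Review bot: `av_scanner = clamd:/var/run/clamd.exim/clamd.sock` is now enabled, but the only consumer of it, `deny malware = *` in acl_check_data (hunk at -606), stays commented out, so nothing is actually scanned while a reader of this file would assume virus rejection is in effect. Either keep `av_scanner` commented as upstream does, or enable the `deny malware = *` / `message = This message contains a virus ($malware_name).` pair together with it. The comment above still describes the value as an example for "other virus scanners"; since it is now live, a note that the socket must exist and be readable by the Exim user (presumably what the clamd.exim service provides) would help.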
@@ -157,7 +159,7 @@ # This is equivalent to the default. -# tls_advertise_hosts = * +tls_advertise_hosts = * # Specify the location of the Exim server's TLS certificate and private key. # The private key must not be encrypted (password protected). You can put @@ -165,8 +167,8 @@ # need the first setting, or in separate files, in which case you need both # options. -# tls_certificate = /etc/ssl/exim.crt -# tls_privatekey = /etc/ssl/exim.pem +tls_certificate = /etc/pki/tls/certs/exim.pem +tls_privatekey = /etc/pki/tls/private/exim.pem # For OpenSSL, prefer EC- over RSA-authenticated ciphers .ifdef _HAVE_OPENSSL @@ -189,8 +191,8 @@ # them you should also allow TLS-on-connect on the traditional but # non-standard port 465. -# daemon_smtp_ports = 25 : 465 : 587 -# tls_on_connect_ports = 465 +daemon_smtp_ports = 25 : 465 : 587 +tls_on_connect_ports = 465 # Specify the domain you want to be added to all unqualified addresses @@ -248,6 +250,25 @@ host_lookup = * +# This setting, if uncommented, allows users to authenticate using +# their system passwords against saslauthd if they connect over a +# secure connection. If you have network logins such as NIS or +# Kerberos rather than only local users, then you possibly also want +# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism +# too. Once a user is authenticated, the acl_check_rcpt ACL then +# allows them to relay through the system. +# +# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} +# +# By default, we set this option to allow SMTP AUTH from nowhere +# (Exim's default would be to allow it from anywhere, even on an +# unencrypted connection). +# +# Comment this one out if you uncomment the above. Did you make sure +# saslauthd is actually running first? +# +auth_advertise_hosts = + # The setting below causes Exim to try to initialize the system resolver # library with DNSSEC support. It has no effect if your library lacks 
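Review bot: Opening port 587 via `daemon_smtp_ports = 25 : 465 : 587` presents a submission service, but with `auth_advertise_hosts =` left empty in the hunk at -248 no AUTH is ever offered, so 587 (and TLS-on-connect 465) behave exactly like port 25 and an MUA cannot authenticate there. If that is the intended shipping state, a comment beside the ports line such as `# 465/587 only act as submission ports once auth_advertise_hosts below is enabled` would spare administrators the confusion; otherwise the two settings should be enabled together.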
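Review bot: The suggested `auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}` uses `$tls_cipher`, the deprecated alias of `$tls_in_cipher`, while the authenticator examples changed in the hunk at -983 already use `tls_in_cipher`; the comment should read `# auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}` so both places agree. The text also directs users to saslauthd, which the `server_condition` examples further down can only use when Exim is built with CYRUS_SASLAUTHD_SOCKET — if that is not guaranteed for this build, say so in the same comment.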
@@ -378,8 +399,8 @@ # Note that TZ is handled separately by the timezone runtime option # and TIMEZONE_DEFAULT buildtime option. -# keep_environment = ^LDAP -# add_environment = PATH=/usr/bin::/bin +keep_environment = ^LDAP +add_environment = PATH=/usr/bin::/bin @@ -390,6 +411,29 @@ begin acl + +# This access control list is used for the MAIL command in an incoming +# SMTP message. + +acl_check_mail: + + # Hosts are required to say HELO (or EHLO) before sending mail. + # So don't allow them to use the MAIL command if they haven't + # done so. + + deny condition = ${if eq{$sender_helo_name}{} {1}} + message = Nice boys say HELO first + + # Use the lack of reverse DNS to trigger greylisting. Some people + # even reject for it but that would be a little excessive. + + warn condition = ${if eq{$sender_host_name}{} {1}} + set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons + + accept + + + # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. @@ -401,6 +445,7 @@ accept hosts = : control = dkim_disable_verify + control = dmarc_disable_verify ############################################################################# # The following section of the ACL is concerned with local parts that contain @@ -454,7 +499,8 @@ accept local_parts = postmaster domains = +local_domains - # Deny unless the sender address can be verified. + # Deny unless the sender address can be routed. For proper verification of the + # address, read the documentation on callouts and add the /callout modifier. require verify = sender @@ -494,6 +540,7 @@ accept hosts = +relay_from_hosts control = submission control = dkim_disable_verify + control = dmarc_disable_verify # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient 
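Review bot: `add_environment = PATH=/usr/bin::/bin` contains an empty element between the two colons, which the shell treats as the current working directory, so any command Exim runs under this environment — the pipe transports in this file, including the new procmail one — would search its cwd for executables before /bin. The line should be `add_environment = PATH=/usr/bin:/bin`. Upstream's commented example carries the same double colon, but this patch is what makes it live.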
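Review bot: The new acl_check_mail denies every MAIL command not preceded by HELO/EHLO, whereas acl_check_rcpt exempts non-TCP local submissions with `accept hosts = :`; a local `exim -bs` client that skips HELO would be refused here before it ever reaches that exemption. Adding `accept hosts = :` as the first verb of acl_check_mail keeps the two ACLs consistent — confirm whether such local callers exist on this system. The greylist reason set by the `warn` relies on `$sender_host_name`, which is only populated because `host_lookup = *` is set earlier in this file; a one-line comment noting that dependency would help anyone who later narrows host_lookup.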
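Review bot: `control = dmarc_disable_verify` is only a valid control when Exim is built with DMARC support; on a build without it the ACL fails to parse, unlike the neighbouring `dkim_disable_verify` which default builds accept. The same line is added in the hunks at -494 and -503. Wrapping each in `.ifdef _HAVE_DMARC` / `.endif`, the way `_HAVE_PRDR` is used elsewhere in this file, keeps the default configuration loadable on either build; if the package always builds with DMARC, a comment saying so next to the first occurrence would be enough.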
@@ -503,6 +550,7 @@ accept authenticated = * control = submission control = dkim_disable_verify + control = dmarc_disable_verify # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow @@ -523,7 +571,8 @@ # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this - # point. The first one denies, whereas the second just warns. + # point. The first one denies, whereas the second just warns. The third + # triggers greylisting for any host in the blacklist # # deny dnslists = black.list.example # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text @@ -531,6 +580,10 @@ # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain + # + # warn dnslists = black.list.example + # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons + # ############################################################################# ############################################################################# @@ -556,6 +609,10 @@ # condition = ${if > {0}{$recipients_count}} # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# + # Alternatively, greylist for it: + # warn !verify = csa + # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons + # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. 
@@ -606,21 +663,33 @@ message = header syntax log_message = header syntax ($acl_verify_message) + # Put simple tests first. A good one is to check for the presence of a + # Message-Id: header, which RFC2822 says SHOULD be present. Some broken + # or misconfigured mailer software occasionally omits this from genuine + # messages too, though -- although it's not hard for the offender to fix + # after they receive a bounce because of it. + # + # deny condition = ${if !def:h_Message-ID: {1}} + # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ + # Most messages without it are spam, so your mail has been rejected. + # + # Alternatively if we're feeling more lenient we could just use it to + # trigger greylisting instead: + + warn condition = ${if !def:h_Message-ID: {1}} + set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons + + # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. # # deny malware = * # message = This message contains a virus ($malware_name). - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. - # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report + # Bypass SpamAssassin checks if the message is too large. + # + # accept condition = ${if >={$message_size}{100000} {1}} + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size ############################################################################# # No more tests if PRDR was actively used. 
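Review bot: The live `warn condition = ${if !def:h_Message-ID: {1}}` in acl_check_data applies to every message, including those accepted earlier with `control = submission` from authenticated clients or +relay_from_hosts; whether Exim's submission-mode header fix-ups have added a Message-ID by the time the DATA ACL runs is not shown here, so MUA-submitted mail could be greylisted for a header the server would itself supply. Guarding the warn with `!authenticated = *` and `!hosts = +relay_from_hosts` (the names acl_check_rcpt already uses) avoids that; confirm against the behaviour of this build. acl_check_data starts above this hunk.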
@@ -633,13 +702,64 @@ # deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} # condition = ... ############################################################################# + + # Run SpamAssassin, but allow for it to fail or time out. Add a warning message + # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA + # score exceeds the SA system threshold. + # + # warn spam = nobody/defer_ok + # add_header = X-Spam-Flag: YES + # + # accept condition = ${if !def:spam_score_int {1}} + # add_header = X-Spam-Note: SpamAssassin invocation failed + # + + # Unconditionally add score and report headers + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # X-Spam-Report: $spam_report + + # And reject if the SpamAssassin score is greater than ten + # + # deny condition = ${if >{$spam_score_int}{100} {1}} + # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ + # $spam_report + + # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 + # + # warn condition = ${if >{$spam_score_int}{5} {1}} + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons - # Accept the message. + # If you want to greylist _all_ mail rather than only mail which looks like there + # might be something wrong with it, then you can do this... + # + # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons + + # Now, invoke the greylisting. For this you need to have installed the exim-greylist + # package which contains this subroutine, and you need to uncomment the bit below + # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, + # greylisting will kick in and will defer the mail to check if the sender is a + # proper mail which which retries, or whether it's a zombie. For more details, see + # the exim-greylist.conf.inc file itself. 
+ # + # require acl = greylist_mail accept +# To enable the greylisting, also uncomment this line: +# .include /etc/exim/exim-greylist.conf.inc + +acl_check_mime: + # File extension filtering. + deny message = Blacklisted file extension detected + condition = ${if match \ + {${lc:$mime_filename}} \ + {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ + {1}{0}} + + accept ###################################################################### # ROUTERS CONFIGURATION # @@ -740,7 +860,7 @@ driver = redirect allow_fail allow_defer - data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} + data = ${lookup{$local_part}lsearch{/etc/aliases}} # user = exim file_transport = address_file pipe_transport = address_pipe @@ -778,7 +898,7 @@ # local_part_suffix = +* : -* # local_part_suffix_optional file = $home/.forward -# allow_filter + allow_filter no_verify no_expn check_ancestor @@ -786,6 +906,12 @@ pipe_transport = address_pipe reply_transport = address_reply +procmail: + driver = accept + check_local_user + require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail + transport = procmail + no_verify # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". @@ -826,6 +952,25 @@ tls_resumption_hosts = * .endif +# This transport is used for delivering messages over SMTP using the +# "message submission" port (RFC4409). + +remote_msa: + driver = smtp + port = 587 + hosts_require_auth = * + + +# This transport invokes procmail to deliver mail +procmail: + driver = pipe + command = "/usr/bin/procmail -d $local_part" + return_path_add + delivery_date_add + envelope_to_add + user = $local_part + initgroups + return_output # This transport is used for delivering messages to a smarthost, if the # smarthost router is enabled. This starts from the same basis as 
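Review bot: In acl_check_mime the denylist `{\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N}` blocks exactly six suffixes after `${lc:}`, so a comment stating it is a minimal example to be extended locally would set expectations; the pattern is also simpler as `{\N\.(exe|pif|bat|scr|lnk|com)$\N}`. The explanatory text above `require acl = greylist_mail` has a doubled word in `a proper mail which which retries` and should read `a proper mailer which retries`. acl_check_data, where that greylist text sits, starts above this hunk.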
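Review bot: Uncommenting `allow_filter` in the userforward router lets every local user's `.forward` be an Exim filter, which can pipe to commands, save to arbitrary paths and use `${run...}`/`${readfile...}` expansions under that user's identity. That can be fine on a single-user host, but the router sets none of the redirect router's `forbid_pipe`, `forbid_file`, `forbid_filter_run` or `forbid_filter_perl` restrictions, so either those restrictions or a comment recording the decision belongs next to the line. The rest of the userforward router is outside this hunk.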
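Review bot: The new `remote_msa` transport sets `hosts_require_auth = *` but not `hosts_require_tls = *`, so if the smarthost offers AUTH without STARTTLS the client credentials are sent in clear; adding `hosts_require_tls = *` to the transport makes authentication wait for TLS. Separately, the procmail transport's `command = "/usr/bin/procmail -d $local_part"` uses the tainted form of the local part; under the taint checks introduced in 4.94 a pipe command containing tainted data is refused at delivery time, so `$local_part_data` (the untainted value set by the router's `check_local_user`) is the safer choice there and likely for `user = $local_part` too — confirm on this build.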
@@ -880,8 +1025,8 @@ delivery_date_add envelope_to_add return_path_add -# group = mail -# mode = 0660 + group = mail + mode = 0660 # This transport is used for handling pipe deliveries generated by alias or @@ -914,6 +1059,16 @@ driver = autoreply +# This transport is used to deliver local mail to cyrus IMAP server via UNIX +# socket. You'll need to configure the 'localuser' router above to use it. +# +#lmtp_delivery: +# home_directory = /var/spool/imap +# driver = lmtp +# command = "/usr/lib/cyrus-imapd/deliver -l" +# batch_max = 20 +# user = cyrus + ###################################################################### # RETRY CONFIGURATION # @@ -954,6 +1109,21 @@ # AUTHENTICATION CONFIGURATION # ###################################################################### +begin authenticators + +# This authenticator supports CRAM-MD5 username/password authentication +# with Exim acting as a _client_, as it might when sending its outgoing +# mail to a smarthost rather than directly to the final recipient. +# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate. + +#client_auth: +# driver = cram_md5 +# public_name = CRAM-MD5 +# client_name = SMTPAUTH_USERNAME +# client_secret = SMTPAUTH_PASSWORD + +# + # The following authenticators support plaintext username/password # authentication using the standard PLAIN mechanism and the traditional # but non-standard LOGIN mechanism, with Exim acting as the server. @@ -969,7 +1139,7 @@ # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. -begin authenticators +# # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not 
@@ -983,7 +1153,7 @@ # driver = plaintext # server_set_id = $auth2 # server_prompts = : -# server_condition = Authentication is not yet configured +# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} # server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no @@ -995,7 +1165,7 @@ # driver = plaintext # server_set_id = $auth1 # server_prompts = <| Username: | Password: -# server_condition = Authentication is not yet configured +# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} # server_advertise_condition = ${if def:tls_in_cipher }
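Review bot: The new `server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}` takes the credentials from the numeric `$2`/`$3` variables while the neighbouring `server_set_id = $auth2` uses the `$authN` form; the numeric variables can be clobbered by any match performed inside the condition, so the line should read `server_condition = ${if saslauthd{{$auth2}{$auth3}{smtp}} {1}}` (and `{$auth1}{$auth2}` in the LOGIN authenticator changed in the hunk at -995). The `saslauthd` condition only exists when Exim is built with CYRUS_SASLAUTHD_SOCKET, which the comment should state since the example is meant to be uncommented as-is. The authenticator definition starts above this hunk.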