pkgs/raven
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
raven/extras/exim/exim-4.97-config.patch_
Raven f4c2fd5c67 initial commit
2024-02-21 13:47:54 +06:00

454 lines
17 KiB
Plaintext
Raw Permalink Blame History

diff -Naur exim-4.95_orig/scripts/Configure-Makefile exim-4.95/scripts/Configure-Makefile
--- exim-4.95_orig/scripts/Configure-Makefile 2021-09-28 14:24:46.000000000 +0600
+++ exim-4.95/scripts/Configure-Makefile 2022-02-25 16:29:37.940065186 +0600
@@ -297,7 +297,7 @@
mv $mft $mftt
echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
echo "" >>$mft
cat $mftt >> $mft
diff -Naur exim-4.95_orig/src/configure.default exim-4.95/src/configure.default
--- exim-4.95_orig/src/configure.default 2021-09-28 14:24:46.000000000 +0600
+++ exim-4.95/src/configure.default 2022-02-25 17:51:49.979090483 +0600
@@ -67,7 +67,7 @@
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
-domainlist local_domains = @
+domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
# (We rely upon hostname resolution working for localhost, because the default
@@ -119,11 +119,13 @@
# manual for details. The lists above are used in the access control lists for
# checking incoming messages. The names of these ACLs are defined here:
+acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
.ifdef _HAVE_PRDR
acl_smtp_data_prdr = acl_check_prdr
.endif
acl_smtp_data = acl_check_data
+acl_smtp_mime = acl_check_mime
# You should not change those settings until you understand how ACLs work.
@@ -136,7 +138,7 @@
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).
-# av_scanner = clamd:/tmp/clamd
+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
# For spam scanning, there is a similar option that defines the interface to
@@ -157,7 +159,7 @@
# This is equivalent to the default.
-# tls_advertise_hosts = *
+tls_advertise_hosts = *
# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
@@ -165,8 +167,8 @@
# need the first setting, or in separate files, in which case you need both
# options.
-# tls_certificate = /etc/ssl/exim.crt
-# tls_privatekey = /etc/ssl/exim.pem
+tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
.ifdef _HAVE_OPENSSL
@@ -189,8 +191,8 @@
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
-# daemon_smtp_ports = 25 : 465 : 587
-# tls_on_connect_ports = 465
+daemon_smtp_ports = 25 : 465 : 587
+tls_on_connect_ports = 465
# Specify the domain you want to be added to all unqualified addresses
@@ -248,6 +250,25 @@
host_lookup = *
+# This setting, if uncommented, allows users to authenticate using
+# their system passwords against saslauthd if they connect over a
+# secure connection. If you have network logins such as NIS or
+# Kerberos rather than only local users, then you possibly also want
+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
+# too. Once a user is authenticated, the acl_check_rcpt ACL then
+# allows them to relay through the system.
+#
+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
+#
+# By default, we set this option to allow SMTP AUTH from nowhere
+# (Exim's default would be to allow it from anywhere, even on an
+# unencrypted connection).
+#
+# Comment this one out if you uncomment the above. Did you make sure
+# saslauthd is actually running first?
+#
+auth_advertise_hosts =
+
# The setting below causes Exim to try to initialize the system resolver
# library with DNSSEC support. It has no effect if your library lacks
@@ -378,8 +399,8 @@
# Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.
-# keep_environment = ^LDAP
-# add_environment = PATH=/usr/bin::/bin
+keep_environment = ^LDAP
+add_environment = PATH=/usr/bin::/bin
@@ -390,6 +411,29 @@
begin acl
+
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+
+ # Hosts are required to say HELO (or EHLO) before sending mail.
+ # So don't allow them to use the MAIL command if they haven't
+ # done so.
+
+ deny condition = ${if eq{$sender_helo_name}{} {1}}
+ message = Nice boys say HELO first
+
+ # Use the lack of reverse DNS to trigger greylisting. Some people
+ # even reject for it but that would be a little excessive.
+
+ warn condition = ${if eq{$sender_host_name}{} {1}}
+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
+
+ accept
+
+
+
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
@@ -401,6 +445,7 @@
accept hosts = :
control = dkim_disable_verify
+ control = dmarc_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
@@ -454,7 +499,8 @@
accept local_parts = postmaster
domains = +local_domains
- # Deny unless the sender address can be verified.
+ # Deny unless the sender address can be routed. For proper verification of the
+ # address, read the documentation on callouts and add the /callout modifier.
require verify = sender
@@ -494,6 +540,7 @@
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
+ control = dmarc_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
@@ -503,6 +550,7 @@
accept authenticated = *
control = submission
control = dkim_disable_verify
+ control = dmarc_disable_verify
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
@@ -523,7 +571,8 @@
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
- # point. The first one denies, whereas the second just warns.
+ # point. The first one denies, whereas the second just warns. The third
+ # triggers greylisting for any host in the blacklist
#
# deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -531,6 +580,10 @@
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
+ #
+ # warn dnslists = black.list.example
+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
+ #
#############################################################################
#############################################################################
@@ -556,6 +609,10 @@
# condition = ${if > {0}{$recipients_count}}
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
+ # Alternatively, greylist for it:
+ # warn !verify = csa
+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
+
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
@@ -606,21 +663,33 @@
message = header syntax
log_message = header syntax ($acl_verify_message)
+ # Put simple tests first. A good one is to check for the presence of a
+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
+ # or misconfigured mailer software occasionally omits this from genuine
+ # messages too, though -- although it's not hard for the offender to fix
+ # after they receive a bounce because of it.
+ #
+ # deny condition = ${if !def:h_Message-ID: {1}}
+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+ # Most messages without it are spam, so your mail has been rejected.
+ #
+ # Alternatively if we're feeling more lenient we could just use it to
+ # trigger greylisting instead:
+
+ warn condition = ${if !def:h_Message-ID: {1}}
+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
+
+
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
- #
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
#############################################################################
# No more tests if PRDR was actively used.
@@ -633,13 +702,64 @@
# deny set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
# condition = ...
#############################################################################
+
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold.
+ #
+ # warn spam = nobody/defer_ok
+ # add_header = X-Spam-Flag: YES
+ #
+ # accept condition = ${if !def:spam_score_int {1}}
+ # add_header = X-Spam-Note: SpamAssassin invocation failed
+ #
+
+ # Unconditionally add score and report headers
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
+
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}
+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+ # $spam_report
+
+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
+ #
+ # warn condition = ${if >{$spam_score_int}{5} {1}}
+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
- # Accept the message.
+ # If you want to greylist _all_ mail rather than only mail which looks like there
+ # might be something wrong with it, then you can do this...
+ #
+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
+
+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
+ # package which contains this subroutine, and you need to uncomment the bit below
+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
+ # greylisting will kick in and will defer the mail to check if the sender is a
+ # proper mail which which retries, or whether it's a zombie. For more details, see
+ # the exim-greylist.conf.inc file itself.
+ #
+ # require acl = greylist_mail
accept
+# To enable the greylisting, also uncomment this line:
+# .include /etc/exim/exim-greylist.conf.inc
+
+acl_check_mime:
+ # File extension filtering.
+ deny message = Blacklisted file extension detected
+ condition = ${if match \
+ {${lc:$mime_filename}} \
+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
+ {1}{0}}
+
+ accept
######################################################################
# ROUTERS CONFIGURATION #
@@ -740,7 +860,7 @@
driver = redirect
allow_fail
allow_defer
- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
@@ -778,7 +898,7 @@
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward
-# allow_filter
+ allow_filter
no_verify
no_expn
check_ancestor
@@ -786,6 +906,12 @@
pipe_transport = address_pipe
reply_transport = address_reply
+procmail:
+ driver = accept
+ check_local_user
+ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
+ transport = procmail
+ no_verify
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -826,6 +952,25 @@
tls_resumption_hosts = *
.endif
+# This transport is used for delivering messages over SMTP using the
+# "message submission" port (RFC4409).
+
+remote_msa:
+ driver = smtp
+ port = 587
+ hosts_require_auth = *
+
+
+# This transport invokes procmail to deliver mail
+procmail:
+ driver = pipe
+ command = "/usr/bin/procmail -d $local_part"
+ return_path_add
+ delivery_date_add
+ envelope_to_add
+ user = $local_part
+ initgroups
+ return_output
# This transport is used for delivering messages to a smarthost, if the
# smarthost router is enabled. This starts from the same basis as
@@ -880,8 +1025,8 @@
delivery_date_add
envelope_to_add
return_path_add
-# group = mail
-# mode = 0660
+ group = mail
+ mode = 0660
# This transport is used for handling pipe deliveries generated by alias or
@@ -914,6 +1059,16 @@
driver = autoreply
+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
+# socket. You'll need to configure the 'localuser' router above to use it.
+#
+#lmtp_delivery:
+# home_directory = /var/spool/imap
+# driver = lmtp
+# command = "/usr/lib/cyrus-imapd/deliver -l"
+# batch_max = 20
+# user = cyrus
+
######################################################################
# RETRY CONFIGURATION #
@@ -954,6 +1109,21 @@
# AUTHENTICATION CONFIGURATION #
######################################################################
+begin authenticators
+
+# This authenticator supports CRAM-MD5 username/password authentication
+# with Exim acting as a _client_, as it might when sending its outgoing
+# mail to a smarthost rather than directly to the final recipient.
+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
+
+#client_auth:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# client_name = SMTPAUTH_USERNAME
+# client_secret = SMTPAUTH_PASSWORD
+
+#
+
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -969,7 +1139,7 @@
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
-begin authenticators
+#
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
@@ -983,7 +1153,7 @@
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -995,7 +1165,7 @@
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
Reference in New Issue View Git Blame Copy Permalink