exim.conf

# Main (global) section. Site-specific values (database servers, the domain,
# address and host lists, the LDAP query, SPF text, cipher string) come from
# macros defined in /etc/exim/macros.conf. "hide" keeps the database
# connection details out of "exim -bP" output for non-admin users.
.include /etc/exim/macros.conf
hide pgsql_servers = PGSQL_SERVERS
primary_hostname = ms.home.topdog-software.com
# Named lists referenced from the ACLs and routers below. local_domains is
# only this host; every hosted domain is expected in the relay_sql_* lists.
domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_sql_domains = RELAY_SQL_DOMAINS
domainlist relay_sql_smtp_domains = SMTP_SQL_DOMAINS
domainlist relay_sql_lmtp_domains = LMTP_SQL_DOMAINS
domainlist ldap_domains = LDAP_DOMAINS
domainlist smtp_callback_domains = SMTP_CALLBACK_DOMAINS
domainlist whitelisted_domains = WHITELISTED_DOMAINS
domainlist blacklisted_domains = BLACKLISTED_DOMAINS
addresslist whitelisted_addresses = WHITELISTED_ADDRESS
addresslist blacklisted_addresses = BLACKLISTED_ADDRESS
hostlist whitelisted_hosts = WHITELISTED_HOSTS
hostlist blacklisted_hosts = BLACKLISTED_HOSTS
hostlist relay_sql_hosts = RELAY_SQL_HOSTS
# Hosts allowed to relay without authenticating (see acl_check_rcpt).
hostlist relay_from_hosts = localhost : localhost.localdomain
# ACL entry points; the named ACLs are defined under "begin acl". There is no
# MAIL-time ACL, so envelope-sender checks happen at RCPT.
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
acl_smtp_connect = acl_check_connect
acl_smtp_helo   = acl_check_helo
acl_smtp_dkim = acl_check_dkim
# Greeting text (Exim prefixes the "220 "). It does not start with the host
# name, which RFC 5321 places first in the greeting and some clients key on.
smtp_banner = Baruwa 2.0 $tod_full
# For network connections, identify as the PTR name of the local interface
# the connection arrived on (first PTR record); fall back to primary_hostname
# for loopback/local callers or when the reverse lookup yields nothing.
smtp_active_hostname = ${if !eq{$sender_host_address}{$received_ip_address}{${lookup dnsdb{>: ptr=$received_ip_address}{${extract{1}{:}{$value}}}{$primary_hostname}}}{$primary_hostname}}
# Connection limits: at most 60 messages per connection, no cap on
# simultaneous connections (0 = unlimited), and new SMTP connections are
# refused once the load average passes 15 (no smtp_reserve_hosts is set
# here, so nobody is exempt -- confirm the macros file does not set one).
smtp_accept_max_per_connection = 60
smtp_accept_max = 0
smtp_load_reserve = 15
smtp_receive_timeout = 3m
# Bounds non-mail commands (HELO, AUTH, NOOP, ...) per connection, which also
# limits repeated AUTH attempts on a single connection; unknown commands
# are cut off almost immediately.
smtp_accept_max_nonmail = 10
smtp_max_unknown_commands = 1
message_size_limit = 20M
# Non-default incoming spool; presumably the directory the Baruwa/MailScanner
# process reads from (see the message_checks router, which defers everything).
spool_directory = /var/spool/exim.in
# PIPELINING is only advertised to the IPv4 loopback address.
pipelining_advertise_hosts = 127.0.0.1
process_log_path = /var/spool/exim/exim-process.info
# Custom Received: header; it records ident/HELO, the inbound TLS cipher and
# a "ret-id none" marker for messages that did not arrive via the "split"
# re-injection (see the split router and send_to_self transport).
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Baruwa 2.0)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if !eq {$received_protocol}{split} { ret-id none;}{}}${if def:received_for {\n\tfor $received_for}}
# ClamAV over its unix socket; used by the malware= conditions in acl_check_data.
av_scanner = clamd:/var/run/clamav/clamd.sock
# STARTTLS is offered to everyone except client IPs listed (one exact IP per
# line, lsearch) in /etc/exim/non-tls-hosts.
tls_advertise_hosts = ${lookup{$sender_host_address}lsearch{/etc/exim/non-tls-hosts}{}{*}}
tls_certificate = /etc/pki/baruwa/certs/${primary_hostname}.pem
tls_privatekey = /etc/pki/baruwa/private/${primary_hostname}.key
# Implicit TLS on 465; cipher policy is the GNUTLS_CIPHERS macro (GnuTLS
# priority-string syntax).
tls_on_connect_ports = 465
tls_require_ciphers = GNUTLS_CIPHERS
daemon_smtp_ports = 25 : 465 : 587
# Never run a local delivery as root.
never_users = root
# Ident: hosts = * but a zero timeout means no RFC 1413 query is ever made.
rfc1413_hosts = *
rfc1413_query_timeout = 0s
# Frozen messages are bounced/removed almost immediately, and bounces that
# themselves fail are discarded, rather than lingering in the queue.
ignore_bounce_errors_after = 1s
timeout_frozen_after = 1s
# AUTH is only advertised once a TLS session is up (so credentials are never
# offered over cleartext); the authenticators repeat this condition.
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
# Perl helper providing the check_password function used by the
# authenticators; loaded when the daemon starts so errors show up early.
perl_startup = do '/usr/share/baruwa/exim-bcrypt.pl'
perl_at_start = true
begin acl
acl_check_rcpt:
  # Local (non-SMTP) submissions are accepted outright in submission mode.
  accept  hosts          = :
          control        = submission
  # Hard rejections for listed hosts and sender domains.
  drop    message        = The sender $sender_address is banned
          hosts          = +blacklisted_hosts
  drop    message        = The domain $sender_address_domain is banned
          sender_domains = +blacklisted_domains
  # More than three failed RCPTs on one connection: drop, after holding the
  # connection for 10 minutes (this ties up the receiving process for that
  # long, which is a cost on our side as well).
  drop    message        = Dictionary attack detected
          condition      = ${if >{$rcpt_fail_count}{3} {yes}{no}}
          delay          = 10m
  # Null-sender bounces (the empty list item) and postmaster@* may address
  # only one recipient.
  drop    message        = Legitimate bounces are never sent to more than one recipient.
          senders        = : postmaster@*
          condition      = ${if >{$recipients_count}{1}{true}{false}}
  # Local-part hygiene: no leading dot and no shell/source-route characters
  # for local domains; a slightly different set (including "/../") for
  # relayed domains.
  drop    message        = Restricted characters in address
          domains        = +local_domains
          local_parts    = ^[.] : ^.*[@%!/|]
  drop    message        = Restricted characters in address
          domains        = !+local_domains
          local_parts    = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  # postmaster at our own or hosted domains is always accepted, without the
  # sender/recipient verification that follows.
  accept  local_parts    = postmaster
          domains        = +local_domains : +relay_sql_domains
  # Envelope-sender verification (routing only, no callout) for every host
  # except 127.0.0.1; the IPv6 loopback address is not excluded.
  drop    message        = sender verification failed
          !hosts         = 127.0.0.1
          !verify        = sender
  # Recipient verification. The message_checks router has no_verify, so this
  # is routed by the routers after it.
  drop    message        = recipient verification failed
          !verify        = recipient
  # Relaying: trusted hosts and authenticated clients may send anywhere.
  # sender_retain keeps a client-supplied Sender: header.
  accept  hosts          = +relay_from_hosts : +relay_sql_hosts
          control        = submission/sender_retain
  # The authenticated id is kept in $acl_m_u for later ACLs and stamped into
  # the message as X-Authenticated-As.
  accept  authenticated  = *
          control        = submission/sender_retain
          set acl_m_u    = $authenticated_id
          add_header     = X-Authenticated-As: $acl_m_u
  # Everyone else may only deliver to domains we are responsible for.
  require message        = relay not permitted
          domains        = +local_domains : +relay_sql_domains
  # Recipient existence checks: an SMTP callout to the backend for callback
  # domains (a callout tempfail counts as success because of defer_ok, and a
  # redirect counts as success), or an LDAP lookup for LDAP domains.
  # LDAP_LOOKUP is a macro holding the query, expanded at run time.
  drop    message        = The email address does not exist
          domains        = +smtp_callback_domains
          !verify        = recipient/success_on_redirect/callout=2m,defer_ok
  drop    message        = The email address does not exist
          domains        = +ldap_domains
          condition      = ${lookup ldap{${expand:LDAP_LOOKUP}}{0}{1}}
  # Whitelists. Each "accept" ends the ACL, so a whitelisted source skips the
  # DNSBL, reverse-DNS and SPF checks below. The address and domain lists key
  # on the envelope sender, which has not been authenticated at this point.
  accept  dnslists       = wl.rbl.baruwa.net : list.dnswl.org&0.0.0.3 : hostkarma.junkemailfilter.com=127.0.0.1
          add_header     = X-Baruwa-DNSL-Whitelisted-Host: $sender_host_address
          add_header     = X-Baruwa-DNSL-Name: ${if eq{$dnslist_domain}{}{list.dnswl.org}{$dnslist_domain}}
          logwrite       = ${if eq{$dnslist_domain}{wl.rbl.baruwa.net}\
                           {The sender $sender_host_address is an approved sender}\
                           {The sender $sender_host_address is in a DNS whitelist at \
                           ${if eq{$dnslist_domain}{}{list.dnswl.org}{$dnslist_domain}}}}
  accept  senders        = +whitelisted_addresses
          add_header     = X-Baruwa-Whitelisted-Sender: $sender_address
          logwrite       = The sender address $sender_address is whitelisted
  accept  sender_domains = +whitelisted_domains
          add_header     = X-Baruwa-Whitelisted-Domain: $sender_address_domain
          logwrite       = The sending domain $sender_address_domain is whitelisted
  accept  hosts          = +whitelisted_hosts
          add_header     = X-Baruwa-Whitelisted-Host: $sender_host_address
          logwrite       = The sending host $sender_host_address is whitelisted
  # Hosts/networks listed in /etc/exim/skip_dnsbl (iplsearch, so CIDR entries
  # work) also bypass everything below, including SPF.
  accept  condition      = ${lookup{$sender_host_address}iplsearch{/etc/exim/skip_dnsbl}{1}{0}}
  # DNS blacklists. The second rbl.baruwa.net entry keys on the sender
  # domain rather than the connecting address.
  drop    message        = The sender $dnslist_text
          dnslists       = rbl.baruwa.net=127.0.0.2 : rbl.baruwa.net=127.0.0.2/$sender_address_domain : bl.spameatingmonkey.net : hostkarma.junkemailfilter.com=127.0.0.2
  # The ratelimit with a limit of 0 in strict mode appears to be always true
  # once evaluated, so it does not gate the drop; it seems intended only to
  # record the hit against the host in the ratelimit database -- confirm.
  drop    message        = The sender $sender_host_address is in a black list http://www.spamhaus.org/query/bl?ip=$sender_host_address
          dnslists       = zen.spamhaus.org
          ratelimit      = 0 / 2h / strict / per_conn
  drop    message        = The sender $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists       = bl.spamcop.net : cbl.abuseat.org
          ratelimit      = 0 / 2h / strict / per_conn
  # Despite the wording, this only fires when ALL of: the host has no reverse
  # DNS, a sender callout fails (a tempfail counts as success via defer_ok),
  # and $sender_verify_failure is non-empty. A host without reverse DNS whose
  # sender does verify is not rejected here, and the log line will say
  # "no reverse DNS" for what is really a combined failure.
  drop    message        = We don't accept messages from hosts without reverse DNS records
          log_message    = The sender $sender_host_address has no reverse DNS record
          !verify        = reverse_host_lookup
          !verify        = sender/no_details/callout=2m,defer_ok
          !condition     = ${if eq{$sender_verify_failure}{}}
  # SPF hard fail is rejected with a 5xx; SPF_MSG is a macro. Note that
  # whitelisted sources never reach this check.
  deny    message        = SPF_MSG
          spf            = fail
  accept
acl_check_data:
  # Scanner hits whose signature name ends in ".UNOFFICIAL" (third-party
  # ClamAV signature sets) are accepted when submitted from 127.0.0.1 and
  # flagged with a bypass header instead of being dropped. This accept ends
  # the ACL, so the Reply-To check below does not run for them.
  accept  malware       = *
          hosts         = 127.0.0.1
          condition     = ${if match \
                          {${malware_name}} \
                          {\N(\.UNOFFICIAL)$\N} \
                          {1}{0}}
          add_header    = X-Baruwa-Quarantine-Report-Bypass: ${malware_name}
  # Any other scanner hit is rejected. There is no defer_ok on malware=, so
  # a scanner error (e.g. clamd socket unavailable) tempfails the message
  # rather than letting it through unscanned.
  drop    malware       = *
          message       = This message contains a virus ($malware_name).
  # Reject messages carrying a present-but-empty Reply-To: header, unless
  # they come from a relay host, an authenticated client, or a host listed in
  # /etc/exim/allow_empty_replyto. All conditions must hold for the drop.
  drop    message       = This message is administratively prohibited
          hosts         = ! +relay_sql_hosts
          !authenticated  = *
          condition     = ${if and {{def:h_Reply-to:}{eq {$h_Reply-to:}{}}}{yes}{no}}
          condition     = ${lookup{$sender_host_address}iplsearch{/etc/exim/allow_empty_replyto}{0}{1}}
  accept
acl_check_mime:
  # Attachment filter by declared filename only: the lower-cased MIME
  # filename is matched against a fixed list of six extensions. The part's
  # content is not inspected here; content scanning is left to the malware
  # check in acl_check_data.
  drop    message       = Blacklisted file extension detected
          condition     = ${if match \
                          {${lc:$mime_filename}} \
                          {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
                          {1}{0}}
  accept
acl_check_connect:
  # Local (non-SMTP) callers are not rate limited.
  accept  hosts         = :
  drop    message       = The sender $sender_host_address is banned
          hosts         = +blacklisted_hosts
  # Whitelisted hosts skip the rate limit. The "message" modifier on an
  # accept in the connect ACL is presumably meant as greeting text -- confirm
  # how this Exim version treats it.
  accept  message       = The sending host $sender_host_address is whitelisted
          hosts         = +whitelisted_hosts
  # Per-client-host rate limit: above 250 per 15 minutes the connection gets
  # a 4xx. "strict" keeps counting while over the limit, so a client that
  # keeps hammering stays limited. No per_* option is given, so the default
  # counting mode applies -- confirm it counts connections as intended here.
  defer   ratelimit     = 250 / 15m / strict
          message       = You can only send $sender_rate_limit msgs per $sender_rate_period
          log_message   = RATE: $sender_rate/$sender_rate_period (max $sender_rate_limit)
  accept
acl_check_helo:
  # Runs after a HELO/EHLO command. A client that never sends HELO does not
  # reach this ACL at all, so the first drop only fires on an empty argument;
  # whether MAIL is then allowed without HELO is governed elsewhere.
  drop  message         = The sender did not present a HELO/EHLO greeting
          log_message   = remote host did not present greeting
          condition     = ${if def:sender_helo_name {false}{true}}
  # A bare IP address is not a valid HELO name (RFC 2821 4.1.3 requires an
  # address literal in brackets). Whether "isip" also matches the bracketed
  # form, and so would drop legitimate literals, should be confirmed for this
  # Exim version.
  drop  message         = The sender presented HELO as an IP address (See RFC2821 4.1.3)
          condition     = ${if isip{$sender_helo_name}}
  accept
acl_check_dkim:
  # Runs once per signer. Authenticated clients, local callers, whitelisted
  # hosts and hosts listed in /etc/exim/skip_dkim are exempt from
  # enforcement (they also do not get the X-DKIM header added below).
  accept authenticated  = *
  accept hosts          = :
  accept hosts          = +whitelisted_hosts
  accept condition      = ${lookup{$sender_host_address}iplsearch{/etc/exim/skip_dkim}{1}{0}}
  # Reject "none" and "invalid" results unless the signing key is flagged as
  # testing. A status of "fail" (a signature that verifies as bad) is NOT in
  # this list, so such messages are only recorded in the header, not
  # rejected. "none" is only expected for a configured signer that did not
  # sign -- confirm dkim_verify_signers (set elsewhere, if at all) before
  # relying on this to reject unsigned mail.
  deny message          = DKIM failure: $dkim_verify_reason
       dkim_status      = none:invalid
       condition        = ${if eq {$dkim_key_testing}{1} {no}{yes}}
  # Record the verification outcome for this signer.
  warn add_header       = X-DKIM: Status on $received_ip_address using Baruwa 2.0: dkim=$dkim_verify_status; \
                          signing_identity="$dkim_cur_signer"
  accept
begin routers
split:
   # Messages for hosted domains with more than one recipient that have not
   # already been through the split step are handed to send_to_self, which
   # re-injects one copy per recipient. The re-injected copies carry
   # $received_protocol "split" (from -oMr in the transport) so they do not
   # match this router again. Skipped during verification and address tests.
   driver = accept
   domains = +relay_sql_domains
   condition = ${if and {{!eq {$received_protocol}{split}}{gt {$recipients_count}{1}}}{yes}{no}}
   transport = send_to_self
   no_verify
   no_address_test
message_checks:
   # Every address reaching this router is deferred with the given text, so
   # messages stay in the spool (see spool_directory) for the external message
   # scanner to pick up. no_verify means RCPT-time recipient verification
   # skips this router and is answered by the routers below.
   driver = redirect
   allow_defer
   data = :defer: queued for message checks
   no_verify
   no_address_test
deliver_clean_smtp:
   # Hosted SMTP domains are routed to the host(s) returned by the ROUTE_QUERY
   # pgsql macro. no_more: if the lookup yields nothing the address fails here
   # instead of falling through to dnslookup.
   driver = manualroute
   domains = +relay_sql_smtp_domains
   transport = remote_smtp
   route_data = ${lookup pgsql {ROUTE_QUERY}}
   no_more
deliver_clean_lmtp:
   # Same as deliver_clean_smtp, but for domains delivered over LMTP via the
   # remote_lmtp transport.
   driver = manualroute
   domains = +relay_sql_lmtp_domains
   transport = remote_lmtp
   route_data = ${lookup pgsql {ROUTE_QUERY}}
   no_more
dnslookup:
   # Outbound routing for everything we do not host. MX/A targets that resolve
   # to 0.0.0.0 or the IPv4 loopback range are ignored; the IPv6 loopback,
   # link-local and private ranges are not listed here.
   driver = dnslookup
   domains = ! +local_domains : ! +relay_sql_domains
   transport = remote_smtp
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
   no_more
system_aliases:
   # /etc/aliases expansion for the primary hostname only ("@"). allow_fail
   # and allow_defer honour :fail: and :defer: entries. Pipe and file targets
   # in the alias file use address_pipe / address_file; neither this router
   # nor address_pipe sets a user, so a pipe alias would need one before it
   # can run -- confirm against the Exim version in use.
   driver = redirect
   allow_fail
   allow_defer
   domains = @
   data = ${lookup{$local_part}lsearch{/etc/aliases}}
   file_transport = address_file
   pipe_transport = address_pipe
localuser:
   # Last resort for local domains: deliver to system accounts.
   # check_local_user requires a passwd entry for the local part, which is
   # also what keeps the $local_part used in local_delivery's file path to a
   # real user name.
   driver = accept
   check_local_user
   transport = local_delivery
   cannot_route_message = Unknown user
begin transports
send_to_self:
   # Re-injects a message into this Exim as batched SMTP, one recipient per
   # run (batch_max = 1), tagged with received protocol "split" so the split
   # router ignores the copies. Runs as the exim user. Each copy gets a new
   # message id.
   driver = pipe
   batch_max = 1
   use_bsmtp
   command = /usr/sbin/exim -oMr split -bS
   user = exim
remote_smtp:
   # Plain outbound SMTP. delay_after_cutoff = false keeps trying a host after
   # its retry cutoff instead of deferring outright.
   driver = smtp
   delay_after_cutoff = false
remote_lmtp:
   # LMTP to the backend store on port 25 (unusual for LMTP; presumably what
   # this backend expects -- confirm).
   driver = smtp
   protocol = lmtp
   delay_after_cutoff = false
   port = 25
local_delivery:
   # mbox delivery to /var/mail/<user>, group mail, mode 0660, with
   # Delivery-date:, Envelope-to: and Return-path: headers added. The
   # $local_part in the path relies on the localuser router's check_local_user
   # having validated it.
   driver = appendfile
   file = /var/mail/$local_part
   delivery_date_add
   envelope_to_add
   return_path_add
   group = mail
   mode = 0660
address_pipe:
   # Pipe deliveries from alias entries. return_output: anything the command
   # prints is treated as a failure and returned to the sender. No user is
   # set here (see system_aliases).
   driver = pipe
   return_output
address_file:
   # File deliveries from alias entries; same extra headers as local_delivery,
   # default file mode.
   driver = appendfile
   delivery_date_add
   envelope_to_add
   return_path_add
begin retry
# Single rule for all domains and all errors: every 15 minutes for the first
# 2 hours, then geometrically from 1 hour (factor 1.5) until 16 hours after
# the first failure, then every 6 hours until 14 days, after which the
# message is bounced.
*                      *           F,2h,15m; G,16h,1h,1.5; F,14d,6h
begin rewrite
begin authenticators
PLAIN:
   # SASL PLAIN: $auth2 is the authentication id, $auth3 the password. The
   # stored credential is fetched with the ORG_CHECK_PLAIN pgsql macro and
   # handed, with the submitted password, to the perl check_password helper
   # from exim-bcrypt.pl (presumably a bcrypt hash, given the helper's name).
   # Empty ids and passwords are rejected up front. The lookup has no failure
   # branch, so an unknown user passes an empty string as the stored hash:
   # check_password must reject that case rather than treat it as a match.
   driver = plaintext
   server_prompts = :
   server_condition = ${if and{ {!eq {$auth2}{}} {!eq {$auth3}{}}\
                                {bool{${perl{check_password}\
                                {${lookup pgsql {ORG_CHECK_PLAIN}{$value}}}\
                                {$auth3}}}\
                                }\
                              }\
                       {yes}{no}}
   # $authenticated_id becomes the authentication id; only offered once TLS
   # is up (duplicates auth_advertise_hosts).
   server_set_id = $2
   server_advertise_condition = ${if def:tls_cipher }

LOGIN:
   # LOGIN: $auth1 is the user name, $auth2 the password; the doubled colons
   # in server_prompts embed literal colons in the colon-separated list.
   # Verification mirrors PLAIN (ORG_CHECK_LOGIN lookup + perl check_password),
   # including the caveat that a failed lookup passes an empty stored hash to
   # check_password.
   driver = plaintext
   server_prompts = "Username:: : Password::"
   server_condition = ${if and{ {!eq {$auth1}{}} {!eq {$auth2}{}}\
                                    {bool{${perl{check_password}\
                                    {${lookup pgsql {ORG_CHECK_LOGIN}{$value}}}\
                                    {$auth2}}}}\
                                  }\
                          {yes}{no}}
   # Only offered once TLS is up (duplicates auth_advertise_hosts).
   server_set_id = $1
   server_advertise_condition = ${if def:tls_cipher }