Pre-fill the username field if REMOTE_USER is set by means of HTTP Auth

[virtuo.git] / exim.conf

# "exim -C /config/file.new -bV")
# information taken from vexim, http://geekbiker.net/exim-tricks.html,
# gentoo-wiki, debian administrators and others
log_file_path=syslog

primary_hostname = codemages.net

MY_IP = 84.20.228.4
VIRTUO_DB = /etc/virtuo/virtuo.sdb

hostlist whitelist_hosts = sqlite;VIRTUO_DB select host from whitelist where host = '${quote_sqlite:$domain}';
hostlist blacklist_hosts = sqlite;VIRTUO_DB select host from blacklist where host = '${quote_sqlite:$domain}';
domainlist local_domains = @ : sqlite;VIRTUO_DB select domain_alias from domain_aliases where domain_alias = '${quote_sqlite:$domain}'; : sqlite;VIRTUO_DB select domain from domains where domain = '${quote_sqlite:$domain}';
domainlist relay_to_domains = sqlite;VIRTUO_DB select host from relay_to_domains where host = '${quote_sqlite:$domain}';
hostlist   relay_from_hosts = localhost : sqlite;VIRTUO_DB select host from relay_from_hosts where host = '${quote_sqlite:$domain}'; 

trusted_users = www
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
acl_smtp_rcpt = acl_check_rcpt

acl_smtp_data = acl_check_content

acl_smtp_helo = acl_check_helo

acl_smtp_mime = acl_check_mime

exim_user = exim
exim_group = exim
never_users = root

host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 0s

av_scanner = clamd:127.0.0.1 3310

tls_advertise_hosts = *
tls_certificate = /etc/ssl/certs/freya_cert-2008-05-05.pem
tls_privatekey = /etc/ssl/private/freya_privatekey-2008-05-05.pem

ignore_bounce_errors_after = 2d
#helo_try_verify_hosts = !+relay_from_hosts

timeout_frozen_after = 7d

log_selector = +subject +tls_cipher +tls_peerdn

smtp_banner = "ESMTP Server Ready"

######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

all_rate_conn:
  defer    message = Sorry, too busy. Try again later.
           ratelimit = 3 / 1s / per_conn / leaky

  accept   delay = 30s

acl_check_helo:

  accept   hosts = :

  accept   hosts = +relay_from_hosts

  accept

acl_check_rcpt:

  deny     message = HELO/EHLO with my ip address. You are not me.
           log_message = HELO/EHLO 84.20.228.4
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if eq {$sender_helo_name}{84.20.228.4} {yes}{no}}

  deny     message = HELO/EHLO with my domain name. You are not me.
           log_message = HELO/EHLO my.domain
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match {$sender_helo_name}{mages.ath.cx} {yes}{no}}

  deny     message = HELO/EHLO with my domain name. You are not me.
           log_message = HELO/EHLO my.domain
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match {$sender_helo_name}{codemages.net} {yes}{no}}

  deny     message = HELO/EHLO with my domain name. You are not me.
           log_message = HELO/EHLO my.domain
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match {$sender_helo_name}{levstik.name} {yes}{no}}

  deny     message = Fine, then the mail I accept is also none
           log_message = HELO/EHLO none
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match {$sender_helo_name}{none} {yes}{no}}

  deny     message = You are hardly local, fool
           log_message = HELO/EHLO localhost
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}

  deny     message = Invalid HELO. You must be spam or a virus, or your system administrator is an idiot.
           !authenticated = * 
           !hosts         = +relay_from_hosts
           condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}


  deny     condition = ${if match{$sender_helo_name}{^[0-9]\.[0-9]\.[0-9]\.[0-9]}{yes}{no} }
           !authenticated = * 
           !hosts         = +relay_from_hosts
           message   = HELO/EHLO with IP only.
           log_message = HELO/EHLO IP only



#  deny     message = Faked Yahoo, so you must be spam.
#           log_message = Fake Yahoo
#           !authenticated = * 
#           !hosts         = +relay_from_hosts
#           senders = *@yahoo.com
#           condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#
##  deny     message = Faked Source Mage, so you must be spam.
#           log_message = Fake Source Mage
#           !authenticated = * 
#           !hosts         = +relay_from_hosts : +accept_from_hosts
#           senders = *@sourcemage.org
#           condition = ${if match {$sender_host_name}{\Nsourcemage.org$\N}{no}{yes}}

  deny     message = Faked hotmail, so you must be spam.
           log_message = Fake hotmail
           !authenticated = * 
           !hosts         = +relay_from_hosts
           senders = *@hotmail.com
           condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

  deny     message = Faked MSN, so you must be spam.
           log_message = Fake MSN
           !authenticated = * 
           !hosts         = +relay_from_hosts
           senders = *@msn.com
           condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

  deny     message = Faked ebay, so you must be spam.
           log_message = Fake ebay
           !authenticated = * 
           !hosts         = +relay_from_hosts
           senders = *@ebay.com
           condition = ${if match {$sender_host_name}{\N(ebay).com$\N}{no}{yes}}

  deny     message = Faked Paypal, so you must be spam.
           log_message = Fake paypal
           !authenticated = * 
           !hosts         = +relay_from_hosts
           senders = *@paypal.com
           condition = ${if match {$sender_host_name}{\N(paypal).com$\N}{no}{yes}}


  deny     message = Faked AOL, so you must be spam.
           log_message = Fake AOL
           !authenticated = * 
           !hosts         = +relay_from_hosts
           senders = *@aol.com
           condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}

  deny     message       = DNSBL listed at $dnslist_domain\n$dnslist_text
           !authenticated = *
           !hosts         = +relay_from_hosts
           dnslists      = sqlite;VIRTUO_DB select host from dnsbl ;

#  defer   message       = Greylisting in effect, please try again later.
#          log_message   = greylisted.
#          domains       = +local_domains : +relay_to_domains
#          !senders      = : postmaster@* : abuse@*
#          !hosts        = +relay_from_hosts
#          !authenticated = *
#          condition     = ${if eq {${readsocket{/var/run/greylstd/greylstd.sock}{check $sender_host_address $sender_address $local_part@$domain\n}{5s}{}{}}}{defer}{true}{false}}

  accept   hosts = :

  deny     local_parts   = ^.*[@%!/|] : ^\\.

  accept   local_parts   = postmaster
           domains       = +local_domains

  accept   domains       = +local_domains
           endpass
           verify        = recipient

  accept   domains       = +relay_to_domains
           endpass
           verify        = recipient

  accept   hosts         = +relay_from_hosts

  accept   authenticated = *

  deny     message       = relay not permitted

acl_check_mime:
  # Decode MIME parts to disk. This will support virus scanners later.
  warn     decode      = default

  deny     condition   = ${if > {$mime_anomaly_level}{2} \
                          {true}{false}}
           message     = This message contains a MIME error ($mime_anomaly_text)
           log_message = DENY: MIME Error ($mime_anomaly_text)

  # Too many MIME parts
  #
  deny     condition   = ${if >{$mime_part_count}{1024}{yes}{no}}
           message     = MIME error: Too many parts (max 1024)
           log_message = DENY: MIME Error (Too many MIME parts: $mime_part_count)

  # Excessive line length
  #
  deny     regex       = ^.{8000}
           message     = MIME error: Line length in message or single header exceeds 8000.
           log_message = DENY: MIME Error (Maximum line length exceeded)

  # Partial message
  #
  deny     condition   = ${if eq {$mime_content_type}{message/partial}{yes}{no}}
           message     = MIME error: MIME type message/partial not allowed here
           log_message = DENY: MIME Error (MIME type message/partial found)

  # Filename length too long (> 255 characters)
  #
  deny     condition   = ${if >{${strlen:$mime_filename}}{255}{yes}{no}}
           message     = MIME error: Proposed filename exceeds 255 characters
           log_message = DENY: MIME Error (Proposed filename too long)

  # MIME boundary length too long (> 1024)
  #
  deny     condition   = ${if >{${strlen:$mime_boundary}}{1024}{yes}{no}}
           message     = MIME error: MIME boundary length exceed 1024 characters
           log_message = DENY: MIME Error (Boundary length too long)

  # File extension filtering.
  deny     condition = ${if match \
                        {${lc:$mime_filename}} \
                        {\N(\.bat|\.btm|\.cmd|\.com|\.cpl|\.dll|\.exe|\.lnk|\.msi|\.pif|\.prf|\.reg|\.scr|\.vbs|\.url)$\N} \
                        {1}{0}}
           message = Blacklisted file extension detected in "$mime_filename". If you legitimately need to send these files please zip them first.
           log_message = DENY: Blacklisted extension ("$mime_filename")

   # finally accept all the rest
   accept

acl_check_content:
  deny     condition = ${if !def:h_Message-ID: {1}}
           !authenticated = *
           !hosts         = +relay_from_hosts : +whitelist_hosts
           message = Message SHOULD have Message-ID: but does not

  deny     condition = ${if !def:h_Date: {1}}
           !authenticated = *
           !hosts         = +relay_from_hosts : +whitelist_hosts
           message = Message SHOULD have Date: but does not

  deny     message = Hiding of file extensions is not allowed!
           log_message = Dangerous extension (CLSID hidden)
           regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$ 

  # Reject virus infested messages.
  deny     message = This message contains malware ($malware_name)
           log_message = malware ($malware_name)
           demime = *
           malware = *
           warn message = X-Antivirus-Scanner: Scanned with ClamAV
  # finally accept all the rest
  accept


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers
# sort aliases first
virtual_domain_aliases:
  driver = redirect
  allow_fail
  check_ancestor
  domains = ${lookup sqlite{VIRTUO_DB select domain_alias from domain_aliases }}
  data = ${quote_local_part:$local_part}@${lookup sqlite{VIRTUO_DB select domain_target from domain_aliases where domain_alias = '${domain}' }}


virtual_aliases:
  driver = redirect
  allow_fail
  check_ancestor
  data = ${lookup sqlite{VIRTUO_DB select alias_target from aliases where alias = '${local_part}' and domain= '${domain}' }}
  local_part_suffix = +* : -* : _*
  local_part_suffix_optional
  retry_use_local_part
#  file_transport = dspam_spamcheck
#  reply_transport = address_reply
#  pipe_transport = address_pipe


# List processor
process_list:
        driver = redirect
   headers_add = Precedence: list\n\
                 List-Id: "${lookup sqlite{VIRTUO_DB select description from lists where list = '${local_part}' and domain = '${domain}' }}" <${lookup sqlite{VIRTUO_DB select list from lists where list = '${local_part}' and domain = '${domain}' }}.${lookup sqlite{VIRTUO_DB select domain from lists where list = '${local_part}' and domain = '${domain}' }}>\n\
                 List-Post: <mailto:${lookup sqlite{VIRTUO_DB select list from lists where list = '${local_part}' and domain = '${domain}' }}@${lookup sqlite{VIRTUO_DB select domain from lists where list = '${local_part}' and domain = '${domain}' }}>
          data = ${lookup sqlite{VIRTUO_DB select member from lists_members where list = '${local_part}' and domain= '${domain}' }}

dnslookup:
               driver = dnslookup
              domains = ! +local_domains
            transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
              no_more

# nospam-username
dspam_false_positive_router:
   driver = accept
   local_part_prefix = notspam-
   transport = dspam_false_positive
     no_more

dspam_clean_router:
   driver = accept
   local_part_prefix = clean-
   transport = dspam_clean
     no_more

# spam-username
dspam_spam_miss_router:
   driver = accept
   local_part_prefix = spam-
   transport = dspam_spam_miss
     no_more

dspam_spam_corpus_router:
   driver = accept
   local_part_prefix = spamtrain-
   transport = dspam_spam_corpus
     no_more

dspam_router:
  no_verify
  local_part_suffix = +* : -* : _*
  local_part_suffix_optional
  retry_use_local_part
  domains = ! mages.ath.cx
  condition   = "${if and {{!def:h_X-FILTER-DSPAM:} {!eq {$received_protocol}{spam-scanned}}}{1}{0}}"
  headers_add  = "X-FILTER-DSPAM: by $primary_hostname on $tod_full"
  driver = accept
  transport = dspam_spamcheck

virtual_domains:
  driver = redirect
  allow_fail
  check_ancestor
  data = ${lookup sqlite{VIRTUO_DB select home_mail from users where username = '${local_part}' and domain= '${domain}' and home_mail != '' }}
  local_part_suffix = +* : -* : _*
  local_part_suffix_optional
  retry_use_local_part
  file_transport = virtual_delivery
  reply_transport = address_reply
  pipe_transport = address_pipe
  

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

dspam_spamcheck:
 driver = pipe
 command = "/usr/sbin/exim -oMr spam-scanned -bS"
 transport_filter = "/usr/bin/dspam --process --stdout --deliver=innocent,spam --user ${lc:$local_part}@${lc:$domain}"
 use_bsmtp = true
 home_directory = "/tmp"
 current_directory = "/tmp"
 temp_errors = *
 user = exim
 group = exim
 log_output = true
 return_fail_output = true
 return_path_add = false
 message_prefix = ""
 message_suffix = ""

dspam_spam_miss:
   driver = pipe
   command = "/usr/bin/dspam --user ${lc:$local_part}@${lc:$domain} --class=spam --source=error"
   home_directory = "/tmp"
   current_directory = "/tmp"
   user = exim
   group = exim
   log_output = true
   return_fail_output = true
   return_path_add = false
   message_prefix =
   message_suffix =

dspam_spam_corpus:
   driver = pipe
   command = "/usr/bin/dspam --user ${lc:$local_part}@${lc:$domain} --class=spam --source=corpus"
   home_directory = "/tmp"
   current_directory = "/tmp"
   user = exim
   group = exim
   log_output = true
   return_fail_output = true
   return_path_add = false
   message_prefix =
   message_suffix = 

dspam_false_positive:
   driver = pipe
   command = "/usr/bin/dspam --user ${lc:$local_part}@${lc:$domain} --class=innocent --source=error"
   home_directory = "/tmp"
   current_directory = "/tmp"
   user = exim
   group = exim
   log_output = true
   return_fail_output = true
   return_path_add = false
   message_prefix =
   message_suffix =

dspam_clean:
   driver = pipe
   command = "/usr/bin/dspam --user ${lc:$local_part}@${lc:$domain} --class=innocent --source=corpus"
   home_directory = "/tmp"
   current_directory = "/tmp"
   user = exim
   group = exim
   log_output = true
   return_fail_output = true
   return_path_add = false
   message_prefix =
   message_suffix =

remote_smtp:
  driver = smtp

virtual_delivery:
  driver = pipe
  envelope_to_add
  return_path_add
  command = /usr/libexec/dovecot/deliver -c /etc/dovecot/dovecot.conf -d $local_part@$domain
  log_output
  user = exim
  group = exim

address_pipe_local:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply



######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Domain               Error       Retries
# ------               -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,14d,6h



######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite



######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1