# SPDX-License-Identifier: GPL-2.0-or-later and CC0-1.0
# Copyright (c) 2004-2023 University of Cambridge
# Copyright (C) 2023, 2024 Wojtek Kosior <koszko@koszko.org>

# Changes by Wojtek are available under CC0.

# Adapted from
# https://git.exim.org/exim.git/blob/3e6d406e8ae9681a8cc1b404e7f5d1bd6d65d201:/src/src/configure.default

exim_group = vmail
deliver_drop_privilege

spool_directory = /var/spool/exim
log_file_path = $spool_directory/log/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error \
        +tls_certificate_verified +tls_peerdn

domainlist    local_domains = @ : localhost : happyhacking.pl : koszko.org : \
                              koszkonutek-tmp.pl.eu.org
domainlist    relay_to_domains =
hostlist      relay_from_hosts = <; ; 127.0.0.1 ; ::1
localpartlist vmail_usernames = ${sg {${readfile{/var/vmail/passwd}{:::}}}\
                                     {\N:?[^:]+:::\N}\
                                     {:}}

acl_smtp_rcpt =         acl_check_rcpt
.ifdef _HAVE_PRDR
# currently does nothing
acl_smtp_data_prdr =    acl_check_prdr
.endif
acl_smtp_data =         acl_check_data

tls_certificate = /etc/certs/smtp.koszko.org/fullchain.pem
tls_privatekey = /etc/certs/smtp.koszko.org/privkey.pem

tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                               {/etc/ssl/certs/ca-certificates.crt}\
			       {/dev/null}}

.ifdef _HAVE_GNUTLS
tls_dhparam = historic
.endif

# For OpenSSL, prefer EC- over RSA-authenticated ciphers
.ifdef _HAVE_OPENSSL
tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
.endif

daemon_smtp_ports = 25 : 12525 : 465 : 587
tls_on_connect_ports = 465 : 587

primary_hostname = salamina.koszko.org
qualify_domain = koszko.org

never_users = root

host_lookup = *

dns_dnssec_ok = 1

#rfc1413_hosts = *
#rfc1413_query_timeout = 5s

.ifdef _HAVE_PRDR
prdr_enable = true
.endif

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

freeze_tell = admin

check_rfc2047_length = false

accept_8bitmime = false

keep_environment =

received_header_text =\
Received: from dummy-client.koszko.org ([192.168.193.169])\n\t\
          by $primary_hostname\
          ${if def:received_protocol\
               { with $received_protocol}}\
          ${if def:tls_in_ver\
               { ($tls_in_ver)}}\
          ${if def:tls_in_cipher_std\
               { tls $tls_in_cipher_std\n\t}}\
          (Exim $version_number)\n\t\
          ${if def:sender_address\
               {(envelope-from <$sender_address>)\n\t}}\
          id $message_exim_id\
          ${if def:received_for\
               {\n\tfor $received_for}}

begin acl

acl_check_rcpt:

  accept  hosts = :
          control = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|`#&?]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  warn    !verify       = sender
          log_message   = $acl_verify_message: $sender_verify_failure

  deny    condition     = ${if and {\
                            {>{$rcpt_count}{10}}\
                            {<{$recipients_count}{${eval:$rcpt_count/2}}}\
                            }}
          message       = Rejected for too many bad recipients
          logwrite      = REJECT [$sender_host_address]: \
                          bad recipient count high \
                          [${eval:$rcpt_count-$recipients_count}]

  accept  hosts         = +relay_from_hosts
          control       = submission/sender_retain
          control       = dkim_disable_verify

  accept  authenticated = *
          condition     = ${lookup{$authenticated_id}\
                            lsearch{/var/vmail/admin-users}\
                            {yes}{no}}
          control       = submission/sender_retain
          control       = dkim_disable_verify

  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept


.ifdef _HAVE_PRDR
acl_check_prdr:

  warn  set acl_m_did_prdr = y

  accept
.endif

acl_check_data:

  deny    !verify =     header_syntax
          message =     header syntax
          log_message = header syntax ($acl_verify_message)

  accept

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ;\
                        172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ;\
			255.255.255.255 ; ::1
  dnssec_request_domains = *
  no_more

dot_stripping:
  driver = redirect
  data = ${sg{$local_part}{[.]}{}}@$domain

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

vmail_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/var/vmail/aliases}}

vmail_user:
  driver = accept
  local_parts = +vmail_usernames
  transport = vmail_delivery
  cannot_route_message = Unknown user

begin transports

remote_smtp:
  driver = smtp
  dkim_domain = ${sender_address_domain}
  helo_data = ${sender_address_domain}

dkim_selector = mail-salamina
dkim_private_key = /etc/exim/dkim.key

.ifdef _HAVE_DANE
dnssec_request_domains = *
hosts_try_dane = *
.endif

vmail_delivery:
  driver = appendfile
  maildir_format
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  no_check_owner
  group = vmail
  directory = /var/vmail/maildirs/$local_part_data
  directory_mode = 0770
  mode = 0660
  mode_fail_narrower = false

begin retry

# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.

PLAIN:
 driver                     = plaintext
 server_set_id              = $auth2
 server_prompts             = :
 server_condition           = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/var/vmail/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

LOGIN:
 driver                     = plaintext
 server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/var/vmail/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

# Hehe
HAPPY_HACKING:
 driver                     = plaintext
 server_prompts             = <| Login hackera: \
                               | Hasło hackera: \
                               | Ulubiony kolor: \
                               | Imię pierwszego zwierzątka domowego: \
                               | Panieńskie nazwisko Babci od strony Mamy:
 server_condition           = 0
 server_advertise_condition = 1