aboutsummaryrefslogtreecommitdiff
# SPDX-License-Identifier: GPL-2.0-or-later and CC0-1.0
# Copyright (c) 2004-2023 University of Cambridge
# Copyright (C) 2023 Wojtek Kosior <koszko@koszko.org>

# Changes by Wojtek are available under CC0.

# Adapted from
# https://git.exim.org/exim.git/blob/3e6d406e8ae9681a8cc1b404e7f5d1bd6d65d201:/src/src/configure.default

spool_directory = /var/spool/exim
log_file_path = $spool_directory/log/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error \
        +tls_certificate_verified +tls_peerdn

domainlist local_domains = @:localhost:koszko.org:koszkonutek-tmp.pl.eu.org
domainlist relay_to_domains =
hostlist   relay_from_hosts = : 127.0.0.1 : ::::1

acl_smtp_rcpt =         acl_check_rcpt
.ifdef _HAVE_PRDR
# currently does nothing
acl_smtp_data_prdr =    acl_check_prdr
.endif
acl_smtp_data =         acl_check_data

tls_certificate = /etc/cert-links/guixbot_koszko.org/fullchain.pem
tls_privatekey = /etc/cert-links/guixbot_koszko.org/privkey.pem

tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                               {/etc/ssl/certs/ca-certificates.crt}\
			       {/dev/null}}

.ifdef _HAVE_GNUTLS
tls_dhparam = historic
.endif

# For OpenSSL, prefer EC- over RSA-authenticated ciphers
.ifdef _HAVE_OPENSSL
tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
.endif

daemon_smtp_ports = 25 : 12525 : 465 : 587
tls_on_connect_ports = 465 : 587

primary_hostname = koszko.org
qualify_domain = koszko.org

never_users = root

host_lookup = *

dns_dnssec_ok = 1

#rfc1413_hosts = *
#rfc1413_query_timeout = 5s

.ifdef _HAVE_PRDR
prdr_enable = true
.endif

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

freeze_tell = admin

check_rfc2047_length = false

accept_8bitmime = false

keep_environment =

begin acl

acl_check_rcpt:

  accept  hosts = :
          control = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|`#&?]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  deny    condition     = ${if and {\
                        {>{$rcpt_count}{10}}\
                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
          message       = Rejected for too many bad recipients
          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]

  accept  hosts         = +relay_from_hosts
          control       = submission/sender_retain
          control       = dkim_disable_verify

  accept  authenticated = *
          # TODO: only use this for email sent by the admin
          control       = submission/sender_retain
          control       = dkim_disable_verify

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept


.ifdef _HAVE_PRDR
acl_check_prdr:

  warn  set acl_m_did_prdr = y

  accept
.endif

acl_check_data:

  deny    !verify =     header_syntax
          message =     header syntax
          log_message = header syntax ($acl_verify_message)

  accept

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ;\
                        172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ;\
			255.255.255.255 ; ::1
  dnssec_request_domains = *
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply

localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

begin transports

remote_smtp:
  driver = smtp

dkim_domain = koszko.org
dkim_selector = mail
dkim_private_key = /etc/exim/dkim.pem

.ifdef _HAVE_DANE
dnssec_request_domains = *
hosts_try_dane = *
.endif

local_delivery:
  driver = appendfile
  directory = $home/Maildir
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format
  directory_mode = 0700
  mode = 0600
  mode_fail_narrower = false

address_pipe:
  driver = pipe
  return_fail_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry

# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.

PLAIN:
 driver                     = plaintext
 server_set_id              = $auth2
 server_prompts             = :
 server_condition           = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

LOGIN:
 driver                     = plaintext
 server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

# Hehe
HAPPY_HACKING:
 driver                     = plaintext
 server_set_id              = $auth1
 server_prompts             = <| Login hackera: \
                               | Hasło hackera: \
                               | Ulubiony kolor: \
                               | Imię pierwszego zwierzątka domowego: \
                               | Panieńskie nazwisko Babci od strony Mamy:
 server_condition           = 0
 server_advertise_condition = 1