# SPDX-License-Identifier: GPL-2.0-or-later and CC0-1.0
# Copyright (c) 2004-2023 University of Cambridge
# Copyright (C) 2023 Wojtek Kosior <koszko@koszko.org>

# Changes by Wojtek are available under CC0.

# Adapted from
# https://git.exim.org/exim.git/blob/3e6d406e8ae9681a8cc1b404e7f5d1bd6d65d201:/src/src/configure.default

# Spool location and per-log-type file naming (%s becomes main/reject/panic).
spool_directory = /var/spool/exim
log_file_path = $spool_directory/log/%slog
# Log SMTP protocol/syntax errors and, for TLS sessions, whether the peer
# certificate verified and its DN.  Useful when investigating abuse, since
# the default selector records neither.
log_selector = +smtp_protocol_error +smtp_syntax_error \
        +tls_certificate_verified +tls_peerdn

# Domains delivered locally ("@" = primary_hostname).  relay_to_domains is
# deliberately empty: this host relays for nobody by domain; relaying is
# granted only to relay_from_hosts and to authenticated clients (see
# acl_check_rcpt).
domainlist local_domains = @:localhost:koszko.org:koszkonutek-tmp.pl.eu.org
domainlist relay_to_domains =
# The empty leading item matches messages with no remote host (local
# submission, cf. "accept hosts = :" in acl_check_rcpt); "::::1" is the
# colon-separated-list spelling of the IPv6 loopback address ::1.
hostlist   relay_from_hosts = : 127.0.0.1 : ::::1

# ACLs bound to SMTP stages: recipient check at RCPT, the per-recipient
# DATA hook when PRDR is compiled in, and the message-level DATA check.
# NOTE(review): acl_smtp_connect, acl_smtp_mail and acl_smtp_auth are not
# set in this file, so no policy runs at those stages (no AUTH rate limit).
acl_smtp_rcpt =         acl_check_rcpt
.ifdef _HAVE_PRDR
# acl_check_prdr only records that PRDR ran; nothing consumes that flag yet.
acl_smtp_data_prdr =    acl_check_prdr
.endif
acl_smtp_data =         acl_check_data

# Server certificate chain and private key.  The fullchain/privkey naming
# suggests certbot-style ACME issuance behind the symlink directory -- not
# verifiable from this file.  The key must stay unreadable to other users.
tls_certificate = /etc/cert-links/guixbot_koszko.org/fullchain.pem
tls_privatekey = /etc/cert-links/guixbot_koszko.org/privkey.pem

# CA bundle for verifying certificates presented by *clients* of this
# server; falls back to /dev/null (verify nothing) if the system bundle is
# missing rather than failing to start.
# NOTE(review): tls_verify_hosts / tls_try_verify_hosts are not set here, so
# client certificates are not actually requested; verification of servers
# we connect to is a transport-level option and is not configured in this
# file -- confirm against the running Exim version's defaults.
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                               {/etc/ssl/certs/ca-certificates.crt}\
			       {/dev/null}}

.ifdef _HAVE_GNUTLS
# GnuTLS needs DH parameters; "historic" selects Exim's built-in legacy
# set.  NOTE(review): tolerable while ECDHE suites are preferred, but a
# site-generated parameter file is the stronger choice if DHE matters.
tls_dhparam = historic
.endif

# For OpenSSL, prefer EC- over RSA-authenticated ciphers
.ifdef _HAVE_OPENSSL
tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
.endif

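# Listen on SMTP relay (25), implicit-TLS submission (465), STARTTLS
# submission (587) and a non-standard extra port whose purpose is not
# documented here.
daemon_smtp_ports = 25 : 12525 : 465 : 587
# Only 465 is implicit TLS (RFC 8314); 587 is STARTTLS per RFC 6409, and
# listing it here made standards-following submission clients fail their
# handshake on that port.  Credentials are still never solicited in the
# clear: PLAIN and LOGIN are advertised only once tls_in_cipher is set
# (see the authenticators section).
tls_on_connect_ports = 465

# Name used in HELO/EHLO, Received: headers and "@" in domain lists;
# unqualified local parts are qualified with the same domain.
primary_hostname = koszko.org
qualify_domain = koszko.org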

# Refuse to run any local delivery as root, whatever a router/transport asks.
never_users = root

# Reverse-resolve every connecting host (names then appear in logs and are
# usable in host lists).
host_lookup = *

# Ask the resolver for DNSSEC-validated answers.  Only meaningful if the
# local resolver actually validates -- confirm.
dns_dnssec_ok = 1

#rfc1413_hosts = *
#rfc1413_query_timeout = 5s

.ifdef _HAVE_PRDR
prdr_enable = true
.endif

# Discard bounce messages that cannot themselves be delivered after 2 days
# instead of freezing them forever.
ignore_bounce_errors_after = 2d

# Frozen messages are cancelled after a week.
timeout_frozen_after = 7d

# Notify this local address whenever a message is frozen.
# NOTE(review): "admin" must route locally (presumably via /etc/aliases) or
# the notification itself fails -- confirm.
freeze_tell = admin

# Allow RFC 2047 encoded words longer than the 75-character limit.
check_rfc2047_length = false

# Do not advertise 8BITMIME; Exim still passes 8-bit data through unchanged.
accept_8bitmime = false

# Empty environment for every process Exim spawns (pipes, lookups,
# transports).  Exim warns at startup if this is left unset, because
# inherited environment variables have been an injection vector.
keep_environment =

begin acl

acl_check_rcpt:

  # Messages from local processes (no remote host) are accepted outright and
  # skip DKIM verification.
  accept  hosts = :
          control = dkim_disable_verify

  # Local parts for local domains: no leading dot, none of the shell/route
  # metacharacters that pipes or aliases could misinterpret.
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|`#&?]

  # Remote domains get a stricter rule: also no leading "/" or "|" and no
  # "/../" path traversal anywhere in the local part.
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./

  # postmaster@<local domain> is always reachable, even from senders that
  # would fail verification below (RFC 5321 requirement).
  accept  local_parts   = postmaster
          domains       = +local_domains

  # Envelope sender must be routable (routing check only, no callout).
  require verify        = sender

  # Directory-harvest defence: after 10 RCPTs, reject once fewer than half
  # of them were accepted.  The number of rejected recipients is logged.
  deny    condition     = ${if and {\
                        {>{$rcpt_count}{10}}\
                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
          message       = Rejected for too many bad recipients
          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]

  # Loopback clients may relay anywhere; treated as submission, DKIM
  # verification skipped.
  accept  hosts         = +relay_from_hosts
          control       = submission/sender_retain
          control       = dkim_disable_verify

  # Authenticated clients may relay anywhere.
  # NOTE(review): nothing ties the envelope sender or From: to
  # $authenticated_id, so any account in /etc/exim/passwd can submit mail
  # as any address, and sender_retain stops submission mode from adding the
  # Sender: header that would otherwise expose that.  If accounts map 1:1 to
  # local addresses, a "senders" condition on this verb (or a preceding
  # deny) closes the gap -- TODO confirm the intended policy.
  accept  authenticated = *
          # TODO: only use this for email sent by the admin
          control       = submission/sender_retain
          control       = dkim_disable_verify

  # Everyone else may only deliver to domains we handle or relay for
  # (relay_to_domains is empty, so effectively local domains only).
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  # Reject unknown local recipients at RCPT time instead of bouncing later.
  require verify = recipient

  accept


.ifdef _HAVE_PRDR
# Per-recipient DATA ACL (PRDR).  Only records that it ran; the flag is
# not consulted anywhere in this file, so every recipient is accepted.
acl_check_prdr:

  warn  set acl_m_did_prdr = y

  accept
.endif

acl_check_data:

  # Reject messages with syntactically invalid header lines.  The sender
  # sees only "header syntax"; the specific complaint goes to the log.
  deny    !verify =     header_syntax
          message =     header syntax
          log_message = header syntax ($acl_verify_message)

  # NOTE(review): no DKIM/SPF/DMARC, spam or malware checks run at DATA
  # time, and acl_m_did_prdr (set in acl_check_prdr) is never used here.
  accept

begin routers

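# Route non-local domains via DNS (MX, then A/AAAA) to the smtp transport.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  # Never deliver to targets that resolve to unroutable, loopback,
  # link-local or private addresses: a hostile or broken DNS record must
  # not make this host connect to internal services.  IPv6 link-local
  # (fe80::/10) and unique-local (fc00::/7) ranges are covered alongside
  # their IPv4 counterparts; "<;" switches the list separator so IPv6
  # addresses can be written with colons.
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ;\
                        172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ;\
                        255.255.255.255 ; ::1 ; fe80::/10 ; fc00::/7
  # Request DNSSEC-validated answers (the transport's DANE use relies on
  # the same flag).
  dnssec_request_domains = *
  # If DNS routing fails, do not fall through to the local routers.
  no_more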

# Expand /etc/aliases entries keyed by local part.  allow_fail/allow_defer
# let alias data use :fail: and :defer: to reject or delay delivery.  This
# router also runs during "verify = recipient", so aliased addresses are
# accepted at RCPT time.
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

# Honour ~/.forward for existing local users.  Runs as the user (set by
# check_local_user), is skipped during address verification and EXPN, and
# check_ancestor prevents forwarding loops back to an ancestor address.
# Pipe and file deliveries requested from .forward go through the
# address_pipe/address_file transports below, executed as that user.
# allow_filter stays disabled: Exim filter files give users a far more
# expressive (and harder to audit) delivery language than plain .forward.
userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply

# Final local router: deliver to an existing system account's Maildir.
# For a non-existent user the address fails to route, and the message text
# below is what "verify = recipient" reports back at RCPT time.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

begin transports

# Outbound SMTP.  Options below are indented to make clear they belong to
# this transport (Exim does not require the indentation, but the previous
# column-0 layout read as if they were main-section settings).
remote_smtp:
  driver = smtp
  # DKIM-sign every outbound message with the koszko.org key under selector
  # "mail" (mail._domainkey.koszko.org).  The key file must be readable by
  # the Exim user only.
  # NOTE(review): the signing domain is fixed, so mail from the other local
  # domain carries a third-party signature that will not satisfy DMARC
  # alignment for that domain -- confirm this is intended.
  dkim_domain = koszko.org
  dkim_selector = mail
  dkim_private_key = /etc/exim/dkim.pem
.ifdef _HAVE_DANE
  # Opportunistic DANE: request DNSSEC answers and, when the destination
  # publishes TLSA records, require a matching certificate.
  dnssec_request_domains = *
  hosts_try_dane = *
.endif

# Maildir delivery into the user's home.  Directories are created 0700 and
# files 0600 so other local users cannot read mail; mode_fail_narrower =
# false means an existing file with tighter permissions is still written.
# Delivery-date:, Envelope-to: and Return-path: headers are added.
local_delivery:
  driver = appendfile
  directory = $home/Maildir
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format
  directory_mode = 0700
  mode = 0600
  mode_fail_narrower = false

# Pipe deliveries requested from a user's .forward, run as that user.
# return_fail_output sends the command's output back to the message sender
# when the command fails -- the stock behaviour, but note it echoes local
# command output to remote senders.
address_pipe:
  driver = pipe
  return_fail_output

# Append-to-file deliveries requested from .forward (path comes from the
# user's own file and is written as that user).
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

# Auto-replies generated by .forward entries.
address_reply:
  driver = autoreply

begin retry

# Address or Domain    Error       Retries
# -----------------    -----       -------
# Single rule for every domain and error: retry every 15 minutes for the
# first 2 hours, then at intervals starting at 1 hour and growing by x1.5
# until 16 hours have passed, then every 6 hours until 4 days, after which
# the address fails.

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

begin authenticators

# PLAIN authentication has no server prompts: the client sends one blob
# holding an authorization ID (ignored here), an authentication ID ($auth2)
# and a password ($auth3).  The password is checked with crypteq against
# the first colon-separated field of the matching line in /etc/exim/passwd
# (format "user: <crypt-style hash>[:...]").  An unknown user yields "*:*",
# whose "*" field can never equal a crypt() result, so the check fails
# without a separate "no such user" path (timing aside).  The mechanism is
# advertised only after TLS is up (tls_in_cipher set), so credentials are
# never solicited in the clear.
# NOTE(review): /etc/exim/passwd must be readable by the Exim user only,
# and nothing in this file rate-limits failed AUTH attempts (acl_smtp_auth
# is unset) -- consider a log-based lockout.

PLAIN:
 driver                     = plaintext
 server_set_id              = $auth2
 server_prompts             = :
 server_condition           = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

# LOGIN authentication has traditional prompts and responses.  There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password arrive as $auth1 and $auth2; the password check against
# /etc/exim/passwd is otherwise identical to PLAIN's, and the mechanism is
# likewise offered only on TLS-protected sessions.

LOGIN:
 driver                     = plaintext
 server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
 server_advertise_condition = ${if def:tls_in_cipher }

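# Decoy mechanism (a joke, not a real login).  The prompts, in Polish, ask
# for a "hacker login", "hacker password", favourite colour, first pet's
# name and maternal grandmother's maiden name, and the condition then
# always rejects.  It is now advertised only once TLS is established, like
# PLAIN and LOGIN: a client that takes the prompts at face value may type
# real secrets, and those must not cross the wire in the clear.  The prompt
# strings are protocol data and are kept verbatim.
HAPPY_HACKING:
 driver                     = plaintext
 server_set_id              = $auth1
 server_prompts             = <| Login hackera: \
                               | Hasło hackera: \
                               | Ulubiony kolor: \
                               | Imię pierwszego zwierzątka domowego: \
                               | Panieńskie nazwisko Babci od strony Mamy:
 # Unconditional failure: no combination of answers authenticates.
 server_condition           = 0
 server_advertise_condition = ${if def:tls_in_cipher }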