exim4.conf

# before making this live, check for syntax problems:
# exim -C exim4.conf -bV

# primary_hostname =

VDOMAINS=/etc/exim4/vdomains

admin_groups = richardc

trusted_users = richardc

domainlist virtual_domains = dsearch;VDOMAINS/

domainlist local_domains = @ : +virtual_domains
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

spamd_address = 127.0.0.1 783

# qualify_domain =
# qualify_recipient =

# allow_domain_literals
never_users = root
host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 5s

# sender_unqualified_hosts =
# recipient_unqualified_hosts =

# queue everything if the load is too high
#queue_only_load = 1

# abort queue delivery if the load is too high
deliver_queue_load_max = 2

smtp_accept_max = 20
smtp_accept_max_per_host = 4

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

add_environment = <; PATH=/bin:/usr/bin
keep_environment =

tls_advertise_hosts  = *
tls_certificate = /etc/letsencrypt/live/mail.unixbeard.net/fullchain.pem
tls_privatekey  = /etc/letsencrypt/live/mail.unixbeard.net/privkey.pem

tls_require_ciphers = ${if =={$received_port}{25}\
    {NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5}\
    {SECURE128}}


begin acl

acl_check_helo:
  accept  hosts = :

  deny    message       = "HELO/EHLO required by SMTP RFC"
          condition     = ${if eq{$sender_helo_name}{}{yes}{no}}

  accept


acl_check_rcpt:
  accept  hosts = :

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
 
  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission

  accept  authenticated = *
          control       = submission

  # require verify = csa

  deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = zen.spamhaus.org

  accept  domains       = +local_domains
          endpass
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  # Use "spfquery" to obtain SPF status for this particular sender/host.
  # If the return code of that command is 3, this is an unauthorized sender.
  #
  deny
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain.
    log_message = SPF check failed.
    set acl_m9  = -ip=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
    condition   = ${if eq {$runrc}{3}{true}{false}}

  deny    message       = relay not permitted


acl_check_data:
  warn    spam      = nobody
          message   = X-is-spam: yes\n\
                      X-Spam-Report: $spam_report

  warn    message   = X-Spam-Score: $spam_score\n\
                      X-Spam-Score-Int: $spam_score_int\n\
                      X-Spam-Bar: $spam_bar

  accept


begin authenticators

# note:  add exim user to the shadow group to let this work
pam_login:
  driver                     = plaintext
  public_name                = LOGIN
  server_advertise_condition = ${if def:tls_cipher}
  server_prompts             = Username:: : Password::
  server_condition           = "${if pam {$1:$2}{yes}{no}}"


begin routers

virtual_domains:
  driver = redirect
  domains = +virtual_domains
  local_part_suffix = +* 
  local_part_suffix_optional
  data = ${lookup{$local_part} lsearch*{VDOMAINS/$domain}}
  pipe_transport = address_pipe
  no_more

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  local_part_suffix = +* : -*
  local_part_suffix_optional
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
  file_transport = address_file
  pipe_transport = address_pipe
  directory_transport = address_directory

userforward:
  driver = redirect
  check_local_user
  local_part_suffix = +* : -*
  local_part_suffix_optional
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  directory_transport = address_directory

localuser:
  driver = accept
  check_local_user
  local_part_suffix = +* : -*
  local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user


begin transports

remote_smtp:
  driver = smtp

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_directory:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format

address_reply:
  driver = autoreply


begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h