# SpamBlockerTechnology* powered exim.conf, Version 4.2 # 21-May-2013 11:20 (-0700) # Exim configuration file for DirectAdmin # Requires exim.pl as distributed by DirectAdmin here: # http://files.directadmin.com/services/exim.pl Dated 28-Mar-2008 or later # New version 4.2 removes obsolete dnsbl.njabl.org blocklist # Includes SpamBlockerTechnology blocklists and optimizations: # http://www.nobaloney.net/downloads/spamblocker/ # ClamAV optional # SpamAssassin optional # Dovecot/IMAP Mandatory # *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services: # http://www.nobaloney.net # # WARNING! Do NOT use this exim.conf Exim configuration file unless you # make the required modifications to your Exim configuration # following the instructions in the README file included in this # distribution: # README-SpamBlockerVersion4exim.conf.txt # # The original exim.conf file distributed with Exim 4, includes the # following copyright notice: # # Copyright (C) 2002 University of Cambridge, Cambridge, UK # # Portions of the file are taken from the exim.conf file as # distributed with DirectAdmin (http://www.directadmin.com/) # # Copyright (C) 2003-2011 JBMC Software, St Albert, AB, Canada # # Portions of this file are written by NoBaloney Internet Services # and are copyright as follows: # # Copyright (C) 2004-2011 NoBaloney Internet Services, Riverside, Calif., USA # # The entire Exim 4 distribution, including the exim.conf file, is # distributed under the GNU GENERAL PUBLIC LICENSE, Version 2, # June 1991. If you do not have a copy of the GNU GENERAL PUBLIC LICENSE # you may download it, in it's entirety, from the website at: # # http://www.nobaloney.net/exim/gnu-gpl-v2.txt # # Thanks to all the members of the DirectAdmin community and of the exim # community who have given their # much needed and appreciated help. # # The most recent version of this file may always downloaded from the website # at: http://www.nobaloney.net/downloads/spamblocker # # MODIFICATION INSTRUCTIONS # # YOU MUST MAKE THE CHANGES TO THIS # SpamBlockerTechnology* powered exim.conf, Version 4.0 # file as documented in the README file. # # The README file for this version is named: # README-SpamBlockerVersion4exim.conf.txt # CONFIGURATION STARTS HERE #EDIT#1: # primary_hostname = #EDIT#2-CLAMAV: # av_scanner = clamd:/var/run/clamav/clamd #.include_if_exists /etc/exim.clamav.load.conf #EDIT#3: # qualify_domain = #EDIT#4: perl_startup = do '/etc/exim.pl' #EDIT#5: system_filter = /etc/system_filter.exim #EDIT#6: untrusted_set_sender = * #EDIT#7: daemon_smtp_ports = 25 : 587 : 465 tls_on_connect_ports = 465 #EDIT#8: local_from_check = false #EDIT#9: message_size_limit = 20M smtp_receive_timeout = 5m smtp_accept_max = 100 message_body_visible = 3000 print_topbitchars = true smtp_accept_max_nonmail = 19 smtp_accept_max_per_host = 10 recipients_max = 150 smtp_accept_queue_per_connection = 10 smtp_accept_max_per_connection = 100 #EDIT#10: helo_allow_chars = _ #EDIT#11: log_selector = \ +delivery_size \ +sender_on_delivery \ +received_recipients \ +received_sender \ +smtp_confirmation \ +subject \ +smtp_incomplete_transaction \ -dnslist_defer \ -host_lookup_failed \ -queue_run \ -rejected_header \ -retry_defer \ -skip_delivery \ +arguments #EDIT#12: syslog_duplication = false #EDIT#13: acl_smtp_connect = acl_connect acl_smtp_helo = acl_check_helo acl_smtp_rcpt = acl_check_recipient acl_smtp_data = acl_check_message #EDIT#14: addresslist whitelist_senders = lsearch;/etc/virtual/whitelist_senders addresslist blacklist_senders = lsearch;/etc/virtual/blacklist_senders domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains domainlist whitelist_domains = lsearch;/etc/virtual/whitelist_domains domainlist local_domains = lsearch;/etc/virtual/domains domainlist relay_domains = lsearch;/etc/virtual/domains domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains domainlist skip_rbl_domains = lsearch;/etc/virtual/skip_rbl_domains hostlist auth_relay_hosts = * hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts hostlist bad_sender_hosts_ip = /etc/virtual/bad_sender_hosts_ip hostlist whitelist_hosts = lsearch;/etc/virtual/whitelist_hosts hostlist whitelist_hosts_ip = /etc/virtual/whitelist_hosts_ip #EDIT#15: #domainlist skip_av_domains = lsearch;/etc/virtual/skip_av_domains #EDIT#16: hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts #EDIT#17: never_users = root #EDIT#18: host_lookup = * #EDIT#19: rfc1413_hosts = * rfc1413_query_timeout = 0s #EDIT#20: deliver_queue_load_max = 5.0 queue_only_load = 7.5 queue_run_max = 5 #EDIT#21: ignore_bounce_errors_after = 2d timeout_frozen_after = 3d #EDIT#22: trusted_users = mail:majordomo:apache:diradmin #EDIT#23: tls_certificate = /etc/exim.cert tls_privatekey = /etc/exim.key openssl_options = +no_sslv2 +no_sslv3 tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP tls_advertise_hosts = * #auth_over_tls_hosts = * # Access Control Lists ###################### begin acl #EDIT#24: acl_connect: accept hosts = * #EDIT#25: acl_check_helo: # accept mail originating on this server unconditionally accept hosts = @[] : @ # deny if the HELO pretends to be this host deny message = Bad HELO - Host impersonating hostname [$sender_helo_name] condition = ${if or { \ {match{$sender_helo_name}{$smtp_active_hostname}} \ {eq{$sender_helo_name}{[$interface_address]}} \ } {true}{false} } # deny if the HELO is an IP address deny message = HELO is an IP address (See RFC2821 4.1.3) condition = ${if isip{$sender_helo_name}} # deny if the HELO pretends to be one of the domains hosted on the server deny message = Bad HELO - Host impersonating domain name [$sender_helo_name] condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}} hosts = ! +relay_hosts accept #EDIT#26: acl_check_recipient: # block certain well-known exploits, Deny for local domains if # local parts begin with a dot or contain @ % ! / | deny domains = +local_domains local_parts = ^[.] : ^.*[@%!/|] # restrict port 587 to authenticated users only # see also daemon_smtp_ports above accept hosts = +auth_relay_hosts condition = ${if eq {$interface_port}{587} {yes}{no}} endpass message = relay not permitted, authentication required authenticated = * # Deny all Mailer-Daemon messages not for us: deny message = We didn't send the message senders = : domains = !+relay_domains # Deny if the recipient doesn't exist: deny message = No such recipient here domains = +local_domains !verify = recipient # Remaining Mailer-Daemon messages must be for us accept senders = : domains = +relay_domains #EDIT#27: # 1st deny checks if it's a hostname or IPV4 address with dots or IPV6 address deny message = R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1) !authenticated = * condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}} condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}} ## 2nd deny makes sure the hostname doesn't end with a dot (invalid) # deny message = R2: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1) # !authenticated = * # condition = ${if match{$sender_helo_name}{\N\.$\N}} # 3rd deny makes sure the hostname has no double-dots (invalid) deny message = R3: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1) !authenticated = * condition = ${if match{$sender_helo_name}{\N\.\.\N}} ## 4th deny make sure the hostname doesn't end in .home (invalid domain) # deny message = R4: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1) # !authenticated = * # condition = ${if match{$sender_helo_name}{\N\.home$\N}} #EDIT#28: # warn domains = +skip_av_domains # set acl_m0 = $tod_epoch #EDIT#29: deny domains = !+local_domains local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ #EDIT#30: accept hosts = : logwrite = Whitelisted as having local origination #EDIT#31: accept sender_domains = +whitelist_domains logwrite = $sender_host_address whitelisted in local domains whitelist accept hosts = +whitelist_hosts logwrite = $sender_host_address whitelisted in local hosts whitelist accept hosts = +whitelist_hosts_ip logwrite = $sender_host_address whitelisted in local hosts IP# whitelist # accept if envelope sender is in whitelist accept senders = +whitelist_senders logwrite = $sender_host_address whitelisted in local sender whitelist #EDIT#32: deny message = Email blocked by local blacklist domains = +use_rbl_domains domains = !+skip_rbl_domains senders = +blacklist_senders #EDIT#33: deny message = Email blocked by local blacklist # only for domains that do want to be tested against RBLs domains = +use_rbl_domains domains = !+skip_rbl_domains hosts = +bad_sender_hosts #EDIT#34: deny message = Email blocked by local blacklist hosts = +bad_sender_hosts_ip #EDIT#35: accept domains = +local_domains dnslists = list.dnswl.org logwrite = $sender_host_address whitelisted in list.dnswl.org #EDIT#36: # accept domains = +local_domains # dnslists = hostkarma.junkemailfilter.com=127.0.0.1 # logwrite = $sender_host_address whitelisted in hostkarma.junkemailfilter.com #EDIT#37: # accept local_parts = whitelist # domains = example.com #EDIT#38: require verify = sender #EDIT#39: deny message = Email blockedby local blacklist domains = +use_rbl_domains domains = !+skip_rbl_domains sender_domains = +blacklist_domains #EDIT#40: deny message = Forged Paypal Mail, not sent from PayPal. senders = *@paypal.com condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}} #EDIT#41: deny message = Email blocked by $dnslist_domain hosts = !+relay_hosts domains = +use_rbl_domains domains = !+skip_rbl_domains !authenticated = * dnslists = \ cbl.abuseat.org : \ bl.spamcop.net : \ dnsbl.ahbl.org : \ combined.rbl.msrbl.net : \ b.barracudacentral.org : \ zen.spamhaus.org : \ hostkarma.junkemailfilter.com=127.0.0.2 #EDIT#42: deny message = Email blocked by $dnslist_domain hosts = !+relay_hosts domains = +use_rbl_domains domains = !+skip_rbl_domains !authenticated = * dnslists = \ rhsbl.ahbl.org/$sender_address_domain #COMMENT#43: # ACCEPT EMAIL BEGINNING HERE # accept if address is in a local domain as long as recipient can be verified accept domains = +local_domains endpass message = "Unknown User" verify = recipient #COMMENT#44 # accept if address is in a domain for which we relay as long as recipient # can be verified accept domains = +relay_domains endpass verify = recipient #EDIT#45: accept hosts = +relay_hosts accept hosts = +auth_relay_hosts endpass message = authentication required authenticated = * # FINAL DENY EMAIL BEFORE DATA BEGINS HERE # default at end of acl causes a "deny", but line below will give # an explicit error message: deny message = relay not permitted # ACL that is used after the DATA command (ClamAV) acl_check_message: #EDIT#46: #.include_if_exists /etc/exim.clamav.conf ## accept without checking if in skip_av_domains # accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}} ## deny if email contains malformed MIME header # deny message = This message contains malformed MIME (malformed_MIME:$demime_reason) # demime = * # condition = ${if >{$demime_errorlevel}{2}{1}{0}} ## deny if email containing virus or other harmful content # deny message = This message contains a virus or other harmful content (virus_in_message:$malware_name) # demime = * # malware = * ## deny if email contains an attachment of type we don't accept. # deny message = This message contains an attachment of a type which we do not accept (attachment_not_allow:.$found_extension) # demime = bat:com:pif:prf:scr:vbs:html ## Accept but put warning into headers if message over 1000k # warn message = X-Antivirus-Scanner: Skipped scanning; size over 1000K. You should use an Antivirus Scanner # condition = ${if >={$message_size}{1000k} {1}{0}} # warn message = X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner ## The end of the acl_check_message acl (ClamAV) ## Do NOT comment out the line below or all messages will be denied. accept # AUTHENTICATION CONFIGURATION ############################## begin authenticators plain: driver = plaintext public_name = PLAIN server_prompts = : server_condition = "${perl{smtpauth}}" server_set_id = $2 login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = "${perl{smtpauth}}" server_set_id = $1 #EDIT#47: # REWRITE CONFIGURATION # There is no rewriting specification in this exim.conf file. If your # configuration requires one, it would go here begin routers #EDIT#48: lookuphost: driver = dnslookup domains = ! +local_domains ignore_target_hosts = 127.0.0.0/8 condition = "${perl{check_limits}}" transport = remote_smtp no_more # RELATED: http://help.directadmin.com/item.php?id=153 # smart_route: # driver = manualroute # domains = ! +local_domains # ignore_target_hosts = 127.0.0.0/8 # condition = "${perl{check_limits}}" # route_list = !+local_domains HOSTNAME-or-IP# # transport = remote_smtp #COMMENT#49: #DIRECTORS CONFIGURATION #EDIT#50: #.include_if_exists /etc/exim.spamassassin.conf # spamcheck_director: # driver = accept # condition = "${if and { \ # {!def:authenticated_id} \ # {!def:h_X-Spam-Flag:} \ # {!eq {$received_protocol}{spam-scanned}} \ # {!eq {$received_protocol}{local}} \ # {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \ # {<{$message_size}{100k}} \ # } {1}{0}}" # retry_use_local_part # transport = spamcheck # no_verify majordomo_aliases: driver = redirect allow_defer allow_fail data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}} domains = lsearch;/etc/virtual/domainowners file_transport = address_file group = daemon pipe_transport = majordomo_pipe retry_use_local_part no_rewrite user = majordomo majordomo_private: driver = redirect allow_defer allow_fail #condition = "${if eq {$received_protocol} {local} {true} {false} }" condition = "${if or { {eq {$received_protocol} {local}} \ {eq {$received_protocol} {spam-scanned}} } {true} {false} }" data = ${if exists{/etc/virtual/${domain}/majordomo/private.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/private.aliases}}}} domains = lsearch;/etc/virtual/domainowners file_transport = address_file group = daemon pipe_transport = majordomo_pipe retry_use_local_part user = majordomo domain_filter: driver = redirect allow_filter no_check_local_user condition = "${if exists{/etc/virtual/${domain}/filter}{yes}{no}}" user = "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}" group = "mail" file = /etc/virtual/${domain}/filter directory_transport = address_file pipe_transport = virtual_address_pipe retry_use_local_part no_verify uservacation: # uservacation reply to all except errors, bounces, lists driver = accept condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/vacation.conf}{yes}{no}} require_files = /etc/virtual/${domain}/reply/${local_part}.msg # do not reply to errors and bounces or lists senders = " ! ^.*-request@.*:\ ! ^owner-.*@.*:\ ! ^postmaster@.*:\ ! ^listmaster@.*:\ ! ^mailer-daemon@.*\ ! ^root@.*" transport = uservacation unseen userautoreply: driver = accept condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/autoresponder.conf}{yes}{no}} require_files = /etc/virtual/${domain}/reply/${local_part}.msg # do not reply to errors and bounces or lists senders = " ! ^.*-request@.*:\ ! ^owner-.*@.*:\ ! ^postmaster@.*:\ ! ^listmaster@.*:\ ! ^mailer-daemon@.*\ ! ^root@.*" transport = userautoreply unseen virtual_aliases_nostar: driver = redirect allow_defer allow_fail data = ${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}} file_transport = address_file group = mail pipe_transport = virtual_address_pipe retry_use_local_part unseen #include_domain = true virtual_user: driver = accept condition = ${perl{save_virtual_user}} domains = lsearch;/etc/virtual/domainowners group = mail retry_use_local_part transport = virtual_localdelivery # accept only if local_part is not in the aliases file # (this implements catch-all) virtual_aliases: driver = redirect allow_defer allow_fail condition = ${if eq {}{${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}}{yes}{no}} data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}} file_transport = address_file group = mail pipe_transport = virtual_address_pipe retry_use_local_part #include_domain = true #COMMENT#51: drop_solo_alias: driver = redirect allow_defer allow_fail data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch{/etc/virtual/$domain/aliases}}}} file_transport = devnull group = mail pipe_transport = devnull retry_use_local_part #include_domain = true #COMMENT#52: userforward: driver = redirect allow_filter check_ancestor check_local_user no_expn file = $home/.forward file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply no_verify system_aliases: driver = redirect allow_defer allow_fail data = ${lookup{$local_part}lsearch{/etc/aliases}} file_transport = address_file pipe_transport = address_pipe retry_use_local_part # user = exim localuser: driver = accept check_local_user condition = "${if eq {$domain} {$primary_hostname} {yes} {no}}" transport = local_delivery #COMMENT#53: # TRANSPORTS CONFIGURATION begin transports #COMMENT#54: spamcheck: driver = pipe batch_max = 100 command = /usr/sbin/exim -oMr spam-scanned -bS current_directory = "/tmp" group = mail home_directory = "/tmp" log_output message_prefix = message_suffix = return_fail_output no_return_path_add transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}} use_bsmtp user = mail #COMMENT#55: majordomo_pipe: driver = pipe group = daemon return_fail_output user = majordomo #COMMENT#56: local_delivery: driver = appendfile delivery_date_add envelope_to_add directory = /home/$local_part/Maildir/ directory_mode = 770 create_directory = true maildir_format group = mail mode = 0660 return_path_add user = ${local_part} #COMMENT#57: virtual_localdelivery: driver = appendfile create_directory delivery_date_add directory_mode = 770 envelope_to_add directory = /home/${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}/imap/${domain}/${local_part}/Maildir maildir_format group = mail mode = 660 return_path_add user = "${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}" quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain}/quota}{$value}{0}}}{0}} #EDIT#58: uservacation: driver = autoreply file = /etc/virtual/${domain}/reply/${local_part}.msg from = "${local_part}@${domain}" log = /etc/virtual/${domain}/reply/${local_part}.log no_return_message subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {I am on vacation}}" text = "\ ------ ------\n\n\ This message was automatically generated by email software\n\ The delivery of your message has not been affected.\n\n\ ------ ------\n\n" to = "${sender_address}" user = mail once = /etc/virtual/${domain}/reply/${local_part}.once once_file_size = 100K once_repeat = 2d #COMMENT#59: userautoreply: driver = autoreply bcc = ${lookup{${local_part}} lsearch {/etc/virtual/${domain}/autoresponder.conf}{$value}} file = /etc/virtual/${domain}/reply/${local_part}.msg from = "${local_part}@${domain}" log = /etc/virtual/${domain}/reply/${local_part}.log no_return_message subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {Autoreply Message}}" to = "${sender_address}" user = mail once = /etc/virtual/${domain}/reply/${local_part}.once once_file_size = 100K once_repeat = 2d #COMMENT#60: devnull: driver = appendfile file = /dev/null #COMMENT#61: remote_smtp: driver = smtp #EDIT#62: address_pipe: driver = pipe return_output virtual_address_pipe: driver = pipe group = nobody return_output user = "${lookup{$domain}lsearch* {/etc/virtual/domainowners}{$value}}" #COMMENT#63: address_file: driver = appendfile delivery_date_add envelope_to_add return_path_add #COMMENT#64: address_reply: driver = autoreply #EDIT#65: # RETRY CONFIGURATION # Domain Error Retries # ------ ----- ------- begin retry * * F,2h,15m; G,16h,1h,1.5; F,4d,8h # End of Exim 4 configuration