#
# $Id$
#
# Master configuration file for *.infradead.org Exim hosts.
#

# Let anyone run 'exim -bp' (list the queue). This shows the envelope
# sender and recipients of every queued message to any local account;
# set it back to true on hosts where local users are not all trusted.
queue_list_requires_admin = false

# ACLs (defined in the "begin acl" section below). Only RCPT and DATA
# have ACLs here. With acl_smtp_etrn / acl_smtp_vrfy unset Exim rejects
# ETRN and VRFY outright, which is the safe default, so leave these
# commented out until the named ACLs actually exist.
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
#acl_smtp_etrn = check_etrn
#acl_smtp_vrfy = check_vrfy

# SA-Exim: dynamically loaded local_scan() module (SpamAssassin hook).
# It is loaded into the receiving Exim process, so the .so must be
# writable by root only.
local_scan_path = /usr/libexec/exim/sa-exim.so

# Per-host include ($primary_hostname.base.conf). It is expected to define:
#   hostlist   relay_hosts          (used by the relay decision in check_recipient)
#   domainlist extra_local_domains  (referenced by local_domains below)
# These two have sane defaults and are optional there:
#   qualify_recipient
#   primary_hostname
# NOTE(review): the file name is relative and contains a $ variable;
# confirm that this Exim version expands variables on .include lines and
# resolves a non-absolute path the way this deployment expects.

.include $primary_hostname.base.conf

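# Domain appended to unqualified sender addresses from local submissions
# (qualify_recipient defaults to the same value unless the per-host
# include overrides it).
qualify_domain = infradead.org

# Domains delivered locally: this host's own name (@), its IP literals
# (@[]) and whatever the per-host include puts in extra_local_domains.
domainlist local_domains = @ : @[] : +extra_local_domains

# Orphaned continuation lines, apparently left behind when the
# extra_local_domains definition moved to the per-host include (see the
# comment block above). With no option name in front of them Exim cannot
# parse them as a main option, so they are disabled here; delete them
# once the per-host include is confirmed to carry these domains.
# pentafluge.infradead.org : lists.infradead.org

# Virtual domains are those with an alias file under /etc/exim/virtual
# (one file per domain). Relay domains come from /etc/exim/relay-domains;
# partial1 means keys such as *.example.org match subdomains, and a key
# with a single remaining component (e.g. *.org) would match every domain
# under that TLD, so review wildcard entries in that file.
domainlist virtual_domains = dsearch;/etc/exim/virtual
domainlist relay_domains = partial1-lsearch;/etc/exim/relay-domains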

# Hosts whose mail skips the DNSBL check and the sender callout in
# check_recipient (see the "!+trust_hosts" conditions there).
hostlist trust_hosts = pentafluge.infradead.org : \
		       baythorne.infradead.org : \
		       canuck.infradead.org : \
		       phoenix.infradead.org : \
		       vger.kernel.org

# Local users allowed to set the envelope sender on locally submitted
# mail; root is never used as a delivery uid.
trusted_users = mail
never_users = root

# Take the user's full name from the GECOS field, up to the first
# comma or colon.
gecos_pattern = ^([^,:]*)
gecos_name = $1

# Extra log items: address rewrites, the remote server's final response
# on delivery, and the TLS cipher / peer certificate DN of connections.
log_selector =  \
              +address_rewrite \
              +smtp_confirmation \
              +tls_cipher \
              +tls_peerdn

# Global system filter to check reply/references and add warnings.
# It runs for every message before routing and, unless system_filter_user
# is set, with elevated privileges (root on older Exim versions), so the
# filter file must be writable by root only.
system_filter = /etc/exim/reply_filter

# Allow SMTP AUTH only if encrypted: $tls_cipher is empty on a non-TLS
# session, so AUTH is then advertised to localhost only; once TLS is up
# it is advertised to everyone. This keeps the PLAIN/LOGIN credentials
# used by the authenticators below from crossing the network in clear.
auth_advertise_hosts = ${if eq{$tls_cipher}{}{localhost}{*}}

# Do reverse DNS for logging purposes on all connecting machines
host_lookup = *

# Load control: after 100 messages on one SMTP connection the rest are
# queued instead of delivered immediately; above load average 20 new
# SMTP connections are accepted only from smtp_reserve_hosts (if the
# per-host include sets it); queue runs stop and incoming mail is
# queued rather than delivered immediately above load average 15.
smtp_accept_queue_per_connection = 100
smtp_load_reserve = 20
deliver_queue_load_max = 15
queue_only_load = 15
# Advertise 8BITMIME in the EHLO response.
accept_8bitmime

# Offer STARTTLS to every client. Certificate and private key share one
# PEM file, so that file holds the key and must be readable by the Exim
# user only.
tls_advertise_hosts = *
tls_certificate = /usr/share/ssl/certs/exim.pem
tls_privatekey = /usr/share/ssl/certs/exim.pem

# Received: header template. The string is double-quoted, so \n\t
# produce folded continuation lines. It records the remote host, the
# ident and HELO name when known, the protocol, the Exim version and
# the message id.
received_header_text = "Received: \
         ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
         {${if def:sender_ident {from ${sender_ident} }}\
         ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
         by ${primary_hostname} \
         ${if def:received_protocol {with ${received_protocol}}} \
         (Exim ${version_number} #${compile_number} (Red Hat Linux))\n\t\
         id ${message_id}\
         ${if def:received_for {\n\tfor <$received_for>}}"

# Address notified whenever a message is frozen.
freeze_tell = postmaster@pentafluge.infradead.org

######################################################################
#                        ACCESS CONTROL LISTS                        #
######################################################################

begin acl

#!!# ACL that is used after the RCPT command

check_recipient:
  # Deny local parts containing @ % ! / | anywhere (source-routing and
  # pipe characters that are rarely legitimate) or starting with a dot.
  # The doubled backslash is meant to reach the regex as a single one
  # (^\.) after expansion; confirm with 'exim -be' if in doubt.
  deny    local_parts	= ^.*[@%!/|] : ^\\.

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  accept  local_parts	= postmaster
          domains	= +local_domains : +relay_domains : +virtual_domains

  # Accept mail sent with authentication. Because this statement comes
  # first, authenticated clients may relay anywhere and skip the sender
  # verification, DNSBL and callout checks that follow.
  accept authenticated	= *

  # Deny obviously bogus sender (routing check only, no callout yet).
  require  verify	= sender

  # DNSBL check for every host except the trusted ones, and except
  # recipients listed in rbl-except-recipients (a file keyed by domain
  # whose data lists the local parts; Exim's "@@" address-list form).
  # NOTE(review): list.dsbl.org and relays.ordb.org are no longer
  # operated (both shut down in the late 2000s). A dead list gives no
  # protection and a repurposed zone can answer positively for every
  # query, rejecting all mail; replace them with a maintained DNSBL.
  # The \n in the message gives a two-line SMTP response.
  deny    hosts		= !+trust_hosts
	  !recipients   = @@lsearch;/etc/exim/rbl-except-recipients
          message	= host is listed in $dnslist_domain blacklist\nMail postmaster@infradead.org if you think this is in error
          dnslists	= list.dsbl.org : relays.ordb.org

  # Deny unknown recipient at local or virtual domain (routing check only).
  deny	   domains	= +local_domains : +virtual_domains
	   !verify	= recipient
	   message	= Unknown recipient

  # Deny unknown recipient at relay domain, with callout but accepting
  # temporary failures (else backup MX is pointless anyway). "random"
  # first probes a random local part so catch-all targets are detected.
  deny	   domains	= +relay_domains
	   !verify	= recipient/defer_ok/callout=20s,random,defer_ok
	   message	= Unknown recipient at target domain
			
  # Now do a callout to verify the sender, except if the message comes
  # from a host we have faith in. The callout may take up to 70s inside
  # the RCPT command, so clients with short timeouts can give up first.
  require  verify	= sender/callout=70s,random,postmaster
           !hosts       = +trust_hosts
#          message	= Sender address verification failed.

  # Relay decision: accept for the domains this host handles and for
  # relay_hosts (from the per-host include); everything else is refused.
  # The final accept is unreachable after the unconditional deny.
  accept  domains	= +local_domains : +virtual_domains : +relay_domains
  accept  hosts		= +relay_hosts
  deny	  message	= Relay not permitted.
  accept


#!!# ACL that is used after the DATA command

check_message:
  # Be a little more lenient for bounces: messages with an empty envelope
  # sender skip the header checks below entirely.
  accept  senders	= :

  # Require a little standards compliance.
  require verify	= header_syntax
          message	= Invalid address in message header. Consult RFC2822.
 
  # Deny messages without Message-ID, except from the loopback addresses
  # ("<;" switches the list separator so ::1 can be written). The
  # condition treats a Message-ID equal to the one Exim itself generates
  # as "absent" -- presumably Exim has already added its own header by
  # the time the DATA ACL runs; confirm on this version.
  deny    hosts     = <; !127.0.0.1 ; !::1
          condition = ${if eq {$h_message-id:}{<E$message_id@$primary_hostname>} {1}}
          message   = Absent Message-ID.
  accept

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

begin rewrite

# Per-host address rewriting rules.
.include $primary_hostname.rewrites.conf

######################################################################
#                      ROUTERS CONFIGURATION                         #
######################################################################

begin routers

# Virtual domains are those with an alias file under /etc/exim/virtual.
# Role addresses go to the central postmaster; every other local part
# must appear in the domain's alias file, otherwise virtual_domains
# (which has no_more set) rejects it.

# Standard role addresses at any virtual domain are redirected to the
# central postmaster, regardless of that domain's alias file.
virtual_postmaster:
  driver = redirect
  domains = dsearch;/etc/exim/virtual
  local_parts = postmaster:root:abuse:mailer-daemon
  data = postmaster@pentafluge.infradead.org

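# Alias lookup for virtual domains. dsearch only matches domains that
# exist as files in /etc/exim/virtual, so $domain can only name a file
# in that directory; the local part is then looked up in that file.
virtual_domains:
  driver = redirect
  domains = dsearch;/etc/exim/virtual
  data = ${lookup{$local_part}lsearch{/etc/exim/virtual/$domain}}
  # Record the rewrite in a header. Uses $original_domain; the previous
  # $originaldomain is not an Exim variable and would fail the expansion.
  headers_add = X-Infradead-Aliases: $original_local_part@$original_domain rewritten to $local_part@$domain by $primary_hostname
  # Alias data may use :defer: and :fail: ...
  allow_defer
  allow_fail
  # ... but never deliver to a file or a pipe: no user or file/pipe
  # transport is set on this router, so such targets are refused.
  forbid_file
  forbid_pipe
  retry_use_local_part
  # Unknown local parts are rejected here rather than falling through
  # to the local-user routers below.
  no_more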

# For the real infradead domains, use aliases if they're present
# else continue normally. This is just an optimisation.
# NOTE(review): unlike virtual_domains this router sets neither
# forbid_file/forbid_pipe nor a file/pipe transport or user, so file
# and pipe targets in /etc/exim/aliases/* cannot be delivered; add
# forbid_file and forbid_pipe if such targets are never intended.
infradead_aliases:
  driver = redirect
  domains = dsearch;/etc/exim/aliases
  data = ${lookup{$local_part}lsearch{/etc/exim/aliases/$domain}}

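# Normal remote SMTP delivery: MX/A lookup for every non-local domain.
lookuphost:
  driver = dnslookup
  domains = ! +local_domains
  # Treat DNS answers pointing at the unspecified or loopback address as
  # if the host did not exist; otherwise a bogus MX/A record makes this
  # host connect to itself and loop the message.
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  transport = remote_smtp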

# Non-local addresses whose domain is an IP literal (user@[192.0.2.1]);
# a failure here is final because of no_more.
literal:
  driver = ipliteral
  transport = remote_smtp
  domains = ! +local_domains
  no_more

# "real-<user>" delivers straight to the user's mailbox, bypassing
# .forward and procmail (userforward's syntax_errors_to relies on it).
# Anyone may address a local user this way.
real_localuser:
  driver = accept
  local_part_prefix = real-
  transport = local_delivery
  check_local_user

# Classic /etc/aliases expansion. Pipe and file targets found in the
# alias data are delivered through the address_pipe / address_file
# transports as user "mail"; the data may also use :defer: and :fail:.
system_aliases:
  driver = redirect
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = mail
  pipe_transport = address_pipe
  file_transport = address_file
  allow_fail
  allow_defer
  retry_use_local_part

.ifdef MAILMAN_HOME
# Mailman routers, only compiled in when the MAILMAN_HOME macro is set
# (presumably by the per-host include, together with MAILMAN_DOMAINS).
# require_files is an existence check only: the list exists when its
# config.pck does.

# Don't accept bounces to the lists themselves.
mailman_bogus_bounces:
  driver = redirect
  domains = +MAILMAN_DOMAINS
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  allow_fail
  data = :fail: Lists do not send messages and should not receive bounces
  
# Hand list mail, with or without one of the known suffixes, to the
# mailman wrapper transport.
mailman_router:
  driver = accept
  domains = +MAILMAN_DOMAINS
  require_files = MAILMAN_HOME/lists/$local_part/config.pck
  local_part_suffix_optional
  local_part_suffix = -bounces : -bounces+* : \
                      -confirm+* : -join : -leave : \
                      -owner : -request : -admin
  transport = mailman_transport
.endif

# Per-user .forward handling. allow_filter lets the file be an Exim
# filter, which can run pipes and write files; those run as the user
# (check_local_user) with the user's groups (initgroups).
# check_ancestor stops forwarding loops back to the original address.
userforward:
  driver = redirect
  allow_filter
  check_ancestor
  check_local_user
  no_expn
  file = $home/.forward
  file_transport = address_file
  initgroups
  # A .forward that is group-writable is still accepted (mask 002).
  modemask = 002
  pipe_transport = address_pipe
  reply_transport = address_reply
  # On a syntax error the file is ignored, the mail goes to the normal
  # mailbox, and the user is told via the real-<user> address so the
  # broken .forward is not consulted again for the notice.
  skip_syntax_errors
  syntax_errors_text = "\
    This is an automatically generated message. An error has been \
    found\nin your .forward file. Details of the error are reported \
    below. While\nthis error persists, messages addressed to you will \
    get delivered into\nyour normal mailbox and you will receive a \
    copy of this message for\neach one."
  syntax_errors_to = real-$local_part@$domain
  # Skipped during address verification, so the file is not read then.
  no_verify

# Users with a ~/.procmailrc get their mail piped to procmail. The
# "user:" prefix in require_files asks for the existence check to be
# made as that user, so a .procmailrc the user cannot read does not
# count.
procmail:
  driver = accept
  check_local_user
  require_files = ${local_part}:${home}/.procmailrc
  transport = procmail
  no_verify

# Last resort for local domains: a plain system account gets its mail
# appended to the spool mailbox.
localuser:
  driver = accept
  transport = local_delivery
  check_local_user


######################################################################
#                    AUTHENTICATORS CONFIGURATION                    #
######################################################################


begin authenticators

# AUTH LOGIN (what Outlook-era clients send). $1 is the user name, $2 the
# password; the password is compared (case-sensitively) with the clear
# text stored in /etc/exim/authusers. An unknown user forces the lookup
# to fail, which fails the authentication rather than comparing against
# an empty string. Credentials are sent in clear by the client, so this
# relies on auth_advertise_hosts only offering AUTH over TLS.
outlook:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if eq{${lookup{$1}lsearch{/etc/exim/authusers}{$value}fail}}{$2}{yes}{no}}
  server_set_id = $1

# AUTH PLAIN. $1 is the (usually empty) authorization id and is ignored;
# $2 is the user name, $3 the password, checked against the clear-text
# entry in /etc/exim/authusers exactly as in the LOGIN authenticator
# above. Same TLS-only caveat applies.
plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if eq{${lookup{$2}lsearch{/etc/exim/authusers}{$value}fail}}{$3}{yes}{no}}
  server_set_id = $2


# CRAM-MD5 challenge/response. It needs the user's clear-text secret on
# the server, which is why /etc/exim/authusers stores passwords in
# clear; that file must therefore be readable by the Exim user only.
cram:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup{$1}lsearch{/etc/exim/authusers}{$value}fail}
  server_set_id = $1

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################

begin transports

# Outbound SMTP with Exim's defaults; no outbound TLS policy is set here.
remote_smtp:
  driver = smtp

# Pipe to procmail, run as the recipient (the router sets
# check_local_user). The pipe transport splits the command into
# arguments before expanding them and runs it without a shell, so
# ${local_part} is always a single argument.
procmail:
  driver = pipe
  command = "/usr/bin/procmail -d ${local_part}"

# Append to the system mailbox in /var/spool/mail, written as the
# recipient (user from the router) with group "mail" and mode 0660 so
# the mail group can access it. Delivery-Date:, Envelope-To: and
# Return-Path: headers are added; an existing mailbox with narrower
# permissions is not treated as an error.
local_delivery:
  driver = appendfile
  file = /var/spool/mail/${local_part}
  mode = 0660
  group = mail
  return_path_add
  envelope_to_add
  delivery_date_add
  no_mode_fail_narrower

# Pipes named in aliases and .forward files. return_output makes any
# output from the command a delivery failure, with that output mailed
# back to the sender -- so command diagnostics are disclosed to
# whoever sent the message.
address_pipe:
  driver = pipe
  return_output

# Files named in aliases and .forward files, written as the router's
# user with Delivery-Date:, Envelope-To: and Return-Path: added.
address_file:
  driver = appendfile
  return_path_add
  envelope_to_add
  delivery_date_add
  no_mode_fail_narrower

# Maildir delivery for directory targets (trailing slash in a .forward
# or alias). check_string, message_prefix and message_suffix are
# emptied because maildir files carry one message each, so no
# "From " separator or escaping is wanted.
address_directory:
  driver = appendfile
  check_string = 
  delivery_date_add
  envelope_to_add
  return_path_add
  message_prefix = ""
  message_suffix = ""
  maildir_format
  no_mode_fail_narrower

# Auto-replies generated by user filter files (userforward's
# reply_transport).
address_reply:
  driver = autoreply

.ifdef MAILMAN_HOME
# Pipe list mail to the Mailman wrapper (MAILMAN_WRAP, MAILMAN_UID and
# MAILMAN_GID are macros presumably set alongside MAILMAN_HOME). The
# second argument is the list command derived from the address suffix:
# "-bounces+token" becomes "bounces", no suffix means "post". The
# command is split into arguments before expansion and run without a
# shell, so the single-quoted ${if ...} is one argument; \$1 keeps $1
# literal for the ${sg} replacement.
mailman_transport:
  driver = pipe
  command = MAILMAN_WRAP \
            '${if def:local_part_suffix \
                  {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                  {post}}' \
            $local_part
  current_directory = MAILMAN_HOME
  home_directory = MAILMAN_HOME
  user = MAILMAN_UID
  group = MAILMAN_GID
.endif

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################


begin retry

# Single rule for every address and error: retry every 15 minutes for
# 2 hours, then with intervals growing from 1 hour by a factor of 1.5
# for 16 hours, then every 8 hours until the message is 4 days old.
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,8h
