X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fconfigure.default;h=4209ae8c11a9964f14df78ceb74271e41a3cfd9c;hb=fa792e2ce96b4d6f9e39e350ec967ccb833277a7;hp=e5feb7751a4e9d6c52b6719d3c541f9671f11983;hpb=f26587cbf325ebb365cd670db767363775391dc6;p=user%2Fhenk%2Fcode%2Fexim.git
diff --git a/src/src/configure.default b/src/src/configure.default
index e5feb7751..4209ae8c1 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -153,6 +153,9 @@ acl_smtp_data = acl_check_data
 # tls_certificate = /etc/ssl/exim.crt
 # tls_privatekey = /etc/ssl/exim.pem
 
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
 # case these users need to send email from a network that blocks port 25.
@@ -222,6 +225,13 @@ never_users = root
 host_lookup = *
 
 
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support. It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
+
 # The settings below cause Exim to make RFC 1413 (ident) callbacks
 # for all incoming SMTP calls. You can limit the hosts to which these
 # calls are made, and/or change the timeout that is used. If you set
@@ -334,7 +344,7 @@ timeout_frozen_after = 7d
 # libraries that Exim uses (e.g. LDAP) depend on specific environment settings.
 # There are two lists: keep_environment for the variables we trust, and
 # add_environment for variables we want to set to a specific value.
-# Note that TZ is handled separateley by the timezone runtime option
+# Note that TZ is handled separately by the timezone runtime option
 # and TIMEZONE_DEFAULT buildtime option.
 # keep_environment = ^LDAP
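Review bot: The suggested `ECDSA:RSA:!COMPLEMENTOFDEFAULT` line orders the server's cipher list, but with OpenSSL the client's order normally wins unless server preference is switched on, so the "prefer EC" comment promises more than uncommenting this one line delivers. That preference is a main-section setting (`openssl_options` with `+cipher_server_preference`), not something tls_require_ciphers controls; a second comment line such as `# (only honoured when openssl_options enables cipher_server_preference)` would make the dependency explicit. The string is also OpenSSL cipher-list syntax and would not parse as a GnuTLS priority string, which "For OpenSSL" implies but does not say outright.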
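Review bot: The comment above `dns_dnssec_ok = 1` covers the library dependency but not the trust dependency: requesting DNSSEC makes Exim ask for validated answers, yet the AD bit it receives is only as trustworthy as the resolver named in resolv.conf and the path to it. On a host that forwards to a non-validating or remote resolver, the DANE settings introduced later in this commit would presumably act on an AD bit that nobody verified. Extending the comment with `# The AD bit is only meaningful if the configured resolver validates DNSSEC and is reached over a trusted path (ideally a local validating resolver).` would record that precondition next to the option.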
@@ -513,7 +523,15 @@ acl_check_data:
 # Deny if the message contains an overlong line. Per the standards
 # we should never receive one such via SMTP.
 #
- deny condition = ${if > {$max_received_linelength}{998}}
+ deny message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+ condition = ${if > {$max_received_linelength}{998}}
+
+ # Deny if the headers contain badly-formed addresses.
+ #
+ deny !verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
 
 # Deny if the message contains a virus. Before enabling this check, you
 # must install a virus scanner and set the av_scanner option above.
@@ -582,6 +600,7 @@ dnslookup:
 ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 # if ipv6-enabled then instead use:
 # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+ dnssec_request_domains = *
 no_more
 
 
@@ -594,7 +613,7 @@ dnslookup:
 # smarthost:
 # driver = manualroute
 # domains = ! +local_domains
-# transport = remote_smtp
+# transport = smarthost_smtp
 # route_data = MAIL.HOSTNAME.FOR.CENTRAL.SERVER.EXAMPLE
 # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
 # no_more
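Review bot: The new header_syntax deny at the end of the first hunk is the only check in this part of acl_check_data that arrives with no explanation of its trade-off, and unlike the overlong-line check above it there is no standards reference to justify an outright rejection. Malformed address headers are common from legacy MUAs and list software, so an operator inheriting this default will see rejections explained only by `header syntax` in the SMTP response. A comment such as `# Rejects mail whose address headers are malformed; if that proves too strict, change deny to warn and inspect $acl_verify_message in the log.` would make the choice visible. The acl_check_data ACL continues outside the hunk.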
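Review bot: `dnssec_request_domains = *` is added to the dnslookup router unconditionally, whereas the same option in remote_smtp sits under `.ifdef _HAVE_DANE`; the asymmetry is presumably deliberate, since the router option only sets the DO bit on the MX/A lookups, but nothing in the hunk says so or links the two. A one-line comment above it, `# Ask for DNSSEC on the routing lookups so that remote_smtp can attempt DANE where the answers validate`, would tie the router setting to the transport that depends on it. The dnslookup router definition starts outside the hunk.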
@@ -707,13 +726,49 @@ begin transports
 
 
 # This transport is used for delivering messages over SMTP connections.
-# Refuse to send any messsage with over-long lines, which could have
-# been receved other than via SMTP. The use of message_size_limit to
+# Refuse to send any message with over-long lines, which could have
+# been received other than via SMTP. The use of message_size_limit to
 # enforce this is a red herring.
 
 remote_smtp:
 driver = smtp
 message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_DANE
+ dnssec_request_domains = *
+ hosts_try_dane = *
+.endif
+
+
+# This transport is used for delivering messages to a smarthost, if the
+# smarthost router is enabled. This starts from the same basis as
+# "remote_smtp" but then turns on various security options, because
+# we assume that if you're told "use smarthost.example.org as the smarthost"
+# then there will be TLS available, with a verifiable certificate for that
+# hostname, using decent TLS.
+
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_sni = $host
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
 
 
 # This transport is used for local delivery to user mailboxes in traditional
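Review bot: The two cipher settings in smarthost_smtp are not equivalent: the GnuTLS priority string switches off SSL3.0, TLS1.0 and TLS1.1, but `HIGH:!aNULL:@STRENGTH` under OpenSSL constrains only cipher suites, because an OpenSSL cipher string cannot restrict protocol versions. If the intent is the same floor on both builds, the OpenSSL side needs the main-section `openssl_options` (for example `+no_sslv3`), which this commit does not touch, so a comment at the `_HAVE_OPENSSL` branch saying `# protocol versions are not controlled here; see openssl_options in the main section` would stop readers assuming the two branches match. Separately, `tls_verify_hosts = *` only verifies anything if the transport can reach a CA store through tls_verify_certificates, presumably via its default, and the hunk relies on that without saying so. The transport that follows the hunk's trailing context starts outside the hunk.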