----------------------- ns2 config file -----------------
primary_hostname = ns2
local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587
domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24 : 192.168.0.0/16 : 208.118.93.0/24 : 208.118.94.0/24
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783
tls_advertise_hosts = *
tls_certificate = /usr/exim/ca.crt
tls_privatekey = /usr/exim/ca.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
auto_thaw = 1m
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
control = dkim_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. The line "domains = +local_domains" restricts it to domains that are
# defined by the "domainlist local_domains" setting above. The rule blocks
# local parts that begin with a dot or contain @ % ! / or |. If you have
# local accounts that include these characters, you will have to modify this
# rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# The second rule applies to all other domains, and is less strict. The line
# "domains = !+local_domains" restricts it to domains that are NOT defined by
# the "domainlist local_domains" setting above. The exclamation mark is a
# negating operator. This rule allows your own users to send outgoing
# messages to sites that use slashes and vertical bars in their local parts.
# It blocks local parts that begin with a dot, slash, or vertical bar, but
# allows these characters within the local part. However, the sequence /../
# is barred. The use of @ % and ! is blocked, as before. The motivation here
# is to prevent your users (or your users' viruses) from mounting certain
# kinds of attack on remote sites.
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be verified.
require verify = sender
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
# submission. It will fix up various errors in the message, for example, the
# lack of a Date: header line. If you are actually relaying out from
# MTAs, you may want to disable this. If you are handling both relaying from
# MTAs and submissions from MUAs you should probably split them into two
# lists, and handle them differently.
# Recipient verification is omitted here, because in many cases the clients
# are dumb MUAs that don't cope well with SMTP error responses. If you are
# actually relaying out from MTAs, you should probably add recipient
# verification here.
# Note that, by putting this test before any DNS black list checks, you will
# always accept from these hosts, even if they end up on a black list. The
# assumption is that they are your friends, and if they get onto a black
# list, it is a mistake.
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted, and submission mode is set. And again, we do this
# check before any black list tests.
accept authenticated = *
control = submission
control = dkim_disable_verify
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# do local part verification for local domains, but only check the domain
# for remote domains. The only way to check local parts for the remote
# relay domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
require verify = recipient
#############################################################################
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
# point. The first one denies, whereas the second just warns.
#
deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
dnslists = sbl-xbl.spamhaus.org : \
dnsbl.njabl.org : \
combined.njabl.org : \
dev.null.dk : \
relays.visi.com : \
bl.spamcop.net : \
hostkarma.junkemailfilter.com=127.0.0.2
#
warn dnslists = sbl-xbl.spamhaus.org: \
dnsbl.njabl.org : \
combined.njabl.org : \
dev.null.dk : \
relays.visi.com : \
bl.spamcop.net : \
hostkarma.junkemailfilter.com=127.0.0.2
add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
log_message = found in $dnslist_domain
#############################################################################
#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# Client SMTP Authorization (csa) checks on the sending host. These checks
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
# an Internet draft. You can, of course, add additional conditions to this
# ACL statement to restrict the CSA checks to certain hosts only.
#
# require verify = csa
#############################################################################
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
accept
acl_check_data:
accept authenticated = *
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
deny malware = *
message = This message contains a virus ($malware_name).
# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You may also need to set the spamd_address
# option above.
#
warn spam = nobody
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
# Accept the message.
accept
begin routers
check_dnslookup:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
verify_only
pass_router = amavis
no_more
check_system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
verify_only
pass_router = amavis
check_localuser:
driver = accept
check_local_user
verify_only
pass_router = amavis
failed_address_router:
driver = accept
verify_only
fail_verify
amavis:
driver = manualroute
# Do NOT run if received via 10025/tcp or if already spam-scanned
# or if bounce message ($sender_address="")
condition = "${if or {{eq {$interface_port}{10025}} \
{eq {$received_protocol}{spam-scanned}} \
{eq {$sender_address}{}} \
}{0}{1}}"
transport = amavis
route_list = "* localhost byname"
self = send
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
# Do NOT run if received via 10025/tcp or if already spam-scanned
# or if bounce message ($sender_address="")
begin transports
remote_smtp:
driver = smtp
hosts_avoid_tls=*
amavis:
driver = smtp
port = 10024
allow_localhost
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0600
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
PLAIN:
driver = plaintext
public_name = PLAIN
server_set_id = $auth2
server_prompts = :
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_advertise_condition = ${if def:tls_cipher }
LOGIN:
driver = plaintext
public_name = LOGIN
server_set_id = $auth1
server_prompts = <| Username: | Password:
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_advertise_condition = ${if def:tls_cipher }
---- end of conf file ----------------------------
I wish to add that if an e-mail is done via port 465 then do not subject
it to anti-viral tests.
-------------- ns1 configuration -----------------------
primary_hostname = ns1
local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587
domainlist local_domains = @:secure.nl2k.ab.ca:mail.nl2k.ab.ca:mail.nk.ca:nk.ca:nl2k.ca:nl2k.ab.ca:doctor.nl2k.ab.ca:lsearch;/usr/exim/vdom3
domainlist relay_to_domains =
hostlist relay_from_hosts = 204.209.81.0/24 : 127.0.0.1 : 208.118.93.0/24 : 208.118.94.0/24
trusted_users = exim : majordomo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783
tls_advertise_hosts = *
tls_certificate = /usr/exim/ca.crt
tls_privatekey = /usr/exim/ca.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2h
timeout_frozen_after = 6h
auto_thaw = 1m
begin acl
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
control = dkim_enable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. The line "domains = +local_domains" restricts it to domains that are
# defined by the "domainlist local_domains" setting above. The rule blocks
# local parts that begin with a dot or contain @ % ! / or |. If you have
# local accounts that include these characters, you will have to modify this
# rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# The second rule applies to all other domains, and is less strict. The line
# "domains = !+local_domains" restricts it to domains that are NOT defined by
# the "domainlist local_domains" setting above. The exclamation mark is a
# negating operator. This rule allows your own users to send outgoing
# messages to sites that use slashes and vertical bars in their local parts.
# It blocks local parts that begin with a dot, slash, or vertical bar, but
# allows these characters within the local part. However, the sequence /../
# is barred. The use of @ % and ! is blocked, as before. The motivation here
# is to prevent your users (or your users' viruses) from mounting certain
# kinds of attack on remote sites.
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains:lsearch;/usr/exim/vdom3
# Deny unless the sender address can be verified.
##require verify = sender
accept domains = +local_domains:lsearch;/usr/exim/vdom3
endpass
/*
The above is commented out as virtual e-mail addresses are not
being recognised properly. I am using a dbm file.
How do I get exim to realise that we have local and virtual that need
supporting?
*/
## Sender Verify on 'Recipient'
drop message = REJECTED - Sender Verify Failed - error code \"$sender_verify_failure\"\n\n\
The return address you are using for this email message <$sender_address>\
does not seem to be a working account.
log_message = REJECTED - Sender Verify Failed - error code \"$sender_verify_failure\"
!hosts = +no_verify
!verify = sender/callout=2m,defer_ok
condition = ${if eq{recipient}{$sender_verify_failure}}
deny message = REJECTED - Recipient Verify Failed - User Not Found
domains = +all_mail_handled_locally
!verify = recipient/callout=2m,defer_ok,use_sender
warn domains = +local_domains:lsearch;/usr/exim/vdom3
!verify = recipient
set acl_c0 = ${eval: $acl_c0+1}
delay = ${eval: ($acl_c0 - 1) * 60}s
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
# submission. It will fix up various errors in the message, for example, the
# lack of a Date: header line. If you are actually relaying out from
# MTAs, you may want to disable this. If you are handling both relaying from
# MTAs and submissions from MUAs you should probably split them into two
# lists, and handle them differently.
# Recipient verification is omitted here, because in many cases the clients
# are dumb MUAs that don't cope well with SMTP error responses. If you are
# actually relaying out from MTAs, you should probably add recipient
# verification here.
# Note that, by putting this test before any DNS black list checks, you will
# always accept from these hosts, even if they end up on a black list. The
# assumption is that they are your friends, and if they get onto a black
# list, it is a mistake.
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted, and submission mode is set. And again, we do this
# check before any black list tests.
accept authenticated = *
control = submission
control = dkim_disable_verify
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# do local part verification for local domains, but only check the domain
# for remote domains. The only way to check local parts for the remote
# relay domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
require verify = recipient
#############################################################################
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
# point. The first one denies, whereas the second just warns.
#
deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
dnslists = sbl-xbl.spamhaus.org : \
dnsbl.njabl.org : \
combined.njabl.org : \
dev.null.dk : \
relays.visi.com : \
bl.spamcop.net : \
hostkarma.junkemailfilter.com=127.0.0.2
#
warn dnslists = sbl-xbl.spamhaus.org: \
dnsbl.njabl.org : \
combined.njabl.org : \
dev.null.dk : \
relays.visi.com : \
bl.spamcop.net : \
hostkarma.junkemailfilter.com=127.0.0.2
add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
log_message = found in $dnslist_domain
#############################################################################
#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# Client SMTP Authorization (csa) checks on the sending host. These checks
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
# an Internet draft. You can, of course, add additional conditions to this
# ACL statement to restrict the CSA checks to certain hosts only.
#
# require verify = csa
#############################################################################
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
accept
acl_check_data:
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
deny malware = *
message = This message contains a virus ($malware_name).
# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You may also need to set the spamd_address
# option above.
#
warn spam = nobody
add_header = X-Spam_score: $spam_score\n\
X-Spam_score_int: $spam_score_int\n\
X-Spam_bar: $spam_bar\n\
X-Spam_report: $spam_report
# Accept the message.
accept
begin routers
check_dnslookup:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
verify_only
pass_router = amavis
no_more
check_system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
verify_only
pass_router = amavis
check_localuser:
driver = accept
check_local_user
verify_only
pass_router = amavis
failed_address_router:
driver = accept
verify_only
fail_verify
domains_virtual:
domains = +local_domains
driver = redirect
data=${lookup{$local_part@$domain}dbm{/usr/exim/virtemail}}
domains_virtual_others:
domains = +local_domains
driver = redirect
data=${lookup{@$domain}dbm{/usr/exim/virtemail}}
amavis:
driver = manualroute
# Do NOT run if received via 10025/tcp or if already spam-scanned
# or if bounce message ($sender_address="")
condition = "${if or {{eq {$interface_port}{10025}} \
{eq {$received_protocol}{spam-scanned}} \
{eq {$sender_address}{}} \
}{0}{1}}"
transport = amavis
route_list = "* localhost byname"
self = send
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
procmail:
driver = accept
check_local_user
require_files = $home/.procmailrc
transport = procmail_pipe
# Do NOT run if received via 10025/tcp or if already spam-scanned
# or if bounce message ($sender_address="")
lists:
driver = redirect
file = /usr/home/majordomo/lists/$local_part
forbid_pipe
forbid_file
errors_to = [email protected]
user = majordomo
no_more
begin transports
remote_smtp:
driver = smtp
procmail_pipe:
driver = pipe
command = /usr/bin/procmail -d $local_part
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
umask = 077
user = $local_part
group = mail
amavis:
driver = smtp
port = 10024
allow_localhost
local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
mode = 0600
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
begin retry
* * F,1h,15m; G,10h,1h,1.5; F,7d,1h
begin rewrite
begin authenticators
PLAIN:
driver = plaintext
public_name = PLAIN
server_set_id = $auth2
server_prompts = :
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_advertise_condition = ${if def:tls_cipher }
LOGIN:
driver = plaintext
public_name = LOGIN
server_set_id = $auth1
server_prompts = <| Username: | Password:
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_advertise_condition = ${if def:tls_cipher }
-------------------------- end of ns1 ---------------
Also noticed mail taking about 1 minute to about several hours or days to
come in. How do I rectify this?
--
Member - Liberal International This is [email protected] Ici
[email protected] God, Queen and country! Never Satan President Republic!
Beware AntiChrist rising! http://twitter.com/rootnl2k
http://www.facebook.com/dyadallee
Now is the time to declare your allegiance!
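
Added example, not part of the original post or of Exim: a small Python check of which recipient local parts the two "Restricted characters in address" rules in acl_check_rcpt deny, using the local_parts lists exactly as written in both configs. The domain example.org standing in for +local_domains, the sample addresses and all function names are constructed for illustration.

```python
import re

# The two local_parts lists exactly as they appear in the ACLs above.
LOCAL_DOMAIN_RULE = r"^[.] : ^.*[@%!/|]"
OTHER_DOMAIN_RULE = r"^[./|] : ^.*[@%!] : ^.*/\\.\\./"


def compile_list(spec):
    """Compile a colon-separated Exim list whose items are all regexes.

    Exim string-expands the list before use, which turns each doubled
    backslash into a single one, so the same un-doubling is done here.
    Simplification: the items on this page contain no colons, so a plain
    split is enough (Exim would need a doubled colon to embed one).
    """
    patterns = []
    for item in spec.split(":"):
        item = item.strip()
        if not item.startswith("^"):
            raise ValueError(f"not a regex item: {item!r}")
        patterns.append(re.compile(item.replace("\\\\", "\\")))
    return patterns


def is_denied(local_part, domain, local_domains):
    """Return True if the ACL's "deny ... local_parts" rule would fire."""
    is_local = domain.lower() in local_domains
    rule = LOCAL_DOMAIN_RULE if is_local else OTHER_DOMAIN_RULE
    return any(rx.search(local_part) for rx in compile_list(rule))


# Constructed sample data: example.org stands in for +local_domains.
LOCAL_DOMAINS = {"example.org"}
SAMPLES = [
    ("alice", "example.org"),
    ("a..b", "example.org"),            # empty component, deliberately allowed
    (".forward", "example.org"),        # leading dot
    ("dept/sales", "example.org"),      # slash is blocked for local domains
    ("bob%relay.example", "example.org"),
    ("dept/sales", "example.net"),      # slash is tolerated for other domains
    ("a|b", "example.net"),             # pipe inside is tolerated too
    ("|a", "example.net"),              # but not as the first character
    ("lists/../other", "example.net"),  # /../ is always barred
    ("bob!host", "example.net"),
]


def evaluate(samples=SAMPLES, local_domains=LOCAL_DOMAINS):
    """Map each "local_part@domain" to "deny" or "pass"."""
    return {
        f"{lp}@{dom}": "deny" if is_denied(lp, dom, local_domains) else "pass"
        for lp, dom in samples
    }


if __name__ == "__main__":
    for address, verdict in evaluate().items():
        print(f"{verdict:5} {address}")
```

A "pass" here only means this one deny statement does not match; the later ACL statements (relay check, recipient verification, DNS lists) still apply.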