Introduction

Exim4 est un serveur MTA (Mail Transport Agent). C'est le serveur SMTP de référence du projet Debian et il est installé par défaut. La configuration présentée permet de monter un serveur SMTP qui peut envoyer et recevoir des messages électroniques. Ce serveur offre un mécanisme d'authentification par STARTLS ainsi qu'une base de mot de passe indépendante du système POSIX.

Information Caractéristiques
Site web origine http://www.exim.org/
Version installée 4.8
Code C
Paquet exim4

Pré-requis

  • Pour la réinstallation d'exim4, il est nécessaire d'avoir réinstallé le système.
  • Exim4 est destiné à être installé sur une distribution Debian Wheezy de base.
  • Il faudra veiller à restaurer également les répertoires Maildir des utilisateurs POSIX concernés pour le stockage du courrier électronique.

Installation du logiciel

Normalement, le paquet exim4-daemon-light est installé par défaut lors de l'installation du système. Au cas où, voici la commande à lancer:

# aptitude install exim4-daemon-light

Répertoires concernés

  • Les fichiers de configuration d'exim4 sont situés dans /etc/exim4/.
  • Il sont répartis en deux parties:
    • Les fichiers de configuration simple qui sont à la racine de /etc/exim4. Ces fichiers sont implémentés par Debian pour configurer facilement Exim4.
    • Les fichiers de configuration fine qui sont situés dans /etc/exim4/conf.d.
  • Pour les mécanismes TLS, Exim4 a besoin d'un certificat public à présenter: /etc/exim4/medspx.fr_key.pem.
  • Pour les mécanismes d'authentification, Exim4 a besoin d'un fichier de mot de passe: /etc/exim4/passwd.
  • Pour déterminer le nom du serveur, Exim utilise le fichier /etc/mailname.

Restaurations

Les éléments à restaurer sont uniquement les fichiers de configuration. Se référer à la procédure de restauration générique pour y parvenir.

# obnam restore /etc/exim4/ /etc/mailname /tmp/
# mv /tmp/exim4 /etc/
# chown -R root:root /etc/exim4
# chown root:Debian-exim /etc/exim4/medspx.fr_key.pem

Configuration spécifique d'Exim

Normalement, la restauration permet de récupérer l'ensemble de la configuration. En cas de problème avec la sauvegarde, on pourra utiliser les fichiers suivants, en plus de la configuration par défaut, pour configurer le service.

/etc/exim4/update-exim4.conf.conf

C'est le fichier de configuration générique de Debian pour Exim4.

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='internet'
dc_other_hostnames='medspx.fr'
dc_local_interfaces='127.0.0.1; 192.168.0.4; 2a01:e35:8a57:24e0:bad:cafe:bad:caca'
disable_ipv6=true
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'

/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

### acl/30_exim4-config_check_rcpt
#################################
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept
  hosts = :
  control = dkim_disable_verify

  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # These ACL components will block recipient addresses that are valid
  # from an RFC2822 point of view. We chose to have them blocked by
  # default for security reasons.
  #
  # If you feel that your site should have less strict recipient
  # checking, please feel free to change the default values of the macros
  # defined in main/01_exim4-config_listmacrosdefs or override them from a
  # local configuration file.
  #
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.
  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
  # main/01_exim4-config_listmacrosdefs:
  # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  # This blocks local parts that begin with a dot or contain a quite
  # broad range of non-alphanumeric characters.
  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif

  # The second rule applies to all other domains, and its default is
  # considerably less strict.

  # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
  # main/01_exim4-config_listmacrosdefs:
  # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  # It allows local users to send outgoing messages to sites
  # that use slashes and vertical bars in their local parts. It blocks
  # local parts that begin with a dot, slash, or vertical bar, but allows
  # these characters within the local part. However, the sequence /../ is
  # barred. The use of some other non-alphanumeric characters is blocked.
  # Single quotes might probably be dangerous as well, but they're
  # allowed by the default regexps to avoid rejecting mails to Ireland.
  # The motivation here is to prevent local users (or local users' malware)
  # from mounting certain kinds of attack on remote sites.
  .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept
   .ifndef CHECK_RCPT_POSTMASTER
     local_parts = postmaster
   .else
     local_parts = CHECK_RCPT_POSTMASTER
   .endif
   domains = +local_domains : +relay_to_domains

  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable this feature.
  #
  # This feature does not work in smarthost and satellite setups as
  # with these setups all domains pass verification. See spec.txt chapter
  # 39.31 with the added information that a smarthost/satellite setup
  # routes all non-local e-mail to the smarthost.
  .ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_local_deny_exceptions
    !verify = sender
  .endif

  # Verify senders listed in local_sender_callout with a callout.
  #
  # In smarthost and satellite setups, this causes the callout to be
  # done to the smarthost. Verification will thus only be reliable if the
  # smarthost does reject illegal addresses in the SMTP dialog.
  deny
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_callout}\
                         {CONFDIR/local_sender_callout}\
                   {}}
    !verify = sender/callout


  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  # so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line. If you are actually relaying out out from
  # MTAs, you may want to disable this. If you are handling both relaying from
  # MTAs and submissions from MUAs you should probably split them into two
  # lists, and handle them differently.
  # Recipient verification is omitted here, because in many cases the clients
  # are dumb MUAs that don't cope well with SMTP error responses. If you are
  # actually relaying out from MTAs, you should probably add recipient
  # verification here.
  # Note that, by putting this test before any DNS black list checks, you will
  # always accept from these hosts, even if they end up on a black list. The
  # assumption is that they are your friends, and if they get onto black
  # list, it is a mistake.
  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain
    control = dkim_disable_verify
 
  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.
  deny
    message = Champ From différent du login authentifié
    authenticated = *
    !senders = ${authenticated_id}@medspx.fr

  accept
    authenticated = *
    control = submission
    control = dkim_disable_verify

  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require
    message = relay not permitted
    domains = +local_domains : +relay_to_domains

  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for local domains, but only check the domain
  # for remote domains.
  require
    verify = recipient
 
  # Verify recipients listed in local_rcpt_callout with a callout.
  # This is especially handy for forwarding MX hosts (secondary MX or
  # mail hubs) of domains that receive a lot of spam to non-existent
  # addresses. The only way to check local parts for remote relay
  # domains is to use a callout (add /callout), but please read the
  # documentation about callouts before doing this.
  deny
    !acl = acl_local_deny_exceptions
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                            {CONFDIR/local_rcpt_callout}\
                      {}}
    !verify = recipient/callout

  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See exim4-config_files(5) for details.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                         {CONFDIR/local_sender_blacklist}\
                   {}}

  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See exim4-config_files(5) for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                       {CONFDIR/local_host_blacklist}\
                 {}}

  # Warn if the sender host does not have valid reverse DNS.
  #
  # If your system can do DNS lookups without delay or cost, you might want
  # to enable this.
  # If sender_host_address is defined, it's a remote call. If
  # sender_host_name is not defined, then reverse lookup failed. Use
  # this instead of !verify = reverse_host_lookup to catch deferrals
  # as well as outright failures.
  .ifdef CHECK_RCPT_REVERSE_DNS
    warn
     message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
      condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                       {yes}{no}}
  .endif

  # Use spfquery to perform a pair of SPF checks (for details, see
  # http://www.openspf.org/)                                                                                                                                                                  
  #
  # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
  # enable if that's an issue. Also note that if you enable this, you must
  # install "spf-tools-perl" which provides the spfquery command.
  # Missing spf-tools-perl will trigger the "Unexpected error in
  # SPF check" warning.
  .ifdef CHECK_RCPT_SPF
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
              Please see \
              http://www.openspf.org/Why?scope=${if def:sender_address_domain \                                                                                                               
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed.
    !acl = acl_local_deny_exceptions
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                \"$sender_host_address\" --identity \
                ${if def:sender_address_domain \
                {--scope mfrom --identity \"$sender_address\"}\
                {--scope helo --identity \"$sender_helo_name\"}}}\
                {no}{${if eq {$runrc}{1}{yes}{no}}}}
  defer
    message = Temporary DNS error while checking SPF record. Try again later.
    !acl = acl_local_deny_exceptions
    condition = ${if eq {$runrc}{5}{yes}{no}}
  warn
    condition = ${if <={$runrc}{6}{yes}{no}}
    message = Received-SPF: ${if eq {$runrc}{0}{pass}\
                                {${if eq {$runrc}{2}{softfail}\
                                 {${if eq {$runrc}{3}{neutral}\
                                  {${if eq {$runrc}{4}{permerror}\
                                   {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
                                } client-ip=$sender_host_address; \
                                ${if def:sender_address_domain \
                                    {envelope-from=${sender_address}; }{}}\
                                helo=$sender_helo_name
  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
  .endif

  # Check against classic DNS "black" lists (DNSBLs) which list
  # sender IP addresses
  .ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
  .endif

  # Check against DNSBLs which list sender domains, with an option to locally
  # whitelist certain domains that might be blacklisted.
  #
  # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
  # "/$sender_address_domain" after each domain. For example:
  # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
  # : rhsbl.bar.org/$sender_address_domain
  .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                          {CONFDIR/local_domain_dnsbl_whitelist}\
                    {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS
  .endif

  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef CHECK_RCPT_LOCAL_ACL_FILE
    .include CHECK_RCPT_LOCAL_ACL_FILE
  .endif

  #############################################################################
  # This check is commented out because it is recognized that not every
  # sysadmin will want to do it. If you enable it, the check performs
  # Client SMTP Authorization (csa) checks on the sending host. These checks
  # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  # an Internet draft. You can, of course, add additional conditions to this
  # ACL statement to restrict the CSA checks to certain hosts only.
  #
  # require verify = csa
  #############################################################################

  # Accept if the address is in a domain for which we are an incoming relay,
  # but again, only if the recipient can be verified.
  accept
    domains = +relay_to_domains
    endpass
    verify = recipient

  # At this point, the address has passed all the checks that have been
  # configured, so we accept it unconditionally.
  accept 

/etc/exim4/conf.d/auth/20_exim4-config_virtual

### auth/20_exim4-config_virtual
#################################
# Configuration de l'authentification avec un compte virtuel
plain_server:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if crypteq{$auth3}{\\\{md5\\\}${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{fail}}}}}{1}{0}}"
  server_set_id = $auth2
  server_prompts = :
  server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}

/etc/exim4/conf.d/main/000_localmacros

Ce fichier permet de renseigner des variables globales qui seront utilisées dans les autres fichiers de configuration.

# Fichier de macros pour Exim4

MESSAGE_SIZE_LIMIT = 31457280

# on active TLS:
MAIN_TLS_ENABLE = true

# Emplacements des fichiers de clef pour TLS:
MAIN_TLS_CERTIFICATE = /etc/ssl/certs/medspx.fr.cacert.org.sha256.pem
MAIN_TLS_PRIVATEKEY = /etc/exim4/medspx.fr_key.pem

/etc/exim4/conf.d/main/02_exim4-config_options

### main/02_exim4-config_options
#################################

dns_ipv4_lookup = *.gmail.com:*.google.com

# Defines the access control list that is run when an
# SMTP MAIL command is received.
#
.ifndef MAIN_ACL_CHECK_MAIL
  MAIN_ACL_CHECK_MAIL = acl_check_mail
.endif

acl_smtp_mail = MAIN_ACL_CHECK_MAIL

# Defines the access control list that is run when an
# SMTP RCPT command is received.
#
.ifndef MAIN_ACL_CHECK_RCPT
  MAIN_ACL_CHECK_RCPT = acl_check_rcpt
.endif

acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT

# Defines the access control list that is run when an
# SMTP DATA command is received.
#
.ifndef MAIN_ACL_CHECK_DATA
  MAIN_ACL_CHECK_DATA = acl_check_data
.endif

acl_smtp_data = MAIN_ACL_CHECK_DATA

# Message size limit. The default (used when MESSAGE_SIZE_LIMIT
# is unset) is 50 MB
.ifdef MESSAGE_SIZE_LIMIT
  message_size_limit = MESSAGE_SIZE_LIMIT
.endif

# If you are running exim4-daemon-heavy or a custom version of Exim that
# was compiled with the content-scanning extension, you can cause incoming
# messages to be automatically scanned for viruses. You have to modify the
# configuration in two places to set this up. The first of them is here,
# where you define the interface to your scanner. This example is typical
# for ClamAV; see the manual for details of what to set for other virus
# scanners. The second modification is in the acl_check_data access
# control list.
# av_scanner = clamd:/tmp/clamd
# For spam scanning, there is a similar option that defines the interface to
# SpamAssassin. You do not need to set this if you are using the default, which
# is shown in this commented example. As for virus scanning, you must also
# modify the acl_check_data access control list to enable spam scanning.
# spamd_address = 127.0.0.1 783
# Domain used to qualify unqualified recipient addresses
# If this option is not set, the qualify_domain value is used.
# qualify_recipient = <value of qualify_domain>
# Allow Exim to recognize addresses of the form "user@[10.11.12.13]",
# where the domain part is a "domain literal" (an IP address) instead
# of a named domain. The RFCs require this facility, but it is disabled
# in the default config since it is seldomly used and frequently abused.
# Domain literal support also needs a special router, which is automatically
# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS.
# Additionally, you might want to make your local IP addresses (or @[])
# local domains.
.ifdef MAIN_ALLOW_DOMAIN_LITERALS
  allow_domain_literals
.endif

# Do a reverse DNS lookup on all incoming IP calls, in order to get the
# true host name. If you feel this is too expensive, the networks for
# which a lookup is done can be listed here.
.ifndef DC_minimaldns
  .ifndef MAIN_HOST_LOOKUP
    MAIN_HOST_LOOKUP = *
  .endif
  host_lookup = MAIN_HOST_LOOKUP
.endif

# In a minimaldns setup, update-exim4.conf guesses the hostname and
# dumps it here to avoid DNS lookups being done at Exim run time.
.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME
  primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME
.endif

# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls are
# misconfigured to drop the requests instead of either answering or
# rejecting them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up SMTP sessions. (The default was
# reduced from 30s to 5s for release 4.61.)
# rfc1413_hosts = *
# rfc1413_query_timeout = 5s
# When using an external relay tester (such as rt.njabl.org and/or the
# currently defunct relay-test.mail-abuse.org, the test may be aborted
# since exim complains about "too many nonmail commands". If you want
# the test to complete, add the host from where "your" relay tester
# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro.
# Please note that a non-empty setting may cause extra DNS lookups to
# happen, which is the reason why this option is commented out in the
# default settings.
# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org
.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
  smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS
.endif

# By default, exim forces a Sender: header containing the local
# account name at the local host name in all locally submitted messages
# that don't have the local account name at the local host name in the
# From: header, deletes any Sender: header present in the submitted
# message and forces the envelope sender of all locally submitted
# messages to the local account name at the local host name.
# The following settings allow local users to specify their own envelope sender
# in a locally submitted message. Sender: headers existing in a locally
# submitted message are not removed, and no automatic Sender: headers
# are added. These settings are fine for most hosts.
# If you run exim on a classical multi-user systems where all users
# have local mailboxes that can be reached via SMTP from the Internet
# with the local FQDN as the domain part of the address, you might want
# to disable the following three lines for traceability reasons.
.ifndef MAIN_FORCE_SENDER
  local_from_check = false
  local_sender_retain = true
  untrusted_set_sender = *
.endif

# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. Configure exim
# to accept unqualified addresses from certain hosts. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).
# sender_unqualified_hosts = <unset>
# recipient_unqualified_hosts = <unset>
# Configure Exim to support the "percent hack" for certain domains.
# The "percent hack" is the feature by which mail addressed to x%y@z
# (where z is one of the domains listed) is locally rerouted to x@y
# and sent on. If z is not one of the "percent hack" domains, x%y is
# treated as an ordinary local part. The percent hack is rarely needed
# nowadays but frequently abused. You should not enable it unless you
# are sure that you really need it.
# percent_hack_domains = <unset>
# Bounce handling
.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER
  MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d
.endif

ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER

.ifndef MAIN_TIMEOUT_FROZEN_AFTER
  MAIN_TIMEOUT_FROZEN_AFTER = 7d
.endif

timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER

.ifndef MAIN_FREEZE_TELL
  MAIN_FREEZE_TELL = postmaster
.endif

freeze_tell = MAIN_FREEZE_TELL

# Define spool directory
.ifndef SPOOLDIR
  SPOOLDIR = /var/spool/exim4
.endif

spool_directory = SPOOLDIR

# trusted users can set envelope-from to arbitrary values
.ifndef MAIN_TRUSTED_USERS
  MAIN_TRUSTED_USERS = uucp
.endif

trusted_users = MAIN_TRUSTED_USERS

.ifdef MAIN_TRUSTED_GROUPS
  trusted_groups = MAIN_TRUSTED_GROUPS
.endif

# users in admin group can do many other things
# admin_groups = <unset>
# SMTP Banner. The example includes the Debian version in the SMTP dialog
# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}"
# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full 

/etc/exim4/conf.d/main/04_exim4-config_auth

### main/04_exim4-config_auth
#################################
# Configuration de la présentation de l'extension AUTH.

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{192.168.0.0/24: \
                                                2a01::e35::8a57::24e0::::/64}} 

/etc/exim4/conf.d/router/200_exim4-config_primary

### router/200_exim4-config_primary
#################################
# This file holds the primary router, responsible for nonlocal mails
.ifdef DCconfig_internet
# configtype=internet
#
# deliver mail to the recipient if recipient domain is a domain we
# relay for. We do not ignore any target hosts here since delivering to
# a site local or even a link local address might be wanted here, and if
# such an address has found its way into the MX record of such a domain,
# the local admin is probably in a place where that broken MX record
# could be fixed.
dnslookup_relay_to_domains:
  debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains : +relay_to_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
no_more

# deliver mail directly to the recipient. This router is only reached
# for domains that we do not relay for. Since we most probably can't
# have broken MX records pointing to site local or link local IP
# addresses fixed, we ignore target hosts pointing to these addresses.
dnslookup:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255: 2a01:e35:8a57:24e0::/64
  no_more
.endif

.ifdef DCconfig_local
# configtype=local
#
# Stand-alone system, so generate an error for mail to a non-local domain
nonlocal:
  debug_print = "R: nonlocal for $local_part@$domain"
  driver = redirect
  domains = ! +local_domains
  allow_fail
  data = :fail: Mailing to remote domains not supported
  no_more
.endif

.ifdef DCconfig_smarthost DCconfig_satellite
# configtype=smarthost or configtype=satellite
#
# Send all non-local mail to a single other machine (smarthost).
#
# This means _ALL_ non-local mail goes to the smarthost. This will most
# probably not do what you want for domains that are listed in
# relay_domains. The most typical use for relay_domains is to control
# relaying for incoming e-mail on secondary MX hosts. In that case,
# it doesn't make sense to send the mail to the smarthost since the
# smarthost will probably send the message right back here, causing a
# loop.
#
# If you want to use a smarthost while being secondary MX for some
# domains, you'll need to copy the dnslookup_relay_to_domains router
# here so that mail to relay_domains is handled separately.
smarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * DCsmarthost byname
  host_find_failed = defer
  same_domain_copy_routing = yes
  no_more
.endif
# The "no_more" above means that all later routers are for
# domains in the local_domains list, i.e. just like Exim 3 directors. 

Procédure de vérification du service

  • Vérifier que le service tourne.
  • Configurer un client mail basique (mutt):

  • Envoyer un courriel