######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Exim main section, rendered by Jinja2 (Ansible). Template variables used
# here: inventory_hostname, domain, alt_domain, fw_domains, dead_domains, ips.
primary_hostname = {{ inventory_hostname }}
# Domains delivered locally: the primary domain plus its subdomains.
domainlist main_domains = {{ domain }} : *.{{ domain }} : *.local.{{ domain }}
# Alternate domain (and subdomains) plus every fw_domains entry, appended as
# further colon-separated items.
domainlist fw_domains = {{ alt_domain }} : *.{{ alt_domain }} {% for d in fw_domains %}: {{ d }} {% endfor %}
domainlist list_domains = lists.{{ domain }}
# "@" is primary_hostname itself.
domainlist local_domains = @ : +main_domains : +fw_domains : +list_domains
# Recipient domains refused outright in acl_check_rcpt. The leading "<"
# switches the list separator to ";".
# NOTE(review): with an empty dead_domains this renders as a bare "<" -
# confirm Exim parses that as an empty list rather than a config error.
domainlist dead_domains = <{% for d in dead_domains %}; {{ d }} {% endfor %}
# Intentionally empty: this host only relays for relay_from_hosts and
# authenticated users (see acl_check_rcpt).
domainlist relay_to_domains =
# Hosts allowed to relay without authenticating. ";" separator so IPv6
# literals (which contain ":") can be listed.
hostlist relay_from_hosts = <; localhost {% for ip in ips %}; {{ ip }} {% endfor %}
# ACLs run at RCPT TO and after DATA; both are defined under "begin acl".
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# SpamAssassin daemon queried by the "spam" condition in acl_check_data.
spamd_address = 127.0.0.1 783
# STARTTLS offered to every client, with the Let's Encrypt cert for this host.
tls_advertise_hosts = *
tls_certificate = /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
# 465 is implicit TLS (TLS on connect); 25 and 587 negotiate STARTTLS.
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
qualify_domain = {{ inventory_hostname }}
# Deliveries are never run as root.
never_users = root
# Reverse-DNS lookup of the sending host for every connection (used in logs
# and "hosts =" name matches such as "localhost" above).
host_lookup = *
prdr_enable = true
# Empty first item presumably keeps the default log files, with syslog added
# as a second destination - confirm against the running Exim version.
log_file_path =:syslog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified
# Undeliverable bounce messages are dropped after 2 days; frozen messages are
# removed after 7 days.
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# spf_test: invoked from acl_check_data via "acl = spf_test". Every branch
# accepts, so its only effects are the Received-SPF header it adds and the
# acl_m_spf_pass / acl_m_spf_fail variables it leaves for the caller.
# The quoted Jinja string literals keep Exim's ${...} expansions out of Jinja.
spf_test:
# Fetch the sender domain's TXT records so the "+all" check below can inspect
# them. NOTE(review): this is every TXT record, not just v=spf1, so any TXT
# record at all makes acl_m_spf_record "defined" for the "No SPF record" test.
warn set acl_m_spf_record = {{ '${lookup dnsdb{txt=$sender_address_domain}{$value}}' }}
# From local machines
accept hosts = +relay_from_hosts
add_header = Received-SPF: pass ({{ domain }}: {{ 'message originates from trusted relay) client-ip=${sender_host_address};' }}
# From authed users
# Counts as pass only when the SASL login id equals the envelope sender's
# local part (listextract item 1 with "@" as separator).
# NOTE(review): "shh.sh" is hard-coded in the header below while the sibling
# headers use the domain template variable.
accept authenticated = *
condition = ${if eq{$authenticated_id}{${listextract{1}{<@ $sender_address}}}}
add_header = Received-SPF: pass (shh.sh: message originates from authenticated user)
# No SPF record
accept !condition = {{ '${if def:acl_m_spf_record}' }}
add_header = Received-SPF: none ({{ domain }}: {{ '${sender_address} does not designate permitted sender hosts) client-ip=${sender_host_address};' }}
# SPF +all is meaningless
# A record containing a literal "+all" is treated as if there were none.
accept condition = {{ '${if match {$acl_m_spf_record}{\\\\+all}}' }}
add_header = Received-SPF: none ({{ domain }}: {{ '${sender_address} does not designate permitted sender hosts) client-ip=${sender_host_address};' }}
# Real SPF evaluation (needs Exim built with SPF support).
accept spf = pass
set acl_m_spf_pass = $acl_m_spf_record
add_header = Received-SPF: pass ({{ domain }}: {{ 'domain of ${sender_address} designates ${sender_host_address} as permitted sender) client-ip=${sender_host_address};' }}
# NOTE(review): an SPF hard fail is still accepted here and labelled
# "softfail" in the header; the message is only tagged, never rejected.
accept spf = fail
set acl_m_spf_fail = $acl_m_spf_record
add_header = Received-SPF: softfail ({{ domain }}: {{ 'domain of ${sender_address} does not designate ${sender_host_address} as permitted sender) client-ip=${sender_host_address};' }}
# neutral / softfail / temperror / permerror fall through with no header.
accept
# acl_check_rcpt: run once per RCPT TO.
acl_check_rcpt:
# Local (non-TCP) submissions have an empty sending-host field; accept them
# without DKIM verification.
accept hosts = :
control = dkim_disable_verify
# Reject local parts with shell/path metacharacters (same rules as Exim's
# default configure). The stricter pattern applies to non-local domains.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
# Domains listed in dead_domains never receive mail.
deny message = Known spam destination
domains = +dead_domains
# postmaster at any local domain is always reachable, even when the envelope
# sender cannot be verified.
accept local_parts = postmaster
domains = +local_domains
# Everyone else must present a verifiable envelope sender.
require verify = sender
# Trusted networks and authenticated clients may relay anywhere; submission
# mode treats the message as a local submission and skips DKIM verification.
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
accept authenticated = *
control = submission
control = dkim_disable_verify
# Anyone else may only address local domains (relay_to_domains is empty).
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# Refuse unroutable local recipients at RCPT time instead of bouncing later.
# Note the catch-all routers make any local part routable, so this mostly
# filters the dead/restricted cases above.
require verify = recipient
accept
# acl_check_data: run once after the whole message has been received.
acl_check_data:
# From authed users
# Authenticated senders whose login id matches their local part skip spam
# scanning and are stamped with a zero score.
accept authenticated = *
condition = ${if eq{$authenticated_id}{${listextract{1}{<@ $sender_address}}}}
add_header = X-Spam-Score: 0.0 (-)\n\
X-Spam-Status: 0
# Always run spamd (the ":true" suffix makes the condition unconditional) and
# record the result. spam_score_int is the score times ten, so X-Spam-Status
# is 1 at a score above 5.0 - the same threshold catchall_scan uses.
warn spam = nobody:true
add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
X-Spam-Report: $spam_report\n\
X-Spam-Status: {{ '${if >{$spam_score_int}{50} {1}{0}}' }}
# spf_test always accepts; this statement and the final "accept" both
# deliver the message, so the SPF outcome only affects headers and variables.
accept acl = spf_test
condition = ${if def:acl_m_spf_pass}
accept
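######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# Remote domains: MX/A lookup, delivered via the rewriting SMTP transport.
# "no_more" stops routing when the lookup fails, so remote addresses never
# fall through to the local catch-all routers below.
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp_rewrite
# Targets resolving to unspecified or loopback addresses are ignored. The
# separator is switched to ";" because "::1" contains the default ":"
# separator and would otherwise be split into bogus list items.
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
no_more
# Everything for the lists subdomain goes to one mailbox.
# NOTE(review): "shh.sh" is hard-coded while the rest of the template uses the
# domain template variable.
listserv_catch:
driver = redirect
domains = +list_domains
data = postmaster+listserv@shh.sh
# Folds every local domain (alt_domain, subdomains, ...) onto the primary
# domain; the generated address re-enters the router chain.
# NOTE(review): addresses already at the primary domain are regenerated
# unchanged - confirm Exim's redirect handling treats that as "no change"
# (skip this router) rather than a redirection loop.
rewrite_router:
domains = +local_domains
driver = redirect
allow_fail
allow_defer
data = $local_part@{{ domain }}
# /etc/mail/aliases lookup; a "+tag" or "-tag" suffix is stripped first.
# NOTE(review): no "user =" is set here, so an alias expanding to a pipe has
# no uid to run under and the address_pipe transport will fail; set one only
# if pipe aliases are intended.
system_aliases:
driver = redirect
allow_fail
allow_defer
local_part_suffix = +* : -*
local_part_suffix_optional
data = {{ '${lookup{$local_part}lsearch{/etc/mail/aliases}}' }}
file_transport = address_file
pipe_transport = address_pipe
# Per-user .forward files, only for real local users (check_local_user).
# check_ancestor keeps a .forward that names the user itself from looping.
userforward:
driver = redirect
check_local_user
local_part_suffix = +* : -*
local_part_suffix_optional
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# Real local users are delivered through procmail.
localuser:
driver = accept
check_local_user
local_part_suffix = +* : -*
local_part_suffix_optional
transport = procmail
# Unknown local parts: scored above 5.0 by spamd goes to spam@, the rest to
# catchall@. spam@ and catchall@ must themselves resolve via system_aliases
# or as local users, otherwise they bounce back into these routers.
catchall_scan:
driver = redirect
condition = {{ '${if >{$spam_score_int}{50}{1}{0}}' }}
data = spam@{{ domain }}
catchall:
driver = redirect
data = catchall@{{ domain }}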
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports
# Plain SMTP delivery with DKIM signing.
# NOTE(review): no router in this file references remote_smtp; dnslookup uses
# remote_smtp_rewrite. Kept in case it is referenced from elsewhere.
remote_smtp:
driver = smtp
# Sign as the lowercased From: domain, with the primary domain's key.
# NOTE(review): the key path is fixed to the primary domain, so a From: at
# another local domain is signed with a d= that has no matching DNS selector
# record unless one is published - consider pinning dkim_domain.
dkim_domain = {{ '${lc:${domain:$h_from:}}' }}
dkim_selector = 20160724
dkim_private_key = /etc/mail/dkim/dkim.{{ domain }}
dkim_canon = relaxed
# Outbound mail carries no internal Received: trail.
headers_remove = Received
# Same as remote_smtp, but header addresses at alt_domain / subdomains of the
# primary domain are rewritten onto the primary domain ($1 is the local
# part), and the envelope sender is forced onto the primary domain too.
remote_smtp_rewrite:
driver = smtp
headers_rewrite = *@*.{{ alt_domain }} $1@{{ domain }} : *@*.{{ domain }} $1@{{ domain }}
return_path = {{ '${sender_address_local_part}' }}@{{ domain }}
dkim_domain = {{ '${lc:${domain:$h_from:}}' }}
dkim_selector = 20160724
dkim_private_key = /etc/mail/dkim/dkim.{{ domain }}
dkim_canon = relaxed
headers_remove = Received
# Maildir delivery under the user's home directory.
# NOTE(review): no router in this file references local_delivery; localuser
# delivers through procmail instead.
local_delivery:
driver = appendfile
# file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
create_directory = true
directory = {{ '/home/${local_part}/.mail' }}
maildir_format
# Hand each message to procmail running as the recipient. The command is not
# run through a shell (use_shell is unset), and $local_part has already
# passed check_local_user and the restricted-characters ACL.
procmail:
driver = pipe
command = /usr/bin/procmail -d $local_part
return_path_add
delivery_date_add
envelope_to_add
check_string = "From "
escape_string = ">From "
umask = 077
user = $local_part
# Pipe targets from aliases / .forward; any output from the command is
# treated as a failure and returned to the sender.
address_pipe:
driver = pipe
return_output
# File targets from aliases / .forward.
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
# Auto-replies generated by .forward filter files.
address_reply:
driver = autoreply
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Address or Domain Error Retries
# ----------------- ----- -------
# Any address, any error: every 15 minutes for 2 hours, then intervals
# growing from 1 hour by a factor of 1.5 up to 16 hours, then every 6 hours
# until 4 days have passed.
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# Intentionally empty: address rewriting is done per transport
# (headers_rewrite / return_path in remote_smtp_rewrite) and by rewrite_router.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
begin authenticators
# SASL PLAIN, verified through Dovecot's auth socket. Advertised only when
# the connection is already encrypted (tls_in_cipher is set), so the password
# is never offered in the clear on 25/587 before STARTTLS.
PLAIN:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/exim-auth
# The login name becomes $authenticated_id, which the ACLs compare against
# the sender's local part.
server_set_id = $auth1
server_advertise_condition = ${if def:tls_in_cipher}