aboutsummaryrefslogtreecommitdiffstats
# Specify local domains, this is usually hostname -f and hostname - ie bad
# mail names the local machine might create.  They get rewritten to a cloud
# name below
domainlist local_domains =

domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
# Create this file HERE
# It has single lines in the format:
#  domain.com: host=smtp.office365.com::587 helo=cms user=user@domain.com oauth=/home/XX/mail/.cms/exim/unix
# oauth= may also be replaced with password= to do basic authentication. The
# file is searched based on the Envelope From when invoking sendmail
SMARTFN = /etc/exim4/exim-smart-hosts

# We don't have IPv6, do not even try.
disable_ipv6=true

# It is also a good idea to edit /etc/default/exim4 and switch to 'queueonly' mode (Debian)
local_interfaces = <; [127.0.0.1]:25

acl_smtp_rcpt = acl_check_rcpt

tls_advertise_hosts =

# Trusted users are allowed to override the sender envelope
trusted_users = # Add your user name HERE

never_users = root

host_lookup = *

prdr_enable = true

log_selector = +smtp_protocol_error +smtp_syntax_error \
	+tls_certificate_verified

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

keep_environment =
add_environment = <; PATH=/bin:/usr/bin

begin acl
acl_check_rcpt:

  # Standard input
  accept  hosts = :
          control = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  accept  local_parts   = postmaster
          domains       = +local_domains


  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify

  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept

begin routers

# The router is sensitive to the sender address and will use the correct outgoing server.
# Use something like:
#  exim -f 'user@domain.com' -bt user@otherdomain.com
# To quick test
smarthost:
  debug_print = "R: smarthost to $local_part@$domain for $sender_address"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  address_data = ${lookup{$sender_address_domain}lsearch{SMARTFN}}
  route_data = ${extract{host}{$address_data}}

# There are several cases in exim, particularly internally generated bounces,
# that have an empty envelope from. In this case route based on the
# destination address the cloud relay will insert the account user as the
# envelope from.
empty_envelope:
  debug_print = "R: empty_envelope to $local_part@$domain for '$sender_address'"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  condition = ${if eq{$sender_address_domain}{}{true}{}}
  address_data = ${lookup{$domain}lsearch{SMARTFN}}
  route_data = ${extract{host}{$address_data}}
  no_more

begin transports

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  helo_data = ${extract{helo}{$address_data}{$value}{example.com}}
  hosts_require_auth = ${extract{user}{$address_data}{*}{}}
  hosts_require_tls = *
  tls_tempfail_tryclear = false
  tls_verify_certificates = system

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite

# Replace user and domain HERE
root@+local_domains user@domain.com Eh
user@+local_domains user@domain.com Eh

begin authenticators

xoauth2_smart:
  driver = plaintext
  client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{oauth}{$address_data}{}fail}}{}}} }
  public_name = XOAUTH2
  client_ignore_invalid_base64 = true
  client_send = : ${readsocket{${extract{oauth}{$address_data}{$value}fail}}{SMTP ${extract{user}{$address_data}{$value}fail}}}

# Plain has fewer round trips, so prefer to use it
plain_smart:
  driver = plaintext
  client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{password}{$address_data}{}fail}}{}}} }
  public_name = PLAIN
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}}

login_smart:
  driver = plaintext
  client_condition = ${if and {{!eq{$tls_out_cipher}{}} {eq{${extract{password}{$address_data}{}fail}}{}}} }
  public_name = LOGIN
  client_send = : ${extract{user}{$address_data}{$value}fail} : ${extract{password}{$address_data}}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-03 13:35:50 +0000