#!!# cPanel Exim 4 Config
domainlist blocked_domains = lsearch /etc/blockeddomains
hostlist loopback = <; @[]; 127.0.0.0/8 ; 0.0.0.0 ; ::1 ; 0000:0000:0000:0000:0000:ffff:7f00:0000/8
hostlist senderverifybypass_hosts = net-iplsearch;/etc/senderverifybypasshosts
hostlist skipsmtpcheck_hosts = net-iplsearch;/etc/skipsmtpcheckhosts
hostlist spammeripblocks = net-iplsearch;/etc/spammeripblocks
hostlist blocked_incoming_email_country_ips = ${if exists{/etc/blocked_incoming_email_country_ips} {net-iplsearch;/etc/blocked_incoming_email_country_ips} {} }
hostlist backupmx_hosts = lsearch;/etc/backupmxhosts
hostlist trustedmailhosts = lsearch;/etc/trustedmailhosts
hostlist recent_authed_mail_ips = net-iplsearch;/etc/recent_authed_mail_ips
hostlist neighbor_netblocks = net-iplsearch;/etc/neighbor_netblocks
hostlist greylist_trusted_netblocks = net-iplsearch;/etc/greylist_trusted_netblocks
hostlist greylist_common_mail_providers = net-iplsearch;/etc/greylist_common_mail_providers
hostlist cpanel_mail_netblocks = net-iplsearch;/etc/cpanel_mail_netblocks
hostlist recent_recipient_mail_server_ips = net-iplsearch;/etc/recent_recipient_mail_server_ips
domainlist user_domains = ${if exists{/etc/userdomains} {lsearch;/etc/userdomains} fail}
domainlist local_domains = lsearch;/etc/localdomains
domainlist secondarymx_domains = lsearch;/etc/secondarymx
domainlist relay_domains = +local_domains : +secondarymx_domains
domainlist manualmx_domains = ${if exists {/etc/manualmx} {lsearch;/etc/manualmx} {} }
localpartlist path_safe_localparts = \N^\.*[^./][^/]*$\N
smtp_accept_queue_per_connection = 30
remote_max_parallel = 10
smtp_receive_timeout = 165s
ignore_bounce_errors_after = 1d
rfc1413_query_timeout = 0s
timeout_frozen_after = 5d
auto_thaw = 7d
callout_domain_negative_expire = 1h
callout_negative_expire = 1h
acl_not_smtp = acl_not_smtp
acl_not_smtp_mime = acl_not_smtp_mime
acl_smtp_connect = acl_smtp_connect
acl_smtp_data = acl_smtp_data
acl_smtp_helo = acl_smtp_helo
acl_smtp_mail = acl_smtp_mail
acl_smtp_mime = acl_smtp_mime
acl_smtp_quit = acl_smtp_quit
acl_smtp_notquit = acl_smtp_notquit
acl_smtp_rcpt = acl_smtp_rcpt
message_body_newlines = true
check_rfc2047_length = false
keep_environment = X-SOURCE : X-SOURCE-ARGS : X-SOURCE-DIR
add_environment = PATH=/usr/local/sbin::/usr/local/bin::/sbin::/bin::/usr/sbin::/usr/bin::/sbin::/bin
chunking_advertise_hosts = 198.51.100.1
deliver_queue_load_max = 18
queue_only_load = 36
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
system_filter_user = cpaneleximfilter
system_filter_group = cpaneleximfilter
smtputf8_advertise_hosts = :
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
av_scanner = clamd:/var/clamd
timezone = Europe/Berlin
spamd_address = 127.0.0.1 783 retry=30s tmo=3m
tls_certificate = ${if and \
{ \
{gt{$tls_in_sni}{}} \
{!match{$tls_in_sni}{/}} \
} \
{${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
{${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
{${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
{/etc/exim.crt} \
}} \
}} \
{/etc/exim.crt} \
}
tls_privatekey = ${if and \
{ \
{gt{$tls_in_sni}{}} \
{!match{$tls_in_sni}{/}} \
} \
{${if exists {/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined} \
{${if exists {${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
{${sg{/var/cpanel/ssl/domain_tls/$tls_in_sni/combined}{(.+/)[^.]+(.+/combined)}{\$1*\$2}}} \
{/etc/exim.key} \
}} \
}} \
{/etc/exim.key} \
}
# +incoming_port, +smtp_connection, +all_parents are needed for cPanel email tracking.
# +retry_defer, +subject, +arguments, +received_recipients are suggested settings that may be disabled.
log_selector = +incoming_port +smtp_connection +all_parents +retry_defer +subject +arguments +received_recipients
system_filter = /etc/cpanel_exim_system_filter
#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.
#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.
addresslist secondarymx = *@partial-lsearch;/etc/secondarymx
######################################################################
# Runtime configuration file for Exim #
######################################################################
# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
# the Exim ftp sites. The manual is also online via the Exim web sites.
# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
perl_startup = do '/etc/exim.pl'
#dns_retry = 1
#dns_retrans = 1s
# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.
smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
\#${compile_number} ${tod_full} \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."
#nobody as the sender seems to annoy people
untrusted_set_sender = *
local_from_check = false
split_spool_directory = yes
smtp_connect_backlog = 50
smtp_accept_max = 100
# primary_hostname =
# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.ex" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.
# qualify_domain =
# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.
# qualify_recipient =
# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.
#!!# message_filter renamed system_filter
message_body_visible = 5000
# Specify a set of options to control the behavior of OpenSSL. The default is to
# disable SSLv2 and SSLv3 due to weaknesses in these protocols.
# If you want to accept mail addressed to your host's literal IP address, for
# example, mail addressed to "user@[111.111.111.111]", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above.
# local_domains_include_host_literals
# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.
never_users = root
# The use of your host as a mail relay by any host, including the local host
# calling its own SMTP port, is locked out by default. If you want to permit
# relaying from the local host, you should set
#
# host_accept_relay = localhost
#
# If you want to permit relaying through your host from certain hosts or IP
# networks, you need to set the option appropriately, for example
#
#
#
# If you are an MX backup or gateway of some kind for some domains, you must
# set relay_domains to match those domains. This will allow any host to
# relay through your host to those domains.
#
# See the section of the manual entitled "Control of relaying" for more
# information.
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.
#host_lookup = 0.0.0.0/0
# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
#
# to control sender and receiver addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).
# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for background.
# Uncommenting the first line below will make Exim reject mail from any
# host whose IP address is blacklisted in the RBL at maps.vix.com. Some
# others have followed the RBL lead and have produced other lists: DUL is
# a list of dial-up addresses, and ORBS is a list of open relay systems. The
# second line below checks all three lists.
# rbl_domains = rbl.maps.vix.com
# rbl_domains = rbl.maps.vix.com
# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part.
# percent_hack_domains = *
#sender_host_accept = +include_unknown:*
#sender_host_reject = +include_unknown:lsearch*;/etc/spammers
tls_advertise_hosts = *
helo_accept_junk_hosts = *
smtp_enforce_sync = false
#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3 #!!#
#!!# policy control options. #!!#
#!!#######################################################!!#
#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.
begin acl
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
#
# cPanel Default ACL Template Version: 108.002
# Template: universal.dist
#
########################################################################################
# DO NOT ALTER THIS BLOCK
########################################################################################
acl_not_smtp:
#BEGIN ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK
# BEGIN INSERT resolve_vhost_owner
warn
condition = ${if eq{$originator_uid}{${perl{user2uid}{nobody}}}{1}{0}}
set acl_c_vhost_owner = ${perl{resolve_vhost_owner}}
# END INSERT resolve_vhost_owner
# BEGIN INSERT end_default_outgoing_notsmtp_checkall
accept
# END INSERT end_default_outgoing_notsmtp_checkall
#END ACL-OUTGOING-NOTSMTP-CHECKALL-BLOCK
#BEGIN ACL-NOT-SMTP-BLOCK
#END ACL-NOT-SMTP-BLOCK
acl_not_smtp_mime:
#BEGIN ACL-NOT-SMTP-MIME-BLOCK
# BEGIN INSERT disallowed_filenames_bl
# Reject inbound mail with potentially dangerous attachments
# Obfuscation of file names using parameter value continuation evades other filters, but not this one
deny
log_message = DENY: disallowed \"$mime_filename\"
condition = ${if match \
{${lc:$mime_filename}} \
{[.](ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\$}}
message = Attached file '$mime_filename' has disallowed extension.
accept
# END INSERT disallowed_filenames_bl
#END ACL-NOT-SMTP-MIME-BLOCK
acl_not_smtp_start:
#BEGIN ACL-NOT-SMTP-START-BLOCK
#END ACL-NOT-SMTP-START-BLOCK
acl_smtp_auth:
#BEGIN ACL-SMTP-AUTH-BLOCK
#END ACL-SMTP-AUTH-BLOCK
acl_smtp_connect:
#BEGIN ACL-CONNECT-BLOCK
# BEGIN INSERT blockedcountryips
drop
message = Your country is not allowed to connect to this server.
log_message = Country is banned
hosts = +blocked_incoming_email_country_ips
# END INSERT blockedcountryips
# BEGIN INSERT delay_unknown_hosts
warn
!hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
delay = 20s
# END INSERT delay_unknown_hosts
# BEGIN INSERT ratelimit
accept
hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts
accept
hosts = +trustedmailhosts
accept
condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}}
defer
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
message = The server has reached its limit for processing requests from your host. Please try again later.
log_message = "Host is ratelimited ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
ratelimit = 1.2 / 1h / strict / per_conn / noupdate
# END INSERT ratelimit
# BEGIN INSERT slow_fail_block
warn
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
# host had a success in the last hour
ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_accept_$sender_host_address
set acl_m4 = 1
defer
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
condition = ${if eq {${acl_m4}}{1}{0}{1}}
log_message = "Host is ratelimited due to multiple failure only connections ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
ratelimit = 5 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address
# END INSERT slow_fail_block
# BEGIN INSERT spammerlist
drop
message = Your host is not allowed to connect to this server.
log_message = Host is banned
!hosts = : +skipsmtpcheck_hosts : +trustedmailhosts
hosts = +spammeripblocks
# END INSERT spammerlist
#END ACL-CONNECT-BLOCK
#BEGIN ACL-CONNECT-POST-BLOCK
# BEGIN INSERT default_connect_post
# do not change the comment in the line below, it is required for /usr/local/cpanel/bin/check_exim_config
#acl_smtp_notquit is required for this to work (exim 4.68)
accept
# END INSERT default_connect_post
#END ACL-CONNECT-POST-BLOCK
acl_smtp_data:
# exiscan only
# exiscan only
#BEGIN ACL-OUTGOING-SMTP-CHECKALL-BLOCK
#END ACL-OUTGOING-SMTP-CHECKALL-BLOCK
#BEGIN ACL-CHECK-MESSAGE-PRE-BLOCK
# BEGIN INSERT default_check_message_pre
#
# Enabling this will make the server non-rfc compliant
# require verify = header_sender
#
accept hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts
accept
authenticated = *
hosts = *
accept
condition = ${extract \
{size} \
{${stat:/etc/trustedmailhosts}} \
}
hosts = +trustedmailhosts
accept
condition = ${extract \
{size} \
{${stat:/etc/trustedmailhosts}} \
}
condition = ${if match_ip{$sender_host_address}{net-iplsearch;/etc/trustedmailhosts}{1}{0}}
# END INSERT default_check_message_pre
#END ACL-CHECK-MESSAGE-PRE-BLOCK
#BEGIN ACL-PRE-SPAM-SCAN
# BEGIN INSERT mailproviders
# Research in Motion - Blackberry white list
accept
condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
# END INSERT mailproviders
#END ACL-PRE-SPAM-SCAN
#BEGIN ACL-SPAM-SCAN-BLOCK
# BEGIN INSERT default_spam_scan
warn
# Remove spam headers from outside sources
condition = ${perl{spamd_is_available}}
!hosts = +skipsmtpcheck_hosts
remove_header = x-spam-subject : x-spam-status : x-spam-score : x-spam-bar : x-spam-report : x-spam-flag : x-ham-report
warn
condition = ${perl{spamd_is_available}}
condition = ${if eq {${acl_m0}}{1}{1}{0}}
spam = ${acl_m1}/defer_ok
# Always make sure cPanel support mail can get through
!hosts = : +trustedmailhosts : +cpanel_mail_netblocks
log_message = "SpamAssassin as ${acl_m1} detected message as spam ($spam_score)"
add_header = X-Spam-Subject: ***SPAM*** $rh_subject
add_header = X-Spam-Status: Yes, score=$spam_score
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Spam-Report: ${sg{$spam_report}{\N\n \n\N}{\n}}
add_header = X-Spam-Flag: YES
set acl_m2 = 1
warn
condition = ${perl{spamd_is_available}}
condition = ${if eq {$spam_score_int}{}{0}{${if <= {${spam_score_int}}{8000}{${if >= {${spam_score_int}}{50}{${perl{store_spam}{$sender_host_address}{$spam_score}}}{0}}}{0}}}}
warn
condition = ${perl{spamd_is_available}}
condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
add_header = X-Spam-Status: No, score=$spam_score
add_header = X-Spam-Score: $spam_score_int
add_header = X-Spam-Bar: $spam_bar
add_header = X-Ham-Report: ${sg{$spam_report}{\N\n \n\N}{\n}}
add_header = X-Spam-Flag: NO
log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam ($spam_score)"
# END INSERT default_spam_scan
#END ACL-SPAM-SCAN-BLOCK
# exiscan only
#BEGIN ACL-EXISCAN-BLOCK
# BEGIN INSERT default_exiscan
deny message = This message contains a virus or other harmful content ($malware_name)
malware = */defer_ok
warn log_message = Message has been scanned: no virus or other harmful content was found
# END INSERT default_exiscan
#END ACL-EXISCAN-BLOCK
# exiscan only
#BEGIN ACL-RATELIMIT-SPAM-BLOCK
#END ACL-RATELIMIT-SPAM-BLOCK
#BEGIN ACL-SPAM-BLOCK
#END ACL-SPAM-BLOCK
#BEGIN ACL-CHECK-MESSAGE-POST-BLOCK
# BEGIN INSERT default_check_message_post
accept
# END INSERT default_check_message_post
#END ACL-CHECK-MESSAGE-POST-BLOCK
acl_smtp_etrn:
#BEGIN ACL-SMTP-ETRN-BLOCK
#END ACL-SMTP-ETRN-BLOCK
acl_smtp_helo:
#BEGIN ACL-SMTP-HELO-BLOCK
#END ACL-SMTP-HELO-BLOCK
#BEGIN ACL-SMTP-HELO-POST-BLOCK
# BEGIN INSERT default_smtp_helo
accept
# END INSERT default_smtp_helo
#END ACL-SMTP-HELO-POST-BLOCK
acl_smtp_mail:
#BEGIN ACL-MAIL-PRE-BLOCK
# BEGIN INSERT default_mail_pre
# ignore authenticated hosts
accept
authenticated = *
warn
condition = ${if match_ip{$sender_host_address}{+loopback}{${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}}{0}}
set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}
accept
hosts = : +loopback : +recent_authed_mail_ips : +backupmx_hosts
# END INSERT default_mail_pre
#END ACL-MAIL-PRE-BLOCK
#BEGIN ACL-MAIL-BLOCK
# BEGIN INSERT requirehelo
deny
condition = ${if eq{$sender_helo_name}{}}
message = HELO required before MAIL
# END INSERT requirehelo
# BEGIN INSERT requirehelonoforge
drop
# if ($sender_helo_name eq $primary_hostname) {
# if (defined $interface_address) {
# return is_loopback($interface_address) ? 0 : 1; #ok from localhost
# } else {
# return 0; #exim -bs
# }
# } else {
# return 0;
# }
condition = ${if eq{${lc:$sender_helo_name}}{${lc:$primary_hostname}}{${if def:interface_address {${if match_ip{$interface_address}{+loopback}{0}{1}}}{0}}}{0}}
message = "REJECTED - Bad HELO - Host impersonating [$sender_helo_name]"
drop
condition = ${if eq{[$interface_address]}{$sender_helo_name}}
message = "REJECTED - Interface: $interface_address is _my_ address"
# END INSERT requirehelonoforge
# BEGIN INSERT requirehelosyntax
drop
condition = ${if isip{$sender_helo_name}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.3)
drop
# Required because "[IPv6:<address>]" will have no .s
condition = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
drop
condition = ${if match{$sender_helo_name}{\N\.$\N}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
drop
condition = ${if match{$sender_helo_name}{\N\.\.\N}}
message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
# END INSERT requirehelosyntax
#END ACL-MAIL-BLOCK
#BEGIN ACL-MAIL-POST-BLOCK
# BEGIN INSERT default_mail_post
accept
# END INSERT default_mail_post
#END ACL-MAIL-POST-BLOCK
acl_smtp_mailauth:
#BEGIN ACL-SMTP-MAILAUTH-BLOCK
#END ACL-SMTP-MAILAUTH-BLOCK
acl_smtp_mime:
#BEGIN ACL-SMTP-MIME-BLOCK
# BEGIN INSERT disallowed_filenames_bl
# Reject inbound mail with potentially dangerous attachments
# Obfuscation of file names using parameter value continuation evades other filters, but not this one
deny
log_message = DENY: disallowed \"$mime_filename\"
condition = ${if match \
{${lc:$mime_filename}} \
{[.](ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\$}}
message = Attached file '$mime_filename' has disallowed extension.
accept
# END INSERT disallowed_filenames_bl
#END ACL-SMTP-MIME-BLOCK
acl_smtp_notquit:
#BEGIN ACL-NOTQUIT-BLOCK
# BEGIN INSERT ratelimit
# ignore authenticated hosts
accept authenticated = *
accept hosts = : +recent_authed_mail_ips : +loopback : +backupmx_hosts
warn
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
condition = ${if match {$smtp_notquit_reason}{command}{yes}{no}}
log_message = "Connection Ratelimit - $sender_fullhost because of notquit: $smtp_notquit_reason ($sender_rate/$sender_rate_period max:$sender_rate_limit)"
ratelimit = 1.2 / 1h / strict / per_conn
# END INSERT ratelimit
#END ACL-NOTQUIT-BLOCK
acl_smtp_predata:
#BEGIN ACL-SMTP-PREDATA-BLOCK
#END ACL-SMTP-PREDATA-BLOCK
acl_smtp_quit:
#BEGIN ACL-SMTP-QUIT-BLOCK
# BEGIN INSERT slow_fail_block
warn
log_message = "Detected session with all messages failed"
condition = ${if >= {${eval:$rcpt_count}}{1}{${if == {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
set acl_m6 = 1
warn
condition = ${if eq {${acl_m6}}{1}{1}{0}}
ratelimit = 0 / 1h / strict / per_conn / slow_fail_block_$sender_host_address
log_message = "Increment slow_fail_block Ratelimit - $sender_fullhost because of all messages failed"
warn
ratelimit = 1 / 1h / noupdate / per_conn / slow_fail_block_$sender_host_address
condition = ${if >= {${eval:$rcpt_count}}{1}{${if < {${eval:$rcpt_fail_count}}{${eval:$rcpt_count}}{yes}{no}}}{no}}
set acl_m5 = 1
log_message = "Detected session with ok message that previous had all failed"
warn
condition = ${if eq {${acl_m5}}{1}{1}{0}}
ratelimit = 0 / 1h / strict / per_conn / slow_fail_accept_$sender_host_address
log_message = "Decrement slow_fail_lock Ratelimit - $sender_fullhost because one message was successful"
# END INSERT slow_fail_block
#END ACL-SMTP-QUIT-BLOCK
acl_smtp_rcpt:
#BEGIN ACL-RATELIMIT-BLOCK
#END ACL-RATELIMIT-BLOCK
#BEGIN ACL-PRE-RECIPIENT-BLOCK
# BEGIN INSERT default_pre_recipient
warn
!domains = +relay_domains
set acl_m_outbound_recipient = 1
# END INSERT default_pre_recipient
# BEGIN INSERT delay_unknown_hosts
warn
!authenticated = *
!hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks
#only rate limit port 25
condition = ${if eq {$received_port}{25}{yes}{no}}
delay = 20s
# END INSERT delay_unknown_hosts
# BEGIN INSERT dkim_disable
warn
control = dkim_disable_verify
# END INSERT dkim_disable
#END ACL-PRE-RECIPIENT-BLOCK
#BEGIN ACL-RECIPIENT-BLOCK
# BEGIN INSERT blockeddomains
deny
message = Your host is not allowed to connect to this server.
log_message = Sender domain is banned
sender_domains = !+local_domains : +blocked_domains
# END INSERT blockeddomains
# BEGIN INSERT default_recipient
accept
hosts = :
endpass
verify = recipient
# Accept from any of the domain’s cached remote MX hosts.
# As an optimization, we only check this for local domains because
# only local domains will be in the remote MX cache.
accept
domains = +local_domains
condition = ${if exists {/etc/domain_remote_mx_ips.cdb}{1}{0}}
hosts = ${lookup{$domain}cdb{/etc/domain_remote_mx_ips.cdb}}
endpass
verify = recipient
accept
condition = ${extract{size}{${stat:/etc/skipsmtpcheckhosts}}}
hosts = +skipsmtpcheck_hosts
endpass
verify = recipient
# implemented for "suspend incoming email" feature
deny
domains = !$primary_hostname : +local_domains
condition = ${if exists {${extract{5}{:}{${lookup passwd{${lookup{$domain}lsearch{/etc/userdomains}}}}}{$value}}/etc/.${sg{$local_part}{\N[/+].*\N}{}}@${domain}.suspended_incoming}}
message = 525 5.7.13 Disabled recipient address
log_message = Mail to ${local_part}@${domain} has been suspended
# implemented for "suspend outgoing email" feature for domains and individual webmail/pop accounts
deny
domains = ! +local_domains
condition = ${perl{check_outgoing_mail_suspended}}
message = ${perl{get_outgoing_mail_suspended_message}}
log_message = ${perl{get_outgoing_mail_suspended_message}}
# END INSERT default_recipient
#END ACL-RECIPIENT-BLOCK
#mailman only
#BEGIN ACL-RECIPIENT-MAILMAN-BLOCK
# BEGIN INSERT default_recipient_mailman
# Accept bounces to lists even if callbacks or other checks would fail
accept
domains = +local_domains
condition = ${if match{$local_part}{\N^(\.*[^./][^/]*)-bounces(\+.*)?$\N}}
condition = ${if exists{/usr/local/cpanel/3rdparty/mailman/lists/${1}${if !eq{$domain}{$primary_hostname}{_${domain}}{}}/config.pck}}
add_header = X-WhitelistedRCPT-nohdrfromcallback: Yes
#if it gets here it isn't mailman
# END INSERT default_recipient_mailman
#END ACL-RECIPIENT-MAILMAN-BLOCK
#mailman only
#BEGIN ACL-IDENTIFY-SENDER-BLOCK
# BEGIN INSERT default_identify_sender
# Accept authenticated connections when the connection comes from the main
# account (foo@foo.com, where foo.com's user is foo). Otherwise, we end up
# unintentionally rejecting mail if the user is set to :fail:.
accept
authenticated = *
condition = ${if eq{${lookup{$sender_address_domain}lsearch{/etc/userdomains}}}{$sender_address_local_part}}
endpass
verify = recipient
# deny must be on the same line as hosts so it will get removed by buildeximconf if turned off
deny hosts = ! +loopback : ! +senderverifybypass_hosts
! verify = sender
accept
authenticated = *
endpass
verify = recipient
# if they used "pop before smtp" and its not bound for a localdomain we remember the recent_authed_mail_ips_domain
warn
domains = ! +local_domains
hosts = ! +loopback
hosts = +recent_authed_mail_ips
set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}}
add_header = ${if exists{/etc/eximpopbeforesmtpwarning}{${perl{popbeforesmtpwarn}{$sender_host_address}}}{}}
# if they used "pop before smtp" then we just accept
accept
condition = ${if exists{/etc/popbeforesmtp}{1}{0}}
hosts = ! +loopback
hosts = +recent_authed_mail_ips
endpass
verify = recipient
# we need to check alwaysrelay since we don't require recentauthedmailiptracker to be enabled
accept
hosts = ! +loopback
condition = ${if or {{eq{$acl_c_recent_authed_mail_ips_text_entry}{}}{!exists{/etc/popbeforesmtp}}}{${if exists {/etc/alwaysrelay}{${lookup{$sender_host_address}iplsearch{/etc/alwaysrelay}{1}{0}}}{0}}}{0}}
set acl_c_recent_authed_mail_ips_text_entry = ${perl{get_recent_authed_mail_ips_text_entry}{1}}
set acl_c_alwaysrelay = 1
endpass
verify = recipient
#recipient verifications are now done after smtp auth and pop before smtp so the users get back bounces instead of
# a clogged outbox in outlook
# If we skipped identifying the sender in acl_smtp_mail (ie !def:acl_c_authenticated_local_user)
# We need to do it here before we can test the two drops
warn
condition = ${if !def:acl_c_authenticated_local_user}
condition = ${if match_ip{$sender_host_address}{+loopback}}
condition = ${perl{identify_local_connection}{$sender_host_address}{$sender_host_port}{$received_ip_address}{$received_port}{1}}
set acl_c_authenticated_local_user = ${perl{get_identified_local_connection_user}}
# drop connections to localhost that are from demo accounts (required for manual connections)
drop
condition = ${if def:acl_c_authenticated_local_user}
condition = ${if !eq{$acl_c_authenticated_local_user}{root}}
condition = ${if match_ip{$sender_host_address}{+loopback}}
condition = ${lookup{$acl_c_authenticated_local_user}lsearch{/etc/demousers}{1}}
message = Demo accounts may not send mail
# drop connections to localhost that fail auth (required for Horde)
drop
condition = $authentication_failed
condition = ${if match_ip{$sender_host_address}{+loopback}}
message = Authentication failed
# we learned this in the acl_smtp_mail block
accept
condition = ${if def:acl_c_authenticated_local_user}
endpass
verify = recipient
# END INSERT default_identify_sender
# BEGIN INSERT default_message_submission
# Reject unauthenticated relay on port 587
drop
condition = ${if eq{$received_port}{587}{1}{0}}
message = SMTP AUTH is required for message submission on port 587
# END INSERT default_message_submission
#END ACL-IDENTIFY-SENDER-BLOCK
#BEGIN ACL-RECP-VERIFY-BLOCK
# BEGIN INSERT default_recp_verify
# recipient verification to confirm the address is routable.
# no callouts to remote systems are performed by default.
require
verify = recipient
# skip content scanning for suspended recipients that are being queued, blackholed or relayed
accept
condition = ${extract{suspended}{$address_data}}
# END INSERT default_recp_verify
#END ACL-RECP-VERIFY-BLOCK
#BEGIN ACL-POST-RECP-VERIFY-BLOCK
# BEGIN INSERT dictionary_attack
warn
log_message = "Detected Dictionary Attack (Let $rcpt_fail_count bad recipients though before engaging)"
condition = ${if > {${eval:$rcpt_fail_count}}{4}{yes}{no}}
set acl_m7 = 1
warn
condition = ${if eq {${acl_m7}}{1}{1}{0}}
ratelimit = 0 / 1h / strict / per_conn
log_message = "Increment Connection Ratelimit - $sender_fullhost because of Dictionary Attack"
drop
condition = ${if eq {${acl_m7}}{1}{1}{0}}
message = "Number of failed recipients exceeded. Come back in a few hours."
# END INSERT dictionary_attack
#END ACL-POST-RECP-VERIFY-BLOCK
#BEGIN ACL-TRUSTEDLIST-BLOCK
#END ACL-TRUSTEDLIST-BLOCK
#BEGIN ACL-RBL-BLOCK
#END ACL-RBL-BLOCK
#BEGIN ACL-MAILAUTH-BLOCK
#END ACL-MAILAUTH-BLOCK
#BEGIN ACL-GREYLISTING-BLOCK
# BEGIN INSERT greylisting
# Greylisting
defer message = Temporarily unable to process your email. Please try again later.
# skip if authenticated (with SMTP AUTH ...)
!authenticated = *
# skip if spf check passes
!spf = pass
!hosts = +recent_recipient_mail_server_ips : +greylist_trusted_netblocks : +greylist_common_mail_providers : +cpanel_mail_netblocks
domains = +local_domains : +relay_domains
condition = ${sg{${readsocket{/var/run/cpgreylistd.sock}\
{should_defer ${sg{$sender_host_address}{ }{\x01}} ${sg{$sender_address}{ }{\x01}} ${sg{$local_part@$domain}{ }{\x01}}\n}\
{5s}{\n}{no}}}{\n}{}}
log_message = Deferred due to greylisting. Host: '$sender_host_address' From: '$sender_address' To: '$local_part@$domain' SPF: '${if def:spf_result {$spf_result}{unchecked}}'
# END INSERT greylisting
#END ACL-GREYLISTING-BLOCK
#BEGIN ACL-RCPT-HARD-LIMIT-BLOCK
#END ACL-RCPT-HARD-LIMIT-BLOCK
#BEGIN ACL-RCPT-SOFT-LIMIT-BLOCK
#END ACL-RCPT-SOFT-LIMIT-BLOCK
#BEGIN ACL-SPAM-SCAN-CHECK-BLOCK
# BEGIN INSERT default_spam_scan_check
# The only problem with this setup is that if the message is for multiple users on the same server
# and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
# This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
warn
domains = +local_domains
condition = ${if <= {$message_size}{1000K}}
condition = ${if !eq{${acl_m0}}{1}}
condition = ${if exists{/etc/global_spamassassin_enable}{1}{${if exists{${extract{5}{::}{${lookup passwd{${if eq{$domain}{$primary_hostname}{${sg{$local_part}{\N[/+].*\N}{}}}{${lookup{$domain}lsearch{/etc/userdomains}}}}}}}}/.spamassassinenable}}}}
set acl_m0 = 1
# $local_part should work here rather than $local_part_data, but
# $local_part_data sidesteps a taint-checking bug in Exim 4.94.
#
# Commit 12b7f811de is advertised as the fix for it, but during
# testing an Exim built with that change still had the bug.
# cf. https://www.mail-archive.com/exim-users@exim.org/msg54624.html
#
set acl_m1 = ${if eq{$domain}{$primary_hostname}{${sg{$local_part_data}{\N[/+].*\N}{}}}{${lookup{$domain}lsearch{/etc/userdomains}}}}
# END INSERT default_spam_scan_check
# BEGIN INSERT spam_scan_secondarymx
# Support for scanning secondarymx domains
warn domains = ! +local_domains : +secondarymx_domains
condition = ${if <= {$message_size}{1000K}{1}{0}}
set acl_m0 = 1
set acl_m1 = cpaneleximscanner
# END INSERT spam_scan_secondarymx
#END ACL-SPAM-SCAN-CHECK-BLOCK
#BEGIN ACL-POST-SPAM-SCAN-CHECK-BLOCK
# BEGIN INSERT delay_unknown_hosts
warn
#acl_m2 is spam = YES
condition = ${if eq {${acl_m2}}{1}{1}{0}}
!hosts = : +loopback : +neighbor_netblocks : +trustedmailhosts : +recent_authed_mail_ips : +backupmx_hosts : +skipsmtpcheck_hosts : +senderverifybypass_hosts : +greylist_trusted_netblocks : +cpanel_mail_netblocks
delay = 40s
# END INSERT delay_unknown_hosts
# BEGIN INSERT mailproviders
# Research in Motion - Blackberry white list
warn
condition = ${if exists {/etc/mailproviders/rim/ips}{${if match_ip{$sender_host_address}{iplsearch;/etc/mailproviders/rim/ips}{1}{0}}}{0}}
set acl_m0 = 0
# END INSERT mailproviders
#END ACL-POST-SPAM-SCAN-CHECK-BLOCK
#BEGIN ACL-RECIPIENT-POST-BLOCK
# BEGIN INSERT default_recipient_post
accept domains = +relay_domains
deny message = ${expand:${lookup{host_accept_relay}lsearch{/etc/eximrejects}{$value}}}
log_message = Rejected relay attempt: '$sender_host_address' From: '$sender_address' To: '$local_part@$domain'
# END INSERT default_recipient_post
#END ACL-RECIPIENT-POST-BLOCK
acl_smtp_starttls:
#BEGIN ACL-SMTP-STARTTLS-BLOCK
#END ACL-SMTP-STARTTLS-BLOCK
acl_smtp_vrfy:
#BEGIN ACL-SMTP-SMTP-VRFY-BLOCK
#END ACL-SMTP-SMTP-VRFY-BLOCK
acl_smtp_dkim:
#BEGIN ACL-SMTP-DKIM-BLOCK
#END ACL-SMTP-DKIM-BLOCK
begin authenticators
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
server_advertise_condition = ${if or {{def:tls_cipher}{match_ip{$sender_host_address}{+loopback}}}{1}{0}}
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
server_condition = ${if and {{!match {$auth1}{\N[/]\N}}{eq{${if match {$auth1}{\N[+%:@]\N}{${lookup{${extract{2}{+%:@}{$auth1}}}lsearch{/etc/demodomains}{yes}}}{${lookup{$auth1}lsearch{/etc/demousers}{yes}}}}}{}}}{true}{false}}
server_advertise_condition = ${if or {{def:tls_cipher}{match_ip{$sender_host_address}{+loopback}}}{1}{0}}
# smarthost authentication disabled
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
#!!#######################################################!!#
#!!# Here follow routers created from the old routers, #!!#
#!!# for handling non-local domains. #!!#
#!!#######################################################!!#
begin routers
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how remote addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A remote address is passed to each in turn until it is accepted. #
######################################################################
# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.
blackhole_dovenull:
driver= redirect
local_parts = "@dovenull"
allow_fail = true
data = :fail: Unrouteable address
deliver_local_outside_jail:
driver = manualroute
require_files = "+/jail_owner"
# users outside the jail will not be in /etc/passwd => We need to check if $local_part is in /jail_owner
# we can't just check to see if they exist
# because we still want to be able to mail root
domains = +local_domains
transport = remote_smtp
route_list = "* 127.0.0.1"
# self = send allows us to send outside the jail
# we make sure /home/virtfs does not exist before we get here
# to be safe
self = send
suspendedcheck:
driver = redirect
domains = +local_domains
local_parts = ${if eq {$domain} \
{$primary_hostname} \
{+path_safe_localparts} \
{*} \
}
require_files = \
+/etc/exim_suspended_list \
: +/var/cpanel/suspended/${if eq {$domain} {$primary_hostname} \
{$local_part} \
{${lookup \
{$domain} \
lsearch{/etc/userdomains} \
{$value} \
{::::invalid::::} \
}} \
}
local_part_suffix = +*
local_part_suffix_optional
allow_fail
allow_defer
allow_freeze
# Sets r_suspendinfo to the contents of the suspendinfo file,
# r_suspended_shell to the original shell of the suspended account,
# r_suspended_redirect to the real mapped redirect setting.
set = r_suspended_shell=${perl \
{get_suspended_shell} \
{${if eq {$domain} {$primary_hostname} \
{$local_part} \
{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
}} \
}
# This skips content scanning for the primary account address with
# live-transfers and handles the special :queue: setting by pretending
# those are :blackhole: deliveries during address verification
address_data = \
router=$router_name \
${if \
!match {${lookup \
{$local_part@$domain} \
wildlsearch{/etc/exim_suspended_list} \
{$value} \
{:unknown:} \
}} \
{\N^\s*(:unknown:.*)?$\N} \
{ \
suspended=1 \
redirect=${quote:${if \
!match{${lookup \
{$local_part@$domain} \
wildlsearch{/etc/exim_suspended_list} \
{$value} \
{:unknown:} \
}} \
{\N^\s*:\N} \
{${if eq \
{$verify_mode} \
{} \
{${lookup{$local_part@$domain} \
wildlsearch{/etc/exim_suspended_list} \
{$value} \
{:unknown:} \
}} \
{:blackhole:} \
}} \
{${sg \
{${lookup {$local_part@$domain} \
wildlsearch{/etc/exim_suspended_list} \
{$value} \
{:unknown:} \
}} \
{\N^\s*:queue:\N} \
{${if eq \
{$verify_mode} \
{} \
{:defer:} \
{:blackhole:} \
}} \
}} \
}} \
} \
}
data = ${extract \
{redirect} \
{$address_data} \
}
# The main routers handle traffic to the lists themselves and the suffixed ones
# handle mail to administrative aliases. We have to use a two step process
# because otherwise mail to a list such as foo-admin@example.tld will not be
# handled properly.
mailman_virtual_router:
driver = accept
domains = !$primary_hostname : +local_domains
local_parts = +path_safe_localparts
require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman
transport = mailman_virtual_transport
mailman_virtual_router_suffixed:
driver = accept
require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}_${lc::$domain}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman
domains = !$primary_hostname : +local_domains
local_parts = +path_safe_localparts
local_part_suffix = -admin : \
-bounces : -bounces+* : \
-confirm : -confirm+* : \
-join : -leave : \
-owner : -request : \
-subscribe : -unsubscribe
transport = mailman_virtual_transport
mailman_virtual_router_nodns:
driver = accept
require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman
condition = \
${if or {{match{$local_part}{.*_.*}} \
{eq{$local_part}{mailman}}} \
{1}{0}}
domains = $primary_hostname
local_parts = +path_safe_localparts
transport = mailman_virtual_transport_nodns
mailman_virtual_router_nodns_suffixed:
driver = accept
require_files = /usr/local/cpanel/3rdparty/mailman/lists/${lc::$local_part}/config.pck : /usr/local/cpanel/3rdparty/mailman/mail/mailman
condition = \
${if or {{match{$local_part}{.*_.*}} \
{eq{$local_part}{mailman}}} \
{1}{0}}
local_part_suffix = -admin : \
-bounces : -bounces+* : \
-confirm : -confirm+* : \
-join : -leave : \
-owner : -request : \
-subscribe : -unsubscribe
domains = $primary_hostname
local_parts = +path_safe_localparts
transport = mailman_virtual_transport_nodns
democheck:
driver = redirect
require_files = "+/etc/demouids"
condition = ${if >= {$originator_uid}{100}{1}{0}}
condition = "${extract{size}{${stat:/etc/demouids}}}"
condition = "${if eq \
{${lookup \
{$originator_uid} \
lsearch{/etc/demouids} \
{$value} \
}} \
{} \
{false} \
{true} \
}"
allow_fail
data = :fail: demo accounts are not permitted to relay email
#
# This is to make sure that cpanel@* always passes sender verification
# so that the system notifications don't get rejected by spam filters
# doing a sender verification check.
#
blackhole_cpanel_at:
driver = redirect
local_parts = cpanel
domains = !$primary_hostname
verify_only
data = :blackhole:
# cPanel Mail Archiving is disabled
reject_domains:
driver = redirect
domains = +blocked_domains
allow_fail
data = :fail: Connection rejected: SPAM source $domain is manually blacklisted.
#
# Handles identification of messages, nobody and webspam and mail trap checks
# in check_mail_permissions and notifies if we are defering a message
#
boxtrapper_autowhitelist:
driver = accept
condition = ${if eq {$authenticated_id}{}{0}{${if eq {$sender_address}{$local_part@$domain}{0}{${if match{$received_protocol}{\N^e?smtps?a$\N}{${perl{checkbx_autowhitelist}{$authenticated_id}}}{${if eq{$received_protocol}{local}{${perl{checkbx_autowhitelist}{$sender_ident}}}{0}}}}}}}}
require_files = "+/usr/local/cpanel/bin/boxtrapper"
transport = boxtrapper_autowhitelist
no_verify
unseen
check_mail_permissions:
domains = ! +local_domains
condition = ${if eq {$authenticated_id}{root}{0}{1}}
ignore_target_hosts = +loopback : 64.94.110.0/24
driver = redirect
allow_filter
reply_transport = address_reply
user = mailnull
no_verify
expn = false
condition = "${perl{check_mail_permissions}}"
data = "${perl{check_mail_permissions_results}}"
#
# discover_sender_information is not included
# because from_rewrites are not enabled
#
#
# If check_mail_permissions needs to defer or fail a message it is done here
#
enforce_mail_permissions:
domains = ! +local_domains
ignore_target_hosts = +loopback : 64.94.110.0/24
condition = ${if eq {$authenticated_id}{root}{0}{1}}
driver = redirect
allow_fail
allow_defer
no_verify
expn = false
condition = "${perl{enforce_mail_permissions}}"
data = "${perl{enforce_mail_permissions_results}}"
#
# Increments max emails per hour if needed
#
increment_max_emails_per_hour_if_needed:
domains = ! +local_domains
ignore_target_hosts = +loopback : 64.94.110.0/24
condition = ${if eq {$authenticated_id}{root}{0}{1}}
driver = redirect
allow_fail
no_verify
one_time
expn = false
condition = "${perl{increment_max_emails_per_hour_if_needed}}"
data = ":unknown:"
#
# reject_forwarded_mail_marked_as_spam is not included
# because no_forward_outbound_spam and no_forward_outbound_spam_over_int
# are both disabled
#
# This router routes to a statically defined host from /etc/manualmx
# so that any mail received for the domain will skip MX lookups and attempt to
# deliver the message directly to the specified host.
manualmx:
driver = manualroute
domains = +manualmx_domains
transport = remote_smtp
route_data = ${lookup \
{$domain} \
lsearch{/etc/manualmx} \
}
#
# lookuphost router
#
#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
# This matches lookup exactly except we look for X-Precedence and Precedence so
# we can determinte what is an auto responder message in the log.
# Note: there is nothing to
# prevent X-Precedence from being added to non-autoresponded messages so this is for
# logging reasons only
#
# Note: Boxtrapper sets Precedence to auto_reply
#
autoreply_dkim_lookuphost:
driver = dnslookup
domains = ! +local_domains
condition = "${perl{sender_domain_can_dkim_sign}}"
condition = "${if \
or { \
{match{$h_precedence:}{auto}} \
{match{$h_x-precedence:}{auto}} \
} \
{1}{0} \
}"
#ignore verisign to prevent waste of bandwidth
ignore_target_hosts = +loopback : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
transport = dkim_remote_smtp
#
# Lookup host router for remote smtp and ignores verisign site finder 'service' and uses domain keys
#
dkim_lookuphost:
driver = dnslookup
domains = ! +local_domains
condition = "${perl{sender_domain_can_dkim_sign}}"
#ignore verisign to prevent waste of bandwidth
ignore_target_hosts = +loopback : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{dkim_remote_smtp} {dkim_remote_forwarded_smtp}}
.else
transport = dkim_remote_smtp
.endif
#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
# This matches lookup exactly except we look for X-Precedence and Precedence so
# we can determinte what is an auto responder message in the log.
# Note: there is nothing to
# prevent X-Precedence from being added to non-autoresponded messages so this is for
# logging reasons only
#
# Note: Boxtrapper sets Precedence to auto_reply
#
autoreply_lookuphost:
driver = dnslookup
domains = ! +local_domains
condition = "${if \
or { \
{match{$h_precedence:}{auto}} \
{match{$h_x-precedence:}{auto}} \
} \
{1}{0} \
}"
#ignore verisign to prevent waste of bandwidth
ignore_target_hosts = +loopback : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
transport = remote_smtp
#
# Lookup host router for remote smtp and ignores verisign site finder 'service'
#
lookuphost:
# router from etc/exim/replacecf/dkim/lookuphost
driver = dnslookup
domains = ! +local_domains
#ignore verisign to prevent waste of bandwidth
ignore_target_hosts = +loopback : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
.else
transport = remote_smtp
.endif
# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.
#
# Literal Transports .. ignores verisigns sitefinder service
#
literal:
driver = ipliteral
domains = ! +local_domains
ignore_target_hosts = +loopback : 64.94.110.0/24
headers_add = "${perl{mailtrapheaders}}"
.ifdef SRSENABLED
# if outbound, and forwarding has been done, use an alternate transport
transport = ${if eq {$local_part@$domain} \
{$original_local_part@$original_domain} \
{remote_smtp} {remote_forwarded_smtp}}
.else
transport = remote_smtp
.endif
#!!# This new router is put here to fail all domains that
#!!# were not in local_domains in the Exim 3 configuration.
#
# Trap Failures to Remote Domain
#
fail_remote_domains:
driver = redirect
domains = ! +local_domains : ! localhost : ! localhost.localdomain
allow_fail
data = ${if eq {$verify_mode}{S} \
{:fail: The mail server does not recognize $local_part@$domain as a valid sender.} \
{:fail: The mail server could not deliver mail to $local_part@$domain. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.} \
}
#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains. #!!#
#!!#######################################################!!#
######################################################################
# DIRECTORS CONFIGURATION #
# Specifies how local addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A local address is passed to each in turn until it is accepted. #
######################################################################
# Local addresses are those with a domain that matches some item in the
# "local_domains" setting above, or those which are passed back from the
# routers because of a "self=local" setting (not used in this configuration).
# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary. Alternatively, you
# can specify "user" on the transports that are used. Note that those
# listed below are the same as are used for .forward files; you might want
# to set up different ones for pipe and file deliveries from aliases.
#spam_filter:
# driver = forwardfile
# file = /etc/spam.filter
# no_check_local_user
# no_verify
# filter
# allow_system_actions
#
# Account level filtering for everything but the main account
#
central_filter:
driver = redirect
allow_filter
allow_fail
forbid_filter_run
forbid_filter_perl
forbid_filter_lookup
forbid_filter_readfile
forbid_filter_readsocket
no_check_local_user
domains = !$primary_hostname : dsearch;/etc/vfilters
require_files = "+/etc/vfilters/${domain_data}"
condition = "${extract \
{size} \
{${stat:/etc/vfilters/${domain_data}}} \
}"
file = /etc/vfilters/${domain_data}
file_transport = address_file
directory_transport = address_directory
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_virtual_address_pipe} \
{${if forany \
{${extract{6} \
{:} \
{${lookup \
passwd{ \
${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
} \
} \
}} \
}:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_virtual_address_pipe} \
{virtual_address_pipe} \
}} \
}
reply_transport = address_reply
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
no_verify
#
# Account level filtering for the main account
#
# checks /etc/vfilters/maindomain if its a localuser (ie main acct)
#
mainacct_central_user_filter:
driver = redirect
allow_filter
allow_fail
forbid_filter_run
forbid_filter_perl
forbid_filter_lookup
forbid_filter_readfile
forbid_filter_readsocket
check_local_user
domains = $primary_hostname
condition = ${if eq \
{${lookup \
{$local_part_data} \
lsearch{/etc/domainusers} \
{$value} \
}} \
{} \
{0} \
{${if exists \
{/etc/vfilters/${lookup \
{$local_part_data} \
lsearch{/etc/domainusers} \
{$value} \
}} \
{${extract \
{size} \
{${stat:/etc/vfilters/${lookup \
{$local_part_data} \
lsearch{/etc/domainusers} \
{$value} \
}}} \
}} \
{0} \
}} \
}
file = "/etc/vfilters/${lookup \
{$local_part_data} \
lsearch{/etc/domainusers} \
{$value} \
}"
directory_transport = address_directory
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_address_pipe} \
{${if forany \
{${extract \
{6} \
{:} \
{${lookup \
passwd{$local_part_data} \
}} \
} \:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_address_pipe} \
{address_pipe} \
}} \
}
reply_transport = address_reply
user = $local_part_data
group = $local_part_data
retry_use_local_part
no_verify
#
# User Level Filtering for the main account
#
central_user_filter:
driver = redirect
allow_filter
allow_fail
forbid_filter_run
forbid_filter_perl
forbid_filter_lookup
forbid_filter_readfile
forbid_filter_readsocket
check_local_user
domains = $primary_hostname
require_files = "+${extract \
{5} \
{::} \
{${lookup \
passwd{$local_part_data} \
{$value} \
}} \
}/etc/filter"
condition = "${extract \
{size} \
{${stat:${extract \
{5} \
{::} \
{${lookup \
passwd{$local_part_data} \
{$value} \
}} \
}/etc/filter}} \
}"
file = "${extract \
{5} \
{::} \
{${lookup \
passwd{$local_part_data} \
{$value} \
}} \
}/etc/filter"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{$local_part_data} \
{$value} \
}} \
}
directory_transport = address_directory
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_address_pipe} \
{${if forany \
{${extract \
{6} \
{:} \
{${lookup \
passwd{$local_part_data} \
}} \
} \:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_address_pipe} \
{address_pipe} \
}} \
}
reply_transport = address_reply
user = $local_part_data
group = $local_part_data
local_part_suffix = +*
local_part_suffix_optional
retry_use_local_part
no_verify
#
# User Level Filtering for virtual users
#
virtual_user_filter:
driver = redirect
allow_filter
allow_fail
forbid_filter_run
forbid_filter_perl
forbid_filter_lookup
forbid_filter_readfile
forbid_filter_readsocket
domains = \
!$primary_hostname \
: ${lookup \
{$domain} \
lsearch{/etc/userdomains} \
{${perl{untaint}{$domain}}} \
}
require_files = "+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/etc/$domain_data/$local_part_data/filter"
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
local_parts = ${if exists{${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/etc/$domain_data}{dsearch;${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/etc/$domain_data}}
condition = "${extract{size}{${stat:$home/etc/$domain_data/$local_part_data/filter}}}"
file = "$home/etc/$domain_data/$local_part_data/filter"
directory_transport = address_directory
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_virtual_address_pipe} \
{${if forany \
{${extract{6} \
{:} \
{${lookup \
passwd{ \
${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
} \
} \
}} \
}:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_virtual_address_pipe} \
{virtual_address_pipe} \
}} \
}
reply_transport = address_reply
local_part_suffix = +*
local_part_suffix_optional
retry_use_local_part
no_verify
virtual_aliases_nostar:
driver = redirect
allow_defer
allow_fail
domains = !$primary_hostname : dsearch;/etc/valiases
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
address_data = \
"router=$router_name \
redirect=${quote:${lookup \
{$local_part@$domain_data} \
lsearch{/etc/valiases/$domain_data} \
}}"
data = ${extract \
{redirect} \
{$address_data} \
}
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_virtual_address_pipe} \
{${if forany \
{${extract \
{6} \
{:} \
{${lookup \
passwd{$local_part_data} \
}} \
} \:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_virtual_address_pipe} \
{virtual_address_pipe} \
}} \
}
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
local_part_suffix = +*
local_part_suffix_optional
retry_use_local_part
unseen
virtual_user_overquota:
driver = redirect
domains = !$primary_hostname : ${lookup{$domain}lsearch{/etc/userdomains}{${perl{untaint}{$domain}}}}
require_files = "+$home/etc/$domain_data"
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
# NB: On busy servers Dovecot may take several seconds to respond to
# this request. So we set the timeout generously:
condition = "${if match {${readsocket{/var/run/dovecot/quota-status}{request=smtpd_access_policy\nrecipient=${quote:$local_part}@${quote:$domain_data}\nsize=$message_size\n\n}{30s}{\n}{SOCKETFAIL}}}{action=5}{true}{false}}"
data = ":fail:Mailbox is full / Blocks limit exceeded / Inode limit exceeded"
verify_only
allow_fail
#
# Virtual User Spam Boxes
#
virtual_user_spam:
driver = redirect
local_parts = +path_safe_localparts
domains = \
!$primary_hostname \
: ${lookup \
{$domain} \
lsearch{/etc/userdomains} \
{${perl{untaint}{$domain}}} \
}
condition = ${if match{$h_x-spam-status:}{\N^Yes\N}{true}{false}}
require_files = \
"+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/.spamassassinboxenable: \
+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/mail/$domain_data/$local_part"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
headers_remove="x-uidl"
data = "${quote_local_part:$local_part}+spam@$domain_data"
redirect_router = virtual_user
virtual_boxtrapper_user:
driver = accept
local_parts = +path_safe_localparts
domains = !$primary_hostname : ${lookup \
{$domain} \
lsearch{/etc/userdomains} \
{${perl{untaint} \
{$domain} \
}} \
}
require_files = "+/usr/local/cpanel/bin/boxtrapper:+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/etc/$domain_data/$local_part/.boxtrapperenable:+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/mail/$domain_data/$local_part"
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
router_home_directory = "${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}"
headers_remove="x-uidl"
transport = virtual_boxtrapper_userdelivery
virtual_user:
driver = accept
domains = \
!$primary_hostname \
: ${lookup \
{$domain} \
lsearch{/etc/userdomains} \
{${perl{untaint}{$domain}}} \
}
local_parts = +path_safe_localparts
require_files = "+${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}/mail/$domain_data/$local_part"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
headers_remove="x-uidl"
local_part_suffix = +*
local_part_suffix_optional
user = mailnull
group = mail
transport = dovecot_virtual_delivery
set = r_bcc_addr=${if forany \
{${addresses:$h_to:}:${addresses:$h_cc:}} \
{or { \
{eqi \
{${extract{1}{+}{${local_part:$item}}}@${domain:$item}} \
{$local_part@$domain_data} \
} \
{eqi \
{${extract{1}{+}{${local_part:$item}}}@${domain:$item}} \
{$original_local_part@$original_domain} \
} \
}} \
{} \
{$local_part@$domain} \
}
set = r_cpanel_user=${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}
#
# If the delivery address, original address (forwarded),
# or address with subaddress is shown on the To: or Cc:
# lines or the message has the List-Id: or Precedence:
# header we allow the message to be batched to
# dovecot LMTP via transport dovecot_virtual_delivery
#
# If it does match match the above we do not allow the message
# to be batched in order to ensure that the Envelope-To: header
# does not contain a user that was Bcc:ed so savvy recipients
# cannot see that another email was Bcc:ed in the header
# via transport dovecot_virtual_delivery_no_batch
#
# Note: match_address would be nice here but the second string
# is not expanded for security reasons
#
#
# has_alias_but_no_mailbox_discarded_to_prevent_loop required either of the following:
#
# 1. There is an active alias in the valias file
# 2. There is an active autoresponder and the * is set to :fail:
#
has_alias_but_no_mailbox_discarded_to_prevent_loop:
driver = redirect
domains = !$primary_hostname : dsearch;/etc/valiases
condition = ${lookup \
{$local_part@$domain_data} \
lsearch{/etc/valiases/$domain_data} \
{1} \
{0} \
}
condition = "${if forany{<, \
${lookup \
{$local_part@$domain_data} \
lsearch{/etc/valiases/$domain_data} \
{$value} \
}} \
{!match{$item}{\N/autorespond\N}} \
{1} \
{${if match \
{${lookup \
{\N*\N} \
lsearch{/etc/valiases/$domain_data} \
{$value} \
}} \
{:fail:} \
{1} \
{0} \
}} \
}"
data=":blackhole:"
local_part_suffix = +*
local_part_suffix_optional
disable_logging = true
# srs is disabled
valias_domain_file:
driver = redirect
allow_defer
allow_fail
domains = !$primary_hostname : dsearch;/etc/vdomainaliases
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
condition = ${lookup {$domain_data} lsearch {/etc/vdomainaliases/$domain_data}{yes}{no} }
address_data = router=$router_name redirect=${quote:${quote_local_part:$local_part}@${lookup{$domain_data}lsearch{/etc/vdomainaliases/$domain_data}}}
data = ${extract{redirect}{$address_data}}
virtual_aliases:
driver = redirect
allow_defer
allow_fail
domains = !$primary_hostname : dsearch;/etc/valiases
user = "${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}"
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
passwd{${lookup \
{$domain_data} \
lsearch{/etc/userdomains} \
{$value}}} \
{$value} \
}} \
}
address_data = \
"router=$router_name \
redirect=${quote:${lookup \
{*} \
lsearch{/etc/valiases/$domain_data} \
}}"
data = ${extract \
{redirect} \
{$address_data} \
}
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_virtual_address_pipe} \
{${if forany \
{${extract \
{6} \
{:} \
{${lookup \
passwd{$local_part_data} \
}} \
} \:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_virtual_address_pipe} \
{virtual_address_pipe} \
}} \
}
# This director handles forwarding using traditional .forward files.
# If you want it also to allow mail filtering when a forward file
# starts with the string "# Exim filter", uncomment the "filter" option.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A. The three transports specified at the
# end are those that are used when forwarding generates a direct delivery
# to a file, or to a pipe, or sets up an auto-reply, respectively.
system_aliases:
driver = redirect
allow_defer
allow_fail
domains = $primary_hostname : localhost
address_data = \
"router=$router_name \
redirect=${quote: \
${lookup \
{$local_part} \
lsearch{/etc/aliases} \
}}"
data = ${extract \
{redirect} \
{$address_data} \
}
file_transport = address_file
pipe_transport = address_pipe
# user = exim
local_aliases:
driver = redirect
allow_defer
allow_fail
domains = $primary_hostname : localhost
address_data = \
"router=$router_name \
redirect=${quote: \
${lookup \
{$local_part} \
lsearch{/etc/localaliases} \
}}"
data = ${extract \
{redirect} \
{$address_data} \
}
file_transport = address_file
pipe_transport = address_pipe
check_local_user
userforward:
driver = redirect
allow_filter
allow_fail
forbid_filter_run
forbid_filter_perl
forbid_filter_lookup
forbid_filter_readfile
forbid_filter_readsocket
check_ancestor
check_local_user
domains = $primary_hostname
no_expn
require_files = "+$home/.forward"
condition = "${extract{size}{${stat:$home/.forward}}}"
file = $home/.forward
file_transport = address_file
pipe_transport = ${if forall \
{/bin/cagefs_enter:/usr/sbin/cagefsctl} \
{exists{$item}} \
{cagefs_address_pipe} \
{${if forany \
{${extract \
{6} \
{:} \
{${lookup \
passwd{$local_part_data} \
}} \
} \:$r_suspended_shell} \
{match{$item}{\N(jail|no)shell\N}} \
{jailed_address_pipe} \
{address_pipe} \
}} \
}
reply_transport = address_reply
directory_transport = address_directory
user = $local_part_data
group = $local_part_data
no_verify
# srs is disabled
localuser_root:
driver = redirect
allow_fail
domains = $primary_hostname : localhost
check_local_user
condition = ${if eq {$local_part_data}{root}}
data = :fail: root cannot accept local mail deliveries
localuser_overquota:
driver = redirect
domains = $primary_hostname
check_local_user
# NB: On busy servers Dovecot may take several seconds to respond to
# this request. So we set the timeout generously:
condition = "${if match {${readsocket{/var/run/dovecot/quota-status}{request=smtpd_access_policy\nrecipient=${quote:$local_part}\nsize=$message_size\n\n}{30s}{\n}{SOCKETFAIL}}}{action=5}{true}{false}}"
data = ":fail:Mailbox is full / Blocks limit exceeded / Inode limit exceeded"
verify_only
allow_fail
#
# Optimized spambox router
#
localuser_spam:
driver = redirect
domains = $primary_hostname
require_files = "+$home/.spamassassinboxenable"
condition = ${if match{$h_x-spam-status:}{\N^Yes\N}{true}{false}}
# sets home,user,group
check_local_user
headers_remove="x-uidl"
data = "${quote_local_part:$local_part_data}+spam"
redirect_router = localuser
boxtrapper_localuser:
driver = accept
require_files = "+/usr/local/cpanel/bin/boxtrapper:+$home/etc/.boxtrapperenable"
check_local_user
domains = $primary_hostname
transport = local_boxtrapper_delivery
localuser:
driver = accept
# sets home,user,group
check_local_user
domains = $primary_hostname
headers_remove="x-uidl"
local_part_suffix = +*
local_part_suffix_optional
user = mailnull
group = mail
transport = dovecot_delivery
set = r_bcc_addr=${if forany \
{${addresses:$h_to:}:${addresses:$h_cc:}} \
{or { \
{ eqi \
{${extract \
{1} \
{+} \
{${local_part:$item}} \
}@${domain:$item}} \
{$local_part@$domain} \
} \
{ eqi \
{${extract \
{1} \
{+} \
{${local_part:$item}} \
}@${domain:$item}} \
{$original_local_part@$original_domain} \
} \
}} \
{} \
{$local_part@$domain} \
}
set = r_cpanel_user=${local_part}
#
# If the delivery address, original address (forwarded),
# or address with subaddress is shown on the To: or Cc:
# lines or the message has the List-Id: or Precedence:
# header we allow the message to be batched to
# dovecot LMTP via transport dovecot_virtual_delivery
#
# If it does match match the above we do not allow the message
# to be batched in order to ensure that the Envelope-To: header
# does not contain a user that was Bcc:ed so savvy recipients
# cannot see that another email was Bcc:ed in the header
# via transport dovecot_virtual_delivery_no_batch
#
# Note: match_address would be nice here but the second string
# is not expanded for security reasons
#
# This director matches local user mailboxes.
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# A transport is used only when referenced from a director or a router that
# successfully handles an address.
# This transport is used for delivering messages over SMTP connections.
begin transports
mailman_virtual_transport:
driver = pipe
command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
${perl{untaint}{${lc:$local_part}_${lc:$domain}}}
current_directory = /usr/local/cpanel/3rdparty/mailman
home_directory = /usr/local/cpanel/3rdparty/mailman
user = mailman
group = mailman
mailman_virtual_transport_nodns:
driver = pipe
command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
${perl{untaint}{${lc:$local_part}}}
current_directory = /usr/local/cpanel/3rdparty/mailman
home_directory = /usr/local/cpanel/3rdparty/mailman
user = mailman
group = mailman
remote_smtp:
driver = smtp
interface = <; ${if > \
{${extract \
{size} \
{${stat:/etc/mailips}} \
}} \
{0} \
{${lookup \
{${lc:${perl{get_message_sender_domain}}}} \
lsearch{/etc/mailips} \
{$value} \
{${lookup \
{${if match_domain \
{$original_domain} \
{+relay_domains} \
{${lc:$original_domain}} \
{} \
}} \
lsearch{/etc/mailips} \
{$value} \
{${lookup \
{${perl{get_sender_from_uid}}} \
lsearch*{/etc/mailips} \
{$value} \
{} \
}} \
}} \
}} \
}
helo_data = ${if > \
{${extract{size}{${stat:/etc/mailhelo}}}} \
{0} \
{${lookup \
{${lc:${perl{get_message_sender_domain}}}} \
lsearch{/etc/mailhelo} \
{$value} \
{${lookup \
{${if match_domain \
{$original_domain} \
{+relay_domains} \
{${lc:$original_domain}} \
{} \
}} \
lsearch{/etc/mailhelo} \
{$value} \
{${lookup \
{${perl{get_sender_from_uid}}} \
lsearch*{/etc/mailhelo} \
{$value} \
{$primary_hostname} \
}} \
}} \
}} \
{$primary_hostname} \
}
hosts_try_chunking = 198.51.100.1
message_linelength_limit = 2048
dkim_remote_smtp:
driver = smtp
interface = <; ${if > \
{${extract \
{size} \
{${stat:/etc/mailips}} \
}} \
{0} \
{${lookup \
{${lc:${perl{get_message_sender_domain}}}} \
lsearch{/etc/mailips} \
{$value} \
{${lookup \
{${if match_domain \
{$original_domain} \
{+relay_domains} \
{${lc:$original_domain}} \
{} \
}} \
lsearch{/etc/mailips} \
{$value} \
{${lookup \
{${perl{get_sender_from_uid}}} \
lsearch*{/etc/mailips} \
{$value} \
{} \
}} \
}} \
}} \
}
helo_data = ${if > \
{${extract{size}{${stat:/etc/mailhelo}}}} \
{0} \
{${lookup \
{${lc:${perl{get_message_sender_domain}}}} \
lsearch{/etc/mailhelo} \
{$value} \
{${lookup \
{${if match_domain \
{$original_domain} \
{+relay_domains} \
{${lc:$original_domain}} \
{} \
}} \
lsearch{/etc/mailhelo} \
{$value} \
{${lookup \
{${perl{get_sender_from_uid}}} \
lsearch*{/etc/mailhelo} \
{$value} \
{$primary_hostname} \
}} \
}} \
}} \
{$primary_hostname} \
}
dkim_domain = ${perl{get_dkim_domain}}
dkim_selector = default
dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
dkim_canon = relaxed
hosts_try_chunking = 198.51.100.1
message_linelength_limit = 2048
# remote_forwarded_srs absent due to SRS support being disabled
# This transport is used for local delivery to user mailboxes. By default
# it will be run under the uid and gid of the local user, and requires
# the sticky bit to be set on the /var/mail directory. Some systems use
# the alternative approach of running mail deliveries under a particular
# group instead of using the sticky bit. The commented options below show
# how this can be done.
# This transport is used for handling pipe deliveries generated by alias
# or .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe below.
address_directory:
driver = pipe
command = /usr/libexec/dovecot/dovecot-lda -f ${perl{untaint}{$sender_address}} -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}}
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
address_pipe:
driver = pipe
return_output
virtual_address_pipe:
driver = pipe
return_output
jailed_address_pipe:
driver = pipe
force_command
command = /usr/local/cpanel/bin/jailexec $address_pipe
return_output
jailed_virtual_address_pipe:
driver = pipe
force_command
command = /usr/local/cpanel/bin/jailexec $address_pipe
return_output
cagefs_address_pipe:
driver = pipe
force_command
command = /bin/cagefs_enter $address_pipe
return_output
cagefs_virtual_address_pipe:
driver = pipe
force_command
command = /bin/cagefs_enter $address_pipe
return_output
# This transport is used for handling deliveries directly to files that are
# generated by aliassing or forwarding.
address_file:
driver = pipe
command = /usr/libexec/dovecot/dovecot-lda -e -f $sender_address -d ${perl{convert_address_directory_to_dovecot_lda_destination_username}} -m ${perl{convert_address_directory_to_dovecot_lda_mailbox}}
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
boxtrapper_autowhitelist:
driver = pipe
headers_only
command = /usr/local/cpanel/bin/boxtrapper --autowhitelist "${perl{untaint}{$authenticated_id}}"
user = ${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}
group = ${extract{3}{:}{${lookup passwd{${perl{getemailuser}{$authenticated_id}{$received_protocol}{$sender_ident}}}{$value}}}}
log_output = true
return_fail_output = true
return_path_add = false
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
local_boxtrapper_delivery:
driver = pipe
command = /usr/local/cpanel/bin/boxtrapper "${perl{untaint}{$local_part_data}}" $home
user = $local_part_data
group = ${extract{3}{:}{${lookup passwd{$local_part_data}{$value}}}}
log_output = true
return_fail_output = true
return_path_add = false
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
virtual_boxtrapper_userdelivery:
driver = pipe
command = /usr/local/cpanel/bin/boxtrapper \
"${perl{untaint}{$local_part}}@${perl{untaint}{$domain}}" \
$home
user = "${lookup{${perl{untaint}{$domain}}}lsearch{/etc/userdomains}{$value}}"
log_output = true
return_fail_output = true
return_path_add = false
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
dovecot_delivery:
driver = lmtp
socket = /var/run/dovecot/lmtp
batch_max = 200
batch_id = "$r_cpanel_user ${if def:r_bcc_addr {$r_bcc_addr}}"
rcpt_include_affixes
delivery_date_add
envelope_to_add
return_path_add
dovecot_virtual_delivery:
driver = lmtp
socket = /var/run/dovecot/lmtp
batch_max = 200
batch_id = "$r_cpanel_user ${if def:r_bcc_addr {$r_bcc_addr}}"
rcpt_include_affixes
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
# cPanel Mail Archiving is disabled
######################################################################
# RETRY CONFIGURATION #
######################################################################
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.
# Domain Error Retries
# ------ ----- -------
begin retry
+secondarymx * F,4h,5m; G,16h,1h,1.5; F,4d,8h
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
# End of Exim 4 configuration |