# HG changeset patch # User Heiko Schlittermann (JUMPER) # Date 1387809060 -3600 # Node ID b5fd012185bbc5bb394e8b7dba612ed0f2bd51a6 # Parent 005157ed4391725e01fe36a3a0ab626533c839ca Added the ForwardingMX and Owner attributes diff -r 005157ed4391 -r b5fd012185bb exim.schema --- a/exim.schema Thu Nov 21 21:08:31 2013 +0000 +++ b/exim.schema Mon Dec 23 15:31:00 2013 +0100 @@ -44,7 +44,7 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) attributetype ( - eximAttribute:4 NAME ('x-MailRecipientDN') DESC 'forwarding information to other DN' + eximAttribute:4 NAME ('x-MailForwardingDN') DESC 'forwarding information to other DN' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) @@ -55,6 +55,17 @@ SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +attributetype ( + eximAttribute:6 NAME ('x-MailForwardingMX') DESC 'name of the server we forward the mail to' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( + eximAttribute:4 NAME ('x-MailOwnerDN') DESC 'Owner of this x-MailRecipient object' + EQUALITY distinguishedNameMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) + #### @@ -65,7 +76,8 @@ MUST ( x-MailPrimaryAddress ) MAY ( x-MailAlternateAddress $ x-MailForwardingAddress $ - x-MailRecipientDN $ + x-MailForwardingDN $ + x-MailForwardingMX $ x-MailboxName $ description ) ) diff -r 005157ed4391 -r b5fd012185bb exim4.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/exim4.conf Mon Dec 23 15:31:00 2013 +0100 
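Review bot: The rename on the `+` line (`x-MailRecipientDN` → `x-MailForwardingDN`) is not carried into the exim4.conf that the same changeset adds: the `local` router still lists `x-MailRecipientDN` in its LDAP URL and `forward_ldap` still does `${extract{x-MailRecipientDN}{$address_data}}`, so once this schema is loaded the server most likely just omits the unknown attribute and DN-based forwarding stops without any error. Rename both config references, e.g. `{ldap:///UBASE?x-MailForwardingDN,x-MailboxName,x-MailForwardingAddress?sub?mail=${quote_ldap:$local_part@$domain}}}` and `${map{<,${extract{x-MailForwardingDN}{$address_data}}} \`. Whether existing entries still carry values under the old name (and need a migration step) cannot be seen from the diff.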
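Review bot: The new `x-MailOwnerDN` attributetype is given `eximAttribute:4`, the same OID the hunk above assigns to `x-MailForwardingDN`; attribute type OIDs must be unique, so slapd will reject the schema with a duplicate-OID error (or, on a lenient server, conflate the two attributes). Use the next free suffix, presumably `eximAttribute:7 NAME ('x-MailOwnerDN') DESC 'Owner of this x-MailRecipient object'` since `:6` is taken here and `:5` appears to belong to the attribute ending just above the hunk, which is not visible. Since `x-MailForwardingMX` names a relay target, its slapd write ACL should be at least as tight as that of `x-MailForwardingAddress`; the exim4.conf in this changeset does not read it yet, so there is nothing further to check on the Exim side.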
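Review bot: `x-MailOwnerDN`, described in the previous hunk as 'Owner of this x-MailRecipient object', is not added to the objectClass MAY list here, so an entry with `objectClass: x-MailRecipient` cannot carry it (objectClass violation on add/modify) unless some other class not shown in the diff allows it. Add `x-MailOwnerDN $` next to the new `x-MailForwardingMX $` line. The objectClass definition begins before the hunk, so its SUP and kind (STRUCTURAL/AUXILIARY) are not visible.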
@@ -0,0 +1,271 @@ +###################################################################### +# Runtime configuration file for Exim # +###################################################################### + +CF = /etc/exim4 +LDAP_BASE = dc=aoterra,dc=de +UBASE = ou=users,LDAP_BASE + + +begin acl + +acl_check_rcpt: + … + accept authenticated = * + control = submission/domain=/\ + name=${lookup ldap \ + {ldap:///UBASE?displayName?sub?x-MailboxName=${quote_ldap:$authenticated_id}}} + control = dkim_disable_verify + +begin router + + … +dnslookup: + driver = dnslookup + condition = ${lookup ldapdn \ + {ldap:///UBASE??sub?(&(objectClass=x-MailRecipient)(mail=${quote_ldap:$local_part@$domain}))}\ + {no}{yes}} + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + fallback_hosts = mout.aoterra.de + no_more + + … + +local: + driver = redirect + address_data = ${lookup ldap \ + {ldap:///UBASE?x-MailRecipientDN,x-MailboxName,x-MailForwardingAddress?sub?mail=${quote_ldap:$local_part@$domain}}} + data = + +forward_file: + driver = redirect + data = ${lookup{$local_part@$domain}lsearch{CF/forward}} + +system_aliases: + driver = redirect + allow_fail + allow_defer + data = ${lookup{$local_part}lsearch{/etc/aliases}} +# user = exim + file_transport = address_file + pipe_transport = address_pipe + +forward_ldap: + driver = redirect + data = ${extract {x-MailForwardingAddress}{$address_data}} ,\ + ${map{<,${extract{x-MailRecipientDN}{$address_data}}} \ + { ${lookup \ + ldap {ldap:///${sg{$item}{,,}{,}}?x-MailPrimaryAddress?}} }} + unseen = ${if eq{${extract{x-MailboxName}{$address_data}}}{} {no}{yes}} + +address2mailbox: + driver = redirect + data = ${extract {x-MailBoxname}{$address_data}} + redirect_router = mailbox + +# check if the user has a x-MailboxName, this mailbox name we +# pass as address_data to the dovecot transport +# If there is no mailbox name, the user is non-existent for us +mailbox: + driver = accept + condition = 
${extract{x-MailboxName}{$address_data}} + local_part_suffix = +* : -* + local_part_suffix_optional + transport = dovecot + cannot_route_message = Unknown user + + + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +# ORDER DOES NOT MATTER # +# Only one appropriate transport is called for each delivery. # +###################################################################### + +# A transport is used only when referenced from a router that successfully +# handles an address. + +begin transports + + +# This transport is used for delivering messages over SMTP connections. + +remote_smtp_tls: + driver = smtp + #tls_verify_certificates = CF/ssl/mout.aoterra.de-crt.pem + +remote_smtp: + driver = smtp + hosts_require_tls = mout.aoterra.de + tls_certificate = CF/ssl/mail.aoterra.de-crt.pem + tls_privatekey = CF/ssl/mail.aoterra.de-key.pem + + +# This transport is used for local delivery to user mailboxes in traditional +# BSD mailbox format. By default it will be run under the uid and gid of the +# local user, and requires the sticky bit to be set on the /var/mail directory. +# Some systems use the alternative approach of running mail deliveries under a +# particular group instead of using the sticky bit. The commented options below +# show how this can be done. + +local_delivery: + driver = appendfile + file = /var/mail/$local_part + delivery_date_add + envelope_to_add + return_path_add +# group = mail +# mode = 0660 + +dovecot: + driver = lmtp + socket = /run/dovecot/lmtp + +#dovecot: +# driver = pipe +# user = vmail +# group = vmail +# debug_print = "T: deliver to ${extract{x-MailboxName}{$address_data}}" +# command = /usr/lib/dovecot/deliver -e -d ${extract{x-MailboxName}{$address_data}} +# return_fail_output + +# This transport is used for handling pipe deliveries generated by alias or +# .forward files. 
If the pipe generates any standard output, it is returned +# to the sender of the message as a delivery error. Set return_fail_output +# instead of return_output if you want this to happen only when the pipe fails +# to complete normally. You can set different transports for aliases and +# forwards if you want to - see the references to address_pipe in the routers +# section above. + +address_pipe: + driver = pipe + return_output + + +# This transport is used for handling deliveries directly to files that are +# generated by aliasing or forwarding. + +address_file: + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + + +# This transport is used for handling autoreplies generated by the filtering +# option of the userforward router. + +address_reply: + driver = autoreply + + + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### + +begin retry + +# This single retry rule applies to all domains and all errors. It specifies +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 6 hours until 4 days have passed since the first +# failed delivery. + +# WARNING: If you do not have any retry rules at all (this section of the +# configuration is non-existent or empty), Exim will not do any retries of +# messages that fail to get delivered at the first attempt. The effect will +# be to treat temporary errors as permanent. Therefore, DO NOT remove this +# retry rule unless you really don't want any retries. 
+ +# Address or Domain Error Retries +# ----------------- ----- ------- + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### + +# There are no rewriting specifications in this default configuration file. + +begin rewrite + +# fuer lokale Systemmails +*@$primary_hostname $1+$primary_hostname@aoterra.de F + + + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### + +# The following authenticators support plaintext username/password +# authentication using the standard PLAIN mechanism and the traditional +# but non-standard LOGIN mechanism, with Exim acting as the server. +# PLAIN and LOGIN are enough to support most MUA software. +# +# These authenticators are not complete: you need to change the +# server_condition settings to specify how passwords are verified. +# They are set up to offer authentication to the client only if the +# connection is encrypted with TLS, so you also need to add support +# for TLS. See the global configuration options section at the start +# of this file for more about TLS. +# +# The default RCPT ACL checks for successful authentication, and will accept +# messages from authenticated users from anywhere on the Internet. + +begin authenticators + +# PLAIN authentication has no server prompts. The client sends its +# credentials in one lump, containing an authorization ID (which we do not +# use), an authentication ID, and a password. The latter two appear as +# $auth2 and $auth3 in the configuration and should be checked against a +# valid username and password. In a real configuration you would typically +# use $auth2 as a lookup key, and compare $auth3 against the result of the +# lookup, perhaps using the crypteq{}{} condition. 
+ +#PLAIN: +# driver = plaintext +# server_set_id = $auth2 +# server_prompts = : +# server_condition = Authentication is not yet configured +# server_advertise_condition = ${if def:tls_cipher } + +# LOGIN authentication has traditional prompts and responses. There is no +# authorization ID in this mechanism, so unlike PLAIN the username and +# password are $auth1 and $auth2. Apart from that you can use the same +# server_condition setting for both authenticators. + +#LOGIN: +# driver = plaintext +# server_set_id = $auth1 +# server_prompts = <| Username: | Password: +# server_condition = Authentication is not yet configured +# server_advertise_condition = ${if def:tls_cipher } + +dovecot_plain: + driver = dovecot + public_name = PLAIN + server_socket = /run/dovecot/auth-client + server_set_id = $auth1 + server_advertise_condition = ${if and{{def:tls_cipher}{eq{$received_port}{587}}}} + +###################################################################### +# CONFIGURATION FOR local_scan() # +###################################################################### + +# If you have built Exim to include a local_scan() function that contains +# tables for private options, you can define those options here. Remember to +# uncomment the "begin" line. It is commented by default because it provokes +# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS +# set in the Local/Makefile. + +# begin local_scan + + +# End of Exim configuration file
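Review bot: The `remote_smtp` transport requires TLS for `mout.aoterra.de` (`hosts_require_tls`) but sets no `tls_verify_certificates`/`tls_verify_hosts`, so the hop used by `fallback_hosts` is encrypted yet unauthenticated; whoever can redirect that connection may present any certificate and read or alter the relayed mail. The one transport that has a verification option, `remote_smtp_tls`, has it commented out and is referenced by none of the routers visible in the hunk. Put the check on the transport that is actually used: `tls_verify_certificates = CF/ssl/mout.aoterra.de-crt.pem` and `tls_verify_hosts = mout.aoterra.de` (the latter needs Exim ≥ 4.80), then remove or wire up `remote_smtp_tls`. The hunk contains `…` placeholders in the ACL and router sections, so parts of the new file are not shown and may use `remote_smtp_tls`.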