--- a/exim.schema Thu Nov 21 21:08:31 2013 +0000
+++ b/exim.schema Mon Dec 23 15:31:00 2013 +0100
@@ -44,7 +44,7 @@
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype (
- eximAttribute:4 NAME ('x-MailRecipientDN') DESC 'forwarding information to other DN'
+ eximAttribute:4 NAME ('x-MailForwardingDN') DESC 'forwarding information to other DN'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
@@ -55,6 +55,17 @@
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+attributetype (
+ eximAttribute:6 NAME ('x-MailForwardingMX') DESC 'name of the server we forward the mail to'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+attributetype (
+ eximAttribute:4 NAME ('x-MailOwnerDN') DESC 'Owner of this x-MailRecipient object'
+ EQUALITY distinguishedNameMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
####
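Review bot: The new `x-MailOwnerDN` attributetype at the end of the hunk reuses OID `eximAttribute:4`, which the previous hunk already assigns to `x-MailForwardingDN`; attribute-type OIDs must be unique and slapd refuses to load a schema with a duplicate, so this needs its own number, e.g. `eximAttribute:7 NAME ('x-MailOwnerDN') DESC 'Owner of this x-MailRecipient object'`. Since a DN-valued owner reference presumably decides who may manage the mailbox entry, the DESC would be more useful if it said what rights the owner gets and that write access to it should be ACL-restricted, e.g. `DESC 'DN of the entry that manages this x-MailRecipient object; restrict write access by ACL'` — to be confirmed against how the directory ACLs are set up.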
@@ -65,7 +76,8 @@
MUST ( x-MailPrimaryAddress )
MAY ( x-MailAlternateAddress $
x-MailForwardingAddress $
- x-MailRecipientDN $
+ x-MailForwardingDN $
+ x-MailForwardingMX $
x-MailboxName $
description ) )
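Review bot: The MAY list gains `x-MailForwardingMX` but not the `x-MailOwnerDN` attribute introduced in the previous hunk, whose DESC says it belongs on an x-MailRecipient object; unless it is meant to be carried by a different object class, no entry can hold it, so add `x-MailOwnerDN $` next to `x-MailForwardingMX $`. The object class definition starts above this hunk.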
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/exim4.conf Mon Dec 23 15:31:00 2013 +0100
@@ -0,0 +1,271 @@
+######################################################################
+# Runtime configuration file for Exim #
+######################################################################
+
+CF = /etc/exim4
+LDAP_BASE = dc=aoterra,dc=de
+UBASE = ou=users,LDAP_BASE
+
+
+begin acl
+
+acl_check_rcpt:
+ …
+ accept authenticated = *
+ control = submission/domain=/\
+ name=${lookup ldap \
+ {ldap:///UBASE?displayName?sub?x-MailboxName=${quote_ldap:$authenticated_id}}}
+ control = dkim_disable_verify
+
+begin router
+
+ …
+dnslookup:
+ driver = dnslookup
+ condition = ${lookup ldapdn \
+ {ldap:///UBASE??sub?(&(objectClass=x-MailRecipient)(mail=${quote_ldap:$local_part@$domain}))}\
+ {no}{yes}}
+ transport = remote_smtp
+ ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+ fallback_hosts = mout.aoterra.de
+ no_more
+
+ …
+
+local:
+ driver = redirect
+ address_data = ${lookup ldap \
+ {ldap:///UBASE?x-MailRecipientDN,x-MailboxName,x-MailForwardingAddress?sub?mail=${quote_ldap:$local_part@$domain}}}
+ data =
+
+forward_file:
+ driver = redirect
+ data = ${lookup{$local_part@$domain}lsearch{CF/forward}}
+
+system_aliases:
+ driver = redirect
+ allow_fail
+ allow_defer
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
+# user = exim
+ file_transport = address_file
+ pipe_transport = address_pipe
+
+forward_ldap:
+ driver = redirect
+ data = ${extract {x-MailForwardingAddress}{$address_data}} ,\
+ ${map{<,${extract{x-MailRecipientDN}{$address_data}}} \
+ { ${lookup \
+ ldap {ldap:///${sg{$item}{,,}{,}}?x-MailPrimaryAddress?}} }}
+ unseen = ${if eq{${extract{x-MailboxName}{$address_data}}}{} {no}{yes}}
+
+address2mailbox:
+ driver = redirect
+ data = ${extract {x-MailBoxname}{$address_data}}
+ redirect_router = mailbox
+
+# check if the user has a x-MailboxName, this mailbox name we
+# pass as address_data to the dovecot transport
+# If there is no mailbox name, the user is non-existent for us
+mailbox:
+ driver = accept
+ condition = ${extract{x-MailboxName}{$address_data}}
+ local_part_suffix = +* : -*
+ local_part_suffix_optional
+ transport = dovecot
+ cannot_route_message = Unknown user
+
+
+
+######################################################################
+# TRANSPORTS CONFIGURATION #
+######################################################################
+# ORDER DOES NOT MATTER #
+# Only one appropriate transport is called for each delivery. #
+######################################################################
+
+# A transport is used only when referenced from a router that successfully
+# handles an address.
+
+begin transports
+
+
+# This transport is used for delivering messages over SMTP connections.
+
+remote_smtp_tls:
+ driver = smtp
+ #tls_verify_certificates = CF/ssl/mout.aoterra.de-crt.pem
+
+remote_smtp:
+ driver = smtp
+ hosts_require_tls = mout.aoterra.de
+ tls_certificate = CF/ssl/mail.aoterra.de-crt.pem
+ tls_privatekey = CF/ssl/mail.aoterra.de-key.pem
+
+
+# This transport is used for local delivery to user mailboxes in traditional
+# BSD mailbox format. By default it will be run under the uid and gid of the
+# local user, and requires the sticky bit to be set on the /var/mail directory.
+# Some systems use the alternative approach of running mail deliveries under a
+# particular group instead of using the sticky bit. The commented options below
+# show how this can be done.
+
+local_delivery:
+ driver = appendfile
+ file = /var/mail/$local_part
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+# group = mail
+# mode = 0660
+
+dovecot:
+ driver = lmtp
+ socket = /run/dovecot/lmtp
+
+#dovecot:
+# driver = pipe
+# user = vmail
+# group = vmail
+# debug_print = "T: deliver to ${extract{x-MailboxName}{$address_data}}"
+# command = /usr/lib/dovecot/deliver -e -d ${extract{x-MailboxName}{$address_data}}
+# return_fail_output
+
+# This transport is used for handling pipe deliveries generated by alias or
+# .forward files. If the pipe generates any standard output, it is returned
+# to the sender of the message as a delivery error. Set return_fail_output
+# instead of return_output if you want this to happen only when the pipe fails
+# to complete normally. You can set different transports for aliases and
+# forwards if you want to - see the references to address_pipe in the routers
+# section above.
+
+address_pipe:
+ driver = pipe
+ return_output
+
+
+# This transport is used for handling deliveries directly to files that are
+# generated by aliasing or forwarding.
+
+address_file:
+ driver = appendfile
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+
+# This transport is used for handling autoreplies generated by the filtering
+# option of the userforward router.
+
+address_reply:
+ driver = autoreply
+
+
+
+######################################################################
+# RETRY CONFIGURATION #
+######################################################################
+
+begin retry
+
+# This single retry rule applies to all domains and all errors. It specifies
+# retries every 15 minutes for 2 hours, then increasing retry intervals,
+# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
+# hours, then retries every 6 hours until 4 days have passed since the first
+# failed delivery.
+
+# WARNING: If you do not have any retry rules at all (this section of the
+# configuration is non-existent or empty), Exim will not do any retries of
+# messages that fail to get delivered at the first attempt. The effect will
+# be to treat temporary errors as permanent. Therefore, DO NOT remove this
+# retry rule unless you really don't want any retries.
+
+# Address or Domain Error Retries
+# ----------------- ----- -------
+
+* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+
+
+######################################################################
+# REWRITE CONFIGURATION #
+######################################################################
+
+# There are no rewriting specifications in this default configuration file.
+
+begin rewrite
+
+# fuer lokale Systemmails
+*@$primary_hostname $1+$primary_hostname@aoterra.de F
+
+
+
+######################################################################
+# AUTHENTICATION CONFIGURATION #
+######################################################################
+
+# The following authenticators support plaintext username/password
+# authentication using the standard PLAIN mechanism and the traditional
+# but non-standard LOGIN mechanism, with Exim acting as the server.
+# PLAIN and LOGIN are enough to support most MUA software.
+#
+# These authenticators are not complete: you need to change the
+# server_condition settings to specify how passwords are verified.
+# They are set up to offer authentication to the client only if the
+# connection is encrypted with TLS, so you also need to add support
+# for TLS. See the global configuration options section at the start
+# of this file for more about TLS.
+#
+# The default RCPT ACL checks for successful authentication, and will accept
+# messages from authenticated users from anywhere on the Internet.
+
+begin authenticators
+
+# PLAIN authentication has no server prompts. The client sends its
+# credentials in one lump, containing an authorization ID (which we do not
+# use), an authentication ID, and a password. The latter two appear as
+# $auth2 and $auth3 in the configuration and should be checked against a
+# valid username and password. In a real configuration you would typically
+# use $auth2 as a lookup key, and compare $auth3 against the result of the
+# lookup, perhaps using the crypteq{}{} condition.
+
+#PLAIN:
+# driver = plaintext
+# server_set_id = $auth2
+# server_prompts = :
+# server_condition = Authentication is not yet configured
+# server_advertise_condition = ${if def:tls_cipher }
+
+# LOGIN authentication has traditional prompts and responses. There is no
+# authorization ID in this mechanism, so unlike PLAIN the username and
+# password are $auth1 and $auth2. Apart from that you can use the same
+# server_condition setting for both authenticators.
+
+#LOGIN:
+# driver = plaintext
+# server_set_id = $auth1
+# server_prompts = <| Username: | Password:
+# server_condition = Authentication is not yet configured
+# server_advertise_condition = ${if def:tls_cipher }
+
+dovecot_plain:
+ driver = dovecot
+ public_name = PLAIN
+ server_socket = /run/dovecot/auth-client
+ server_set_id = $auth1
+ server_advertise_condition = ${if and{{def:tls_cipher}{eq{$received_port}{587}}}}
+
+######################################################################
+# CONFIGURATION FOR local_scan() #
+######################################################################
+
+# If you have built Exim to include a local_scan() function that contains
+# tables for private options, you can define those options here. Remember to
+# uncomment the "begin" line. It is commented by default because it provokes
+# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
+# set in the Local/Makefile.
+
+# begin local_scan
+
+
+# End of Exim configuration file
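Review bot: The `local` router's LDAP attribute list and the `forward_ldap` router's `${extract{x-MailRecipientDN}{$address_data}}` still use the attribute name that this same commit renames to `x-MailForwardingDN` in exim.schema; OpenLDAP simply omits an unknown attribute from the result instead of failing, so DN-based forwarding would silently stop working — both occurrences should read `x-MailForwardingDN`, and the `x-MailForwardingMX` attribute the schema adds is never consulted in this file. In the transports, `remote_smtp` sets `hosts_require_tls = mout.aoterra.de` but neither it nor `remote_smtp_tls` sets `tls_verify_certificates`/`tls_verify_hosts` (the only such line is commented out), so the mandatory TLS to the smarthost is unauthenticated and any certificate is accepted; add `tls_verify_certificates = CF/ssl/mout.aoterra.de-crt.pem` and `tls_verify_hosts = mout.aoterra.de` to `remote_smtp`. The DNs from the directory are interpolated unescaped into `ldap:///${sg{$item}{,,}{,}}?x-MailPrimaryAddress?`, so a DN containing a space or other URL-special character would presumably break the lookup; worth confirming the DNs are URL-safe or percent-encoding them before use. `dnslookup` only lists `0.0.0.0 : 127.0.0.0/8` in `ignore_target_hosts`, so MX records pointing at RFC 1918 or link-local ranges would still be delivered to — a comment explaining why that is acceptable here, or the usual broader list, would help the next maintainer.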