Skip to content

Instantly share code, notes, and snippets.

@jumanjiman
Created February 28, 2019 14:17
Show Gist options
  • Save jumanjiman/9d75970b1ba5dc9542fa2c27ad75aa15 to your computer and use it in GitHub Desktop.
Save jumanjiman/9d75970b1ba5dc9542fa2c27ad75aa15 to your computer and use it in GitHub Desktop.
exim mail relay
# Default aliases file, installed by Exim. This file contains no real aliases.
# You should edit it to taste.
# The following alias is required by the mail RFCs 2821 and 2822.
# Set it to the address of a HUMAN who deals with this system's mail problems.
# postmaster: [email protected]
# It is also common to set the following alias so that if anybody replies to a
# bounce message from this host, the reply goes to the postmaster.
# mailer-daemon: postmaster
# You should also set up an alias for messages to root, because it is not
# usually a good idea to deliver mail as root.
# root: postmaster
# It is a good idea to redirect any messages sent to system accounts so that
# they don't just get ignored. Here are some common examples
# bin: root
# daemon: root
# ftp: root
# nobody: root
# operator: root
# uucp: root
# You should check your /etc/passwd for any others.
# Other commonly enountered aliases are:
#
# abuse: the person dealing with network and mail abuse
# hostmaster: the person dealing with DNS problems
# webmaster: the person dealing with your web site
####
FROM alpine:3.9
# docker build --rm -t relay --build-arg proxy=<something> .
ARG proxy
RUN http_proxy=${proxy} https_proxy=${proxy} \
apk --no-cache --available upgrade
RUN http_proxy=${proxy} https_proxy=${proxy} \
apk --no-cache add exim
COPY harden /usr/sbin
COPY aliases /etc/mail/
# Leave the packaged config in place.
# Specify ours on the CLI below.
COPY example.com.conf /etc/mail/
RUN /usr/sbin/harden
# Create volumes AFTER harden.
VOLUME ["/var/log/exim", "/var/spool/exim"]
USER exim
ENTRYPOINT ["exim"]
CMD ["-bd", "-v", "-oP", "/dev/null", "-C", "/etc/mail/example.com.conf"]
######################################################################
# Runtime configuration file for Exim #
######################################################################
# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
# from the Exim ftp sites. The manual is also online at the Exim web sites.
# This file is divided into several parts, all but the first of which are
# headed by a line starting with the word "begin". Only those parts that
# are required need to be present. Blank lines, and lines starting with #
# are ignored.
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
# #
# Whenever you change Exim's configuration file, you *must* remember to #
# HUP the Exim daemon, because it will not pick up the new configuration #
# until you do. However, any other Exim processes that are started, for #
# example, a process started by an MUA in order to send a message, will #
# see the new configuration as soon as it is in place. #
# #
# You do not need to HUP the daemon for changes in auxiliary files that #
# are referenced from this file. They are read every time they are used. #
# #
# It is usually a good idea to test a new configuration for syntactic #
# correctness before installing it (for example, by running the command #
# "exim -C /config/file.new -bV"). #
# #
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
# Avoid any local log files because we start in Dockerfile to stdout.
log_file_path = syslog
# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
# We do not accept local delivery. We only relay.
domainlist local_domains =
# We relay TO these domains.
domainlist relay_to_domains = *.example.com
# We relay FROM these IP ranges.
# The "<;" means to use semicolon as separator.
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.8.0.0/16 ; 10.188.0.0/16
# The lists above are used in the ACLs for checking incoming messages.
# The names of these ACLs are defined here:
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# Start daemon on high port so we can start unprivileged.
# Docker maps the port to 25 on the host to enable clients
# to use plain old port 25.
daemon_smtp_ports = 2525
# If somebody sends email to "pmorgan",
# change the address to "[email protected]".
qualify_domain = example.com
# Disable RFC1413 (ident) callbacks for incoming smtp calls.
rfc1413_query_timeout = 0s
# Unfreeze bounce messages after one day, then try again to deliver.
# Remove frozen messages that are older than two days.
# See also the retry configuration elsewhere in this file.
ignore_bounce_errors_after = 1d
timeout_frozen_after = 2d
# By default, messages that are waiting on Exim's queue are all held in a
# single directory called "input" which it itself within Exim's spool
# directory. (The default spool directory is specified when Exim is built, and
# is often /var/spool/exim/.) Exim works best when its queue is kept short, but
# there are circumstances where this is not always possible. If you uncomment
# the setting below, messages on the queue are held in 62 subdirectories of
# "input" instead of all in the same directory. The subdirectories are called
# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file
# system degrades with many files in one directory, this is less likely to
# happen; (2) Exim can process the queue one subdirectory at a time instead of
# all at once, which can give better performance with large queues.
# split_spool_directory = true
# If you're in a part of the world where ASCII is not sufficient for most
# text, then you're probably familiar with RFC2047 message header extensions.
# By default, Exim adheres to the specification, including a limit of 76
# characters to a line, with encoded words fitting within a line.
# If you wish to use decoded headers in message filters in such a way
# that successful decoding of malformed messages matters, you may wish to
# configure Exim to be more lenient.
#
# check_rfc2047_length = false
#
# In particular, the Exim maintainers have had multiple reports of problems
# from Russian administrators of issues until they disable this check,
# because of some popular, yet buggy, mail composition software.
# If you wish to be strictly RFC compliant, or if you know you'll be
# exchanging email with systems that are not 8-bit clean, then you may
# wish to disable advertising 8BITMIME. Uncomment this option to do so.
# accept_8bitmime = false
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :
control = dkim_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local parts, but
# are often tried by people looking to circumvent relaying restrictions.
# Therefore, although they are valid in local parts, these rules lock them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# someone like me, who has no second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is applied to
# messages that are addressed to one of the local domains handled by this
# host. The line "domains = +local_domains" restricts it to domains that are
# defined by the "domainlist local_domains" setting above. The rule blocks
# local parts that begin with a dot or contain @ % ! / or |. If you have
# local accounts that include these characters, you will have to modify this
# rule.
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# The second rule applies to all other domains, and is less strict. The line
# "domains = !+local_domains" restricts it to domains that are NOT defined by
# the "domainlist local_domains" setting above. The exclamation mark is a
# negating operator. This rule allows your own users to send outgoing
# messages to sites that use slashes and vertical bars in their local parts.
# It blocks local parts that begin with a dot, slash, or vertical bar, but
# allows these characters within the local part. However, the sequence /../
# is barred. The use of @ % and ! is blocked, as before. The motivation here
# is to prevent your users (or your users' viruses) from mounting certain
# kinds of attack on remote sites.
deny message = Restricted characters in address
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
#############################################################################
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.
accept local_parts = postmaster
domains = +local_domains
# Deny unless the sender address can be verified.
require verify = sender
# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
# submission. It will fix up various errors in the message, for example, the
# lack of a Date: header line. If you are actually relaying out out from
# MTAs, you may want to disable this. If you are handling both relaying from
# MTAs and submissions from MUAs you should probably split them into two
# lists, and handle them differently.
# Recipient verification is omitted here, because in many cases the clients
# are dumb MUAs that don't cope well with SMTP error responses. If you are
# actually relaying out from MTAs, you should probably add recipient
# verification here.
# Note that, by putting this test before any DNS black list checks, you will
# always accept from these hosts, even if they end up on a black list. The
# assumption is that they are your friends, and if they get onto a black
# list, it is a mistake.
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted, and submission mode is set. And again, we do this
# check before any black list tests.
accept authenticated = *
control = submission
control = dkim_disable_verify
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# do local part verification for local domains, but only check the domain
# for remote domains. The only way to check local parts for the remote
# relay domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
require verify = recipient
#############################################################################
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
# point. The first one denies, whereas the second just warns.
#
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
#
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
#############################################################################
#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# Client SMTP Authorization (csa) checks on the sending host. These checks
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
# an Internet draft. You can, of course, add additional conditions to this
# ACL statement to restrict the CSA checks to certain hosts only.
#
# require verify = csa
#############################################################################
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
accept
# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.
# Some suggested ways of configuring these tests are shown below, commented
# out. Without any tests, this ACL accepts all messages. If you want to use
# such tests, you must ensure that Exim is compiled with the content-scanning
# extension (WITH_CONTENT_SCAN=yes in Local/Makefile).
acl_check_data:
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
# Add headers to a message if it is judged to be spam. Before enabling this,
# you must install SpamAssassin. You may also need to set the spamd_address
# option above.
#
# warn spam = nobody
# add_header = X-Spam_score: $spam_score\n\
# X-Spam_score_int: $spam_score_int\n\
# X-Spam_bar: $spam_bar\n\
# X-Spam_report: $spam_report
# Accept the message.
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
# This alternative router can be used when you want to send all mail to a
# server which handles DNS lookups for you; an ISP will typically run such
# a server for their customers. If you uncomment "smarthost" then you
# should comment out "dnslookup" above. Setting a real hostname in route_data
# wouldn't hurt either.
smarthost:
driver = manualroute
domains = ! +local_domains
transport = remote_smtp
# This is the public IP of our Threat Mgmt Gateway (TMG).
route_data = 74.120.84.40
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
no_more
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
# A transport is used only when referenced from a router that successfully
# handles an address.
begin transports
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
# WARNING: If you do not have any retry rules at all (this section of the
# configuration is non-existent or empty), Exim will not do any retries of
# messages that fail to get delivered at the first attempt. The effect will
# be to treat temporary errors as permanent. Therefore, DO NOT remove this
# retry rule unless you really don't want any retries.
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
# PLAIN and LOGIN are enough to support most MUA software.
#
# These authenticators are not complete: you need to change the
# server_condition settings to specify how passwords are verified.
# They are set up to offer authentication to the client only if the
# connection is encrypted with TLS, so you also need to add support
# for TLS. See the global configuration options section at the start
# of this file for more about TLS.
#
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
begin authenticators
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
# use), an authentication ID, and a password. The latter two appear as
# $auth2 and $auth3 in the configuration and should be checked against a
# valid username and password. In a real configuration you would typically
# use $auth2 as a lookup key, and compare $auth3 against the result of the
# lookup, perhaps using the crypteq{}{} condition.
#PLAIN:
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.
#LOGIN:
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
# server_advertise_condition = ${if def:tls_in_cipher }
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.
# begin local_scan
# End of Exim configuration file
#!/bin/sh
set -x
set -e
#
# Docker build calls this script to harden the image during build.
#
# NOTE: To build on CircleCI, you must take care to keep the `find`
# command out of the /proc filesystem to avoid errors like:
#
# find: /proc/tty/driver: Permission denied
# lxc-start: The container failed to start.
# lxc-start: Additional information can be obtained by \
# setting the --logfile and --logpriority options.
# Remove existing crontabs, if any.
rm -fr /var/spool/cron
rm -fr /etc/crontabs
rm -fr /etc/periodic
# Remove all but a handful of admin commands.
find /sbin /usr/sbin ! -type d \
-a ! -name exim \
-a ! -name nologin \
-delete
# Remove world-writable permissions.
# This breaks apps that need to write to /tmp,
# such as ssh-agent.
find / -xdev -type d -perm +0002 -not -path /dev/mqueue -exec chmod o-w {} +
find / -xdev -type f -perm +0002 -exec chmod o-w {} +
# Remove unnecessary user accounts, including root.
sed -i -r '/^(exim)/!d' /etc/group
sed -i -r '/^(exim)/!d' /etc/passwd
# Disable interactive login for everybody.
sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
sysdirs="
/bin
/etc
/lib
/sbin
/usr
"
# Remove apk configs.
find $sysdirs -xdev -regex '.*apk.*' -exec rm -fr {} +
# Remove crufty...
# /etc/shadow-
# /etc/passwd-
# /etc/group-
find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} +
# Ensure system dirs are owned by root and not writable by anybody else.
find $sysdirs -xdev -type d \
-exec chown 0:0 {} \; \
-exec chmod 0755 {} \;
# Create spool dir so that exim user doesn't have to.
# Dockerfile treats this as a volume.
mkdir -p /var/spool/exim
chown -R exim:exim /var/spool/exim
chmod 0755 /var/spool/exim
# Ensure exim can write its log files.
mkdir -p /var/log/exim
chown -R exim:exim /var/log/exim
chmod 0755 /var/log/exim
# Remove suid bit from exim.
chmod u-s /usr/sbin/exim
# Remove all suid files.
find $sysdirs -xdev -type f -a -perm +4000 -delete
# Remove other programs that could be dangerous.
find $sysdirs -xdev \( \
-name hexdump -o \
-name chgrp -o \
-name chmod -o \
-name chown -o \
-name ln -o \
-name od -o \
-name strings -o \
-name su \
\) -delete
# Remove init scripts since we do not use them.
rm -fr /etc/init.d
rm -fr /lib/rc
rm -fr /etc/conf.d
rm -fr /etc/inittab
rm -fr /etc/runlevels
rm -fr /etc/rc.conf
# Remove kernel tunables since we do not need them.
rm -fr /etc/sysctl*
rm -fr /etc/modprobe.d
rm -fr /etc/modules
rm -fr /etc/mdev.conf
rm -fr /etc/acpi
# Remove root homedir since we do not need it.
rm -fr /root
# Remove fstab since we do not need it.
rm -f /etc/fstab
# Remove broken symlinks (because we removed the targets above).
find $sysdirs -xdev -type l -exec test ! -e {} \; -delete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment