Created
February 28, 2019 14:17
-
-
Save jumanjiman/9d75970b1ba5dc9542fa2c27ad75aa15 to your computer and use it in GitHub Desktop.
exim mail relay
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Default aliases file, installed by Exim. This file contains no real aliases. | |
# You should edit it to taste. | |
# The following alias is required by the mail RFCs 2821 and 2822. | |
# Set it to the address of a HUMAN who deals with this system's mail problems. | |
# postmaster: [email protected] | |
# It is also common to set the following alias so that if anybody replies to a | |
# bounce message from this host, the reply goes to the postmaster. | |
# mailer-daemon: postmaster | |
# You should also set up an alias for messages to root, because it is not | |
# usually a good idea to deliver mail as root. | |
# root: postmaster | |
# It is a good idea to redirect any messages sent to system accounts so that | |
# they don't just get ignored. Here are some common examples | |
# bin: root | |
# daemon: root | |
# ftp: root | |
# nobody: root | |
# operator: root | |
# uucp: root | |
# You should check your /etc/passwd for any others. | |
# Other commonly enountered aliases are: | |
# | |
# abuse: the person dealing with network and mail abuse | |
# hostmaster: the person dealing with DNS problems | |
# webmaster: the person dealing with your web site | |
#### |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FROM alpine:3.9 | |
# docker build --rm -t relay --build-arg proxy=<something> . | |
ARG proxy | |
RUN http_proxy=${proxy} https_proxy=${proxy} \ | |
apk --no-cache --available upgrade | |
RUN http_proxy=${proxy} https_proxy=${proxy} \ | |
apk --no-cache add exim | |
COPY harden /usr/sbin | |
COPY aliases /etc/mail/ | |
# Leave the packaged config in place. | |
# Specify ours on the CLI below. | |
COPY example.com.conf /etc/mail/ | |
RUN /usr/sbin/harden | |
# Create volumes AFTER harden. | |
VOLUME ["/var/log/exim", "/var/spool/exim"] | |
USER exim | |
ENTRYPOINT ["exim"] | |
CMD ["-bd", "-v", "-oP", "/dev/null", "-C", "/etc/mail/example.com.conf"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
###################################################################### | |
# Runtime configuration file for Exim # | |
###################################################################### | |
# This is a default configuration file which will operate correctly in | |
# uncomplicated installations. Please see the manual for a complete list | |
# of all the runtime configuration options that can be included in a | |
# configuration file. There are many more than are mentioned here. The | |
# manual is in the file doc/spec.txt in the Exim distribution as a plain | |
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available | |
# from the Exim ftp sites. The manual is also online at the Exim web sites. | |
# This file is divided into several parts, all but the first of which are | |
# headed by a line starting with the word "begin". Only those parts that | |
# are required need to be present. Blank lines, and lines starting with # | |
# are ignored. | |
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
# # | |
# Whenever you change Exim's configuration file, you *must* remember to # | |
# HUP the Exim daemon, because it will not pick up the new configuration # | |
# until you do. However, any other Exim processes that are started, for # | |
# example, a process started by an MUA in order to send a message, will # | |
# see the new configuration as soon as it is in place. # | |
# # | |
# You do not need to HUP the daemon for changes in auxiliary files that # | |
# are referenced from this file. They are read every time they are used. # | |
# # | |
# It is usually a good idea to test a new configuration for syntactic # | |
# correctness before installing it (for example, by running the command # | |
# "exim -C /config/file.new -bV"). # | |
# # | |
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ########### | |
# Avoid any local log files because we start in Dockerfile to stdout. | |
log_file_path = syslog | |
# The next three settings create two lists of domains and one list of hosts. | |
# These lists are referred to later in this configuration using the syntax | |
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They | |
# are all colon-separated lists: | |
# We do not accept local delivery. We only relay. | |
domainlist local_domains = | |
# We relay TO these domains. | |
domainlist relay_to_domains = *.example.com | |
# We relay FROM these IP ranges. | |
# The "<;" means to use semicolon as separator. | |
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.8.0.0/16 ; 10.188.0.0/16 | |
# The lists above are used in the ACLs for checking incoming messages. | |
# The names of these ACLs are defined here: | |
acl_smtp_rcpt = acl_check_rcpt | |
acl_smtp_data = acl_check_data | |
# Start daemon on high port so we can start unprivileged. | |
# Docker maps the port to 25 on the host to enable clients | |
# to use plain old port 25. | |
daemon_smtp_ports = 2525 | |
# If somebody sends email to "pmorgan", | |
# change the address to "[email protected]". | |
qualify_domain = example.com | |
# Disable RFC1413 (ident) callbacks for incoming smtp calls. | |
rfc1413_query_timeout = 0s | |
# Unfreeze bounce messages after one day, then try again to deliver. | |
# Remove frozen messages that are older than two days. | |
# See also the retry configuration elsewhere in this file. | |
ignore_bounce_errors_after = 1d | |
timeout_frozen_after = 2d | |
# By default, messages that are waiting on Exim's queue are all held in a | |
# single directory called "input" which it itself within Exim's spool | |
# directory. (The default spool directory is specified when Exim is built, and | |
# is often /var/spool/exim/.) Exim works best when its queue is kept short, but | |
# there are circumstances where this is not always possible. If you uncomment | |
# the setting below, messages on the queue are held in 62 subdirectories of | |
# "input" instead of all in the same directory. The subdirectories are called | |
# 0, 1, ... A, B, ... a, b, ... z. This has two benefits: (1) If your file | |
# system degrades with many files in one directory, this is less likely to | |
# happen; (2) Exim can process the queue one subdirectory at a time instead of | |
# all at once, which can give better performance with large queues. | |
# split_spool_directory = true | |
# If you're in a part of the world where ASCII is not sufficient for most | |
# text, then you're probably familiar with RFC2047 message header extensions. | |
# By default, Exim adheres to the specification, including a limit of 76 | |
# characters to a line, with encoded words fitting within a line. | |
# If you wish to use decoded headers in message filters in such a way | |
# that successful decoding of malformed messages matters, you may wish to | |
# configure Exim to be more lenient. | |
# | |
# check_rfc2047_length = false | |
# | |
# In particular, the Exim maintainers have had multiple reports of problems | |
# from Russian administrators of issues until they disable this check, | |
# because of some popular, yet buggy, mail composition software. | |
# If you wish to be strictly RFC compliant, or if you know you'll be | |
# exchanging email with systems that are not 8-bit clean, then you may | |
# wish to disable advertising 8BITMIME. Uncomment this option to do so. | |
# accept_8bitmime = false | |
###################################################################### | |
# ACL CONFIGURATION # | |
# Specifies access control lists for incoming SMTP mail # | |
###################################################################### | |
begin acl | |
# This access control list is used for every RCPT command in an incoming | |
# SMTP message. The tests are run in order until the address is either | |
# accepted or denied. | |
acl_check_rcpt: | |
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by | |
# testing for an empty sending host field. | |
accept hosts = : | |
control = dkim_disable_verify | |
############################################################################# | |
# The following section of the ACL is concerned with local parts that contain | |
# @ or % or ! or / or | or dots in unusual places. | |
# | |
# The characters other than dots are rarely found in genuine local parts, but | |
# are often tried by people looking to circumvent relaying restrictions. | |
# Therefore, although they are valid in local parts, these rules lock them | |
# out, as a precaution. | |
# | |
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim | |
# allows them because they have been encountered. (Consider local parts | |
# constructed as "firstinitial.secondinitial.familyname" when applied to | |
# someone like me, who has no second initial.) However, a local part starting | |
# with a dot or containing /../ can cause trouble if it is used as part of a | |
# file name (e.g. for a mailing list). This is also true for local parts that | |
# contain slashes. A pipe symbol can also be troublesome if the local part is | |
# incorporated unthinkingly into a shell command line. | |
# | |
# Two different rules are used. The first one is stricter, and is applied to | |
# messages that are addressed to one of the local domains handled by this | |
# host. The line "domains = +local_domains" restricts it to domains that are | |
# defined by the "domainlist local_domains" setting above. The rule blocks | |
# local parts that begin with a dot or contain @ % ! / or |. If you have | |
# local accounts that include these characters, you will have to modify this | |
# rule. | |
deny message = Restricted characters in address | |
domains = +local_domains | |
local_parts = ^[.] : ^.*[@%!/|] | |
# The second rule applies to all other domains, and is less strict. The line | |
# "domains = !+local_domains" restricts it to domains that are NOT defined by | |
# the "domainlist local_domains" setting above. The exclamation mark is a | |
# negating operator. This rule allows your own users to send outgoing | |
# messages to sites that use slashes and vertical bars in their local parts. | |
# It blocks local parts that begin with a dot, slash, or vertical bar, but | |
# allows these characters within the local part. However, the sequence /../ | |
# is barred. The use of @ % and ! is blocked, as before. The motivation here | |
# is to prevent your users (or your users' viruses) from mounting certain | |
# kinds of attack on remote sites. | |
deny message = Restricted characters in address | |
domains = !+local_domains | |
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ | |
############################################################################# | |
# Accept mail to postmaster in any local domain, regardless of the source, | |
# and without verifying the sender. | |
accept local_parts = postmaster | |
domains = +local_domains | |
# Deny unless the sender address can be verified. | |
require verify = sender | |
# Accept if the message comes from one of the hosts for which we are an | |
# outgoing relay. It is assumed that such hosts are most likely to be MUAs, | |
# so we set control=submission to make Exim treat the message as a | |
# submission. It will fix up various errors in the message, for example, the | |
# lack of a Date: header line. If you are actually relaying out out from | |
# MTAs, you may want to disable this. If you are handling both relaying from | |
# MTAs and submissions from MUAs you should probably split them into two | |
# lists, and handle them differently. | |
# Recipient verification is omitted here, because in many cases the clients | |
# are dumb MUAs that don't cope well with SMTP error responses. If you are | |
# actually relaying out from MTAs, you should probably add recipient | |
# verification here. | |
# Note that, by putting this test before any DNS black list checks, you will | |
# always accept from these hosts, even if they end up on a black list. The | |
# assumption is that they are your friends, and if they get onto a black | |
# list, it is a mistake. | |
accept hosts = +relay_from_hosts | |
control = submission | |
control = dkim_disable_verify | |
# Accept if the message arrived over an authenticated connection, from | |
# any host. Again, these messages are usually from MUAs, so recipient | |
# verification is omitted, and submission mode is set. And again, we do this | |
# check before any black list tests. | |
accept authenticated = * | |
control = submission | |
control = dkim_disable_verify | |
# Insist that any other recipient address that we accept is either in one of | |
# our local domains, or is in a domain for which we explicitly allow | |
# relaying. Any other domain is rejected as being unacceptable for relaying. | |
require message = relay not permitted | |
domains = +local_domains : +relay_to_domains | |
# We also require all accepted addresses to be verifiable. This check will | |
# do local part verification for local domains, but only check the domain | |
# for remote domains. The only way to check local parts for the remote | |
# relay domains is to use a callout (add /callout), but please read the | |
# documentation about callouts before doing this. | |
require verify = recipient | |
############################################################################# | |
# There are no default checks on DNS black lists because the domains that | |
# contain these lists are changing all the time. However, here are two | |
# examples of how you can get Exim to perform a DNS black list lookup at this | |
# point. The first one denies, whereas the second just warns. | |
# | |
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | |
# dnslists = black.list.example | |
# | |
# warn dnslists = black.list.example | |
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain | |
# log_message = found in $dnslist_domain | |
############################################################################# | |
############################################################################# | |
# This check is commented out because it is recognized that not every | |
# sysadmin will want to do it. If you enable it, the check performs | |
# Client SMTP Authorization (csa) checks on the sending host. These checks | |
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005) | |
# an Internet draft. You can, of course, add additional conditions to this | |
# ACL statement to restrict the CSA checks to certain hosts only. | |
# | |
# require verify = csa | |
############################################################################# | |
# At this point, the address has passed all the checks that have been | |
# configured, so we accept it unconditionally. | |
accept | |
# This ACL is used after the contents of a message have been received. This | |
# is the ACL in which you can test a message's headers or body, and in | |
# particular, this is where you can invoke external virus or spam scanners. | |
# Some suggested ways of configuring these tests are shown below, commented | |
# out. Without any tests, this ACL accepts all messages. If you want to use | |
# such tests, you must ensure that Exim is compiled with the content-scanning | |
# extension (WITH_CONTENT_SCAN=yes in Local/Makefile). | |
acl_check_data: | |
# Deny if the message contains a virus. Before enabling this check, you | |
# must install a virus scanner and set the av_scanner option above. | |
# | |
# deny malware = * | |
# message = This message contains a virus ($malware_name). | |
# Add headers to a message if it is judged to be spam. Before enabling this, | |
# you must install SpamAssassin. You may also need to set the spamd_address | |
# option above. | |
# | |
# warn spam = nobody | |
# add_header = X-Spam_score: $spam_score\n\ | |
# X-Spam_score_int: $spam_score_int\n\ | |
# X-Spam_bar: $spam_bar\n\ | |
# X-Spam_report: $spam_report | |
# Accept the message. | |
accept | |
###################################################################### | |
# ROUTERS CONFIGURATION # | |
# Specifies how addresses are handled # | |
###################################################################### | |
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # | |
# An address is passed to each router in turn until it is accepted. # | |
###################################################################### | |
begin routers | |
# This alternative router can be used when you want to send all mail to a | |
# server which handles DNS lookups for you; an ISP will typically run such | |
# a server for their customers. If you uncomment "smarthost" then you | |
# should comment out "dnslookup" above. Setting a real hostname in route_data | |
# wouldn't hurt either. | |
smarthost: | |
driver = manualroute | |
domains = ! +local_domains | |
transport = remote_smtp | |
# This is the public IP of our Threat Mgmt Gateway (TMG). | |
route_data = 74.120.84.40 | |
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 | |
no_more | |
###################################################################### | |
# TRANSPORTS CONFIGURATION # | |
###################################################################### | |
# ORDER DOES NOT MATTER # | |
# Only one appropriate transport is called for each delivery. # | |
###################################################################### | |
# A transport is used only when referenced from a router that successfully | |
# handles an address. | |
begin transports | |
# This transport is used for delivering messages over SMTP connections. | |
remote_smtp: | |
driver = smtp | |
###################################################################### | |
# RETRY CONFIGURATION # | |
###################################################################### | |
begin retry | |
# This single retry rule applies to all domains and all errors. It specifies | |
# retries every 15 minutes for 2 hours, then increasing retry intervals, | |
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 | |
# hours, then retries every 6 hours until 4 days have passed since the first | |
# failed delivery. | |
# WARNING: If you do not have any retry rules at all (this section of the | |
# configuration is non-existent or empty), Exim will not do any retries of | |
# messages that fail to get delivered at the first attempt. The effect will | |
# be to treat temporary errors as permanent. Therefore, DO NOT remove this | |
# retry rule unless you really don't want any retries. | |
# Address or Domain Error Retries | |
# ----------------- ----- ------- | |
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h | |
###################################################################### | |
# REWRITE CONFIGURATION # | |
###################################################################### | |
# There are no rewriting specifications in this default configuration file. | |
begin rewrite | |
###################################################################### | |
# AUTHENTICATION CONFIGURATION # | |
###################################################################### | |
# The following authenticators support plaintext username/password | |
# authentication using the standard PLAIN mechanism and the traditional | |
# but non-standard LOGIN mechanism, with Exim acting as the server. | |
# PLAIN and LOGIN are enough to support most MUA software. | |
# | |
# These authenticators are not complete: you need to change the | |
# server_condition settings to specify how passwords are verified. | |
# They are set up to offer authentication to the client only if the | |
# connection is encrypted with TLS, so you also need to add support | |
# for TLS. See the global configuration options section at the start | |
# of this file for more about TLS. | |
# | |
# The default RCPT ACL checks for successful authentication, and will accept | |
# messages from authenticated users from anywhere on the Internet. | |
begin authenticators | |
# PLAIN authentication has no server prompts. The client sends its | |
# credentials in one lump, containing an authorization ID (which we do not | |
# use), an authentication ID, and a password. The latter two appear as | |
# $auth2 and $auth3 in the configuration and should be checked against a | |
# valid username and password. In a real configuration you would typically | |
# use $auth2 as a lookup key, and compare $auth3 against the result of the | |
# lookup, perhaps using the crypteq{}{} condition. | |
#PLAIN: | |
# driver = plaintext | |
# server_set_id = $auth2 | |
# server_prompts = : | |
# server_condition = Authentication is not yet configured | |
# server_advertise_condition = ${if def:tls_in_cipher } | |
# LOGIN authentication has traditional prompts and responses. There is no | |
# authorization ID in this mechanism, so unlike PLAIN the username and | |
# password are $auth1 and $auth2. Apart from that you can use the same | |
# server_condition setting for both authenticators. | |
#LOGIN: | |
# driver = plaintext | |
# server_set_id = $auth1 | |
# server_prompts = <| Username: | Password: | |
# server_condition = Authentication is not yet configured | |
# server_advertise_condition = ${if def:tls_in_cipher } | |
###################################################################### | |
# CONFIGURATION FOR local_scan() # | |
###################################################################### | |
# If you have built Exim to include a local_scan() function that contains | |
# tables for private options, you can define those options here. Remember to | |
# uncomment the "begin" line. It is commented by default because it provokes | |
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS | |
# set in the Local/Makefile. | |
# begin local_scan | |
# End of Exim configuration file |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
set -x | |
set -e | |
# | |
# Docker build calls this script to harden the image during build. | |
# | |
# NOTE: To build on CircleCI, you must take care to keep the `find` | |
# command out of the /proc filesystem to avoid errors like: | |
# | |
# find: /proc/tty/driver: Permission denied | |
# lxc-start: The container failed to start. | |
# lxc-start: Additional information can be obtained by \ | |
# setting the --logfile and --logpriority options. | |
# Remove existing crontabs, if any. | |
rm -fr /var/spool/cron | |
rm -fr /etc/crontabs | |
rm -fr /etc/periodic | |
# Remove all but a handful of admin commands. | |
find /sbin /usr/sbin ! -type d \ | |
-a ! -name exim \ | |
-a ! -name nologin \ | |
-delete | |
# Remove world-writable permissions. | |
# This breaks apps that need to write to /tmp, | |
# such as ssh-agent. | |
find / -xdev -type d -perm +0002 -not -path /dev/mqueue -exec chmod o-w {} + | |
find / -xdev -type f -perm +0002 -exec chmod o-w {} + | |
# Remove unnecessary user accounts, including root. | |
sed -i -r '/^(exim)/!d' /etc/group | |
sed -i -r '/^(exim)/!d' /etc/passwd | |
# Disable interactive login for everybody. | |
sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd | |
sysdirs=" | |
/bin | |
/etc | |
/lib | |
/sbin | |
/usr | |
" | |
# Remove apk configs. | |
find $sysdirs -xdev -regex '.*apk.*' -exec rm -fr {} + | |
# Remove crufty... | |
# /etc/shadow- | |
# /etc/passwd- | |
# /etc/group- | |
find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} + | |
# Ensure system dirs are owned by root and not writable by anybody else. | |
find $sysdirs -xdev -type d \ | |
-exec chown 0:0 {} \; \ | |
-exec chmod 0755 {} \; | |
# Create spool dir so that exim user doesn't have to. | |
# Dockerfile treats this as a volume. | |
mkdir -p /var/spool/exim | |
chown -R exim:exim /var/spool/exim | |
chmod 0755 /var/spool/exim | |
# Ensure exim can write its log files. | |
mkdir -p /var/log/exim | |
chown -R exim:exim /var/log/exim | |
chmod 0755 /var/log/exim | |
# Remove suid bit from exim. | |
chmod u-s /usr/sbin/exim | |
# Remove all suid files. | |
find $sysdirs -xdev -type f -a -perm +4000 -delete | |
# Remove other programs that could be dangerous. | |
find $sysdirs -xdev \( \ | |
-name hexdump -o \ | |
-name chgrp -o \ | |
-name chmod -o \ | |
-name chown -o \ | |
-name ln -o \ | |
-name od -o \ | |
-name strings -o \ | |
-name su \ | |
\) -delete | |
# Remove init scripts since we do not use them. | |
rm -fr /etc/init.d | |
rm -fr /lib/rc | |
rm -fr /etc/conf.d | |
rm -fr /etc/inittab | |
rm -fr /etc/runlevels | |
rm -fr /etc/rc.conf | |
# Remove kernel tunables since we do not need them. | |
rm -fr /etc/sysctl* | |
rm -fr /etc/modprobe.d | |
rm -fr /etc/modules | |
rm -fr /etc/mdev.conf | |
rm -fr /etc/acpi | |
# Remove root homedir since we do not need it. | |
rm -fr /root | |
# Remove fstab since we do not need it. | |
rm -f /etc/fstab | |
# Remove broken symlinks (because we removed the targets above). | |
find $sysdirs -xdev -type l -exec test ! -e {} \; -delete |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment