# Listen on 25 (STARTTLS) and 465; 465 is TLS-on-connect (implicit TLS).
# No separate submission port (587) is opened by this fragment.
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

# Send only via our public IPs
#REMOTE_SMTP_INTERFACE = <; 5.9.225.164 ; 2001:678:4d8:200::1a57
# Note: REMOTE_SMTP_INTERFACE was introduced in bullseye; we ship a compatibility addition.

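# Addresses the dnslookup router must never deliver to: "this host" (0.0.0.0),
# RFC 1918 space, loopback, link-local, broadcast, the IPv6 unspecified /
# loopback / ULA / link-local / discard-only ranges and one /96 that is
# presumably this site's own (same /48 as the public address above -- confirm).
# This keeps a remote domain whose MX or A records point at private or loopback
# space from making this host connect to internal services.
# The list starts with "<;" to switch the separator to ";", because IPv6
# literals contain ":".  The last item carries no trailing backslash: a
# dangling continuation would silently append the next non-blank line to the
# list the moment someone inserts a setting directly below it.
ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS = \
 <; 0.0.0.0 \
  ; 10.0.0.0/8 \
  ; 127.0.0.0/8 \
  ; 192.168.0.0/16 \
  ; 172.16.0.0/12 \
  ; 169.254.0.0/16 \
  ; 255.255.255.255 \
  ; ::/128 \
  ; ::1/128 \
  ; fc00::/7 \
  ; fe80::/10 \
  ; 100::/64 \
  ; 2001:678:4d8:ac64::/96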


# Port on which the locally issued (self-signed) certificate is served.
DXLD_SELFSIGNED_CERT_PORT = 465

MAIN_TLS_ENABLE = true

# Expansion condition: true when the current inbound connection arrived on the
# self-signed-cert port.  Every TLS choice below is made through
# `${if DXLD_TLS ...}`, i.e. per listening port, not per peer.
# NOTE(review): $received_port describes the inbound connection; where one of
# these macros is expanded in an outbound context the condition is presumably
# false -- verify for any macro reused on the sending side.
DXLD_TLS = eq {$received_port}{DXLD_SELFSIGNED_CERT_PORT}

# Trust store used to verify peer certificates: the private bundle on the
# self-signed port, the system CA bundle everywhere else.
MAIN_TLS_VERIFY_CERTIFICATES = ${if DXLD_TLS \
 {/etc/ssl/dxld-selfsigned/trusted.crt} \
 {/etc/ssl/certs/ca-certificates.crt}}

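# TODO: This is severely broken. For one we need to also reject unencrypted
# incoming emails and IIRC this also doesn't properly apply to the sending side
# I guess I never really tested it. FIX IT!
#
# Mail domains whose peers are meant to use verified TLS; consumed by
# MAIN_TLS_VERIFY_HOSTS and REMOTE_SMTP_HOSTS_REQUIRE_TLS below.
# NOTE(review): as far as I can tell both consumers are Exim *host* lists,
# which are matched against the peer's host name or address, not against the
# mail domain.  A bare "gmail.com" therefore only matches a peer literally
# named gmail.com, which its MX hosts are not -- this is very likely why the
# TODO above observes that nothing fires.  Matching the MX host names (or
# addresses) of these domains, or switching to a domain-based condition, is
# the direction to look.
# No trailing backslash after the last item: a dangling continuation would
# swallow the next non-blank line into the list.
DXLD_STRICT_TLS_HOSTS \
  = 9elements.com \
  : gmail.com \
  : andy-morris.xyz \
  : niss.website \
  : rhiannon.website \
  : hoffmann-group.com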

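# Hosts for which we send via migadu: recipient domains that are not delivered
# directly but handed to the migadu smarthost (the router consulting this list
# is not part of this file).  "hostile" presumably refers to their filtering of
# our direct deliveries rather than to the domains themselves -- confirm against
# the router.
# No trailing backslash after the last item: a dangling continuation would
# swallow the next non-blank line into the list.
domainlist dxld_hostile_domains \
  = creamsource.com \
  : lighticians.com \
  : hotmail.com \
  : gmail.com \
  : decemberlabs.com \
  : ovyl.io \
  : zx2c4.com \
  : nlnet.nl \
  : t-online.de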


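# Friendly domains - bypass RDNS, sender verify, SPF, blacklist and
# header checks as long as SPF for envelope sender checks out
# (the ACL that consults this list lives elsewhere).
# NOTE(review): SPF on the envelope sender is then the only gate left for
# these senders, so a weak SPF record on their side (a permissive mechanism or
# include) would let a forged envelope sender skip every other check -- worth
# re-checking when this list changes.
# No trailing backslash after the last item: a dangling continuation would
# swallow the next non-blank line into the list.
domainlist dxld_friendly_domains \
  = debian.org \
  : it-syndikat.org \
  : monostack.org \
  : groeber.at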



# Peers that must present a certificate verifiable against
# MAIN_TLS_VERIFY_CERTIFICATES: every client on the self-signed port, plus the
# strict hosts on any port.
# NOTE(review): off the self-signed port the expansion yields a leading empty
# item (": 9elements.com : ...").  As far as I recall Exim only discards
# *trailing* empty list items, so this is a real (apparently harmless) empty
# host entry; `${if DXLD_TLS {* : }{}}DXLD_STRICT_TLS_HOSTS` would avoid it.
# See the note on DXLD_STRICT_TLS_HOSTS for why the domain entries probably
# never match here.
MAIN_TLS_VERIFY_HOSTS = ${if DXLD_TLS {*} {}} : DXLD_STRICT_TLS_HOSTS
# Outbound: TLS is mandatory towards the strict hosts and always towards the
# smarthost (the "*" covers every smarthost destination).
REMOTE_SMTP_HOSTS_REQUIRE_TLS = DXLD_STRICT_TLS_HOSTS
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

# Server certificate and key: the self-signed pair on the self-signed port,
# the regular CONFDIR pair elsewhere.  Both are selected through DXLD_TLS, so
# the choice is per connection (presumably expanded when TLS starts -- verify
# against the Exim version in use).
MAIN_TLS_CERTIFICATE = ${if DXLD_TLS \
 {/etc/ssl/dxld-selfsigned/mail.crt} \
 {CONFDIR/exim.crt}}

MAIN_TLS_PRIVATEKEY = ${if DXLD_TLS \
 {/etc/ssl/dxld-selfsigned/mail.key} \
 {CONFDIR/exim.key}}

# RCPT-time ACL: a dedicated ACL for connections on the self-signed port, the
# general one otherwise.  Neither ACL is defined in this file.
MAIN_ACL_CHECK_RCPT = ${if DXLD_TLS \
 {acl_check_rcpt_dxld_tls} \
 {acl_check_rcpt_dxld}}

# DATA-time ACL (defined elsewhere), used for every port.
MAIN_ACL_CHECK_DATA = acl_check_data_dxld

# Per-site exceptions from the local deny rules; the file is not shown here.
LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = CONFDIR/local_deny_exceptions.acl

# Debian conf.d feature toggles.  As far as I can tell the shipped ACL
# templates test these with .ifdef, so only their presence matters and the
# mixed "yes"/"true" spellings are cosmetic -- confirm before relying on
# a value.
CHECK_RCPT_SPF = yes
CHECK_RCPT_VERIFY_SENDER = true
CHECK_RCPT_REVERSE_DNS = yes
# DNSBL consulted for the connecting IP.
# NOTE(review): Spamhaus answers queries coming from public/open resolvers (or
# exceeding its free-use limits) with special 127.255.255.x codes instead of a
# listing.  With a plain zone name Exim's dnslists treats any A record as a
# hit, so such an error reply would reject all inbound mail.  Make sure the
# local resolver is acceptable to Spamhaus, or use the "zone=ip,ip" return-code
# filter so only genuine listing codes count.
CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org

# Full trace header, close to Exim's stock received_header_text: originating
# host, ident and HELO name, protocol, inbound cipher, envelope sender,
# message id and the "for" recipient.  Each clause is guarded by def: so an
# absent field leaves no fragment behind.  Keep the line-end backslashes
# exactly as they are -- the "\n\t" sequences are part of the header text.
DEFAULT_RECEIVED_HEADER = Received: \
  ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\
  {${if def:sender_ident \
  {from ${quote_local_part:$sender_ident} }}\
  ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
  by $primary_hostname \
  ${if def:received_protocol {with $received_protocol}} \
  ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
  (Exim $version_number)\n\t\
  ${if def:sender_address \
  {(envelope-from <$sender_address>)\n\t}}\
  id $message_exim_id\
  ${if def:received_for {\n\tfor $received_for}}

# Minimal trace header for the verified-certificate path: nothing but the
# receiving host.
# NOTE(review): this deliberately drops the originating host, protocol and
# cipher, so mail arriving over that path carries no record of where it came
# from.  That is fine for a private tunnel, but it limits what can be
# reconstructed from headers if the path is ever misused; the commented
# variant below would keep the hop visible.
DXLD_RECEIVED_HEADER = Received: $primary_hostname

#  from tunnel.internal.dxld.at ([10.0.0.1])\n\t \
#  by $primary_hostname\n\t \
#  ($tls_in_cipher)\n\t \
#  (Exim $version_number)\n\t \
#  id $message_exim_id \
#  ${if def:received_for {\n\tfor $received_for}}

# Pick the trace header per message: the minimal one only when the message
# arrived on the self-signed port AND the client certificate verified against
# the private trust store; every other message gets the full header.
received_header_text = \
 ${if and {{DXLD_TLS}{eq {1}{$tls_in_certificate_verified}}} \
  {DXLD_RECEIVED_HEADER} \
  {DEFAULT_RECEIVED_HEADER}}

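# Lowest UID treated as a regular user account (Debian exim4 macro).
# Spacing around "=" made consistent with the rest of the file; Exim strips
# the white space either way.
FIRST_USER_ACCOUNT_UID = 1000
# Hand local mail to Dovecot over LMTP (the transport is defined elsewhere).
LOCAL_DELIVERY = dovecot_lmtp

# Delay warnings to the sender after 30 minutes, 6 hours and 24 hours on the
# queue.
delay_warning = 30m:6h:24h

# After 100 messages on one inbound connection, further messages are queued
# instead of being delivered immediately.
smtp_accept_queue_per_connection = 100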

