SRS support for Exim4

2025-07-05 20:41:53 -07:00 · 2024-11-08 18:07:38 +01:00 · 2024-11-08 18:07:38 +01:00 · 89fc5a1ebd
commit 89fc5a1ebd
parent afc6b62d5c
3 changed files with 114 additions and 3 deletions
--- a/install/debian/12/exim/exim4.conf.template
+++ b/install/debian/12/exim/exim4.conf.template
@ -13,6 +13,8 @@ add_environment=<; PATH=/bin:/usr/bin
 keep_environment=
 smtputf8_advertise_hosts =

+SRS_SECRET = ${readfile{/etc/exim4/srs.conf}}
+
 #local_interfaces =  0.0.0.0
 #smtp_active_hostname = ${lookup{$interface_address}lsearch{/etc/exim4/virtual/helo_data}{$value}}
 #smtp_banner = "$smtp_active_hostname ESMTP $tod_full"
@ -267,8 +269,11 @@ begin routers

 dnslookup:
  driver = dnslookup
-  domains = !+local_domains
-  transport = remote_smtp
+  # if outbound, and forwarding has been done, use an alternate transport
+  domains = ! +local_domains
+  transport = ${if eq {$local_part@$domain} \
+                      {$original_local_part@$original_domain} \
+                      {remote_smtp} {remote_forwarded_smtp}}
  no_more

 localuser_spam:
@ -305,6 +310,23 @@ autoreplay:
  transport = userautoreply
  unseen

+inbound_srs:
+    driver = redirect
+    senders = :
+    domains = +local_domains
+    # detect inbound bounces which are converted to SRS, and decode them
+    condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
+    data = $srs_recipient
+
+inbound_srs_failure:
+    driver = redirect
+    senders = :
+    domains = +local_domains
+    # detect inbound bounces which look converted to SRS but are invalid
+    condition = ${if inbound_srs {$local_part} {}}
+    allow_fail
+    data = :fail: Invalid SRS recipient address
+
 aliases:
  driver = redirect
  headers_add = X-redirected: yes
@ -357,6 +379,20 @@ remote_smtp:
  hosts_try_chunking = !93.188.3.0/24
  message_linelength_limit = 1G

+remote_forwarded_smtp:
+  driver = smtp
+  dkim_domain = DKIM_DOMAIN
+  dkim_selector = mail
+  dkim_private_key = DKIM_PRIVATE_KEY
+  dkim_canon = relaxed
+  dkim_strict = 0
+  hosts_try_fastopen = 
+  hosts_try_chunking = !93.188.3.0/24
+  message_linelength_limit = 1G
+  # modify the envelope from, for mails that we forward
+  max_rcpt = 1
+  return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
+
 procmail:
  driver = pipe
  command = "/usr/bin/procmail -d $local_part"
--- a/install/vst-install-debian.sh
+++ b/install/vst-install-debian.sh
@ -131,7 +131,11 @@ help() {
 # Defining password-gen function
 gen_pass() {
    MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
-    LENGTH=32
+    if [ -z "$1" ]; then
+        LENGTH=32
+    else
+        LENGTH=$1
+    fi
    while [ ${n:=1} -le $LENGTH ]; do
        PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}"
        let n+=1
@ -1465,6 +1469,12 @@ if [ "$exim" = 'yes' ]; then
        sed -i "s/#CLAMD/CLAMD/g" /etc/exim4/exim4.conf.template
    fi

+    # Generating SRS KEY - the code is taken from HestiaCP
+    srs=$(gen_pass 16)
+    echo $srs > /etc/exim4/srs.conf
+    chmod 640 /etc/exim4/srs.conf
+    chown root:Debian-exim /etc/exim4/srs.conf
+
    chmod 640 /etc/exim4/exim4.conf.template
    rm -rf /etc/exim4/domains
    mkdir -p /etc/exim4/domains