# For spam scanning, there is a similar option that defines the interface to

   # Allow any client to use TLS.

   # Specify the location of the Exim server's TLS certificate and private key.

   # The private key must not be encrypted (password protected). You can put

   # need the first setting, or in separate files, in which case you need both

   # options.

   # For OpenSSL, prefer EC- over RSA-authenticated ciphers

   # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT

   # them you should also allow TLS-on-connect on the traditional but

   # non-standard port 465.

   # Specify the domain you want to be added to all unqualified addresses

   host_lookup = *

   # The setting below causes Exim to try to initialize the system resolver

   # library with DNSSEC support.  It has no effect if your library lacks

   # Note that TZ is handled separately by the timezone runtime option

   # and TIMEZONE_DEFAULT buildtime option.

   begin acl

   # This access control list is used for every RCPT command in an incoming

   # SMTP message. The tests are run in order until the address is either

   # accepted or denied.

     accept  hosts = :

             control = dkim_disable_verify

     #############################################################################

     # The following section of the ACL is concerned with local parts that contain

     accept  local_parts   = postmaster

             domains       = +local_domains

     require verify        = sender

     accept  hosts         = +relay_from_hosts

             control       = submission

             control       = dkim_disable_verify

     # Accept if the message arrived over an authenticated connection, from

     # any host. Again, these messages are usually from MUAs, so recipient

     accept  authenticated = *

             control       = submission

             control       = dkim_disable_verify

     # Insist that a HELO/EHLO was accepted.

     # There are no default checks on DNS black lists because the domains that

     # contain these lists are changing all the time. However, here are two

     # examples of how you can get Exim to perform a DNS black list lookup at this

     #

     # deny    dnslists      = black.list.example

     #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

     # warn    dnslists      = black.list.example

     #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain

     #         log_message   = found in $dnslist_domain

     #############################################################################

     #############################################################################

     #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}

     #############################################################################

     # At this point, the address has passed all the checks that have been

     # configured, so we accept it unconditionally.

             message =     header syntax

             log_message = header syntax ($acl_verify_message)

  -  # Add headers to a message if it is judged to be spam. Before enabling this,

  -  # you must install SpamAssassin. You may also need to set the spamd_address

  -  # option above.

  -  # warn    spam       = nobody

  -  #         add_header = X-Spam_score: $spam_score\n\

  -  #                      X-Spam_score_int: $spam_score_int\n\

  -  #                      X-Spam_bar: $spam_bar\n\

  -  #                      X-Spam_report: $spam_report

  +  # accept  condition  = ${if >={$message_size}{100000} {1}}

  +  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size

     #############################################################################

     # No more tests if PRDR was actively used.

     #           condition    = ...

     #############################################################################

   ######################################################################

     driver = redirect

     allow_fail

     allow_defer

   # user = exim

     file_transport = address_file

     pipe_transport = address_pipe

   # local_part_suffix = +* : -*

   # local_part_suffix_optional

     file = $home/.forward

     no_verify

     no_expn

     check_ancestor

     pipe_transport = address_pipe

     reply_transport = address_reply

   # This router matches local user mailboxes. If the router fails, the error

   # message is "Unknown user".

     driver = smtp

     message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}

   # This transport is used for delivering messages to a smarthost, if the

   # smarthost router is enabled.  This starts from the same basis as

     delivery_date_add

     envelope_to_add

     return_path_add

   # This transport is used for handling pipe deliveries generated by alias or

     driver = autoreply

   ######################################################################

   #                      RETRY CONFIGURATION                           #

   #                   AUTHENTICATION CONFIGURATION                     #

   ######################################################################

   # The following authenticators support plaintext username/password

   # authentication using the standard PLAIN mechanism and the traditional

   # but non-standard LOGIN mechanism, with Exim acting as the server.

   # The default RCPT ACL checks for successful authentication, and will accept

   # messages from authenticated users from anywhere on the Internet.

   # PLAIN authentication has no server prompts. The client sends its

   # credentials in one lump, containing an authorization ID (which we do not

   #  driver                     = plaintext

   #  server_set_id              = $auth2

   #  server_prompts             = :

   #  server_advertise_condition = ${if def:tls_in_cipher }

   # LOGIN authentication has traditional prompts and responses. There is no

   #  driver                     = plaintext

   #  server_set_id              = $auth1

   #  server_prompts             = <| Username: | Password:

  #

  # When a suspicious mail is seen, we temporarily reject it and wait to see

  # if the sender tries again. Most spam robots won't bother. Real mail hosts

  #

  greylist_mail:

    accept hosts = :

    accept authenticated = *

    # Secondly, there's _absolutely_ no point in greylisting mail from

    # hosts which are known to resend their mail. Just accept it.

  			       WHERE helo='${quote_sqlite:$sender_helo_name}' \

  			       AND host='$sender_host_address';} {1}}

    # Attempt to look up this mail in the greylist database. If it's there,

    # remember the expiry time for it; we need to make sure they've waited

    # long enough.

  				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}

    # If the mail isn't already the database -- i.e. if the $acl_m_greyexpiry

    # variable we just looked up is empty -- then try to add it now. This is 

    # where the 5 minute timeout is set ($tod_epoch + 300), should you wish

    # to change it.

    warn  condition = ${if eq {$acl_m_greyexpiry}{} {1}}

  					VALUES ( '$acl_m_greyident', \

  						 '${eval10:$tod_epoch+300}', \

  						 '$sender_host_address', \

    # Be paranoid, and check if the insertion succeeded (by doing another lookup).

    # Otherwise, if there's a database error we might end up deferring for ever.

    defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}

  				WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}

          message = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons \

  		  The mail has been greylisted for 5 minutes, after which it should be accepted. \

  		  You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\

  		  Reason(s) for greylisting: \n$acl_m_greylistreasons

    # The message was listed but it's been more than five minutes. Accept it now and whitelist

    # the _original_ sending host by its { IP, HELO } so that we don't delay its mail again.

  				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}

  				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}

  				VALUES ( '$acl_m_orighost', \

  					 '${quote_sqlite:$acl_m_orighelo}', \

  					 '$tod_epoch' ); }}