Commit | Line | Data |
---|---|---|
185b5456 MW |
1 | ### -*-m4-*- |
2 | ### | |
3 | ### Transmission to remote hosts for distorted.org.uk Exim configuration. | |
4 | ### | |
5 | ### (c) 2012 Mark Wooding | |
6 | ### | |
7 | ||
8 | ###----- Licensing notice --------------------------------------------------- | |
9 | ### | |
10 | ### This program is free software; you can redistribute it and/or modify | |
11 | ### it under the terms of the GNU General Public License as published by | |
12 | ### the Free Software Foundation; either version 2 of the License, or | |
13 | ### (at your option) any later version. | |
14 | ### | |
15 | ### This program is distributed in the hope that it will be useful, | |
16 | ### but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | ### GNU General Public License for more details. | |
19 | ### | |
20 | ### You should have received a copy of the GNU General Public License | |
21 | ### along with this program; if not, write to the Free Software Foundation, | |
22 | ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
23 | ||
24 | ###-------------------------------------------------------------------------- | |
25 | ### Listen for incoming connections. | |
26 | ||
27 | SECTION(global, tls)m4_dnl | |
28 | tls_certificate = CONF_sysconf_dir/server.cert | |
29 | tls_privatekey = CONF_sysconf_dir/server.key | |
30 | tls_advertise_hosts = * | |
31 | tls_dhparam = CONF_ca_dir/dh-param.pem | |
32 | tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \ | |
33 | {match_ip {$sender_host_address}{+trusted}}} \ | |
34 | {CONF_good_ciphers} \ | |
35 | {CONF_acceptable_ciphers}} | |
36 | tls_verify_certificates = CONF_ca_dir/ca.cert | |
37 | tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}} | |
38 | ||
39 | DIVERT(null) | |
40 | ###-------------------------------------------------------------------------- | |
41 | ### Check source addresses for apparently local senders. | |
42 | ||
43 | SECTION(acl, mail-hooks)m4_dnl | |
44 | ## Check that a submitted message's sender address is allowable. | |
45 | require acl = mail_client_addr | |
46 | ||
47 | ## Insist that a local client connect through TLS. | |
48 | deny message = Hosts within CONF_master_domain must use TLS | |
49 | !condition = ${if eq{$acl_c_mode}{submission}} | |
50 | hosts = +allnets | |
51 | !encrypted = * | |
52 | ||
53 | SECTION(acl, misc)m4_dnl | |
54 | mail_client_addr: | |
55 | ||
56 | ## If this is a message submission then that's handled elsewhere. | |
57 | accept condition = ${if eq{$acl_c_mode}{submission}} | |
58 | ||
59 | ## Make sure that the sender matches the client address. | |
60 | require message = Client host invalid for sender domain | |
61 | hosts = ${LOOKUP_DOMAIN($sender_address_domain, | |
62 | {KV(hosts, {$value}{+allnets})}, | |
63 | {${if match_domain {$sender_address_domain} \ | |
64 | {+public} \ | |
65 | {+allnets}{! +allnets}}})} | |
66 | ||
67 | ## OK. | |
68 | accept | |
69 | ||
70 | DIVERT(null) | |
71 | ###-------------------------------------------------------------------------- | |
72 | ### The obvious trivial router. | |
73 | ||
74 | SECTION(routers, remote)m4_dnl | |
75 | ## Send mail on to a host in our own network. We must apply extra security. | |
76 | local: | |
77 | driver = dnslookup | |
78 | domains = ! +known : *.CONF_master_domain | |
79 | self = fail | |
80 | transport = smtp_local | |
81 | no_more | |
82 | ||
83 | ## Send mail on to unknown hosts. | |
84 | remote: | |
85 | driver = dnslookup | |
86 | domains = ! +known | |
87 | self = fail | |
88 | transport = smtp | |
89 | no_more | |
90 | ||
91 | DIVERT(null) | |
92 | ###----- That's all, folks -------------------------------------------------- |