auth.m4, base.m4, exchange.m4: Make sender-address checking universal.

[exim-config] / exchange.m4

### -*-m4-*-
###
### Transmission to remote hosts for distorted.org.uk Exim configuration.
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This program is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### This program is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

###--------------------------------------------------------------------------
### Listen for incoming connections.

SECTION(global, daemon)m4_dnl
daemon_smtp_ports = CONF_smtp_port : CONF_submission_port

SECTION(global, tls)m4_dnl
tls_certificate = CONF_sysconf_dir/server.cert
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = *
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
                               {match_ip {$sender_host_address}{+trusted}}} \
                           {CONF_good_ciphers} \
                           {CONF_acceptable_ciphers}}
tls_verify_certificates = CONF_ca_dir/ca.cert
tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}

DIVERT(null)
###--------------------------------------------------------------------------
### Check source addresses for apparently local senders.

SECTION(acl, mail-hooks)m4_dnl
        ## Check that a submitted message's sender address is allowable.
        require  acl = mail_client_addr

SECTION(acl, misc)m4_dnl
mail_client_addr:

        ## If this is a message submission then that's handled elsewhere.
        accept   condition = ${if eq{$acl_c_mode}{submission}}

        ## Make sure that the sender matches the client address.  I feel like
        ## I want to reject these, but that will break stuff.  For example,
        ## if I send mail to an externally hosted address which is really a
        ## distribution list containing some local address, then we'll
        ## (approximately legitimately) receive mail with an apparently-local
        ## sender from a remote host.
        warn    !hosts = ${LOOKUP_DOMAIN($sender_address_domain,
                           {KV(hosts, {$value}{+allnets})},
                           {${if match_domain {$sender_address_domain} \
                                              {+public} \
                                 {+allnets}{! +allnets}}})}
                 add_header = :after_received:X-Distorted-Warning: \
                        RCLNTLSNDR \
                        Apparently local sender, but received from remote \
                        server.\n\t\
                        sender=$sender_address, \
                        host=$sender_host_address

        ## OK.
        accept

DIVERT(null)
###--------------------------------------------------------------------------
### The obvious trivial router.

SECTION(routers, remote)m4_dnl
## Send mail on to a host in our own network.  We must apply extra security.
local:
        driver = dnslookup
        domains = ! +known : *.CONF_master_domain
        self = fail
        transport = smtp_local
        no_more

## Send mail on to unknown hosts.
remote:
        driver = dnslookup
        domains = ! +known
        self = fail
        transport = smtp
        no_more

DIVERT(null)
###----- That's all, folks --------------------------------------------------