### -*-m4-*- ### ### Transmission to remote hosts for distorted.org.uk Exim configuration. ### ### (c) 2012 Mark Wooding ### ###----- Licensing notice --------------------------------------------------- ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of the GNU General Public License as published by ### the Free Software Foundation; either version 2 of the License, or ### (at your option) any later version. ### ### This program is distributed in the hope that it will be useful, ### but WITHOUT ANY WARRANTY; without even the implied warranty of ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ### GNU General Public License for more details. ### ### You should have received a copy of the GNU General Public License ### along with this program; if not, write to the Free Software Foundation, ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ###-------------------------------------------------------------------------- ### Listen for incoming connections. SECTION(global, daemon)m4_dnl daemon_smtp_ports = CONF_smtp_port : CONF_submission_port SECTION(global, tls)m4_dnl tls_certificate = CONF_sysconf_dir/server.cert tls_privatekey = CONF_sysconf_dir/server.key tls_advertise_hosts = * tls_dhparam = CONF_ca_dir/dh-param-2048.pem tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \ {match_ip {$sender_host_address}{+trusted}}} \ {CONF_good_ciphers} \ {CONF_acceptable_ciphers}} tls_verify_certificates = CONF_ca_dir/ca.cert tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}} DIVERT(null) ###-------------------------------------------------------------------------- ### Check source addresses for apparently local senders. SECTION(acl, mail-hooks)m4_dnl ## Check that a submitted message's sender address is allowable. require acl = mail_client_addr ## Insist that a local client connect through TLS. deny message = Hosts within CONF_master_domain must use TLS !condition = ${if eq{$acl_c_mode}{submission}} hosts = +allnets !encrypted = * SECTION(acl, misc)m4_dnl mail_client_addr: ## If this is a message submission then that's handled elsewhere. accept condition = ${if eq{$acl_c_mode}{submission}} ## Make sure that the sender matches the client address. I feel like ## I want to reject these, but that will break stuff. For example, ## if I send mail to an externally hosted address which is really a ## distribution list containing some local address, then we'll ## (approximately legitimately) receive mail with an apparently-local ## sender from a remote host. warn !hosts = ${LOOKUP_DOMAIN($sender_address_domain, {KV(hosts, {$value}{+allnets})}, {${if match_domain {$sender_address_domain} \ {+public} \ {+allnets}{! +allnets}}})} add_header = :after_received:X-Distorted-Warning: \ RCLNTLSNDR \ Apparently local sender, but received from remote \ server.\n\t\ sender=$sender_address, \ host=$sender_host_address ## OK. accept DIVERT(null) ###-------------------------------------------------------------------------- ### The obvious trivial router. SECTION(routers, remote)m4_dnl ## Send mail on to a host in our own network. We must apply extra security. local: driver = dnslookup domains = ! +known : *.CONF_master_domain self = fail transport = smtp_local no_more ## Send mail on to unknown hosts. remote: driver = dnslookup domains = ! +known self = fail transport = smtp no_more DIVERT(null) ###----- That's all, folks --------------------------------------------------