base.m4: Be slacker about DH lengths.
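--- a/base.m4
+++ b/base.m4
@@ -73,7 +73,13 @@ received_header_text = Received: \
 ${if def:sender_address \
 {(envelope-from $sender_address\
 ${if def:authenticated_id \
- {; auth=$authenticated_id}})\n\t}}\
+ {; auth=${quote_local_part:$authenticated_id}} \
+ {${if and {{def:authenticated_sender} \
+ {match_address{$authenticated_sender} \
+ {*@CONF_master_domain}}} \
+ {; auth=${quote_local_part:\
+ ${local_part:\
+ $authenticated_sender}}}}}})\n\t}}\
 id $message_exim_id\
 ${if def:received_for {\n\tfor $received_for}}
@@ -81,11 +87,16 @@ SECTION(global, smtp)m4_dnl
 smtp_return_error_details = true
 accept_8bitmime = true
+SECTION(global, env)m4_dnl
+keep_environment =
+
 SECTION(global, process)m4_dnl
 extract_addresses_remove_arguments = false
 headers_charset = utf-8
 qualify_domain = CONF_master_domain
 untrusted_set_sender = *
+local_from_check = false
+local_sender_retain = true
 SECTION(global, bounce)m4_dnl
 delay_warning = 1h : 24h : 2d
@@ -142,6 +153,7 @@ SECTION(acl, misc)m4_dnl
 not_smtp_start:
 ## Record the user's name.
 warn set acl_c_user = $sender_ident
+ set acl_m_user = $sender_ident
 ## Done.
 accept
@@ -160,11 +172,10 @@ mail:
 warn condition = $acl_c_helo_warning
 !condition = ${if eq{$acl_c_mode}{submission}}
 !hosts = +allnets
- ADD_HEADER(<:X-CONF_header_token-Warning: \
- BADHELO \
- Client's HELO doesn't match its IP address.\n\t\
- helo-name=$sender_helo_name \
- address=$sender_host_address:>)
+ WARNING_HEADER(BADHELO,
+ <:Client's HELO doesn't match its IP address.\n\t\
+ helo-name=$sender_helo_name \
+ address=$sender_host_address:>)
 ## Always allow the empty sender, so that we can receive bounces.
 accept senders = :
@@ -308,6 +319,10 @@ mail_check_auth:
 deny message = Sender not authenticated
 condition = ${if !def:acl_c_user}
+ ## Set the per-message authentication flag, since we now know that
+ ## there's a sensible value.
+ warn set acl_m_user = $acl_c_user
+
 ## All done.
 accept
@@ -403,7 +418,7 @@ smtp:
 driver = smtp
 APPLY_HEADER_CHANGES
 tls_require_ciphers = CONF_acceptable_ciphers
- tls_dh_min_bits = 1020
+ tls_dh_min_bits = 508
 tls_tempfail_tryclear = true
 m4_define(<:SMTP_TRANS_DHBITS:>,
@@ -426,10 +441,14 @@ m4_define(<:SMTP_TRANS_DHBITS:>,
 {CONF_acceptable_ciphers})
 tls_dh_min_bits = $1
 tls_tempfail_tryclear = true:>)m4_dnl
+smtp_dhbits_512:
+ SMTP_TRANS_DHBITS(508)
+smtp_dhbits_768:
+ SMTP_TRANS_DHBITS(764)
 smtp_dhbits_1024:
 SMTP_TRANS_DHBITS(1020)
 smtp_dhbits_2048:
- SMTP_TRANS_DHBITS(2046)
+ SMTP_TRANS_DHBITS(2044)
 ## Transport to a local SMTP server; use TLS and perform client
 ## authentication.
@@ -443,9 +462,11 @@ smtp_local:
 tls_require_ciphers = CONF_good_ciphers
 tls_dh_min_bits = 2046
 tls_tempfail_tryclear = false
- authenticated_sender = ${if def:authenticated_id \
- {$authenticated_id@CONF_master_domain} \
- fail}
+ authenticated_sender_force = true
+ authenticated_sender = \
+ ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
+ {${if def:authenticated_sender {$authenticated_sender} \
+ fail}}}
 ## A standard transport for local delivery.
 deliver: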
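Review bot: The default `smtp` transport's new `tls_dh_min_bits = 508` carries no comment recording why a 512-bit group is acceptable, and a floor that low only protects against passive eavesdroppers who cannot solve discrete logs in export-grade groups. Since the transport also sets `tls_tempfail_tryclear = true`, the rationale is presumably that weak TLS still beats the cleartext retry; I would state that above the option, e.g. `## Opportunistic TLS only: a weak DH group is still better than falling back to clear.` Separately, `smtp_dhbits_2048` now passes 2044 while the `smtp_local` context lines still show `tls_dh_min_bits = 2046`, so the same slack should either be applied there or the difference explained in a comment.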