SECTION(global, priv)m4_dnl
admin_groups = CONF_admin_groups
+trusted_groups = CONF_trusted_groups
prod_requires_admin = false
SECTION(global, logging)m4_dnl
SECTION(global, daemon)m4_dnl
local_interfaces = <; CONF_interfaces
-extra_local_interfaces = <; 0.0.0.0 ; ::
+extra_local_interfaces = <; 0.0.0.0 ; ::0
SECTION(global, resource)m4_dnl
deliver_queue_load_max = 8
delay_warning = 1h : 24h : 2d
SECTION(global, tls)m4_dnl
-tls_certificate = CONF_sysconf_dir/server.cert
+tls_certificate = CONF_sysconf_dir/server.certlist
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
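Review bot: `tls_advertise_hosts` still tests only for `server.key`, while `tls_certificate` now points at `server.certlist`. A host that has the key and the old `server.cert` but no `server.certlist` would advertise STARTTLS and then presumably fail the handshake, which for opportunistic peers can mean deferred mail or a retry without TLS. Consider gating on both files: `tls_advertise_hosts = ${if and{{exists{CONF_sysconf_dir/server.key}}{exists{CONF_sysconf_dir/server.certlist}}} {*}{}}`. A short comment saying what `server.certlist` is expected to contain (the rename suggests leaf certificate plus chain, but the page does not say) would help whoever provisions it.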
{CONF_sysconf_dir/helo.conf} \
{${if match_ip \
{$sender_host_address} \
- {$value}}}}}}
+ {<; $value}}}}}}
!verify = helo
set acl_c_helo_warning = true
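Review bot: The `<; ` prefix in `{<; $value}` switches the `match_ip` list separator to `;`, so values in `helo.conf` must now be semicolon-separated. Any existing colon-separated entry would no longer be split into separate items and would presumably stop matching. A comment above the lookup such as `## helo.conf values are ;-separated IP lists, since IPv6 literals contain colons` would make the data format explicit. The enclosing condition starts above the visible lines, so the effect of a non-match cannot be judged from here.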
## Always allow the empty sender, so that we can receive bounces.
accept senders = :
- ## Ensure that the sender is routable. This is important to prevent
- ## undeliverable bounces.
- require message = Invalid sender; \
- ($sender_verify_failure; $acl_verify_message)
- verify = sender
+ ## Ensure that the sender looks valid.
+ require acl = mail_check_sender
## If this is directly from a client then hack on it for a while.
warn condition = ${if eq{$acl_c_mode}{submission}}
## And we're done.
accept
+SECTION(acl, misc)m4_dnl
+mail_check_sender:
+
+ ## See whether there's a special exception for this sender domain.
+ accept senders = ${LOOKUP_DOMAIN($sender_address_domain,
+ {KV(senders, {$value}{})},
+ {})}
+
+ ## Ensure that the sender is routable. This is important to prevent
+ ## undeliverable bounces.
+ require message = Invalid sender; \
+ ($sender_verify_failure; $acl_verify_message)
+ verify = sender
+
+ ## We're good, then.
+ accept
+
SECTION(global, acl)m4_dnl
acl_smtp_connect = connect
SECTION(acl, connect)m4_dnl
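Review bot: The exception at the top of `mail_check_sender` is keyed on `$sender_address_domain`, which comes from the unauthenticated envelope sender, so any client that claims a listed domain in MAIL FROM is accepted before `verify = sender` runs. If the exception is meant for specific relays, restrict the same statement by source as well, for example by adding `hosts = +trusted` (or a dedicated host list) alongside the `senders = ...` condition. The expected value of the `senders` key should also be documented next to the lookup, e.g. `## senders=<address list>: matching envelope senders skip the routability check`, noting that a broad pattern such as `*` turns sender verification off for that domain. When the lookup finds nothing the expansion is empty and the `accept` should not match, which looks like the intended fall-through to `verify = sender`.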
SECTION(global, acl)m4_dnl
acl_smtp_expn = expn_vrfy
acl_smtp_vrfy = expn_vrfy
-SECTION(acl)m4_dnl
+SECTION(acl, misc)m4_dnl
expn_vrfy:
accept hosts = +trusted
deny message = Suck it and see
smtp_local:
driver = smtp
hosts_require_tls = *
- tls_certificate = CONF_sysconf_dir/client.cert
+ tls_certificate = CONF_sysconf_dir/client.certlist
tls_privatekey = CONF_sysconf_dir/client.key
tls_verify_certificates = CONF_ca_dir/ca.cert
tls_require_ciphers = CONF_good_ciphers