X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/185b5456076ca86959643ce2f19c98c0f82f281e..7c43ea06b0694c3a1f50cb1ef17f48271f28b8ce:/exchange.m4
diff --git a/exchange.m4 b/exchange.m4
index 08fe4a0..b4cb02b 100644
--- a/exchange.m4
+++ b/exchange.m4
@@ -24,17 +24,8 @@
 ###--------------------------------------------------------------------------
 ### Listen for incoming connections.
-SECTION(global, tls)m4_dnl
-tls_certificate = CONF_sysconf_dir/server.cert
-tls_privatekey = CONF_sysconf_dir/server.key
-tls_advertise_hosts = *
-tls_dhparam = CONF_ca_dir/dh-param.pem
-tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
- {match_ip {$sender_host_address}{+trusted}}} \
- {CONF_good_ciphers} \
- {CONF_acceptable_ciphers}}
-tls_verify_certificates = CONF_ca_dir/ca.cert
-tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
+SECTION(global, daemon)m4_dnl
+daemon_smtp_ports = CONF_smtp_port : CONF_submission_port
 DIVERT(null)
 ###--------------------------------------------------------------------------
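Review bot: The new `daemon_smtp_ports` line opens the submission port while the only TLS policy visible in this file (`tls_advertise_hosts`, the port-dependent `tls_require_ciphers`, `tls_verify_certificates`, `tls_verify_hosts`) is deleted in the same hunk with no replacement here. If the `SECTION(global, tls)` block was moved to another file that is fine, but the diff covers only exchange.m4, so a reader of this file now sees a submission listener with no stated TLS or client-verification requirement. I would add a pointer next to the new section, along the lines of `## TLS (certificate, ciphers, client verification) is configured in <file>` with the real location filled in, so the two settings are not drifted apart later. If the TLS section was in fact dropped rather than moved, the submission port should not be enabled until it is restored.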
@@ -44,38 +35,66 @@ SECTION(acl, mail-hooks)m4_dnl ## Check that a submitted message's sender address is allowable. require acl = mail_client_addr - ## Insist that a local client connect through TLS. - deny message = Hosts within CONF_master_domain must use TLS - !condition = ${if eq{$acl_c_mode}{submission}} - hosts = +allnets - !encrypted = * - SECTION(acl, misc)m4_dnl mail_client_addr: ## If this is a message submission then that's handled elsewhere. accept condition = ${if eq{$acl_c_mode}{submission}} - ## Make sure that the sender matches the client address. - require message = Client host invalid for sender domain - hosts = ${LOOKUP_DOMAIN($sender_address_domain, + ## Make sure that the sender matches the client address. I feel like + ## I want to reject these, but that will break stuff. For example, + ## if I send mail to an externally hosted address which is really a + ## distribution list containing some local address, then we'll + ## (approximately legitimately) receive mail with an apparently-local + ## sender from a remote host. + warn !hosts = ${LOOKUP_DOMAIN($sender_address_domain, {KV(hosts, {$value}{+allnets})}, {${if match_domain {$sender_address_domain} \ {+public} \ {+allnets}{! +allnets}}})} + WARNING_HEADER(RCLNTLSNDR, + <:Apparently local sender, but received from remote \ + server.\n\t\ + sender=$sender_address \ + host=$sender_host_address:>) ## OK. accept DIVERT(null) ###-------------------------------------------------------------------------- +### Rename locally-meaningful headers in mail from outside. + +m4_define(<:DISTORTED_HEADERS:>, +<:X-CONF_header_token-SpamAssassin-Score, +X-CONF_header_token-SpamAssassin-Status:>) + +SECTION(acl, data)m4_dnl + ## If this message is coming from outside then rename headers which + ## look like the ones we're likely to add. This is most relevant for + ## our spam-report headers, because I'm not sure I understand why + ## someone would want to fake an X-Distorted-Warning header. 
+ warn !condition = ${if eq{$acl_c_mode}{submission}} + !hosts = +allnets + set acl_m_hdradd = ${if def:acl_m_hdradd{$acl_m_hdradd}}\ + RENAME_HEADERS_ADD(<:DISTORTED_HEADERS:>) + set acl_m_hdrrm = ${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\ + RENAME_HEADERS_REMOVE(<:DISTORTED_HEADERS:>) + +DIVERT(null) +###-------------------------------------------------------------------------- ### The obvious trivial router. SECTION(routers, remote)m4_dnl ## Send mail on to a host in our own network. We must apply extra security. local: driver = dnslookup - domains = ! +known : *.CONF_master_domain + domains = ${if bool {${LOOKUP_DOMAIN($domain, + {KV(service, {$value}{true})}, + {false})}} \ + {}{ ! +public : \ + CONF_master_domain : \ + *.CONF_master_domain }} self = fail transport = smtp_local no_more @@ -83,7 +102,10 @@ local: ## Send mail on to unknown hosts. remote: driver = dnslookup - domains = ! +known + domains = ${if bool {${LOOKUP_DOMAIN($domain, + {KV(service, {$value}{true})}, + {false})}} \ + {}{ ! +public }} self = fail transport = smtp no_more
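Review bot: Removing the `deny ... Hosts within CONF_master_domain must use TLS` rule at the top of this hunk means a host in `+allnets` that is not in submission mode can now hand mail to the exchange in clear text, and nothing else in the hunk replaces that check; if the requirement moved to another file or to the transport side, a one-line comment saying so (`## Cleartext from +allnets is refused in <file>`) would save the next reader from re-adding it. A second, smaller point in the header-renaming `warn`: `acl_m_hdradd` is accumulated with no separator (`${if def:acl_m_hdradd{$acl_m_hdradd}}RENAME_HEADERS_ADD(...)`) while `acl_m_hdrrm` is joined with `:`; that is only correct if `RENAME_HEADERS_ADD` ends its output with a newline, which this file does not show, so it is worth a comment such as `## RENAME_HEADERS_ADD emits newline-terminated header lines, so no separator is needed` or a `\n` separator to match the `:` on the line below. The enclosing `mail-hooks` ACL starts before the first line of this hunk.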
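Review bot: The new `domains` expansion on the `remote` router wraps `KV(service, {$value}{true})` in `${if bool {...}}`, and `bool` makes the expansion fail outright (it does not return false) for any string other than Exim's recognised true/false/yes/no/number forms; if the domain lookup's `service` key can carry any other value, the router will fail to route that domain instead of declining. The same expression is duplicated verbatim in the `local` router earlier in this hunk sequence, so it would be safer and easier to keep in sync as a single m4 macro used by both routers, with the accepted values of `service` documented on the macro.
```m4
## True if LOOKUP_DOMAIN marks $domain as a "service" domain; the
## `service' value must be an Exim boolean (true/false/yes/no/number),
## anything else makes `bool' fail the whole expansion.
m4_define(<:IS_SERVICE_DOMAIN:>,
<:${if bool {${LOOKUP_DOMAIN($domain,
	{KV(service, {$value}{true})},
	{false})}}:>)

m4_dnl … unchanged: local router, now `domains = ${if IS_SERVICE_DOMAIN {}{ ! +public : CONF_master_domain : *.CONF_master_domain }}` …
m4_dnl … unchanged: remote router, now `domains = ${if IS_SERVICE_DOMAIN {}{ ! +public }}` …
```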