X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/284c9d7ee4b07b87c8db9e85ae3e16511d3b6798..534d411b5c96107030e30da491e06734ea09a7b3:/base.m4 diff --git a/base.m4 b/base.m4 index ac6b95c..204be0a 100644 --- a/base.m4 +++ b/base.m4 @@ -60,9 +60,7 @@ gecos_pattern = ([^,:]*) SECTION(global, incoming)m4_dnl received_header_text = Received: \ ${if def:sender_rcvhost \ - {from $sender_rcvhost\ - ${if def:sender_helo_name \ - { (helo=$sender_helo_name)}}\n\t} \ + {from $sender_rcvhost\n\t} \ {${if def:sender_ident \ {from ${quote_local_part:$sender_ident} }}}}\ by $primary_hostname \ @@ -90,6 +88,18 @@ qualify_domain = CONF_master_domain SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d +SECTION(global, tls)m4_dnl +tls_certificate = CONF_sysconf_dir/server.cert +tls_privatekey = CONF_sysconf_dir/server.key +tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}} +tls_dhparam = CONF_ca_dir/dh-param-2048.pem +tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \ + {match_ip {$sender_host_address}{+trusted}}} \ + {CONF_good_ciphers} \ + {CONF_acceptable_ciphers}} +tls_verify_certificates = CONF_ca_dir/ca.cert +tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}} + DIVERT(null) ###-------------------------------------------------------------------------- ### Access control lists. @@ -107,6 +117,11 @@ helo: ## and we should only care about the most recent one. warn set acl_c_helo_warning = false !condition = \ + ${if and {{match_ip {$sender_host_address} \ + {<; 127.0.0.0/8 ; ::1}} \ + {match_domain {$sender_helo_name} \ + {localhost : +thishost}}}} + !condition = \ ${if exists {CONF_sysconf_dir/helo.conf} \ {${lookup {$sender_helo_name} \ partial0-lsearch \ @@ -140,7 +155,7 @@ mail: add_header = :after_received:X-Distorted-Warning: \ BADHELO \ Client's HELO doesn't match its IP address.\n\t\ - HELO name=$sender_helo_name, \ + helo-name=$sender_helo_name \ address=$sender_host_address ## Always allow the empty sender, so that we can receive bounces. @@ -182,7 +197,7 @@ SECTION(acl, connect-tail)m4_dnl check_submission: ## See whether this message needs hacking on. - accept !hosts = +localnet + accept !hosts = +thishost !condition = ${if ={$received_port}{CONF_submission_port}} set acl_c_mode = relay @@ -243,13 +258,13 @@ mail_check_auth: ## loopback connection, then we can trust identd to tell us the right ## answer. So we should stash the right name somewhere consistent. warn set acl_c_user = $authenticated_id - hosts = +localnet + hosts = +thishost !authenticated = * set acl_c_user = $sender_ident ## User must be authenticated. deny message = Sender not authenticated - !hosts = +localnet + !hosts = +thishost !authenticated = * ## Make sure that the local part is one that the authenticated sender @@ -330,15 +345,42 @@ m4_define(<:USER_DELIVERY:>, return_path_add = true:>) SECTION(transports)m4_dnl -## A standard transport for remote delivery. Try to do TLS, and don't worry -## too much if it's not very secure: the alternative is sending in plaintext -## anyway. +## A standard transport for remote delivery. By default, try to do TLS, and +## don't worry too much if it's not very secure: the alternative is sending +## in plaintext anyway. But all of this can be overridden from the +## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't +## expanded before use, so we can't set it the obvious way. Instead, encode +## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp tls_require_ciphers = CONF_acceptable_ciphers tls_dh_min_bits = 1020 tls_tempfail_tryclear = true +m4_define(<:SMTP_TRANS_DHBITS:>, + <:driver = smtp + hosts_try_auth = * + hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) + hosts_require_auth = \ + ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}} + tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail) + tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail) + tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail) + tls_require_ciphers = \ + DOMKV(tls-ciphers, + {${extract {${expand:$value}} \ + { good = CONF_good_ciphers \ + any = CONF_acceptable_ciphers } \ + {$value} \ + {${expand:$value}}}} \ + {CONF_acceptable_ciphers}) + tls_dh_min_bits = $1 + tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_1024: + SMTP_TRANS_DHBITS(1020) +smtp_dhbits_2048: + SMTP_TRANS_DHBITS(2046) + ## Transport to a local SMTP server; use TLS and perform client ## authentication. smtp_local: