X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/43e6fc69a87f565ff769ac74e20423440e711080..3e031e77077b40a0334fd4c41ea1f0f25ee73158:/base.m4 diff --git a/base.m4 b/base.m4 index 467e82f..d43a6f0 100644 --- a/base.m4 +++ b/base.m4 @@ -26,6 +26,7 @@ SECTION(global, priv)m4_dnl admin_groups = CONF_admin_groups +trusted_groups = CONF_trusted_groups prod_requires_admin = false SECTION(global, logging)m4_dnl @@ -39,7 +40,7 @@ syslog_timestamp = false SECTION(global, daemon)m4_dnl local_interfaces = <; CONF_interfaces -extra_local_interfaces = <; 0.0.0.0 ; :: +extra_local_interfaces = <; 0.0.0.0 ; ::0 SECTION(global, resource)m4_dnl deliver_queue_load_max = 8 @@ -60,9 +61,7 @@ gecos_pattern = ([^,:]*) SECTION(global, incoming)m4_dnl received_header_text = Received: \ ${if def:sender_rcvhost \ - {from $sender_rcvhost\ - ${if def:sender_helo_name \ - { (helo=$sender_helo_name)}}\n\t} \ + {from $sender_rcvhost\n\t} \ {${if def:sender_ident \ {from ${quote_local_part:$sender_ident} }}}}\ by $primary_hostname \ @@ -90,6 +89,18 @@ qualify_domain = CONF_master_domain SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d +SECTION(global, tls)m4_dnl +tls_certificate = CONF_sysconf_dir/server.certlist +tls_privatekey = CONF_sysconf_dir/server.key +tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}} +tls_dhparam = CONF_ca_dir/dh-param-2048.pem +tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \ + {match_ip {$sender_host_address}{+trusted}}} \ + {CONF_good_ciphers} \ + {CONF_acceptable_ciphers}} +tls_verify_certificates = CONF_ca_dir/ca.cert +tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}} + DIVERT(null) ###-------------------------------------------------------------------------- ### Access control lists. @@ -107,19 +118,34 @@ helo: ## and we should only care about the most recent one. warn set acl_c_helo_warning = false !condition = \ + ${if and {{match_ip {$sender_host_address} \ + {<; 127.0.0.0/8 ; ::1}} \ + {match_domain {$sender_helo_name} \ + {localhost : +thishost}}}} + !condition = \ ${if exists {CONF_sysconf_dir/helo.conf} \ {${lookup {$sender_helo_name} \ partial0-lsearch \ {CONF_sysconf_dir/helo.conf} \ {${if match_ip \ {$sender_host_address} \ - {$value}}}}}} + {<; $value}}}}}} !verify = helo set acl_c_helo_warning = true accept SECTION(global, acl)m4_dnl +acl_not_smtp_start = not_smtp_start +SECTION(acl, misc)m4_dnl +not_smtp_start: + ## Record the user's name. + warn set acl_c_user = $sender_ident + + ## Done. + accept + +SECTION(global, acl)m4_dnl acl_smtp_mail = mail SECTION(acl, mail)m4_dnl mail: @@ -130,26 +156,49 @@ mail: add_header = :after_received:X-Distorted-Warning: \ BADHELO \ Client's HELO doesn't match its IP address.\n\t\ - HELO name = $sender_helo_name, \ - address = $sender_host_address + helo-name=$sender_helo_name \ + address=$sender_host_address ## Always allow the empty sender, so that we can receive bounces. accept senders = : - ## Ensure that the sender is routable. This is important to prevent - ## undeliverable bounces. - require message = Invalid sender; \ - ($sender_verify_failure; $acl_verify_message) - verify = sender + ## Ensure that the sender looks valid. + require acl = mail_check_sender ## If this is directly from a client then hack on it for a while. warn condition = ${if eq{$acl_c_mode}{submission}} control = submission + ## Insist that a local client connect through TLS. + deny message = Hosts within CONF_master_domain must use TLS + !condition = ${if eq{$acl_c_mode}{submission}} + hosts = +allnets + !encrypted = * + + ## Check that a submitted message's sender address is allowable. + require acl = mail_check_auth + SECTION(acl, mail-tail)m4_dnl ## And we're done. accept +SECTION(acl, misc)m4_dnl +mail_check_sender: + + ## See whether there's a special exception for this sender domain. + accept senders = ${LOOKUP_DOMAIN($sender_address_domain, + {KV(senders, {$value}{})}, + {})} + + ## Ensure that the sender is routable. This is important to prevent + ## undeliverable bounces. + require message = Invalid sender; \ + ($sender_verify_failure; $acl_verify_message) + verify = sender + + ## We're good, then. + accept + SECTION(global, acl)m4_dnl acl_smtp_connect = connect SECTION(acl, connect)m4_dnl @@ -163,7 +212,7 @@ SECTION(acl, connect-tail)m4_dnl check_submission: ## See whether this message needs hacking on. - accept !hosts = +localnet + accept !hosts = +thishost !condition = ${if ={$received_port}{CONF_submission_port}} set acl_c_mode = relay @@ -180,16 +229,35 @@ rcpt: ## Reject if the client isn't allowed to relay and the recipient ## isn't in one of our known domains. - deny message = Relaying not permitted - !hosts = CONF_relay_clients - !authenticated = * - !domains = +known + require message = Relaying not permitted + acl = check_relay ## Ensure that the recipient is routable. require message = Invalid recipient \ ($recipient_verify_failure; $acl_verify_message) verify = recipient +SECTION(acl, misc)m4_dnl +check_relay: + ## Accept either if the client is allowed to relay through us, or if + ## we're the correct place to send this mail. + + ## Known clients and authenticated users are OK. + accept hosts = CONF_relay_clients + accept authenticated = * + + ## Known domains are OK. + accept domains = +public + + ## Finally, domains in our table are OK, unless they say they aren't. + accept domains = \ + ${if exists{CONF_sysconf_dir/domains.conf} \ + {partial0-lsearch; CONF_sysconf_dir/domains.conf}} + condition = DOMKV(service, {$value}{true}) + + ## Nope, that's not allowed. + deny + SECTION(acl, rcpt-tail)m4_dnl ## Everything checks out OK: let this one go through. accept @@ -205,13 +273,67 @@ SECTION(acl, data-tail)m4_dnl SECTION(global, acl)m4_dnl acl_smtp_expn = expn_vrfy acl_smtp_vrfy = expn_vrfy -SECTION(acl)m4_dnl +SECTION(acl, misc)m4_dnl expn_vrfy: accept hosts = +trusted deny message = Suck it and see DIVERT(null) ###-------------------------------------------------------------------------- +### Verification of sender address. + +SECTION(acl, misc)m4_dnl +mail_check_auth: + + ## If this isn't a submission then it doesn't need checking. + accept condition = ${if !eq{$acl_c_mode}{submission}} + + ## If the caller hasn't formally authenticated, but this is a + ## loopback connection, then we can trust identd to tell us the right + ## answer. So we should stash the right name somewhere consistent. + warn set acl_c_user = $authenticated_id + hosts = +thishost + !authenticated = * + condition = ${if def:sender_ident} + set acl_c_user = $sender_ident + + ## User must be authenticated by now. + deny message = Sender not authenticated + condition = ${if !def:acl_c_user} + + ## Make sure that the local part is one that the authenticated sender + ## is allowed to claim. + deny message = Sender address forbidden to calling user + !condition = \ + ${if exists {CONF_sysconf_dir/auth-sender.conf} \ + {${lookup {$acl_c_user} \ + lsearch \ + {CONF_sysconf_dir/auth-sender.conf} \ + {${if match_address \ + {$sender_address} \ + {+value}}} \ + {false}}}} + !condition = ${LOOKUP_DOMAIN($sender_address_domain, + {${if and {{match_local_part \ + {$acl_c_user} \ + {+dom_users}} \ + {match_local_part \ + {$sender_address_local_part} \ + {+dom_locals}}}}}, + {${if and {{match_local_part \ + {$sender_address_local_part} \ + {+user_extaddr}} \ + {or {{eq {$sender_address_domain} \ + {}} \ + {match_domain \ + {$sender_address_domain} \ + {+public}}}}}}})} + + ## All done. + accept + +DIVERT(null) +###-------------------------------------------------------------------------- ### Common options for forwarding routers. ## We're pretty permissive here. @@ -242,12 +364,36 @@ m4_define(<:FILTER_VERIFY:>, ## Transports for redirection filters. m4_define(<:FILTER_TRANSPORTS:>, - <:verify = false - file_transport = mailbox + <:file_transport = mailbox directory_transport = maildir pipe_transport = pipe reply_transport = reply:>) +m4_define(<:FILTER_ROUTER:>, +<:$1_vrf: + $2 + FILTER_VERIFY<::>$3 +$1: + $2 + verify = no + FILTER_TRANSPORTS<::>$4:>) + +DIVERT(null) +###-------------------------------------------------------------------------- +### Common routers. + +SECTION(routers, alias)m4_dnl +## Look up the local part in the address map. +alias: + driver = redirect + allow_fail = true + allow_defer = true + user = CONF_filter_user + FILTER_TRANSPORTS + local_parts = nwildlsearch; CONF_alias_file + data = ${expand:$local_part_data} +SECTION(routers, alias-opts)m4_dnl + DIVERT(null) ###-------------------------------------------------------------------------- ### Some standard transports. @@ -258,21 +404,48 @@ m4_define(<:USER_DELIVERY:>, return_path_add = true:>) SECTION(transports)m4_dnl -## A standard transport for remote delivery. Try to do TLS, and don't worry -## too much if it's not very secure: the alternative is sending in plaintext -## anyway. +## A standard transport for remote delivery. By default, try to do TLS, and +## don't worry too much if it's not very secure: the alternative is sending +## in plaintext anyway. But all of this can be overridden from the +## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't +## expanded before use, so we can't set it the obvious way. Instead, encode +## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp tls_require_ciphers = CONF_acceptable_ciphers tls_dh_min_bits = 1020 tls_tempfail_tryclear = true +m4_define(<:SMTP_TRANS_DHBITS:>, + <:driver = smtp + hosts_try_auth = * + hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) + hosts_require_auth = \ + ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}} + tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail) + tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail) + tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail) + tls_require_ciphers = \ + DOMKV(tls-ciphers, + {${extract {${expand:$value}} \ + { good = CONF_good_ciphers \ + any = CONF_acceptable_ciphers } \ + {$value} \ + {${expand:$value}}}} \ + {CONF_acceptable_ciphers}) + tls_dh_min_bits = $1 + tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_1024: + SMTP_TRANS_DHBITS(1020) +smtp_dhbits_2048: + SMTP_TRANS_DHBITS(2046) + ## Transport to a local SMTP server; use TLS and perform client ## authentication. smtp_local: driver = smtp hosts_require_tls = * - tls_certificate = CONF_sysconf_dir/client.cert + tls_certificate = CONF_sysconf_dir/client.certlist tls_privatekey = CONF_sysconf_dir/client.key tls_verify_certificates = CONF_ca_dir/ca.cert tls_require_ciphers = CONF_good_ciphers