X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/459abd49cc42a453248daa955678e01bc6e31492..4587a70452f5ce0212dd2345b78cab56b8cde025:/base.m4

diff --git a/base.m4 b/base.m4
index 90e20f2..e74803d 100644
--- a/base.m4
+++ b/base.m4
@@ -128,7 +128,7 @@ helo:
 				       {CONF_sysconf_dir/helo.conf} \
 				       {${if match_ip \
 					     {$sender_host_address} \
-					     {$value}}}}}}
+					     {<; $value}}}}}}
 		!verify = helo
 		 set acl_c_helo_warning = true
 
@@ -214,16 +214,35 @@ rcpt:
 
 	## Reject if the client isn't allowed to relay and the recipient
 	## isn't in one of our known domains.
-	deny	 message = Relaying not permitted
-		!hosts = CONF_relay_clients
-		!authenticated = *
-		!domains = +known
+	require	 message = Relaying not permitted
+		 acl = check_relay
 
 	## Ensure that the recipient is routable.
 	require	 message = Invalid recipient \
 			($recipient_verify_failure; $acl_verify_message)
 		 verify = recipient
 
+SECTION(acl, misc)m4_dnl
+check_relay:
+	## Accept either if the client is allowed to relay through us, or if
+	## we're the correct place to send this mail.
+
+	## Known clients and authenticated users are OK.
+	accept	  hosts = CONF_relay_clients
+	accept	  authenticated = *
+
+	## Known domains are OK.
+	accept	  domains = +public
+
+	## Finally, domains in our table are OK, unless they say they aren't.
+	accept	  domains = \
+		${if exists{CONF_sysconf_dir/domains.conf} \
+		     {partial0-lsearch;	CONF_sysconf_dir/domains.conf}}
+		  condition = DOMKV(service, {$value}{true})
+
+	## Nope, that's not allowed.
+	deny
+
 SECTION(acl, rcpt-tail)m4_dnl
 	## Everything checks out OK: let this one go through.
 	accept