X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/6aae076feb9b8fc05099dc68fc00100472004701..534d411b5c96107030e30da491e06734ea09a7b3:/base.m4 diff --git a/base.m4 b/base.m4 index 8211506..204be0a 100644 --- a/base.m4 +++ b/base.m4 @@ -345,15 +345,42 @@ m4_define(<:USER_DELIVERY:>, return_path_add = true:>) SECTION(transports)m4_dnl -## A standard transport for remote delivery. Try to do TLS, and don't worry -## too much if it's not very secure: the alternative is sending in plaintext -## anyway. +## A standard transport for remote delivery. By default, try to do TLS, and +## don't worry too much if it's not very secure: the alternative is sending +## in plaintext anyway. But all of this can be overridden from the +## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't +## expanded before use, so we can't set it the obvious way. Instead, encode +## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp tls_require_ciphers = CONF_acceptable_ciphers tls_dh_min_bits = 1020 tls_tempfail_tryclear = true +m4_define(<:SMTP_TRANS_DHBITS:>, + <:driver = smtp + hosts_try_auth = * + hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) + hosts_require_auth = \ + ${if bool {DOMKV(require-auth, {$value}{false})} {*}{}} + tls_certificate = DOMKV(tls-certificate, {${expand:$value}}fail) + tls_privatekey = DOMKV(tls-private-key, {${expand:$value}}fail) + tls_verify_certificates = DOMKV(tls-peer-ca, {${expand:$value}}fail) + tls_require_ciphers = \ + DOMKV(tls-ciphers, + {${extract {${expand:$value}} \ + { good = CONF_good_ciphers \ + any = CONF_acceptable_ciphers } \ + {$value} \ + {${expand:$value}}}} \ + {CONF_acceptable_ciphers}) + tls_dh_min_bits = $1 + tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_1024: + SMTP_TRANS_DHBITS(1020) +smtp_dhbits_2048: + SMTP_TRANS_DHBITS(2046) + ## Transport to a local SMTP server; use TLS and perform client ## authentication. smtp_local:
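Review bot: In the new SMTP_TRANS_DHBITS macro, `hosts_require_auth` becomes `*` whenever the domain's `require-auth` key is true, but `hosts_require_tls` becomes `*` only when a `tls-peer-ca` is configured, so a domain that requires authentication without a peer CA will still authenticate to a host that offers no STARTTLS; whether that sends a credential in clear depends on the authenticators' `client_condition` (outside this hunk), so either extend the `hosts_require_tls` expansion to also yield `*` when `require-auth` is true, or record in the header comment that the client authenticators must be gated on `$tls_out_cipher`. Setting `tls_verify_certificates` by itself does not on every Exim release make a failed verification fatal (newer releases control that with `tls_verify_hosts`/`tls_try_verify_hosts`), so a comment beside that line such as `## NOTE: verification is only fatal if this Exim defaults tls_verify_hosts to these hosts; set it explicitly if not` would pin the intent. The arguments `1020` and `2046` differ from the `_1024`/`_2048` suffixes of the transport names; a one-line comment explaining the slack (presumably to tolerate DH primes a few bits short of the nominal size — confirm) would stop a later reader from "correcting" them.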