X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/a0375fd97549cd5492cd879cc1fed9ae0e789a0b..54341a709aa83dc80f23cc6a327e9c68dfd6e872:/base.m4

diff --git a/base.m4 b/base.m4
index d64f7a6..32cf73e 100644
--- a/base.m4
+++ b/base.m4
@@ -105,7 +105,7 @@ SECTION(global, bounce)m4_dnl
 delay_warning = 1h : 24h : 2d
 
 SECTION(global, tls)m4_dnl
-tls_certificate = CONF_sysconf_dir/server.certlist
+tls_certificate = CONF_certlist
 tls_privatekey = CONF_sysconf_dir/server.key
 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
@@ -125,6 +125,10 @@ SECTION(global, acl)m4_dnl
 acl_smtp_helo = helo
 SECTION(acl, misc)m4_dnl
 helo:
+	## Don't worry if this is local submission.  MUAs won't necessarily
+	## have a clear idea of their hostnames.  (For some reason.)
+	accept	 condition = ${if !eq{$acl_c_mode}{submission}}
+
 	## Check that the caller's claimed identity is actually plausible.
 	## This seems like it's a fairly effective filter on spamminess, but
 	## it's too blunt a tool.  Rather than reject, add a warning header.
@@ -239,6 +243,7 @@ check_submission:
 
 	## Remember to apply submission controls.
 	warn	 set acl_c_mode = submission
+		 control = no_enforce_sync
 
 	## Done.
 	accept
@@ -287,6 +292,10 @@ SECTION(global, acl)m4_dnl
 acl_smtp_data = data
 SECTION(acl, data)m4_dnl
 data:
+	## Don't accept messages with overly-long lines.
+	deny	 message = line length exceeds SMTP permitted maximum: \
+			$max_received_linelength > 998
+		 condition = ${if >{$max_received_linelength}{998}}
 
 SECTION(acl, data-tail)m4_dnl
 	accept
@@ -410,6 +419,11 @@ m4_define(<:APPLY_HEADER_CHANGES:>,
 		<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
 		$2:>):>)
 
+m4_define(<:SMTP_DELIVERY:>,
+	<:## Prevent sending messages with overly long lines.  The use of
+	## `message_size_limit' here is somewhat misleading.
+	message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
+
 SECTION(transports)m4_dnl
 ## A standard transport for remote delivery.  By default, try to do TLS, and
 ## don't worry too much if it's not very secure: the alternative is sending
@@ -426,6 +440,7 @@ smtp:
 
 m4_define(<:SMTP_TRANS_DHBITS:>,
 	<:driver = smtp
+	SMTP_DELIVERY
 	APPLY_HEADER_CHANGES
 	hosts_try_auth = *
 	hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
@@ -457,6 +472,7 @@ smtp_dhbits_2048:
 ## authentication.
 smtp_local:
 	driver = smtp
+	SMTP_DELIVERY
 	APPLY_HEADER_CHANGES
 	hosts_require_tls = *
 	tls_certificate = CONF_sysconf_dir/client.certlist