X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/ae9744ce099209f94e7a5b73e47d99af7e712163..08248c8fccb1e6a40d2034208a193e7535f7dc9c:/base.m4 diff --git a/base.m4 b/base.m4 index 523e475..adbc2fb 100644 --- a/base.m4 +++ b/base.m4 @@ -214,16 +214,35 @@ rcpt: ## Reject if the client isn't allowed to relay and the recipient ## isn't in one of our known domains. - deny message = Relaying not permitted - !hosts = CONF_relay_clients - !authenticated = * - !domains = +known + require message = Relaying not permitted + acl = check_relay ## Ensure that the recipient is routable. require message = Invalid recipient \ ($recipient_verify_failure; $acl_verify_message) verify = recipient +SECTION(acl, misc)m4_dnl +check_relay: + ## Accept either if the client is allowed to relay through us, or if + ## we're the correct place to send this mail. + + ## Known clients and authenticated users are OK. + accept hosts = CONF_relay_clients + accept authenticated = * + + ## Known domains are OK. + accept domains = +public + + ## Finally, domains in our table are OK, unless they say they aren't. + accept domains = \ + ${if exists{CONF_sysconf_dir/domains.conf} \ + {partial0-lsearch; CONF_sysconf_dir/domains.conf}} + condition = DOMKV(service, {$value}{true}) + + ## Nope, that's not allowed. + deny + SECTION(acl, rcpt-tail)m4_dnl ## Everything checks out OK: let this one go through. accept @@ -260,16 +279,25 @@ mail_check_auth: warn set acl_c_user = $authenticated_id hosts = +thishost !authenticated = * + condition = ${if def:sender_ident} set acl_c_user = $sender_ident - ## User must be authenticated. + ## User must be authenticated by now. deny message = Sender not authenticated - !hosts = +thishost - !authenticated = * + condition = ${if !def:acl_c_user} ## Make sure that the local part is one that the authenticated sender ## is allowed to claim. deny message = Sender address forbidden to calling user + !condition = \ + ${if exists {CONF_sysconf_dir/auth-sender.conf} \ + {${lookup {$acl_c_user} \ + lsearch \ + {CONF_sysconf_dir/auth-sender.conf} \ + {${if match_address \ + {$sender_address} \ + {+value}}} \ + {false}}}} !condition = ${LOOKUP_DOMAIN($sender_address_domain, {${if and {{match_local_part \ {$acl_c_user} \ @@ -348,9 +376,17 @@ SECTION(transports)m4_dnl ## A standard transport for remote delivery. By default, try to do TLS, and ## don't worry too much if it's not very secure: the alternative is sending ## in plaintext anyway. But all of this can be overridden from the -## `domains.conf' file. +## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't +## expanded before use, so we can't set it the obvious way. Instead, encode +## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp + tls_require_ciphers = CONF_acceptable_ciphers + tls_dh_min_bits = 1020 + tls_tempfail_tryclear = true + +m4_define(<:SMTP_TRANS_DHBITS:>, + <:driver = smtp hosts_try_auth = * hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) hosts_require_auth = \ @@ -366,10 +402,12 @@ smtp: {$value} \ {${expand:$value}}}} \ {CONF_acceptable_ciphers}) - ## Can't set this to an expansion. :-( - m4_dnl tls_dh_min_bits = DOMKV(dh-min-bits, {$value}{1020}) - tls_dh_min_bits = 1020 - tls_tempfail_tryclear = true + tls_dh_min_bits = $1 + tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_1024: + SMTP_TRANS_DHBITS(1020) +smtp_dhbits_2048: + SMTP_TRANS_DHBITS(2046) ## Transport to a local SMTP server; use TLS and perform client ## authentication.