X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/beb15dae3f15ff993556b44897bed035d543c683..87afdfcd0186f0f455034c92257b46a015174335:/base.m4 diff --git a/base.m4 b/base.m4 index 4a925df..e74803d 100644 --- a/base.m4 +++ b/base.m4 @@ -128,7 +128,7 @@ helo: {CONF_sysconf_dir/helo.conf} \ {${if match_ip \ {$sender_host_address} \ - {$value}}}}}} + {<; $value}}}}}} !verify = helo set acl_c_helo_warning = true @@ -214,16 +214,35 @@ rcpt: ## Reject if the client isn't allowed to relay and the recipient ## isn't in one of our known domains. - deny message = Relaying not permitted - !hosts = CONF_relay_clients - !authenticated = * - !domains = +known + require message = Relaying not permitted + acl = check_relay ## Ensure that the recipient is routable. require message = Invalid recipient \ ($recipient_verify_failure; $acl_verify_message) verify = recipient +SECTION(acl, misc)m4_dnl +check_relay: + ## Accept either if the client is allowed to relay through us, or if + ## we're the correct place to send this mail. + + ## Known clients and authenticated users are OK. + accept hosts = CONF_relay_clients + accept authenticated = * + + ## Known domains are OK. + accept domains = +public + + ## Finally, domains in our table are OK, unless they say they aren't. + accept domains = \ + ${if exists{CONF_sysconf_dir/domains.conf} \ + {partial0-lsearch; CONF_sysconf_dir/domains.conf}} + condition = DOMKV(service, {$value}{true}) + + ## Nope, that's not allowed. + deny + SECTION(acl, rcpt-tail)m4_dnl ## Everything checks out OK: let this one go through. accept @@ -260,16 +279,25 @@ mail_check_auth: warn set acl_c_user = $authenticated_id hosts = +thishost !authenticated = * + condition = ${if def:sender_ident} set acl_c_user = $sender_ident - ## User must be authenticated. + ## User must be authenticated by now. deny message = Sender not authenticated - !hosts = +thishost - !authenticated = * + condition = ${if !def:acl_c_user} ## Make sure that the local part is one that the authenticated sender ## is allowed to claim. deny message = Sender address forbidden to calling user + !condition = \ + ${if exists {CONF_sysconf_dir/auth-sender.conf} \ + {${lookup {$acl_c_user} \ + lsearch \ + {CONF_sysconf_dir/auth-sender.conf} \ + {${if match_address \ + {$sender_address} \ + {+value}}} \ + {false}}}} !condition = ${LOOKUP_DOMAIN($sender_address_domain, {${if and {{match_local_part \ {$acl_c_user} \ @@ -351,6 +379,12 @@ SECTION(transports)m4_dnl ## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't ## expanded before use, so we can't set it the obvious way. Instead, encode ## it into the transport name. This is very unpleasant, of course. +smtp: + driver = smtp + tls_require_ciphers = CONF_acceptable_ciphers + tls_dh_min_bits = 1020 + tls_tempfail_tryclear = true + m4_define(<:SMTP_TRANS_DHBITS:>, <:driver = smtp hosts_try_auth = * @@ -370,8 +404,6 @@ m4_define(<:SMTP_TRANS_DHBITS:>, {CONF_acceptable_ciphers}) tls_dh_min_bits = $1 tls_tempfail_tryclear = true:>)m4_dnl -smtp: - SMTP_TRANS_DHBITS(1020) smtp_dhbits_1024: SMTP_TRANS_DHBITS(1020) smtp_dhbits_2048: