X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/c1709c7f1a3c8dbc55ea5e2501e4433b5fea05a6..HEAD:/exchange.m4 diff --git a/exchange.m4 b/exchange.m4 index 3e771c6..cf2a81b 100644 --- a/exchange.m4 +++ b/exchange.m4 @@ -27,18 +27,6 @@ SECTION(global, daemon)m4_dnl daemon_smtp_ports = CONF_smtp_port : CONF_submission_port -SECTION(global, tls)m4_dnl -tls_certificate = CONF_sysconf_dir/server.cert -tls_privatekey = CONF_sysconf_dir/server.key -tls_advertise_hosts = * -tls_dhparam = CONF_ca_dir/dh-param-2048.pem -tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \ - {match_ip {$sender_host_address}{+trusted}}} \ - {CONF_good_ciphers} \ - {CONF_acceptable_ciphers}} -tls_verify_certificates = CONF_ca_dir/ca.cert -tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}} - DIVERT(null) ###-------------------------------------------------------------------------- ### Check source addresses for apparently local senders. @@ -47,12 +35,6 @@ SECTION(acl, mail-hooks)m4_dnl ## Check that a submitted message's sender address is allowable. require acl = mail_client_addr - ## Insist that a local client connect through TLS. - deny message = Hosts within CONF_master_domain must use TLS - !condition = ${if eq{$acl_c_mode}{submission}} - hosts = +allnets - !encrypted = * - SECTION(acl, misc)m4_dnl mail_client_addr: @@ -70,34 +52,65 @@ mail_client_addr: {${if match_domain {$sender_address_domain} \ {+public} \ {+allnets}{! +allnets}}})} - add_header = :after_received:X-Distorted-Warning: \ - RCLNTLSNDR \ - Apparently local sender, but received from remote \ - server.\n\t\ - sender=$sender_address, \ - host=$sender_host_address + WARNING_HEADER(RCLNTLSNDR, + <:Apparently local sender, but received from remote \ + server.\n\t\ + sender=$sender_address \ + host=$sender_host_address:>) ## OK. accept DIVERT(null) ###-------------------------------------------------------------------------- +### Rename locally-meaningful headers in mail from outside. + +m4_define(<:DISTORTED_HEADERS:>, +<:X-CONF_header_token-SpamAssassin-Score, +X-CONF_header_token-SpamAssassin-Status:>) + +SECTION(acl, data)m4_dnl + ## If this message is coming from outside then rename headers which + ## look like the ones we're likely to add. This is most relevant for + ## our spam-report headers, because I'm not sure I understand why + ## someone would want to fake an X-Distorted-Warning header. + warn !condition = ${if eq{$acl_c_mode}{submission}} + !hosts = +allnets + set acl_m_hdradd = ${if def:acl_m_hdradd{$acl_m_hdradd}}\ + RENAME_HEADERS_ADD(<:DISTORTED_HEADERS:>) + set acl_m_hdrrm = ${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\ + RENAME_HEADERS_REMOVE(<:DISTORTED_HEADERS:>) + +DIVERT(null) +###-------------------------------------------------------------------------- ### The obvious trivial router. SECTION(routers, remote)m4_dnl ## Send mail on to a host in our own network. We must apply extra security. local: driver = dnslookup - domains = ! +known : *.CONF_master_domain + domains = ${if bool {${LOOKUP_DOMAIN($domain, + {KV(service, {$value}{true})}, + {false})}} \ + {}{ ! +public : \ + CONF_master_domain : \ + *.CONF_master_domain }} self = fail + same_domain_copy_routing = yes + ignore_target_hosts = +bogus transport = smtp_local no_more ## Send mail on to unknown hosts. remote: driver = dnslookup - domains = ! +known + domains = ${if bool {${LOOKUP_DOMAIN($domain, + {KV(service, {$value}{true})}, + {false})}} \ + {}{ ! +public }} self = fail + same_domain_copy_routing = yes + ignore_target_hosts = +bogus_public transport = smtp no_more