X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/d70f6d53afe0d485268ebc22ba37df2dd671251f..9384ef4f973dc22ca7e65b1710f1c486c4efad0c:/base.m4 diff --git a/base.m4 b/base.m4 index 0827835..62b46ab 100644 --- a/base.m4 +++ b/base.m4 @@ -60,9 +60,7 @@ gecos_pattern = ([^,:]*) SECTION(global, incoming)m4_dnl received_header_text = Received: \ ${if def:sender_rcvhost \ - {from $sender_rcvhost\ - ${if def:sender_helo_name \ - { (helo=$sender_helo_name)}}\n\t} \ + {from $sender_rcvhost\n\t} \ {${if def:sender_ident \ {from ${quote_local_part:$sender_ident} }}}}\ by $primary_hostname \ @@ -120,6 +118,16 @@ helo: accept SECTION(global, acl)m4_dnl +acl_not_smtp_start = not_smtp_start +SECTION(acl, misc)m4_dnl +not_smtp_start: + ## Record the user's name. + warn set acl_c_user = $sender_ident + + ## Done. + accept + +SECTION(global, acl)m4_dnl acl_smtp_mail = mail SECTION(acl, mail)m4_dnl mail: @@ -146,6 +154,15 @@ mail: warn condition = ${if eq{$acl_c_mode}{submission}} control = submission + ## Insist that a local client connect through TLS. + deny message = Hosts within CONF_master_domain must use TLS + !condition = ${if eq{$acl_c_mode}{submission}} + hosts = +allnets + !encrypted = * + + ## Check that a submitted message's sender address is allowable. + require acl = mail_check_auth + SECTION(acl, mail-tail)m4_dnl ## And we're done. accept @@ -212,6 +229,51 @@ expn_vrfy: DIVERT(null) ###-------------------------------------------------------------------------- +### Verification of sender address. + +SECTION(acl, misc)m4_dnl +mail_check_auth: + + ## If this isn't a submission then it doesn't need checking. + accept condition = ${if !eq{$acl_c_mode}{submission}} + + ## If the caller hasn't formally authenticated, but this is a + ## loopback connection, then we can trust identd to tell us the right + ## answer. So we should stash the right name somewhere consistent. + warn set acl_c_user = $authenticated_id + hosts = +localnet + !authenticated = * + set acl_c_user = $sender_ident + + ## User must be authenticated. + deny message = Sender not authenticated + !hosts = +localnet + !authenticated = * + + ## Make sure that the local part is one that the authenticated sender + ## is allowed to claim. + deny message = Sender address forbidden to calling user + !condition = ${LOOKUP_DOMAIN($sender_address_domain, + {${if and {{match_local_part \ + {$acl_c_user} \ + {+dom_users}} \ + {match_local_part \ + {$sender_address_local_part} \ + {+dom_locals}}}}}, + {${if and {{match_local_part \ + {$sender_address_local_part} \ + {+user_extaddr}} \ + {or {{eq {$sender_address_domain} \ + {}} \ + {match_domain \ + {$sender_address_domain} \ + {+public}}}}}}})} + + ## All done. + accept + +DIVERT(null) +###-------------------------------------------------------------------------- ### Common options for forwarding routers. ## We're pretty permissive here. @@ -242,12 +304,20 @@ m4_define(<:FILTER_VERIFY:>, ## Transports for redirection filters. m4_define(<:FILTER_TRANSPORTS:>, - <:verify = false - file_transport = mailbox + <:file_transport = mailbox directory_transport = maildir pipe_transport = pipe reply_transport = reply:>) +m4_define(<:FILTER_ROUTER:>, +<:$1_vrf: + $2 + FILTER_VERIFY<::>$3 +$1: + $2 + verify = no + FILTER_TRANSPORTS<::>$4:>) + DIVERT(null) ###-------------------------------------------------------------------------- ### Some standard transports.