X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/e4fe89251d3ab7094ca4eb5a55b709f32d3e3e6e..11f6fa6e1c39dcc27fb7da0d77ac11589ddf9139:/base.m4 diff --git a/base.m4 b/base.m4 index d42d98d..22f6852 100644 --- a/base.m4 +++ b/base.m4 @@ -26,6 +26,7 @@ SECTION(global, priv)m4_dnl admin_groups = CONF_admin_groups +trusted_groups = CONF_trusted_groups prod_requires_admin = false SECTION(global, logging)m4_dnl @@ -39,7 +40,7 @@ syslog_timestamp = false SECTION(global, daemon)m4_dnl local_interfaces = <; CONF_interfaces -extra_local_interfaces = <; 0.0.0.0 ; :: +extra_local_interfaces = <; 0.0.0.0 ; ::0 SECTION(global, resource)m4_dnl deliver_queue_load_max = 8 @@ -89,7 +90,7 @@ SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d SECTION(global, tls)m4_dnl -tls_certificate = CONF_sysconf_dir/server.cert +tls_certificate = CONF_sysconf_dir/server.certlist tls_privatekey = CONF_sysconf_dir/server.key tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}} tls_dhparam = CONF_ca_dir/dh-param-2048.pem @@ -161,11 +162,8 @@ mail: ## Always allow the empty sender, so that we can receive bounces. accept senders = : - ## Ensure that the sender is routable. This is important to prevent - ## undeliverable bounces. - require message = Invalid sender; \ - ($sender_verify_failure; $acl_verify_message) - verify = sender + ## Ensure that the sender looks valid. + require acl = mail_check_sender ## If this is directly from a client then hack on it for a while. warn condition = ${if eq{$acl_c_mode}{submission}} @@ -184,6 +182,23 @@ SECTION(acl, mail-tail)m4_dnl ## And we're done. accept +SECTION(acl, misc)m4_dnl +mail_check_sender: + + ## See whether there's a special exception for this sender domain. + accept senders = ${LOOKUP_DOMAIN($sender_address_domain, + {KV(senders, {$value}{})}, + {})} + + ## Ensure that the sender is routable. This is important to prevent + ## undeliverable bounces. + require message = Invalid sender; \ + ($sender_verify_failure; $acl_verify_message) + verify = sender + + ## We're good, then. + accept + SECTION(global, acl)m4_dnl acl_smtp_connect = connect SECTION(acl, connect)m4_dnl @@ -286,34 +301,6 @@ mail_check_auth: deny message = Sender not authenticated condition = ${if !def:acl_c_user} - ## Make sure that the local part is one that the authenticated sender - ## is allowed to claim. - deny message = Sender address forbidden to calling user - !condition = \ - ${if exists {CONF_sysconf_dir/auth-sender.conf} \ - {${lookup {$acl_c_user} \ - lsearch \ - {CONF_sysconf_dir/auth-sender.conf} \ - {${if match_address \ - {$sender_address} \ - {+value}}} \ - {false}}}} - !condition = ${LOOKUP_DOMAIN($sender_address_domain, - {${if and {{match_local_part \ - {$acl_c_user} \ - {+dom_users}} \ - {match_local_part \ - {$sender_address_local_part} \ - {+dom_locals}}}}}, - {${if and {{match_local_part \ - {$sender_address_local_part} \ - {+user_extaddr}} \ - {or {{eq {$sender_address_domain} \ - {}} \ - {match_domain \ - {$sender_address_domain} \ - {+public}}}}}}})} - ## All done. accept @@ -365,6 +352,22 @@ $1: DIVERT(null) ###-------------------------------------------------------------------------- +### Common routers. + +SECTION(routers, alias)m4_dnl +## Look up the local part in the address map. +alias: + driver = redirect + allow_fail = true + allow_defer = true + user = CONF_filter_user + FILTER_TRANSPORTS + local_parts = nwildlsearch; CONF_alias_file + data = ${expand:$local_part_data} +SECTION(routers, alias-opts)m4_dnl + +DIVERT(null) +###-------------------------------------------------------------------------- ### Some standard transports. m4_define(<:USER_DELIVERY:>, @@ -414,7 +417,7 @@ smtp_dhbits_2048: smtp_local: driver = smtp hosts_require_tls = * - tls_certificate = CONF_sysconf_dir/client.cert + tls_certificate = CONF_sysconf_dir/client.certlist tls_privatekey = CONF_sysconf_dir/client.key tls_verify_certificates = CONF_ca_dir/ca.cert tls_require_ciphers = CONF_good_ciphers