X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/e913c9991d2a69fb2f1ac5bafa2d9942eb2be60f..2d3b825d0876f639b68ee1d0cb5c356f7268991c:/exchange.m4

diff --git a/exchange.m4 b/exchange.m4
index 1e82249..cf2a81b 100644
--- a/exchange.m4
+++ b/exchange.m4
@@ -52,34 +52,65 @@ mail_client_addr:
 			   {${if match_domain {$sender_address_domain} \
 					      {+public} \
 				 {+allnets}{! +allnets}}})}
-		 add_header = :after_received:X-Distorted-Warning: \
-			RCLNTLSNDR \
-			Apparently local sender, but received from remote \
-			server.\n\t\
-			sender=$sender_address \
-			host=$sender_host_address
+		  WARNING_HEADER(RCLNTLSNDR,
+				 <:Apparently local sender, but received from remote \
+				   server.\n\t\
+				   sender=$sender_address \
+				   host=$sender_host_address:>)
 
 	## OK.
 	accept
 
 DIVERT(null)
 ###--------------------------------------------------------------------------
+### Rename locally-meaningful headers in mail from outside.
+
+m4_define(<:DISTORTED_HEADERS:>,
+<:X-CONF_header_token-SpamAssassin-Score,
+X-CONF_header_token-SpamAssassin-Status:>)
+
+SECTION(acl, data)m4_dnl
+	## If this message is coming from outside then rename headers which
+	## look like the ones we're likely to add.  This is most relevant for
+	## our spam-report headers, because I'm not sure I understand why
+	## someone would want to fake an X-Distorted-Warning header.
+	warn	!condition = ${if eq{$acl_c_mode}{submission}}
+		!hosts = +allnets
+		 set acl_m_hdradd = ${if def:acl_m_hdradd{$acl_m_hdradd}}\
+			RENAME_HEADERS_ADD(<:DISTORTED_HEADERS:>)
+		 set acl_m_hdrrm = ${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
+			RENAME_HEADERS_REMOVE(<:DISTORTED_HEADERS:>)
+
+DIVERT(null)
+###--------------------------------------------------------------------------
 ### The obvious trivial router.
 
 SECTION(routers, remote)m4_dnl
 ## Send mail on to a host in our own network.  We must apply extra security.
 local:
 	driver = dnslookup
-	domains = ! +known : CONF_master_domain : *.CONF_master_domain
+	domains = ${if bool {${LOOKUP_DOMAIN($domain,
+			       {KV(service, {$value}{true})},
+			       {false})}} \
+		       {}{ ! +public : \
+			   CONF_master_domain : \
+			   *.CONF_master_domain }}
 	self = fail
+	same_domain_copy_routing = yes
+	ignore_target_hosts = +bogus
 	transport = smtp_local
 	no_more
 
 ## Send mail on to unknown hosts.
 remote:
 	driver = dnslookup
-	domains = ! +known
+	domains = ${if bool {${LOOKUP_DOMAIN($domain,
+			       {KV(service, {$value}{true})},
+			       {false})}} \
+		       {}{ ! +public }}
 	self = fail
+	same_domain_copy_routing = yes
+	ignore_target_hosts = +bogus_public
 	transport = smtp
 	no_more