X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/blobdiff_plain/ff4c943d92bd663e5f4b2057f3282359fbd5e3c4..aa8d0e75d766748c223b52ae296b488eb4f98644:/base.m4
diff --git a/base.m4 b/base.m4
index d312eb5..adbc2fb 100644
--- a/base.m4
+++ b/base.m4
@@ -214,16 +214,35 @@ rcpt:
 ## Reject if the client isn't allowed to relay and the recipient
 ## isn't in one of our known domains.
- deny message = Relaying not permitted
- !hosts = CONF_relay_clients
- !authenticated = *
- !domains = +known
+ require message = Relaying not permitted
+ acl = check_relay
 ## Ensure that the recipient is routable.
 require message = Invalid recipient \
 ($recipient_verify_failure; $acl_verify_message)
 verify = recipient
+SECTION(acl, misc)m4_dnl
+check_relay:
+ ## Accept either if the client is allowed to relay through us, or if
+ ## we're the correct place to send this mail.
+
+ ## Known clients and authenticated users are OK.
+ accept hosts = CONF_relay_clients
+ accept authenticated = *
+
+ ## Known domains are OK.
+ accept domains = +public
+
+ ## Finally, domains in our table are OK, unless they say they aren't.
+ accept domains = \
+ ${if exists{CONF_sysconf_dir/domains.conf} \
+ {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
+ condition = DOMKV(service, {$value}{true})
+
+ ## Nope, that's not allowed.
+ deny
+
 SECTION(acl, rcpt-tail)m4_dnl
 ## Everything checks out OK: let this one go through.
 accept
@@ -270,6 +289,15 @@ mail_check_auth:
 ## Make sure that the local part is one that the authenticated sender
 ## is allowed to claim.
 deny message = Sender address forbidden to calling user
+ !condition = \
+ ${if exists {CONF_sysconf_dir/auth-sender.conf} \
+ {${lookup {$acl_c_user} \
+ lsearch \
+ {CONF_sysconf_dir/auth-sender.conf} \
+ {${if match_address \
+ {$sender_address} \
+ {+value}}} \
+ {false}}}}
 !condition = ${LOOKUP_DOMAIN($sender_address_domain, {${if and {{match_local_part \
 {$acl_c_user} \
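Review bot: The last `accept` in the new `check_relay` ACL is default-allow: `condition = DOMKV(service, {$value}{true})` accepts relaying for every domain matched in `domains.conf` unless the entry explicitly says otherwise, so a table entry added for some unrelated purpose also widens what this host relays for. The `partial0-lsearch` lookup makes this broader still, since as far as I read the Exim partial-lookup rules it matches wildcard keys and, with `partial0`, finally tries a bare `*` key; whether `domains.conf` ever carries such an entry is not visible here and should be checked. Because this statement is the relay gate, I would either require an explicit opt-in (`{$value}{false}`) or document the default above it, e.g. `## NB: any domain listed in domains.conf is relayed for unless it sets service to a false value; wildcard keys count.` `DOMKV` is defined outside this hunk, so the exact expansion is assumed from its use. The change also swaps `+known` for `+public` in the relay test, and neither list is defined in this diff, so a line in the commit message on how the two differ would help.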
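Review bot: In the added `!condition`, the list argument to `match_address` is `{+value}`, which Exim reads as a reference to a named address list called `value` rather than the data returned by the `lsearch` on `$acl_c_user`; no such list is defined anywhere in this diff. If the lookup result was intended, note that a plain `{$value}` is, as far as I know, not expanded in that position unless Exim was built with `EXPAND_LISTMATCH_RHS`, so this needs a test with a real `auth-sender.conf` entry. As this statement decides which sender addresses an authenticated user may claim, it is worth confirming what an unresolved list or failed expansion does here (defer, reject, or fall through to the next `!condition`). At minimum, add a comment above the block stating the file format, e.g. `## auth-sender.conf: USER: address-list of senders USER may claim`. The `deny` statement starts before this hunk and continues past its end, so the remaining conditions were not reviewed.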