From 4ff4ad42f953b335fd5006fe5965cd3e871f601d Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sun, 16 Mar 2014 14:06:27 +0000 Subject: [PATCH] auth.m4, base.m4, lists.m4: Allow local submission to port 25. Extend the current rules for submission to localhost port 25 to all of the host's local addresses. The server won't try to talk to itself on this port, so this is sensible, and there's probably crappy software out there which assume that it works. --- auth.m4 | 2 +- base.m4 | 11 ++++++++--- lists.m4 | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/auth.m4 b/auth.m4 index 3462c1a..074c6aa 100644 --- a/auth.m4 +++ b/auth.m4 @@ -30,7 +30,7 @@ m4_define(<:CHECK_PASSWD:>, {false}}:>) m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>, -<:or {{match_ip {$sender_host_address}{+localnet}} \ +<:or {{match_ip {$sender_host_address}{+thishost}} \ {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>) SECTION(auth)m4_dnl diff --git a/base.m4 b/base.m4 index 62b46ab..c9c04ff 100644 --- a/base.m4 +++ b/base.m4 @@ -105,6 +105,11 @@ helo: ## and we should only care about the most recent one. warn set acl_c_helo_warning = false !condition = \ + ${if and {{match_ip {$sender_host_address} \ + {<; 127.0.0.0/8 ; ::1}} \ + {match_domain {$sender_helo_name} \ + {localhost : +thishost}}}} + !condition = \ ${if exists {CONF_sysconf_dir/helo.conf} \ {${lookup {$sender_helo_name} \ partial0-lsearch \ @@ -180,7 +185,7 @@ SECTION(acl, connect-tail)m4_dnl check_submission: ## See whether this message needs hacking on. - accept !hosts = +localnet + accept !hosts = +thishost !condition = ${if ={$received_port}{CONF_submission_port}} set acl_c_mode = relay 
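Review bot: In auth.m4, `ALLOW_PLAINTEXT_AUTH_P` carries no comment explaining why its first arm may skip the `tls_cipher` test, and after this change that arm covers every address in `+thishost` rather than only loopback. I would add a comment above the `m4_define`, for example `## Cleartext AUTH is allowed only from this host's own addresses, or over TLS in submission mode.` The macro's callers are not visible in this hunk, so where the exemption takes effect should be checked against them.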
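Review bot: In the first base.m4 hunk (`helo`), the added `match_domain` test references `+thishost`, which in a domain test resolves against named domain lists, whereas the `thishost` this patch adds in lists.m4 is a `hostlist`. Presumably a `domainlist thishost` already exists outside this patch; that is worth confirming, because otherwise the reference will not resolve. The same condition also spells out `<; 127.0.0.0/8 ; ::1` instead of reusing `{+localnet}` as the old auth.m4 line did, so the two definitions of loopback can drift apart. The `warn` statement continues past the end of the hunk.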
@@ -241,13 +246,13 @@ mail_check_auth: ## loopback connection, then we can trust identd to tell us the right ## answer. So we should stash the right name somewhere consistent. warn set acl_c_user = $authenticated_id - hosts = +localnet + hosts = +thishost !authenticated = * set acl_c_user = $sender_ident ## User must be authenticated. deny message = Sender not authenticated - !hosts = +localnet + !hosts = +thishost !authenticated = * ## Make sure that the local part is one that the authenticated sender diff --git a/lists.m4 b/lists.m4 index 485663c..2c458c7 100644 --- a/lists.m4 +++ b/lists.m4 @@ -25,6 +25,8 @@ SECTION(global, lists)m4_dnl ## Definitions for known networks. hostlist localnet = <; \ 127.0.0.0/8 ; ::1 +hostlist thishost = <; \ + +localnet ; @[] hostlist border = <; \ 62.49.204.144/28 ; 2001:470:1f09:1b98::/64 ; \ 212.13.198.64/28 ; 2001:ba8:0:1d9::/64 -- 2.11.0
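Review bot: In the `mail_check_auth` hunk of base.m4, the comment above the `warn` still says identd is trusted for a "loopback connection", but both `hosts` tests now use `+thishost`, so `$sender_ident` is accepted as the user name for connections from any local interface address. The comment should be updated, e.g. `## If this is a connection from one of our own addresses, then we can trust identd`. It is also worth confirming that identd answers on those non-loopback addresses. If it does not, `acl_c_user` would presumably be left empty while the `deny` below is skipped, and the local-part check that follows lies outside the hunk.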
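Review bot: In lists.m4, nothing next to the new `thishost` definition records the assumption that the rest of the patch relies on. The auth.m4 and base.m4 hunks (`ALLOW_PLAINTEXT_AUTH_P`, `check_submission`, `mail_check_auth`) now treat a match against `@[]` as grounds to skip TLS and authentication. A peer address in `@[]` identifies a local process only if the host discards packets arriving from outside with one of its own addresses as source, and if no local proxy, port forward or NAT presents remote clients from a local address. I would state that beside the definition, e.g. `## Our own interface addresses; trusted like loopback, so nothing on this host may relay outside clients to the SMTP port.`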