From e4666f2d8c607d476be779304b6b307377accf3f Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Tue, 22 Apr 2014 18:18:03 +0100
Subject: [PATCH] base.m4: Overhaul the relay-permission check.

Don't provide public service to all domains in `domains.conf': check the `service' property to see whether it should be allowed.
---
 base.m4 | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/base.m4 b/base.m4
index 90e20f2..adbc2fb 100644
--- a/base.m4
+++ b/base.m4
@@ -214,16 +214,35 @@ rcpt:
   ## Reject if the client isn't allowed to relay and the recipient
   ## isn't in one of our known domains.
-  deny message = Relaying not permitted
-       !hosts = CONF_relay_clients
-       !authenticated = *
-       !domains = +known
+  require message = Relaying not permitted
+          acl = check_relay
   ## Ensure that the recipient is routable.
   require message = Invalid recipient \
                     ($recipient_verify_failure; $acl_verify_message)
           verify = recipient
+SECTION(acl, misc)m4_dnl
+check_relay:
+  ## Accept either if the client is allowed to relay through us, or if
+  ## we're the correct place to send this mail.
+  ## Known clients and authenticated users are OK.
+  accept hosts = CONF_relay_clients
+  accept authenticated = *
+  ## Known domains are OK.
+  accept domains = +public
+  ## Finally, domains in our table are OK, unless they say they aren't.
+  accept domains = \
+           ${if exists{CONF_sysconf_dir/domains.conf} \
+                 {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
+         condition = DOMKV(service, {$value}{true})
+  ## Nope, that's not allowed.
+  deny
+
 SECTION(acl, rcpt-tail)m4_dnl
   ## Everything checks out OK: let this one go through.
   accept
-- 
2.11.0
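Review bot: The domains.conf branch of `check_relay` is permissive by default: `condition = DOMKV(service, {$value}{true})` appears to fall back to `true` when a row carries no `service` key, so any domain that is merely listed in the table is accepted for relay unless its row opts out explicitly. That is what the comment `## Finally, domains in our table are OK, unless they say they aren't.` intends, but the consequence for whoever edits the table deserves to be spelled out; suggest adding `## NOTE: a row with no `service' key counts as service=true; a domain listed for other reasons must set it explicitly to refuse relaying.` The lookup is `partial0-lsearch`, so a key presumably also matches its subdomains under Exim's partial matching, and the same comment could say whether an opt-out on `example.com` is meant to cover `sub.example.com` as well. The `rcpt` ACL this hunk edits starts before the hunk, and `+public` and `DOMKV` are defined outside it.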