From cc17d19efb504ece9d430be570376da72ac151f9 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 7 May 2024 13:08:28 +0100 Subject: [PATCH 1/8] config.m4 (dkim_headers): Reinstate the spaces around the header names. --- config.m4 | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/config.m4 b/config.m4 index 52339b3..99ddc86 100644 --- a/config.m4 +++ b/config.m4 @@ -82,11 +82,12 @@ DEFCONF(relay_clients, Date: Sat, 11 May 2024 12:27:45 +0100 Subject: [PATCH 2/8] config.m4 (relay_hosts): Allow the entire internal network to relay. Because, nowadays, we require relay hosts in the internal network to hold a valid certificate before we accept their relayed mail. I don't know why chiark is included in the list. --- config.m4 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config.m4 b/config.m4 index 99ddc86..8f2db96 100644 --- a/config.m4 +++ b/config.m4 @@ -75,9 +75,8 @@ DEFCONF(user_extaddr_fixup, ${sg {$local_part_suffix}{^[-+]}{}}) ## Other hosts allowed to relay mail through us. DEFCONF(relay_clients, Date: Sat, 11 May 2024 12:35:34 +0100 Subject: [PATCH 3/8] Makefile, site.mk: Add a `site.mk' file with the essential definitions. I'm fed up of skew over this. --- Makefile | 1 + site.mk | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 site.mk diff --git a/Makefile b/Makefile index 46aa594..a779e41 100644 --- a/Makefile +++ b/Makefile @@ -70,6 +70,7 @@ OPTIONS_hub += user-spam.m4 vhost.m4 vhost-local.m4 MODES += usersat OPTIONS_usersat = auth.m4 local.m4 satellite.m4 +-include site.mk -include local.mk ###-------------------------------------------------------------------------- diff --git a/site.mk b/site.mk new file mode 100644 index 0000000..332c1db --- /dev/null +++ b/site.mk 
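Review bot: `-include site.mk` in the Makefile hunk suppresses the error when the file is missing, yet the commit describes site.mk as holding the essential definitions and adds it to the repository. A plain `include site.mk` would make a missing or misnamed file stop the build instead of silently generating configuration without the host lists it defines. Keep the leading `-` only for the optional `local.mk`.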
@@ -0,0 +1,13 @@ +### -*-makefile-*- + +HOSTS_hub += stratocaster + +HOSTS_srv += telecaster + +HOSTS_usersat += jem artist jazz #vampire + +HOSTS_satellite += gibson spirit #crybaby +HOSTS_satellite += ibanez radius roadstar universe +HOSTS_satellite += fender precision +HOSTS_satellite += eggle national +HOSTS_satellite += groove -- 2.11.0 From 7cbe2e4724e463cf732edd95ac34f955a136dd1c Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sat, 11 May 2024 13:20:54 +0100 Subject: [PATCH 4/8] spam.m4: Skip SpamAssassin check for mail from relay clients. The expectation is that relay clients use us as their primary path for delivering mail to external users. If we're going to allow them to do that, it doesn't seem right to subject it to spam checks -- particularly since there isn't a receiving user to set a spam score limit. No, I'm not completely sure about this. --- spam.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spam.m4 b/spam.m4 index c51bc36..4570210 100644 --- a/spam.m4 +++ b/spam.m4 @@ -81,7 +81,7 @@ skip_spam_check: ## If the client is trusted, or this is a new submission, don't ## bother with any of this. We will have verified the sender ## fairly aggressively before granting this level of trust. - accept hosts = +trusted + accept hosts = CONF_relay_clients accept condition = ${if eq{$acl_c_mode}{submission}} ## If all domains have disabled spam checking then don't check. -- 2.11.0 From e74739f45609c4a3bca79c4229bde6edc57899b4 Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Sat, 11 May 2024 14:30:28 +0100 Subject: [PATCH 5/8] base.m4: Line-wrap the DKIM warning header. --- base.m4 | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/base.m4 b/base.m4 index 1b671ef..0aadb78 100644 --- a/base.m4 +++ b/base.m4 
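Review bot: In the spam.m4 hunk, `accept hosts = CONF_relay_clients` keys the SpamAssassin bypass on client address alone, while the comment above it still justifies the bypass by saying the sender was verified "fairly aggressively", which described `+trusted`, not relay clients. PATCH 2/8 widens relay_clients to the whole internal network on the grounds that relaying requires a valid certificate, but nothing in this hunk ties the skip to that check; whether an earlier ACL already enforces it is not visible here. If it does not, consider adding `verify = certificate` to this statement so that an internal address alone does not earn unscanned onward delivery, and reword the comment to name relay clients. Hosts in `+trusted` that are not relay clients also lose the bypass, which may or may not be intended; skip_spam_check continues outside the hunk.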
@@ -469,11 +469,13 @@ m4_define(<:DKIM_SIGN:>, ${if DKIM_SIGN_P \ {DKIM_KEYS_INFO(<:m4_dnl {X-CONF_header_token-DKIM-Key-Publication: \ - DKIM signature not suitable for \ - as evidence after delivery; \ + DKIM signature not suitable \ + as evidence after delivery;\n\t\ DKIM private key KV(k) will be \ - published at KV(u) on or before \ - KV(tpub)}:>)}}:>) + published\n\t\ + at KV(u)\n\t\ + on or before KV(tpub)}:>)}}:>) + m4_define(<:SMTP_DELIVERY:>, <:## Prevent sending messages with overly long lines. The use of -- 2.11.0 From f16f8eeecc35465a1713ddf75088e518f1ffadca Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 16 May 2024 02:04:25 +0100 Subject: [PATCH 6/8] satellite.m4: Apply `/etc/aliases' to master-domain-qualified addresses. It's not much good otherwise. --- satellite.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/satellite.m4 b/satellite.m4 index cae7066..b56b336 100644 --- a/satellite.m4 +++ b/satellite.m4 @@ -28,7 +28,7 @@ SECTION(acl, connect-hooks)m4_dnl SECTION(routers, alias-opts)m4_dnl ## Only expand aliases for our home domain. - domains = +thishost + domains = CONF_master_domain : +thishost SECTION(routers, smarthost)m4_dnl satellite: -- 2.11.0 From a6127611de9e7d36fecc4a59a0d1aad651e8092a Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Thu, 23 May 2024 02:45:27 +0100 Subject: [PATCH 7/8] base.m4 (DKIM_SIGN_P): Check that the sending domain is actually listed. --- base.m4 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/base.m4 b/base.m4 index 0aadb78..4f16e20 100644 --- a/base.m4 +++ b/base.m4 @@ -424,7 +424,8 @@ m4_define(<:DKIM_SIGN_P:>, {!def:h_DKIM-Signature:} \ {!def:h_List-ID:} \ {or {{def:authenticated_id} \ - {def:authenticated_sender}}}}:>) + {def:authenticated_sender}}} \ + {bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}}:>) m4_define(<:DKIM_KEYS_INSTANCE:>, <:${lookup {${domain:$h_From:}} partial0-lsearch \ -- 2.11.0 
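Review bot: In the satellite.m4 hunk the context comment `## Only expand aliases for our home domain.` no longer matches the condition once `CONF_master_domain` is added to `domains`; something like `## Expand aliases for this host and for master-domain-qualified addresses.` would describe it. With this change a local part present in the satellite's `/etc/aliases` is redirected locally even when the address is qualified with the master domain, so an entry there shadows the same local part at the hub. That looks intended from the commit message but is worth recording in the comment. The alias router itself starts outside the hunk.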
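Review bot: The added `{bool {DKIM_KEYS_INSTANCE(<:{true}:>, <:{false}:>)}}` term in DKIM_SIGN_P inherits the `partial0-lsearch` lookup visible in the context line below it, so "listed" means matched by a partial lookup: wildcard entries such as `*.example.org`, or a bare `*` if the key file has one, also satisfy it. If signing should be limited to exactly listed domains, that needs a different lookup type; otherwise a comment such as `## Sign only if the From: domain matches a key instance (partial0, so wildcard entries count).` would record the actual behaviour. The lookup key is `${domain:$h_From:}`, taken from a message header, so a From: that does not parse as a single address presumably yields an empty key; confirm that an empty key cannot match an entry. The DKIM_SIGN_P definition starts outside the hunk.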
From 453e10fbf80044289faa8c427b0a85904c809d4b Mon Sep 17 00:00:00 2001 From: Mark Wooding Date: Tue, 28 May 2024 02:35:51 +0100 Subject: [PATCH 8/8] base.m4: Nearly set DKIM expiry time. Alas, Exim is too old to understand this. --- base.m4 | 1 + 1 file changed, 1 insertion(+) diff --git a/base.m4 b/base.m4 index 4f16e20..d64b88b 100644 --- a/base.m4 +++ b/base.m4 @@ -447,6 +447,7 @@ m4_define(<:DKIM_SIGN:>, ${if DKIM_SIGN_P \ {DKIM_KEYS_INSTANCE({${domain:$h_From:}})}} dkim_selector = DKIM_KEYS_INFO(<:{KV(k)}:>) + ##dkim_timestamps = m4_eval(<:7*24*60*60:>) dkim_private_key = \ DKIM_KEYS_INSTANCE(<:m4_dnl {CONF_dkim_keys_dir/$value/active/$dkim_selector.priv}:>) -- 2.11.0
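Review bot: The added line `##dkim_timestamps = m4_eval(<:7*24*60*60:>)` is disabled configuration with no in-file explanation; the reason (the installed Exim does not understand the option) is given only in the commit message. Add a comment beside it, e.g. `## Enable once Exim supports dkim_timestamps: gives signatures a 7-day expiry.`, so the line is neither deleted as dead nor enabled prematurely. Until it is active the signatures presumably carry no expiry, which matters alongside the key-publication notice reworded in PATCH 5/8; that is inferred from the series, not from this hunk. The DKIM_SIGN definition continues outside the hunk.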