Delay ACL header edits until transport time.
[exim-config] / base.m4
diff --git a/base.m4 b/base.m4
index e7036c7ffb56bae559158f9065134837ca86cf7a..39e302bf07f7f587e3969ac32555716754acf6e3 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -152,13 +152,19 @@ SECTION(acl, mail)m4_dnl
 mail:
 
        ## If we stashed a warning header about HELO from earlier, we should
-       ## add it now.
+       ## add it now.  Only don't bother if the client has authenticated
+       ## successfully for submission (because we can't expect mobile
+       ## clients to be properly set up knowing their names), or it's one of
+       ## our own satellites (because they're either properly set up anyway,
+       ## or satellites using us as a smarthost).
        warn     condition = $acl_c_helo_warning
-                add_header = :after_received:X-Distorted-Warning: \
+               !condition = ${if eq{$acl_c_mode}{submission}}
+               !hosts = +allnets
+                ADD_HEADER(<:X-CONF_header_token-Warning: \
                        BADHELO \
                        Client's HELO doesn't match its IP address.\n\t\
                        helo-name=$sender_helo_name \
-                       address=$sender_host_address
+                       address=$sender_host_address:>)
 
        ## Always allow the empty sender, so that we can receive bounces.
        accept   senders = :
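Review bot: The new comment says the BADHELO warning is skipped for clients that have authenticated successfully for submission, but the added `!condition = ${if eq{$acl_c_mode}{submission}}` tests only the connection mode. Where `$acl_c_mode` is set is outside this hunk; if it comes from the port or listener rather than from a completed AUTH, an unauthenticated client on the submission service also escapes the warning at this point. If a later statement rejects unauthenticated submission, the comment should say so, e.g. `## (unauthenticated submission is rejected further down, so the mode alone is enough here)`. Otherwise test both: `!condition = ${if and{{eq{$acl_c_mode}{submission}}{def:authenticated_id}}}`. The `mail` ACL continues past the end of the hunk.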
@@ -376,6 +382,16 @@ m4_define(<:USER_DELIVERY:>,
        envelope_to_add = true
        return_path_add = true:>)
 
+m4_define(<:APPLY_HEADER_CHANGES:>,
+       <:headers_add = m4_ifelse(<:$1:>, <::>,
+               <:$acl_m_hdradd:>,
+               <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\
+               $1:>)
+       headers_remove = m4_ifelse(<:$2:>, <::>,
+               <:$acl_m_hdrrm:>,
+               <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
+               $2:>):>)
+
 SECTION(transports)m4_dnl
 ## A standard transport for remote delivery.  By default, try to do TLS, and
 ## don't worry too much if it's not very secure: the alternative is sending
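Review bot: `APPLY_HEADER_CHANGES` has no comment, and its two optional arguments are not obvious from the call sites in this commit, which all use it bare. A `##` comment above the `m4_define` should say that `$1` is extra header text for `headers_add` and `$2` is extra names for `headers_remove`, each merged with what the ACLs stashed in `$acl_m_hdradd` and `$acl_m_hdrrm`. It should also say that a transport needing its own additions must pass them as arguments rather than set `headers_add` itself, since Exim, as far as I know, rejects an option set twice in one driver. The same comment is the place to record the contract on the stash: header additions are separated by newlines, so a value built from remote data, such as `$sender_helo_name` in the BADHELO header, must never carry a raw newline into `$acl_m_hdradd`.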
@@ -385,12 +401,14 @@ SECTION(transports)m4_dnl
 ## it into the transport name.  This is very unpleasant, of course.
 smtp:
        driver = smtp
+       APPLY_HEADER_CHANGES
        tls_require_ciphers = CONF_acceptable_ciphers
        tls_dh_min_bits = 1020
        tls_tempfail_tryclear = true
 
 m4_define(<:SMTP_TRANS_DHBITS:>,
        <:driver = smtp
+       APPLY_HEADER_CHANGES
        hosts_try_auth = *
        hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
        hosts_require_auth = \
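Review bot: After this change the headers stashed by the ACLs reach a message only through transports that invoke `APPLY_HEADER_CHANGES`, so a transport that omits it drops warnings such as `BADHELO` without any error. The commit adds the call to the transports in this hunk and to `smtp_local`, `deliver`, `mailbox`, `maildir` and `pipe` in the later hunks; transports defined outside the visible hunks or in other files cannot be checked from here. I would add a line to the section comment, `## Every transport must invoke APPLY_HEADER_CHANGES, or ACL-stashed header edits are lost.`, so that new transports do not miss it. The `SMTP_TRANS_DHBITS` definition continues past the end of the hunk.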
@@ -417,6 +435,7 @@ smtp_dhbits_2048:
 ## authentication.
 smtp_local:
        driver = smtp
+       APPLY_HEADER_CHANGES
        hosts_require_tls = *
        tls_certificate = CONF_sysconf_dir/client.certlist
        tls_privatekey = CONF_sysconf_dir/client.key
@@ -431,6 +450,7 @@ smtp_local:
 ## A standard transport for local delivery.
 deliver:
        driver = appendfile
+       APPLY_HEADER_CHANGES
        file = /var/mail/$local_part
        group = mail
        mode = 0600
@@ -440,17 +460,20 @@ deliver:
 ## Transports for user filters.
 mailbox:
        driver = appendfile
+       APPLY_HEADER_CHANGES
        initgroups = true
        USER_DELIVERY
 
 maildir:
        driver = appendfile
+       APPLY_HEADER_CHANGES
        maildir_format = true
        initgroups = true
        USER_DELIVERY
 
 pipe:
        driver = pipe
+       APPLY_HEADER_CHANGES
        path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\
                /usr/local/bin:/usr/local/sbin:\
                /usr/bin:/usr/sbin:/bin:/sbin