chiark / gitweb /
defs.m4: New macros for inserting separators into lists.
[exim-config] / base.m4
diff --git a/base.m4 b/base.m4
index 204be0aeec02aadfd62cbe8250de33bd5a8e65be..1c9dacf7a6cf1845af26546fd65cc435a9f50d00 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -26,6 +26,7 @@
 
 SECTION(global, priv)m4_dnl
 admin_groups = CONF_admin_groups
+trusted_groups = CONF_trusted_groups
 prod_requires_admin = false
 
 SECTION(global, logging)m4_dnl
@@ -39,7 +40,7 @@ syslog_timestamp = false
 
 SECTION(global, daemon)m4_dnl
 local_interfaces = <; CONF_interfaces
-extra_local_interfaces = <; 0.0.0.0 ; ::
+extra_local_interfaces = <; 0.0.0.0 ; ::0
 
 SECTION(global, resource)m4_dnl
 deliver_queue_load_max = 8
@@ -89,7 +90,7 @@ SECTION(global, bounce)m4_dnl
 delay_warning = 1h : 24h : 2d
 
 SECTION(global, tls)m4_dnl
-tls_certificate = CONF_sysconf_dir/server.cert
+tls_certificate = CONF_sysconf_dir/server.certlist
 tls_privatekey = CONF_sysconf_dir/server.key
 tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
 tls_dhparam = CONF_ca_dir/dh-param-2048.pem
@@ -128,7 +129,7 @@ helo:
                                       {CONF_sysconf_dir/helo.conf} \
                                       {${if match_ip \
                                             {$sender_host_address} \
-                                            {$value}}}}}}
+                                            {<; $value}}}}}}
                !verify = helo
                 set acl_c_helo_warning = true
 
@@ -161,11 +162,8 @@ mail:
        ## Always allow the empty sender, so that we can receive bounces.
        accept   senders = :
 
-       ## Ensure that the sender is routable.  This is important to prevent
-       ## undeliverable bounces.
-       require  message = Invalid sender; \
-                       ($sender_verify_failure; $acl_verify_message)
-                verify = sender
+       ## Ensure that the sender looks valid.
+       require  acl = mail_check_sender
 
        ## If this is directly from a client then hack on it for a while.
        warn     condition = ${if eq{$acl_c_mode}{submission}}
@@ -184,6 +182,23 @@ SECTION(acl, mail-tail)m4_dnl
        ## And we're done.
        accept
 
+SECTION(acl, misc)m4_dnl
+mail_check_sender:
+
+       ## See whether there's a special exception for this sender domain.
+       accept   senders = ${LOOKUP_DOMAIN($sender_address_domain,
+                            {KV(senders, {$value}{})},
+                            {})}
+
+       ## Ensure that the sender is routable.  This is important to prevent
+       ## undeliverable bounces.
+       require  message = Invalid sender; \
+                       ($sender_verify_failure; $acl_verify_message)
+                verify = sender
+
+       ## We're good, then.
+       accept
+
 SECTION(global, acl)m4_dnl
 acl_smtp_connect = connect
 SECTION(acl, connect)m4_dnl
@@ -214,16 +229,35 @@ rcpt:
 
        ## Reject if the client isn't allowed to relay and the recipient
        ## isn't in one of our known domains.
-       deny     message = Relaying not permitted
-               !hosts = CONF_relay_clients
-               !authenticated = *
-               !domains = +known
+       require  message = Relaying not permitted
+                acl = check_relay
 
        ## Ensure that the recipient is routable.
        require  message = Invalid recipient \
                        ($recipient_verify_failure; $acl_verify_message)
                 verify = recipient
 
+SECTION(acl, misc)m4_dnl
+check_relay:
+       ## Accept either if the client is allowed to relay through us, or if
+       ## we're the correct place to send this mail.
+
+       ## Known clients and authenticated users are OK.
+       accept    hosts = CONF_relay_clients
+       accept    authenticated = *
+
+       ## Known domains are OK.
+       accept    domains = +public
+
+       ## Finally, domains in our table are OK, unless they say they aren't.
+       accept    domains = \
+               ${if exists{CONF_sysconf_dir/domains.conf} \
+                    {partial0-lsearch; CONF_sysconf_dir/domains.conf}}
+                 condition = DOMKV(service, {$value}{true})
+
+       ## Nope, that's not allowed.
+       deny
+
 SECTION(acl, rcpt-tail)m4_dnl
        ## Everything checks out OK: let this one go through.
        accept
@@ -239,7 +273,7 @@ SECTION(acl, data-tail)m4_dnl
 SECTION(global, acl)m4_dnl
 acl_smtp_expn = expn_vrfy
 acl_smtp_vrfy = expn_vrfy
-SECTION(acl)m4_dnl
+SECTION(acl, misc)m4_dnl
 expn_vrfy:
        accept   hosts = +trusted
        deny     message = Suck it and see
@@ -260,16 +294,25 @@ mail_check_auth:
        warn     set acl_c_user = $authenticated_id
                 hosts = +thishost
                !authenticated = *
+                condition = ${if def:sender_ident}
                 set acl_c_user = $sender_ident
 
-       ## User must be authenticated.
+       ## User must be authenticated by now.
        deny     message = Sender not authenticated
-               !hosts = +thishost
-               !authenticated = *
+                condition = ${if !def:acl_c_user}
 
        ## Make sure that the local part is one that the authenticated sender
        ## is allowed to claim.
        deny     message = Sender address forbidden to calling user
+               !condition = \
+                       ${if exists {CONF_sysconf_dir/auth-sender.conf} \
+                            {${lookup {$acl_c_user} \
+                                      lsearch \
+                                      {CONF_sysconf_dir/auth-sender.conf} \
+                                      {${if match_address \
+                                            {$sender_address} \
+                                            {+value}}} \
+                                      {false}}}}
                !condition = ${LOOKUP_DOMAIN($sender_address_domain,
                               {${if and {{match_local_part \
                                            {$acl_c_user} \
@@ -386,7 +429,7 @@ smtp_dhbits_2048:
 smtp_local:
        driver = smtp
        hosts_require_tls = *
-       tls_certificate = CONF_sysconf_dir/client.cert
+       tls_certificate = CONF_sysconf_dir/client.certlist
        tls_privatekey = CONF_sysconf_dir/client.key
        tls_verify_certificates = CONF_ca_dir/ca.cert
        tls_require_ciphers = CONF_good_ciphers