X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/exim-config/blobdiff_plain/12d3b444e8703fb16cc4d8e9fe267d3d0aa11c6e..e3c9c42730981542c7697a34f59cc95cd6281fec:/base.m4 diff --git a/base.m4 b/base.m4 index e7036c7..9e07bf7 100644 --- a/base.m4 +++ b/base.m4 @@ -59,6 +59,8 @@ gecos_name = $1 gecos_pattern = ([^,:]*) SECTION(global, incoming)m4_dnl +rfc1413_hosts = * +rfc1413_query_timeout = 10s received_header_text = Received: \ ${if def:sender_rcvhost \ {from $sender_rcvhost\n\t} \ @@ -73,19 +75,31 @@ received_header_text = Received: \ ${if def:sender_address \ {(envelope-from $sender_address\ ${if def:authenticated_id \ - {; auth=$authenticated_id}})\n\t}}\ + {; auth=${quote_local_part:$authenticated_id}} \ + {${if and {{def:authenticated_sender} \ + {match_address{$authenticated_sender} \ + {*@CONF_master_domain}}} \ + {; auth=${quote_local_part:\ + ${local_part:\ + $authenticated_sender}}}}}})\n\t}}\ id $message_exim_id\ ${if def:received_for {\n\tfor $received_for}} SECTION(global, smtp)m4_dnl smtp_return_error_details = true accept_8bitmime = true +chunking_advertise_hosts = + +SECTION(global, env)m4_dnl +keep_environment = SECTION(global, process)m4_dnl extract_addresses_remove_arguments = false headers_charset = utf-8 qualify_domain = CONF_master_domain untrusted_set_sender = * +local_from_check = false +local_sender_retain = true SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d @@ -142,6 +156,7 @@ SECTION(acl, misc)m4_dnl not_smtp_start: ## Record the user's name. warn set acl_c_user = $sender_ident + set acl_m_user = $sender_ident ## Done. accept @@ -152,13 +167,18 @@ SECTION(acl, mail)m4_dnl mail: ## If we stashed a warning header about HELO from earlier, we should - ## add it now. + ## add it now. Only don't bother if the client has authenticated + ## successfully for submission (because we can't expect mobile + ## clients to be properly set up knowing their names), or it's one of + ## our own satellites (because they're either properly set up anyway, + ## or satellites using us as a smarthost). warn condition = $acl_c_helo_warning - add_header = :after_received:X-Distorted-Warning: \ - BADHELO \ - Client's HELO doesn't match its IP address.\n\t\ - helo-name=$sender_helo_name \ - address=$sender_host_address + !condition = ${if eq{$acl_c_mode}{submission}} + !hosts = +allnets + WARNING_HEADER(BADHELO, + <:Client's HELO doesn't match its IP address.\n\t\ + helo-name=$sender_helo_name \ + address=$sender_host_address:>) ## Always allow the empty sender, so that we can receive bounces. accept senders = : @@ -302,6 +322,10 @@ mail_check_auth: deny message = Sender not authenticated condition = ${if !def:acl_c_user} + ## Set the per-message authentication flag, since we now know that + ## there's a sensible value. + warn set acl_m_user = $acl_c_user + ## All done. accept @@ -376,6 +400,16 @@ m4_define(<:USER_DELIVERY:>, envelope_to_add = true return_path_add = true:>) +m4_define(<:APPLY_HEADER_CHANGES:>, + <:headers_add = m4_ifelse(<:$1:>, <::>, + <:$acl_m_hdradd:>, + <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\ + $1:>) + headers_remove = m4_ifelse(<:$2:>, <::>, + <:$acl_m_hdrrm:>, + <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\ + $2:>):>) + SECTION(transports)m4_dnl ## A standard transport for remote delivery. By default, try to do TLS, and ## don't worry too much if it's not very secure: the alternative is sending @@ -385,12 +419,14 @@ SECTION(transports)m4_dnl ## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp + APPLY_HEADER_CHANGES tls_require_ciphers = CONF_acceptable_ciphers - tls_dh_min_bits = 1020 + tls_dh_min_bits = 508 tls_tempfail_tryclear = true m4_define(<:SMTP_TRANS_DHBITS:>, <:driver = smtp + APPLY_HEADER_CHANGES hosts_try_auth = * hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) hosts_require_auth = \ @@ -408,15 +444,20 @@ m4_define(<:SMTP_TRANS_DHBITS:>, {CONF_acceptable_ciphers}) tls_dh_min_bits = $1 tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_512: + SMTP_TRANS_DHBITS(508) +smtp_dhbits_768: + SMTP_TRANS_DHBITS(764) smtp_dhbits_1024: SMTP_TRANS_DHBITS(1020) smtp_dhbits_2048: - SMTP_TRANS_DHBITS(2046) + SMTP_TRANS_DHBITS(2044) ## Transport to a local SMTP server; use TLS and perform client ## authentication. smtp_local: driver = smtp + APPLY_HEADER_CHANGES hosts_require_tls = * tls_certificate = CONF_sysconf_dir/client.certlist tls_privatekey = CONF_sysconf_dir/client.key @@ -424,13 +465,16 @@ smtp_local: tls_require_ciphers = CONF_good_ciphers tls_dh_min_bits = 2046 tls_tempfail_tryclear = false - authenticated_sender = ${if def:authenticated_id \ - {$authenticated_id@CONF_master_domain} \ - fail} + authenticated_sender_force = true + authenticated_sender = \ + ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \ + {${if def:authenticated_sender {$authenticated_sender} \ + fail}}} ## A standard transport for local delivery. deliver: driver = appendfile + APPLY_HEADER_CHANGES file = /var/mail/$local_part group = mail mode = 0600 @@ -440,17 +484,20 @@ deliver: ## Transports for user filters. mailbox: driver = appendfile + APPLY_HEADER_CHANGES initgroups = true USER_DELIVERY maildir: driver = appendfile + APPLY_HEADER_CHANGES maildir_format = true initgroups = true USER_DELIVERY pipe: driver = pipe + APPLY_HEADER_CHANGES path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\ /usr/local/bin:/usr/local/sbin:\ /usr/bin:/usr/sbin:/bin:/sbin