X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/exim-config/blobdiff_plain/ad4e41911e909d146a3ae364f4de428785094277..1e5ccd7c52be79d1de45691a0bb46cbb1a686bf0:/base.m4 diff --git a/base.m4 b/base.m4 index 1c9dacf..39e302b 100644 --- a/base.m4 +++ b/base.m4 @@ -85,6 +85,7 @@ SECTION(global, process)m4_dnl extract_addresses_remove_arguments = false headers_charset = utf-8 qualify_domain = CONF_master_domain +untrusted_set_sender = * SECTION(global, bounce)m4_dnl delay_warning = 1h : 24h : 2d @@ -151,13 +152,19 @@ SECTION(acl, mail)m4_dnl mail: ## If we stashed a warning header about HELO from earlier, we should - ## add it now. + ## add it now. Only don't bother if the client has authenticated + ## successfully for submission (because we can't expect mobile + ## clients to be properly set up knowing their names), or it's one of + ## our own satellites (because they're either properly set up anyway, + ## or satellites using us as a smarthost). warn condition = $acl_c_helo_warning - add_header = :after_received:X-Distorted-Warning: \ + !condition = ${if eq{$acl_c_mode}{submission}} + !hosts = +allnets + ADD_HEADER(<:X-CONF_header_token-Warning: \ BADHELO \ Client's HELO doesn't match its IP address.\n\t\ helo-name=$sender_helo_name \ - address=$sender_host_address + address=$sender_host_address:>) ## Always allow the empty sender, so that we can receive bounces. accept senders = : @@ -167,7 +174,7 @@ mail: ## If this is directly from a client then hack on it for a while. warn condition = ${if eq{$acl_c_mode}{submission}} - control = submission + control = submission/sender_retain ## Insist that a local client connect through TLS. deny message = Hosts within CONF_master_domain must use TLS @@ -301,34 +308,6 @@ mail_check_auth: deny message = Sender not authenticated condition = ${if !def:acl_c_user} - ## Make sure that the local part is one that the authenticated sender - ## is allowed to claim. - deny message = Sender address forbidden to calling user - !condition = \ - ${if exists {CONF_sysconf_dir/auth-sender.conf} \ - {${lookup {$acl_c_user} \ - lsearch \ - {CONF_sysconf_dir/auth-sender.conf} \ - {${if match_address \ - {$sender_address} \ - {+value}}} \ - {false}}}} - !condition = ${LOOKUP_DOMAIN($sender_address_domain, - {${if and {{match_local_part \ - {$acl_c_user} \ - {+dom_users}} \ - {match_local_part \ - {$sender_address_local_part} \ - {+dom_locals}}}}}, - {${if and {{match_local_part \ - {$sender_address_local_part} \ - {+user_extaddr}} \ - {or {{eq {$sender_address_domain} \ - {}} \ - {match_domain \ - {$sender_address_domain} \ - {+public}}}}}}})} - ## All done. accept @@ -378,6 +357,22 @@ $1: verify = no FILTER_TRANSPORTS<::>$4:>) +DIVERT(null) +###-------------------------------------------------------------------------- +### Common routers. + +SECTION(routers, alias)m4_dnl +## Look up the local part in the address map. +alias: + driver = redirect + allow_fail = true + allow_defer = true + user = CONF_filter_user + FILTER_TRANSPORTS + local_parts = nwildlsearch; CONF_alias_file + data = ${expand:$local_part_data} +SECTION(routers, alias-opts)m4_dnl + DIVERT(null) ###-------------------------------------------------------------------------- ### Some standard transports. @@ -387,6 +382,16 @@ m4_define(<:USER_DELIVERY:>, envelope_to_add = true return_path_add = true:>) +m4_define(<:APPLY_HEADER_CHANGES:>, + <:headers_add = m4_ifelse(<:$1:>, <::>, + <:$acl_m_hdradd:>, + <:${if def:acl_m_hdradd{$acl_m_hdradd\n}}\ + $1:>) + headers_remove = m4_ifelse(<:$2:>, <::>, + <:$acl_m_hdrrm:>, + <:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\ + $2:>):>) + SECTION(transports)m4_dnl ## A standard transport for remote delivery. By default, try to do TLS, and ## don't worry too much if it's not very secure: the alternative is sending @@ -396,12 +401,14 @@ SECTION(transports)m4_dnl ## it into the transport name. This is very unpleasant, of course. smtp: driver = smtp + APPLY_HEADER_CHANGES tls_require_ciphers = CONF_acceptable_ciphers tls_dh_min_bits = 1020 tls_tempfail_tryclear = true m4_define(<:SMTP_TRANS_DHBITS:>, <:driver = smtp + APPLY_HEADER_CHANGES hosts_try_auth = * hosts_require_tls = DOMKV(tls-peer-ca, {*}{}) hosts_require_auth = \ @@ -428,6 +435,7 @@ smtp_dhbits_2048: ## authentication. smtp_local: driver = smtp + APPLY_HEADER_CHANGES hosts_require_tls = * tls_certificate = CONF_sysconf_dir/client.certlist tls_privatekey = CONF_sysconf_dir/client.key @@ -442,6 +450,7 @@ smtp_local: ## A standard transport for local delivery. deliver: driver = appendfile + APPLY_HEADER_CHANGES file = /var/mail/$local_part group = mail mode = 0600 @@ -451,17 +460,20 @@ deliver: ## Transports for user filters. mailbox: driver = appendfile + APPLY_HEADER_CHANGES initgroups = true USER_DELIVERY maildir: driver = appendfile + APPLY_HEADER_CHANGES maildir_format = true initgroups = true USER_DELIVERY pipe: driver = pipe + APPLY_HEADER_CHANGES path = ${if and {{def:home} {exists{$home/bin}}} {$home/bin:} {}}\ /usr/local/bin:/usr/local/sbin:\ /usr/bin:/usr/sbin:/bin:/sbin