auth.m4, base.m4, lists.m4: Allow local submission to port 25.
authorMark Wooding <mdw@distorted.org.uk>
Sun, 16 Mar 2014 14:06:27 +0000 (14:06 +0000)
committerMark Wooding <mdw@distorted.org.uk>
Sun, 16 Mar 2014 14:06:27 +0000 (14:06 +0000)
Extend the current rules for submission to localhost port 25 to all of
the host's local addresses.  The server won't try to talk to itself on
this port, so this is sensible, and there's probably crappy software out
there which assumes that it works.

auth.m4
base.m4
lists.m4

diff --git a/auth.m4 b/auth.m4
index 3462c1adfe094acd5fef8ed2f81a1bdb69c37f74..074c6aa1a70c090579abb26e234d92a78c4ba6d1 100644 (file)
--- a/auth.m4
+++ b/auth.m4
@@ -30,7 +30,7 @@ m4_define(<:CHECK_PASSWD:>,
           {false}}:>)
 
 m4_define(<:ALLOW_PLAINTEXT_AUTH_P:>,
-<:or {{match_ip {$sender_host_address}{+localnet}} \
+<:or {{match_ip {$sender_host_address}{+thishost}} \
       {and {{def:tls_cipher} {eq{$acl_c_mode}{submission}}}}}:>)
 
 SECTION(auth)m4_dnl
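Review bot: ALLOW_PLAINTEXT_AUTH_P now carries no comment explaining why plaintext AUTH is acceptable for the whole of `+thishost` rather than just loopback, and since this macro decides when credentials may cross the wire unencrypted the reasoning deserves to be written down next to it. A connection to one of the host's own interface addresses is routed locally and never leaves the machine, which is the same argument the commit message makes for port 25; I would add `## Plaintext AUTH is tolerable only when the connection is local to this host (traffic never leaves the box) or is already TLS-protected in submission mode.` above the m4_define on L23. The `+thishost` list itself is defined in lists.m4 in this same commit, so readers of auth.m4 alone cannot see what it covers.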
diff --git a/base.m4 b/base.m4
index 62b46ab8a4707243381f500d60d851b060360480..c9c04ffe8a3c79f8b059428f360627fe713e2f86 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -104,6 +104,11 @@ helo:
        ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
        ## and we should only care about the most recent one.
        warn     set acl_c_helo_warning = false
+               !condition = \
+                       ${if and {{match_ip {$sender_host_address} \
+                                           {<; 127.0.0.0/8 ; ::1}} \
+                                 {match_domain {$sender_helo_name} \
+                                               {localhost : +thishost}}}}
                !condition = \
                        ${if exists {CONF_sysconf_dir/helo.conf} \
                             {${lookup {$sender_helo_name} \
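Review bot: `match_domain {$sender_helo_name}{localhost : +thishost}` on L41 resolves `+thishost` as a named domain list, and the only `thishost` this commit introduces is a *hostlist* (lists.m4); unless a `domainlist thishost` exists outside this diff, I would expect Exim to fail the expansion at runtime rather than match the host's names, so a domainlist of the names this host may HELO as (or `@` / `@[]` inline) seems to be what is needed. Separately, the `match_ip` on L38-39 spells out `<; 127.0.0.0/8 ; ::1` inline, which duplicates the `localnet` hostlist defined in lists.m4; `match_ip {$sender_host_address}{+localnet}` would keep the two in step if that list is ever widened. The `warn` statement this condition belongs to continues past the end of the hunk.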
@@ -180,7 +185,7 @@ SECTION(acl, connect-tail)m4_dnl
 
 check_submission:
        ## See whether this message needs hacking on.
-       accept  !hosts = +localnet
+       accept  !hosts = +thishost
                !condition = ${if ={$received_port}{CONF_submission_port}}
                 set acl_c_mode = relay
 
@@ -241,13 +246,13 @@ mail_check_auth:
        ## loopback connection, then we can trust identd to tell us the right
        ## answer.  So we should stash the right name somewhere consistent.
        warn     set acl_c_user = $authenticated_id
-                hosts = +localnet
+                hosts = +thishost
                !authenticated = *
                 set acl_c_user = $sender_ident
 
        ## User must be authenticated.
        deny     message = Sender not authenticated
-               !hosts = +localnet
+               !hosts = +thishost
                !authenticated = *
 
        ## Make sure that the local part is one that the authenticated sender
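Review bot: The comment above the `warn` (L55-56, which begins before this hunk) still justifies trusting identd on the basis of a "loopback connection", but after L59 the trusted set is `+thishost`, which per lists.m4 also includes every local interface address. The reasoning still holds (the peer is this host, so the identd answering is the local one), but the comment should say so; something like `## If the connection comes from this host itself (any local interface address), identd is our own and can be trusted to name the user.` The same `+localnet` to `+thishost` substitution on L66 and in check_submission (L50) needs no further comment.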
index 485663c9b0501a7e0f9db73afc7590d166c4541f..2c458c7df5f581e1e4a718ab81b1d107d339ed78 100644 (file)
--- a/lists.m4
+++ b/lists.m4
@@ -25,6 +25,8 @@ SECTION(global, lists)m4_dnl
 ## Definitions for known networks.
 hostlist localnet = <; \
        127.0.0.0/8 ; ::1
+hostlist thishost = <; \
+        +localnet ; @[]
 hostlist border = <; \
        62.49.204.144/28 ; 2001:470:1f09:1b98::/64 ; \
        212.13.198.64/28 ; 2001:ba8:0:1d9::/64
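Review bot: `hostlist thishost` on L77-78 is used elsewhere in this commit as a trust boundary (relay mode in check_submission, identd trust in mail_check_auth, plaintext AUTH in auth.m4), yet it carries no comment saying so; I would add `## Addresses that are "us": loopback plus every local interface.  Used as a trust boundary (submission, identd, plaintext AUTH) -- only addresses this host actually owns belong here.` above L77. As far as I recall, `@[]` in a host list follows Exim's notion of local interfaces, i.e. `local_interfaces` plus `extra_local_interfaces`, so if the daemon is configured to listen on a subset of addresses the list will be correspondingly narrower; worth confirming against the running configuration. The continuation line on L78 also appears to be indented with spaces where L76 uses a tab.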