config.m4: Present a LetsEncrypt certificate to external clients.
diff --git
a/base.m4
b/base.m4
index a00757eae071953d3caf4394585faf793e1fe9fe..c0dd8921d4b953532eda24b19c7d7bdd6410b5ff 100644
(file)
--- a/
base.m4
+++ b/
base.m4
@@
-59,6
+59,8
@@
gecos_name = $1
gecos_pattern = ([^,:]*)
SECTION(global, incoming)m4_dnl
gecos_pattern = ([^,:]*)
SECTION(global, incoming)m4_dnl
+rfc1413_hosts = *
+rfc1413_query_timeout = 10s
received_header_text = Received: \
${if def:sender_rcvhost \
{from $sender_rcvhost\n\t} \
received_header_text = Received: \
${if def:sender_rcvhost \
{from $sender_rcvhost\n\t} \
@@
-73,13
+75,20
@@
received_header_text = Received: \
${if def:sender_address \
{(envelope-from $sender_address\
${if def:authenticated_id \
${if def:sender_address \
{(envelope-from $sender_address\
${if def:authenticated_id \
- {; auth=$authenticated_id}})\n\t}}\
+ {; auth=${quote_local_part:$authenticated_id}} \
+ {${if and {{def:authenticated_sender} \
+ {match_address{$authenticated_sender} \
+ {*@CONF_master_domain}}} \
+ {; auth=${quote_local_part:\
+ ${local_part:\
+ $authenticated_sender}}}}}})\n\t}}\
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}
SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true
id $message_exim_id\
${if def:received_for {\n\tfor $received_for}}
SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true
+chunking_advertise_hosts =
SECTION(global, env)m4_dnl
keep_environment =
SECTION(global, env)m4_dnl
keep_environment =
@@
-96,7
+105,7
@@
SECTION(global, bounce)m4_dnl
delay_warning = 1h : 24h : 2d
SECTION(global, tls)m4_dnl
delay_warning = 1h : 24h : 2d
SECTION(global, tls)m4_dnl
-tls_certificate = CONF_
sysconf_dir/server.
certlist
+tls_certificate = CONF_certlist
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
@@
-147,6
+156,7
@@
SECTION(acl, misc)m4_dnl
not_smtp_start:
## Record the user's name.
warn set acl_c_user = $sender_ident
not_smtp_start:
## Record the user's name.
warn set acl_c_user = $sender_ident
+ set acl_m_user = $sender_ident
## Done.
accept
## Done.
accept
@@
-254,17
+264,17
@@
check_relay:
## we're the correct place to send this mail.
## Known clients and authenticated users are OK.
## we're the correct place to send this mail.
## Known clients and authenticated users are OK.
- accept
hosts = CONF_relay_clients
- accept
authenticated = *
+ accept hosts = CONF_relay_clients
+ accept authenticated = *
## Known domains are OK.
## Known domains are OK.
- accept
domains = +public
+ accept domains = +public
## Finally, domains in our table are OK, unless they say they aren't.
## Finally, domains in our table are OK, unless they say they aren't.
- accept
domains = \
- ${if exists{CONF_sysconf_dir/domains.conf} \
+ accept domains = \
+
${if exists{CONF_sysconf_dir/domains.conf} \
{partial0-lsearch; CONF_sysconf_dir/domains.conf}}
{partial0-lsearch; CONF_sysconf_dir/domains.conf}}
-
condition = DOMKV(service, {$value}{true})
+ condition = DOMKV(service, {$value}{true})
## Nope, that's not allowed.
deny
## Nope, that's not allowed.
deny
@@
-277,6
+287,10
@@
SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:
+ ## Don't accept messages with overly-long lines.
+ deny message = line length exceeds SMTP permitted maximum: \
+ $max_received_linelength > 998
+ condition = ${if >{$max_received_linelength}{998}}
SECTION(acl, data-tail)m4_dnl
accept
SECTION(acl, data-tail)m4_dnl
accept
@@
-312,6
+326,10
@@
mail_check_auth:
deny message = Sender not authenticated
condition = ${if !def:acl_c_user}
deny message = Sender not authenticated
condition = ${if !def:acl_c_user}
+ ## Set the per-message authentication flag, since we now know that
+ ## there's a sensible value.
+ warn set acl_m_user = $acl_c_user
+
## All done.
accept
## All done.
accept
@@
-396,6
+414,11
@@
m4_define(<:APPLY_HEADER_CHANGES:>,
<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
$2:>):>)
<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
$2:>):>)
+m4_define(<:SMTP_DELIVERY:>,
+ <:## Prevent sending messages with overly long lines. The use of
+ ## `message_size_limit' here is somewhat misleading.
+ message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
+
SECTION(transports)m4_dnl
## A standard transport for remote delivery. By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
SECTION(transports)m4_dnl
## A standard transport for remote delivery. By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
@@
-407,11
+430,12
@@
smtp:
driver = smtp
APPLY_HEADER_CHANGES
tls_require_ciphers = CONF_acceptable_ciphers
driver = smtp
APPLY_HEADER_CHANGES
tls_require_ciphers = CONF_acceptable_ciphers
- tls_dh_min_bits =
1020
+ tls_dh_min_bits =
508
tls_tempfail_tryclear = true
m4_define(<:SMTP_TRANS_DHBITS:>,
<:driver = smtp
tls_tempfail_tryclear = true
m4_define(<:SMTP_TRANS_DHBITS:>,
<:driver = smtp
+ SMTP_DELIVERY
APPLY_HEADER_CHANGES
hosts_try_auth = *
hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
APPLY_HEADER_CHANGES
hosts_try_auth = *
hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
@@
-430,15
+454,20
@@
m4_define(<:SMTP_TRANS_DHBITS:>,
{CONF_acceptable_ciphers})
tls_dh_min_bits = $1
tls_tempfail_tryclear = true:>)m4_dnl
{CONF_acceptable_ciphers})
tls_dh_min_bits = $1
tls_tempfail_tryclear = true:>)m4_dnl
+smtp_dhbits_512:
+ SMTP_TRANS_DHBITS(508)
+smtp_dhbits_768:
+ SMTP_TRANS_DHBITS(764)
smtp_dhbits_1024:
SMTP_TRANS_DHBITS(1020)
smtp_dhbits_2048:
smtp_dhbits_1024:
SMTP_TRANS_DHBITS(1020)
smtp_dhbits_2048:
- SMTP_TRANS_DHBITS(204
6
)
+ SMTP_TRANS_DHBITS(204
4
)
## Transport to a local SMTP server; use TLS and perform client
## authentication.
smtp_local:
driver = smtp
## Transport to a local SMTP server; use TLS and perform client
## authentication.
smtp_local:
driver = smtp
+ SMTP_DELIVERY
APPLY_HEADER_CHANGES
hosts_require_tls = *
tls_certificate = CONF_sysconf_dir/client.certlist
APPLY_HEADER_CHANGES
hosts_require_tls = *
tls_certificate = CONF_sysconf_dir/client.certlist
@@
-447,9
+476,11
@@
smtp_local:
tls_require_ciphers = CONF_good_ciphers
tls_dh_min_bits = 2046
tls_tempfail_tryclear = false
tls_require_ciphers = CONF_good_ciphers
tls_dh_min_bits = 2046
tls_tempfail_tryclear = false
- authenticated_sender = ${if def:authenticated_id \
- {$authenticated_id@CONF_master_domain} \
- fail}
+ authenticated_sender_force = true
+ authenticated_sender = \
+ ${if def:acl_m_user {$acl_m_user@CONF_master_domain} \
+ {${if def:authenticated_sender {$authenticated_sender} \
+ fail}}}
## A standard transport for local delivery.
deliver:
## A standard transport for local delivery.
deliver:
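Review bot: The new `auth=` arm in received_header_text (the `${if and {{def:authenticated_sender} {match_address{$authenticated_sender}{*@CONF_master_domain}}}` branch) is reached only when `$authenticated_id` is unset, i.e. for a client that did not authenticate to this server, and it then copies the local part of the client's MAIL `AUTH=` value into the Received: trailer. As far as I recall, Exim populates `$authenticated_sender` for an unauthenticated client only when `acl_smtp_mailauth` accepts the parameter, and nothing in this diff shows that ACL being limited to the `smtp_local` relays that `authenticated_sender_force = true` now makes send `AUTH=` without SMTP AUTH; worth confirming, since otherwise any remote host could name an arbitrary `CONF_master_domain` user in the trace header. A one-line comment above the branch such as `## Trust AUTH= only from our own relays (enforced by acl_smtp_mailauth); see smtp_local.` would record that dependency. Separately, `tls_dh_min_bits = 508` in the default `smtp` transport accepts ~512-bit DH groups that are practically breakable (Logjam); given `tls_tempfail_tryclear = true` already falls back when the handshake fails, keeping `1020` there and leaving `smtp_dhbits_512`/`smtp_dhbits_768` as explicit opt-ins looks safer, with a comment on why the thresholds sit 4 bits under the nominal sizes.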