base.m4, exchange.m4: Move TLS tweaks to `base.m4'.

[exim-config] / base.m4

diff --git a/base.m4 b/base.m4
index 62b46ab8a4707243381f500d60d851b060360480..8211506c45e916065030288f58a7edc07ab2616d 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -88,6 +88,18 @@ qualify_domain = CONF_master_domain
 SECTION(global, bounce)m4_dnl
 delay_warning = 1h : 24h : 2d
 
+SECTION(global, tls)m4_dnl
+tls_certificate = CONF_sysconf_dir/server.cert
+tls_privatekey = CONF_sysconf_dir/server.key
+tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
+tls_dhparam = CONF_ca_dir/dh-param-2048.pem
+tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
+                              {match_ip {$sender_host_address}{+trusted}}} \
+                          {CONF_good_ciphers} \
+                          {CONF_acceptable_ciphers}}
+tls_verify_certificates = CONF_ca_dir/ca.cert
+tls_verify_hosts = ${if eq{$acl_c_mode}{submission} {} {+allnets}}
+
 DIVERT(null)
 ###--------------------------------------------------------------------------
 ### Access control lists.
@@ -104,6 +116,11 @@ helo:
        ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
        ## and we should only care about the most recent one.
        warn     set acl_c_helo_warning = false
+               !condition = \
+                       ${if and {{match_ip {$sender_host_address} \
+                                           {<; 127.0.0.0/8 ; ::1}} \
+                                 {match_domain {$sender_helo_name} \
+                                               {localhost : +thishost}}}}
                !condition = \
                        ${if exists {CONF_sysconf_dir/helo.conf} \
                             {${lookup {$sender_helo_name} \
@@ -138,7 +155,7 @@ mail:
                 add_header = :after_received:X-Distorted-Warning: \
                        BADHELO \
                        Client's HELO doesn't match its IP address.\n\t\
-                       HELO name=$sender_helo_name, \
+                       helo-name=$sender_helo_name \
                        address=$sender_host_address
 
        ## Always allow the empty sender, so that we can receive bounces.
@@ -180,7 +197,7 @@ SECTION(acl, connect-tail)m4_dnl
 
 check_submission:
        ## See whether this message needs hacking on.
-       accept  !hosts = +localnet
+       accept  !hosts = +thishost
                !condition = ${if ={$received_port}{CONF_submission_port}}
                 set acl_c_mode = relay
 
@@ -241,13 +258,13 @@ mail_check_auth:
        ## loopback connection, then we can trust identd to tell us the right
        ## answer.  So we should stash the right name somewhere consistent.
        warn     set acl_c_user = $authenticated_id
-                hosts = +localnet
+                hosts = +thishost
                !authenticated = *
                 set acl_c_user = $sender_ident
 
        ## User must be authenticated.
        deny     message = Sender not authenticated
-               !hosts = +localnet
+               !hosts = +thishost
                !authenticated = *
 
        ## Make sure that the local part is one that the authenticated sender