base.m4: Accept bad `HELO' hosts from `submission' clients.
diff --git
a/base.m4
b/base.m4
index 03dc4aae03663d3a60dcf57d9a64aa6b1adacba9..51cacc8a3e224fc9f6a2af70d920e3d889214f62 100644
(file)
--- a/
base.m4
+++ b/
base.m4
@@
-88,6
+88,7
@@
received_header_text = Received: \
SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true
SECTION(global, smtp)m4_dnl
smtp_return_error_details = true
accept_8bitmime = true
+chunking_advertise_hosts =
SECTION(global, env)m4_dnl
keep_environment =
SECTION(global, env)m4_dnl
keep_environment =
@@
-104,7
+105,7
@@
SECTION(global, bounce)m4_dnl
delay_warning = 1h : 24h : 2d
SECTION(global, tls)m4_dnl
delay_warning = 1h : 24h : 2d
SECTION(global, tls)m4_dnl
-tls_certificate = CONF_
sysconf_dir/server.
certlist
+tls_certificate = CONF_certlist
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
tls_privatekey = CONF_sysconf_dir/server.key
tls_advertise_hosts = ${if exists {CONF_sysconf_dir/server.key} {*}{}}
tls_dhparam = CONF_ca_dir/dh-param-2048.pem
@@
-124,6
+125,10
@@
SECTION(global, acl)m4_dnl
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
acl_smtp_helo = helo
SECTION(acl, misc)m4_dnl
helo:
+ ## Don't worry if this is local submission. MUAs won't necessarily
+ ## have a clear idea of their hostnames. (For some reason.)
+ accept condition = ${if !eq{$acl_c_mode}{submission}}
+
## Check that the caller's claimed identity is actually plausible.
## This seems like it's a fairly effective filter on spamminess, but
## it's too blunt a tool. Rather than reject, add a warning header.
## Check that the caller's claimed identity is actually plausible.
## This seems like it's a fairly effective filter on spamminess, but
## it's too blunt a tool. Rather than reject, add a warning header.
@@
-263,17
+268,17
@@
check_relay:
## we're the correct place to send this mail.
## Known clients and authenticated users are OK.
## we're the correct place to send this mail.
## Known clients and authenticated users are OK.
- accept
hosts = CONF_relay_clients
- accept
authenticated = *
+ accept hosts = CONF_relay_clients
+ accept authenticated = *
## Known domains are OK.
## Known domains are OK.
- accept
domains = +public
+ accept domains = +public
## Finally, domains in our table are OK, unless they say they aren't.
## Finally, domains in our table are OK, unless they say they aren't.
- accept
domains = \
- ${if exists{CONF_sysconf_dir/domains.conf} \
+ accept domains = \
+
${if exists{CONF_sysconf_dir/domains.conf} \
{partial0-lsearch; CONF_sysconf_dir/domains.conf}}
{partial0-lsearch; CONF_sysconf_dir/domains.conf}}
-
condition = DOMKV(service, {$value}{true})
+ condition = DOMKV(service, {$value}{true})
## Nope, that's not allowed.
deny
## Nope, that's not allowed.
deny
@@
-286,6
+291,10
@@
SECTION(global, acl)m4_dnl
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:
acl_smtp_data = data
SECTION(acl, data)m4_dnl
data:
+ ## Don't accept messages with overly-long lines.
+ deny message = line length exceeds SMTP permitted maximum: \
+ $max_received_linelength > 998
+ condition = ${if >{$max_received_linelength}{998}}
SECTION(acl, data-tail)m4_dnl
accept
SECTION(acl, data-tail)m4_dnl
accept
@@
-409,6
+418,11
@@
m4_define(<:APPLY_HEADER_CHANGES:>,
<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
$2:>):>)
<:${if def:acl_m_hdrrm{$acl_m_hdrrm:}}\
$2:>):>)
+m4_define(<:SMTP_DELIVERY:>,
+ <:## Prevent sending messages with overly long lines. The use of
+ ## `message_size_limit' here is somewhat misleading.
+ message_size_limit = ${if >{$max_received_linelength}{998}{1}{0}}:>)
+
SECTION(transports)m4_dnl
## A standard transport for remote delivery. By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
SECTION(transports)m4_dnl
## A standard transport for remote delivery. By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
@@
-425,6
+439,7
@@
smtp:
m4_define(<:SMTP_TRANS_DHBITS:>,
<:driver = smtp
m4_define(<:SMTP_TRANS_DHBITS:>,
<:driver = smtp
+ SMTP_DELIVERY
APPLY_HEADER_CHANGES
hosts_try_auth = *
hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
APPLY_HEADER_CHANGES
hosts_try_auth = *
hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
@@
-456,6
+471,7
@@
smtp_dhbits_2048:
## authentication.
smtp_local:
driver = smtp
## authentication.
smtp_local:
driver = smtp
+ SMTP_DELIVERY
APPLY_HEADER_CHANGES
hosts_require_tls = *
tls_certificate = CONF_sysconf_dir/client.certlist
APPLY_HEADER_CHANGES
hosts_require_tls = *
tls_certificate = CONF_sysconf_dir/client.certlist
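Review bot: In the `helo` ACL hunk (+125,10), the added `accept` condition appears inverted relative to its own comment and the commit title: `${if !eq{$acl_c_mode}{submission}}` is true when the mode is anything other than `submission`, so ordinary inbound connections would skip the HELO plausibility check below it while submission clients would still be checked. If the intent is what the comment says, the line should read `accept condition = ${if eq{$acl_c_mode}{submission}}`. Where `$acl_c_mode` is assigned is not visible on this page, so confirm it is set before the HELO ACL runs. The rest of the `helo` ACL lies outside the hunk.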