X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ffiles%2Fcommon%2Fexim4.conf;h=3b87319b3e2aeebbcb98c2b30255fa7d5fdde8ad;hb=d21074d0a77d36f09ea70fbaa8cca30b94bdb2e5;hp=bb18c40c6e8c97582048aeef9bb5c33e5c8b9a3f;hpb=ebe440dc731db58f37a5c94326a2cee5442666ea;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf
index bb18c40c6..3b87319b3 100644
--- a/modules/exim/files/common/exim4.conf
+++ b/modules/exim/files/common/exim4.conf
@@ -1,3 +1,8 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
 # This is the main exim4 configuration file based on the 28.08.05 version by
 # ametzler
 # It is hand crafted, do not replace with anything generated by a config
@@ -119,6 +124,16 @@ RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
 hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
+tls_certificate = /etc/exim4/ssl/thishost.crt
+tls_privatekey = /etc/exim4/ssl/thishost.key
+.ifdef RELAY_HOST
+tls_try_verify_hosts = *
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
+.endif
+.endif
+
 #system_filter = /etc/exim4/filter
 #system_filter_file_transport = address_file
@@ -185,6 +200,9 @@ admin_groups = adm
 remote_sort_domains = *.debian.org:*.debian.net
 pipelining_advertise_hosts = !*
+.ifdef USE_TLS
+tls_advertise_hosts = *
+.endif
 smtp_enforce_sync = true
 log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
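Review bot: `tls_try_verify_hosts = *` in the RELAY_HOST branch makes client-certificate verification advisory only — a client whose certificate does not chain to /etc/exim4/ssl/ca.crt, or is listed in ca.crl, is still accepted, and only the verification result is recorded — so any ACL on the relay side that relies on the peer's identity must test `$tls_certificate_verified` rather than `$tls_peerdn` alone, and nothing in the hunk says so. I would add above the `.ifdef RELAY_HOST` line: `# Verification is try-verify: a failed or missing client cert is logged but the connection is NOT rejected; ACLs must check $tls_certificate_verified before trusting $tls_peerdn.` The hunk also introduces /etc/exim4/ssl/thishost.key without stating the expected owner and mode; presumably Puppet manages the file, but a one-line comment naming that would make the dependency explicit.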
@@ -408,7 +426,7 @@ check_recipient:
 defer !hosts = +debianhosts
 condition = ${if >{${eval:$acl_c1}}{0}}
 ratelimit = 10 / 60m / per_rcpt / $sender_host_address
- message = slow down (no reverse dns, or dialup)
+ message = slow down (no reverse dns, mismatched ehlo, dialup, or in blacklists)
 .ifdef HAVE_POLICYD
 # Check with policyd-weight - this only works with a version after etch's,
@@ -627,10 +645,12 @@ check_message:
 message = Blackisted URI found in body
 deny condition = ${if eq {$acl_m1}{DBSignedMail}}
- condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
- {!match {$message_body}{PGP SIGNED MESSAGE}} \
- {!match {$message_body}{PGP SIGNATURE}} \
- } \
+ condition = ${if and {{!match {$message_body}{PGP MESSAGE}} \
+ {!match {$message_body}{PGP SIGNED MESSAGE}} \
+ {!match {$message_body}{PGP SIGNATURE}} \
+ {!match {$header_content-type:}{multipart/signed}} \
+ {!match {$header_content-type:}{pgp}} \
+ } \
 }
 message = Mail to this address needs to be PGP-signed
@@ -1110,7 +1130,11 @@ address_reply:
 remote_smtp:
 driver = smtp
 connect_timeout = 1m
- hosts_avoid_tls = *
+.ifdef USE_TLS
+ tls_tempfail_tryclear = true
+ tls_certificate = /etc/exim4/ssl/thishost.crt
+ tls_privatekey = /etc/exim4/ssl/thishost.key
+.endif
 # Send the message to procmail
 procmail_pipe:
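Review bot: The two new `$header_content-type:` tests are case-sensitive — Exim's `match` only ignores case when the pattern starts with `(?i)` — while MIME media types are case-insensitive, so a legitimate `Content-Type: Multipart/Signed` message is still denied with "Mail to this address needs to be PGP-signed"; I would write them as `{!match {$header_content-type:}{(?i)multipart/signed}} \` and `{!match {$header_content-type:}{(?i)pgp}} \`. The whole condition is a presence heuristic rather than verification: any sender satisfies it by including the text "PGP SIGNATURE" or by setting a multipart/signed Content-Type, and the added header tests widen what is accepted, so a comment above the `deny` saying that this enforces only the form of a signed message, not a valid signature, would stop a later reader from treating it as an authentication control. How much of the body `$message_body` actually covers depends on the message_body_visible setting, which is not visible in this hunk. The enclosing check_message ACL starts outside the hunk.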
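Review bot: Removing `hosts_avoid_tls = *` unconditionally changes outbound behaviour for every host built from this file, not only USE_TLS ones: with the option gone, an Exim built with TLS support attempts STARTTLS whenever the peer advertises it, so non-USE_TLS hosts now also negotiate TLS, merely without a client certificate — if that is intended it deserves a comment, otherwise the old line belongs in an `.ifndef USE_TLS` branch. Inside the USE_TLS branch the transport presents a certificate and key but sets no `tls_verify_certificates`, and `tls_tempfail_tryclear = true` retries in clear when the TLS handshake fails, so this is opportunistic encryption only and an on-path attacker who breaks the handshake receives the message in plaintext. I would add above `tls_tempfail_tryclear`: `# Opportunistic TLS: the peer is not verified and a failed handshake falls back to clear, so this defeats passive eavesdropping, not active downgrade.` The remote_smtp transport continues outside the hunk.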