X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fexim%2Ffiles%2Fcommon%2Fexim4.conf;h=979cefac47194496ba28eba757fd6b638da0eb64;hb=c3b45e9d62f33d4825f42829e150be6a6ab1a85f;hp=c9e1e0253b588ea30bd079a42480e6c8f11c5b74;hpb=4f85b7c40485b024bebeeed0c28745bc6c1deaf0;p=mirror%2Fdsa-puppet.git
diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf
index c9e1e0253..979cefac4 100644
--- a/modules/exim/files/common/exim4.conf
+++ b/modules/exim/files/common/exim4.conf
@@ -39,6 +39,12 @@
 # us. This is primarily only usefull for emergancy 'queue
 # flushing' operations, but should be populated with a list
 # of trusted machines. Wildcards are not permitted
+# mailhubdomains - Domains for which we are the MX, but the mail is relayed
+# elsewhere. This is designed for use with small volume or
+# restricted machines that need to use a smarthost for mail
+# traffic. We will relay for them based on ssl cert validation
+# but we need to teach exim how to route the mail to them. This is
+# that list.
 # The division of files is designed so that all hosts may share rcpthosts
 # and relayhosts, these could be replicated automatically if necessary.
@@ -115,6 +121,7 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers
 # accept mail for them.
 domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
 hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+domainlist mailhubdomains = lsearch;/etc/exim4/mailertable
 .ifndef RESERVEDADDRS
 RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
@@ -124,11 +131,12 @@ RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
 hostlist reservedaddrs = RESERVEDADDRS
+.ifdef USE_TLS
 tls_certificate = /etc/exim4/ssl/thishost.crt
 tls_privatekey = /etc/exim4/ssl/thishost.key
-.ifdef RELAY_HOST
 tls_try_verify_hosts = *
-tls_verify_certificates = /etc/exim4/ssl/client_certs.pem
+tls_verify_certificates = /etc/exim4/ssl/ca.crt
+tls_crl = /etc/exim4/ssl/ca.crl
 .endif
 #system_filter = /etc/exim4/filter
@@ -189,7 +197,7 @@ queue_list_requires_admin = false
 av_scanner = CLAMAV
 .endif
-.ifdef HAVE_USER_DEBBUGS
+.ifdef HAVE_USER_DEBBUGS MAIL_RELAY
 daemon_smtp_ports = 25 : 587
 .endif
@@ -197,7 +205,9 @@ admin_groups = adm
 remote_sort_domains = *.debian.org:*.debian.net
 pipelining_advertise_hosts = !*
+.ifdef USE_TLS
 tls_advertise_hosts = *
+.endif
 smtp_enforce_sync = true
 log_selector = +tls_cipher +tls_peerdn +queue_time +deliver_time +smtp_connection +smtp_incomplete_transaction +smtp_confirmation
@@ -309,6 +319,10 @@ check_submission:
 # Defer after too many bad RCPT TO's. Legit MTAs will retry later.
 # This is a rough pass at preventing addres harvesting or other mail blasts.
+.ifdef MAIL_RELAY
+  accept verify = certificate
+.endif
+
 defer log_message = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
   message = Too many bad recipients, try again later
   condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
@@ -327,6 +341,10 @@ check_submission:
 #!!# ACL that is used after the RCPT command
 check_recipient:
+.ifdef MAIL_RELAY
+  accept verify = certificate
+.endif
+
 # Defer after too many bad RCPT TO's. Legit MTAs will retry later.
 # This is a rough pass at preventing addres harvesting or other mail blasts.
@@ -604,6 +622,11 @@ check_recipient:
   !hosts = +debianhosts : WHITELIST
   !verify = sender/callout
+  accept domains = +mailhubdomains
+    endpass
+    message = unknown user
+    verify = recipient/callout,defer_ok
+
   accept domains = +handled_domains
     endpass
     message = unknown user
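Review bot: Setting `tls_crl` ties every client-certificate verification to the CRL being current: in my experience with OpenSSL's CRL checking an expired CRL (one past its nextUpdate) is itself a verification error, so all `accept verify = certificate` relaying in the ACL hunks below stops until a fresh ca.crl is published, and the remote_smtp hunk in the transports section uses the same file. That is fail-closed, which is the right direction, but CRL regeneration and distribution then has to be part of the CA procedure, and I'd document it at the option: `# ca.crl must be refreshed before its nextUpdate or every certificate verification fails`. Note also that the RELAY_HOST guard is gone, so every USE_TLS host now requests a client certificate from all peers; with tls_try_verify_hosts = * an unverified peer still connects and simply does not get $tls_certificate_verified set, which is what the relay ACLs key on, so this is fine as long as nobody later turns it into tls_verify_hosts without meaning to reject all unauthenticated SMTP.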
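Review bot: `.ifdef HAVE_USER_DEBBUGS MAIL_RELAY` puts two macro names on one `.ifdef`; Exim's conditional directive is documented with a single macro name, and I do not believe a second name on the line is evaluated as an OR — it is either ignored or rejected at startup, so MAIL_RELAY hosts may not actually listen on 587 (or exim may refuse the configuration). If the intent is "either macro is defined", use two conditionals so daemon_smtp_ports is set exactly once: `.ifdef HAVE_USER_DEBBUGS` … `.elifdef MAIL_RELAY` … `.endif`, or define one combined macro on the hosts that need it. Worth checking with `exim -bV -C` on a MAIL_RELAY host before rollout.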
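Review bot: `accept verify = certificate` is an unconditional accept, so any client presenting a certificate that chains to /etc/exim4/ssl/ca.crt (and is not on ca.crl) may relay to any recipient, and in check_recipient it is the first statement of the ACL, so such clients also skip every later check there, including recipient verification for local domains, as far as the hunk shows. That makes the CA behind ca.crt the entire relay-authorisation boundary: if ca.crt is, or ever grows into, a broader CA than the set of mailhub clients, every certificate holder has an open relay. I'd pair the certificate check with a host or peer restriction and make the decision auditable, e.g. `accept verify = certificate` / `hosts = +mailhub_clients` / `logwrite = relay accepted for cert $tls_peerdn` (mailhub_clients is a constructed hostlist name). The same statement is added in the check_recipient hunk that follows; the remarks apply there too.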
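Review bot: `verify = recipient/callout,defer_ok` for +mailhubdomains means a callout that cannot complete (hub down, timeout) counts as a valid recipient, so the message is accepted and queued instead of being rejected at RCPT; that is a reasonable availability trade-off for small hubs, but it deserves a comment so nobody later reads this block as a strict unknown-user check, e.g. `# defer_ok: if the hub does not answer the callout the recipient is assumed to exist`. The callout itself goes through the relay_manualroute router and the remote_smtp transport added later in this commit, so its success also depends on the TLS settings changed there.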
@@ -720,6 +743,13 @@ begin routers
 # An address is passed to each in turn until it is accepted.
 #
 ######################################################################
+relay_manualroute:
+  driver = manualroute
+  domains = +mailhubdomains
+  transport = remote_smtp
+  route_data = ${lookup{$domain}lsearch{/etc/exim4/mailertable}}
+  require_files = /etc/exim4/mailertable
+
 bsmtp:
   debug_print = "R: bsmtp for $local_part@$domain"
   driver = manualroute
@@ -1125,9 +1155,13 @@ address_reply:
 remote_smtp:
   driver = smtp
   connect_timeout = 1m
+.ifdef USE_TLS
   tls_tempfail_tryclear = true
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
+  tls_verify_certificates = /etc/exim4/ssl/ca.crt
+  tls_crl = /etc/exim4/ssl/ca.crl
+.endif
 # Send the message to procmail
 procmail_pipe:
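Review bot: relay_manualroute sends mailhub traffic through the shared remote_smtp transport, and the remote_smtp hunk below adds `tls_verify_certificates = /etc/exim4/ssl/ca.crt` and `tls_crl` to that transport, so the private CA becomes the verification anchor for every outbound delivery, not just for the hubs, and no public MTA will verify against it. How a failed verification is handled on the client side depends on the Exim version (older releases abort the TLS session, newer ones only verify strictly for hosts in tls_verify_hosts), and together with the existing `tls_tempfail_tryclear = true` an abort would mean retrying Internet hosts in the clear — I cannot confirm the version from the diff, so treat this as something to verify. I'd give the router its own transport that verifies strictly against the private CA and leave remote_smtp unchanged; mailhub_smtp below is a constructed name, and tls_verify_hosts should only be used where the installed Exim supports it. The route_data lookup and the mailhubdomains domainlist read the same /etc/exim4/mailertable, which is consistent, so the router part of the fence is only the transport change.

```exim
relay_manualroute:
  driver = manualroute
  domains = +mailhubdomains
  transport = mailhub_smtp
  # … unchanged: route_data, require_files …

# Dedicated transport for the mailhubs: TLS is mandatory and the peer must
# verify against the private CA; the public remote_smtp transport is untouched.
mailhub_smtp:
  driver = smtp
  connect_timeout = 1m
  hosts_require_tls = *
  tls_certificate = /etc/exim4/ssl/thishost.crt
  tls_privatekey = /etc/exim4/ssl/thishost.key
  tls_verify_certificates = /etc/exim4/ssl/ca.crt
  tls_crl = /etc/exim4/ssl/ca.crl
  tls_verify_hosts = *
```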