eximconf: re-do "enable greylisting for users with default options"
authorAdam D. Barratt <adam@adam-barratt.org.uk>
Sat, 12 Oct 2019 21:05:07 +0000 (22:05 +0100)
committerAdam D. Barratt <adam@adam-barratt.org.uk>
Sat, 12 Oct 2019 21:05:07 +0000 (22:05 +0100)
The previous attempt failed due to the fact that the right-hand-side
of match_* conditions is not expanded, for security reasons.

Signed-off-by: Adam D. Barratt <adam@adam-barratt.org.uk>
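--- a/modules/exim/templates/eximconf.erb
+++ b/modules/exim/templates/eximconf.erb
@@ -601,6 +601,13 @@ check_recipient:
           message       = Different profile, please retry
           log_message   = Only one profile at a time, please
 
+  # Set a flag to indicate whether the current recipient
+  # has explicitly requested greylisting
+  warn    set acl_m_grey_recip = 0
+
+  warn    local_parts   = GREYLIST_LOCAL_PARTS
+          set acl_m_grey_recip = 1
+
   # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
   # This is a rough pass at preventing address harvesting or other mail blasts.
 
@@ -781,7 +788,11 @@ check_recipient:
   defer
     message  = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>.
     log_message = greylisted.
-    local_parts    = GREYLIST_LOCAL_PARTS
+    condition      = ${if or { \
+                                 {eq{$acl_m_grey_recip}{1}} \
+                                 {bool_lax{HAS_DEFAULT_OPTIONS}} \
+                             } \
+                      }
     !senders       = :
     !hosts         = : +debianhosts : WHITELIST : \
                      ${if exists {/etc/greylistd/whitelist-hosts}\
@@ -815,7 +826,11 @@ check_recipient:
     condition      = ${if !eq {$acl_m_prf}{PopconMail}}
     !authenticated = *
     domains        = +handled_domains
-    local_parts    = GREYLIST_LOCAL_PARTS
+    condition      = ${if or { \
+                                 {eq{$acl_m_grey_recip}{1}} \
+                                 {bool_lax{HAS_DEFAULT_OPTIONS}} \
+                             } \
+                      }
     set acl_m_pgr  = request=smtpd_access_policy\n\
                      protocol_state=RCPT\n\
                      protocol_name=${uc:$received_protocol}\n\
@@ -840,7 +855,11 @@ check_recipient:
     condition      = ${if !eq {$acl_m_prf}{PopconMail}}
     !authenticated = *
     domains        = +handled_domains
-    local_parts    = GREYLIST_LOCAL_PARTS
+    condition      = ${if or { \
+                                 {eq{$acl_m_grey_recip}{1}} \
+                                 {bool_lax{HAS_DEFAULT_OPTIONS}} \
+                             } \
+                      }
     condition      = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}}
     message        = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}}
 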
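Review bot: The three new `condition` blocks (the `defer` at -781 and the statements at -815 and -840) pass HAS_DEFAULT_OPTIONS through `bool_lax`, which treats every string other than empty, `0`, `no` and `false` as true. The macro's definition is outside these hunks, so this is hedged: if it were ever undefined (left as its literal name) or expanded to an unexpected value, all three statements would match every recipient and greylisting would apply to everyone. If the macro always yields a strict boolean string, `{bool{HAS_DEFAULT_OPTIONS}}` should make a malformed value fail the expansion instead of matching silently; otherwise a comment beside the expression stating the expected values would do. The identical five-line expression is repeated three times and could be evaluated once beside the new `warn` statements and stored in a flag that the later statements test. It would also help to extend the comment above `warn    set acl_m_grey_recip = 0` to say that `acl_m_` variables persist across RCPT commands within a message, so the reset must stay unconditional and ahead of the `local_parts` match.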