From 5321589156a326191f02125b89e15bbdaef5ea71 Mon Sep 17 00:00:00 2001 From: "Adam D. Barratt" Date: Sat, 12 Oct 2019 22:05:07 +0100 Subject: [PATCH] eximconf: re-do "enable greylisting for users with default options" The previous attempt failed due to the fact that the right-hand-side of match_* conditions is not expanded, for security reasons. Signed-off-by: Adam D. Barratt --- modules/exim/templates/eximconf.erb | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/modules/exim/templates/eximconf.erb b/modules/exim/templates/eximconf.erb index 10038ade4..d65b3c2f6 100644 --- a/modules/exim/templates/eximconf.erb +++ b/modules/exim/templates/eximconf.erb @@ -601,6 +601,13 @@ check_recipient: message = Different profile, please retry log_message = Only one profile at a time, please + # Set a flag to indicate whether the current recipient + # has explicitly requested greylisting + warn set acl_m_grey_recip = 0 + + warn local_parts = GREYLIST_LOCAL_PARTS + set acl_m_grey_recip = 1 + # Defer after too many bad RCPT TO's. Legit MTAs will retry later. # This is a rough pass at preventing address harvesting or other mail blasts. @@ -781,7 +788,11 @@ check_recipient: defer message = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. log_message = greylisted. - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } !senders = : !hosts = : +debianhosts : WHITELIST : \ ${if exists {/etc/greylistd/whitelist-hosts}\ @@ -815,7 +826,11 @@ check_recipient: condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } set acl_m_pgr = request=smtpd_access_policy\n\ protocol_state=RCPT\n\ protocol_name=${uc:$received_protocol}\n\ 
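Review bot: The flag set in the hunk at -601 records only the explicit GREYLIST_LOCAL_PARTS match, so the default-options half of the decision is repeated as the same five-line `or` in the hunks at -781, -815 and -840. Assuming HAS_DEFAULT_OPTIONS depends only on the current recipient, deciding once here would keep the three greylisting statements from drifting apart: add `warn condition = ${if bool_lax{HAS_DEFAULT_OPTIONS}}` with `set acl_m_grey_recip = 1` after the local_parts statement, and let the later statements test only `condition = ${if eq{$acl_m_grey_recip}{1}}`. The comment could also say why the reset is unconditional, e.g. `# acl_m_* variables keep their value across RCPT commands, so clear the flag for every recipient`. The check_recipient ACL starts and ends outside this hunk.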
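Review bot: `bool_lax{HAS_DEFAULT_OPTIONS}` in the new condition treats every value other than the empty string, `0`, `no` and `false` as true, and the same expression is repeated in the hunks at -815 and -840. The macro's definition is not part of this diff. If any branch of the template leaves it undefined, the literal name stays in the configuration and the test is true for every recipient, which would greylist all mail on that host. It is worth confirming that HAS_DEFAULT_OPTIONS is defined unconditionally and, if it always yields a yes/no-style value, using `bool{HAS_DEFAULT_OPTIONS}` so that an unexpected value fails the expansion instead of silently enabling greylisting. The defer statement continues past the end of the hunk.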
@@ -840,7 +855,11 @@ check_recipient: condition = ${if !eq {$acl_m_prf}{PopconMail}} !authenticated = * domains = +handled_domains - local_parts = GREYLIST_LOCAL_PARTS + condition = ${if or { \ + {eq{$acl_m_grey_recip}{1}} \ + {bool_lax{HAS_DEFAULT_OPTIONS}} \ + } \ + } condition = ${if eq{${uc:${substr_0_7:$acl_m_pgr}}}{PREPEND}} message = ${sg{$acl_m_pgr}{\N^\w+\s*\N}{}} -- 2.20.1