diff options
Diffstat (limited to 'contrib/sendmail/cf/m4/proto.m4')
| -rw-r--r-- | contrib/sendmail/cf/m4/proto.m4 | 64 |
1 files changed, 49 insertions, 15 deletions
diff --git a/contrib/sendmail/cf/m4/proto.m4 b/contrib/sendmail/cf/m4/proto.m4 index 19a72f7..b3d81d1a 100644 --- a/contrib/sendmail/cf/m4/proto.m4 +++ b/contrib/sendmail/cf/m4/proto.m4 @@ -13,7 +13,7 @@ divert(-1) # divert(0) -VERSIONID(`$Id: proto.m4,v 8.649.2.5 2002/08/15 02:39:01 ca Exp $') +VERSIONID(`$Id: proto.m4,v 8.649.2.13 2002/12/04 00:12:18 ca Exp $') # level CF_LEVEL config file format V`'CF_LEVEL/ifdef(`VENDOR_NAME', `VENDOR_NAME', `Berkeley') @@ -205,11 +205,13 @@ ifdef(`_CERT_REGEX_SUBJECT_', `dnl KCERTSubject regex _CERT_REGEX_SUBJECT_', `dnl') ifdef(`LOCAL_RELAY', `dnl -# who I send unqualified names to (null means deliver locally) +# who I send unqualified names to if FEATURE(stickyhost) is used +# (null means deliver locally) DR`'LOCAL_RELAY') ifdef(`MAIL_HUB', `dnl -# who gets all local email traffic ($R has precedence for unqualified names) +# who gets all local email traffic +# ($R has precedence for unqualified names if FEATURE(stickyhost) is used) DH`'MAIL_HUB') # dequoting map @@ -630,9 +632,9 @@ _OPTION(Milter.macros.envfrom, `confMILTER_MACROS_ENVFROM', `') _OPTION(Milter.macros.envrcpt, `confMILTER_MACROS_ENVRCPT', `')') # CA directory -_OPTION(CACERTPath, `confCACERT_PATH', `') +_OPTION(CACertPath, `confCACERT_PATH', `') # CA file -_OPTION(CACERTFile, `confCACERT', `') +_OPTION(CACertFile, `confCACERT', `') # Server Cert _OPTION(ServerCertFile, `confSERVER_CERT', `') # Server private key @@ -1697,6 +1699,9 @@ ifdef(`_ACCESS_TABLE_', `dnl dnl workspace: {client_name} $| {client_addr} R$+ $| $+ $: $>D < $1 > <?> <+ Connect> < $2 > dnl workspace: <result-of-lookup> <{client_addr}> +dnl OR $| $+ if client_name is empty +R $| $+ $: $>A < $1 > <?> <+ Connect> <> empty client_name +dnl workspace: <result-of-lookup> <{client_addr}> R<?> <$+> $: $>A < $1 > <?> <+ Connect> <> no: another lookup dnl workspace: <result-of-lookup> (<>|<{client_addr}>) R<?> <$*> $: OK found nothing @@ -1841,7 +1846,7 @@ dnl accept unqualified sender: change mark to avoid test R$* u $* $| <?> $* $: <_RES_OK_> $3 dnl remove daemon_flags R$* $| $* $: $2 -R<?> $* $: < ? $&{client_name} > $1 +R<?> $* $: < ? $&{client_addr} > $1 R<?> $* $@ <_RES_OK_> ...local unqualed ok R<? $+> $* $#error $@ 5.5.4 $: "_CODE553 Domain name required for sender address " $&f ...remote is not') @@ -1896,7 +1901,7 @@ R$+ $: <?> $1 R<?> <$+> $: <@> <$1> R<?> $+ $: <@> <$1> R<@> < postmaster > $: postmaster -R<@> < $* @ $+ . $+ > $: < $3 @ $4 . $5 > +R<@> < $* @ $+ . $+ > $: < $1 @ $2 . $3 > dnl prepend daemon_flags R<@> $* $: $&{daemon_flags} $| <@> $1 dnl workspace: ${daemon_flags} $| <@> <address> @@ -2098,6 +2103,8 @@ SRelay_ok R$* $: $&{client_addr} R$@ $@ RELAY originated locally R0 $@ RELAY originated locally +R127.0.0.1 $@ RELAY originated locally +RIPv6:::1 $@ RELAY originated locally R$=R $* $@ RELAY relayable IP address ifdef(`_ACCESS_TABLE_', `dnl R$* $: $>A <$1> <?> <+ Connect> <$1> @@ -2147,7 +2154,11 @@ R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{c dnl ${client_resolve} should be OK, so go ahead R$* $: <@> $&{client_name} dnl should not be necessary since it has been done for client_addr already -R<@> $@ RELAY +dnl this rule actually may cause a problem if {client_name} resolves to "" +dnl however, this should not happen since the forward lookup should fail +dnl and {client_resolve} should be TEMP or FAIL. +dnl nevertheless, removing the rule doesn't hurt. +dnl R<@> $@ RELAY dnl workspace: <@> ${client_name} (not empty) # pass to name server to make hostname canonical R<@> $* $=P $:<?> $1 $2 @@ -2180,14 +2191,37 @@ R$* <@ $+ . > $1 <@ $2 > R$* <@ $* > $@ $1 <@ $2 > R$+ $@ $1 <@ $j > +SDelay_TLS_Client +# authenticated? +dnl code repeated here from Basic_check_mail +dnl only called from check_rcpt in delay mode if checkrcpt returns $# +R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL +R$* $| $#$+ $#$2 +dnl return result from checkrcpt +R$* $# $1 + +SDelay_TLS_Client2 +# authenticated? +dnl code repeated here from Basic_check_mail +dnl only called from check_rcpt in delay mode if stopping due to Friend/Hater +R$* $: $1 $| $>"tls_client" $&{verify} $| MAIL +R$* $| $#$+ $#$2 +dnl return result from friend/hater check +R$* $@ $1 + # call all necessary rulesets Scheck_rcpt dnl this test should be in the Basic_check_rcpt ruleset dnl which is the correct DSN code? # R$@ $#error $@ 5.1.3 $: "553 Recipient address required" + R$+ $: $1 $| $>checkrcpt $1 dnl now we can simply stop checks by returning "$# xyz" instead of just "ok" -R$+ $| $#$* $#$2 +dnl on error (or discard) stop now +R$+ $| $#error $* $#error $2 +R$+ $| $#discard $* $#discard $2 +dnl otherwise call tls_client; see above +R$+ $| $#$* $@ $>"Delay_TLS_Client" $2 R$+ $| $* $: <?> $>FullAddr $>CanonAddr $1 ifdef(`_SPAM_FH_', `dnl lookup user@ and user@address @@ -2207,15 +2241,15 @@ dnl', `dnl') ifdef(`_SPAM_FRIEND_', `# is the recipient a spam friend? ifdef(`_SPAM_HATER_', - `errprint(`*** ERROR: define either SpamHater or SpamFriend + `errprint(`*** ERROR: define either Hater or Friend -- not both. ')', `dnl') -R<FRIEND> $+ $@ SPAMFRIEND +R<FRIEND> $+ $@ $>"Delay_TLS_Client2" SPAMFRIEND R<$*> $+ $: $2', `dnl') ifdef(`_SPAM_HATER_', `# is the recipient no spam hater? R<HATER> $+ $: $1 spam hater: continue checks -R<$*> $+ $@ NOSPAMHATER everyone else: stop +R<$*> $+ $@ $>"Delay_TLS_Client2" NOSPAMHATER everyone else: stop dnl',`dnl') dnl run further checks: check_mail dnl should we "clean up" $&f? @@ -2685,12 +2719,12 @@ dnl cert subject R<CS:$&{cert_subject}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CS does not match dnl 1 2 3 4 -R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Subject " $&{cert_subject} " does not match " $1 +R<CS:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Subject " $&{cert_subject} " does not match " $1 dnl match, check rest R<CI:$&{cert_issuer}> $* $| <$+> $@ $>"TLS_req" $1 $| <$2> dnl CI does not match dnl 1 2 3 4 -R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " CERT Issuer " $&{cert_issuer} " does not match " $1 +R<CI:$+> $* $| <$-:$+> $#error $@ $4 $: $3 " Cert Issuer " $&{cert_issuer} " does not match " $1 dnl return from recursive call ROK $@ OK @@ -2719,7 +2753,7 @@ SRelayTLS # authenticated? dnl we do not allow relaying for anyone who can present a cert dnl signed by a "trusted" CA. For example, even if we put verisigns -dnl CA in CERTPath so we can authenticate users, we do not allow +dnl CA in CertPath so we can authenticate users, we do not allow dnl them to abuse our server (they might be easier to get hold of, dnl but anyway). dnl so here is the trick: if the verification succeeded |
