Allow relaying by certs

[dsa-puppet.git] / modules / exim / files / common / exim4.conf

diff --git a/modules/exim/files/common/exim4.conf b/modules/exim/files/common/exim4.conf
index f9e3ad56ae6ceba2aafb0d153905aa35c9144aaa..979cefac47194496ba28eba757fd6b638da0eb64 100644 (file)
--- a/modules/exim/files/common/exim4.conf
+++ b/modules/exim/files/common/exim4.conf
@@ -39,6 +39,12 @@
 #           us. This is primarily only usefull for emergancy 'queue
 #           flushing' operations, but should be populated with a list
 #           of trusted machines. Wildcards are not permitted
+#  mailhubdomains - Domains for which we are the MX, but the mail is relayed
+#           elsewhere.  This is designed for use with small volume or
+#           restricted machines that need to use a smarthost for mail
+#           traffic.  We will relay for them based on ssl cert validation
+#           but we need to teach exim how to route the mail to them.  This is
+#           that list.
 # The division of files is designed so that all hosts may share rcpthosts
 # and relayhosts, these could be replicated automatically if necessary.
 
@@ -115,6 +121,7 @@ localpartlist local_only_users = lsearch;/etc/exim4/localusers
 # accept mail for them.
 domainlist rcpthosts = partial-lsearch;/etc/exim4/rcpthosts
 hostlist debianhosts = 127.0.0.1 : net-lsearch;/var/lib/misc/thishost/debianhosts
+domainlist mailhubdomains = lsearch;/etc/exim4/mailertable
 
 .ifndef RESERVEDADDRS
 RESERVEDADDRS = 0.0.0.0/8 : 127.0.0.0/8 : 10.0.0.0/8 : 169.254.0.0/16 : \
@@ -190,7 +197,7 @@ queue_list_requires_admin = false
 av_scanner = CLAMAV
 .endif
 
-.ifdef HAVE_USER_DEBBUGS
+.ifdef HAVE_USER_DEBBUGS MAIL_RELAY
 daemon_smtp_ports = 25 : 587
 .endif
 
@@ -312,6 +319,10 @@ check_submission:
   # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
   # This is a rough pass at preventing addres harvesting or other mail blasts.
 
+.ifdef MAIL_RELAY
+  accept  verify   = certificate
+.endif
+
   defer  log_message   = Too many bad recipients ${eval:$rcpt_fail_count} out of $rcpt_count
          message       = Too many bad recipients, try again later
          condition     = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
@@ -330,6 +341,10 @@ check_submission:
 #!!# ACL that is used after the RCPT command
 check_recipient:
 
+.ifdef MAIL_RELAY
+  accept  verify   = certificate
+.endif
+
   # Defer after too many bad RCPT TO's.  Legit MTAs will retry later.
   # This is a rough pass at preventing addres harvesting or other mail blasts.
 
@@ -607,6 +622,11 @@ check_recipient:
           !hosts   = +debianhosts : WHITELIST
          !verify  = sender/callout
 
+  accept  domains  = +mailhubdomains
+          endpass
+         message  = unknown user
+         verify   = recipient/callout,defer_ok
+
   accept  domains  = +handled_domains
           endpass
          message  = unknown user
@@ -723,6 +743,13 @@ begin routers
 #     An address is passed to each in turn until it is accepted.     #
 ######################################################################
 
+relay_manualroute:
+  driver = manualroute
+  domains = +mailhubdomains
+  transport = remote_smtp
+  route_data = ${lookup{$domain}lsearch{/etc/exim4/mailertable}}
+  require_files = /etc/exim4/mailertable
+
 bsmtp:
   debug_print = "R: bsmtp for $local_part@$domain"
   driver = manualroute
@@ -1132,6 +1159,8 @@ remote_smtp:
   tls_tempfail_tryclear = true
   tls_certificate = /etc/exim4/ssl/thishost.crt
   tls_privatekey = /etc/exim4/ssl/thishost.key
+  tls_verify_certificates = /etc/exim4/ssl/ca.crt
+  tls_crl = /etc/exim4/ssl/ca.crl
 .endif
 
 # Send the message to procmail