From 5de37277102d8c5afce49171c75ced28af2363fe Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Tue, 11 Oct 2005 09:30:41 +0000 Subject: [PATCH] In the default configuration, move the relay_from_hosts and authenticated client checks to before the DNS black list checks. --- doc/doc-misc/WishList | 10 +------- doc/doc-txt/ChangeLog | 10 +++++++- src/src/configure.default | 49 ++++++++++++++++++++------------------- 3 files changed, 35 insertions(+), 34 deletions(-) diff --git a/doc/doc-misc/WishList b/doc/doc-misc/WishList index bd618be74..1fbe547bf 100644 --- a/doc/doc-misc/WishList +++ b/doc/doc-misc/WishList @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-misc/WishList,v 1.52 2005/10/10 08:23:44 ph10 Exp $ +$Cambridge: exim/doc/doc-misc/WishList,v 1.53 2005/10/11 09:30:41 ph10 Exp $ EXIM 4 WISH LIST ---------------- @@ -1928,14 +1928,6 @@ This is probably a longish-term thing at the moment. Quotas over 2G are now supported, but not individual messages; no doubt one day this will be wanted. ------------------------------------------------------------------------------ -(335) 14-Jun-05 T Re-arrange default configuration - -A small niggle which might be worth fixing is the ordering of the ACL in the -default configuration file. The relay_from_hosts and authenticated clauses -would be better off before the dnslists examples. However, this should be left -until a x.x0 release, because of the documentation implications. ------------------------------------------------------------------------------- - (336) 16-Jun-05 M Show recipient(s) after header check failure The mainlog line for "There is no valid sender in any header line" shows the diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 48cd6b2a3..ce07ecec2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -1,8 +1,16 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.245 2005/10/04 08:54:33 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.246 2005/10/11 09:30:41 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- +Exim version 4.60 +----------------- + +PH/01 In the default runtime configuration, move the checks for + relay_from_hosts and authenticated clients from after to before the + (commented out) DNS black list checks. + + Exim version 4.54 ----------------- diff --git a/src/src/configure.default b/src/src/configure.default index da3f99601..0a10ee9b9 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -1,4 +1,4 @@ -# $Cambridge: exim/src/src/configure.default,v 1.3 2005/05/10 14:48:07 ph10 Exp $ +# $Cambridge: exim/src/src/configure.default,v 1.4 2005/10/11 09:30:41 ph10 Exp $ ###################################################################### # Runtime configuration file for Exim # 
@@ -310,11 +310,29 @@ acl_check_rcpt: require verify = sender + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. Recipient verification is omitted here, because in many + # cases the clients are dumb MUAs that don't cope well with SMTP error + # responses. If you are actually relaying out from MTAs, you should probably + # add recipient verification here. Note that, by putting this test before + # any DNS black list checks, you will always accept from these hosts, even + # if they end up on a black list. The assumption is that they are your + # friends, and if they get onto a black list, it is a mistake. + + accept hosts = +relay_from_hosts + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted. And again, we do this check before any black list + # tests. + + accept authenticated = * + ############################################################################# - # There are no checks on DNS "black" lists because the domains that contain - # these lists are changing all the time. However, here are two examples of - # how you could get Exim to perform a DNS black list lookup at this point. - # The first one denies, while the second just warns. + # There are no default checks on DNS black lists because the domains that + # contain these lists are changing all the time. However, here are two + # examples of how you can get Exim to perform a DNS black list lookup at this + # point. The first one denies, whereas the second just warns. # # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # dnslists = black.list.example 
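Review bot: The comment added above `accept hosts = +relay_from_hosts` explains the bypass of the DNS black list checks, but it does not say that the two relocated accept statements now end ACL processing before every later statement in acl_check_rcpt. That appears to include the `verify = recipient` tests for +local_domains and +relay_to_domains, which the hunk at -344 shows them previously following. For relay hosts and authenticated clients, mail to a non-existent local recipient would then presumably be accepted and bounced later instead of being rejected at RCPT time, and any check an administrator adds further down will not apply to them. I would extend the comment with something like `# Note also that no later statement in this ACL (including recipient verification for local domains) is applied to these hosts, so keep relay_from_hosts narrow and put any check that must apply to them above this point.` and add the same reminder over `accept authenticated = *`. The body of acl_check_rcpt starts before and continues after this hunk.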
@@ -344,30 +362,13 @@ acl_check_rcpt: endpass verify = recipient - # Accept if the address is in a domain for which we are relaying, but again, - # only if the recipient can be verified. + # Accept if the address is in a domain for which we are an incoming relay, + # but again, only if the recipient can be verified. accept domains = +relay_to_domains endpass verify = recipient - # If control reaches this point, the domain is neither in +local_domains - # nor in +relay_to_domains. - - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. Recipient verification is omitted here, because in many - # cases the clients are dumb MUAs that don't cope well with SMTP error - # responses. If you are actually relaying out from MTAs, you should probably - # add recipient verification here. - - accept hosts = +relay_from_hosts - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted. - - accept authenticated = * - # Reaching the end of the ACL causes a "deny", but we might as well give # an explicit message. -- 2.30.2