X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/aa6e77afb5ba7df42fcff06cac744b1f4a4105d2..a76f64c3d496f6e448db3fb0c88fb15c2d1d99db:/src/src/configure.default

diff --git a/src/src/configure.default b/src/src/configure.default
index 15ca3fdae..cf38305e5 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -9,7 +9,7 @@
 # configuration file. There are many more than are mentioned here. The
 # manual is in the file doc/spec.txt in the Exim distribution as a plain
 # ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
-# from the Exim ftp sites. The manual is also online at the Exim web sites.
+# from the Exim ftp sites. The manual is also online at the Exim website.
 
 
 # This file is divided into several parts, all but the first of which are
@@ -119,8 +119,11 @@ hostlist   relay_from_hosts = localhost
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
 
-acl_smtp_rcpt = acl_check_rcpt
-acl_smtp_data = acl_check_data
+acl_smtp_rcpt =         acl_check_rcpt
+.ifdef _HAVE_PRDR
+acl_smtp_data_prdr =    acl_check_prdr
+.endif
+acl_smtp_data =         acl_check_data
 
 # You should not change those settings until you understand how ACLs work.
 
@@ -262,8 +265,15 @@ dns_dnssec_ok = 1
 # Enable an efficiency feature.  We advertise the feature; clients
 # may request to use it.  For multi-recipient mails we then can
 # reject or accept per-user after the message is received.
+# This supports recipient-dependent content filtering; without it
+# you have to temp-reject any recipients after the first that have
+# incompatible filtering, and do the filtering in the data ACL.
+# Even with this enabled, you must support the old style for peers
+# not flagging support for PRDR (visible via $prdr_requested).
 #
+.ifdef _HAVE_PRDR
 prdr_enable = true
+.endif
 
 
 # By default, Exim expects all envelope addresses to be fully qualified, that
@@ -283,7 +293,7 @@ prdr_enable = true
 # detail than the default.  Adjust to suit.
 
 log_selector = +smtp_protocol_error +smtp_syntax_error \
-	+tls_certificate_verified
+        +tls_certificate_verified
 
 
 # If you want Exim to support the "percent hack" for certain domains,
@@ -473,8 +483,8 @@ acl_check_rcpt:
 
   # Insist that a HELO/EHLO was accepted.
 
-  require message	= nice hosts say HELO first
-          condition	= ${if def:sender_helo_name}
+  require message       = nice hosts say HELO first
+          condition     = ${if def:sender_helo_name}
 
   # Insist that any other recipient address that we accept is either in one of
   # our local domains, or is in a domain for which we explicitly allow
@@ -516,12 +526,45 @@ acl_check_rcpt:
   # require verify = csa
   #############################################################################
 
+  #############################################################################
+  # If doing per-user content filtering then recipients with filters different
+  # to the first recipient must be deferred unless the sender talks PRDR.
+  #
+  # defer  !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$receipients_count}}
+  #        condition      = ${if !eq {$acl_m_content_filter} \
+  #                                  {${lookup PER_RCPT_CONTENT_FILTER}}}
+  # warn   !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$receipients_count}}
+  #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #############################################################################
+
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
 
   accept
 
 
+# This ACL is used once per recipient, for multi-recipient messages, if
+# we advertised PRDR.  It can be used to perform receipient-dependent
+# header- and body- based filtering and rejections.
+# We set a variable to record that PRDR was active used, so that checking
+# in the data ACL can be skipped.
+
+.ifdef _HAVE_PRDR
+acl_check_prdr:
+  warn  set acl_m_did_prdr = y
+
+  #############################################################################
+  # do lookup on filtering, with $local_part@$domain, deny on filter match
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+  accept
+.endif
+
 # This ACL is used after the contents of a message have been received. This
 # is the ACL in which you can test a message's headers or body, and in
 # particular, this is where you can invoke external virus or spam scanners.
@@ -541,9 +584,9 @@ acl_check_data:
 
   # Deny if the headers contain badly-formed addresses.
   #
-  deny	  !verify =	header_syntax
-	  message =	header syntax
-	  log_message = header syntax ($acl_verify_message)
+  deny    !verify =     header_syntax
+          message =     header syntax
+          log_message = header syntax ($acl_verify_message)
 
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
@@ -561,6 +604,19 @@ acl_check_data:
   #                      X-Spam_bar: $spam_bar\n\
   #                      X-Spam_report: $spam_report
 
+  #############################################################################
+  # No more tests if PRDR was actively used.
+  # accept   condition  = ${if def:acl_m_did_prdr}
+  #
+  # To get here, all message recipients must have identical per-user
+  # content filtering (enforced by RCPT ACL).  Do lookup for filter
+  # and deny on match.
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+
   # Accept the message.
 
   accept
@@ -631,7 +687,6 @@ dnslookup:
   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
 # if ipv6-enabled then instead use:
 # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-  dnssec_request_domains = *
   no_more
 
 # This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
@@ -753,9 +808,8 @@ begin transports
 remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-.ifdef _HAVE_DANE
-  dnssec_request_domains = *
-  hosts_try_dane = *
+.ifdef _HAVE_PRDR
+  hosts_try_prdr = *
 .endif
 
 
@@ -795,6 +849,9 @@ smarthost_smtp:
   tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
 .endif
 .endif
+.ifdef _HAVE_PRDR
+  hosts_try_prdr = *
+.endif
 
 
 # This transport is used for local delivery to user mailboxes in traditional