From: Philip Hazel Date: Thu, 27 Jul 2006 10:36:34 +0000 (+0000) Subject: Re-jigged the order of the tests in the default configuration so that X-Git-Tag: exim-4_63~6 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/9ecb03f392a171ae1f3f945e783c5d2c3b847c29 Re-jigged the order of the tests in the default configuration so that the tests for valid domains and recipients precede the DNS black list and CSA tests, on the grounds that those ones are more expensive. --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8ec3d8865..c3f20ab70 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.381 2006/07/27 10:13:52 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.382 2006/07/27 10:36:34 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -131,6 +131,10 @@ PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is values for $authenticated_id and $authenticated_sender (but permit -oMai and -oMas) when testing with -bh. +PH/24 Re-jigged the order of the tests in the default configuration so that the + tests for valid domains and recipients precede the DNS black list and CSA + tests, on the grounds that those ones are more expensive. + Exim version 4.62 ----------------- diff --git a/src/src/configure.default b/src/src/configure.default index 9ae20dae9..3fb0ffa28 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -1,4 +1,4 @@ -# $Cambridge: exim/src/src/configure.default,v 1.9 2006/07/07 13:54:32 ph10 Exp $ +# $Cambridge: exim/src/src/configure.default,v 1.10 2006/07/27 10:36:34 ph10 Exp $ ###################################################################### # Runtime configuration file for Exim # @@ -380,6 +380,21 @@ acl_check_rcpt: accept authenticated = * control = submission + # Insist that any other recipient address that we accept is either in one of + # our local domains, or is in a domain for which we explicitly allow + # relaying. Any other domain is rejected as being unacceptable for relaying. + + require message = relay not permitted + domains = +local_domains : +relay_domains + + # We also require all accepted addresses to be verifiable. This check will + # do local part verification for local domains, but only check the domain + # for remote domains. The only way to check local parts for the remote + # relay domains is to use a callout (add /callout), but please read the + # documentation about callouts before doing this. + + require verify = recipient + ############################################################################# # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two @@ -405,26 +420,10 @@ acl_check_rcpt: # require verify = csa ############################################################################# - # Accept if the address is in a local domain, but only if the recipient can - # be verified. Otherwise deny. The "endpass" line is the border between - # passing on to the next ACL statement (if tests above it fail) or denying - # access (if tests below it fail). - - accept domains = +local_domains - endpass - verify = recipient + # At this point, the address has passed all the checks that have been + # configured, so we accept it unconditionally. - # Accept if the address is in a domain for which we are an incoming relay, - # but again, only if the recipient can be verified. - - accept domains = +relay_to_domains - endpass - verify = recipient - - # Reaching the end of the ACL causes a "deny", but we might as well give - # an explicit message. - - deny message = relay not permitted + accept # This ACL is used after the contents of a message have been received. This