From f61543ea0f8fac424984d27b7effe4f26617eac3 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Mon, 22 May 2023 17:04:54 +0100
Subject: [PATCH] Fix Exim SRS configuration - smarthost delivery now works.

---
 states/email/exim4/conf.d/router/180_srs | 32 ++++++++--
 states/email/exim4/conf.d/transport/32_srs | 7 ---
 .../exim4/conf.d/transport/32_srs_remote_smtp | 62 +++++++++++++++++++
 .../transport/32_srs_remote_smtp_smarthost | 51 +++++++++++++++
 4 files changed, 140 insertions(+), 12 deletions(-)
 delete mode 100644 states/email/exim4/conf.d/transport/32_srs
 create mode 100644 states/email/exim4/conf.d/transport/32_srs_remote_smtp
 create mode 100644 states/email/exim4/conf.d/transport/32_srs_remote_smtp_smarthost

diff --git a/states/email/exim4/conf.d/router/180_srs b/states/email/exim4/conf.d/router/180_srs
index a2011e0..2b49d33 100644
--- a/states/email/exim4/conf.d/router/180_srs
+++ b/states/email/exim4/conf.d/router/180_srs
@@ -1,20 +1,40 @@
- outbound:
+fdef SRS_SECRET
+
+ .ifdef DCconfig_internet
+
+ outbound_srs:
+ debug_print = "R: SRS outbound for $local_part@$domain original $original_local_part@$original_domain"
  driver = dnslookup
  # if outbound, and forwarding has been done, use an alternate transport
  domains = ! +local_domains
- transport = ${if eq {$local_part@$domain} \
- {$original_local_part@$original_domain} \
- {remote_smtp} {remote_forwarded_smtp}}
+ condition = ${if !eq {$local_part@$domain} \
+ {$original_local_part@$original_domain}}
+ transport = {remote_forwarded_smtp}
+ .elifdef DCconfig_smarthost DCconfig_satellite
+
+ outbound_srs_smarthost:
+ debug_print = "R: SRS outbound smarthost for $local_part@$domain original $original_local_part@$original_domain"
+ driver = dnslookup
+ # if outbound, and forwarding has been done, use an alternate transport
+ domains = ! +local_domains
+ condition = ${if !eq {$local_part@$domain} \
+ {$original_local_part@$original_domain}}
+ transport = {remote_forwarded_smtp_smarthost}
+
+ .endif
+
 
  inbound_srs:
+ debug_print = "R: inbound_srs for $local_part@$domain"
  driver = redirect
  senders = :
  domains = +local_domains
  # detect inbound bounces which are SRS'd, and decode them
  condition = ${if inbound_srs {$local_part} {SRS_SECRET}}
  data = $srs_recipient
-
+
  inbound_srs_failure:
+ debug_print = "R: inbound_srs_failure for $local_part@$domain"
  driver = redirect
  senders = :
  domains = +local_domains
@@ -22,3 +42,5 @@
  condition = ${if inbound_srs {$local_part} {}}
  allow_fail
  data = :fail: Invalid SRS recipient address
+
+.endif
diff --git a/states/email/exim4/conf.d/transport/32_srs b/states/email/exim4/conf.d/transport/32_srs
deleted file mode 100644
index 8cc7678..0000000
--- a/states/email/exim4/conf.d/transport/32_srs
+++ /dev/null
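Review bot: `outbound_srs_smarthost` keeps `driver = dnslookup`, which selects the recipient domain's own MX/A hosts, and the `remote_forwarded_smtp_smarthost` transport it names sets no `hosts` option, so as far as this hunk shows forwarded mail in the smarthost/satellite case still goes straight to the destination MX rather than through the configured smarthost (unless the smarthost happens to be that MX); that bypasses whatever the smarthost enforces and makes the transport's passwd.client lookup match nothing. It should route the way the stock Debian smarthost router does, replacing the dnslookup line with `driver = manualroute`, `route_list = * DCsmarthost byname` and `host_find_failed = ignore`. Separately, the braces in `transport = {remote_forwarded_smtp}` and `transport = {remote_forwarded_smtp_smarthost}` are a leftover of the old `${if …}` form; the conventional `transport = remote_forwarded_smtp` avoids any doubt about the expanded name being matched literally against the transport list. The rest of the router file is outside this hunk.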
@@ -1,7 +0,0 @@
- # transport; should look like the non-forward outbound
- # one, plus the max_rcpt and return_path options
- remote_forwarded_smtp:
- driver = smtp
- # modify the envelope from, for mails that we forward
- max_rcpt = 1
- return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
diff --git a/states/email/exim4/conf.d/transport/32_srs_remote_smtp b/states/email/exim4/conf.d/transport/32_srs_remote_smtp
new file mode 100644
index 0000000..00755a8
--- /dev/null
+++ b/states/email/exim4/conf.d/transport/32_srs_remote_smtp
@@ -0,0 +1,62 @@
+# transport; should look like the non-forward outbound
+# one, plus the max_rcpt and return_path options
+remote_forwarded_smtp:
+ debug_print = "T: remote_forwarded_smtp for $local_part@$domain original domain $original_domain"
+ driver = smtp
+ # modify the envelope from, for mails that we forward
+ max_rcpt = 1
+ return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
+.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef REMOTE_SMTP_INTERFACE
+ interface = REMOTE_SMTP_INTERFACE
+.endif
+.ifdef DKIM_DOMAIN
+dkim_domain = DKIM_DOMAIN
+.endif
+.ifdef DKIM_SELECTOR
+dkim_selector = DKIM_SELECTOR
+.endif
+.ifdef DKIM_PRIVATE_KEY
+dkim_private_key = DKIM_PRIVATE_KEY
+.endif
+.ifdef DKIM_CANON
+dkim_canon = DKIM_CANON
+.endif
+.ifdef DKIM_STRICT
+dkim_strict = DKIM_STRICT
+.endif
+.ifdef DKIM_SIGN_HEADERS
+dkim_sign_headers = DKIM_SIGN_HEADERS
+.endif
+.ifdef DKIM_TIMESTAMPS
+dkim_timestamps = DKIM_TIMESTAMPS
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
+ hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+ headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
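Review bot: The `.ifdef REMOTE_SMTP_RETURN_PATH` / `return_path = REMOTE_SMTP_RETURN_PATH` block copied from the plain remote_smtp transport sets `return_path` a second time in this driver, after the `${srs_encode …}` line that is the whole reason this transport exists; Exim refuses a driver option set twice ("option set for the second time"), and even if it did not the later setting would discard the SRS rewrite. Drop those three lines from this file, since an operator-supplied return path and SRS encoding cannot both apply here. Also, unlike the router file, nothing here is wrapped in `.ifdef SRS_SECRET` … `.endif`; with the macro undefined the transport still loads and `srs_encode {SRS_SECRET}` would use the literal text as the HMAC secret, so the same guard belongs around this file to keep the two consistent and make a missing secret a visible failure rather than a weak one.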
diff --git a/states/email/exim4/conf.d/transport/32_srs_remote_smtp_smarthost b/states/email/exim4/conf.d/transport/32_srs_remote_smtp_smarthost
new file mode 100644
index 0000000..283ee83
--- /dev/null
+++ b/states/email/exim4/conf.d/transport/32_srs_remote_smtp_smarthost
@@ -0,0 +1,51 @@
+# transport; should look like the non-forward outbound
+# one, plus the max_rcpt and return_path options
+remote_forwarded_smtp_smarthost:
+ debug_print = "T: remote_forwarded_smtp_smarthost for $local_part@$domain original domain $original_domain"
+ driver = smtp
+ # modify the envelope from, for mails that we forward
+ max_rcpt = 1
+ return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
+ multi_domain
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
+ hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
+ {\
+ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
+ }\
+ {} \
+ }
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+ hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+ tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+ tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+ headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
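Review bot: The `.ifdef REMOTE_SMTP_RETURN_PATH` / `return_path = REMOTE_SMTP_RETURN_PATH` block, inherited from the stock smarthost transport, assigns `return_path` a second time in this driver after the `${srs_encode …}` line near the top; Exim rejects a driver option set twice, and if it did not the SRS-encoded envelope sender would simply be overwritten, so those three lines should be removed from this transport. `multi_domain` is also redundant alongside `max_rcpt = 1`, since each delivery then carries a single recipient and `$domain` in the debug_print is always single-valued; dropping it makes the intent clearer. Finally, this file has no `.ifdef SRS_SECRET` guard as the router file does, so with the macro undefined `srs_encode {SRS_SECRET}` would sign with the literal string; wrapping the file in `.ifdef SRS_SECRET` … `.endif` turns that into a loud config error instead.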