authorroot2017-03-29 16:15:05 +0200
committerroot2017-03-29 16:15:05 +0200
commit331920130ed209be03c6dbd06b90ba34a6a4817b (patch)
treea79e5e1435163dc3d8329c7d7ea54f5416fb6011
parent14e2800f5242bdb1ecedb5253de2a43948e55e14 (diff)
Correct error message evaluation order
-rw-r--r--conf.d/020_acl.conf89
1 files changed, 41 insertions, 48 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index a909910..1701a12 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -10,22 +10,18 @@ begin acl
10# GENERAL CHECK ACLs # 10# GENERAL CHECK ACLs #
11###################### 11######################
12 12
13# Ensures that the remote host has introduced itself.
14acl_check_rcpt_introduction: 13acl_check_rcpt_introduction:
15 14
16 # Insist that a HELO/EHLO was accepted. 15 require set acl_m_msg = HELO/EHLO command required.
17 require condition = ${if def:sender_helo_name} 16 condition = ${if def:sender_helo_name}
18 set acl_m_msg = HELO/EHLO command required.
19 17
20 accept 18 accept
21 19
22 20
23# Syntactic validation of fields.
24acl_check_rcpt_syntax: 21acl_check_rcpt_syntax:
25 22
26 # Deny if the local parts is malformed. 23 deny set acl_m_msg = Invalid local part.
27 deny local_parts = ^[.] : ^.*[@%!/|] 24 local_parts = ^[.] : ^.*[@%!/|]
28 set acl_m_msg = Invalid local part.
29 25
30 accept 26 accept
31 27
@@ -36,10 +32,8 @@ acl_check_rcpt_syntax:
36acl_check_alias: 32acl_check_alias:
37 33
38 # Accept if the alias belongs to the user. 34 # Accept if the alias belongs to the user.
39 accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} \ 35 accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
40 {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
41 36
42 # Deny otherwise
43 deny 37 deny
44 38
45 39
@@ -83,38 +77,38 @@ acl_check_rcpt_host_policy:
83 77
84acl_mua_rcpt: 78acl_mua_rcpt:
85 79
86 require encrypted = * 80 require message = Encrypted session required for message submission.
87 message = Encryption required. 81 encrypted = *
88 82
89 require acl = acl_check_rcpt_introduction 83 require message = Courtesy protocol violation: $acl_m_msg
90 message = Courtesy protocol violation: $acl_m_msg 84 acl = acl_check_rcpt_introduction
91 85
92 require authenticated = * 86 require message = Authentication required for message submission.
87 authenticated = *
93 control = submission 88 control = submission
94 control = dkim_disable_verify 89 control = dkim_disable_verify
95 message = Authentication required.
96 90
97 require acl = acl_check_rcpt_syntax 91 require message = Syntactic validation failed: $acl_m_msg
98 message = Syntactic validation failed: $acl_m_msg 92 acl = acl_check_rcpt_syntax
99 93
100 require verify = sender 94 require message = Sender verification failed.
101 message = Sender verification failed. 95 verify = sender
102 96
103 accept 97 accept
104 98
105 99
106acl_mua_mail: 100acl_mua_mail:
107 101
108 require acl = acl_check_alias $sender_address $authenticated_id 102 require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
109 message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. 103 acl = acl_check_alias $sender_address $authenticated_id
110 104
111 accept 105 accept
112 106
113 107
114acl_mua_data: 108acl_mua_data:
115 109
116 require acl = acl_check_alias ${address:$h_from:} $authenticated_id 110 require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
117 message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. 111 acl = acl_check_alias ${address:$h_from:} $authenticated_id
118 112
119 accept 113 accept
120 114
@@ -125,49 +119,48 @@ acl_mua_data:
125 119
126acl_mta_rcpt: 120acl_mta_rcpt:
127 121
128 require acl = acl_check_rcpt_introduction 122 require message = Courtesy protocol violation: $acl_m_msg
129 message = Courtesy protocol violation: $acl_m_msg 123 acl = acl_check_rcpt_introduction
130 124
131 require acl = acl_check_rcpt_host_policy 125 require message = $acl_m_msg
132 message = $acl_m_msg 126 acl = acl_check_rcpt_host_policy
133 127
134 require acl = acl_check_rcpt_syntax 128 require message = Syntactic validation failed: $acl_m_msg
135 message = Syntactic validation failed: $acl_m_msg 129 acl = acl_check_rcpt_syntax
136 130
137 require verify = sender 131 require message = Sender verification failed.
138 message = Sender verification failed. 132 verify = sender
139 133
140 require domains = +local_domains : +relay_to_domains 134 require message = Unhandled destination.
141 message = Unhandled destination. 135 domains = +local_domains : +relay_to_domains
142 136
143 require verify = recipient 137 require message = Recipient verification failed.
144 message = Recipient verification failed. 138 verify = recipient
145 139
146 accept 140 accept
147 141
148 142
149acl_mta_data: 143acl_mta_data:
150 144
151 # Deny if the message contains an overlong line. Per the standards we should never receive one such via SMTP. 145 deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
152 deny condition = ${if > {$max_received_linelength}{998}} 146 condition = ${if > {$max_received_linelength}{998}}
153 set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
154 147
155 accept 148 accept
156 149
157 150
158# Checks the validity of each signatures in the message, and the presence of a required signature for the sender domain. 151# Checks the validity of each signatures in the message,
159# Global var to enable mandatory signature check: dkim_verify_signers = $sender_address_domain:$dkim_signers 152# and the presence of a required signature for the sender domain.
153# Global var to enable mandatory signature check:
154# dkim_verify_signers = $sender_address_domain:$dkim_signers
160acl_mta_dkim: 155acl_mta_dkim:
161 156
162 # Deny messages with invalid signatures. 157 deny message = [DKIM] invalid signature ($dkim_verify_reason).
163 deny dkim_status = fail 158 dkim_status = fail
164 message = [DKIM] invalid signature ($dkim_verify_reason).
165 159
166 # Deny messages with no signature for domains which are explicitely requiring one. 160 deny message = [DKIM] required signature is missing.
167 deny dkim_status = none 161 dkim_status = none
168 condition = ${if match \ 162 condition = ${if match \
169 {${run{/usr/bin/dig +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \ 163 {${run{/usr/bin/dig +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
170 {yes}{no}} 164 {yes}{no}}
171 message = [DKIM] required signature is missing.
172 165
173 accept 166 accept
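Review bot: In acl_mta_dkim, the `dkim_status = none` deny still queries `_domainkey.$sender_host_address`, which is the connecting IP address rather than a domain, so the policy TXT record is unlikely ever to be found and the "required signature is missing" rejection probably never fires. The comment above the ACL refers to `$sender_address_domain`, which suggests the sender domain was intended; moving `message =` first fixes the reply text but leaves this condition as it was. Consider `${lookup dnsdb{txt=_domainkey.$sender_address_domain}{$value}{}}` in place of the `${run{/usr/bin/dig …}}` call, which also avoids forking a process for each message. It is also worth confirming that the `/o=-/` pattern is meant literally, since Exim's `match` takes a bare regular expression and the slashes would then be part of the pattern.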