author | pacien | 2019-08-22 19:11:10 +0200 |
---|---|---|
committer | pacien | 2019-08-22 19:11:10 +0200 |
commit | 3858216aca1d594849ea0866d7c02d4b35c6c103 (patch) | |
tree | 6fcb722c75d73cd824595ae9b1ea363e50e6fb32 | |
parent | 71a792f0aebc12b322dfc0acbd904ac413e6ae60 (diff) | |
download | exim-3858216aca1d594849ea0866d7c02d4b35c6c103.tar.gz |
acl: move checks to early mail command acl
-rw-r--r-- | conf.d/010_main.conf | 2 | ||||
-rw-r--r-- | conf.d/020_acl.conf | 34 |
2 files changed, 20 insertions, 16 deletions
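--- a/conf.d/010_main.conf
+++ b/conf.d/010_main.conf
@@ -5,8 +5,8 @@
 # Access control lists for checking incoming messages.
 # The names of these ACLs are defined here:
 
+acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {acl_mta_mail}}
 acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
-acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}}
 acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
 acl_smtp_dkim = acl_mta_dkim
 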
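--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -10,7 +10,7 @@ begin acl
 # GENERAL CHECK ACLs #
 ######################
 
-acl_check_rcpt_introduction:
+acl_check_mail_introduction:
 require condition = ${if def:sender_helo_name}
 set acl_m_msg = HELO/EHLO command required.
 
@@ -34,7 +34,7 @@ acl_check_alias:
 
 
 # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
-acl_check_rcpt_host_policy:
+acl_check_mail_host_policy:
 # Accept all messages from trusted hosts and relays.
 # Also disable DKIM signature check as mailing list servers may alter messages.
 accept hosts = +trusted_relay_hosts
@@ -71,13 +71,20 @@ acl_check_rcpt_host_policy:
 # MUA ACLs (submission) #
 #########################
 
+acl_mua_mail:
+require acl = acl_check_mail_introduction
+message = Courtesy protocol violation: $acl_m_msg
+
+require acl = acl_check_alias $sender_address $authenticated_id
+message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
+
+accept
+
+
 acl_mua_rcpt:
 require encrypted = *
 message = Encrypted session required for message submission.
 
-require acl = acl_check_rcpt_introduction
-message = Courtesy protocol violation: $acl_m_msg
-
 require authenticated = *
 control = submission
 control = dkim_disable_verify
@@ -92,13 +99,6 @@ acl_mua_rcpt:
 accept
 
 
-acl_mua_mail:
-require acl = acl_check_alias $sender_address $authenticated_id
-message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
-
-accept
-
-
 acl_mua_data:
 require acl = acl_check_alias ${address:$h_from:} $authenticated_id
 message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
@@ -110,12 +110,16 @@ acl_mua_data:
 # MTA ACLs #
 ############
 
-acl_mta_rcpt:
-require acl = acl_check_rcpt_introduction
+acl_mta_mail:
+require acl = acl_check_mail_introduction
 message = Courtesy protocol violation: $acl_m_msg
 
-require acl = acl_check_rcpt_host_policy
+require acl = acl_check_mail_host_policy
+
+accept
 
+
+acl_mta_rcpt:
 require acl = acl_check_rcpt_syntax
 message = Syntactic validation failed: $acl_m_msg
 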
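Review bot: In the new `acl_mua_mail` (new lines 74–81) the `acl_check_alias $sender_address $authenticated_id` test runs at MAIL time, while `require encrypted = *` and `require authenticated = *` stay in `acl_mua_rcpt` (new lines 85–88), so on the submission port an unauthenticated, possibly cleartext MAIL FROM reaches the alias check with an empty `$authenticated_id` and is answered by the alias verdict rather than by an authentication requirement. That ordering predates this commit, but since its purpose is to move checks into the MAIL ACL, the TLS and authentication requirements belong there too, ahead of the alias check, so unauthenticated clients are refused with the right reason before any per-address logic runs (the copies in `acl_mua_rcpt`, with their `control =` lines, can stay). In `acl_mta_mail` the `require acl = acl_check_mail_host_policy` line (new 117) carries no `message =`, so a rejection there is reported with Exim's default text unless that sub-ACL sets one; a `message = Host policy check failed: $acl_m_msg` line would match the surrounding style, assuming the sub-ACL sets `acl_m_msg` like the others do — it lies outside these hunks. How `acl_check_alias` behaves with an empty second argument is likewise not visible here and is inferred.
```exim
acl_mua_mail:
require encrypted = *
message = Encrypted session required for message submission.

require authenticated = *
message = Authentication required for message submission.

# … unchanged: acl_check_mail_introduction and acl_check_alias requirements, accept …
```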