acl: reformat acls

author: pacien 2019-08-21 18:56:32 +0200
committer: pacien 2019-08-21 18:56:32 +0200
commit: 99c86fbcad0013c577ae020d2e65910ffbb44744 (patch)
tree: 2015d1856279108d6bec7f61986d8eb2681d4494 /conf.d
parent: 4360fa6651df3190c77ce52610f8e06db12096c5 (diff)
download: exim-99c86fbcad0013c577ae020d2e65910ffbb44744.tar.gz
1 files changed, 38 insertions, 50 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 6d0b3e4..73a8fd3 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -11,17 +11,15 @@ begin acl
 ######################
 acl_check_rcpt_introduction:
+  require  condition     = ${if def:sender_helo_name}
-  require  set acl_m_msg = HELO/EHLO command required.
+           set acl_m_msg = HELO/EHLO command required.
-           condition     = ${if def:sender_helo_name}
  accept
 acl_check_rcpt_syntax:
+  deny     local_parts   = ^[.] : ^.*[@%!/|]
-  deny     set acl_m_msg = Invalid local part.
+           set acl_m_msg = Invalid local part.
-           local_parts   = ^[.] : ^.*[@%!/|]
  accept
@@ -30,16 +28,13 @@ acl_check_rcpt_syntax:
 # $acl_arg1: alias to check
 # $acl_arg2: user
 acl_check_alias:
+  require  condition     = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
-  # Accept if the alias belongs to the user.
+  accept
-  accept   condition     = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
-  deny
 # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
 acl_check_rcpt_host_policy:
  # Accept all messages from trusted hosts and relays.
  # Also disable DKIM signature check as mailing list servers may alter messages.
  accept   hosts         = +trusted_relay_hosts
@@ -69,7 +64,6 @@ acl_check_rcpt_host_policy:
  deny     dnslists      = pbl.spamhaus.org
           set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-  # Accept otherwise
  accept
@@ -78,39 +72,36 @@ acl_check_rcpt_host_policy:
 #########################
 acl_mua_rcpt:
+  require  encrypted     = *
+           message       = Encrypted session required for message submission.
-  require  message       = Encrypted session required for message submission.
+  require  acl           = acl_check_rcpt_introduction
-           encrypted     = *
+           message       = Courtesy protocol violation: $acl_m_msg
-  require  message       = Courtesy protocol violation: $acl_m_msg
-           acl           = acl_check_rcpt_introduction
-  require  message       = Authentication required for message submission.
+  require  authenticated = *
-           authenticated = *
           control       = submission
           control       = dkim_disable_verify
+           message       = Authentication required for message submission.
-  require  message       = Syntactic validation failed: $acl_m_msg
+  require  acl           = acl_check_rcpt_syntax
-           acl           = acl_check_rcpt_syntax
+           message       = Syntactic validation failed: $acl_m_msg
-  require  message       = Sender verification failed.
+  require  verify        = sender
-           verify        = sender
+           message       = Sender verification failed.
  accept
 acl_mua_mail:
+  require  acl           = acl_check_alias $sender_address $authenticated_id
-  require  message       = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
+           message       = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
-           acl           = acl_check_alias $sender_address $authenticated_id
  accept
 acl_mua_data:
+  require  acl           = acl_check_alias ${address:$h_from:} $authenticated_id
-  require  message       = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
+           message       = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
-           acl           = acl_check_alias ${address:$h_from:} $authenticated_id
  accept
@@ -120,26 +111,25 @@ acl_mua_data:
 ############
 acl_mta_rcpt:
+  require  acl           = acl_check_rcpt_introduction
+           message       = Courtesy protocol violation: $acl_m_msg
-  require  message       = Courtesy protocol violation: $acl_m_msg
+  require  acl           = acl_check_rcpt_host_policy
-           acl           = acl_check_rcpt_introduction
+           message       = $acl_m_msg
-  require  message       = $acl_m_msg
-           acl           = acl_check_rcpt_host_policy
-  require  message       = Syntactic validation failed: $acl_m_msg
+  require  acl           = acl_check_rcpt_syntax
-           acl           = acl_check_rcpt_syntax
+           message       = Syntactic validation failed: $acl_m_msg
-  require  message       = Sender verification failed.
+  require  verify        = sender
-           verify        = sender
+           message       = Sender verification failed.
  accept   hosts         = +relay_from_hosts
-  require  message       = Unhandled destination.
+  require  domains       = +local_domains : +relay_to_domains
-           domains       = +local_domains : +relay_to_domains
+           message       = Unhandled destination.
-  require  message       = Recipient verification failed.
+  require  verify        = recipient
-           verify        = recipient
+           message       = Recipient verification failed.
  accept
@@ -151,9 +141,8 @@ SCAN_SPAM = no
 .endif
 acl_mta_data:
+  deny     condition     = ${if > {$max_received_linelength}{998}}
-  deny     set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
+           set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
-           condition     = ${if > {$max_received_linelength}{998}}
  warn     condition     = SCAN_SPAM
           spam          = nobody:true/defer_ok
@@ -170,14 +159,13 @@ acl_mta_data:
 # Global var to enable mandatory signature check:
 #   dkim_verify_signers = $sender_address_domain:$dkim_signers
 acl_mta_dkim:
+  deny     dkim_status   = fail
+           message       = [DKIM] invalid signature ($dkim_verify_reason).
-  deny     message       = [DKIM] invalid signature ($dkim_verify_reason).
+  deny     dkim_status   = none
-           dkim_status   = fail
-  deny     message       = [DKIM] required signature is missing.
-           dkim_status   = none
           condition     = ${if match \
                             {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
                             {yes}{no}}
+           message       = [DKIM] required signature is missing.
  accept
author	pacien	2019-08-21 18:56:32 +0200
committer	pacien	2019-08-21 18:56:32 +0200
commit	99c86fbcad0013c577ae020d2e65910ffbb44744 (patch)
tree	2015d1856279108d6bec7f61986d8eb2681d4494 /conf.d
parent	4360fa6651df3190c77ce52610f8e06db12096c5 (diff)
download	exim-99c86fbcad0013c577ae020d2e65910ffbb44744.tar.gz

diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index 6d0b3e4..73a8fd3 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf
@@ -11,17 +11,15 @@ begin acl
11	######################	11	######################
12		12
13	acl_check_rcpt_introduction:	13	acl_check_rcpt_introduction:
14		14	require condition = ${if def:sender_helo_name}
15	require set acl_m_msg = HELO/EHLO command required.	15	set acl_m_msg = HELO/EHLO command required.
16	condition = ${if def:sender_helo_name}
17		16
18	accept	17	accept
19		18
20		19
21	acl_check_rcpt_syntax:	20	acl_check_rcpt_syntax:
22		21	deny local_parts = ^[.] : ^.*[@%!/\|]
23	deny set acl_m_msg = Invalid local part.	22	set acl_m_msg = Invalid local part.
24	local_parts = ^[.] : ^.*[@%!/\|]
25		23
26	accept	24	accept
27		25
@@ -30,16 +28,13 @@ acl_check_rcpt_syntax:
30	# $acl_arg1: alias to check	28	# $acl_arg1: alias to check
31	# $acl_arg2: user	29	# $acl_arg2: user
32	acl_check_alias:	30	acl_check_alias:
		31	require condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
33		32
34	# Accept if the alias belongs to the user.	33	accept
35	accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
36
37	deny
38		34
39		35
40	# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.	36	# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
41	acl_check_rcpt_host_policy:	37	acl_check_rcpt_host_policy:
42
43	# Accept all messages from trusted hosts and relays.	38	# Accept all messages from trusted hosts and relays.
44	# Also disable DKIM signature check as mailing list servers may alter messages.	39	# Also disable DKIM signature check as mailing list servers may alter messages.
45	accept hosts = +trusted_relay_hosts	40	accept hosts = +trusted_relay_hosts
@@ -69,7 +64,6 @@ acl_check_rcpt_host_policy:
69	deny dnslists = pbl.spamhaus.org	64	deny dnslists = pbl.spamhaus.org
70	set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text	65	set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
71		66
72	# Accept otherwise
73	accept	67	accept
74		68
75		69
@@ -78,39 +72,36 @@ acl_check_rcpt_host_policy:
78	#########################	72	#########################
79		73
80	acl_mua_rcpt:	74	acl_mua_rcpt:
		75	require encrypted = *
		76	message = Encrypted session required for message submission.
81		77
82	require message = Encrypted session required for message submission.	78	require acl = acl_check_rcpt_introduction
83	encrypted = *	79	message = Courtesy protocol violation: $acl_m_msg
84
85	require message = Courtesy protocol violation: $acl_m_msg
86	acl = acl_check_rcpt_introduction
87		80
88	require message = Authentication required for message submission.	81	require authenticated = *
89	authenticated = *
90	control = submission	82	control = submission
91	control = dkim_disable_verify	83	control = dkim_disable_verify
		84	message = Authentication required for message submission.
92		85
93	require message = Syntactic validation failed: $acl_m_msg	86	require acl = acl_check_rcpt_syntax
94	acl = acl_check_rcpt_syntax	87	message = Syntactic validation failed: $acl_m_msg
95		88
96	require message = Sender verification failed.	89	require verify = sender
97	verify = sender	90	message = Sender verification failed.
98		91
99	accept	92	accept
100		93
101		94
102	acl_mua_mail:	95	acl_mua_mail:
103		96	require acl = acl_check_alias $sender_address $authenticated_id
104	require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.	97	message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
105	acl = acl_check_alias $sender_address $authenticated_id
106		98
107	accept	99	accept
108		100
109		101
110	acl_mua_data:	102	acl_mua_data:
111		103	require acl = acl_check_alias ${address:$h_from:} $authenticated_id
112	require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.	104	message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
113	acl = acl_check_alias ${address:$h_from:} $authenticated_id
114		105
115	accept	106	accept
116		107
@@ -120,26 +111,25 @@ acl_mua_data:
120	############	111	############
121		112
122	acl_mta_rcpt:	113	acl_mta_rcpt:
		114	require acl = acl_check_rcpt_introduction
		115	message = Courtesy protocol violation: $acl_m_msg
123		116
124	require message = Courtesy protocol violation: $acl_m_msg	117	require acl = acl_check_rcpt_host_policy
125	acl = acl_check_rcpt_introduction	118	message = $acl_m_msg
126
127	require message = $acl_m_msg
128	acl = acl_check_rcpt_host_policy
129		119
130	require message = Syntactic validation failed: $acl_m_msg	120	require acl = acl_check_rcpt_syntax
131	acl = acl_check_rcpt_syntax	121	message = Syntactic validation failed: $acl_m_msg
132		122
133	require message = Sender verification failed.	123	require verify = sender
134	verify = sender	124	message = Sender verification failed.
135		125
136	accept hosts = +relay_from_hosts	126	accept hosts = +relay_from_hosts
137		127
138	require message = Unhandled destination.	128	require domains = +local_domains : +relay_to_domains
139	domains = +local_domains : +relay_to_domains	129	message = Unhandled destination.
140		130
141	require message = Recipient verification failed.	131	require verify = recipient
142	verify = recipient	132	message = Recipient verification failed.
143		133
144	accept	134	accept
145		135
@@ -151,9 +141,8 @@ SCAN_SPAM = no
151	.endif	141	.endif
152		142
153	acl_mta_data:	143	acl_mta_data:
154		144	deny condition = ${if > {$max_received_linelength}{998}}
155	deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.	145	set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
156	condition = ${if > {$max_received_linelength}{998}}
157		146
158	warn condition = SCAN_SPAM	147	warn condition = SCAN_SPAM
159	spam = nobody:true/defer_ok	148	spam = nobody:true/defer_ok
@@ -170,14 +159,13 @@ acl_mta_data:
170	# Global var to enable mandatory signature check:	159	# Global var to enable mandatory signature check:
171	# dkim_verify_signers = $sender_address_domain:$dkim_signers	160	# dkim_verify_signers = $sender_address_domain:$dkim_signers
172	acl_mta_dkim:	161	acl_mta_dkim:
		162	deny dkim_status = fail
		163	message = [DKIM] invalid signature ($dkim_verify_reason).
173		164
174	deny message = [DKIM] invalid signature ($dkim_verify_reason).	165	deny dkim_status = none
175	dkim_status = fail
176
177	deny message = [DKIM] required signature is missing.
178	dkim_status = none
179	condition = ${if match \	166	condition = ${if match \
180	{${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \	167	{${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
181	{yes}{no}}	168	{yes}{no}}
		169	message = [DKIM] required signature is missing.
182		170
183	accept	171	accept