Diffstat (limited to 'conf.d/020_acl.conf')
-rw-r--r-- | conf.d/020_acl.conf | 74 |
1 files changed, 39 insertions, 35 deletions
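--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -33,40 +33,6 @@ acl_check_alias:
 accept
 
 
-# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
-acl_check_mail_host_policy:
-# Accept all messages from trusted hosts and relays.
-# Also disable DKIM signature check as mailing list servers may alter messages.
-accept hosts = +trusted_relay_hosts
-control = dkim_disable_verify
-
-# Deny messages from hosts known to be bad.
-drop dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
-message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
-# Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
-accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \
---ip ${quote:$sender_host_address} \
---identity ${if def:sender_address_domain \
-{--scope mfrom --identity ${quote:$sender_address}} \
-{--scope helo --identity ${quote:$sender_helo_name}}}}}
-condition = ${if eq {$acl_m_spf}{0}{yes}{no}}
-
-# Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
-drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
-message = [SPF] $sender_host_address is not allowed to send mail from \
-${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
-Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
-{mfrom}{helo}};identity=${if def:sender_address_domain \
-{$sender_address}{$sender_helo_name}};ip=$sender_host_address
-
-# Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
-drop dnslists = pbl.spamhaus.org
-message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
-accept
-
-
 #########################
 # MUA ACLs (submission) #
 #########################
@@ -110,11 +76,49 @@ acl_mua_data:
 # MTA ACLs #
 ############
 
+acl_mta_connect:
+# Accept all messages from trusted hosts and relays.
+# Also disable DKIM signature check as mailing list servers may alter messages.
+accept hosts = +trusted_relay_hosts
+control = dkim_disable_verify
+
+# Deny messages from hosts known to be bad.
+drop dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
+message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+
+accept
+
+
 acl_mta_mail:
 require acl = acl_check_mail_introduction
 message = Courtesy protocol violation: $acl_m_msg
 
-require acl = acl_check_mail_host_policy
+# Accept all messages from trusted hosts and relays.
+# Also disable DKIM signature check as mailing list servers may alter messages.
+accept hosts = +trusted_relay_hosts
+control = dkim_disable_verify
+
+# Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
+# TODO: switch to builtin exim SPF support
+accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \
+--ip ${quote:$sender_host_address} \
+--identity ${if def:sender_address_domain \
+{--scope mfrom --identity ${quote:$sender_address}} \
+{--scope helo --identity ${quote:$sender_helo_name}}}}}
+condition = ${if eq {$acl_m_spf}{0}{yes}{no}}
+
+# Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
+# TODO: switch to builtin exim SPF support
+drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
+message = [SPF] $sender_host_address is not allowed to send mail from \
+${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+{mfrom}{helo}};identity=${if def:sender_address_domain \
+{$sender_address}{$sender_helo_name}};ip=$sender_host_address
+
+# Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
+drop dnslists = pbl.spamhaus.org
+message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
 
 accept
 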
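Review bot: The SPF branch now inlined into acl_mta_mail (new lines 103-117) fails open when SPF_QUERY_COMMAND cannot produce a verdict: with no result strings, `${run{...}}` expands to the command's stdout on a zero exit and to an empty string otherwise, so a tool crash or a DNS temporary error leaves `$acl_m_spf` as neither `0` nor `1`, both SPF statements fall through, and only the PBL lookup stands between the sender and the final `accept` at 123. Unless SPF_QUERY_COMMAND is documented to print 0 or 1 for every outcome, add a statement right after the `set` such as `defer condition = ${if eq {$runrc}{0}{no}{yes}}` with `message = [SPF] temporary failure while checking sender policy, please retry later` so the client gets a 4xx instead of a silent pass-through (if I read Exim's ${run} semantics right, `$runrc` is still valid in the following statement; worth confirming). The `# TODO: switch to builtin exim SPF support` comment is repeated at 102 and 111; one note above the block would do. acl_mta_mail opens at 92 and closes with the accept at 123, both inside this hunk.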