path: root/conf.d/020_acl.conf
Diffstat (limited to 'conf.d/020_acl.conf')
-rw-r--r--conf.d/020_acl.conf88
1 files changed, 38 insertions, 50 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 6d0b3e4..73a8fd3 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -11,17 +11,15 @@ begin acl
11###################### 11######################
12 12
13acl_check_rcpt_introduction: 13acl_check_rcpt_introduction:
14 14 require condition = ${if def:sender_helo_name}
15 require set acl_m_msg = HELO/EHLO command required. 15 set acl_m_msg = HELO/EHLO command required.
16 condition = ${if def:sender_helo_name}
17 16
18 accept 17 accept
19 18
20 19
21acl_check_rcpt_syntax: 20acl_check_rcpt_syntax:
22 21 deny local_parts = ^[.] : ^.*[@%!/|]
23 deny set acl_m_msg = Invalid local part. 22 set acl_m_msg = Invalid local part.
24 local_parts = ^[.] : ^.*[@%!/|]
25 23
26 accept 24 accept
27 25
@@ -30,16 +28,13 @@ acl_check_rcpt_syntax:
30# $acl_arg1: alias to check 28# $acl_arg1: alias to check
31# $acl_arg2: user 29# $acl_arg2: user
32acl_check_alias: 30acl_check_alias:
31 require condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
33 32
34 # Accept if the alias belongs to the user. 33 accept
35 accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
36
37 deny
38 34
39 35
40# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy. 36# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
41acl_check_rcpt_host_policy: 37acl_check_rcpt_host_policy:
42
43 # Accept all messages from trusted hosts and relays. 38 # Accept all messages from trusted hosts and relays.
44 # Also disable DKIM signature check as mailing list servers may alter messages. 39 # Also disable DKIM signature check as mailing list servers may alter messages.
45 accept hosts = +trusted_relay_hosts 40 accept hosts = +trusted_relay_hosts
@@ -69,7 +64,6 @@ acl_check_rcpt_host_policy:
69 deny dnslists = pbl.spamhaus.org 64 deny dnslists = pbl.spamhaus.org
70 set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text 65 set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
71 66
72 # Accept otherwise
73 accept 67 accept
74 68
75 69
@@ -78,39 +72,36 @@ acl_check_rcpt_host_policy:
78######################### 72#########################
79 73
80acl_mua_rcpt: 74acl_mua_rcpt:
75 require encrypted = *
76 message = Encrypted session required for message submission.
81 77
82 require message = Encrypted session required for message submission. 78 require acl = acl_check_rcpt_introduction
83 encrypted = * 79 message = Courtesy protocol violation: $acl_m_msg
84
85 require message = Courtesy protocol violation: $acl_m_msg
86 acl = acl_check_rcpt_introduction
87 80
88 require message = Authentication required for message submission. 81 require authenticated = *
89 authenticated = *
90 control = submission 82 control = submission
91 control = dkim_disable_verify 83 control = dkim_disable_verify
84 message = Authentication required for message submission.
92 85
93 require message = Syntactic validation failed: $acl_m_msg 86 require acl = acl_check_rcpt_syntax
94 acl = acl_check_rcpt_syntax 87 message = Syntactic validation failed: $acl_m_msg
95 88
96 require message = Sender verification failed. 89 require verify = sender
97 verify = sender 90 message = Sender verification failed.
98 91
99 accept 92 accept
100 93
101 94
102acl_mua_mail: 95acl_mua_mail:
103 96 require acl = acl_check_alias $sender_address $authenticated_id
104 require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. 97 message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
105 acl = acl_check_alias $sender_address $authenticated_id
106 98
107 accept 99 accept
108 100
109 101
110acl_mua_data: 102acl_mua_data:
111 103 require acl = acl_check_alias ${address:$h_from:} $authenticated_id
112 require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. 104 message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
113 acl = acl_check_alias ${address:$h_from:} $authenticated_id
114 105
115 accept 106 accept
116 107
@@ -120,26 +111,25 @@ acl_mua_data:
120############ 111############
121 112
122acl_mta_rcpt: 113acl_mta_rcpt:
114 require acl = acl_check_rcpt_introduction
115 message = Courtesy protocol violation: $acl_m_msg
123 116
124 require message = Courtesy protocol violation: $acl_m_msg 117 require acl = acl_check_rcpt_host_policy
125 acl = acl_check_rcpt_introduction 118 message = $acl_m_msg
126
127 require message = $acl_m_msg
128 acl = acl_check_rcpt_host_policy
129 119
130 require message = Syntactic validation failed: $acl_m_msg 120 require acl = acl_check_rcpt_syntax
131 acl = acl_check_rcpt_syntax 121 message = Syntactic validation failed: $acl_m_msg
132 122
133 require message = Sender verification failed. 123 require verify = sender
134 verify = sender 124 message = Sender verification failed.
135 125
136 accept hosts = +relay_from_hosts 126 accept hosts = +relay_from_hosts
137 127
138 require message = Unhandled destination. 128 require domains = +local_domains : +relay_to_domains
139 domains = +local_domains : +relay_to_domains 129 message = Unhandled destination.
140 130
141 require message = Recipient verification failed. 131 require verify = recipient
142 verify = recipient 132 message = Recipient verification failed.
143 133
144 accept 134 accept
145 135
@@ -151,9 +141,8 @@ SCAN_SPAM = no
151.endif 141.endif
152 142
153acl_mta_data: 143acl_mta_data:
154 144 deny condition = ${if > {$max_received_linelength}{998}}
155 deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength. 145 set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
156 condition = ${if > {$max_received_linelength}{998}}
157 146
158 warn condition = SCAN_SPAM 147 warn condition = SCAN_SPAM
159 spam = nobody:true/defer_ok 148 spam = nobody:true/defer_ok
@@ -170,14 +159,13 @@ acl_mta_data:
170# Global var to enable mandatory signature check: 159# Global var to enable mandatory signature check:
171# dkim_verify_signers = $sender_address_domain:$dkim_signers 160# dkim_verify_signers = $sender_address_domain:$dkim_signers
172acl_mta_dkim: 161acl_mta_dkim:
162 deny dkim_status = fail
163 message = [DKIM] invalid signature ($dkim_verify_reason).
173 164
174 deny message = [DKIM] invalid signature ($dkim_verify_reason). 165 deny dkim_status = none
175 dkim_status = fail
176
177 deny message = [DKIM] required signature is missing.
178 dkim_status = none
179 condition = ${if match \ 166 condition = ${if match \
180 {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \ 167 {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
181 {yes}{no}} 168 {yes}{no}}
169 message = [DKIM] required signature is missing.
182 170
183 accept 171 accept
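Review bot: Moving `message =` below the conditions in every `require` statement (new side lines 75–76, 78–79, 81–84, 86–87, 89–90, 96–97, 103–104, 114–118 and 120–126) means the custom text is never applied: Exim processes a statement's conditions and modifiers in order and stops at the first failing condition, and for `require` that failure is exactly what denies the recipient, so a `message` placed after the condition is not reached and the client receives Exim's generic rejection instead. The same applies to `set acl_m_msg = HELO/EHLO command required.` now placed after `condition = ${if def:sender_helo_name}` in acl_check_rcpt_introduction (new line 15): on the failing path the variable stays unset, so `Courtesy protocol violation: $acl_m_msg` would carry an empty reason even where it is delivered. The `deny` statements are unaffected, because that verb only fires once all its conditions are true, so modifiers after them are processed. For each `require`, keep the modifier ahead of the condition as the old side had it, e.g. `require message = Encrypted session required for message submission.` followed by `encrypted = *`.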