Diffstat (limited to 'conf.d/020_acl.conf')
-rw-r--r-- | conf.d/020_acl.conf | 88 |
1 files changed, 38 insertions, 50 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index 6d0b3e4..73a8fd3 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf | |||
@@ -11,17 +11,15 @@ begin acl | |||
11 | ###################### | 11 | ###################### |
12 | 12 | ||
13 | acl_check_rcpt_introduction: | 13 | acl_check_rcpt_introduction: |
14 | 14 | require condition = ${if def:sender_helo_name} | |
15 | require set acl_m_msg = HELO/EHLO command required. | 15 | set acl_m_msg = HELO/EHLO command required. |
16 | condition = ${if def:sender_helo_name} | ||
17 | 16 | ||
18 | accept | 17 | accept |
19 | 18 | ||
20 | 19 | ||
21 | acl_check_rcpt_syntax: | 20 | acl_check_rcpt_syntax: |
22 | 21 | deny local_parts = ^[.] : ^.*[@%!/|] | |
23 | deny set acl_m_msg = Invalid local part. | 22 | set acl_m_msg = Invalid local part. |
24 | local_parts = ^[.] : ^.*[@%!/|] | ||
25 | 23 | ||
26 | accept | 24 | accept |
27 | 25 | ||
@@ -30,16 +28,13 @@ acl_check_rcpt_syntax: | |||
30 | # $acl_arg1: alias to check | 28 | # $acl_arg1: alias to check |
31 | # $acl_arg2: user | 29 | # $acl_arg2: user |
32 | acl_check_alias: | 30 | acl_check_alias: |
31 | require condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}} | ||
33 | 32 | ||
34 | # Accept if the alias belongs to the user. | 33 | accept |
35 | accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}} | ||
36 | |||
37 | deny | ||
38 | 34 | ||
39 | 35 | ||
40 | # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy. | 36 | # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy. |
41 | acl_check_rcpt_host_policy: | 37 | acl_check_rcpt_host_policy: |
42 | |||
43 | # Accept all messages from trusted hosts and relays. | 38 | # Accept all messages from trusted hosts and relays. |
44 | # Also disable DKIM signature check as mailing list servers may alter messages. | 39 | # Also disable DKIM signature check as mailing list servers may alter messages. |
45 | accept hosts = +trusted_relay_hosts | 40 | accept hosts = +trusted_relay_hosts |
@@ -69,7 +64,6 @@ acl_check_rcpt_host_policy: | |||
69 | deny dnslists = pbl.spamhaus.org | 64 | deny dnslists = pbl.spamhaus.org |
70 | set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | 65 | set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text |
71 | 66 | ||
72 | # Accept otherwise | ||
73 | accept | 67 | accept |
74 | 68 | ||
75 | 69 | ||
@@ -78,39 +72,36 @@ acl_check_rcpt_host_policy: | |||
78 | ######################### | 72 | ######################### |
79 | 73 | ||
80 | acl_mua_rcpt: | 74 | acl_mua_rcpt: |
75 | require encrypted = * | ||
76 | message = Encrypted session required for message submission. | ||
81 | 77 | ||
82 | require message = Encrypted session required for message submission. | 78 | require acl = acl_check_rcpt_introduction |
83 | encrypted = * | 79 | message = Courtesy protocol violation: $acl_m_msg |
84 | |||
85 | require message = Courtesy protocol violation: $acl_m_msg | ||
86 | acl = acl_check_rcpt_introduction | ||
87 | 80 | ||
88 | require message = Authentication required for message submission. | 81 | require authenticated = * |
89 | authenticated = * | ||
90 | control = submission | 82 | control = submission |
91 | control = dkim_disable_verify | 83 | control = dkim_disable_verify |
84 | message = Authentication required for message submission. | ||
92 | 85 | ||
93 | require message = Syntactic validation failed: $acl_m_msg | 86 | require acl = acl_check_rcpt_syntax |
94 | acl = acl_check_rcpt_syntax | 87 | message = Syntactic validation failed: $acl_m_msg |
95 | 88 | ||
96 | require message = Sender verification failed. | 89 | require verify = sender |
97 | verify = sender | 90 | message = Sender verification failed. |
98 | 91 | ||
99 | accept | 92 | accept |
100 | 93 | ||
101 | 94 | ||
102 | acl_mua_mail: | 95 | acl_mua_mail: |
103 | 96 | require acl = acl_check_alias $sender_address $authenticated_id | |
104 | require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. | 97 | message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. |
105 | acl = acl_check_alias $sender_address $authenticated_id | ||
106 | 98 | ||
107 | accept | 99 | accept |
108 | 100 | ||
109 | 101 | ||
110 | acl_mua_data: | 102 | acl_mua_data: |
111 | 103 | require acl = acl_check_alias ${address:$h_from:} $authenticated_id | |
112 | require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. | 104 | message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. |
113 | acl = acl_check_alias ${address:$h_from:} $authenticated_id | ||
114 | 105 | ||
115 | accept | 106 | accept |
116 | 107 | ||
@@ -120,26 +111,25 @@ acl_mua_data: | |||
120 | ############ | 111 | ############ |
121 | 112 | ||
122 | acl_mta_rcpt: | 113 | acl_mta_rcpt: |
114 | require acl = acl_check_rcpt_introduction | ||
115 | message = Courtesy protocol violation: $acl_m_msg | ||
123 | 116 | ||
124 | require message = Courtesy protocol violation: $acl_m_msg | 117 | require acl = acl_check_rcpt_host_policy |
125 | acl = acl_check_rcpt_introduction | 118 | message = $acl_m_msg |
126 | |||
127 | require message = $acl_m_msg | ||
128 | acl = acl_check_rcpt_host_policy | ||
129 | 119 | ||
130 | require message = Syntactic validation failed: $acl_m_msg | 120 | require acl = acl_check_rcpt_syntax |
131 | acl = acl_check_rcpt_syntax | 121 | message = Syntactic validation failed: $acl_m_msg |
132 | 122 | ||
133 | require message = Sender verification failed. | 123 | require verify = sender |
134 | verify = sender | 124 | message = Sender verification failed. |
135 | 125 | ||
136 | accept hosts = +relay_from_hosts | 126 | accept hosts = +relay_from_hosts |
137 | 127 | ||
138 | require message = Unhandled destination. | 128 | require domains = +local_domains : +relay_to_domains |
139 | domains = +local_domains : +relay_to_domains | 129 | message = Unhandled destination. |
140 | 130 | ||
141 | require message = Recipient verification failed. | 131 | require verify = recipient |
142 | verify = recipient | 132 | message = Recipient verification failed. |
143 | 133 | ||
144 | accept | 134 | accept |
145 | 135 | ||
@@ -151,9 +141,8 @@ SCAN_SPAM = no | |||
151 | .endif | 141 | .endif |
152 | 142 | ||
153 | acl_mta_data: | 143 | acl_mta_data: |
154 | 144 | deny condition = ${if > {$max_received_linelength}{998}} | |
155 | deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength. | 145 | set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength. |
156 | condition = ${if > {$max_received_linelength}{998}} | ||
157 | 146 | ||
158 | warn condition = SCAN_SPAM | 147 | warn condition = SCAN_SPAM |
159 | spam = nobody:true/defer_ok | 148 | spam = nobody:true/defer_ok |
@@ -170,14 +159,13 @@ acl_mta_data: | |||
170 | # Global var to enable mandatory signature check: | 159 | # Global var to enable mandatory signature check: |
171 | # dkim_verify_signers = $sender_address_domain:$dkim_signers | 160 | # dkim_verify_signers = $sender_address_domain:$dkim_signers |
172 | acl_mta_dkim: | 161 | acl_mta_dkim: |
162 | deny dkim_status = fail | ||
163 | message = [DKIM] invalid signature ($dkim_verify_reason). | ||
173 | 164 | ||
174 | deny message = [DKIM] invalid signature ($dkim_verify_reason). | 165 | deny dkim_status = none |
175 | dkim_status = fail | ||
176 | |||
177 | deny message = [DKIM] required signature is missing. | ||
178 | dkim_status = none | ||
179 | condition = ${if match \ | 166 | condition = ${if match \ |
180 | {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \ | 167 | {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \ |
181 | {yes}{no}} | 168 | {yes}{no}} |
169 | message = [DKIM] required signature is missing. | ||
182 | 170 | ||
183 | accept | 171 | accept |
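Review bot: In every `require` statement on the new side (acl_mua_rcpt, acl_mua_mail, acl_mua_data, acl_mta_rcpt) the `message =` modifier now comes after the condition it describes, and the same holds for `set acl_m_msg =` in acl_check_rcpt_introduction. The Exim specification says processing of a verb stops as soon as its outcome is known and only modifiers already encountered are used. So when `encrypted = *`, `authenticated = *`, `verify = sender` or an `acl =` call fails, the custom text is never reached and the client gets the generic rejection; `$acl_m_msg` is also left unset when the HELO check fails. The `deny` statements are unaffected, because all their conditions must be true before rejection and a trailing `message`/`set` is still processed. For `require`, keep the modifier ahead of its condition, e.g. `require message = Encrypted session required for message submission.` followed by `encrypted = *`.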