From 07778fd0d6106b91d7232be050ec0bd68bd5d6ce Mon Sep 17 00:00:00 2001
From: pacien
Date: Fri, 23 Aug 2019 00:40:11 +0200
Subject: acl: move host verification in connect acl

---
 conf.d/010_main.conf |  1 +
 conf.d/020_acl.conf  | 74 +++++++++++++++++++++++++++-------------------------
 2 files changed, 40 insertions(+), 35 deletions(-)

diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf
index 1a6d876..d2d1926 100644
--- a/conf.d/010_main.conf
+++ b/conf.d/010_main.conf
@@ -5,6 +5,7 @@
 # Access control lists for checking incoming messages.
 # The names of these ACLs are defined here:
 
+acl_smtp_connect = ${if ={587}{$interface_port} {accept} {acl_mta_connect}}
 acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {acl_mta_mail}}
 acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
 acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 9ad677b..d8668fb 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -33,40 +33,6 @@ acl_check_alias:
   accept
 
 
-# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
-acl_check_mail_host_policy:
-  # Accept all messages from trusted hosts and relays.
-  # Also disable DKIM signature check as mailing list servers may alter messages.
-  accept   hosts         = +trusted_relay_hosts
-           control       = dkim_disable_verify
-
-  # Deny messages from hosts known to be bad.
-  drop     dnslists      = sbl-xbl.spamhaus.org : bl.spamcop.net
-           message       = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
-  # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
-  accept   set acl_m_spf = ${run{SPF_QUERY_COMMAND \
-                             --ip ${quote:$sender_host_address} \
-                             --identity ${if def:sender_address_domain \
-                               {--scope mfrom --identity ${quote:$sender_address}} \
-                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
-           condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}
-
-  # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
-  drop     condition     = ${if eq {$acl_m_spf}{1}{yes}{no}}
-           message       = [SPF] $sender_host_address is not allowed to send mail from \
-                           ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
-                           Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
-                             {mfrom}{helo}};identity=${if def:sender_address_domain \
-                             {$sender_address}{$sender_helo_name}};ip=$sender_host_address
-
-  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
-  drop     dnslists      = pbl.spamhaus.org
-           message       = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
-  accept
-
-
 #########################
 # MUA ACLs (submission) #
 #########################
@@ -110,11 +76,49 @@ acl_mua_data:
 # MTA ACLs #
 ############
 
+acl_mta_connect:
+  # Accept all messages from trusted hosts and relays.
+  # Also disable DKIM signature check as mailing list servers may alter messages.
+  accept   hosts         = +trusted_relay_hosts
+           control       = dkim_disable_verify
+
+  # Deny messages from hosts known to be bad.
+  drop     dnslists      = sbl-xbl.spamhaus.org : bl.spamcop.net
+           message       = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+
+  accept
+
+
 acl_mta_mail:
   require  acl           = acl_check_mail_introduction
            message       = Courtesy protocol violation: $acl_m_msg
 
-  require  acl           = acl_check_mail_host_policy
+  # Accept all messages from trusted hosts and relays.
+  # Also disable DKIM signature check as mailing list servers may alter messages.
+  accept   hosts         = +trusted_relay_hosts
+           control       = dkim_disable_verify
+
+  # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
+  # TODO: switch to builtin exim SPF support
+  accept   set acl_m_spf = ${run{SPF_QUERY_COMMAND \
+                             --ip ${quote:$sender_host_address} \
+                             --identity ${if def:sender_address_domain \
+                               {--scope mfrom --identity ${quote:$sender_address}} \
+                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
+           condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}
+
+  # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
+  # TODO: switch to builtin exim SPF support
+  drop     condition     = ${if eq {$acl_m_spf}{1}{yes}{no}}
+           message       = [SPF] $sender_host_address is not allowed to send mail from \
+                           ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+                           Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+                             {mfrom}{helo}};identity=${if def:sender_address_domain \
+                             {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+
+  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
+  drop     dnslists      = pbl.spamhaus.org
+           message       = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
 
   accept
 
-- 
cgit v1.2.3