From 331920130ed209be03c6dbd06b90ba34a6a4817b Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 29 Mar 2017 16:15:05 +0200
Subject: Correct error message evaluation order
---
 conf.d/020_acl.conf | 89 ++++++++++++++++++++++++-----------------------------
 1 file changed, 41 insertions(+), 48 deletions(-)
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index a909910..1701a12 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -10,22 +10,18 @@ begin acl
 # GENERAL CHECK ACLs #
 ######################
-# Ensures that the remote host has introduced itself.
 acl_check_rcpt_introduction:
- # Insist that a HELO/EHLO was accepted.
- require condition = ${if def:sender_helo_name}
- set acl_m_msg = HELO/EHLO command required.
+ require set acl_m_msg = HELO/EHLO command required.
+ condition = ${if def:sender_helo_name}
 accept
-# Syntactic validation of fields.
 acl_check_rcpt_syntax:
- # Deny if the local parts is malformed.
- deny local_parts = ^[.] : ^.*[@%!/|]
- set acl_m_msg = Invalid local part.
+ deny set acl_m_msg = Invalid local part.
+ local_parts = ^[.] : ^.*[@%!/|]
 accept
@@ -36,10 +32,8 @@ acl_check_rcpt_syntax:
 acl_check_alias:
 # Accept if the alias belongs to the user.
- accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} \
- {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
+ accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
- # Deny otherwise
 deny
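Review bot: Moving `set acl_m_msg` ahead of the condition in the two deny verbs (acl_check_rcpt_syntax here, acl_mta_data in the last hunk) is not equivalent to the `message` moves elsewhere in the patch: Exim applies `set` as soon as it is reached, whereas per the Exim spec a `message` string is expanded only when the ACL terminates, so after this change acl_m_msg is overwritten with `Invalid local part.` even for addresses the deny never matches. The original order `deny local_parts = ^[.] : ^.*[@%!/|]` / `set acl_m_msg = Invalid local part.` already behaved correctly for deny, because a modifier only runs once every preceding condition is true; the reorder is only needed for the `require` in acl_check_rcpt_introduction, where a failing condition ends the verb before a later `set` is reached. The practical effect is that callers using `message = $acl_m_msg` (acl_mta_rcpt with acl_check_rcpt_host_policy, which is outside this diff) can report stale text from an earlier nested ACL if that ACL denies without writing the variable, since acl_check_rcpt_introduction now leaves `HELO/EHLO command required.` behind on every call. The removed comments `# Ensures that the remote host has introduced itself.` and `# Syntactic validation of fields.` were the only statement of these ACLs' purpose and could be kept as they were.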
@@ -83,38 +77,38 @@ acl_check_rcpt_host_policy:
 acl_mua_rcpt:
- require encrypted = *
- message = Encryption required.
+ require message = Encrypted session required for message submission.
+ encrypted = *
- require acl = acl_check_rcpt_introduction
- message = Courtesy protocol violation: $acl_m_msg
+ require message = Courtesy protocol violation: $acl_m_msg
+ acl = acl_check_rcpt_introduction
- require authenticated = *
+ require message = Authentication required for message submission.
+ authenticated = *
 control = submission
 control = dkim_disable_verify
- message = Authentication required.
- require acl = acl_check_rcpt_syntax
- message = Syntactic validation failed: $acl_m_msg
+ require message = Syntactic validation failed: $acl_m_msg
+ acl = acl_check_rcpt_syntax
- require verify = sender
- message = Sender verification failed.
+ require message = Sender verification failed.
+ verify = sender
 accept
 acl_mua_mail:
- require acl = acl_check_alias $sender_address $authenticated_id
- message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
+ require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
+ acl = acl_check_alias $sender_address $authenticated_id
 accept
 acl_mua_data:
- require acl = acl_check_alias ${address:$h_from:} $authenticated_id
- message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
+ require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
+ acl = acl_check_alias ${address:$h_from:} $authenticated_id
 accept
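Review bot: The null sender is not handled in acl_mua_mail: `acl = acl_check_alias $sender_address $authenticated_id` passes `$sender_address` bare, and for a bounce (MAIL FROM:<>) it expands to nothing, so if Exim splits the argument string on whitespace as I read the ACL documentation, `$authenticated_id` arrives as `$acl_arg1` and `$acl_arg2` is empty; the lookup then keys on the login name instead of an address and the rejection text reads `... is not authorized to use .`. If submission clients are not expected to send bounces, an explicit `deny message = Null sender not permitted for message submission.` / `senders = :` ahead of the require (the empty list item matches the null sender) would make that policy visible rather than incidental; otherwise the empty argument needs to be preserved before the alias check. The same call shape in acl_mua_data uses `${address:$h_from:}`, which is likewise empty when the From: header is missing or does not parse, so the header check has the same gap.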
@@ -125,49 +119,48 @@ acl_mua_data:
 acl_mta_rcpt:
- require acl = acl_check_rcpt_introduction
- message = Courtesy protocol violation: $acl_m_msg
+ require message = Courtesy protocol violation: $acl_m_msg
+ acl = acl_check_rcpt_introduction
- require acl = acl_check_rcpt_host_policy
- message = $acl_m_msg
+ require message = $acl_m_msg
+ acl = acl_check_rcpt_host_policy
- require acl = acl_check_rcpt_syntax
- message = Syntactic validation failed: $acl_m_msg
+ require message = Syntactic validation failed: $acl_m_msg
+ acl = acl_check_rcpt_syntax
- require verify = sender
- message = Sender verification failed.
+ require message = Sender verification failed.
+ verify = sender
- require domains = +local_domains : +relay_to_domains
- message = Unhandled destination.
+ require message = Unhandled destination.
+ domains = +local_domains : +relay_to_domains
- require verify = recipient
- message = Recipient verification failed.
+ require message = Recipient verification failed.
+ verify = recipient
 accept
 acl_mta_data:
- # Deny if the message contains an overlong line. Per the standards we should never receive one such via SMTP.
- deny condition = ${if > {$max_received_linelength}{998}}
- set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
+ deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
+ condition = ${if > {$max_received_linelength}{998}}
 accept
-# Checks the validity of each signatures in the message, and the presence of a required signature for the sender domain.
-# Global var to enable mandatory signature check: dkim_verify_signers = $sender_address_domain:$dkim_signers
+# Checks the validity of each signatures in the message,
+# and the presence of a required signature for the sender domain.
+# Global var to enable mandatory signature check:
+# dkim_verify_signers = $sender_address_domain:$dkim_signers
 acl_mta_dkim:
- # Deny messages with invalid signatures.
- deny dkim_status = fail
- message = [DKIM] invalid signature ($dkim_verify_reason).
+ deny message = [DKIM] invalid signature ($dkim_verify_reason).
+ dkim_status = fail
- # Deny messages with no signature for domains which are explicitely requiring one.
- deny dkim_status = none
+ deny message = [DKIM] required signature is missing.
+ dkim_status = none
 condition = ${if match \
 {${run{/usr/bin/dig +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
 {yes}{no}}
- message = [DKIM] required signature is missing.
 accept
--
cgit v1.2.3
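Review bot: The `required signature is missing` deny in acl_mta_dkim looks dead, and the reorder does not change that: its condition (the unchanged context lines above the final accept) runs dig against `_domainkey.$sender_host_address`, i.e. the connecting IP rather than the sender domain the surrounding comment describes, and then matches the output against `/o=-/`, which as far as I can tell Exim's `match` condition takes as a bare regex with the slashes as literal characters, so dig's `"o=-"` output can never match and the deny never fires. If the intent is the policy of the domain being verified, `{${lookup dnsdb{txt=_domainkey.$dkim_cur_signer}}}{o=-}` (or `$sender_address_domain`, whichever the `dkim_verify_signers` comment means) expresses it without forking an external process per message. With the new line order `dkim_status = none` is evaluated before the condition, so the DNS query is at least only issued for unsigned mail, which is the right place for it. The old comment `# Deny messages with no signature for domains which are explicitely requiring one.` is the only explanation of the `o=-` probe and is worth keeping (with the spelling fixed) above the new `deny`.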