From 3858216aca1d594849ea0866d7c02d4b35c6c103 Mon Sep 17 00:00:00 2001
From: pacien
Date: Thu, 22 Aug 2019 19:11:10 +0200
Subject: acl: move checks to early mail command acl

---
 conf.d/010_main.conf | 2 +-
 conf.d/020_acl.conf | 34 +++++++++++++++++++---------------
 2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf
index 5ad88ab..1a6d876 100644
--- a/conf.d/010_main.conf
+++ b/conf.d/010_main.conf
@@ -5,8 +5,8 @@
 # Access control lists for checking incoming messages.
 # The names of these ACLs are defined here:
+acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {acl_mta_mail}}
 acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
-acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}}
 acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
 acl_smtp_dkim = acl_mta_dkim

diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index c048b7d..9ad677b 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -10,7 +10,7 @@ begin acl
 # GENERAL CHECK ACLs #
 ######################
-acl_check_rcpt_introduction:
+acl_check_mail_introduction:
 require condition = ${if def:sender_helo_name}
 set acl_m_msg = HELO/EHLO command required.
@@ -34,7 +34,7 @@ acl_check_alias:
 # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
-acl_check_rcpt_host_policy:
+acl_check_mail_host_policy:
 # Accept all messages from trusted hosts and relays.
 # Also disable DKIM signature check as mailing list servers may alter messages.
 accept hosts = +trusted_relay_hosts
@@ -71,13 +71,20 @@ acl_check_rcpt_host_policy:
 # MUA ACLs (submission) #
 #########################
+acl_mua_mail:
+ require acl = acl_check_mail_introduction
+ message = Courtesy protocol violation: $acl_m_msg
+
+ require acl = acl_check_alias $sender_address $authenticated_id
+ message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
+
+ accept
+
+
 acl_mua_rcpt:
 require encrypted = *
 message = Encrypted session required for message submission.
- require acl = acl_check_rcpt_introduction
- message = Courtesy protocol violation: $acl_m_msg
-
 require authenticated = *
 control = submission
 control = dkim_disable_verify
@@ -92,13 +99,6 @@ acl_mua_rcpt:
 accept
-acl_mua_mail:
- require acl = acl_check_alias $sender_address $authenticated_id
- message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
-
- accept
-
-
 acl_mua_data:
 require acl = acl_check_alias ${address:$h_from:} $authenticated_id
 message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
@@ -110,12 +110,16 @@ acl_mua_data:
 # MTA ACLs #
 ############
-acl_mta_rcpt:
- require acl = acl_check_rcpt_introduction
+acl_mta_mail:
+ require acl = acl_check_mail_introduction
 message = Courtesy protocol violation: $acl_m_msg
- require acl = acl_check_rcpt_host_policy
+ require acl = acl_check_mail_host_policy
+
+ accept
+
+acl_mta_rcpt:
 require acl = acl_check_rcpt_syntax
 message = Syntactic validation failed: $acl_m_msg
-- 
cgit v1.2.3
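Review bot: The new acl_mua_mail passes `$authenticated_id` to acl_check_alias, but the `require authenticated = *` that guarantees a non-empty id is still only in acl_mua_rcpt, which Exim runs after the MAIL ACL; an unauthenticated submission on port 587 therefore reaches the alias check with an empty `$authenticated_id`, and the result then depends on how acl_check_alias (defined outside this hunk) treats an empty second argument. The same ordering applies to `require encrypted = *`: the HELO and envelope-mismatch rejections are now emitted before the TLS requirement in acl_mua_rcpt is enforced. Placing `require encrypted = *` and `require authenticated = *` (with their existing messages) at the top of acl_mua_mail, ahead of the alias check, keeps the intended precondition explicit instead of relying on the later RCPT ACL. The rest of acl_mua_rcpt continues outside this hunk.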
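Review bot: In acl_mta_mail the line `require acl = acl_check_mail_host_policy` carries no `message =` modifier, unlike the introduction check directly above it and the syntax check in acl_mta_rcpt, so a rejection from the host-policy ACL is reported with Exim's default text unless that sub-ACL (outside this hunk) sets one itself; the removed line had the same gap, so this is a carried-over inconsistency rather than a regression. If acl_check_mail_host_policy sets `acl_m_msg` like the other checks do, `message = Host policy violation: $acl_m_msg` would make the three checks uniform; otherwise a fixed text is still preferable to the default. A one-line comment on acl_mta_mail noting that host policy (blocklists, SPF) is now decided at MAIL time rather than per recipient would also help the next reader, since the header comment for the sub-ACL is in an earlier hunk.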