From 99c86fbcad0013c577ae020d2e65910ffbb44744 Mon Sep 17 00:00:00 2001
From: pacien
Date: Wed, 21 Aug 2019 18:56:32 +0200
Subject: acl: reformat acls

---
 conf.d/020_acl.conf | 88 +++++++++++++++++++++++------------------------------
 1 file changed, 38 insertions(+), 50 deletions(-)

diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 6d0b3e4..73a8fd3 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -11,17 +11,15 @@ begin acl
 ######################
 acl_check_rcpt_introduction:
-
- require set acl_m_msg = HELO/EHLO command required.
- condition = ${if def:sender_helo_name}
+ require condition = ${if def:sender_helo_name}
+ set acl_m_msg = HELO/EHLO command required.
 accept
 acl_check_rcpt_syntax:
-
- deny set acl_m_msg = Invalid local part.
- local_parts = ^[.] : ^.*[@%!/|]
+ deny local_parts = ^[.] : ^.*[@%!/|]
+ set acl_m_msg = Invalid local part.
 accept
@@ -30,16 +28,13 @@ acl_check_rcpt_syntax:
 # $acl_arg1: alias to check
 # $acl_arg2: user
 acl_check_alias:
+ require condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
- # Accept if the alias belongs to the user.
- accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
-
- deny
+ accept
 # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
 acl_check_rcpt_host_policy:
-
 # Accept all messages from trusted hosts and relays.
 # Also disable DKIM signature check as mailing list servers may alter messages.
 accept hosts = +trusted_relay_hosts
@@ -69,7 +64,6 @@ acl_check_rcpt_host_policy:
 deny dnslists = pbl.spamhaus.org
 set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
- # Accept otherwise
 accept
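Review bot: Moving `set acl_m_msg` after `condition` in `acl_check_rcpt_introduction` changes what the caller sees: if I read Exim's ACL processing rules correctly, modifiers that follow a failing condition are not processed, so when `${if def:sender_helo_name}` is false the variable is never set and the caller's `Courtesy protocol violation: $acl_m_msg` text comes back empty. The same ordering question applies to every `require` statement in the later hunks (acl_mua_rcpt, acl_mua_mail, acl_mua_data, acl_mta_rcpt) where `message =` now follows the condition: on denial the custom text is presumably skipped and the client gets Exim's generic rejection text, which also makes rejections harder to correlate in the logs. The `deny` statements are unaffected, since their modifiers only matter when every condition is true. Keeping the modifier first for `require`, e.g. `require set acl_m_msg = HELO/EHLO command required.` / `condition = ${if def:sender_helo_name}`, preserves the old behaviour; a test session without HELO would confirm which text is actually returned.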
@@ -78,39 +72,36 @@ acl_check_rcpt_host_policy:
 #########################
 acl_mua_rcpt:
+ require encrypted = *
+ message = Encrypted session required for message submission.
- require message = Encrypted session required for message submission.
- encrypted = *
-
- require message = Courtesy protocol violation: $acl_m_msg
- acl = acl_check_rcpt_introduction
+ require acl = acl_check_rcpt_introduction
+ message = Courtesy protocol violation: $acl_m_msg
- require message = Authentication required for message submission.
- authenticated = *
+ require authenticated = *
 control = submission
 control = dkim_disable_verify
+ message = Authentication required for message submission.
- require message = Syntactic validation failed: $acl_m_msg
- acl = acl_check_rcpt_syntax
+ require acl = acl_check_rcpt_syntax
+ message = Syntactic validation failed: $acl_m_msg
- require message = Sender verification failed.
- verify = sender
+ require verify = sender
+ message = Sender verification failed.
 accept
 acl_mua_mail:
-
- require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
- acl = acl_check_alias $sender_address $authenticated_id
+ require acl = acl_check_alias $sender_address $authenticated_id
+ message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
 accept
 acl_mua_data:
-
- require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
- acl = acl_check_alias ${address:$h_from:} $authenticated_id
+ require acl = acl_check_alias ${address:$h_from:} $authenticated_id
+ message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
 accept
@@ -120,26 +111,25 @@ acl_mua_data:
 ############
 acl_mta_rcpt:
+ require acl = acl_check_rcpt_introduction
+ message = Courtesy protocol violation: $acl_m_msg
- require message = Courtesy protocol violation: $acl_m_msg
- acl = acl_check_rcpt_introduction
-
- require message = $acl_m_msg
- acl = acl_check_rcpt_host_policy
+ require acl = acl_check_rcpt_host_policy
+ message = $acl_m_msg
- require message = Syntactic validation failed: $acl_m_msg
- acl = acl_check_rcpt_syntax
+ require acl = acl_check_rcpt_syntax
+ message = Syntactic validation failed: $acl_m_msg
- require message = Sender verification failed.
- verify = sender
+ require verify = sender
+ message = Sender verification failed.
 accept hosts = +relay_from_hosts
- require message = Unhandled destination.
- domains = +local_domains : +relay_to_domains
+ require domains = +local_domains : +relay_to_domains
+ message = Unhandled destination.
- require message = Recipient verification failed.
- verify = recipient
+ require verify = recipient
+ message = Recipient verification failed.
 accept
@@ -151,9 +141,8 @@ SCAN_SPAM = no
 .endif
 acl_mta_data:
-
- deny set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
- condition = ${if > {$max_received_linelength}{998}}
+ deny condition = ${if > {$max_received_linelength}{998}}
+ set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
 warn condition = SCAN_SPAM
 spam = nobody:true/defer_ok
@@ -170,14 +159,13 @@ acl_mta_data:
 # Global var to enable mandatory signature check:
 # dkim_verify_signers = $sender_address_domain:$dkim_signers
 acl_mta_dkim:
+ deny dkim_status = fail
+ message = [DKIM] invalid signature ($dkim_verify_reason).
- deny message = [DKIM] invalid signature ($dkim_verify_reason).
- dkim_status = fail
-
- deny message = [DKIM] required signature is missing.
- dkim_status = none
+ deny dkim_status = none
 condition = ${if match \
 {${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$sender_host_address}}}}{/o=-/} \
 {yes}{no}}
+ message = [DKIM] required signature is missing.
 accept
--
cgit v1.2.3
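Review bot: The unchanged `condition` on the `deny dkim_status = none` statement queries `_domainkey.$sender_host_address`, i.e. a TXT record under the sending host's IP address; a signing-policy record is normally published under a domain name, so this lookup presumably never yields `o=-` and the `[DKIM] required signature is missing` denial is never applied. If the intent is the sender domain's policy, `$sender_address_domain` (already named in the comment above the ACL) is likely the variable wanted — worth confirming while this statement is being reshaped. The reorder itself is harmless for a `deny`: `message =` now follows the conditions, so it is processed exactly in the case where every condition is true and the denial is issued.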