From 07778fd0d6106b91d7232be050ec0bd68bd5d6ce Mon Sep 17 00:00:00 2001
From: pacien
Date: Fri, 23 Aug 2019 00:40:11 +0200
Subject: acl: move host verification in connect acl
---
 conf.d/010_main.conf | 1 +
 conf.d/020_acl.conf | 74 +++++++++++++++++++++++++++-------------------------
 2 files changed, 40 insertions(+), 35 deletions(-)
(limited to 'conf.d')
diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf
index 1a6d876..d2d1926 100644
--- a/conf.d/010_main.conf
+++ b/conf.d/010_main.conf
@@ -5,6 +5,7 @@
 # Access control lists for checking incoming messages.
 # The names of these ACLs are defined here:
+acl_smtp_connect = ${if ={587}{$interface_port} {accept} {acl_mta_connect}}
 acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {acl_mta_mail}}
 acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}}
 acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}}
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 9ad677b..d8668fb 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
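Review bot: The new `acl_smtp_connect` line puts a literal `accept` where its three siblings name an ACL, so the header just above it, `# The names of these ACLs are defined here:`, no longer describes the line, and nothing records why submission-port connections are deliberately left unchecked at connect time. A comment on the line would carry that intent, e.g. `# Port 587 (submission): accept at connect time; the acl_mua_* ACLs below do the checking.` The `${if ={587}{$interface_port} ...}` test is now repeated four times; an Exim macro could name it once, though that would touch the existing lines as well.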
@@ -33,40 +33,6 @@ acl_check_alias:
 accept
-# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
-acl_check_mail_host_policy:
- # Accept all messages from trusted hosts and relays.
- # Also disable DKIM signature check as mailing list servers may alter messages.
- accept hosts = +trusted_relay_hosts
- control = dkim_disable_verify
-
- # Deny messages from hosts known to be bad.
- drop dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
- message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
- # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
- accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \
- --ip ${quote:$sender_host_address} \
- --identity ${if def:sender_address_domain \
- {--scope mfrom --identity ${quote:$sender_address}} \
- {--scope helo --identity ${quote:$sender_helo_name}}}}}
- condition = ${if eq {$acl_m_spf}{0}{yes}{no}}
-
- # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
- drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
- message = [SPF] $sender_host_address is not allowed to send mail from \
- ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
- {mfrom}{helo}};identity=${if def:sender_address_domain \
- {$sender_address}{$sender_helo_name}};ip=$sender_host_address
-
- # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
- drop dnslists = pbl.spamhaus.org
- message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-
- accept
-
-
 #########################
 # MUA ACLs (submission) #
 #########################
@@ -110,11 +76,49 @@ acl_mua_data:
 # MTA ACLs #
 ############
+acl_mta_connect:
+ # Accept all messages from trusted hosts and relays.
+ # Also disable DKIM signature check as mailing list servers may alter messages.
+ accept hosts = +trusted_relay_hosts
+ control = dkim_disable_verify
+
+ # Deny messages from hosts known to be bad.
+ drop dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
+ message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+
+ accept
+
+
 acl_mta_mail:
 require acl = acl_check_mail_introduction
 message = Courtesy protocol violation: $acl_m_msg
- require acl = acl_check_mail_host_policy
+ # Accept all messages from trusted hosts and relays.
+ # Also disable DKIM signature check as mailing list servers may alter messages.
+ accept hosts = +trusted_relay_hosts
+ control = dkim_disable_verify
+
+ # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
+ # TODO: switch to builtin exim SPF support
+ accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \
+ --ip ${quote:$sender_host_address} \
+ --identity ${if def:sender_address_domain \
+ {--scope mfrom --identity ${quote:$sender_address}} \
+ {--scope helo --identity ${quote:$sender_helo_name}}}}}
+ condition = ${if eq {$acl_m_spf}{0}{yes}{no}}
+
+ # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
+ # TODO: switch to builtin exim SPF support
+ drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+ Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+ {mfrom}{helo}};identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+
+ # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
+ drop dnslists = pbl.spamhaus.org
+ message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
 accept
-- cgit v1.2.3
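Review bot: `acl_mta_connect` gets no header comment, while the ACL it replaces opened with `# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.`, so the split of that policy between connect time and MAIL time is now undocumented. I would add above `acl_mta_connect:` the line `# Connection-time host policy: trusted relays bypass all checks; hosts on the SBL/XBL or SpamCop lists are dropped before any SMTP command.` The trusted-relay `accept` repeated in `acl_mta_mail` looks intentional, since an accept in the connect ACL does not skip the later MAIL ACL and relays must bypass the SPF checks, but a reader may take it for a leftover; a comment such as `# Repeated from acl_mta_connect: accepting there does not skip this ACL, and relays must bypass the SPF checks below.` would settle that. Whether `control = dkim_disable_verify` is honoured in the connect ACL rather than only from MAIL onward is worth confirming against the Exim control table, since the connect-time copy would otherwise be a no-op.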