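######################################################################
#                         ACL CONFIGURATION                          #
#                                                                    #
#       Specifies access control lists for incoming SMTP mail        #
######################################################################

begin acl

######################
# GENERAL CHECK ACLs #
######################

# Requires that the client introduced itself with HELO/EHLO.
# Sets $acl_m_msg so that the calling ACL can report the reason.
acl_check_rcpt_introduction:
  require set acl_m_msg = HELO/EHLO command required.
          condition = ${if def:sender_helo_name}

  accept

# Rejects recipient local parts that start with a dot or contain
# routing/shell metacharacters (@ % ! / |).  Sets $acl_m_msg on failure.
acl_check_rcpt_syntax:
  deny    set acl_m_msg = Invalid local part.
          local_parts = ^[.] : ^.*[@%!/|]

  accept

# Checks the link between a given mail alias and a given user.
#   $acl_arg1: alias to check
#   $acl_arg2: user
# The alias is looked up in ALIASMAP (lsearch); the check succeeds only
# when the value stored for the alias equals $acl_arg2.
acl_check_alias:
  # Accept if the alias belongs to the user.
  accept  condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} \
                        {${if eq{$value}{$acl_arg2} {yes}{no}}} \
                        {no}}

  deny

# Checks whether the connecting host is allowed to send messages, according
# to the local whitelist, DNS blocklists and the SPF policy of the sender
# domain.  Outcome: accept, or deny with $acl_m_msg set.
# NOTE: SPF results other than pass/fail (softfail, neutral, none, temp or
# perm errors, or spfquery not being runnable) fall through to the PBL check
# and are otherwise accepted, i.e. this policy is fail-open for undecided
# SPF outcomes.  It is evaluated once per RCPT, so spfquery runs once per
# recipient.
acl_check_rcpt_host_policy:
  # Accept all messages from trusted hosts and relays.
  accept  hosts = +trusted_relay_hosts

  # Deny messages from hosts known to be bad.
  deny    dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
          set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

  # Run spfquery and keep its exit status, which encodes the SPF result
  # (0 = pass, 1 = fail, as the two checks below assume; confirm against
  # the installed spfquery).  A bare ${run{...}} expands to the command's
  # standard output rather than its exit code, so the {$runrc}{$runrc}
  # result strings are what make the numeric comparisons meaningful.
  # Exim splits the command into arguments itself (no shell is involved)
  # and every client-supplied value is wrapped in ${quote:}.  The scope-
  # specific branches already carry --identity, so no outer --identity
  # option is given.
  # Accept if the host is an authorized sender according to the SPF policy
  # for the domain (SPF pass).
  accept  set acl_m_spf = ${run{/usr/bin/spfquery.mail-spf-perl \
                              --ip ${quote:$sender_host_address} \
                              ${if def:sender_address_domain \
                                {--scope mfrom --identity ${quote:$sender_address}} \
                                {--scope helo --identity ${quote:$sender_helo_name}}}}{$runrc}{$runrc}}
          condition = ${if eq {$acl_m_spf}{0}{yes}{no}}

  # Deny if the host is explicitly not an authorized sender according to
  # the SPF policy for the domain (SPF fail).
  deny    condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
          set acl_m_msg = [SPF] $sender_host_address is not allowed to send mail from \
                          ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
                          Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
                          {mfrom}{helo}};identity=${if def:sender_address_domain \
                          {$sender_address}{$sender_helo_name}};ip=$sender_host_address

  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF
  # couldn't determine a policy.
  deny    dnslists = pbl.spamhaus.org
          set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

  # Accept otherwise.
  accept

#########################
# MUA ACLs (submission) #
#########################

# RCPT-time policy for the submission service: TLS, a HELO/EHLO, SMTP AUTH
# and a syntactically valid, verifiable envelope sender are all mandatory.
acl_mua_rcpt:
  require message = Encrypted session required for message submission.
          encrypted = *

  require message = Courtesy protocol violation: $acl_m_msg
          acl = acl_check_rcpt_introduction

  # Once the client is authenticated, treat the message as a submission
  # (submission-mode header handling) and skip DKIM verification for it.
  require message = Authentication required for message submission.
          authenticated = *
          control = submission
          control = dkim_disable_verify

  require message = Syntactic validation failed: $acl_m_msg
          acl = acl_check_rcpt_syntax

  require message = Sender verification failed.
          verify = sender

  accept

# MAIL-time check: the authenticated user may only use envelope sender
# addresses that ALIASMAP links to their login ($authenticated_id).
acl_mua_mail:
  require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
          acl = acl_check_alias $sender_address $authenticated_id

  accept

# DATA-time check: the address taken from the From: header must likewise be
# an alias of the authenticated user.
acl_mua_data:
  require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
          acl = acl_check_alias ${address:$h_from:} $authenticated_id

  accept

############
# MTA ACLs #
############

# RCPT-time policy for the public MTA service: HELO/EHLO, host policy
# (whitelist, DNSBLs, SPF), recipient syntax, sender and recipient
# verification, and a restriction to domains this host handles.
acl_mta_rcpt:
  require message = Courtesy protocol violation: $acl_m_msg
          acl = acl_check_rcpt_introduction

  require message = $acl_m_msg
          acl = acl_check_rcpt_host_policy

  require message = Syntactic validation failed: $acl_m_msg
          acl = acl_check_rcpt_syntax

  require message = Sender verification failed.
          verify = sender

  require message = Unhandled destination.
          domains = +local_domains : +relay_to_domains

  require message = Recipient verification failed.
          verify = recipient

  accept

# DATA-time check: enforce the SMTP line length limit of 998 octets.
acl_mta_data:
  # message = carries the reason back to the client; $acl_m_msg is kept so
  # that a caller using this as a nested ACL can report it as well.
  deny    set acl_m_msg = Maximum allowed line length is 998 octets, got $max_received_linelength.
          message = $acl_m_msg
          condition = ${if > {$max_received_linelength}{998}}

  accept

# Checks the validity of each signature in the message, and the presence of
# a required signature for the sender domain.  Exim runs this ACL once per
# signer domain; the global setting that makes the sender domain a signer
# to evaluate even when it has not signed is:
#   dkim_verify_signers = $sender_address_domain:$dkim_signers
# With that setting a dkim_status of "none" can only occur for the sender
# domain, so $dkim_cur_signer is the domain whose policy is consulted.
# Signatures with dkim_status "invalid" are not rejected here.
acl_mta_dkim:
  # Accept all messages from trusted relays and mailing list servers
  # which may alter messages, rendering DKIM signatures invalid.
  accept  hosts = +trusted_relay_hosts

  deny    message = [DKIM] invalid signature ($dkim_verify_reason).
          dkim_status = fail

  # Require a signature when the signer domain publishes the DomainKeys
  # policy "o=-" (all mail is signed) in the TXT record at
  # _domainkey.<domain>.  The record is queried for the signer domain, not
  # for the client IP, and the pattern has no delimiters: Exim "match"
  # patterns are bare regular expressions, so "/o=-/" would only have
  # matched a literal slash-delimited string.  dig is run by Exim directly
  # (no shell) and the name is ${quote:}d.
  deny    message = [DKIM] required signature is missing.
          dkim_status = none
          condition = ${if match \
                        {${run{/usr/bin/dig +short TXT ${quote:_domainkey.$dkim_cur_signer}}}} \
                        {o=-} \
                        {yes}{no}}

  accept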