diff options
| author | pacien | 2019-08-22 19:11:10 +0200 |
|---|---|---|
| committer | pacien | 2019-08-22 19:11:10 +0200 |
| commit | 3858216aca1d594849ea0866d7c02d4b35c6c103 (patch) | |
| tree | 6fcb722c75d73cd824595ae9b1ea363e50e6fb32 | |
| parent | 71a792f0aebc12b322dfc0acbd904ac413e6ae60 (diff) | |
| download | exim-3858216aca1d594849ea0866d7c02d4b35c6c103.tar.gz | |
acl: move checks to early mail command acl
| -rw-r--r-- | conf.d/010_main.conf | 2 | ||||
| -rw-r--r-- | conf.d/020_acl.conf | 34 |
2 files changed, 20 insertions, 16 deletions
diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf index 5ad88ab..1a6d876 100644 --- a/conf.d/010_main.conf +++ b/conf.d/010_main.conf | |||
| @@ -5,8 +5,8 @@ | |||
| 5 | # Access control lists for checking incoming messages. | 5 | # Access control lists for checking incoming messages. |
| 6 | # The names of these ACLs are defined here: | 6 | # The names of these ACLs are defined here: |
| 7 | 7 | ||
| 8 | acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {acl_mta_mail}} | ||
| 8 | acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}} | 9 | acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}} |
| 9 | acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}} | ||
| 10 | acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}} | 10 | acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}} |
| 11 | acl_smtp_dkim = acl_mta_dkim | 11 | acl_smtp_dkim = acl_mta_dkim |
| 12 | 12 | ||
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index c048b7d..9ad677b 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf | |||
| @@ -10,7 +10,7 @@ begin acl | |||
| 10 | # GENERAL CHECK ACLs # | 10 | # GENERAL CHECK ACLs # |
| 11 | ###################### | 11 | ###################### |
| 12 | 12 | ||
| 13 | acl_check_rcpt_introduction: | 13 | acl_check_mail_introduction: |
| 14 | require condition = ${if def:sender_helo_name} | 14 | require condition = ${if def:sender_helo_name} |
| 15 | set acl_m_msg = HELO/EHLO command required. | 15 | set acl_m_msg = HELO/EHLO command required. |
| 16 | 16 | ||
| @@ -34,7 +34,7 @@ acl_check_alias: | |||
| 34 | 34 | ||
| 35 | 35 | ||
| 36 | # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy. | 36 | # Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy. |
| 37 | acl_check_rcpt_host_policy: | 37 | acl_check_mail_host_policy: |
| 38 | # Accept all messages from trusted hosts and relays. | 38 | # Accept all messages from trusted hosts and relays. |
| 39 | # Also disable DKIM signature check as mailing list servers may alter messages. | 39 | # Also disable DKIM signature check as mailing list servers may alter messages. |
| 40 | accept hosts = +trusted_relay_hosts | 40 | accept hosts = +trusted_relay_hosts |
| @@ -71,13 +71,20 @@ acl_check_rcpt_host_policy: | |||
| 71 | # MUA ACLs (submission) # | 71 | # MUA ACLs (submission) # |
| 72 | ######################### | 72 | ######################### |
| 73 | 73 | ||
| 74 | acl_mua_mail: | ||
| 75 | require acl = acl_check_mail_introduction | ||
| 76 | message = Courtesy protocol violation: $acl_m_msg | ||
| 77 | |||
| 78 | require acl = acl_check_alias $sender_address $authenticated_id | ||
| 79 | message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. | ||
| 80 | |||
| 81 | accept | ||
| 82 | |||
| 83 | |||
| 74 | acl_mua_rcpt: | 84 | acl_mua_rcpt: |
| 75 | require encrypted = * | 85 | require encrypted = * |
| 76 | message = Encrypted session required for message submission. | 86 | message = Encrypted session required for message submission. |
| 77 | 87 | ||
| 78 | require acl = acl_check_rcpt_introduction | ||
| 79 | message = Courtesy protocol violation: $acl_m_msg | ||
| 80 | |||
| 81 | require authenticated = * | 88 | require authenticated = * |
| 82 | control = submission | 89 | control = submission |
| 83 | control = dkim_disable_verify | 90 | control = dkim_disable_verify |
| @@ -92,13 +99,6 @@ acl_mua_rcpt: | |||
| 92 | accept | 99 | accept |
| 93 | 100 | ||
| 94 | 101 | ||
| 95 | acl_mua_mail: | ||
| 96 | require acl = acl_check_alias $sender_address $authenticated_id | ||
| 97 | message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address. | ||
| 98 | |||
| 99 | accept | ||
| 100 | |||
| 101 | |||
| 102 | acl_mua_data: | 102 | acl_mua_data: |
| 103 | require acl = acl_check_alias ${address:$h_from:} $authenticated_id | 103 | require acl = acl_check_alias ${address:$h_from:} $authenticated_id |
| 104 | message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. | 104 | message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}. |
| @@ -110,12 +110,16 @@ acl_mua_data: | |||
| 110 | # MTA ACLs # | 110 | # MTA ACLs # |
| 111 | ############ | 111 | ############ |
| 112 | 112 | ||
| 113 | acl_mta_rcpt: | 113 | acl_mta_mail: |
| 114 | require acl = acl_check_rcpt_introduction | 114 | require acl = acl_check_mail_introduction |
| 115 | message = Courtesy protocol violation: $acl_m_msg | 115 | message = Courtesy protocol violation: $acl_m_msg |
| 116 | 116 | ||
| 117 | require acl = acl_check_rcpt_host_policy | 117 | require acl = acl_check_mail_host_policy |
| 118 | |||
| 119 | accept | ||
| 118 | 120 | ||
| 121 | |||
| 122 | acl_mta_rcpt: | ||
| 119 | require acl = acl_check_rcpt_syntax | 123 | require acl = acl_check_rcpt_syntax |
| 120 | message = Syntactic validation failed: $acl_m_msg | 124 | message = Syntactic validation failed: $acl_m_msg |
| 121 | 125 | ||