On Tue, 15 Jun 2004, Konrad Michels wrote:
>
> Right now I'm doing the usual checks against one or two DNSBL's, which
> is, as expected, bouncing smtp connects appropriately. However, I'm
> also bouncing smtp connects from SMTP authenticated users, which was not
> my intention. From the manual, I gather I need to probably prefix my
> entire ACL section with something like:
>
> if !(authenticated = *)
>
> do I not?

Something like that. What I do on our servers is similar to the following
(though with a few extra bells and whistles that I've omitted here):

  check_sender:

    # We check authorization early in order to simplify later ACLs.
    accept  hosts = +relay_hosts
            set acl_m0 = true
    accept  verify = certificate
            set acl_m0 = true
    accept  authenticated = *
            set acl_m0 = true

    # Not authorized.
    accept  set acl_m0 = false

  check_recipient:

    # Always accept local postmaster and non-network email.
    accept  recipients = postmaster@+our_domains
    accept  hosts = :

    # Accept non-bounce messages from authorized senders,
    # but ensure that the reverse path is valid.
    accept  condition = $acl_m0
            !senders = :
            endpass
            message = Invalid sender address: ${acl_verify_message}
            verify = sender/callout=postmaster

    # If an authorized sender is sending a bounce, require the
    # recipients to be valid. This is mainly to deal with the case
    # where we have just rejected a message with an invalid sender,
    # and the sending SMTP server is now trying to bounce it via us.
    accept  condition = $acl_m0
            senders = :
            endpass
            message = Invalid bounce recipient address: ${acl_verify_message}
            verify = recipient/callout=postmaster

    # At this point we know the sending host is foreign.
    # We do some anti-spam checking at this point.

    # Then do anti-relay checks.
    require message = Relaying is not permitted
            domains = +our_domains

    # All addresses must be valid. We do the sender callout after other
    # checks to avoid unnecessarily irritating other email server admins.
    require message = ${acl_verify_message}\n\
                      See http://www.cam.ac.uk/cs/email/bounce.html
            verify = recipient/callout=defer_ok,use_sender
            verify = sender/callout=postmaster

    # Every check has been passed.
    accept

--
Tony Finch <dot@???>
http://dotat.at/
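
Added example, not part of either message in the thread: the DNSBL check from the question shown in the position that rejects authenticated users, next to two placements that exempt them. The zone `dnsbl.example.invalid` and the rejection text are placeholders; `+relay_hosts`, `check_recipient` and `acl_m0` are the names used in the reply above.

```exim
# Added illustration; dnsbl.example.invalid is a placeholder zone.

# --- Before: DNSBL test is the first statement of the RCPT ACL ----------
# An authenticated user connecting from a listed address is rejected,
# because the deny fires before authentication is ever considered.
#
#   deny    message  = $sender_host_address is listed at $dnslist_domain
#           dnslists = dnsbl.example.invalid
#   accept  authenticated = *

# --- After, option 1: exempt authorized clients on the deny itself ------
# This is the "!authenticated" idea from the question. Conditions are
# tested in order, so the exemptions come first and the DNS lookup is
# skipped for relay hosts and authenticated sessions.
  deny    message        = $sender_host_address is listed at $dnslist_domain
          !hosts         = +relay_hosts
          !authenticated = *
          dnslists       = dnsbl.example.invalid

# --- After, option 2: rely on ACL ordering, as in the reply -------------
# Place the unconditional deny at the "sending host is foreign" comment
# in check_recipient. Both "accept condition = $acl_m0" statements sit
# above that point and use endpass, so an authorized client has already
# been accepted or rejected and never reaches the DNSBL test.
  deny    message  = $sender_host_address is listed at $dnslist_domain
          dnslists = dnsbl.example.invalid
```

Only one of the two options is needed; option 2 assumes the statement is inserted into the `check_recipient` ACL exactly where the reply's comment marks the anti-spam checks.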