On Wed, 14 Sep 2005, Cole Tuininga wrote:
>
> Is there a way I can set up an acl to run only *after* this router has
> been seen?

If you do verify=recipient or verify=sender in the ACL then the address is
run through the routers. I use this to record the final address, after
aliases have been resolved, in $address_data, in order to implement some
security restrictions.

# ...

HERMES_ADDRDATA = user=$local_part \
                  suffix=${if eq{}{$local_part_suffix} \
                              {""} {$local_part_suffix} } \
                  secure=${lookup {$local_part} \
                              cdb {USERS/insecure.cdb} \
                              {no} {yes} }

# ...

  # If the connection is not authenticated, and the user is
  # required to make secure connections, reject the message.
  # If the routers could not identify the user then the result of
  # the expansion will be blank so the message will not be rejected.
  deny
    message = Insecure access forbidden: turn on TLS+AUTH
    ! authenticated = *
    condition = ${extract {secure}{$sender_address_data} }

  # Check that authenticated users aren't pretending to be someone else.
  deny
    message = Sender address does not match authenticated user
    authenticated = *
    condition = ${extract {user}{$sender_address_data} \
                    {${if eq{$value}{$authenticated_id} \
                          {no} {yes} }} }

# ...

# most aliases eventually redirect to this router
hermes_verify:
  driver = accept
  local_part_suffix = +*
  local_part_suffix_optional
  verify_only
  domains = hermes.cam.ac.uk
  local_parts = +hermes_active
  address_data = HERMES_ADDRDATA

# ...

Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
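
Added example, not part of the original post and not Exim code: a small Python model of how the two deny statements above evaluate $sender_address_data, useful for checking which sessions each rule rejects. The function names and sample sessions are constructed, and extract() is a simplified stand-in for Exim's ${extract} on key=value data.

```python
import shlex

def extract(key, data):
    """Simplified ${extract{key}{data}}: value of key in 'k=v k="v"' data, else ''."""
    for item in shlex.split(data or ""):
        name, sep, value = item.partition("=")
        if sep and name == key:
            return value
    return ""

def acl_true(result):
    """Truth value Exim gives an expanded `condition` string."""
    result = result.strip().lower()
    if result in ("", "0", "no", "false"):
        return False
    if result in ("yes", "true"):
        return True
    try:
        return int(result) != 0
    except ValueError:
        raise ValueError(f"ACL would defer on condition result {result!r}")

def check_sender(sender_address_data, authenticated_id=None):
    """Return the deny message the two statements would produce, or None."""
    if authenticated_id is None:
        # deny  ! authenticated = *  +  ${extract {secure}{$sender_address_data}}
        if acl_true(extract("secure", sender_address_data)):
            return "Insecure access forbidden: turn on TLS+AUTH"
        return None
    # deny  authenticated = *  +  ${extract {user}{...}{${if eq ... {no}{yes}}}}
    user = extract("user", sender_address_data)
    mismatch = "" if not user else ("no" if user == authenticated_id else "yes")
    if acl_true(mismatch):
        return "Sender address does not match authenticated user"
    return None

# Constructed sample sessions: (address data set by hermes_verify, authenticated id)
SESSIONS = [
    ('user=alice suffix="" secure=yes', None),      # must use TLS+AUTH, did not
    ('user=bob suffix="" secure=no', None),         # listed in insecure.cdb
    ("", None),                                     # sender not routed: data blank
    ('user=alice suffix=+lists secure=yes', "alice"),
    ('user=bob suffix="" secure=yes', "alice"),     # sender differs from login
]

if __name__ == "__main__":
    for data, auth in SESSIONS:
        print(f"{data!r:45} auth={auth!s:6} -> {check_sender(data, auth)}")
```

Blank address data makes both conditions expand to an empty string, so neither deny fires for a sender that hermes_verify did not accept.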