On 21 May 2006, at 15:37, Theo de Morée wrote:
> Hi,
>
> My mail ACL is as follows:
> acl_check_mail:
>   require verify = sender
>   drop    condition = ${if eq{$sender_address_data}{$authenticated_id} {no} {yes} }
>           message   = Please authenticate first to use this mail address
>   accept  authenticated = *
>   drop    message = Please authenticate first
>
> It goes out on that last drop. I currently don't do any real
> recipient checking, so if you could give me a hint for that as well
> it would be great. Basically the server needs to act like this:
>
> - Outgoing mail: User needs to authenticate and use one of his own
> mail addresses (works now)
> - Incoming mail: No authentication of course, recipient(s) should
> be valid mail addresses on one of the server domains. If someone
> tries to send a mail to an unknown mail address the server should
> reply saying that it doesn't exist.
Clearly you cannot, at the MAIL FROM stage, decide if a message is
for relaying or local delivery. You must do your authentication
enforcement at the RCPT TO stage and not apply it for recipients in
the local domains.
You can move all this to the rcpt acl and add a
!domains = +local_domains
condition to the authenticated_id check. But you could also revise
the logic so that you first accept authenticated users, then accept
for local_domains (except for some basic anti-spam rules perhaps),
and then just deny all the rest.
I do not think that using the deny verb is in general a good idea.
Giuliano
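An added example (not from either poster) of a RCPT ACL laid out in the order Giuliano describes: accept properly authenticated submission, accept mail for local domains only if the mailbox exists, deny everything else. It assumes Exim 4 with `acl_smtp_rcpt = acl_check_rcpt`, a `local_domains` domainlist, and that the sender-verify router sets `address_data` to the login that owns the address (so `$sender_address_data` can be compared with `$authenticated_id`, as in Theo's original).

```exim
acl_check_rcpt:
  # 1. Authenticated submission. The sender address must verify and
  #    its owning login (set by the router in address_data, assumed)
  #    must be the login that authenticated.
  accept  authenticated = *
          verify        = sender
          condition     = ${if eq{$sender_address_data}{$authenticated_id}}

  # An authenticated client whose MAIL FROM is not one of its own
  # addresses falls through to here.
  deny    authenticated = *
          message       = Sender address does not belong to your login

  # 2. Inbound mail for one of our domains: no authentication needed,
  #    but the recipient must route, otherwise answer that it does not exist.
  deny    domains       = +local_domains
          !verify       = recipient
          message       = Unknown user: $local_part@$domain

  accept  domains       = +local_domains

  # 3. Anything left is an unauthenticated client asking us to relay.
  deny    message       = relay not permitted
```

Because the authentication check now lives in the RCPT ACL and is skipped for `+local_domains`, the MAIL ACL can drop the `drop` statements from the original and keep only `require verify = sender` if desired.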