On Mon, Aug 02, 2010 at 10:24:12PM +0200, Axel Rau wrote:
> I have this acl, to refuse local senders, not coming from local
> outgoing relays:
> ----------
> deny message = "We don't like spoofed sender addresses"
> log_message = $sender_host_name [$sender_host_address] attempts to
> spoof local sender
> sender_domains = +local_domains
> hosts = !+own_outgoing_relay_hosts
> delay = 3m
>
> [snip]
>
> The definition of +local_domains is:
> -----------
> domainlist local_domains = \
> ${lookup pgsql {SELECT name FROM localdomain \
> WHERE name ='${lc:$domain}' }}
> -----------
>
> No doubt: a bug.

The documentation for the sender_domains ACL condition states:

    This condition tests the domain of the sender of the message against the
    given domain list. Note: The domain of the sender address is in
    $sender_address_domain. It is not put in $domain during the testing of this
    condition. This is an exception to the general rule for testing domain
    lists. It is done this way so that, if this condition is used in an ACL for
    a RCPT command, the recipient's domain (which is in $domain) can be used to
    influence the sender checking.

In section 11.9, under the definition of the $domain variable, it states:

    With one important exception, whenever a domain list is being scanned,
    $domain contains the subject domain. Exception: When a domain list in a
    sender_domains condition in an ACL is being processed, the subject
    domain is in $sender_address_domain and not in $domain. It works this
    way so that, in a RCPT ACL, the sender domain list can be dependent on
    the recipient domain (which is what is in $domain at this time).

When using the sender_domains ACL condition, it doesn't look like you'll
be able to use +localhosts written the way that it is because of
the above described behavior.

You'll need to create a separate domain list that uses $sender_address_domain
instead of $domain.

At least it looks that way, I haven't tested any of this.

--
Dean Brooks
dean@???
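
The separate list suggested in the reply above, written out as an added example that is not part of the original thread. The list name `local_sender_domains` is hypothetical, and the `${quote_pgsql:...}` wrapper is an addition: the sender domain is supplied by the remote client and ends up inside the SQL text, so it is quoted before interpolation.

```exim
# Existing list, keyed on $domain. Suitable wherever $domain holds the
# subject domain (for example a "domains = +local_domains" condition).
domainlist local_domains = \
    ${lookup pgsql {SELECT name FROM localdomain \
                    WHERE name = '${quote_pgsql:${lc:$domain}}'}}

# Added list (hypothetical name), keyed on $sender_address_domain.
# While sender_domains is evaluated, the sender's domain is in
# $sender_address_domain; $domain still holds the recipient's domain.
domainlist local_sender_domains = \
    ${lookup pgsql {SELECT name FROM localdomain \
                    WHERE name = '${quote_pgsql:${lc:$sender_address_domain}}'}}

# The deny statement from the original post, now pointing at the
# sender-keyed list. Conditions and modifiers keep their original order,
# so the delay only applies once both conditions have matched.
deny message        = "We don't like spoofed sender addresses"
     log_message    = $sender_host_name [$sender_host_address] attempts to spoof local sender
     sender_domains = +local_sender_domains
     hosts          = !+own_outgoing_relay_hosts
     delay          = 3m
```

Running `exim -bh <ip-address>` with an address outside `own_outgoing_relay_hosts` and a `MAIL FROM` in a local domain exercises this statement in a fake SMTP session without delivering anything.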