From 1bbeb858db245ef1a95a298de704d384ca4aa4b8 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 16 Oct 2017 00:45:27 +0200 Subject: exim-{retiolum,smarthost} module: simplify ACL --- krebs/3modules/exim-retiolum.nix | 69 +++++++++------------------------------ krebs/3modules/exim-smarthost.nix | 45 ++++++++++--------------- 2 files changed, 33 insertions(+), 81 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index ca363c8d7..e08024977 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -43,7 +43,6 @@ let primary_hostname = ${cfg.primary_hostname} domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -61,41 +60,15 @@ let begin acl acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - #accept - # hosts = *.r - # domains = *.r - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require verify = recipient + deny + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + message = restricted characters in address accept + domains = +local_domains : +relay_to_domains + + deny + message = relay not permitted acl_check_data: 
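Review bot: The rewritten `acl_check_rcpt` ends in `accept domains = +local_domains : +relay_to_domains` with no recipient verification, where the old ACL had `require verify = recipient`. A RCPT for a non-existent local user is therefore accepted and can only fail later in the routers, presumably as a bounce to an unverified sender address. The `acl_check_rcpt` hunk in krebs/3modules/exim-smarthost.nix has the same gap, having dropped `verify = recipient/callout`. I would keep the check ahead of the final accept, e.g. `deny domains = +local_domains`, `!verify = recipient`, `message = unknown user`. If dropping it is intended for the retiolum overlay, a comment in the ACL saying so would help the next reader.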
@@ -104,29 +77,19 @@ let begin routers - retiolum: - driver = manualroute - domains = ! +local_domains : +relay_to_domains - transport = remote_smtp - route_list = ^.* $0 byname - no_more - - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! +local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more - - local_user: - # debug_print = "R: local_user for $local_part@$domain" + local: driver = accept + domains = +local_domains check_local_user - # local_part_suffix = +* : -* + # local_part_suffix = +* # local_part_suffix_optional transport = home_maildir - cannot_route_message = Unknown user + + remote: + driver = manualroute + domains = +relay_to_domains + transport = remote_smtp + route_list = ^.* $0 byname begin transports diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index dd4a7ccc9..5f93ae937 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix 
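Review bot: The new `remote` router matches `domains = +relay_to_domains` without the `! +local_domains` exclusion that the removed `retiolum` router carried. If the two lists can overlap (the old exclusion suggests they can; their values are defined outside this hunk), an address for an unknown user in a local domain is skipped by `local` because `check_local_user` fails. It then falls through to `remote`, which would try to route the mail by name back to this host instead of rejecting it. I would keep the exclusion on `remote`: `domains = ! +local_domains : +relay_to_domains`.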
@@ -157,39 +157,28 @@ let begin acl acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify + deny + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + message = restricted characters in address - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - accept message = relay not permitted 2 - recipients = lsearch*@;${lsearch.internet-aliases} + accept + recipients = lsearch*@;${lsearch.internet-aliases} - require message = relay not permitted - domains = +local_domains : +relay_to_domains + accept + authenticated = * + control = dkim_disable_verify + control = submission - require - message = unknown user - verify = recipient/callout + accept + control = dkim_disable_verify + control = submission + hosts = +relay_from_hosts accept + domains = +local_domains : +relay_to_domains + + deny + message = relay not permitted acl_check_data: -- cgit v1.2.3 From 8b55369fa72e1b4b518a41cc221420910c924108 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 16 Oct 2017 22:55:38 +0200 Subject: krebs exim-smarthost: add eloop2017@krebsco.de --- krebs/3modules/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 48cf7971b..c89f3229d 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
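Review bot: In the third accept statement the two `control =` modifiers come before `hosts = +relay_from_hosts`, and Exim processes conditions and modifiers in the order written. So `dkim_disable_verify` and `submission` take effect for every RCPT that reaches this statement, including from hosts that then fail the host check and are accepted by the next statement as ordinary inbound mail. The `authenticated = *` statement above has its condition first and is not affected. Put the condition first: `hosts = +relay_from_hosts` followed by `control = dkim_disable_verify` and `control = submission`. The `relay_from_hosts` hostlist itself is defined outside this hunk.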
@@ -202,6 +202,7 @@ let
 "kontakt@eloop.org" = eloop-ml;
 "root@eloop.org" = eloop-ml;
 "eloop2016@krebsco.de" = eloop-ml;
+ "eloop2017@krebsco.de" = eloop-ml;
 "postmaster@krebsco.de" = spam-ml; # RFC 822
 "lass@krebsco.de" = lass;
 "makefu@krebsco.de" = makefu;
-- cgit v1.2.3