ACL list
Regular Expression ACLs
Some ACLs just try to match simple text, so they all have exactly the same behavior.
- sender - evaluated at least on smtpd_sender_restrictions
- recipient - evaluated at least on smtpd_recipient_restrictions
- client_name
- helo_name - evaluated at least on smtpd_helo_restrictions
- sasl_username - evaluated at least on smtpd_sender_restrictions
- sasl_method - evaluated at least on smtpd_sender_restrictions
- sasl_sender - evaluated at least on smtpd_sender_restrictions
- reverse_client_name
These ACLs support regular expressions, so you can use the full power of the Python Regular Expression library.
Some examples:
acl bad_sender sender foo@bar.com
acl bad_domain sender @bar.com
acl trap recipient trap@
acl other_trap recipient (sales|contact)@bar.com
acl dyn_host client_name (.dynamic.|.dhcp.)
client_address
This ACL supports IPv4 and IPv6.
acl machine client_address 192.168.0.10
acl net1 client_address 192.168.1.0/24
acl net2 client_address 192.168.2.0/255.255.255.0
acl net3 client_address 192.168.3.0-192.168.3.255
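As an added example (not apolicy's own code), the following evaluator shows how the regular-expression ACLs above and the four client_address notations behave against a Postfix policy request held in a dict. The acl lines are constructed for this page, and the unanchored re.search semantics is an assumption of the example.

```python
import ipaddress
import re

# Constructed acl lines (this page's syntax; example code, not apolicy's).
ACL_LINES = """
acl bad_domain sender @bar.com
acl other_trap recipient (sales|contact)@bar.com
acl dyn_host client_name (.dynamic.|.dhcp.)
acl net2 client_address 192.168.2.0/255.255.255.0
acl net3 client_address 192.168.3.0-192.168.3.255
"""

def parse_client_address(spec):
    """Accept a single IP, CIDR, dotted netmask or first-last range."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return ("range", ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    if "/" in spec:  # ip_network takes a prefix length or a dotted netmask
        return ("net", ipaddress.ip_network(spec, strict=False))
    return ("ip", ipaddress.ip_address(spec))

def parse_acls(text):
    """Map acl name -> (attribute, compiled matcher)."""
    acls = {}
    for line in text.strip().splitlines():
        _, name, attr, value = line.split(None, 3)
        if attr == "client_address":
            acls[name] = (attr, parse_client_address(value))
        else:  # every other attribute on this page is a regex (unanchored)
            acls[name] = (attr, re.compile(value))
    return acls

def acl_matches(acl, request):
    """True if one parsed acl matches a policy request (a dict)."""
    attr, spec = acl
    value = request.get(attr, "")
    if attr != "client_address":
        return spec.search(value) is not None
    if not value:
        return False  # Postfix did not supply a client address
    ip = ipaddress.ip_address(value)
    if spec[0] == "ip":
        return ip == spec[1]
    if spec[0] == "net":
        return ip in spec[1]
    return spec[1] <= ip <= spec[2]

def evaluate(acls, request):
    return sorted(n for n, a in acls.items() if acl_matches(a, request))
```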
day
This ACL can be evaluated at any time.
- m - Monday
- t - Tuesday
- w - Wednesday
- h - Thursday
- f - Friday
- a - Saturday
- s - Sunday
acl weekend day sm
time
This ACL can be evaluated at any time.
acl work time 08:00-17:00
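An added example (not apolicy's own code) covering both the day and the time ACLs above: it maps the one-letter day codes onto Python's weekday numbering and checks a time window against a given timestamp. Treating a window that ends before it starts as wrapping past midnight is this example's assumption; the page does not say how apolicy handles that case.

```python
from datetime import datetime

# Day codes from this page, Monday first; datetime.weekday() also numbers
# Monday as 0, so the index of a letter is its weekday number.
DAY_CODES = "mtwhfas"  # m t w h f a s = Mon Tue Wed Thu Fri Sat Sun

def parse_day(spec):
    """'as' -> {5, 6}: the set of weekday() values the acl matches."""
    days = set()
    for ch in spec.lower():
        if ch not in DAY_CODES:
            raise ValueError("unknown day code: %r" % ch)
        days.add(DAY_CODES.index(ch))
    return days

def parse_time(spec):
    """'08:00-17:00' -> ((8, 0), (17, 0)) as (hour, minute) tuples."""
    start, end = spec.split("-", 1)
    to_hm = lambda s: tuple(int(x) for x in s.split(":", 1))
    return to_hm(start), to_hm(end)

def time_matches(window, when):
    """Inclusive check. A window that ends before it starts (22:00-06:00)
    is treated as wrapping past midnight; that is this example's
    assumption, not documented behavior of apolicy."""
    start, end = window
    now = (when.hour, when.minute)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def evaluate(acl_lines, when):
    """Names of the day/time acls matching 'when' (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    matched = []
    for line in acl_lines:
        _, name, attr, value = line.split(None, 3)
        if attr == "day" and when.weekday() in parse_day(value):
            matched.append(name)
        elif attr == "time" and time_matches(parse_time(value), when):
            matched.append(name)
    return matched
```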
rbl
This ACL will query the RBL host supplied with the client IP address and it can be evaluated at any time.
acl spamhaus rbl zen.spamhaus.org
size
The value of this ACL is specified in bytes and can be evaluated at smtpd_sender_restrictions. Note that the size of a message is known at this stage only if the client uses the SIZE extension of the ESMTP protocol. For that reason, use this ACL as the last check in your policy, after RBL checks, greylisting, HELO and sender verifications, etc., because a legitimate server is much more likely to use ESMTP and the SIZE extension. Refer to this thread on the postfix-users mailing list about this topic, which has very good information: http://thread.gmane.org/gmane.mail.postfix.user/182300. If you need 100% accuracy when controlling message sizes, then call the policy daemon from smtpd_end_of_data_restrictions.
acl 10mb size 10240000
acl 20mb size 20480000
greylisting
For more information about greylisting, check the links below:
Wikipedia entry about it: http://en.wikipedia.org/wiki/Greylisting
The "official" website: http://www.greylisting.org/
The Next Step in the Spam Control War: Greylisting, by Evan Harris http://projects.puremagic.com/greylisting/whitepaper.html
The greylisting ACL doesn't receive any parameters. This ACL is configured in the main.conf file.
acl greylist greylisting
apolicy uses memcached as the backend for greylisting. memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Please read more about memcached at http://www.socialtext.net/memcached/index.cgi?faq.
One of the key advantages of using memcached is that you can share the greylisting database with many apolicy servers and keep memory usage under control, avoiding maintaining a relational database and reducing overhead.
When apolicy starts it tries to store a test object on the memcached daemon; if that fails, apolicy exits immediately and logs the error. While apolicy is running, if it is not possible to store objects in the memcached daemon, the ACL returns false and an error is logged.
spf
If the sender is authorized, neutral, or softfailed by the SPF record this ACL returns False.
If the sender is not authorized by an SPF record this ACL returns True.
For more information on how and why to use SPF, check the links below:
OpenSPF official site: http://www.openspf.org/
A summary about SPF: http://old.openspf.org/for-mit-spam-conference.html
The spf ACL doesn't receive any parameters. This ACL is configured in the main.conf file.
acl check_spf spf
protocol_name
This ACL compares the current protocol used by the client against one of SMTP, ESMTP or LMTP. Any other value results in an error when apolicy starts.
acl smtp protocol_name SMTP
acl esmtp protocol_name esmtp
acl smtp protocol_name FOO # invalid value
log
Available in apolicy 0.72 and later.
When this ACL is processed it generates a log event with the requested parameters.
acl log_sender_helo log content=sender:helo
acl log_rbl log prefix=RBL,content=client_address:helo:sender
The first line logs the sender and the HELO message used during the SMTP transaction.
The second line logs the client IP, the HELO message and the sender, prefixed by the string RBL. The prefix parameter can help identify the log event in the log files.
Possible parameters:
prefix: Adds a message before the requested content logged. Default: LOG:
content: The actual content to be logged, separated by colons. The names are exactly the same as those used in the policy protocol. This is the list of possible values: request, protocol_state, protocol_name, helo_name, queue_id, sender, recipient, recipient_count, client_address, client_name, reverse_client_name, instance, sasl_method, sasl_username, sasl_sender, size, ccert_subject, ccert_issuer, ccert_fingerprint, encryption_protocol, encryption_cipher, encryption_keysize, etrn_domain, stress. Default: client_address:sender:recipient
result: The default behavior of the log ACL is to return false to not interfere. But it is possible to change that using the parameter result. Possible values true or false. Default: false
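An added example (not apolicy's own implementation) of how the three log parameters fit together: it parses a prefix=...,content=...,result=... string, fills in the defaults listed above, validates the content names against the policy-protocol list, and builds the line from a request dict. The "PREFIX name=value ..." line layout is this example's choice; the page does not document the exact format apolicy writes.

```python
import logging

# Attribute names allowed in content=, taken from the policy-protocol list
# on this page (example code, not apolicy's own implementation).
LOG_ATTRS = {
    "request", "protocol_state", "protocol_name", "helo_name", "queue_id",
    "sender", "recipient", "recipient_count", "client_address", "client_name",
    "reverse_client_name", "instance", "sasl_method", "sasl_username",
    "sasl_sender", "size", "ccert_subject", "ccert_issuer", "ccert_fingerprint",
    "encryption_protocol", "encryption_cipher", "encryption_keysize",
    "etrn_domain", "stress"}

DEFAULTS = {"prefix": "LOG:", "content": "client_address:sender:recipient",
            "result": "false"}

def parse_log_params(spec):
    """'prefix=RBL,content=a:b' -> dict with the page's defaults filled in."""
    params = dict(DEFAULTS)
    for item in filter(None, spec.split(",")):
        key, sep, value = item.partition("=")
        if key not in DEFAULTS or not sep:
            raise ValueError("bad log parameter: %r" % item)
        params[key] = value
    unknown = [f for f in params["content"].split(":") if f not in LOG_ATTRS]
    if unknown:
        raise ValueError("unknown content attribute(s): %s" % unknown)
    if params["result"].lower() not in ("true", "false"):
        raise ValueError("result must be true or false")
    return params

def log_acl(spec, request, logger=logging.getLogger("apolicy")):
    """Emit the log line and return (line, acl_result).

    The 'PREFIX name=value ...' layout is this example's assumption; the
    page does not document the exact format apolicy writes."""
    params = parse_log_params(spec)
    fields = params["content"].split(":")
    line = params["prefix"] + " " + " ".join(
        "%s=%s" % (f, request.get(f, "")) for f in fields)
    logger.info(line)
    return line, params["result"].lower() == "true"
```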
country
Available in apolicy 0.73 and later.
This ACL queries hostip.info to geolocate the client IP address. It receives a comma-separated list of countries. This ACL is configured in the main.conf file.
The country must match the value returned by hostip.info. Generally it is an ISO 3166 code, but there are specific cases where obsolete or invalid codes are used, largely because the source of the information (the various NICs or the netblock owner) doesn't validate or update it. You can find the complete list of country codes at http://www.hostip.info/bulk/countries.html
acl italy country IT
acl sud_america country PE,PY,UY,BR
stress
Available in apolicy 0.73 and later. Requires Postfix 2.5 or later.
This ACL detects server overload. See the STRESS_README document for further information.
acl overload stress
sleep
Available in apolicy 0.80 and later.
This ACL simply delays the response to Postfix. This can be useful to make suspicious machines wait longer for a response: bots usually disconnect after 10 to 30 seconds without a response, while legitimate servers wait for the standard TCP timeout. The value is in seconds. Pay attention to the Postfix parameter smtpd_policy_service_timeout so that Postfix waits long enough for the response.
acl zzz sleep 15
