acl {
  # Allow connections from this IP address.
  allow [from] ip;
  # Deny connections from this IP address.
  deny [from] ip;
  # Log connections from this IP address.
  log [from] ip [string];
  /* Execute supplied program if a connection from this IP
     address is requested. */
  exec [from] ip program;
  /* Use program to decide whether to allow connection from ip. */
  ifexec [from] ip program;
}
The ACL statement defines an Access Control List, a special structure that controls who can access the given Mailutils resource.
The acl block contains a list of access controls. Each control can be regarded as a function that returns a three-state value: ‘True’, ‘False’ or ‘Don't know’. When a remote party connects to the server, the controls are tried in turn. If a control returns ‘False’, access is denied. If it returns ‘True’, access is allowed. If it returns ‘Don't know’, the next control is tried. It is unclear whether to allow access if the last control in the list returns ‘Don't know’. GNU Mailutils 2.99.97 issues a warning message and allows access. This default may change in future versions, and a fail-open outcome is rarely what an access list is meant to produce, so users are advised to write their ACLs so that the last control returns a definitive answer (either ‘True’ or ‘False’), for example by ending the list with a deny control that matches any address.
In the discussion below, wherever ip appears as an argument, it can be replaced by any of:
The following controls are understood:
ifexec [from] ip program
- When a connection from an address matching ip is requested, execute program. If its exit status is ‘0’, the connection is allowed; otherwise it is denied. The decision rests on the exit status alone. Because this control always yields a definitive ‘True’ or ‘False’ for matching addresses, it can be used to terminate an ACL.
The following two controls, exec and log, are provided for logging purposes and as an extension mechanism. They always return a ‘Don't know’ answer, and therefore should not be used as the last control of an ACL:
log [from] ip [string]
- Log connections from addresses matching ip. The MU_DIAG_INFO channel is used. If the logging goes to syslog, it is translated to the LOG_INFO priority. If string is not given, the format of the log entry depends on the connection family, as described in the table below:
- {AF_INET ip:port}
- For IPv4 (inet) connections. The variables ip and port are replaced by the remote IP address and port number, respectively.
- {AF_UNIX}
- For connections over UNIX sockets. The socket name, if available, may be printed before the closing curly brace.
If string is specified, it undergoes macro expansion and the result is used as the log entry. The following macro variables are expanded:
aclno
- Ordinal number of the control in the ACL. Numbers begin from ‘0’.
family
- Connection family. Mailutils version 2.99.97 supports two families: ‘AF_INET’ and ‘AF_UNIX’.
address
- Remote IP address (for ‘AF_INET’) or socket name (for ‘AF_UNIX’). Notice that most Unixes return an empty string instead of the ‘AF_UNIX’ socket name, so do not rely on it.
port
- Remote port number (for ‘AF_INET’).
For example, the following ACL makes a Mailutils server log every incoming connection:
acl {
  log from any "Connect from ${address}";
  ...
}

This was the default behavior for the versions of Mailutils up to ‘1.2’, so if you got used to its logs you might wish to add the above to your configuration files.
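To make the evaluation rule described above concrete, here is an added example that is not part of the Mailutils manual or of the Mailutils sources: a small Python model that parses the acl { ... } subset shown in this section (allow, deny, log, exec and ifexec, the optional from keyword, ip given as an address, an address/prefix-length or any, and # comments) and walks the controls with the three-state rule, including the default log formats and the ${aclno}, ${family}, ${address} and ${port} expansions. The two ACLs, the peer addresses and the check-peer program are constructed for the illustration; exec and ifexec programs are stand-in Python callables that return an exit status rather than real external commands, and the parser does not cover the full Mailutils configuration grammar (for instance, /* */ comments are not handled).

```python
"""Model of Mailutils ACL evaluation (added illustration, not Mailutils code)."""
import ipaddress
import re
import shlex
from string import Template

ALLOW, DENY = True, False   # a control that does not apply answers 'Don't know'


def parse_ip(spec):
    """'any' matches every connection; otherwise a host address or network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_acl(text):
    """Parse the acl { ... } subset shown above into (control, network, argument)."""
    body = re.search(r"acl\s*\{(.*)\}", text, re.S).group(1)
    body = re.sub(r"#.*", "", body)            # '#' comments only (not /* */ ones)
    controls = []
    for stmt in body.split(";"):
        words = shlex.split(stmt)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if args and args[0] == "from":          # the 'from' keyword is optional
            args = args[1:]
        if kw in ("allow", "deny") and len(args) == 1:
            controls.append((kw, parse_ip(args[0]), None))
        elif kw == "log" and len(args) in (1, 2):
            controls.append((kw, parse_ip(args[0]), args[1] if len(args) == 2 else None))
        elif kw in ("exec", "ifexec") and len(args) == 2:
            controls.append((kw, parse_ip(args[0]), args[1]))
        else:
            raise ValueError("bad control: %r" % stmt.strip())
    return controls


def matches(net, conn):
    """A network control applies only to AF_INET peers inside that network."""
    if net is None:
        return True
    return conn["family"] == "AF_INET" and ipaddress.ip_address(conn["address"]) in net


def log_entry(fmt, aclno, conn):
    """Default entry per family, or the ${aclno}/${family}/${address}/${port} expansion."""
    name = conn.get("address", "")
    if fmt is None:
        if conn["family"] == "AF_INET":
            return "{AF_INET %s:%s}" % (name, conn["port"])
        return "{AF_UNIX%s}" % (" " + name if name else "")  # socket name is usually empty
    return Template(fmt).safe_substitute(aclno=aclno, family=conn["family"],
                                         address=name, port=conn.get("port", ""))


def decide(acl_text, conn, programs=None):
    """Walk the controls in order; return (verdict, log entries, diagnostics)."""
    programs, logs, diag = programs or {}, [], []
    for aclno, (kw, net, arg) in enumerate(parse_acl(acl_text)):
        if not matches(net, conn):
            continue                            # does not apply: 'Don't know'
        if kw == "allow":
            return ALLOW, logs, diag
        if kw == "deny":
            return DENY, logs, diag
        if kw == "log":
            logs.append(log_entry(arg, aclno, conn))   # still 'Don't know'
        elif kw == "exec":
            programs[arg](conn)                 # exit status ignored: 'Don't know'
        elif kw == "ifexec":
            return (ALLOW if programs[arg](conn) == 0 else DENY), logs, diag
    # Fell off the end. Mailutils 2.99.97 warns and allows; an ACL should not get here.
    diag.append("warning: ACL ends with 'Don't know'; access allowed by default")
    return ALLOW, logs, diag


# Constructed ACLs. WEAK_ACL ends with a log control, so any peer outside 10/8 is
# let in by the fail-open default; HARDENED_ACL ends with a definitive deny.
WEAK_ACL = """
acl {
  allow from 10.0.0.0/8;                       # management network
  log from any "Connect from ${address}";
}
"""
HARDENED_ACL = """
acl {
  allow from 10.0.0.0/8;
  ifexec from 192.168.1.0/24 check-peer;      # hypothetical external policy check
  log from any "refused ${family} peer ${address}:${port} at control ${aclno}";
  deny from any;
}
"""
# Stand-in for the hypothetical check-peer program: exit 0 only for one approved host.
PROGRAMS = {"check-peer": lambda conn: 0 if conn["address"] == "192.168.1.10" else 1}


def peer(address, port=40000):
    return {"family": "AF_INET", "address": address, "port": port}


if __name__ == "__main__":
    unix = {"family": "AF_UNIX", "address": ""}
    for acl in (WEAK_ACL, HARDENED_ACL):
        for conn in (peer("10.1.2.3"), peer("192.168.1.10"),
                     peer("192.168.1.11"), peer("203.0.113.5"), unix):
            verdict, logs, diag = decide(acl, conn, PROGRAMS)
            print("%-7s %-15s %s %s %s" % (conn["family"], conn["address"],
                                          "allow" if verdict else "deny", logs, diag))
```

Running the model shows the point of the advice above: under WEAK_ACL a peer at 203.0.113.5 is logged and then admitted with a warning because the list ran out of controls, while under HARDENED_ACL the same peer is logged by control 2 and refused by the final deny, and a peer rejected by ifexec is refused before the log control is ever reached.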