

3.2.8 ACL Statement

Syntax

     acl {
       # Allow connections from this IP address.
       allow [from] ip;
       # Deny connections from this IP address.
       deny [from] ip;
       # Log connections from this IP address.
       log [from] ip [string];
       /* Execute supplied program if a connection from this
          IP address is requested. */
       exec [from] ip program;
       /* Use program to decide whether to allow connection
          from ip. */
       ifexec [from] ip program;
     }

Description

The ACL statement defines an Access Control List, a special structure that controls who can access the given Mailutils resource.

The acl block contains a list of access controls. Each control can be regarded as a function that returns a three-state value: ‘True’, ‘False’ or ‘Don't know’. When a remote party connects to the server, each of the controls is tried in turn. If a control returns ‘False’, access is denied. If it returns ‘True’, access is allowed. If it returns ‘Don't know’, the next control is tried. It is unclear whether to allow access if the last control in the list returned ‘Don't know’. GNU Mailutils 2.99.97 issues a warning message and allows access. This default may change in future versions. Users are advised to write their ACLs so that the last control returns a definitive answer (either True or False).

In the discussion below, wherever ip appears as an argument, it can be replaced by any of:

The following controls are understood:

— Configuration: allow [from] cidr

Allow connections from IP addresses matching this cidr block.

— Configuration: deny [from] cidr

Deny connections from IP addresses matching this cidr block.

— Configuration: ifexec [from] cidr program

When a connection from the cidr block is requested, execute the program program. If its exit code is ‘0’, then allow connection. Otherwise, deny it.

The following two controls are provided for logging purposes and as a means of extension. They always return a ‘Don't know’ answer, and therefore should not be used at the end of an ACL:

— Configuration: log [from] cidr [string]

Log connections from addresses in this cidr. The MU_DIAG_INFO channel is used. If the logging goes to syslog, it is translated to the LOG_INFO priority.

If string is not given, the format of the log entry depends on the connection family, as described in the table below:

{AF_INET ip:port}
For inet IPv4 connections. The variables ip and port are replaced by the remote IP address and port number, correspondingly.
{AF_UNIX}
For connections over UNIX sockets. The socket name, if available, may be printed before the closing curly brace.

If the string is specified, it undergoes macro expansion and the result of it is used as the log entry. The following macro variables are expanded:

aclno
Ordinal number of the control in the ACL. Numbers begin from ‘0’.
family
Connection family. Mailutils version 2.99.97 supports two families: ‘AF_INET’ and ‘AF_UNIX’.
address
Remote IP address (for ‘AF_INET’) or socket name (for ‘AF_UNIX’). Notice that most Unixes return an empty string instead of the ‘AF_UNIX’ socket name, so do not rely on it.
port
Remote port number (for ‘AF_INET’).

For example, the following ACL makes a Mailutils server log every incoming connection:

            acl {
               log from any "Connect from ${address}";
               ...
            }

This was the default behavior for versions of Mailutils up to ‘1.2’, so if you got used to its logs you might wish to add the above to your configuration files.

— Configuration: exec [from] cidr program

If a connection from the cidr block is requested, execute the given program. Do not wait for it to terminate, and ignore its exit code.
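The following is an added example, not Mailutils code: a small Python model of the evaluation rules described above (first definitive answer wins, ‘Don't know’ moves on, and an ACL that ends indefinitely is allowed with a warning), including the default log formats and the ${aclno}, ${family}, ${address} and ${port} macros. The ACL, the addresses and the callables standing in for the ifexec program are constructed for the example.

```python
import ipaddress

# Constructed model of the ACL evaluation rules (an added example, not
# Mailutils code). A control is a tuple (keyword, cidr, arg): cidr "any"
# matches everything; for ifexec/exec, arg is a callable that stands in
# for the external program and returns its exit code.

def matches(cidr, address):
    if cidr == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)

def expand(template, aclno, family, address, port):
    """Expand the ${aclno}, ${family}, ${address} and ${port} macros."""
    values = {"aclno": aclno, "family": family, "address": address, "port": port}
    for name, value in values.items():
        template = template.replace("${%s}" % name, str(value))
    return template

def evaluate_acl(controls, address, port, family="AF_INET"):
    """Try the controls in order; return (allowed, warning, log_lines).
    allow/deny/ifexec give a definitive answer; log/exec answer 'Don't
    know', as does any control whose cidr does not match, so evaluation
    moves on to the next control."""
    log_lines = []
    for aclno, (keyword, cidr, arg) in enumerate(controls):
        if not matches(cidr, address):
            continue
        if keyword == "allow":
            return True, None, log_lines
        if keyword == "deny":
            return False, None, log_lines
        if keyword == "ifexec":
            return arg(address) == 0, None, log_lines    # exit code 0 allows
        if keyword == "log":
            if arg:
                log_lines.append(expand(arg, aclno, family, address, port))
            else:
                log_lines.append("{AF_INET %s:%s}" % (address, port)
                                 if family == "AF_INET" else "{AF_UNIX}")
        elif keyword == "exec":
            arg(address)           # run and forget; exit code is ignored
        else:
            raise ValueError("unknown control: %s" % keyword)
    # Last control answered 'Don't know': warn and allow, as 2.99.97 does.
    return True, "ACL ended without a definitive answer; allowing", log_lines

# Constructed ACL: log everything, block one private range, vet another
# range through a program (modelled as a callable), and deny the rest.
EXAMPLE_ACL = [
    ("log", "any", "Connect from ${address} (control ${aclno})"),
    ("deny", "10.0.0.0/8", None),
    ("allow", "192.168.1.0/24", None),
    ("ifexec", "172.16.0.0/12", lambda addr: 0 if addr.endswith(".1") else 1),
    ("deny", "any", None),
]
```

Dropping the final `deny from any` from EXAMPLE_ACL shows the indefinite case: an address that matches none of the definitive controls is allowed, but with the warning set.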