GNU Mailutils Manual (split by node):   Section:   Chapter:FastBack: Programs   Up: configuration   FastForward: Libraries   Contents: Table of ContentsIndex: Function Index

3.2.11 The acl Statement

Syntax

acl {
  # Allow connections from this IP address.
  allow [from] ip;
  
  # Deny connections from this IP address.
  deny [from] ip;
  
  # Log connections from this IP address.
  log [from] ip [string];
  
  /* Execute supplied program if a connection from this
     IP address is requested. */
  exec [from] ip program;
  
  /* Use program to decide whether to allow connection
     from ip. */
  ifexec [from] ip program;
}

Description

The ACL statement defines an Access Control List, a special structure that controls who can access the given Mailutils resource.

The acl block contains a list of access controls. Each control can be regarded as a function that returns a tree-state value: ‘True’, ‘False’ and ‘Don't know’. When a remote party connects to the server, each of controls is tried in turn. If a control returns ‘False’, access is denied. If it returns ‘True’, access is allowed. If it returns ‘Don't know’, then the next control is tried. It is unclear whether to allow access if the last control in list returned ‘Don't know’. GNU Mailutils 3.14 issues a warning message and allows access. This default may change in future versions. Users are advised to write their ACLs so that the last control returns a definite answer (either True or False).

In the discussion below, wherever cidr appears as an argument, it can be replaced by any of:

The following controls are understood:

Configuration: allow [from] cidr

Allow connections from IP addresses matching this cidr block.

Configuration: deny [from] cidr

Deny connections from IP addresses matching this cidr block.

Configuration: ifexec [from] cidr program

When a connection from the cidr block is requested, execute the program program. If its exit code is ‘0’, then allow connection. Otherwise, deny it.

The program argument undergoes variable expansion and word splitting. The following variables are defined:

aclno

Ordinal number of the control in the ACL. Numbers begin from ‘1’.

family

Connection family. Mailutils version 3.14 supports the following families: ‘AF_INET’, ‘AF_INET6’ and ‘AF_UNIX’.

address

Remote IP address (for ‘AF_INET’ and ‘AF_INET6’) or socket name (for ‘AF_UNIX’). Notice that most Unixes return empty string instead of the ‘AF_UNIX’ socket name, so do not rely on it.

port

Remote port number (for ‘AF_INET’ and ‘AF_INET6’).

Configuration: exec [from] cidr program

If a connection from the cidr block is requested, execute the given program. Do not wait for it to terminate, and ignore its exit code. The program is subject for variable expansion as in ‘ifexec’.

The following two controls are provided for logging purposes and as a means of extensions. They always return a ‘Don't know’ answer, and therefore should not be used at the end of an ACL:

Configuration: log [from] cidr [string]

Log connections from addresses in this cidr. The MU_DIAG_INFO channel is used. If the logging goes to syslog, it is translated to the LOG_INFO priority.

If string is not given, the format of the log entry depends on the connection family, as described in the table below:

{AF_INET ip:port}

For inet IPv4 connections. The variables ip and port are replaced by the remote IP address and port number, correspondingly.

{AF_UNIX}

For connections over UNIX sockets. The socket name, if available, may be printed before the closing curly brace.

If string is supplied, it undergoes variable expansions as described for the ‘ifexec’.

For example, the following ACL makes a Mailutils server log every incoming connection:

  acl {
     log from any "Connect from ${address}";
     ...
  }

This was the default behavior for the versions of Mailutils up to ‘1.2’, so if you got used to its logs you might wish to add the above in your configuration files.

Configuration: exec [from] cidr program

If a connection from the cidr block is requested, execute the given program. Do not wait for it to terminate, and ignore its exit code.

GNU Mailutils Manual (split by node):   Section:   Chapter:FastBack: Programs   Up: configuration   FastForward: Libraries   Contents: Table of ContentsIndex: Function Index