![[MU Poststamp]](/graphics/mustamp.png)
|
|
GNU Mailutils |
General-Purpose Mail Package |
Official GNU Software |
GNU Mailutils Manual (split by node): 
acl Statementacl {
# Allow connections from this IP address.
allow [from] ip;
# Deny connections from this IP address.
deny [from] ip;
# Log connections from this IP address.
log [from] ip [string];
/* Execute supplied program if a connection from this
IP address is requested. */
exec [from] ip program;
/* Use program to decide whether to allow connection
from ip. */
ifexec [from] ip program;
}
The ACL statement defines an Access Control List, a special structure that controls who can access the given Mailutils resource.
The acl block contains a list of access controls. Each control
can be regarded as a function that returns a tree-state value:
‘True’, ‘False’ and ‘Don't know’. When a
remote party connects to the server, each of controls is tried in
turn. If a control returns ‘False’, access is denied. If it
returns ‘True’, access is allowed. If it returns ‘Don't
know’, then the next control is tried. It is unclear whether to allow
access if the last control in list returned ‘Don't know’. GNU
Mailutils 3.14 issues a warning message and allows access.
This default may change in future versions. Users are advised to
write their ACLs so that the last control returns a definite answer
(either True or False).
In the discussion below, wherever cidr appears as an argument, it can be replaced by any of:
The following controls are understood:
Allow connections from IP addresses matching this cidr block.
Deny connections from IP addresses matching this cidr block.
When a connection from the cidr block is requested, execute the program program. If its exit code is ‘0’, then allow connection. Otherwise, deny it.
The program argument undergoes variable expansion and word splitting. The following variables are defined:
aclnoOrdinal number of the control in the ACL. Numbers begin from ‘1’.
familyConnection family. Mailutils version 3.14 supports the following families: ‘AF_INET’, ‘AF_INET6’ and ‘AF_UNIX’.
addressRemote IP address (for ‘AF_INET’ and ‘AF_INET6’) or socket name (for ‘AF_UNIX’). Notice that most Unixes return empty string instead of the ‘AF_UNIX’ socket name, so do not rely on it.
portRemote port number (for ‘AF_INET’ and ‘AF_INET6’).
If a connection from the cidr block is requested, execute the given program. Do not wait for it to terminate, and ignore its exit code. The program is subject for variable expansion as in ‘ifexec’.
The following two controls are provided for logging purposes and as a means of extensions. They always return a ‘Don't know’ answer, and therefore should not be used at the end of an ACL:
Log connections from addresses in this cidr. The
MU_DIAG_INFO channel is used. If the logging goes to syslog,
it is translated to the LOG_INFO priority.
If string is not given, the format of the log entry depends on the connection family, as described in the table below:
For inet IPv4 connections. The variables ip and port are replaced by the remote IP address and port number, correspondingly.
For connections over UNIX sockets. The socket name, if available, may be printed before the closing curly brace.
If string is supplied, it undergoes variable expansions as described for the ‘ifexec’.
For example, the following ACL makes a Mailutils server log every incoming connection:
acl {
log from any "Connect from ${address}";
...
}
This was the default behavior for the versions of Mailutils up to ‘1.2’, so if you got used to its logs you might wish to add the above in your configuration files.
If a connection from the cidr block is requested, execute the given program. Do not wait for it to terminate, and ignore its exit code.
GNU Mailutils Manual (split by node):
This document was generated on January 2, 2022 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.