Mailutils acl


The mailutils acl command tests GNU Mailutils access control lists. By default it reads the ACL from the "acl" section of the Mailutils configuration file. The command takes a list of IP addresses as its arguments, applies the ACL to each of these addresses in turn and prints the result.

To select the ACL to test, two options are provided. The --file (-f) option supplies the name of the configuration file to read instead of the default one. The --path (-p) option supplies the path to the ACL section to use instead of the default ".acl". For example, to test the ACL in section server 198.51.100.33 of the file /etc/pop3d.conf, use:

 mailutils acl --file=/etc/pop3d.conf --path=/server="198.51.100.33"/acl address

As an example of its use, consider the file test.conf with the following contents:

acl {
        deny from 10.10.10.1;
        deny from 10.10.1.0/24;
        log from any "Connect from ${address}";
        allow from 10.0.0.0/8;
        allow from 192.168.0.0/16;
        deny from any;
}

Then running mailutils acl --file=test.conf 127.0.0.1 prints:

 Testing 127.0.0.1:
 mailutils: Connect from 127.0.0.1
 127.0.0.1: deny

More examples:

 $ mailutils acl --file=test.conf 127.0.0.1 10.10.10.1 10.10.1.3 10.5.3.1 192.168.1.0 192.168.2.0
 Testing 127.0.0.1:
 mailutils: Connect from 127.0.0.1
 127.0.0.1: deny
 Testing 10.10.10.1:
 10.10.10.1: deny
 Testing 10.10.1.3:
 10.10.1.3: deny
 Testing 10.5.3.1:
 mailutils: Connect from 10.5.3.1
 10.5.3.1: accept
 Testing 192.168.1.0:
 mailutils: Connect from 192.168.1.0
 192.168.1.0: accept
 Testing 192.168.2.0:
 mailutils: Connect from 192.168.2.0
 192.168.2.0: accept

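The mailutils option --debug-level gives deeper insight into the address matching algorithm. Each trace line shows the rule number, its action, and the network and netmask that the address was compared against: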

 $ mailutils --debug-level=acl.trace9 acl --file test.conf 127.0.0.1
 Testing 127.0.0.1:
 mailutils: Checking sockaddr 127.0.0.1
 mailutils: 1:deny: Does 10.10.10.1/255.255.255.255 match 127.0.0.1? no; 
 mailutils: 2:deny: Does 10.10.1.0/255.255.255.0 match 127.0.0.1? no; 
 mailutils: 3:log: Does any match 127.0.0.1? yes; 
 mailutils: Expanding "Connect from ${address}"
 mailutils: Expansion: "Connect from 127.0.0.1". 
 mailutils: Connect from 127.0.0.1
 mailutils: 4:accept: Does 10.0.0.0/255.0.0.0 match 127.0.0.1? no; 
 mailutils: 5:accept: Does 192.168.0.0/255.255.0.0 match 127.0.0.1? no; 
 mailutils: 6:deny: Does any match 127.0.0.1? yes; 
 127.0.0.1: deny
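
A small Python model of the evaluation order visible in the trace above, added here as an illustration and not Mailutils code: rules are tried in order, a matching log rule does not stop the scan, and the first matching accept or deny decides. The names TRACE_RULES, matches and evaluate are hypothetical, and the "undefined" result for an address that matches no terminal rule is a choice of this model, not documented Mailutils behaviour.

```python
import ipaddress

# Rules transcribed from the debug trace above: (action, "any" or net/netmask).
# "log" is modelled as non-terminal, since the trace continues past rule 3.
TRACE_RULES = [
    ("deny",   "10.10.10.1/255.255.255.255"),
    ("deny",   "10.10.1.0/255.255.255.0"),
    ("log",    "any"),
    ("accept", "10.0.0.0/255.0.0.0"),
    ("accept", "192.168.0.0/255.255.0.0"),
    ("deny",   "any"),
]


def matches(spec, addr):
    """True if addr falls inside spec ("any" or network/netmask)."""
    if spec == "any":
        return True
    return addr in ipaddress.ip_network(spec)


def evaluate(rules, address):
    """Return (verdict, logged, rule_number) for one address.

    The first matching accept/deny rule ends the scan. A matching log rule
    only records the address and the scan goes on. verdict is "undefined"
    when no terminal rule matched (an assumption of this model).
    """
    addr = ipaddress.ip_address(address)
    logged = False
    for number, (action, spec) in enumerate(rules, start=1):
        if not matches(spec, addr):
            continue
        if action == "log":
            logged = True
            continue
        return action, logged, number
    return "undefined", logged, None


if __name__ == "__main__":
    # Same addresses as the sample session above.
    for a in ("127.0.0.1", "10.10.10.1", "10.10.1.3",
              "10.5.3.1", "192.168.1.0", "192.168.2.0"):
        print(a, evaluate(TRACE_RULES, a))
```

The model reproduces the verdicts of the sample session, including that 10.10.10.1 and 10.10.1.3 are denied before the log rule is reached, so no "Connect from" line appears for them.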

See also