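### acl/25_local-config_check_connect -*-sh-*-
#####################################

# This access control list is used at the start of an incoming connection.
# Statements are evaluated top to bottom. Within a statement, conditions and
# modifiers are processed in the order written, so a modifier (control,
# delay) only takes effect if every condition above it has matched.
# CONFDIR and the TG_* delay values are presumably macros defined elsewhere
# in the configuration; they are not visible in this file.
acl_local_connect:

  # Accept connections received over a local interface, and from hosts
  # for which we relay mail. The empty item before the colon matches
  # submissions that have no remote host. Every host matched here skips all
  # of the checks below, so +relay_from_hosts should stay narrowly scoped.
  accept
    hosts = : +relay_from_hosts

  # Accept connections received over the submission port.
  # These clients bypass the rDNS, DNSBL and blacklist throttling below.
  # NOTE(review): this assumes a later ACL requires authentication before
  # mail is accepted on port 587 -- confirm, it is not enforced here.
  accept
    condition = ${if eq {$interface_port}{587}}

  # Verify reverse DNS lookup of the sender's host.
  # Disable pipelining and delay on failure.
  # The whitelist test sits above "control" so that a whitelisted host is
  # exempt from both penalties, matching the blacklist statement below.
  # The reverse lookup itself still runs first, which leaves the deferred
  # lookup check in the next statement unaffected.
  warn
    !verify = reverse_host_lookup
    !hosts = ${if exists{CONFDIR/local_host_whitelist}\
                 {CONFDIR/local_host_whitelist}{}}
    control = no_pipelining
    delay = TG_SHORT

  # Defer if the DNS lookup deferred. This may be a temporary DNS error,
  # otherwise it is an IP address or domain without DNS servers.
  # The delay is applied only when the condition above it is true.
  defer
    message = Connect rDNS host lookup deferred
    condition = ${if > {$host_lookup_deferred}{0}}
    delay = TG_STD

  # Delay if the connecting host is in one of the specified DNSBLs and is
  # not listed in the DNS whitelist.
  # NOTE(review): any answer from these zones counts as a match. List
  # operators may return special codes to blocked or over-quota resolvers,
  # which would then whitelist or throttle every client -- confirm the
  # resolver in use is one the lists answer normally.
  # NOTE(review): unlike the neighbouring statements, this one does not
  # exempt CONFDIR/local_host_whitelist -- confirm that is intended.
  warn
    !dnslists = list.dnswl.org
    dnslists = zen.spamhaus.org:bl.spamcop.net
    control = no_pipelining
    delay = TG_LONG

  # CONFDIR/local_host_blacklist holds a list of host names,
  # IP addresses, and networks (CIDR notation) that should have
  # their access restricted. Blacklisted servers are only delayed here,
  # not rejected. An entry in the whitelist takes precedence.
  warn
    !hosts = ${if exists{CONFDIR/local_host_whitelist}\
                 {CONFDIR/local_host_whitelist}{}}
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}{}}
    control = no_pipelining
    delay = TG_LONG

  # Accept the connection. Nothing in this ACL denies a connection; the
  # only non-accept outcome is the temporary deferral above.
  accept

# EOF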