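### acl/30_local-config_check_mail -*-sh-*- #####################################
#
# ACL run for every MAIL FROM command of an incoming SMTP message.  The
# statements are tried in order until the sender address is either accepted
# or denied; the unconditional accept at the end admits a sender that passed
# every earlier check.
#
# Names used here but defined elsewhere in the configuration:
#   CHECK_MAIL_HELO_ISSUED, STRICT_HELO_DOMAINS  - build-time feature switches
#   CONFDIR                                      - directory holding the
#                                                  optional exemption files
#   TG_SHORT / TG_STD / TG_LONG                  - tarpit delay values
#   +relay_from_hosts, +local_domains,
#   +relay_to_domains                            - named lists
#   acl_local_deny_exceptions                    - nested ACL

acl_local_mail_from:

.ifdef CHECK_MAIL_HELO_ISSUED
  # Reject MAIL if the client never issued HELO/EHLO.
  deny
    message   = no HELO given before MAIL command $sender_helo_name
    condition = ${if def:sender_helo_name {no}{yes}}
.endif

.ifndef STRICT_HELO_DOMAINS
  # Freeze the message if the HELO name fails verification and the domain
  # formed from its last two labels has no NS record.  Hosts listed in
  # local_broken_dns_whitelist (when that file exists) are exempt.
  warn
    message     = $sender_helo_name does not belong to a valid domain.\n\
                  Please contact your ISP or system administrator.
    log_message = HELO host has a bogus domain
    !verify     = helo
    !hosts      = ${if exists{CONFDIR/local_broken_dns_whitelist}\
                     {CONFDIR/local_broken_dns_whitelist} {}}
    # Only the last two labels are queried, so a HELO under a multi-label
    # registry suffix is judged by the suffix's NS records, not its own.
    !condition  = ${lookup dnsdb{defer_never,ns=\
                     ${extract{-2}{.}{$sender_helo_name}}.\
                     ${extract{-1}{.}{$sender_helo_name}}}{true}}
    control     = freeze
    delay       = TG_STD
.endif

# The STRICT_SENDER_DOMAINS guard below is commented out and has no matching
# .endif, so the sender checks that follow always apply.
#.ifdef STRICT_SENDER_DOMAINS

  # Accept mail from locally trusted hosts (the empty first item presumably
  # covers input that did not arrive over TCP/IP).
  accept
    hosts = : +relay_from_hosts

  # Accept if the message arrived over an authenticated connection.
  accept
    authenticated = *

  # Deny unauthenticated, untrusted clients that claim an envelope sender in
  # one of our own domains.  Hosts listed in local_mailinglists (when that
  # file exists) are exempt.  Note this checks only the envelope sender, not
  # the header From:.
  deny
    message        = $sender_address is not authorized to send email \
                     using the name $sender_helo_name.\n\
                     Please contact your ISP or system administrator.
    log_message    = Bogus use of local sender
    !hosts         = ${if exists{CONFDIR/local_mailinglists}\
                        {CONFDIR/local_mailinglists} {}}
    sender_domains = $primary_hostname : +local_domains : +relay_to_domains
    delay          = TG_LONG

  # Accept the null sender (bounces) without further sender checks.
  accept
    senders = :

  # Warn and tarpit if the sender address does not verify, unless the
  # acl_local_deny_exceptions ACL accepts it.
  # NOTE(review): this statement only delays and adds a warning; it does not
  # freeze (no "control = freeze"), unlike the HELO and SPF checks.  Add
  # "control = freeze" here if unverifiable senders should be held.
  warn
    message     = $sender_address is not a valid email address
    log_message = MAIL invalid sender
    !acl        = acl_local_deny_exceptions
    !verify     = sender
    delay       = TG_STD

  # Run spfquery on the envelope data and freeze the message on a hard fail.
  # The HELO name and sender address are client-supplied, so they go through
  # ${quote:}, which double-quotes them and escapes embedded quotes and
  # backslashes; ${run} splits its command line on whitespace honouring such
  # quoting, so a crafted value cannot turn into extra spfquery arguments.
  # Hosts listed in local_broken_spf_whitelist (when that file exists) are
  # exempt from the freeze.
  warn
    message     = SPF prohibits use of $sender_address from $sender_host_address
    log_message = MAIL forbidden by SPF
    set acl_m9 = --ip $sender_host_address \
                 --helo ${quote:$sender_helo_name} \
                 --mail-from ${quote:$sender_address}
    set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}}
    # $runrc is spfquery's exit status; 1 is treated as a hard fail here
    # (confirm against the spfquery documentation).
    condition   = ${if ={$runrc}{1}{true}}
    !hosts      = ${if exists{CONFDIR/local_broken_spf_whitelist}\
                     {CONFDIR/local_broken_spf_whitelist} {}}
    control     = freeze
    delay       = TG_LONG

  # Tarpit (but do not freeze) when spfquery exited with status 2, 3 or 4.
  # $runrc presumably still holds the result of the ${run} above; note this
  # statement is not exempted by local_broken_spf_whitelist.
  warn
    condition = ${if or{ {={$runrc}{2}} {={$runrc}{3}} {={$runrc}{4}} }{true}}
    delay     = TG_SHORT

  # Quietly add a long delay if the host is DNS blacklisted and not listed
  # on dnswl.
  warn
    !dnslists = list.dnswl.org
    dnslists  = zen.spamhaus.org:bl.spamcop.net
    delay     = TG_LONG

  # Done logging; everything that reached this point is accepted.
  accept

# EOF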