/usr/share/doc/mailutils-doc/mailutils.html/ACL-Statement.html is in mailutils-doc 1:2.99.99-1ubuntu2.

This file is owned by root:root, with mode 0o644.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Published by the Free Software Foundation,
51 Franklin Street, Fifth Floor
Boston, MA 02110-1301, USA

Copyright (C) 1999-2004, 2008-2012, 2014-2015 Free Software
Foundation, Inc.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover, and no Back-Cover texts.
A copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GNU Mailutils Manual: ACL Statement</title>

<meta name="description" content="GNU Mailutils Manual: ACL Statement">
<meta name="keywords" content="GNU Mailutils Manual: ACL Statement">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-Index.html#Function-Index" rel="index" title="Function Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="configuration.html#configuration" rel="up" title="configuration">
<link href="Tcp_002dwrappers-Statement.html#Tcp_002dwrappers-Statement" rel="next" title="Tcp-wrappers Statement">
<link href="Mailer-Statement.html#Mailer-Statement" rel="prev" title="Mailer Statement">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>


</head>

<body lang="en">
<a name="ACL-Statement"></a>
<div class="header">
<p>
Next: <a href="Tcp_002dwrappers-Statement.html#Tcp_002dwrappers-Statement" accesskey="n" rel="next">Tcp-wrappers Statement</a>, Previous: <a href="Mailer-Statement.html#Mailer-Statement" accesskey="p" rel="prev">Mailer Statement</a>, Up: <a href="configuration.html#configuration" accesskey="u" rel="up">configuration</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-Index.html#Function-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="ACL-Statement-1"></a>
<h4 class="subsection">2.2.8 ACL Statement</h4>
<a name="index-acl-1"></a>
<a name="Syntax-7"></a>
<h4 class="subheading">Syntax</h4>
<div class="example">
<pre class="example">acl {
  # <span class="roman">Allow connections from this IP address.</span>
  allow [from] <var>ip</var>;
  # <span class="roman">Deny connections from this IP address.</span>
  deny [from] <var>ip</var>;
  # <span class="roman">Log connections from this IP address.</span>
  log [from] <var>ip</var> [<var>string</var>];
  /* <span class="roman">Execute supplied program if a connection from this
     IP address is requested.</span> */
  exec [from] <var>ip</var> <var>program</var>;
  /* <span class="roman">Use <var>program</var> to decide whether to allow connection
     from <var>ip</var>.</span> */
  ifexec [from] <var>ip</var> <var>program</var>;
}
</pre></div>

<a name="Description-5"></a>
<h4 class="subheading">Description</h4>
<p>The ACL statement defines an <em>Access Control List</em>, a special
structure that controls who can access the given Mailutils resource.
</p>
<p>The <code>acl</code> block contains a list of access controls.  Each control
can be regarded as a function that returns a three-state value:
&lsquo;<samp>True</samp>&rsquo;, &lsquo;<samp>False</samp>&rsquo; or &lsquo;<samp>Don't know</samp>&rsquo;.  When a
remote party connects to the server, each of the controls is tried in
turn.  If a control returns &lsquo;<samp>False</samp>&rsquo;, access is denied.  If it
returns &lsquo;<samp>True</samp>&rsquo;, access is allowed.  If it returns &lsquo;<samp>Don't
know</samp>&rsquo;, then the next control is tried.  It is unclear whether to allow
access if the last control in the list returned &lsquo;<samp>Don't know</samp>&rsquo;.  GNU
Mailutils 2.99.99 issues a warning message and allows access.
This default may change in future versions.  Users are advised to
write their ACLs so that the last control returns a definitive answer
(either <code>True</code> or <code>False</code>).
</p>
<p>In the discussion below, wherever <var>ip</var> appears as an argument, it
can be replaced by any of: 
</p>
<ul>
<li> An IPv4 address in dotted-quad notation.
</li><li> An IPv6 address in numeric notation.
</li><li> A CIDR in the form &lsquo;<samp><var>ip</var>/<var>mask</var></samp>&rsquo;, where <var>ip</var> is
an IP address (either IPv4 or IPv6), and <var>mask</var> is the network mask.
</li><li> A symbolic host name.
</li><li> <a name="index-any"></a>
The word &lsquo;<samp>any</samp>&rsquo;, which matches any IP address.
</li></ul>

<p>The following controls are understood:
</p>
<dl>
<dt><a name="index-allow"></a>Configuration: <strong>allow</strong> <em>[from] <var>cidr</var></em></dt>
<dd><p>Allow connections from IP addresses matching this <var>cidr</var> block.
</p></dd></dl>

<dl>
<dt><a name="index-deny"></a>Configuration: <strong>deny</strong> <em>[from] <var>cidr</var></em></dt>
<dd><p>Deny connections from IP addresses matching this <var>cidr</var> block.
</p></dd></dl>

<dl>
<dt><a name="index-ifexec"></a>Configuration: <strong>ifexec</strong> <em>[from] <var>cidr</var> <var>program</var></em></dt>
<dd><p>When a connection from the <var>cidr</var> block is requested, execute
the program <var>program</var>.  If its exit code is &lsquo;<samp>0</samp>&rsquo;, then allow
connection.  Otherwise, deny it.
</p></dd></dl>

<p>The following two controls are provided for logging purposes and as a
means of extension.  They always return a &lsquo;<samp>Don't know</samp>&rsquo; answer,
and therefore should not be used at the end of an ACL:
</p>
<dl>
<dt><a name="index-log"></a>Configuration: <strong>log</strong> <em>[from] <var>cidr</var> [<var>string</var>]</em></dt>
<dd><p>Log connections from addresses in this <var>cidr</var>.  The
<code>MU_DIAG_INFO</code> channel is used.  If the logging goes to syslog,
it is translated to the <code>LOG_INFO</code> priority.
</p>
<p>If <var>string</var> is not given, the format of the log entry depends on
the connection family, as described in the table below:
</p>
<dl compact="compact">
<dt>{AF_INET <var>ip</var>:<var>port</var>}</dt>
<dd><p>For inet IPv4 connections.  The variables <var>ip</var> and <var>port</var> are
replaced by the remote IP address and port number, respectively.
</p>
</dd>
<dt>{AF_UNIX}</dt>
<dd><p>For connections over UNIX sockets.  The socket name, if available, may
be printed before the closing curly brace.
</p></dd>
</dl>

<p>If the <var>string</var> is specified, it undergoes macro expansion and the
result is used as the log entry.  The following macro variables
are expanded:
</p>
<dl compact="compact">
<dt><code>aclno</code></dt>
<dd><p>Ordinal number of the control in the ACL.  Numbers begin from
&lsquo;<samp>0</samp>&rsquo;.
</p>
</dd>
<dt><code>family</code></dt>
<dd><p>Connection family.  Mailutils version 2.99.99 supports two
families: &lsquo;<samp>AF_INET</samp>&rsquo; and &lsquo;<samp>AF_UNIX</samp>&rsquo;.
</p>
</dd>
<dt><code>address</code></dt>
<dd><p>Remote IP address (for &lsquo;<samp>AF_INET</samp>&rsquo;) or socket name (for
&lsquo;<samp>AF_UNIX</samp>&rsquo;).  Notice that most Unixes return an empty string instead
of the &lsquo;<samp>AF_UNIX</samp>&rsquo; socket name, so do not rely on it.
</p>
</dd>
<dt><code>port</code></dt>
<dd><p>Remote port number (for &lsquo;<samp>AF_INET</samp>&rsquo;).
</p></dd>
</dl>

<p>For example, the following ACL makes a Mailutils server log every
incoming connection:
</p>
<div class="example">
<pre class="example">  acl {
     log from any &quot;Connect from ${address}&quot;;
     ...
  }
</pre></div>

<p>This was the default behavior for the versions of Mailutils up to
&lsquo;<samp>1.2</samp>&rsquo;, so if you got used to its logs you might wish to add the
above to your configuration files.
</p></dd></dl>

<dl>
<dt><a name="index-exec"></a>Configuration: <strong>exec</strong> <em>[from] <var>cidr</var> <var>program</var></em></dt>
<dd><p>If a connection from the <var>cidr</var> block is requested, execute
the given <var>program</var>.  Do not wait for it to terminate, and ignore
its exit code.
</p></dd></dl>
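<p>The following sketch is an added example, not part of the Mailutils manual or code base: it models the three-state evaluation described above and flags ACLs that can end in &lsquo;<samp>Don't know</samp>&rsquo;.  The function names, the sample ACLs and the rule that a non-matching control returns &lsquo;<samp>Don't know</samp>&rsquo; are assumptions of the example.
</p>

```python
import ipaddress
import re

DEFINITIVE = {"allow", "deny", "ifexec"}  # log and exec always return "Don't know"
CONTROL_RE = re.compile(
    r"^\s*(allow|deny|log|exec|ifexec)\s+(?:from\s+)?([^\s;]+)\s*(.*?);\s*$")

# Constructed sample ACLs (documentation address ranges), not from the manual.
WEAK = """acl {
  deny from 203.0.113.0/24;
  allow from 192.0.2.0/24;
  log from any "Connect from ${address}";
}"""
FIXED = WEAK[:-1] + "  deny from any;\n}"

def parse_acl(text):
    """Return (action, ip_spec, argument) for each control line of an acl block."""
    return [m.groups() for m in map(CONTROL_RE.match, text.splitlines()) if m]

def matches(spec, addr):
    """Match 'any', an address or a CIDR; host names are not resolved offline."""
    if spec == "any":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def evaluate(controls, addr, ifexec_ok=False):
    """Return (allowed, index of deciding control); index None means fall-through."""
    for i, (action, spec, _) in enumerate(controls):
        # Assumption: a control whose ip does not match returns "Don't know".
        if action in DEFINITIVE and matches(spec, addr):
            return (ifexec_ok if action == "ifexec" else action == "allow"), i
    return True, None  # 2.99.99: a warning is issued and access is allowed

def lint(controls):
    """Describe why the ACL can end in "Don't know", or return None if it cannot."""
    if not controls:
        return "empty ACL"
    action, spec, _ = controls[-1]
    if action not in DEFINITIVE:
        return f"last control '{action}' always returns Don't know"
    if spec != "any":
        return f"last control matches only {spec}; other peers fall through"
    return None
```

<p>With <code>WEAK</code>, a peer outside both listed networks falls through every control and is allowed; appending <code>deny from any;</code> as in <code>FIXED</code> makes the last control definitive.
</p>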




</body>
</html>