/usr/share/doc/mailutils-doc/mailutils.html/ACL-Statement.html is in mailutils-doc 1:2.99.99-1ubuntu2.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Published by the Free Software Foundation,
51 Franklin Street, Fifth Floor
Boston, MA 02110-1301, USA
Copyright (C) 1999-2004, 2008-2012, 2014-2015 Free Software
Foundation, Inc.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover, and no Back-Cover texts.
A copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GNU Mailutils Manual: ACL Statement</title>
<meta name="description" content="GNU Mailutils Manual: ACL Statement">
<meta name="keywords" content="GNU Mailutils Manual: ACL Statement">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-Index.html#Function-Index" rel="index" title="Function Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="configuration.html#configuration" rel="up" title="configuration">
<link href="Tcp_002dwrappers-Statement.html#Tcp_002dwrappers-Statement" rel="next" title="Tcp-wrappers Statement">
<link href="Mailer-Statement.html#Mailer-Statement" rel="prev" title="Mailer Statement">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>
</head>
<body lang="en">
<a name="ACL-Statement"></a>
<div class="header">
<p>
Next: <a href="Tcp_002dwrappers-Statement.html#Tcp_002dwrappers-Statement" accesskey="n" rel="next">Tcp-wrappers Statement</a>, Previous: <a href="Mailer-Statement.html#Mailer-Statement" accesskey="p" rel="prev">Mailer Statement</a>, Up: <a href="configuration.html#configuration" accesskey="u" rel="up">configuration</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-Index.html#Function-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="ACL-Statement-1"></a>
<h4 class="subsection">2.2.8 ACL Statement</h4>
<a name="index-acl-1"></a>
<a name="Syntax-7"></a>
<h4 class="subheading">Syntax</h4>
<div class="example">
<pre class="example">acl {
# <span class="roman">Allow connections from this IP address.</span>
allow [from] <var>ip</var>;
# <span class="roman">Deny connections from this IP address.</span>
deny [from] <var>ip</var>;
# <span class="roman">Log connections from this IP address.</span>
log [from] <var>ip</var> [<var>string</var>];
/* <span class="roman">Execute supplied program if a connection from this
IP address is requested.</span> */
exec [from] <var>ip</var> <var>program</var>;
/* Use <var>program</var> to decide whether to allow connection
from <var>ip</var>. */
ifexec [from] <var>ip</var> <var>program</var>;
}
</pre></div>
<a name="Description-5"></a>
<h4 class="subheading">Description</h4>
<p>The ACL statement defines an <em>Access Control List</em>, a special
structure that controls who can access the given Mailutils resource.
</p>
<p>The <code>acl</code> block contains a list of access controls. Each control
can be regarded as a function that returns a three-state value:
‘<samp>True</samp>’, ‘<samp>False</samp>’ or ‘<samp>Don't know</samp>’. When a
remote party connects to the server, each control is tried in
turn. If a control returns ‘<samp>False</samp>’, access is denied. If it
returns ‘<samp>True</samp>’, access is allowed. If it returns ‘<samp>Don't
know</samp>’, then the next control is tried. It is unclear whether to allow
access if the last control in the list returned ‘<samp>Don't know</samp>’. GNU
Mailutils 2.99.99 issues a warning message and allows access.
This default may change in future versions. Users are advised to
write their ACLs so that the last control returns a definitive answer
(either <code>True</code> or <code>False</code>).
</p>
<p>In the discussion below, wherever <var>ip</var> appears as an argument, it
can be replaced by any of:
</p>
<ul>
<li> An IPv4 address in dotted-quad notation.
</li><li> An IPv6 address in numeric notation.
</li><li> A CIDR in the form ‘<samp><var>ip</var>/<var>mask</var></samp>’, where <var>ip</var> is
an IP address (either IPv4 or IPv6), and <var>mask</var> is the network mask.
</li><li> A symbolic host name.
</li><li> <a name="index-any"></a>
The word ‘<samp>any</samp>’, which matches any IP address.
</li></ul>
<p>The following controls are understood:
</p>
<dl>
<dt><a name="index-allow"></a>Configuration: <strong>allow</strong> <em>[from] <var>cidr</var></em></dt>
<dd><p>Allow connections from IP addresses matching this <var>cidr</var> block.
</p></dd></dl>
<dl>
<dt><a name="index-deny"></a>Configuration: <strong>deny</strong> <em>[from] <var>cidr</var></em></dt>
<dd><p>Deny connections from IP addresses matching this <var>cidr</var> block.
</p></dd></dl>
<dl>
<dt><a name="index-ifexec"></a>Configuration: <strong>ifexec</strong> <em>[from] <var>cidr</var> <var>program</var></em></dt>
<dd><p>When a connection from the <var>cidr</var> block is requested, execute
the program <var>program</var>. If its exit code is ‘<samp>0</samp>’, then allow
connection. Otherwise, deny it.
</p></dd></dl>
<p>The following two controls are provided for logging purposes and as a
means of extension. They always return a ‘<samp>Don't know</samp>’ answer,
and therefore should not be used at the end of an ACL:
</p>
<dl>
<dt><a name="index-log"></a>Configuration: <strong>log</strong> <em>[from] <var>cidr</var> [<var>string</var>]</em></dt>
<dd><p>Log connections from addresses in this <var>cidr</var>. The
<code>MU_DIAG_INFO</code> channel is used. If the logging goes to syslog,
it is translated to the <code>LOG_INFO</code> priority.
</p>
<p>If <var>string</var> is not given, the format of the log entry depends on
the connection family, as described in the table below:
</p>
<dl compact="compact">
<dt>{AF_INET <var>ip</var>:<var>port</var>}</dt>
<dd><p>For inet IPv4 connections. The variables <var>ip</var> and <var>port</var> are
replaced by the remote IP address and port number, respectively.
</p>
</dd>
<dt>{AF_UNIX}</dt>
<dd><p>For connections over UNIX sockets. The socket name, if available, may
be printed before the closing curly brace.
</p></dd>
</dl>
<p>If the <var>string</var> is specified, it undergoes macro expansion and the
result of it is used as the log entry. The following macro variables
are expanded:
</p>
<dl compact="compact">
<dt><code>aclno</code></dt>
<dd><p>Ordinal number of the control in the ACL. Numbers begin from
‘<samp>0</samp>’.
</p>
</dd>
<dt><code>family</code></dt>
<dd><p>Connection family. Mailutils version 2.99.99 supports two
families: ‘<samp>AF_INET</samp>’ and ‘<samp>AF_UNIX</samp>’.
</p>
</dd>
<dt><code>address</code></dt>
<dd><p>Remote IP address (for ‘<samp>AF_INET</samp>’) or socket name (for
‘<samp>AF_UNIX</samp>’). Note that most Unixes return an empty string instead
of the ‘<samp>AF_UNIX</samp>’ socket name, so do not rely on it.
</p>
</dd>
<dt><code>port</code></dt>
<dd><p>Remote port number (for ‘<samp>AF_INET</samp>’).
</p></dd>
</dl>
<p>For example, the following ACL makes a Mailutils server log every
incoming connection:
</p>
<div class="example">
<pre class="example"> acl {
log from any "Connect from ${address}";
...
}
</pre></div>
<p>This was the default behavior for the versions of Mailutils up to
‘<samp>1.2</samp>’, so if you got used to its logs you might wish to add the
above to your configuration files.
</p></dd></dl>
<dl>
<dt><a name="index-exec"></a>Configuration: <strong>exec</strong> <em>[from] <var>cidr</var> <var>program</var></em></dt>
<dd><p>If a connection from the <var>cidr</var> block is requested, execute
the given <var>program</var>. Do not wait for it to terminate, and ignore
its exit code.
</p></dd></dl>
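<p>The evaluation order described above can be modelled in a few lines. The following Python sketch is an added example, not Mailutils code: it covers <code>allow</code>, <code>deny</code> and <code>log</code> over <code>AF_INET</code> only, assumes that a control whose address does not match answers ‘<samp>Don't know</samp>’, and uses constructed sample ACLs to show how a list without a definitive last control falls through to the 2.99.99 default of allowing access.
</p>

```python
import ipaddress
from string import Template

def matches(spec, addr):
    """True if addr falls under spec: 'any', a numeric IP, or ip/mask CIDR."""
    if spec == "any":
        return True
    # Symbolic host names are not modelled here. strict=False tolerates host bits.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl, addr, port=0):
    """Model the documented evaluation order.

    acl is a list of (verb, spec, string) tuples. Returns
    (allowed, log_lines, fell_through).
    """
    log_lines = []
    for aclno, (verb, spec, string) in enumerate(acl):
        if not matches(spec, addr):
            continue  # assumption: a non-matching control answers "Don't know"
        if verb == "allow":
            return True, log_lines, False
        if verb == "deny":
            return False, log_lines, False
        if verb == "log":
            if string is None:
                log_lines.append("{AF_INET %s:%d}" % (addr, port))
            else:
                log_lines.append(Template(string).safe_substitute(
                    aclno=aclno, family="AF_INET", address=addr, port=port))
        # log always answers "Don't know", so the next control is tried
    # Every control answered "Don't know": 2.99.99 warns and allows access.
    return True, log_lines, True

# Constructed sample ACLs (documentation address ranges, not from the manual).
OPEN_ENDED = [
    ("log", "any", "Connect from ${address}"),
    ("deny", "192.0.2.0/24", None),
    ("allow", "10.0.0.0/8", None),
]
# Same list closed with a definitive last control, as the manual advises.
CLOSED = OPEN_ENDED + [("deny", "any", None)]

if __name__ == "__main__":
    for name, acl in (("open-ended", OPEN_ENDED), ("closed", CLOSED)):
        print(name, evaluate(acl, "203.0.113.7", 40000))
```

<p>An address that matches neither the <code>deny</code> nor the <code>allow</code> range is admitted by the open-ended list and refused by the closed one; the third element of the result marks the fall-through case that makes the server issue its warning.
</p>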
</body>
</html>