policies [2013-12-06 10:18] (current), rspencer: Fix formatting
Previous revision: policies [2012-07-16 14:16], randerson: [Specifications]
====== Policies ======

This internal module is responsible for processing policy specifications.

Policy specifications can be given for both Source and Destination. IP address specifications are, however, not valid in the Destination specification. Specifications are formatted as shown below and can be comma-separated to generate the equivalent of an AND (every comma-separated item has to match). All specifications, with the exception of the ANY match, support negation by prefixing the specification with !.

===== Priorities =====

Priorities are processed in an ascending fashion. This means that 0 will be processed before 1, 10 before 20, etc.

===== Specifications =====

Match **anything**

<code>
NULL
any
</code>

Match all email @**domain**

<code>
@domain
</code>

Match all email user@domain

<code>
user@domain
</code>

Match the null sender <>

<code>
@
</code>

  * present in r412+ and v2.1.x

Match a single sending server IP address

<code>
a.b.c.d
</code>

Match a CIDR formatted range of sending server IP addresses

<code>
a.b.c.d/e
</code>

  * Additional options for r493+ and v2.1.x
  * Refer to IP address specification

Match a single **peer** server IP address. This **does not** match the IP address of the server where the email came from; it matches the IP address of the server which requested the policy.

<code>
[a.b.c.d]
</code>

  * present in r413+ and v2.1.x

Match a CIDR formatted range of peer server IP addresses. This **does not** match the IP address of the server where the email came from; it matches the IP address of the server which requested the policy.

<code>
[a.b.c.d/e]
</code>

  * present in r413+ and v2.1.x
  * Additional options for r493+ and v2.1.x
  * Refer to IP Address Specification.

Match an IPv6 range of sending server IP addresses. The bitmask is optional. It defaults to 128 if the IPv6 address contains all groups or if the right-most group is specified. If there is no group on the right-hand side of a ::, the bitmask is automatically calculated from how many bits are left out (each written group accounts for 16 bits, so 2001:db8:: is treated as 2001:db8::/32). Refer to IP Address Specification for additional formats.

<code>
a:b:c:d:e:f:g:h[/e]
</code>

  * present in r493+ and v2.1.x

Match an IPv6 range of peer server IP addresses. This **does not** match the IP address of the server where the email came from; it matches the IP address of the server which requested the policy. The bitmask defaults to 128 if the IPv6 address contains all groups or if the right-most group is specified. If there is no group on the right-hand side of a ::, the bitmask is automatically calculated from how many bits are left out. Refer to IP Address Specification for additional formats.

<code>
[a:b:c:d:e:f:g:h[/e]]
</code>

  * present in r493+ and v2.1.x

Match a group which, in turn, can consist of a list of any of the above specification types, including groups. Policyd cycles through the group members recursively and looks for an item to match. This makes groups ideal for cases where you could have any number of negative results before matching, or a large pool of matching members, depending on your setup. Effectively, this is a way to accomplish a type of OR "select".

<code>
%group
</code>

Match a SASL username. You can also use $* to match any SASL username and $- to match no SASL username.

<code>
$sasl_username
</code>

Match the reverse DNS of the IP address the client is connecting from.

<code>
whatever.example.com
</code>

  * You can use * as a wildcard match against anything except the ., for example hello.*.example.com
  * Specifying example.com will only match example.com
  * Specifying .example.com will match anything.example.com and fu.bar.example.com
  * As a technical note, * is expanded into [a-z0-9\-_\.] and if . doesn't prefix the specification it gets ^. All reverse DNS specifications are matched with end of line $. The $ anchor is what stops example.com from also matching example.com.attacker.test. Note that the character class as written includes the dot, which would let * span more than one label, contrary to the first bullet; test the behaviour of the build you run before relying on a wildcard staying within one label.

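The following Python is an added example, not code from the Policyd project: it builds the regular expression the technical note above describes (escape the specification, expand *, add ^ unless the specification starts with a dot, always add $) and checks the bullet cases. It follows the first bullet and lets * match a single label only, which is an assumption given the note's character class; the function names are this example's own.

```python
import re

# One DNS label: letters, digits, "-" and "_" but no ".", following the rule that
# "*" matches anything except the dot. The page's technical note lists "." in the
# class as well; treating the dot as excluded is an assumption made here.
LABEL = r"[a-z0-9\-_]+"


def reverse_dns_regex(spec: str) -> str:
    """Expand a reverse DNS specification the way the technical note describes."""
    # Escape the specification so "." is a literal dot, then turn "*" into a label.
    pattern = re.escape(spec.lower()).replace(r"\*", LABEL)
    # A leading "." means "any host under this domain", so no start anchor; every
    # other specification has to match from the start of the name.
    if not spec.startswith("."):
        pattern = "^" + pattern
    # Every specification is anchored at the end, so "example.com" cannot match
    # "example.com.attacker.test".
    return pattern + "$"


def reverse_dns_match(spec: str, rdns: str) -> bool:
    """True if the client's reverse DNS name matches the specification."""
    # Resolvers often return a trailing dot; names are case-insensitive.
    return re.search(reverse_dns_regex(spec), rdns.rstrip(".").lower()) is not None


if __name__ == "__main__":
    # Constructed reverse DNS names, not real hosts.
    for spec, name in (("example.com", "example.com"),
                       ("example.com", "mail.example.com"),
                       (".example.com", "fu.bar.example.com"),
                       ("hello.*.example.com", "hello.world.example.com"),
                       ("hello.*.example.com", "hello.a.b.example.com"),
                       ("example.com", "example.com.attacker.test")):
        print(f"{spec:22} {name:28} {reverse_dns_match(spec, name)}")
```

The last constructed case is the one that matters for access control: without the $ anchor, a specification of example.com would also accept a client whose reverse DNS is example.com.attacker.test.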
===== Examples =====

The preconfigured default policies are defined as follows:

<code>
Default System Policy
Priority: 0
Source: ANY
Destination: ANY
</code>

<code>
Default Outbound Policy
Priority: 10
Source: %internal_ips,%internal_domains
Destination: !%internal_domains
</code>

<code>
Default Inbound Policy
Priority: 10
Source: !%internal_ips,!%internal_domains
Destination: %internal_domains
</code>

<code>
Default Internal Policy
Priority: 20
Source: %internal_ips,%internal_domains
Destination: %internal_domains
</code>

Since the comma is an AND, the Outbound policy only applies when the connecting IP is in %internal_ips **and** the sender address is in %internal_domains. Mail from an outside IP that forges an internal sender address therefore matches neither Outbound, Inbound nor Internal and falls through to the Default System Policy alone.

These groups are defined in the following manner:

<code>
internal_ips
10.0.0.0/8
</code>

<code>
internal_domains
example.org
example.com
example.net
</code>

Note that under the Specifications above a bare example.org is a reverse DNS specification, and IP address specifications are not valid in a Destination; members that are meant to match sender and recipient addresses belong in the @domain form (@example.org).
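As an added example that is not part of the Policyd code base, the following Python implements the specification rules from the Specifications section (ANY, ! negation, %group recursion, $ SASL matches, @domain and user@domain, the null sender, sending-server and [peer] IPv4/IPv6 specifications with the IPv6 default-prefix rule) plus the comma-AND and ascending-priority rules, and runs the default policies above against constructed transactions. The Message and Policy classes, the function names and the group members with a leading @ are this example's own choices; reverse DNS specifications are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed shapes for one SMTP transaction and one policy row (names are this
# example's own, not Policyd's data model).
@dataclass
class Message:
    client_ip: str              # sending server, where the mail came from
    peer_ip: str                # server that asked for the policy ([...] specs)
    sasl_username: Optional[str]
    sender: str                 # envelope sender, "" for the null sender <>
    recipient: str

@dataclass
class Policy:
    name: str
    priority: int
    source: str
    destination: str

def ip_network(spec):
    """a.b.c.d, a.b.c.d/e and IPv6 with the default-prefix rule from the page."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    if ":" in spec:
        left, sep, right = spec.partition("::")
        if sep and right == "":
            # "2001:db8::": each written group fixes 16 bits, the rest are left out
            groups = [g for g in left.split(":") if g]
            return ipaddress.ip_network(f"{spec}/{16 * len(groups)}", strict=False)
        return ipaddress.ip_network(f"{spec}/128")  # all groups, or right-most given
    return ipaddress.ip_network(f"{spec}/32")

def match_item(item, msg, groups, side):
    """Evaluate one specification; side is "source" or "destination"."""
    if item == "" or item.lower() == "any":            # NULL / any
        return True
    if item.startswith("!"):                           # negation, not allowed on ANY
        if item[1:].lower() in ("", "any"):
            raise ValueError("ANY does not support negation")
        return not match_item(item[1:], msg, groups, side)
    if item.startswith("%"):                           # group: OR over members, recursive
        return any(match_item(m, msg, groups, side) for m in groups[item[1:]])
    if item.startswith("$"):                           # SASL username, $* any, $- none
        if item == "$*":
            return msg.sasl_username is not None
        if item == "$-":
            return msg.sasl_username is None
        return msg.sasl_username == item[1:]
    addr = (msg.sender if side == "source" else msg.recipient).lower()
    if item == "@":                                    # the null sender <>
        return addr == ""
    if item.startswith("@"):                           # every address at one domain
        return addr.endswith(item.lower())
    if "@" in item:                                    # one address
        return addr == item.lower()
    # Everything left is an IP address specification, which only Source may carry.
    if side != "source":
        raise ValueError(f"IP address specification {item!r} is not valid in Destination")
    peer = item.startswith("[") and item.endswith("]")
    try:
        net = ip_network(item[1:-1] if peer else item)
    except ValueError:
        # Reverse DNS specifications (bare host names) are not handled here.
        raise ValueError(f"unsupported specification {item!r}") from None
    return ipaddress.ip_address(msg.peer_ip if peer else msg.client_ip) in net

def match_spec(spec, msg, groups, side):
    """Comma-separated items are ANDed: every item has to match."""
    return all(match_item(i.strip(), msg, groups, side) for i in spec.split(","))

def matching_policies(policies, msg, groups):
    """Names of every policy the message matches, in ascending priority order."""
    return [p.name for p in sorted(policies, key=lambda p: p.priority)
            if match_spec(p.source, msg, groups, "source")
            and match_spec(p.destination, msg, groups, "destination")]

# The page's default groups and policies as data. Domain members carry "@" so
# they match addresses; a bare "example.org" would be a reverse DNS specification.
GROUPS = {
    "internal_ips": ["10.0.0.0/8"],
    "internal_domains": ["@example.org", "@example.com", "@example.net"],
}
DEFAULT_POLICIES = [
    Policy("Default System Policy", 0, "ANY", "ANY"),
    Policy("Default Outbound Policy", 10, "%internal_ips,%internal_domains", "!%internal_domains"),
    Policy("Default Inbound Policy", 10, "!%internal_ips,!%internal_domains", "%internal_domains"),
    Policy("Default Internal Policy", 20, "%internal_ips,%internal_domains", "%internal_domains"),
]

if __name__ == "__main__":
    # Constructed transactions; the last one is an outside host forging an internal sender.
    for m in (Message("10.1.2.3", "10.0.0.25", "alice", "alice@example.com", "bob@external.test"),
              Message("203.0.113.5", "10.0.0.25", None, "x@external.test", "bob@example.com"),
              Message("203.0.113.5", "10.0.0.25", None, "alice@example.com", "bob@example.org")):
        print(m.client_ip, m.sender, "->", m.recipient, matching_policies(DEFAULT_POLICIES, m, GROUPS))
```

matching_policies returns every policy that matches rather than only the first one, because the page only states that priorities are processed in ascending order, not that the first match ends processing; an IP specification on the Destination side or a negated ANY is rejected with a ValueError instead of silently matching nothing.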