# Exim 4 CSA check. Written 2004 David Woodhouse
#
# This is placed in the public domain. You may copy, modify, distribute
# and use it in any way you see fit.
#
# Use standalone with 'acl_smtp_helo = check_csv' or invoke from an
# existing HELO ACL with 'require acl = check_csv'.
#
# How it works: the HELO name is used to fetch the SRV records at
# _client._smtp.<helo>. Each record comes back as "priority weight port
# target"; this ACL recognises priority 1, weight 0-3, port 0 and sorts the
# targets into authorised hosts (weight 2), authorised-but-not-for-auth hosts
# (weight 3) and explicitly denied hosts (weight 0 or 1). The connecting
# address is then checked against those host lists.
#
# Trust boundary: $sender_helo_name is supplied by the remote client and is
# used only as a DNS lookup key; the SRV data it yields is substituted into
# host lists (and resolved again by the hosts conditions below), not
# re-expanded.
#
# Side effect: overwrites acl_m1..acl_m4; make sure nothing else in the
# HELO phase relies on them.
#
# NOTE(review): later Exim releases ship a built-in 'verify = csa' ACL
# condition for the same check; prefer it where available.

check_csv:
  # Don't force everyone to include localhost in their CSV record,
  # just so that connections to the local MTA work properly.
  # NOTE(review): "localhost" is a host-name item, matched by name lookup;
  # it presumably does not cover connections arriving on the host's other
  # interface addresses (@[] would, if that is wanted) - confirm.
  accept hosts = localhost

  # Find CSV record.
  # dnsdb's "srv" type returns one "priority weight port target" line per
  # record, newline separated; the rest of the ACL relies on an absent record
  # giving an empty string.
  # NOTE(review): the key is built from the untrusted HELO name. A dnsdb key
  # is by default a colon-separated list, so an address-literal HELO such as
  # [IPv6:...] is presumably split into several odd lookups here; the likely
  # net effect is an empty result (accepted below), but confirm with a test.
  # NOTE(review): if the lookup fails with a temporary DNS error the
  # expansion fails and this ACL is expected to defer, i.e. the HELO is
  # tempfailed (fail closed). Confirm that is the wanted behaviour.
  require set acl_m1 = ${lookup dnsdb{srv=_client._smtp.$sender_helo_name}}

  # If there's none, accept the HELO name.
  accept condition = ${if eq {$acl_m1}{} {1}}

  # Check the CSV record. Each SRV record should match {^1 [0123] 0} or we
  # treat it as no record at all.
  # The subject is "\n" followed by the records, so every line starts with a
  # newline and the regexp requires every line to be "1 <0-3> 0 <target>".
  # This is fail-open: a record shape we don't recognise (other priority,
  # weight or port) leads to accept, not reject.
  accept condition = ${if !match{\n$acl_m1} {^(\n1 [0123] 0 [^\n]*)*\$} {1}}

  # Extract good hosts (1 2 0 )
  # Each record line is rewritten to ":target" when priority, weight and port
  # concatenate to "120", and to nothing otherwise, so acl_m2 becomes a
  # colon-separated host list with a leading colon. \N...\N keeps the inner
  # ${if} from being expanded before sg has substituted $1..$4 for the match.
  require set acl_m2 = ${sg {\n$acl_m1} \
                         {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                         {\N${if eq{$1$2$3}{120} {:$4}}\N} \
                       }

  # Extract hosts which are authorised, but not to be used for authentication
  # (1 3 0 )
  # Same rewrite as above, keeping only "1 3 0" targets.
  require set acl_m3 = ${sg {\n$acl_m1} \
                         {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                         {\N${if eq{$1$2$3}{130} {:$4}}\N} \
                       }

  # Extract explicitly denied hosts (1 [01] 0 )
  # Here the inner match runs on "<prio><weight><port>.<target>", so the $1 in
  # the replacement is that regexp's own capture: the target of a "1 0 0" or
  # "1 1 0" record.
  require set acl_m4 = ${sg {\n$acl_m1} \
                         {\n([0-9]+) ([0-9]+) ([0-9]+) ([^\n]*)} \
                         {\N${if match{$1$2$3.$4}{1[01]0\.(.*)} {:$1}}\N} \
                       }

  # Note there's a leading colon on these, but we wouldn't have accepted an empty HELO anyway.
  # Host-name items in these lists are resolved by the hosts condition and
  # compared with $sender_host_address. Explicit denials are checked before
  # the positive lists, so a target that appears in both is denied.
  deny hosts = $acl_m4
       message = CSV record for $sender_helo_name explicitly forbids $sender_host_address

  # Anything not in the authorised lists (weight 2 or 3) is rejected.
  # NOTE(review): if a target name in these lists does not resolve, the
  # outcome depends on Exim's host-list lookup-failure handling
  # (+include_unknown / +ignore_unknown); confirm that a broken target cannot
  # turn this into a blanket accept or a defer.
  deny message = CSV record for $sender_helo_name does not include $sender_host_address
       !hosts = $acl_m2$acl_m3

  # The connecting host is listed as authorised.
  accept