# ===========================================================================
# docker-mailserver broker allowlist
# ===========================================================================
# One extended-regex (ERE) rule per line. A client request is permitted only
# if it matches a rule WHOLE-LINE (anchored ^…$). Blank lines and lines
# starting with # are ignored. This file is re-read on every request, so
# edits take effect without restarting the bastion.
#
# COMMAND_PREFIX in the compose file prepends "docker exec -i mailserver
# setup", so the rules below describe only the `setup` sub-commands — clients
# send e.g. email add jane@example.com and never see docker.
#
# Matched commands are word-split and run WITHOUT a shell, so ; | & $() are
# literal arguments, not operators. Values that must arrive intact cannot
# contain spaces — generate passwords from a space-free alphabet (hex /
# base64url) on the caller side.
#
# Argument classes use [^[:space:]] ("any non-space run") rather than .* so a
# rule can never match trailing junk. Tighten further to taste.
# ===========================================================================

# ---- email accounts -------------------------------------------------------
# add / update require an address and a password argument (no interactive
# prompt is possible over a non-TTY transport, so the password is mandatory).
email add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
email update [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
email del [^[:space:]]+@[^[:space:]]+
email list
email restrict (add|del|list) (send|receive)( [^[:space:]]+@[^[:space:]]+)?

# ---- aliases --------------------------------------------------------------
alias add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
alias del [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
alias list

# ---- quotas ---------------------------------------------------------------
# QUOTA is a size like 1G / 512M / 0 (0 = unlimited).
quota set [^[:space:]]+@[^[:space:]]+ [0-9]+[KMGT]?
quota del [^[:space:]]+@[^[:space:]]+
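The matching and word-splitting semantics described in the header, as an added POSIX sh example. This is not the bastion's own code (the page does not show it): the `allowed` and `argv_of` functions, the temporary `ALLOWLIST` file and the three rules written into it are constructed here so the script runs offline. It shows the two properties the comments promise (whole-line ERE matching via `grep -Ex`, and word-splitting that leaves `;` `|` `&` `$()` as literal arguments) plus two edge cases a checker has to handle: a request containing a newline, and a `*` in an argument being globbed by the shell that does the splitting.

```shell
#!/bin/sh
# Added example: a minimal checker implementing the allowlist semantics from
# the file header. Not the project's implementation; everything below is
# constructed for this demonstration.

# Constructed copy of a few rules, written to a temp file so the script is
# self-contained. In practice ALLOWLIST would point at the bastion's file.
ALLOWLIST=$(mktemp)
trap 'rm -f "$ALLOWLIST"' EXIT
cat > "$ALLOWLIST" <<'EOF'
# comment lines and blank lines are ignored

email add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
email list
quota set [^[:space:]]+@[^[:space:]]+ [0-9]+[KMGT]?
EOF

NL='
'

# allowed REQUEST: return 0 if some rule matches the whole request, 1 otherwise.
allowed() {
    req=$1
    # A request is exactly one line. Anything containing a newline is refused
    # up front: grep -x matches per line, so it would otherwise accept a
    # request whose first line is allowed and whose second line is not.
    case $req in
        *"$NL"*) return 1 ;;
    esac
    # Drop comments and blank lines, then try each rule in turn.
    # -E selects ERE, -x anchors to the whole line (^...$), -q is quiet,
    # -e lets a rule that starts with '-' be passed safely.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$ALLOWLIST" |
    {
        while IFS= read -r rule; do
            printf '%s\n' "$req" | grep -Eqx -e "$rule" && exit 0
        done
        exit 1    # no rule matched the whole request
    }
}

# argv_of REQUEST: word-split the request on whitespace the way the bastion
# does before exec'ing COMMAND_PREFIX + args, printing one argument per line.
# Globbing is disabled around the split (set -f) so a literal '*' in a
# password is not expanded against the bastion's filesystem; shell operators
# inside an argument stay ordinary characters because no shell parses them.
argv_of() {
    set -f
    set -- $1
    set +f
    printf '%s\n' "$@"
}

# Small demo when run directly.
for r in "email list" "email add jane@example.com 5f3a9c" "email list extra"; do
    if allowed "$r"; then echo "ALLOW: $r"; else echo "DENY:  $r"; fi
done
```

Because `grep -x` is the only anchoring, a rule never has to carry its own `^`/`$`; and because `argv_of` hands the words straight to `exec` rather than to `sh -c`, a password such as `p;w` reaches `setup` as the single argument `p;w`.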