# Begin: Custom commands for incoming e-mails BEFORE decryption
log(1,'Begin: Custom commands for incoming e-mails BEFORE decryption');

# Begin: Tag all internally routed e-mails as SIGNED
log(1,'Begin: Tag all internally routed e-mails as SIGNED');

if (from_managed_domain()) {
	log(1,'E-mail is from managed domain...');
	if (!compareattr('connect_from', 'equal', '127.0.0.1')) {
		log(1,'...not form localhost...');
		if (check_sender(false, false, true)) {
			log(1,'...but is not allowed to relay, dropping');
			drop('554' '5.7.1 Relay access denied');
		} else {
			log(1,'...and is allowed to relay, tag as SIGNED');
			@TAGSIGNED@
		}
	} else {
		log(1,'...but generated on localhost, going on in standard ruleset');
	}
}

log(1,'End: Tag all internally routed e-mails as SIGNED');
# End: Tag all internally routed e-mails as SIGNED

log(1,'End: Custom commands for incoming e-mails BEFORE decryption');
# End: Custom commands for incoming e-mails BEFORE decryption