projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make -R and -S do something sensible when combined with -q<time>.
[exim.git] / src / src / acl.c
CommitLineData
6ea85e9a 1/* $Cambridge: exim/src/src/acl.c,v 1.66 2006/09/25 10:14:20 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
d7d7b7b9 7/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 35follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
36down. */
059ec3d9 37
71fafd95
PH		 38enum { ACLC_ACL,
39 ACLC_ADD_HEADER,
40 ACLC_AUTHENTICATED,
8523533c
TK		 41#ifdef EXPERIMENTAL_BRIGHTMAIL
42 ACLC_BMI_OPTIN,
43#endif
71fafd95
PH		 44 ACLC_CONDITION,
45 ACLC_CONTROL,
8523533c
TK		 46#ifdef WITH_CONTENT_SCAN
47 ACLC_DECODE,
48#endif
49 ACLC_DELAY,
50#ifdef WITH_OLD_DEMIME
51 ACLC_DEMIME,
fb2274d4
TK		 52#endif
53#ifdef EXPERIMENTAL_DOMAINKEYS
54 ACLC_DK_DOMAIN_SOURCE,
55 ACLC_DK_POLICY,
56 ACLC_DK_SENDER_DOMAINS,
57 ACLC_DK_SENDER_LOCAL_PARTS,
58 ACLC_DK_SENDERS,
59 ACLC_DK_STATUS,
8e669ac1 60#endif
71fafd95
PH		 61 ACLC_DNSLISTS,
62 ACLC_DOMAINS,
63 ACLC_ENCRYPTED,
64 ACLC_ENDPASS,
65 ACLC_HOSTS,
66 ACLC_LOCAL_PARTS,
67 ACLC_LOG_MESSAGE,
6ea85e9a 68 ACLC_LOG_REJECT_TARGET,
71fafd95 69 ACLC_LOGWRITE,
8523533c
TK		 70#ifdef WITH_CONTENT_SCAN
71 ACLC_MALWARE,
72#endif
73 ACLC_MESSAGE,
74#ifdef WITH_CONTENT_SCAN
75 ACLC_MIME_REGEX,
76#endif
870f6ba8 77 ACLC_RATELIMIT,
8523533c
TK		 78 ACLC_RECIPIENTS,
79#ifdef WITH_CONTENT_SCAN
80 ACLC_REGEX,
81#endif
71fafd95
PH		 82 ACLC_SENDER_DOMAINS,
83 ACLC_SENDERS,
84 ACLC_SET,
8523533c 85#ifdef WITH_CONTENT_SCAN
8e669ac1 86 ACLC_SPAM,
8523533c
TK		 87#endif
88#ifdef EXPERIMENTAL_SPF
89 ACLC_SPF,
90#endif
91 ACLC_VERIFY };
059ec3d9
PH		 92
93/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
6ea85e9a
PH		 94"log_message", "log_reject_target", "logwrite", and "set" are modifiers that
95look like conditions but always return TRUE. They are used for their side
96effects. */
059ec3d9 97
9a26b6b2
PH		 98static uschar *conditions[] = {
99 US"acl",
71fafd95 100 US"add_header",
9a26b6b2 101 US"authenticated",
8523533c
TK		 102#ifdef EXPERIMENTAL_BRIGHTMAIL
103 US"bmi_optin",
104#endif
105 US"condition",
8e669ac1 106 US"control",
8523533c
TK		 107#ifdef WITH_CONTENT_SCAN
108 US"decode",
109#endif
110 US"delay",
111#ifdef WITH_OLD_DEMIME
112 US"demime",
fb2274d4
TK		 113#endif
114#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 115 US"dk_domain_source",
116 US"dk_policy",
117 US"dk_sender_domains",
118 US"dk_sender_local_parts",
119 US"dk_senders",
120 US"dk_status",
8523533c 121#endif
6ea85e9a
PH		 122 US"dnslists",
123 US"domains",
124 US"encrypted",
125 US"endpass",
126 US"hosts",
127 US"local_parts",
128 US"log_message",
129 US"log_reject_target",
130 US"logwrite",
8523533c
TK		 131#ifdef WITH_CONTENT_SCAN
132 US"malware",
133#endif
134 US"message",
135#ifdef WITH_CONTENT_SCAN
136 US"mime_regex",
137#endif
870f6ba8 138 US"ratelimit",
8523533c
TK		 139 US"recipients",
140#ifdef WITH_CONTENT_SCAN
141 US"regex",
142#endif
143 US"sender_domains", US"senders", US"set",
144#ifdef WITH_CONTENT_SCAN
145 US"spam",
146#endif
147#ifdef EXPERIMENTAL_SPF
148 US"spf",
149#endif
059ec3d9 150 US"verify" };
8e669ac1 151
c5fcb476 152
9a26b6b2
PH		 153/* Return values from decode_control(); keep in step with the table of names
154that follows! */
155
156enum {
c46782ef
PH		 157 CONTROL_AUTH_UNADVERTISED,
158 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 159 CONTROL_BMI_RUN,
c46782ef
PH		 160 #endif
161 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 162 CONTROL_DK_VERIFY,
c46782ef
PH		 163 #endif
164 CONTROL_ERROR,
165 CONTROL_CASEFUL_LOCAL_PART,
166 CONTROL_CASELOWER_LOCAL_PART,
167 CONTROL_ENFORCE_SYNC,
168 CONTROL_NO_ENFORCE_SYNC,
169 CONTROL_FREEZE,
170 CONTROL_QUEUE_ONLY,
171 CONTROL_SUBMISSION,
172 CONTROL_SUPPRESS_LOCAL_FIXUPS,
173 #ifdef WITH_CONTENT_SCAN
9a26b6b2 174 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 175 #endif
176 CONTROL_FAKEDEFER,
177 CONTROL_FAKEREJECT,
178 CONTROL_NO_MULTILINE
179};
9a26b6b2 180
8800895a
PH		 181/* ACL control names; keep in step with the table above! This list is used for
182turning ids into names. The actual list of recognized names is in the variable
183control_def controls_list[] below. The fact that there are two lists is a mess
184and should be tidied up. */
9a26b6b2
PH		 185
186static uschar *controls[] = {
c46782ef 187 US"allow_auth_unadvertised",
9a26b6b2
PH		 188 #ifdef EXPERIMENTAL_BRIGHTMAIL
189 US"bmi_run",
190 #endif
191 #ifdef EXPERIMENTAL_DOMAINKEYS
192 US"dk_verify",
193 #endif
c46782ef
PH		 194 US"error",
195 US"caseful_local_part",
196 US"caselower_local_part",
197 US"enforce_sync",
198 US"no_enforce_sync",
199 US"freeze",
200 US"queue_only",
201 US"submission",
202 US"suppress_local_fixups",
9a26b6b2
PH		 203 #ifdef WITH_CONTENT_SCAN
204 US"no_mbox_unspool",
205 #endif
c46782ef
PH		 206 US"no_multiline"
207};
059ec3d9
PH		 208
209/* Flags to indicate for which conditions /modifiers a string expansion is done
210at the outer level. In the other cases, expansion already occurs in the
211checking functions. */
212
213static uschar cond_expand_at_top[] = {
214 TRUE, /* acl */
3e536984 215 TRUE, /* add_header */
059ec3d9 216 FALSE, /* authenticated */
8523533c
TK		 217#ifdef EXPERIMENTAL_BRIGHTMAIL
218 TRUE, /* bmi_optin */
8e669ac1 219#endif
059ec3d9
PH		 220 TRUE, /* condition */
221 TRUE, /* control */
8523533c
TK		 222#ifdef WITH_CONTENT_SCAN
223 TRUE, /* decode */
224#endif
059ec3d9 225 TRUE, /* delay */
8523533c
TK		 226#ifdef WITH_OLD_DEMIME
227 TRUE, /* demime */
fb2274d4
TK		 228#endif
229#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 230 TRUE, /* dk_domain_source */
231 TRUE, /* dk_policy */
232 TRUE, /* dk_sender_domains */
e715ad22 233 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 234 TRUE, /* dk_senders */
235 TRUE, /* dk_status */
8523533c 236#endif
059ec3d9
PH		 237 TRUE, /* dnslists */
238 FALSE, /* domains */
239 FALSE, /* encrypted */
240 TRUE, /* endpass */
241 FALSE, /* hosts */
242 FALSE, /* local_parts */
243 TRUE, /* log_message */
6ea85e9a 244 TRUE, /* log_reject_target */
059ec3d9 245 TRUE, /* logwrite */
8523533c
TK		 246#ifdef WITH_CONTENT_SCAN
247 TRUE, /* malware */
248#endif
059ec3d9 249 TRUE, /* message */
8523533c
TK		 250#ifdef WITH_CONTENT_SCAN
251 TRUE, /* mime_regex */
252#endif
870f6ba8 253 TRUE, /* ratelimit */
059ec3d9 254 FALSE, /* recipients */
8523533c
TK		 255#ifdef WITH_CONTENT_SCAN
256 TRUE, /* regex */
257#endif
059ec3d9
PH		 258 FALSE, /* sender_domains */
259 FALSE, /* senders */
260 TRUE, /* set */
8523533c
TK		 261#ifdef WITH_CONTENT_SCAN
262 TRUE, /* spam */
263#endif
264#ifdef EXPERIMENTAL_SPF
265 TRUE, /* spf */
266#endif
059ec3d9
PH		 267 TRUE /* verify */
268};
269
270/* Flags to identify the modifiers */
271
272static uschar cond_modifiers[] = {
273 FALSE, /* acl */
3e536984 274 TRUE, /* add_header */
059ec3d9 275 FALSE, /* authenticated */
8523533c
TK		 276#ifdef EXPERIMENTAL_BRIGHTMAIL
277 TRUE, /* bmi_optin */
8e669ac1 278#endif
059ec3d9
PH		 279 FALSE, /* condition */
280 TRUE, /* control */
8523533c
TK		 281#ifdef WITH_CONTENT_SCAN
282 FALSE, /* decode */
283#endif
059ec3d9 284 TRUE, /* delay */
8523533c
TK		 285#ifdef WITH_OLD_DEMIME
286 FALSE, /* demime */
fb2274d4
TK		 287#endif
288#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 289 FALSE, /* dk_domain_source */
290 FALSE, /* dk_policy */
291 FALSE, /* dk_sender_domains */
e715ad22 292 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 293 FALSE, /* dk_senders */
294 FALSE, /* dk_status */
8523533c 295#endif
059ec3d9
PH		 296 FALSE, /* dnslists */
297 FALSE, /* domains */
298 FALSE, /* encrypted */
299 TRUE, /* endpass */
300 FALSE, /* hosts */
301 FALSE, /* local_parts */
302 TRUE, /* log_message */
6ea85e9a 303 TRUE, /* log_reject_target */
8523533c
TK		 304 TRUE, /* logwrite */
305#ifdef WITH_CONTENT_SCAN
306 FALSE, /* malware */
307#endif
059ec3d9 308 TRUE, /* message */
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* mime_regex */
311#endif
870f6ba8 312 FALSE, /* ratelimit */
059ec3d9 313 FALSE, /* recipients */
8523533c
TK		 314#ifdef WITH_CONTENT_SCAN
315 FALSE, /* regex */
316#endif
059ec3d9
PH		 317 FALSE, /* sender_domains */
318 FALSE, /* senders */
319 TRUE, /* set */
8523533c
TK		 320#ifdef WITH_CONTENT_SCAN
321 FALSE, /* spam */
322#endif
323#ifdef EXPERIMENTAL_SPF
324 FALSE, /* spf */
325#endif
059ec3d9
PH		 326 FALSE /* verify */
327};
328
c5fcb476 329/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 330each condition, there's a bitmap of dis-allowed times. For some, it is easier
331to specify the negation of a small number of allowed times. */
059ec3d9
PH		 332
333static unsigned int cond_forbids[] = {
334 0, /* acl */
8e669ac1 335
71fafd95 336 (unsigned int)
45b91596 337 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 338 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 339 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
340 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 341
45b91596
PH		 342 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
343 (1<<ACL_WHERE_NOTSMTP_START)|
344 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 345
71fafd95 346 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 347 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 348 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
349 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 350 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 351 (1<<ACL_WHERE_MAILAUTH)|
352 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 353 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
354 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 355 #endif
8e669ac1 356
059ec3d9 357 0, /* condition */
8e669ac1 358
059ec3d9 359 /* Certain types of control are always allowed, so we let it through
2f079f46 360 always and check in the control processing itself. */
8e669ac1 361
059ec3d9 362 0, /* control */
8e669ac1 363
71fafd95 364 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 365 (unsigned int)
366 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 367 #endif
8523533c 368
059ec3d9 369 0, /* delay */
8e669ac1 370
71fafd95 371 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 372 (unsigned int)
373 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 374 #endif
8e669ac1 375
71fafd95 376 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 377 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 378 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
379 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
380 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
381 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
382 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 383 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 384
2f079f46 385 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 386 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
387 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
388 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
389 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
390 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 391 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 392
2f079f46 393 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 394 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
395 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
396 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
397 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
398 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 399 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 400
2f079f46 401 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 402 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
403 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
404 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
405 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
406 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 407 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 408
2f079f46 409 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 410 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
411 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
412 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
413 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
414 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 415 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 416
2f079f46 417 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 418 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
419 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
420 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 423 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 424 #endif
fb2274d4 425
45b91596
PH		 426 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
427 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 428
2f079f46
PH		 429 (unsigned int)
430 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 431
45b91596
PH		 432 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
433 (1<<ACL_WHERE_CONNECT)|
434 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 435 (1<<ACL_WHERE_HELO),
8e669ac1 436
059ec3d9 437 0, /* endpass */
8e669ac1 438
45b91596
PH		 439 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
440 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 441
2f079f46
PH		 442 (unsigned int)
443 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 444
445 0, /* log_message */
8e669ac1 446
6ea85e9a
PH		 447 0, /* log_reject_target */
448
059ec3d9 449 0, /* logwrite */
8e669ac1 450
71fafd95 451 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 452 (unsigned int)
453 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 454 #endif
8523533c 455
059ec3d9
PH		 456 0, /* message */
457
71fafd95 458 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 459 (unsigned int)
460 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 461 #endif
8523533c 462
870f6ba8
TF		 463 0, /* ratelimit */
464
2f079f46
PH		 465 (unsigned int)
466 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 467
71fafd95 468 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 469 (unsigned int)
470 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
471 (1<<ACL_WHERE_MIME)),
71fafd95 472 #endif
8523533c 473
059ec3d9
PH		 474 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
475 (1<<ACL_WHERE_HELO)|
476 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
477 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
478 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
479
480 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
481 (1<<ACL_WHERE_HELO)|
482 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
483 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
484 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
485
486 0, /* set */
487
71fafd95 488 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 489 (unsigned int)
490 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 491 #endif
8523533c 492
71fafd95 493 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 494 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
495 (1<<ACL_WHERE_HELO)|
496 (1<<ACL_WHERE_MAILAUTH)|
497 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 498 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
499 (1<<ACL_WHERE_NOTSMTP)|
500 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 501 #endif
8523533c 502
059ec3d9
PH		 503 /* Certain types of verify are always allowed, so we let it through
504 always and check in the verify function itself */
505
506 0 /* verify */
059ec3d9
PH		 507};
508
509
c5fcb476
PH		 510/* Bit map vector of which controls are not allowed at certain times. For
511each control, there's a bitmap of dis-allowed times. For some, it is easier to
512specify the negation of a small number of allowed times. */
513
514static unsigned int control_forbids[] = {
c46782ef
PH		 515 (unsigned int)
516 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
517
518 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 519 0, /* bmi_run */
c46782ef
PH		 520 #endif
521
522 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 523 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
524 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 525 #endif
3e11c26b 526
c5fcb476 527 0, /* error */
8e669ac1
PH		 528
529 (unsigned int)
c5fcb476 530 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 531
532 (unsigned int)
c5fcb476 533 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 534
45b91596
PH		 535 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
536 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 537
45b91596
PH		 538 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
539 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 540
541 (unsigned int)
c5fcb476
PH		 542 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
543 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 544 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 545
546 (unsigned int)
c5fcb476
PH		 547 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
548 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 549 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 550
551 (unsigned int)
c5fcb476 552 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 553 (1<<ACL_WHERE_PREDATA)),
8523533c 554
8800895a
PH		 555 (unsigned int)
556 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 557 (1<<ACL_WHERE_PREDATA)|
558 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 559
c46782ef 560 #ifdef WITH_CONTENT_SCAN
8e669ac1 561 (unsigned int)
14d57970 562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 563 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
564 (1<<ACL_WHERE_MIME)),
c46782ef 565 #endif
a6c4ab60 566
29aba418
TF		 567 (unsigned int)
568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
570 (1<<ACL_WHERE_MIME)),
571
8e669ac1 572 (unsigned int)
a6c4ab60 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
8523533c 576
45b91596
PH		 577 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
578 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 579};
580
581/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 582
583typedef struct control_def {
584 uschar *name;
585 int value; /* CONTROL_xxx value */
059ec3d9
PH		 586 BOOL has_option; /* Has /option(s) following */
587} control_def;
588
589static control_def controls_list[] = {
c46782ef 590 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 591#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 592 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 593#endif
594#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 595 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 596#endif
c46782ef
PH		 597 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
598 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
599 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
600 { US"freeze", CONTROL_FREEZE, TRUE },
601 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
602 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
603 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 604#ifdef WITH_CONTENT_SCAN
c46782ef 605 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 606#endif
c46782ef
PH		 607 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
608 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
609 { US"submission", CONTROL_SUBMISSION, TRUE },
610 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 611 };
612
e5a9dba6
PH		 613/* Support data structures for Client SMTP Authorization. acl_verify_csa()
614caches its result in a tree to avoid repeated DNS queries. The result is an
615integer code which is used as an index into the following tables of
616explanatory strings and verification return codes. */
617
618static tree_node *csa_cache = NULL;
619
620enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
621 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
622
623/* The acl_verify_csa() return code is translated into an acl_verify() return
624code using the following table. It is OK unless the client is definitely not
625authorized. This is because CSA is supposed to be optional for sending sites,
626so recipients should not be too strict about checking it - especially because
627DNS problems are quite likely to occur. It's possible to use $csa_status in
628further ACL conditions to distinguish ok, unknown, and defer if required, but
629the aim is to make the usual configuration simple. */
630
631static int csa_return_code[] = {
632 OK, OK, OK, OK,
633 FAIL, FAIL, FAIL, FAIL
634};
635
636static uschar *csa_status_string[] = {
637 US"unknown", US"ok", US"defer", US"defer",
638 US"fail", US"fail", US"fail", US"fail"
639};
640
641static uschar *csa_reason_string[] = {
642 US"unknown",
643 US"ok",
644 US"deferred (SRV lookup failed)",
645 US"deferred (target address lookup failed)",
646 US"failed (explicit authorization required)",
647 US"failed (host name not authorized)",
648 US"failed (no authorized addresses)",
649 US"failed (client address mismatch)"
650};
651
059ec3d9
PH		 652/* Enable recursion between acl_check_internal() and acl_check_condition() */
653
654static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
655 uschar **);
656
657
658/*************************************************
659* Pick out name from list *
660*************************************************/
661
662/* Use a binary chop method
663
664Arguments:
665 name name to find
666 list list of names
667 end size of list
668
669Returns: offset in list, or -1 if not found
670*/
671
672static int
673acl_checkname(uschar *name, uschar **list, int end)
674{
675int start = 0;
676
677while (start < end)
678 {
679 int mid = (start + end)/2;
680 int c = Ustrcmp(name, list[mid]);
681 if (c == 0) return mid;
682 if (c < 0) end = mid; else start = mid + 1;
683 }
684
685return -1;
686}
687
688
689/*************************************************
690* Read and parse one ACL *
691*************************************************/
692
693/* This function is called both from readconf in order to parse the ACLs in the
694configuration file, and also when an ACL is encountered dynamically (e.g. as
695the result of an expansion). It is given a function to call in order to
696retrieve the lines of the ACL. This function handles skipping comments and
697blank lines (where relevant).
698
699Arguments:
700 func function to get next line of ACL
701 error where to put an error message
702
703Returns: pointer to ACL, or NULL
704 NULL can be legal (empty ACL); in this case error will be NULL
705*/
706
707acl_block *
708acl_read(uschar *(*func)(void), uschar **error)
709{
710acl_block *yield = NULL;
711acl_block **lastp = &yield;
712acl_block *this = NULL;
713acl_condition_block *cond;
714acl_condition_block **condp = NULL;
715uschar *s;
716
717*error = NULL;
718
719while ((s = (*func)()) != NULL)
720 {
721 int v, c;
722 BOOL negated = FALSE;
723 uschar *saveline = s;
724 uschar name[64];
725
726 /* Conditions (but not verbs) are allowed to be negated by an initial
727 exclamation mark. */
728
729 while (isspace(*s)) s++;
730 if (*s == '!')
731 {
732 negated = TRUE;
733 s++;
734 }
735
cf00dad6
PH		 736 /* Read the name of a verb or a condition, or the start of a new ACL, which
737 can be started by a name, or by a macro definition. */
059ec3d9
PH		 738
739 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 740 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 741
742 /* If a verb is unrecognized, it may be another condition or modifier that
743 continues the previous verb. */
744
745 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
746 if (v < 0)
747 {
748 if (this == NULL)
749 {
4e167a8c
PH		 750 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
751 saveline);
059ec3d9
PH		 752 return NULL;
753 }
754 }
755
756 /* New verb */
757
758 else
759 {
760 if (negated)
761 {
762 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
763 return NULL;
764 }
765 this = store_get(sizeof(acl_block));
766 *lastp = this;
767 lastp = &(this->next);
768 this->next = NULL;
769 this->verb = v;
770 this->condition = NULL;
771 condp = &(this->condition);
772 if (*s == 0) continue; /* No condition on this line */
773 if (*s == '!')
774 {
775 negated = TRUE;
776 s++;
777 }
778 s = readconf_readname(name, sizeof(name), s); /* Condition name */
779 }
780
781 /* Handle a condition or modifier. */
782
783 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
784 if (c < 0)
785 {
786 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
787 saveline);
788 return NULL;
789 }
790
791 /* The modifiers may not be negated */
792
793 if (negated && cond_modifiers[c])
794 {
795 *error = string_sprintf("ACL error: negation is not allowed with "
796 "\"%s\"", conditions[c]);
797 return NULL;
798 }
799
800 /* ENDPASS may occur only with ACCEPT or DISCARD. */
801
802 if (c == ACLC_ENDPASS &&
803 this->verb != ACL_ACCEPT &&
804 this->verb != ACL_DISCARD)
805 {
806 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
807 conditions[c], verbs[this->verb]);
808 return NULL;
809 }
810
811 cond = store_get(sizeof(acl_condition_block));
812 cond->next = NULL;
813 cond->type = c;
814 cond->u.negated = negated;
815
816 *condp = cond;
817 condp = &(cond->next);
818
819 /* The "set" modifier is different in that its argument is "name=value"
820 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 821 gives us a variable name to insert into the data block. The original ACL
822 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
823 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 824 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
825 After that, we allow alphanumerics and underscores, but the first character
826 after c or m must be a digit or an underscore. This retains backwards
827 compatibility. */
059ec3d9
PH		 828
829 if (c == ACLC_SET)
830 {
47ca6d6c
PH		 831 uschar *endptr;
832
38a0a95f
PH		 833 if (Ustrncmp(s, "acl_c", 5) != 0 &&
834 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 835 {
38a0a95f
PH		 836 *error = string_sprintf("invalid variable name after \"set\" in ACL "
837 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
838 return NULL;
47ca6d6c 839 }
38a0a95f
PH		 840
841 endptr = s + 5;
641cb756
PH		 842 if (!isdigit(*endptr) && *endptr != '_')
843 {
844 *error = string_sprintf("invalid variable name after \"set\" in ACL "
845 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
846 s);
847 return NULL;
848 }
849
38a0a95f 850 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 851 {
38a0a95f
PH		 852 if (!isalnum(*endptr) && *endptr != '_')
853 {
854 *error = string_sprintf("invalid character \"%c\" in variable name "
855 "in ACL modifier \"set %s\"", *endptr, s);
856 return NULL;
857 }
858 endptr++;
47ca6d6c 859 }
47ca6d6c 860
38a0a95f 861 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 862 s = endptr;
059ec3d9
PH		 863 while (isspace(*s)) s++;
864 }
865
866 /* For "set", we are now positioned for the data. For the others, only
867 "endpass" has no data */
868
869 if (c != ACLC_ENDPASS)
870 {
871 if (*s++ != '=')
872 {
873 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
874 cond_modifiers[c]? US"modifier" : US"condition");
875 return NULL;
876 }
877 while (isspace(*s)) s++;
878 cond->arg = string_copy(s);
879 }
880 }
881
882return yield;
883}
884
885
886
71fafd95
PH		 887/*************************************************
888* Set up added header line(s) *
889*************************************************/
890
891/* This function is called by the add_header modifier, and also from acl_warn()
892to implement the now-deprecated way of adding header lines using "message" on a
893"warn" verb. The argument is treated as a sequence of header lines which are
894added to a chain, provided there isn't an identical one already there.
895
896Argument: string of header lines
897Returns: nothing
898*/
899
900static void
901setup_header(uschar *hstring)
902{
903uschar *p, *q;
904int hlen = Ustrlen(hstring);
905
906/* An empty string does nothing; otherwise add a final newline if necessary. */
907
908if (hlen <= 0) return;
909if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
910
911/* Loop for multiple header lines, taking care about continuations */
912
913for (p = q = hstring; *p != 0; )
914 {
915 uschar *s;
916 int newtype = htype_add_bot;
917 header_line **hptr = &acl_added_headers;
918
919 /* Find next header line within the string */
920
921 for (;;)
922 {
923 q = Ustrchr(q, '\n');
924 if (*(++q) != ' ' && *q != '\t') break;
925 }
926
927 /* If the line starts with a colon, interpret the instruction for where to
928 add it. This temporarily sets up a new type. */
929
930 if (*p == ':')
931 {
932 if (strncmpic(p, US":after_received:", 16) == 0)
933 {
934 newtype = htype_add_rec;
935 p += 16;
936 }
937 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
938 {
939 newtype = htype_add_rfc;
940 p += 14;
941 }
942 else if (strncmpic(p, US":at_start:", 10) == 0)
943 {
944 newtype = htype_add_top;
945 p += 10;
946 }
947 else if (strncmpic(p, US":at_end:", 8) == 0)
948 {
949 newtype = htype_add_bot;
950 p += 8;
951 }
952 while (*p == ' ' || *p == '\t') p++;
953 }
954
955 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
956 to the front of it. */
957
958 for (s = p; s < q - 1; s++)
959 {
960 if (*s == ':' || !isgraph(*s)) break;
961 }
962
963 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
964 hlen = Ustrlen(s);
965
966 /* See if this line has already been added */
967
968 while (*hptr != NULL)
969 {
970 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
971 hptr = &((*hptr)->next);
972 }
973
974 /* Add if not previously present */
975
976 if (*hptr == NULL)
977 {
978 header_line *h = store_get(sizeof(header_line));
979 h->text = s;
980 h->next = NULL;
981 h->type = newtype;
982 h->slen = hlen;
983 *hptr = h;
984 hptr = &(h->next);
985 }
986
987 /* Advance for next header line within the string */
988
989 p = q;
990 }
991}
992
993
994
995
059ec3d9
PH		 996/*************************************************
997* Handle warnings *
998*************************************************/
999
1000/* This function is called when a WARN verb's conditions are true. It adds to
1001the message's headers, and/or writes information to the log. In each case, this
1002only happens once (per message for headers, per connection for log).
1003
71fafd95
PH		 1004** NOTE: The header adding action using the "message" setting is historic, and
1005its use is now deprecated. The new add_header modifier should be used instead.
1006
059ec3d9
PH		 1007Arguments:
1008 where ACL_WHERE_xxxx indicating which ACL this is
1009 user_message message for adding to headers
1010 log_message message for logging, if different
1011
1012Returns: nothing
1013*/
1014
1015static void
1016acl_warn(int where, uschar *user_message, uschar *log_message)
1017{
059ec3d9
PH		 1018if (log_message != NULL && log_message != user_message)
1019 {
1020 uschar *text;
1021 string_item *logged;
1022
1023 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1024 string_printing(log_message));
1025
1026 /* If a sender verification has failed, and the log message is "sender verify
1027 failed", add the failure message. */
1028
1029 if (sender_verified_failed != NULL &&
1030 sender_verified_failed->message != NULL &&
1031 strcmpic(log_message, US"sender verify failed") == 0)
1032 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1033
9c7a242c
PH		 1034 /* Search previously logged warnings. They are kept in malloc
1035 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1036
1037 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1038 if (Ustrcmp(logged->text, text) == 0) break;
1039
1040 if (logged == NULL)
1041 {
1042 int length = Ustrlen(text) + 1;
1043 log_write(0, LOG_MAIN, "%s", text);
1044 logged = store_malloc(sizeof(string_item) + length);
1045 logged->text = (uschar *)logged + sizeof(string_item);
1046 memcpy(logged->text, text, length);
1047 logged->next = acl_warn_logged;
1048 acl_warn_logged = logged;
1049 }
1050 }
1051
1052/* If there's no user message, we are done. */
1053
1054if (user_message == NULL) return;
1055
1056/* If this isn't a message ACL, we can't do anything with a user message.
1057Log an error. */
1058
1059if (where > ACL_WHERE_NOTSMTP)
1060 {
1061 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1062 "found in a non-message (%s) ACL: cannot specify header lines here: "
1063 "message ignored", acl_wherenames[where]);
1064 return;
1065 }
1066
71fafd95
PH		 1067/* The code for setting up header lines is now abstracted into a separate
1068function so that it can be used for the add_header modifier as well. */
059ec3d9 1069
71fafd95 1070setup_header(user_message);
059ec3d9
PH		 1071}
1072
1073
1074
1075/*************************************************
1076* Verify and check reverse DNS *
1077*************************************************/
1078
1079/* Called from acl_verify() below. We look up the host name(s) of the client IP
1080address if this has not yet been done. The host_name_lookup() function checks
1081that one of these names resolves to an address list that contains the client IP
1082address, so we don't actually have to do the check here.
1083
1084Arguments:
1085 user_msgptr pointer for user message
1086 log_msgptr pointer for log message
1087
1088Returns: OK verification condition succeeded
1089 FAIL verification failed
1090 DEFER there was a problem verifying
1091*/
1092
1093static int
1094acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1095{
1096int rc;
1097
1098user_msgptr = user_msgptr; /* stop compiler warning */
1099
1100/* Previous success */
1101
1102if (sender_host_name != NULL) return OK;
1103
1104/* Previous failure */
1105
1106if (host_lookup_failed)
1107 {
1108 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1109 return FAIL;
1110 }
1111
1112/* Need to do a lookup */
1113
1114HDEBUG(D_acl)
1115 debug_printf("looking up host name to force name/address consistency check\n");
1116
1117if ((rc = host_name_lookup()) != OK)
1118 {
1119 *log_msgptr = (rc == DEFER)?
1120 US"host lookup deferred for reverse lookup check"
1121 :
1122 string_sprintf("host lookup failed for reverse lookup check%s",
1123 host_lookup_msg);
1124 return rc; /* DEFER or FAIL */
1125 }
1126
1127host_build_sender_fullhost();
1128return OK;
1129}
1130
1131
1132
e5a9dba6
PH		 1133/*************************************************
1134* Check client IP address matches CSA target *
1135*************************************************/
1136
1137/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1138response for address records belonging to the CSA target hostname. The section
1139is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1140If one of the addresses matches the client's IP address, then the client is
1141authorized by CSA. If there are target IP addresses but none of them match
1142then the client is using an unauthorized IP address. If there are no target IP
1143addresses then the client cannot be using an authorized IP address. (This is
1144an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1145
1146Arguments:
1147 dnsa the DNS answer block
1148 dnss a DNS scan block for us to use
1149 reset option specifing what portion to scan, as described above
1150 target the target hostname to use for matching RR names
1151
1152Returns: CSA_OK successfully authorized
1153 CSA_FAIL_MISMATCH addresses found but none matched
1154 CSA_FAIL_NOADDR no target addresses found
1155*/
1156
1157static int
1158acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1159 uschar *target)
1160{
1161dns_record *rr;
1162dns_address *da;
1163
1164BOOL target_found = FALSE;
1165
1166for (rr = dns_next_rr(dnsa, dnss, reset);
1167 rr != NULL;
1168 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1169 {
1170 /* Check this is an address RR for the target hostname. */
1171
1172 if (rr->type != T_A
1173 #if HAVE_IPV6
1174 && rr->type != T_AAAA
1175 #ifdef SUPPORT_A6
1176 && rr->type != T_A6
1177 #endif
1178 #endif
1179 ) continue;
1180
1181 if (strcmpic(target, rr->name) != 0) continue;
1182
1183 target_found = TRUE;
1184
1185 /* Turn the target address RR into a list of textual IP addresses and scan
1186 the list. There may be more than one if it is an A6 RR. */
1187
1188 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1189 {
1190 /* If the client IP address matches the target IP address, it's good! */
1191
1192 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1193
1194 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1195 }
1196 }
1197
1198/* If we found some target addresses but none of them matched, the client is
1199using an unauthorized IP address, otherwise the target has no authorized IP
1200addresses. */
1201
1202if (target_found) return CSA_FAIL_MISMATCH;
1203else return CSA_FAIL_NOADDR;
1204}
1205
1206
1207
1208/*************************************************
1209* Verify Client SMTP Authorization *
1210*************************************************/
1211
1212/* Called from acl_verify() below. This routine calls dns_lookup_special()
1213to find the CSA SRV record corresponding to the domain argument, or
1214$sender_helo_name if no argument is provided. It then checks that the
1215client is authorized, and that its IP address corresponds to the SRV
1216target's address by calling acl_verify_csa_address() above. The address
1217should have been returned in the DNS response's ADDITIONAL section, but if
1218not we perform another DNS lookup to get it.
1219
1220Arguments:
1221 domain pointer to optional parameter following verify = csa
1222
1223Returns: CSA_UNKNOWN no valid CSA record found
1224 CSA_OK successfully authorized
1225 CSA_FAIL_* client is definitely not authorized
1226 CSA_DEFER_* there was a DNS problem
1227*/
1228
1229static int
1230acl_verify_csa(uschar *domain)
1231{
1232tree_node *t;
1233uschar *found, *p;
1234int priority, weight, port;
1235dns_answer dnsa;
1236dns_scan dnss;
1237dns_record *rr;
1238int rc, type;
1239uschar target[256];
1240
1241/* Work out the domain we are using for the CSA lookup. The default is the
1242client's HELO domain. If the client has not said HELO, use its IP address
1243instead. If it's a local client (exim -bs), CSA isn't applicable. */
1244
1245while (isspace(*domain) && *domain != '\0') ++domain;
1246if (*domain == '\0') domain = sender_helo_name;
1247if (domain == NULL) domain = sender_host_address;
1248if (sender_host_address == NULL) return CSA_UNKNOWN;
1249
1250/* If we have an address literal, strip off the framing ready for turning it
1251into a domain. The framing consists of matched square brackets possibly
1252containing a keyword and a colon before the actual IP address. */
1253
1254if (domain[0] == '[')
1255 {
1256 uschar *start = Ustrchr(domain, ':');
1257 if (start == NULL) start = domain;
1258 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1259 }
1260
1261/* Turn domains that look like bare IP addresses into domains in the reverse
1262DNS. This code also deals with address literals and $sender_host_address. It's
1263not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1264address literals, but it's probably the most friendly thing to do. This is an
1265extension to CSA, so we allow it to be turned off for proper conformance. */
1266
7e66e54d 1267if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1268 {
1269 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1270 dns_build_reverse(domain, target);
1271 domain = target;
1272 }
1273
1274/* Find out if we've already done the CSA check for this domain. If we have,
1275return the same result again. Otherwise build a new cached result structure
1276for this domain. The name is filled in now, and the value is filled in when
1277we return from this function. */
1278
1279t = tree_search(csa_cache, domain);
1280if (t != NULL) return t->data.val;
1281
1282t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1283Ustrcpy(t->name, domain);
1284(void)tree_insertnode(&csa_cache, t);
1285
1286/* Now we are ready to do the actual DNS lookup(s). */
1287
28e6ef29 1288found = domain;
e5a9dba6
PH		 1289switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1290 {
1291 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1292
1293 default:
1294 return t->data.val = CSA_DEFER_SRV;
1295
1296 /* If we found nothing, the client's authorization is unknown. */
1297
1298 case DNS_NOMATCH:
1299 case DNS_NODATA:
1300 return t->data.val = CSA_UNKNOWN;
1301
1302 /* We got something! Go on to look at the reply in more detail. */
1303
1304 case DNS_SUCCEED:
1305 break;
1306 }
1307
1308/* Scan the reply for well-formed CSA SRV records. */
1309
1310for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1311 rr != NULL;
1312 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1313 {
1314 if (rr->type != T_SRV) continue;
1315
1316 /* Extract the numerical SRV fields (p is incremented) */
1317
1318 p = rr->data;
1319 GETSHORT(priority, p);
1320 GETSHORT(weight, p);
1321 GETSHORT(port, p);
1322
1323 DEBUG(D_acl)
1324 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1325
1326 /* Check the CSA version number */
1327
1328 if (priority != 1) continue;
1329
1330 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1331 found by dns_special_lookup() is a parent of the one we asked for), we check
1332 the subdomain assertions in the port field. At the moment there's only one
1333 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1334 SRV records of their own. */
1335
1336 if (found != domain)
1337 {
1338 if (port & 1)
1339 return t->data.val = CSA_FAIL_EXPLICIT;
1340 else
1341 return t->data.val = CSA_UNKNOWN;
1342 }
1343
1344 /* This CSA SRV record refers directly to our domain, so we check the value
1345 in the weight field to work out the domain's authorization. 0 and 1 are
1346 unauthorized; 3 means the client is authorized but we can't check the IP
1347 address in order to authenticate it, so we treat it as unknown; values
1348 greater than 3 are undefined. */
1349
1350 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1351
1352 if (weight > 2) continue;
1353
1354 /* Weight == 2, which means the domain is authorized. We must check that the
1355 client's IP address is listed as one of the SRV target addresses. Save the
1356 target hostname then break to scan the additional data for its addresses. */
1357
1358 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1359 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1360
1361 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1362
1363 break;
1364 }
1365
1366/* If we didn't break the loop then no appropriate records were found. */
1367
1368if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1369
1370/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1371A target of "." indicates there are no valid addresses, so the client cannot
1372be authorized. (This is an odd configuration because weight=2 target=. is
1373equivalent to weight=1, but we check for it in order to keep load off the
1374root name servers.) Note that dn_expand() turns "." into "". */
1375
1376if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1377
1378/* Scan the additional section of the CSA SRV reply for addresses belonging
1379to the target. If the name server didn't return any additional data (e.g.
1380because it does not fully support SRV records), we need to do another lookup
1381to obtain the target addresses; otherwise we have a definitive result. */
1382
1383rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1384if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1385
1386/* The DNS lookup type corresponds to the IP version used by the client. */
1387
1388#if HAVE_IPV6
1389if (Ustrchr(sender_host_address, ':') != NULL)
1390 type = T_AAAA;
1391else
1392#endif /* HAVE_IPV6 */
1393 type = T_A;
1394
1395
1396#if HAVE_IPV6 && defined(SUPPORT_A6)
1397DNS_LOOKUP_AGAIN:
1398#endif
1399
1400switch (dns_lookup(&dnsa, target, type, NULL))
1401 {
1402 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1403
1404 default:
1405 return t->data.val = CSA_DEFER_ADDR;
1406
1407 /* If the query succeeded, scan the addresses and return the result. */
1408
1409 case DNS_SUCCEED:
1410 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1411 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1412 /* else fall through */
1413
1414 /* If the target has no IP addresses, the client cannot have an authorized
1415 IP address. However, if the target site uses A6 records (not AAAA records)
1416 we have to do yet another lookup in order to check them. */
1417
1418 case DNS_NOMATCH:
1419 case DNS_NODATA:
1420
1421 #if HAVE_IPV6 && defined(SUPPORT_A6)
1422 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1423 #endif
1424
1425 return t->data.val = CSA_FAIL_NOADDR;
1426 }
1427}
1428
1429
1430
059ec3d9
PH		 1431/*************************************************
1432* Handle verification (address & other) *
1433*************************************************/
1434
1435/* This function implements the "verify" condition. It is called when
1436encountered in any ACL, because some tests are almost always permitted. Some
1437just don't make sense, and always fail (for example, an attempt to test a host
1438lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1439
1440Arguments:
1441 where where called from
1442 addr the recipient address that the ACL is handling, or NULL
1443 arg the argument of "verify"
1444 user_msgptr pointer for user message
1445 log_msgptr pointer for log message
1446 basic_errno where to put verify errno
1447
1448Returns: OK verification condition succeeded
1449 FAIL verification failed
1450 DEFER there was a problem verifying
1451 ERROR syntax error
1452*/
1453
1454static int
1455acl_verify(int where, address_item *addr, uschar *arg,
1456 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1457{
1458int sep = '/';
1459int callout = -1;
1460int callout_overall = -1;
4deaf07d 1461int callout_connect = -1;
059ec3d9
PH		 1462int verify_options = 0;
1463int rc;
1464BOOL verify_header_sender = FALSE;
1465BOOL defer_ok = FALSE;
1466BOOL callout_defer_ok = FALSE;
1467BOOL no_details = FALSE;
eafd343b 1468BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1469address_item *sender_vaddr = NULL;
1470uschar *verify_sender_address = NULL;
1471uschar *pm_mailfrom = NULL;
1472uschar *se_mailfrom = NULL;
596875b3
PH		 1473
1474/* Some of the verify items have slash-separated options; some do not. Diagnose
1475an error if options are given for items that don't expect them. This code has
1476now got very message. Refactoring to use a table would be a good idea one day.
1477*/
1478
1479uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1480uschar *list = arg;
1481uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1482
1483if (ss == NULL) goto BAD_VERIFY;
1484
1485/* Handle name/address consistency verification in a separate function. */
1486
1487if (strcmpic(ss, US"reverse_host_lookup") == 0)
1488 {
596875b3 1489 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1490 if (sender_host_address == NULL) return OK;
1491 return acl_verify_reverse(user_msgptr, log_msgptr);
1492 }
1493
1494/* TLS certificate verification is done at STARTTLS time; here we just
1495test whether it was successful or not. (This is for optional verification; for
1496mandatory verification, the connection doesn't last this long.) */
1497
1498if (strcmpic(ss, US"certificate") == 0)
1499 {
596875b3 1500 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1501 if (tls_certificate_verified) return OK;
1502 *user_msgptr = US"no verified certificate";
1503 return FAIL;
1504 }
1505
d7b47fd0
PH		 1506/* We can test the result of optional HELO verification that might have
1507occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1508
596875b3
PH		 1509if (strcmpic(ss, US"helo") == 0)
1510 {
1511 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1512 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1513 return helo_verified? OK : FAIL;
596875b3 1514 }
059ec3d9 1515
e5a9dba6
PH		 1516/* Do Client SMTP Authorization checks in a separate function, and turn the
1517result code into user-friendly strings. */
1518
1519if (strcmpic(ss, US"csa") == 0)
1520 {
1521 rc = acl_verify_csa(list);
1522 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1523 csa_reason_string[rc]);
1524 csa_status = csa_status_string[rc];
1525 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1526 return csa_return_code[rc];
1527 }
1528
596875b3
PH		 1529/* Check that all relevant header lines have the correct syntax. If there is
1530a syntax error, we return details of the error to the sender if configured to
1531send out full details. (But a "message" setting on the ACL can override, as
1532always). */
059ec3d9 1533
596875b3 1534if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1535 {
596875b3 1536 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1537 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1538 rc = verify_check_headers(log_msgptr);
1539 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1540 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1541 return rc;
1542 }
059ec3d9 1543
1c41c9cc
PH		 1544/* Check that no recipient of this message is "blind", that is, every envelope
1545recipient must be mentioned in either To: or Cc:. */
1546
1547if (strcmpic(ss, US"not_blind") == 0)
1548 {
1549 if (slash != NULL) goto NO_OPTIONS;
1550 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1551 rc = verify_check_notblind();
1552 if (rc != OK)
1553 {
1554 *log_msgptr = string_sprintf("bcc recipient detected");
1555 if (smtp_return_error_details)
1556 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1557 }
1558 return rc;
1559 }
059ec3d9 1560
596875b3
PH		 1561/* The remaining verification tests check recipient and sender addresses,
1562either from the envelope or from the header. There are a number of
1563slash-separated options that are common to all of them. */
059ec3d9 1564
059ec3d9 1565
596875b3
PH		 1566/* Check that there is at least one verifiable sender address in the relevant
1567header lines. This can be followed by callout and defer options, just like
1568sender and recipient. */
059ec3d9 1569
596875b3
PH		 1570if (strcmpic(ss, US"header_sender") == 0)
1571 {
1c41c9cc 1572 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1573 verify_header_sender = TRUE;
059ec3d9
PH		 1574 }
1575
1576/* Otherwise, first item in verify argument must be "sender" or "recipient".
1577In the case of a sender, this can optionally be followed by an address to use
1578in place of the actual sender (rare special-case requirement). */
1579
1580else if (strncmpic(ss, US"sender", 6) == 0)
1581 {
1582 uschar *s = ss + 6;
1583 if (where > ACL_WHERE_NOTSMTP)
1584 {
1585 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1586 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1587 acl_wherenames[where]);
1588 return ERROR;
1589 }
1590 if (*s == 0)
1591 verify_sender_address = sender_address;
1592 else
1593 {
1594 while (isspace(*s)) s++;
1595 if (*s++ != '=') goto BAD_VERIFY;
1596 while (isspace(*s)) s++;
1597 verify_sender_address = string_copy(s);
1598 }
1599 }
1600else
1601 {
1602 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1603 if (addr == NULL)
1604 {
1605 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1606 "(only possible for RCPT)", acl_wherenames[where]);
1607 return ERROR;
1608 }
1609 }
1610
596875b3
PH		 1611/* Remaining items are optional; they apply to sender and recipient
1612verification, including "header sender" verification. */
059ec3d9
PH		 1613
1614while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1615 != NULL)
1616 {
1617 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1618 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1619 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1620
1621 /* These two old options are left for backwards compatibility */
1622
1623 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1624 {
1625 callout_defer_ok = TRUE;
1626 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1627 }
1628
1629 else if (strcmpic(ss, US"check_postmaster") == 0)
1630 {
1631 pm_mailfrom = US"";
1632 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1633 }
1634
1635 /* The callout option has a number of sub-options, comma separated */
1636
1637 else if (strncmpic(ss, US"callout", 7) == 0)
1638 {
1639 callout = CALLOUT_TIMEOUT_DEFAULT;
1640 ss += 7;
1641 if (*ss != 0)
1642 {
1643 while (isspace(*ss)) ss++;
1644 if (*ss++ == '=')
1645 {
1646 int optsep = ',';
1647 uschar *opt;
1648 uschar buffer[256];
1649 while (isspace(*ss)) ss++;
8e669ac1
PH		 1650
1651 /* This callout option handling code has become a mess as new options
1652 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1653 kind of table-driven thing. */
8e669ac1 1654
059ec3d9
PH		 1655 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1656 != NULL)
1657 {
1658 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1659 else if (strcmpic(opt, US"no_cache") == 0)
1660 verify_options |= vopt_callout_no_cache;
1661 else if (strcmpic(opt, US"random") == 0)
1662 verify_options |= vopt_callout_random;
1663 else if (strcmpic(opt, US"use_sender") == 0)
1664 verify_options |= vopt_callout_recipsender;
1665 else if (strcmpic(opt, US"use_postmaster") == 0)
1666 verify_options |= vopt_callout_recippmaster;
1667 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1668 else if (strcmpic(opt, US"fullpostmaster") == 0)
1669 {
1670 pm_mailfrom = US"";
1671 verify_options |= vopt_callout_fullpm;
1672 }
059ec3d9
PH		 1673
1674 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1675 {
1676 if (!verify_header_sender)
1677 {
1678 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1679 "callout option only for verify=header_sender (detected in ACL "
1680 "condition \"%s\")", arg);
1681 return ERROR;
1682 }
1683 opt += 8;
1684 while (isspace(*opt)) opt++;
1685 if (*opt++ != '=')
1686 {
1687 *log_msgptr = string_sprintf("'=' expected after "
1688 "\"mailfrom\" in ACL condition \"%s\"", arg);
1689 return ERROR;
1690 }
1691 while (isspace(*opt)) opt++;
1692 se_mailfrom = string_copy(opt);
1693 }
1694
1695 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1696 {
1697 opt += 19;
1698 while (isspace(*opt)) opt++;
1699 if (*opt++ != '=')
1700 {
1701 *log_msgptr = string_sprintf("'=' expected after "
1702 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1703 return ERROR;
1704 }
1705 while (isspace(*opt)) opt++;
1706 pm_mailfrom = string_copy(opt);
1707 }
1708
1709 else if (strncmpic(opt, US"maxwait", 7) == 0)
1710 {
1711 opt += 7;
1712 while (isspace(*opt)) opt++;
1713 if (*opt++ != '=')
1714 {
1715 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1716 "ACL condition \"%s\"", arg);
1717 return ERROR;
1718 }
1719 while (isspace(*opt)) opt++;
1720 callout_overall = readconf_readtime(opt, 0, FALSE);
1721 if (callout_overall < 0)
1722 {
1723 *log_msgptr = string_sprintf("bad time value in ACL condition "
1724 "\"verify %s\"", arg);
1725 return ERROR;
1726 }
1727 }
4deaf07d
PH		 1728 else if (strncmpic(opt, US"connect", 7) == 0)
1729 {
1730 opt += 7;
1731 while (isspace(*opt)) opt++;
1732 if (*opt++ != '=')
1733 {
1734 *log_msgptr = string_sprintf("'=' expected after "
1735 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1736 return ERROR;
1737 }
1738 while (isspace(*opt)) opt++;
1739 callout_connect = readconf_readtime(opt, 0, FALSE);
1740 if (callout_connect < 0)
1741 {
1742 *log_msgptr = string_sprintf("bad time value in ACL condition "
1743 "\"verify %s\"", arg);
1744 return ERROR;
1745 }
1746 }
059ec3d9
PH		 1747 else /* Plain time is callout connect/command timeout */
1748 {
1749 callout = readconf_readtime(opt, 0, FALSE);
1750 if (callout < 0)
1751 {
1752 *log_msgptr = string_sprintf("bad time value in ACL condition "
1753 "\"verify %s\"", arg);
1754 return ERROR;
1755 }
1756 }
1757 }
1758 }
1759 else
1760 {
1761 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1762 "ACL condition \"%s\"", arg);
1763 return ERROR;
1764 }
1765 }
1766 }
1767
1768 /* Option not recognized */
1769
1770 else
1771 {
1772 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1773 "condition \"verify %s\"", ss, arg);
1774 return ERROR;
1775 }
1776 }
1777
1778if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1779 (vopt_callout_recipsender|vopt_callout_recippmaster))
1780 {
1781 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1782 "for a recipient callout";
1783 return ERROR;
1784 }
1785
1786/* Handle sender-in-header verification. Default the user message to the log
1787message if giving out verification details. */
1788
1789if (verify_header_sender)
1790 {
8e669ac1 1791 int verrno;
059ec3d9 1792 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1793 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1794 &verrno);
1795 if (rc != OK)
8e669ac1 1796 {
fe5b5d0b
PH		 1797 *basic_errno = verrno;
1798 if (smtp_return_error_details)
1799 {
1800 if (*user_msgptr == NULL && *log_msgptr != NULL)
1801 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1802 if (rc == DEFER) acl_temp_details = TRUE;
1803 }
8e669ac1 1804 }
059ec3d9
PH		 1805 }
1806
1807/* Handle a sender address. The default is to verify *the* sender address, but
1808optionally a different address can be given, for special requirements. If the
1809address is empty, we are dealing with a bounce message that has no sender, so
1810we cannot do any checking. If the real sender address gets rewritten during
1811verification (e.g. DNS widening), set the flag to stop it being rewritten again
1812during message reception.
1813
1814A list of verified "sender" addresses is kept to try to avoid doing to much
1815work repetitively when there are multiple recipients in a message and they all
1816require sender verification. However, when callouts are involved, it gets too
1817complicated because different recipients may require different callout options.
1818Therefore, we always do a full sender verify when any kind of callout is
1819specified. Caching elsewhere, for instance in the DNS resolver and in the
1820callout handling, should ensure that this is not terribly inefficient. */
1821
1822else if (verify_sender_address != NULL)
1823 {
1824 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1825 != 0)
1826 {
1827 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1828 "sender verify callout";
1829 return ERROR;
1830 }
1831
1832 sender_vaddr = verify_checked_sender(verify_sender_address);
1833 if (sender_vaddr != NULL && /* Previously checked */
1834 callout <= 0) /* No callout needed this time */
1835 {
1836 /* If the "routed" flag is set, it means that routing worked before, so
1837 this check can give OK (the saved return code value, if set, belongs to a
1838 callout that was done previously). If the "routed" flag is not set, routing
1839 must have failed, so we use the saved return code. */
1840
1841 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1842 {
1843 rc = sender_vaddr->special_action;
1844 *basic_errno = sender_vaddr->basic_errno;
1845 }
1846 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1847 }
1848
1849 /* Do a new verification, and cache the result. The cache is used to avoid
1850 verifying the sender multiple times for multiple RCPTs when callouts are not
1851 specified (see comments above).
1852
1853 The cache is also used on failure to give details in response to the first
1854 RCPT that gets bounced for this reason. However, this can be suppressed by
1855 the no_details option, which sets the flag that says "this detail has already
1856 been sent". The cache normally contains just one address, but there may be
1857 more in esoteric circumstances. */
1858
1859 else
1860 {
1861 BOOL routed = TRUE;
2a3eea10 1862 uschar *save_address_data = deliver_address_data;
8e669ac1 1863
059ec3d9
PH		 1864 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1865 if (no_details) setflag(sender_vaddr, af_sverify_told);
1866 if (verify_sender_address[0] != 0)
1867 {
1868 /* If this is the real sender address, save the unrewritten version
1869 for use later in receive. Otherwise, set a flag so that rewriting the
1870 sender in verify_address() does not update sender_address. */
1871
1872 if (verify_sender_address == sender_address)
1873 sender_address_unrewritten = sender_address;
1874 else
1875 verify_options |= vopt_fake_sender;
1876
eafd343b
TK		 1877 if (success_on_redirect)
1878 verify_options |= vopt_success_on_redirect;
1879
059ec3d9
PH		 1880 /* The recipient, qualify, and expn options are never set in
1881 verify_options. */
1882
1883 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1884 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1885
1886 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1887
1888 if (rc == OK)
1889 {
1890 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1891 {
1892 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1893 verify_sender_address, sender_vaddr->address);
1894 }
1895 else
1896 {
1897 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1898 verify_sender_address);
1899 }
1900 }
1901 else *basic_errno = sender_vaddr->basic_errno;
1902 }
1903 else rc = OK; /* Null sender */
1904
1905 /* Cache the result code */
1906
1907 if (routed) setflag(sender_vaddr, af_verify_routed);
1908 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1909 sender_vaddr->special_action = rc;
1910 sender_vaddr->next = sender_verified_list;
1911 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1912
1913 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1914 the sender verification. */
8e669ac1 1915
2a3eea10 1916 deliver_address_data = save_address_data;
059ec3d9 1917 }
8e669ac1 1918
2a3eea10
PH		 1919 /* Put the sender address_data value into $sender_address_data */
1920
8e669ac1 1921 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1922 }
1923
1924/* A recipient address just gets a straightforward verify; again we must handle
1925the DEFER overrides. */
1926
1927else
1928 {
1929 address_item addr2;
1930
eafd343b
TK		 1931 if (success_on_redirect)
1932 verify_options |= vopt_success_on_redirect;
1933
059ec3d9
PH		 1934 /* We must use a copy of the address for verification, because it might
1935 get rewritten. */
1936
1937 addr2 = *addr;
1938 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1939 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1940 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1941
059ec3d9 1942 *log_msgptr = addr2.message;
8e669ac1 1943 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1944 addr2.user_message : addr2.message;
059ec3d9
PH		 1945 *basic_errno = addr2.basic_errno;
1946
1947 /* Make $address_data visible */
1948 deliver_address_data = addr2.p.address_data;
1949 }
1950
1951/* We have a result from the relevant test. Handle defer overrides first. */
1952
1953if (rc == DEFER && (defer_ok ||
1954 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1955 {
1956 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1957 defer_ok? "defer_ok" : "callout_defer_ok");
1958 rc = OK;
1959 }
1960
1961/* If we've failed a sender, set up a recipient message, and point
1962sender_verified_failed to the address item that actually failed. */
1963
1964if (rc != OK && verify_sender_address != NULL)
1965 {
1966 if (rc != DEFER)
1967 {
1968 *log_msgptr = *user_msgptr = US"Sender verify failed";
1969 }
1970 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1971 {
1972 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1973 }
1974 else
1975 {
1976 *log_msgptr = US"Could not complete sender verify callout";
1977 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1978 *log_msgptr;
1979 }
1980
1981 sender_verified_failed = sender_vaddr;
1982 }
1983
1984/* Verifying an address messes up the values of $domain and $local_part,
1985so reset them before returning if this is a RCPT ACL. */
1986
1987if (addr != NULL)
1988 {
1989 deliver_domain = addr->domain;
1990 deliver_localpart = addr->local_part;
1991 }
1992return rc;
1993
1994/* Syntax errors in the verify argument come here. */
1995
1996BAD_VERIFY:
1997*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1998 "\"helo\", \"header_syntax\", \"header_sender\" or "
1999 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2000 "\"verify %s\"", arg);
2001return ERROR;
596875b3
PH		 2002
2003/* Options supplied when not allowed come here */
2004
2005NO_OPTIONS:
2006*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2007 "(this verify item has no options)", arg);
2008return ERROR;
1c41c9cc
PH		 2009
2010/* Calls in the wrong ACL come here */
2011
2012WRONG_ACL:
2013*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2014 "(only possible in ACL for DATA)", acl_wherenames[where]);
2015return ERROR;
059ec3d9
PH		 2016}
2017
2018
2019
2020
2021/*************************************************
2022* Check argument for control= modifier *
2023*************************************************/
2024
2025/* Called from acl_check_condition() below
2026
2027Arguments:
2028 arg the argument string for control=
2029 pptr set to point to the terminating character
2030 where which ACL we are in
2031 log_msgptr for error messages
2032
2033Returns: CONTROL_xxx value
2034*/
2035
2036static int
2037decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2038{
2039int len;
2040control_def *d;
2041
2042for (d = controls_list;
2043 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2044 d++)
2045 {
2046 len = Ustrlen(d->name);
2047 if (Ustrncmp(d->name, arg, len) == 0) break;
2048 }
2049
2050if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2051 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2052 {
2053 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2054 return CONTROL_ERROR;
2055 }
2056
059ec3d9
PH		 2057*pptr = arg + len;
2058return d->value;
2059}
2060
2061
2062
870f6ba8
TF		 2063/*************************************************
2064* Handle rate limiting *
2065*************************************************/
2066
2067/* Called by acl_check_condition() below to calculate the result
2068of the ACL ratelimit condition.
2069
2070Note that the return value might be slightly unexpected: if the
2071sender's rate is above the limit then the result is OK. This is
2072similar to the dnslists condition, and is so that you can write
2073ACL clauses like: defer ratelimit = 15 / 1h
2074
2075Arguments:
2076 arg the option string for ratelimit=
90fc3069 2077 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2078 log_msgptr for error messages
2079
2080Returns: OK - Sender's rate is above limit
2081 FAIL - Sender's rate is below limit
2082 DEFER - Problem opening ratelimit database
2083 ERROR - Syntax error in options.
2084*/
2085
2086static int
90fc3069 2087acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2088{
2089double limit, period;
f3dcf4a2 2090uschar *ss, *key;
870f6ba8
TF		 2091int sep = '/';
2092BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2093BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2094int old_pool, rc;
2095tree_node **anchor, *t;
2096open_db dbblock, *dbm;
2097dbdata_ratelimit *dbd;
2098struct timeval tv;
2099
2100/* Parse the first two options and record their values in expansion
2101variables. These variables allow the configuration to have informative
2102error messages based on rate limits obtained from a table lookup. */
2103
2104/* First is the maximum number of messages per period and maximum burst
2105size, which must be greater than or equal to zero. Zero is useful for
2106rate measurement as opposed to rate limiting. */
2107
2108sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2109if (sender_rate_limit == NULL)
2110 limit = -1.0;
2111else
2112 {
2113 limit = Ustrtod(sender_rate_limit, &ss);
2114 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2115 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2116 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2117 }
2118if (limit < 0.0 || *ss != 0)
2119 {
2120 *log_msgptr = string_sprintf("syntax error in argument for "
2121 "\"ratelimit\" condition: \"%s\" is not a positive number",
2122 sender_rate_limit);
2123 return ERROR;
2124 }
2125
f3dcf4a2
TF		 2126/* We use the rest of the argument list following the limit as the
2127lookup key, because it doesn't make sense to use the same stored data
2128if the period or options are different. */
2129
2130key = arg;
2131
870f6ba8
TF		 2132/* Second is the rate measurement period and exponential smoothing time
2133constant. This must be strictly greater than zero, because zero leads to
2134run-time division errors. */
2135
2136sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2137if (sender_rate_period == NULL) period = -1.0;
2138else period = readconf_readtime(sender_rate_period, 0, FALSE);
2139if (period <= 0.0)
2140 {
2141 *log_msgptr = string_sprintf("syntax error in argument for "
2142 "\"ratelimit\" condition: \"%s\" is not a time value",
2143 sender_rate_period);
2144 return ERROR;
2145 }
2146
2147/* Parse the other options. Should we check if the per_* options are being
2148used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2149
2150while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2151 != NULL)
2152 {
2153 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2154 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2155 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2156 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2157 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2158 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2159 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2160 else have_key = TRUE;
2161 }
2162if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2163 {
2164 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2165 return ERROR;
2166 }
2167
2168/* Default option values */
2169if (!strict) leaky = TRUE;
2170if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2171
f3dcf4a2 2172/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2173sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2174
2175if (!have_key && sender_host_address != NULL)
2176 key = string_sprintf("%s / %s", key, sender_host_address);
2177
2178HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2179 limit, period, key);
2180
fe0dab11 2181/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2182per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2183so that they survive across resets. */
2184
2185anchor = NULL;
2186old_pool = store_pool;
2187
2188if (per_conn)
2189 {
2190 anchor = &ratelimiters_conn;
2191 store_pool = POOL_PERM;
2192 }
fe0dab11 2193else if (per_mail || per_byte)
870f6ba8 2194 anchor = &ratelimiters_mail;
fe0dab11
TF		 2195else if (per_cmd)
2196 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2197
2198if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2199 {
2200 dbd = t->data.ptr;
2201 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2202 if (dbd->rate < limit) rc = FAIL;
2203 else rc = OK;
870f6ba8
TF		 2204 store_pool = old_pool;
2205 sender_rate = string_sprintf("%.1f", dbd->rate);
2206 HDEBUG(D_acl)
2207 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2208 return rc;
2209 }
2210
2211/* We aren't using a pre-computed rate, so get a previously recorded
2212rate from the database, update it, and write it back. If there's no
2213previous rate for this key, create one. */
2214
2215dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2216if (dbm == NULL)
2217 {
2218 store_pool = old_pool;
2219 sender_rate = NULL;
2220 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2221 *log_msgptr = US"ratelimit database not available";
2222 return DEFER;
2223 }
2224dbd = dbfn_read(dbm, key);
2225
2226gettimeofday(&tv, NULL);
2227
2228if (dbd == NULL)
2229 {
2230 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2231 dbd = store_get(sizeof(dbdata_ratelimit));
2232 dbd->time_stamp = tv.tv_sec;
2233 dbd->time_usec = tv.tv_usec;
2234 dbd->rate = 0.0;
2235 }
2236else
2237 {
2238 /* The smoothed rate is computed using an exponentially weighted moving
2239 average adjusted for variable sampling intervals. The standard EWMA for
2240 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2241 where f() is the measured value and f'() is the smoothed value.
2242
2243 Old data decays out of the smoothed value exponentially, such that data n
2244 samples old is multiplied by a^n. The exponential decay time constant p
2245 is defined such that data p samples old is multiplied by 1/e, which means
2246 that a = exp(-1/p). We can maintain the same time constant for a variable
2247 sampling interval i by using a = exp(-i/p).
2248
2249 The rate we are measuring is messages per period, suitable for directly
2250 comparing with the limit. The average rate between now and the previous
2251 message is period / interval, which we feed into the EWMA as the sample.
2252
2253 It turns out that the number of messages required for the smoothed rate
2254 to reach the limit when they are sent in a burst is equal to the limit.
2255 This can be seen by analysing the value of the smoothed rate after N
2256 messages sent at even intervals. Let k = (1 - a) * p/i
2257
2258 rate_1 = (1 - a) * p/i + a * rate_0
2259 = k + a * rate_0
2260 rate_2 = k + a * rate_1
2261 = k + a * k + a^2 * rate_0
2262 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2263 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2264 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2265 = rate_0 * a^N + p/i * (1 - a^N)
2266
2267 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2268
2269 rate_N = p/i + (rate_0 - p/i) * a^N
2270 a^N = (rate_N - p/i) / (rate_0 - p/i)
2271 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2272 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2273
2274 Numerical analysis of the above equation, setting the computed rate to
2275 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2276 rates, p/i, the number of messages N = limit. So limit serves as both the
2277 maximum rate measured in messages per period, and the maximum number of
2278 messages that can be sent in a fast burst. */
2279
2280 double this_time = (double)tv.tv_sec
2281 + (double)tv.tv_usec / 1000000.0;
2282 double prev_time = (double)dbd->time_stamp
2283 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2284
2285 /* We must avoid division by zero, and deal gracefully with the clock going
2286 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2287 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2288
e5d5a95f
TF		 2289 double interval = this_time - prev_time <= 0.0 ? 1e-9
2290 : this_time - prev_time;
2291
2292 double i_over_p = interval / period;
2293 double a = exp(-i_over_p);
870f6ba8
TF		 2294
2295 dbd->time_stamp = tv.tv_sec;
2296 dbd->time_usec = tv.tv_usec;
2297
2298 /* If we are measuring the rate in bytes per period, multiply the
2299 measured rate by the message size. If we don't know the message size
2300 then it's safe to just use a value of zero and let the recorded rate
2301 decay as if nothing happened. */
2302
2303 if (per_byte)
2304 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2305 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2306 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2307 dbd->rate = (double)recipients_count
2308 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2309 else
2310 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2311 }
2312
3348576f
TF		 2313/* Clients sending at the limit are considered to be over the limit. This
2314matters for edge cases such the first message sent by a client (which gets
2315the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2316be completely blocked). */
2317
2318if (dbd->rate < limit) rc = FAIL;
2319 else rc = OK;
870f6ba8
TF		 2320
2321/* Update the state if the rate is low or if we are being strict. If we
2322are in leaky mode and the sender's rate is too high, we do not update
2323the recorded rate in order to avoid an over-aggressive sender's retry
2324rate preventing them from getting any email through. */
2325
2326if (rc == FAIL || !leaky)
2327 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2328dbfn_close(dbm);
2329
2330/* Store the result in the tree for future reference, if necessary. */
2331
2332if (anchor != NULL)
2333 {
2334 t = store_get(sizeof(tree_node) + Ustrlen(key));
2335 t->data.ptr = dbd;
2336 Ustrcpy(t->name, key);
2337 (void)tree_insertnode(anchor, t);
2338 }
2339
2340/* We create the formatted version of the sender's rate very late in
2341order to ensure that it is done using the correct storage pool. */
2342
2343store_pool = old_pool;
2344sender_rate = string_sprintf("%.1f", dbd->rate);
2345
2346HDEBUG(D_acl)
2347 debug_printf("ratelimit computed rate %s\n", sender_rate);
2348
2349return rc;
2350}
2351
2352
2353
059ec3d9
PH		 2354/*************************************************
2355* Handle conditions/modifiers on an ACL item *
2356*************************************************/
2357
2358/* Called from acl_check() below.
2359
2360Arguments:
2361 verb ACL verb
2362 cb ACL condition block - if NULL, result is OK
2363 where where called from
2364 addr the address being checked for RCPT, or NULL
2365 level the nesting level
2366 epp pointer to pass back TRUE if "endpass" encountered
2367 (applies only to "accept" and "discard")
2368 user_msgptr user message pointer
2369 log_msgptr log message pointer
2370 basic_errno pointer to where to put verify error
2371
2372Returns: OK - all conditions are met
2373 DISCARD - an "acl" condition returned DISCARD - only allowed
2374 for "accept" or "discard" verbs
2375 FAIL - at least one condition fails
2376 FAIL_DROP - an "acl" condition returned FAIL_DROP
2377 DEFER - can't tell at the moment (typically, lookup defer,
2378 but can be temporary callout problem)
2379 ERROR - ERROR from nested ACL or expansion failure or other
2380 error
2381*/
2382
2383static int
2384acl_check_condition(int verb, acl_condition_block *cb, int where,
2385 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2386 uschar **log_msgptr, int *basic_errno)
2387{
2388uschar *user_message = NULL;
2389uschar *log_message = NULL;
91ecef39 2390uschar *p = NULL;
059ec3d9 2391int rc = OK;
8523533c
TK		 2392#ifdef WITH_CONTENT_SCAN
2393int sep = '/';
2394#endif
059ec3d9
PH		 2395
2396for (; cb != NULL; cb = cb->next)
2397 {
2398 uschar *arg;
8e669ac1 2399 int control_type;
059ec3d9
PH		 2400
2401 /* The message and log_message items set up messages to be used in
2402 case of rejection. They are expanded later. */
2403
2404 if (cb->type == ACLC_MESSAGE)
2405 {
2406 user_message = cb->arg;
2407 continue;
2408 }
2409
2410 if (cb->type == ACLC_LOG_MESSAGE)
2411 {
2412 log_message = cb->arg;
2413 continue;
2414 }
2415
2416 /* The endpass "condition" just sets a flag to show it occurred. This is
2417 checked at compile time to be on an "accept" or "discard" item. */
2418
2419 if (cb->type == ACLC_ENDPASS)
2420 {
2421 *epp = TRUE;
2422 continue;
2423 }
2424
2425 /* For other conditions and modifiers, the argument is expanded now for some
2426 of them, but not for all, because expansion happens down in some lower level
2427 checking functions in some cases. */
2428
2429 if (cond_expand_at_top[cb->type])
2430 {
2431 arg = expand_string(cb->arg);
2432 if (arg == NULL)
2433 {
2434 if (expand_string_forcedfail) continue;
2435 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2436 cb->arg, expand_string_message);
2437 return search_find_defer? DEFER : ERROR;
2438 }
2439 }
2440 else arg = cb->arg;
2441
2442 /* Show condition, and expanded condition if it's different */
2443
2444 HDEBUG(D_acl)
2445 {
2446 int lhswidth = 0;
2447 debug_printf("check %s%s %n",
2448 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2449 conditions[cb->type], &lhswidth);
2450
2451 if (cb->type == ACLC_SET)
2452 {
38a0a95f
PH		 2453 debug_printf("acl_%s ", cb->u.varname);
2454 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2455 }
2456
2457 debug_printf("= %s\n", cb->arg);
2458
2459 if (arg != cb->arg)
2460 debug_printf("%.*s= %s\n", lhswidth,
2461 US" ", CS arg);
2462 }
2463
2464 /* Check that this condition makes sense at this time */
2465
2466 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2467 {
2468 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2469 cond_modifiers[cb->type]? "use" : "test",
2470 conditions[cb->type], acl_wherenames[where]);
2471 return ERROR;
2472 }
2473
2474 /* Run the appropriate test for each condition, or take the appropriate
2475 action for the remaining modifiers. */
2476
2477 switch(cb->type)
2478 {
71fafd95
PH		 2479 case ACLC_ADD_HEADER:
2480 setup_header(arg);
2481 break;
2482
059ec3d9
PH		 2483 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2484 "discard" verb. */
71fafd95 2485
059ec3d9
PH		 2486 case ACLC_ACL:
2487 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2488 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2489 {
2490 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2491 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2492 verbs[verb]);
2493 return ERROR;
2494 }
2495 break;
2496
2497 case ACLC_AUTHENTICATED:
2498 rc = (sender_host_authenticated == NULL)? FAIL :
2499 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2500 TRUE, NULL);
2501 break;
2502
71fafd95 2503 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2504 case ACLC_BMI_OPTIN:
2505 {
2506 int old_pool = store_pool;
2507 store_pool = POOL_PERM;
2508 bmi_current_optin = string_copy(arg);
2509 store_pool = old_pool;
2510 }
2511 break;
71fafd95 2512 #endif
8523533c 2513
059ec3d9
PH		 2514 case ACLC_CONDITION:
2515 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2516 rc = (Uatoi(arg) == 0)? FAIL : OK;
2517 else
2518 rc = (strcmpic(arg, US"no") == 0 ||
2519 strcmpic(arg, US"false") == 0)? FAIL :
2520 (strcmpic(arg, US"yes") == 0 ||
2521 strcmpic(arg, US"true") == 0)? OK : DEFER;
2522 if (rc == DEFER)
2523 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2524 break;
2525
2526 case ACLC_CONTROL:
c5fcb476
PH		 2527 control_type = decode_control(arg, &p, where, log_msgptr);
2528
8523533c 2529 /* Check if this control makes sense at this time */
c5fcb476
PH		 2530
2531 if ((control_forbids[control_type] & (1 << where)) != 0)
2532 {
2533 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2534 controls[control_type], acl_wherenames[where]);
2535 return ERROR;
8e669ac1 2536 }
c5fcb476
PH		 2537
2538 switch(control_type)
059ec3d9 2539 {
c46782ef
PH		 2540 case CONTROL_AUTH_UNADVERTISED:
2541 allow_auth_unadvertised = TRUE;
2542 break;
2543
2544 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2545 case CONTROL_BMI_RUN:
2546 bmi_run = 1;
2547 break;
c46782ef
PH		 2548 #endif
2549
2550 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2551 case CONTROL_DK_VERIFY:
2552 dk_do_verify = 1;
2553 break;
c46782ef
PH		 2554 #endif
2555
059ec3d9
PH		 2556 case CONTROL_ERROR:
2557 return ERROR;
2558
2559 case CONTROL_CASEFUL_LOCAL_PART:
2560 deliver_localpart = addr->cc_local_part;
2561 break;
2562
2563 case CONTROL_CASELOWER_LOCAL_PART:
2564 deliver_localpart = addr->lc_local_part;
2565 break;
2566
2567 case CONTROL_ENFORCE_SYNC:
2568 smtp_enforce_sync = TRUE;
2569 break;
2570
2571 case CONTROL_NO_ENFORCE_SYNC:
2572 smtp_enforce_sync = FALSE;
2573 break;
2574
c46782ef 2575 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2576 case CONTROL_NO_MBOX_UNSPOOL:
2577 no_mbox_unspool = TRUE;
2578 break;
c46782ef 2579 #endif
8523533c 2580
059ec3d9
PH		 2581 case CONTROL_NO_MULTILINE:
2582 no_multiline_responses = TRUE;
2583 break;
2584
29aba418 2585 case CONTROL_FAKEDEFER:
8523533c 2586 case CONTROL_FAKEREJECT:
29aba418 2587 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2588 if (*p == '/')
8e669ac1 2589 {
8523533c 2590 uschar *pp = p + 1;
8e669ac1 2591 while (*pp != 0) pp++;
29aba418 2592 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2593 p = pp;
2594 }
2595 else
2596 {
2597 /* Explicitly reset to default string */
29aba418 2598 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2599 }
2600 break;
8523533c 2601
059ec3d9
PH		 2602 case CONTROL_FREEZE:
2603 deliver_freeze = TRUE;
2604 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2605 freeze_tell = freeze_tell_config; /* Reset to configured value */
2606 if (Ustrncmp(p, "/no_tell", 8) == 0)
2607 {
2608 p += 8;
2609 freeze_tell = NULL;
2610 }
2611 if (*p != 0)
2612 {
2613 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2614 return ERROR;
2615 }
059ec3d9
PH		 2616 break;
2617
2618 case CONTROL_QUEUE_ONLY:
2619 queue_only_policy = TRUE;
2620 break;
2621
2622 case CONTROL_SUBMISSION:
87ba3f5f 2623 originator_name = US"";
059ec3d9 2624 submission_mode = TRUE;
69358f02 2625 while (*p == '/')
8e669ac1 2626 {
69358f02
PH		 2627 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2628 {
2629 p += 14;
2630 active_local_sender_retain = TRUE;
8e669ac1
PH		 2631 active_local_from_check = FALSE;
2632 }
69358f02
PH		 2633 else if (Ustrncmp(p, "/domain=", 8) == 0)
2634 {
2635 uschar *pp = p + 8;
8e669ac1 2636 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2637 submission_domain = string_copyn(p+8, pp-p-8);
2638 p = pp;
2639 }
8857ccfd
PH		 2640 /* The name= option must be last, because it swallows the rest of
2641 the string. */
87ba3f5f
PH		 2642 else if (Ustrncmp(p, "/name=", 6) == 0)
2643 {
2644 uschar *pp = p + 6;
8857ccfd 2645 while (*pp != 0) pp++;
2fe1a124 2646 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2647 big_buffer, big_buffer_size));
8e669ac1 2648 p = pp;
69358f02 2649 }
8e669ac1
PH		 2650 else break;
2651 }
69358f02 2652 if (*p != 0)
059ec3d9 2653 {
69358f02 2654 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2655 return ERROR;
2656 }
2657 break;
8800895a
PH		 2658
2659 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2660 suppress_local_fixups = TRUE;
2661 break;
059ec3d9
PH		 2662 }
2663 break;
2664
71fafd95 2665 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2666 case ACLC_DECODE:
2667 rc = mime_decode(&arg);
2668 break;
71fafd95 2669 #endif
8523533c 2670
059ec3d9
PH		 2671 case ACLC_DELAY:
2672 {
2673 int delay = readconf_readtime(arg, 0, FALSE);
2674 if (delay < 0)
2675 {
2676 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2677 "modifier: \"%s\" is not a time value", arg);
2678 return ERROR;
2679 }
2680 else
2681 {
2682 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2683 delay);
2684 if (host_checking)
2685 {
2686 HDEBUG(D_acl)
2687 debug_printf("delay skipped in -bh checking mode\n");
2688 }
010c2d14
PH		 2689
2690 /* It appears to be impossible to detect that a TCP/IP connection has
2691 gone away without reading from it. This means that we cannot shorten
2692 the delay below if the client goes away, because we cannot discover
2693 that the client has closed its end of the connection. (The connection
2694 is actually in a half-closed state, waiting for the server to close its
2695 end.) It would be nice to be able to detect this state, so that the
2696 Exim process is not held up unnecessarily. However, it seems that we
2697 can't. The poll() function does not do the right thing, and in any case
2698 it is not always available.
2699
2700 NOTE: If ever this state of affairs changes, remember that we may be
2701 dealing with stdin/stdout here, in addition to TCP/IP connections.
2702 Whatever is done must work in both cases. To detected the stdin/stdout
2703 case, check for smtp_in or smtp_out being NULL. */
2704
8e669ac1 2705 else
86b8287f
PH		 2706 {
2707 while (delay > 0) delay = sleep(delay);
8e669ac1 2708 }
059ec3d9
PH		 2709 }
2710 }
2711 break;
2712
71fafd95 2713 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2714 case ACLC_DEMIME:
2715 rc = demime(&arg);
2716 break;
71fafd95 2717 #endif
8523533c 2718
71fafd95
PH		 2719 #ifdef EXPERIMENTAL_DOMAINKEYS
2720 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2721 if (dk_verify_block == NULL) { rc = FAIL; break; };
2722 /* check header source of domain against given string */
2723 switch (dk_verify_block->address_source) {
2724 case DK_EXIM_ADDRESS_FROM_FROM:
2725 rc = match_isinlist(US"from", &arg, 0, NULL,
2726 NULL, MCL_STRING, TRUE, NULL);
2727 break;
2728 case DK_EXIM_ADDRESS_FROM_SENDER:
2729 rc = match_isinlist(US"sender", &arg, 0, NULL,
2730 NULL, MCL_STRING, TRUE, NULL);
2731 break;
2732 case DK_EXIM_ADDRESS_NONE:
2733 rc = match_isinlist(US"none", &arg, 0, NULL,
2734 NULL, MCL_STRING, TRUE, NULL);
2735 break;
71fafd95
PH		 2736 }
2737 break;
2738
2739 case ACLC_DK_POLICY:
fb2274d4
TK		 2740 if (dk_verify_block == NULL) { rc = FAIL; break; };
2741 /* check policy against given string, default FAIL */
2742 rc = FAIL;
2743 if (dk_verify_block->signsall)
2744 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2745 NULL, MCL_STRING, TRUE, NULL);
2746 if (dk_verify_block->testing)
2747 rc = match_isinlist(US"testing", &arg, 0, NULL,
2748 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2749 break;
2750
2751 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2752 if (dk_verify_block == NULL) { rc = FAIL; break; };
2753 if (dk_verify_block->domain != NULL)
2754 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2755 NULL, MCL_DOMAIN, TRUE, NULL);
2756 else rc = FAIL;
71fafd95
PH		 2757 break;
2758
2759 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2760 if (dk_verify_block == NULL) { rc = FAIL; break; };
2761 if (dk_verify_block->local_part != NULL)
2762 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2763 NULL, MCL_LOCALPART, TRUE, NULL);
2764 else rc = FAIL;
71fafd95
PH		 2765 break;
2766
2767 case ACLC_DK_SENDERS:
fb2274d4
TK		 2768 if (dk_verify_block == NULL) { rc = FAIL; break; };
2769 if (dk_verify_block->address != NULL)
2770 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2771 else rc = FAIL;
71fafd95
PH		 2772 break;
2773
2774 case ACLC_DK_STATUS:
fb2274d4
TK		 2775 if (dk_verify_block == NULL) { rc = FAIL; break; };
2776 if (dk_verify_block->result > 0) {
2777 switch(dk_verify_block->result) {
2778 case DK_EXIM_RESULT_BAD_FORMAT:
2779 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2780 NULL, MCL_STRING, TRUE, NULL);
2781 break;
2782 case DK_EXIM_RESULT_NO_KEY:
2783 rc = match_isinlist(US"no key", &arg, 0, NULL,
2784 NULL, MCL_STRING, TRUE, NULL);
2785 break;
2786 case DK_EXIM_RESULT_NO_SIGNATURE:
2787 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2788 NULL, MCL_STRING, TRUE, NULL);
2789 break;
2790 case DK_EXIM_RESULT_REVOKED:
2791 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2792 NULL, MCL_STRING, TRUE, NULL);
2793 break;
2794 case DK_EXIM_RESULT_NON_PARTICIPANT:
2795 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2796 NULL, MCL_STRING, TRUE, NULL);
2797 break;
2798 case DK_EXIM_RESULT_GOOD:
2799 rc = match_isinlist(US"good", &arg, 0, NULL,
2800 NULL, MCL_STRING, TRUE, NULL);
2801 break;
2802 case DK_EXIM_RESULT_BAD:
2803 rc = match_isinlist(US"bad", &arg, 0, NULL,
2804 NULL, MCL_STRING, TRUE, NULL);
2805 break;
71fafd95 2806 }
fb2274d4 2807 }
71fafd95
PH		 2808 break;
2809 #endif
fb2274d4 2810
059ec3d9
PH		 2811 case ACLC_DNSLISTS:
2812 rc = verify_check_dnsbl(&arg);
2813 break;
2814
2815 case ACLC_DOMAINS:
2816 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2817 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2818 break;
2819
2820 /* The value in tls_cipher is the full cipher name, for example,
2821 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2822 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2823 what may in practice come out of the SSL library - which at the time of
2824 writing is poorly documented. */
2825
2826 case ACLC_ENCRYPTED:
2827 if (tls_cipher == NULL) rc = FAIL; else
2828 {
2829 uschar *endcipher = NULL;
2830 uschar *cipher = Ustrchr(tls_cipher, ':');
2831 if (cipher == NULL) cipher = tls_cipher; else
2832 {
2833 endcipher = Ustrchr(++cipher, ':');
2834 if (endcipher != NULL) *endcipher = 0;
2835 }
2836 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2837 if (endcipher != NULL) *endcipher = ':';
2838 }
2839 break;
2840
2841 /* Use verify_check_this_host() instead of verify_check_host() so that
2842 we can pass over &host_data to catch any looked up data. Once it has been
2843 set, it retains its value so that it's still there if another ACL verb
2844 comes through here and uses the cache. However, we must put it into
2845 permanent store in case it is also expected to be used in a subsequent
2846 message in the same SMTP connection. */
2847
2848 case ACLC_HOSTS:
2849 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2850 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2851 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2852 break;
2853
2854 case ACLC_LOCAL_PARTS:
2855 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2856 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2857 &deliver_localpart_data);
2858 break;
2859
6ea85e9a
PH		 2860 case ACLC_LOG_REJECT_TARGET:
2861 {
2862 int logbits = 0;
2863 int sep = 0;
2864 uschar *s = arg;
2865 uschar *ss;
2866 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2867 != NULL)
2868 {
2869 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2870 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2871 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2872 else
2873 {
2874 logbits |= LOG_MAIN|LOG_REJECT;
2875 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2876 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2877 }
2878 }
2879 log_reject_target = logbits;
2880 }
2881 break;
2882
059ec3d9
PH		 2883 case ACLC_LOGWRITE:
2884 {
2885 int logbits = 0;
2886 uschar *s = arg;
2887 if (*s == ':')
2888 {
2889 s++;
2890 while (*s != ':')
2891 {
2892 if (Ustrncmp(s, "main", 4) == 0)
2893 { logbits |= LOG_MAIN; s += 4; }
2894 else if (Ustrncmp(s, "panic", 5) == 0)
2895 { logbits |= LOG_PANIC; s += 5; }
2896 else if (Ustrncmp(s, "reject", 6) == 0)
2897 { logbits |= LOG_REJECT; s += 6; }
2898 else
2899 {
2900 logbits = LOG_MAIN|LOG_PANIC;
2901 s = string_sprintf(":unknown log name in \"%s\" in "
2902 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2903 }
2904 if (*s == ',') s++;
2905 }
2906 s++;
2907 }
2908 while (isspace(*s)) s++;
6ea85e9a
PH		 2909
2910
059ec3d9
PH		 2911 if (logbits == 0) logbits = LOG_MAIN;
2912 log_write(0, logbits, "%s", string_printing(s));
2913 }
2914 break;
8e669ac1 2915
71fafd95 2916 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2917 case ACLC_MALWARE:
2918 {
6ea85e9a 2919 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2920 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2921 /* Run the malware backend. */
2922 rc = malware(&ss);
2923 /* Modify return code based upon the existance of options. */
2924 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2925 != NULL) {
2926 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2927 {
2928 /* FAIL so that the message is passed to the next ACL */
2929 rc = FAIL;
2930 }
2931 }
2932 }
2933 break;
2934
2935 case ACLC_MIME_REGEX:
71fafd95 2936 rc = mime_regex(&arg);
8523533c 2937 break;
71fafd95 2938 #endif
059ec3d9 2939
870f6ba8 2940 case ACLC_RATELIMIT:
90fc3069 2941 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2942 break;
2943
059ec3d9
PH		 2944 case ACLC_RECIPIENTS:
2945 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2946 &recipient_data);
2947 break;
2948
71fafd95
PH		 2949 #ifdef WITH_CONTENT_SCAN
2950 case ACLC_REGEX:
2951 rc = regex(&arg);
8523533c 2952 break;
71fafd95 2953 #endif
8523533c 2954
059ec3d9
PH		 2955 case ACLC_SENDER_DOMAINS:
2956 {
2957 uschar *sdomain;
2958 sdomain = Ustrrchr(sender_address, '@');
2959 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2960 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2961 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2962 }
2963 break;
2964
2965 case ACLC_SENDERS:
2966 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2967 sender_address_cache, -1, 0, &sender_data);
2968 break;
2969
2970 /* Connection variables must persist forever */
2971
2972 case ACLC_SET:
2973 {
2974 int old_pool = store_pool;
38a0a95f
PH		 2975 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2976 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 2977 store_pool = old_pool;
2978 }
2979 break;
2980
71fafd95 2981 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2982 case ACLC_SPAM:
2983 {
2984 /* Seperate the regular expression and any optional parameters. */
2985 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2986 /* Run the spam backend. */
2987 rc = spam(&ss);
2988 /* Modify return code based upon the existance of options. */
2989 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2990 != NULL) {
2991 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2992 {
2993 /* FAIL so that the message is passed to the next ACL */
2994 rc = FAIL;
2995 }
2996 }
2997 }
2998 break;
71fafd95 2999 #endif
8523533c 3000
71fafd95 3001 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 3002 case ACLC_SPF:
3003 rc = spf_process(&arg, sender_address);
3004 break;
71fafd95 3005 #endif
8523533c 3006
059ec3d9
PH		 3007 /* If the verb is WARN, discard any user message from verification, because
3008 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3009 only from explicit "message" modifiers. However, put the user message into
3010 $acl_verify_message so it can be used in subsequent conditions or modifiers
3011 (until something changes it). */
059ec3d9
PH		 3012
3013 case ACLC_VERIFY:
3014 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3015 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3016 if (verb == ACL_WARN) *user_msgptr = NULL;
3017 break;
3018
3019 default:
3020 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3021 "condition %d", cb->type);
3022 break;
3023 }
3024
3025 /* If a condition was negated, invert OK/FAIL. */
3026
3027 if (!cond_modifiers[cb->type] && cb->u.negated)
3028 {
3029 if (rc == OK) rc = FAIL;
3030 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3031 }
3032
3033 if (rc != OK) break; /* Conditions loop */
3034 }
3035
3036
3037/* If the result is the one for which "message" and/or "log_message" are used,
3038handle the values of these options. Most verbs have but a single return for
3039which the messages are relevant, but for "discard", it's useful to have the log
3040message both when it succeeds and when it fails. Also, for an "accept" that
3041appears in a QUIT ACL, we want to handle the user message. Since only "accept"
3042and "warn" are permitted in that ACL, we don't need to test the verb.
3043
3044These modifiers act in different ways:
3045
3046"message" is a user message that will be included in an SMTP response. Unless
3047it is empty, it overrides any previously set user message.
3048
3049"log_message" is a non-user message, and it adds to any existing non-user
3050message that is already set.
3051
3052If there isn't a log message set, we make it the same as the user message. */
3053
3054if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
3055 (verb == ACL_DISCARD && rc == OK) ||
3056 (where == ACL_WHERE_QUIT))
3057 {
3058 uschar *expmessage;
3059
3060 /* If the verb is "warn", messages generated by conditions (verification or
3061 nested ACLs) are discarded. Only messages specified at this level are used.
3062 However, the value of an existing message is available in $acl_verify_message
3063 during expansions. */
3064
3065 uschar *old_user_msgptr = *user_msgptr;
3066 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3067
3068 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
3069
3070 if (user_message != NULL)
3071 {
3072 acl_verify_message = old_user_msgptr;
3073 expmessage = expand_string(user_message);
3074 if (expmessage == NULL)
3075 {
3076 if (!expand_string_forcedfail)
3077 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3078 user_message, expand_string_message);
3079 }
3080 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3081 }
3082
3083 if (log_message != NULL)
3084 {
3085 acl_verify_message = old_log_msgptr;
3086 expmessage = expand_string(log_message);
3087 if (expmessage == NULL)
3088 {
3089 if (!expand_string_forcedfail)
3090 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3091 log_message, expand_string_message);
3092 }
3093 else if (expmessage[0] != 0)
3094 {
3095 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3096 string_sprintf("%s: %s", expmessage, *log_msgptr);
3097 }
3098 }
3099
3100 /* If no log message, default it to the user message */
3101
3102 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3103 }
3104
3105acl_verify_message = NULL;
3106return rc;
3107}
3108
3109
3110
3111
3112
3113/*************************************************
3114* Get line from a literal ACL *
3115*************************************************/
3116
3117/* This function is passed to acl_read() in order to extract individual lines
3118of a literal ACL, which we access via static pointers. We can destroy the
3119contents because this is called only once (the compiled ACL is remembered).
3120
3121This code is intended to treat the data in the same way as lines in the main
3122Exim configuration file. That is:
3123
3124 . Leading spaces are ignored.
3125
3126 . A \ at the end of a line is a continuation - trailing spaces after the \
3127 are permitted (this is because I don't believe in making invisible things
3128 significant). Leading spaces on the continued part of a line are ignored.
3129
3130 . Physical lines starting (significantly) with # are totally ignored, and
3131 may appear within a sequence of backslash-continued lines.
3132
3133 . Blank lines are ignored, but will end a sequence of continuations.
3134
3135Arguments: none
3136Returns: a pointer to the next line
3137*/
3138
3139
3140static uschar *acl_text; /* Current pointer in the text */
3141static uschar *acl_text_end; /* Points one past the terminating '0' */
3142
3143
3144static uschar *
3145acl_getline(void)
3146{
3147uschar *yield;
3148
3149/* This loop handles leading blank lines and comments. */
3150
3151for(;;)
3152 {
3153 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3154 if (*acl_text == 0) return NULL; /* No more data */
3155 yield = acl_text; /* Potential data line */
3156
3157 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3158
3159 /* If we hit the end before a newline, we have the whole logical line. If
3160 it's a comment, there's no more data to be given. Otherwise, yield it. */
3161
3162 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3163
3164 /* After reaching a newline, end this loop if the physical line does not
3165 start with '#'. If it does, it's a comment, and the loop continues. */
3166
3167 if (*yield != '#') break;
3168 }
3169
3170/* This loop handles continuations. We know we have some real data, ending in
3171newline. See if there is a continuation marker at the end (ignoring trailing
3172white space). We know that *yield is not white space, so no need to test for
3173cont > yield in the backwards scanning loop. */
3174
3175for(;;)
3176 {
3177 uschar *cont;
3178 for (cont = acl_text - 1; isspace(*cont); cont--);
3179
3180 /* If no continuation follows, we are done. Mark the end of the line and
3181 return it. */
3182
3183 if (*cont != '\\')
3184 {
3185 *acl_text++ = 0;
3186 return yield;
3187 }
3188
3189 /* We have encountered a continuation. Skip over whitespace at the start of
3190 the next line, and indeed the whole of the next line or lines if they are
3191 comment lines. */
3192
3193 for (;;)
3194 {
3195 while (*(++acl_text) == ' ' || *acl_text == '\t');
3196 if (*acl_text != '#') break;
3197 while (*(++acl_text) != 0 && *acl_text != '\n');
3198 }
3199
3200 /* We have the start of a continuation line. Move all the rest of the data
3201 to join onto the previous line, and then find its end. If the end is not a
3202 newline, we are done. Otherwise loop to look for another continuation. */
3203
3204 memmove(cont, acl_text, acl_text_end - acl_text);
3205 acl_text_end -= acl_text - cont;
3206 acl_text = cont;
3207 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3208 if (*acl_text == 0) return yield;
3209 }
3210
3211/* Control does not reach here */
3212}
3213
3214
3215
3216
3217
3218/*************************************************
3219* Check access using an ACL *
3220*************************************************/
3221
3222/* This function is called from address_check. It may recurse via
3223acl_check_condition() - hence the use of a level to stop looping. The ACL is
3224passed as a string which is expanded. A forced failure implies no access check
3225is required. If the result is a single word, it is taken as the name of an ACL
3226which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3227text, complete with newlines, and parsed as such. In both cases, the ACL check
3228is then run. This function uses an auxiliary function for acl_read() to call
3229for reading individual lines of a literal ACL. This is acl_getline(), which
3230appears immediately above.
3231
3232Arguments:
3233 where where called from
3234 addr address item when called from RCPT; otherwise NULL
3235 s the input string; NULL is the same as an empty ACL => DENY
3236 level the nesting level
3237 user_msgptr where to put a user error (for SMTP response)
3238 log_msgptr where to put a logging message (not for SMTP response)
3239
3240Returns: OK access is granted
3241 DISCARD access is apparently granted...
3242 FAIL access is denied
3243 FAIL_DROP access is denied; drop the connection
3244 DEFER can't tell at the moment
3245 ERROR disaster
3246*/
3247
3248static int
3249acl_check_internal(int where, address_item *addr, uschar *s, int level,
3250 uschar **user_msgptr, uschar **log_msgptr)
3251{
3252int fd = -1;
3253acl_block *acl = NULL;
3254uschar *acl_name = US"inline ACL";
3255uschar *ss;
3256
3257/* Catch configuration loops */
3258
3259if (level > 20)
3260 {
3261 *log_msgptr = US"ACL nested too deep: possible loop";
3262 return ERROR;
3263 }
3264
3265if (s == NULL)
3266 {
3267 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3268 return FAIL;
3269 }
3270
3271/* At top level, we expand the incoming string. At lower levels, it has already
3272been expanded as part of condition processing. */
3273
3274if (level == 0)
3275 {
3276 ss = expand_string(s);
3277 if (ss == NULL)
3278 {
3279 if (expand_string_forcedfail) return OK;
3280 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3281 expand_string_message);
3282 return ERROR;
3283 }
3284 }
3285else ss = s;
3286
3287while (isspace(*ss))ss++;
3288
3289/* If we can't find a named ACL, the default is to parse it as an inline one.
3290(Unless it begins with a slash; non-existent files give rise to an error.) */
3291
3292acl_text = ss;
3293
3294/* Handle the case of a string that does not contain any spaces. Look for a
3295named ACL among those read from the configuration, or a previously read file.
3296It is possible that the pointer to the ACL is NULL if the configuration
3297contains a name with no data. If not found, and the text begins with '/',
3298read an ACL from a file, and save it so it can be re-used. */
3299
3300if (Ustrchr(ss, ' ') == NULL)
3301 {
3302 tree_node *t = tree_search(acl_anchor, ss);
3303 if (t != NULL)
3304 {
3305 acl = (acl_block *)(t->data.ptr);
3306 if (acl == NULL)
3307 {
3308 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3309 return FAIL;
3310 }
3311 acl_name = string_sprintf("ACL \"%s\"", ss);
3312 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3313 }
3314
3315 else if (*ss == '/')
3316 {
3317 struct stat statbuf;
3318 fd = Uopen(ss, O_RDONLY, 0);
3319 if (fd < 0)
3320 {
3321 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3322 strerror(errno));
3323 return ERROR;
3324 }
3325
3326 if (fstat(fd, &statbuf) != 0)
3327 {
3328 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3329 strerror(errno));
3330 return ERROR;
3331 }
3332
3333 acl_text = store_get(statbuf.st_size + 1);
3334 acl_text_end = acl_text + statbuf.st_size + 1;
3335
3336 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3337 {
3338 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3339 ss, strerror(errno));
3340 return ERROR;
3341 }
3342 acl_text[statbuf.st_size] = 0;
f1e894f3 3343 (void)close(fd);
059ec3d9
PH		 3344
3345 acl_name = string_sprintf("ACL \"%s\"", ss);
3346 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3347 }
3348 }
3349
3350/* Parse an ACL that is still in text form. If it came from a file, remember it
3351in the ACL tree, having read it into the POOL_PERM store pool so that it
3352persists between multiple messages. */
3353
3354if (acl == NULL)
3355 {
3356 int old_pool = store_pool;
3357 if (fd >= 0) store_pool = POOL_PERM;
3358 acl = acl_read(acl_getline, log_msgptr);
3359 store_pool = old_pool;
3360 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3361 if (fd >= 0)
3362 {
3363 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3364 Ustrcpy(t->name, ss);
3365 t->data.ptr = acl;
3366 (void)tree_insertnode(&acl_anchor, t);
3367 }
3368 }
3369
3370/* Now we have an ACL to use. It's possible it may be NULL. */
3371
3372while (acl != NULL)
3373 {
3374 int cond;
3375 int basic_errno = 0;
3376 BOOL endpass_seen = FALSE;
3377
3378 *log_msgptr = *user_msgptr = NULL;
3379 acl_temp_details = FALSE;
3380
3381 if (where == ACL_WHERE_QUIT &&
3382 acl->verb != ACL_ACCEPT &&
3383 acl->verb != ACL_WARN)
3384 {
3385 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3386 verbs[acl->verb]);
3387 return ERROR;
3388 }
3389
3390 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3391
3392 /* Clear out any search error message from a previous check before testing
3393 this condition. */
3394
3395 search_error_message = NULL;
3396 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3397 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3398
3399 /* Handle special returns: DEFER causes a return except on a WARN verb;
3400 ERROR always causes a return. */
3401
3402 switch (cond)
3403 {
3404 case DEFER:
3405 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3406 if (basic_errno != ERRNO_CALLOUTDEFER)
3407 {
3408 if (search_error_message != NULL && *search_error_message != 0)
3409 *log_msgptr = search_error_message;
3410 if (smtp_return_error_details) acl_temp_details = TRUE;
3411 }
3412 else
3413 {
3414 acl_temp_details = TRUE;
3415 }
3416 if (acl->verb != ACL_WARN) return DEFER;
3417 break;
3418
3419 default: /* Paranoia */
3420 case ERROR:
3421 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3422 return ERROR;
3423
3424 case OK:
3425 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3426 verbs[acl->verb]);
3427 break;
3428
3429 case FAIL:
3430 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3431 break;
3432
3433 /* DISCARD and DROP can happen only from a nested ACL condition, and
3434 DISCARD can happen only for an "accept" or "discard" verb. */
3435
3436 case DISCARD:
3437 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3438 verbs[acl->verb]);
3439 break;
3440
3441 case FAIL_DROP:
3442 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3443 verbs[acl->verb]);
3444 break;
3445 }
3446
3447 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3448 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3449 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3450
3451 switch(acl->verb)
3452 {
3453 case ACL_ACCEPT:
3454 if (cond == OK || cond == DISCARD) return cond;
3455 if (endpass_seen)
3456 {
3457 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3458 return cond;
3459 }
3460 break;
3461
3462 case ACL_DEFER:
3463 if (cond == OK)
3464 {
3465 acl_temp_details = TRUE;
3466 return DEFER;
3467 }
3468 break;
3469
3470 case ACL_DENY:
3471 if (cond == OK) return FAIL;
3472 break;
3473
3474 case ACL_DISCARD:
3475 if (cond == OK || cond == DISCARD) return DISCARD;
3476 if (endpass_seen)
3477 {
3478 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3479 return cond;
3480 }
3481 break;
3482
3483 case ACL_DROP:
3484 if (cond == OK) return FAIL_DROP;
3485 break;
3486
3487 case ACL_REQUIRE:
3488 if (cond != OK) return cond;
3489 break;
3490
3491 case ACL_WARN:
3492 if (cond == OK)
3493 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3494 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3495 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3496 "condition test deferred%s%s", host_and_ident(TRUE),
3497 (*log_msgptr == NULL)? US"" : US": ",
3498 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3499 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3500 break;
3501
3502 default:
3503 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3504 acl->verb);
3505 break;
3506 }
3507
3508 /* Pass to the next ACL item */
3509
3510 acl = acl->next;
3511 }
3512
3513/* We have reached the end of the ACL. This is an implicit DENY. */
3514
3515HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3516return FAIL;
3517}
3518
3519
3520/*************************************************
3521* Check access using an ACL *
3522*************************************************/
3523
3524/* This is the external interface for ACL checks. It sets up an address and the
3525expansions for $domain and $local_part when called after RCPT, then calls
3526acl_check_internal() to do the actual work.
3527
3528Arguments:
3529 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3530 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3531 s the input string; NULL is the same as an empty ACL => DENY
3532 user_msgptr where to put a user error (for SMTP response)
3533 log_msgptr where to put a logging message (not for SMTP response)
3534
3535Returns: OK access is granted by an ACCEPT verb
3536 DISCARD access is granted by a DISCARD verb
3537 FAIL access is denied
3538 FAIL_DROP access is denied; drop the connection
3539 DEFER can't tell at the moment
3540 ERROR disaster
3541*/
3542
3543int
64ffc24f 3544acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3545 uschar **log_msgptr)
3546{
3547int rc;
3548address_item adb;
64ffc24f 3549address_item *addr = NULL;
059ec3d9
PH		 3550
3551*user_msgptr = *log_msgptr = NULL;
3552sender_verified_failed = NULL;
fe0dab11 3553ratelimiters_cmd = NULL;
6ea85e9a 3554log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3555
3556if (where == ACL_WHERE_RCPT)
3557 {
3558 adb = address_defaults;
3559 addr = &adb;
64ffc24f 3560 addr->address = recipient;
059ec3d9
PH		 3561 if (deliver_split_address(addr) == DEFER)
3562 {
3563 *log_msgptr = US"defer in percent_hack_domains check";
3564 return DEFER;
3565 }
3566 deliver_domain = addr->domain;
3567 deliver_localpart = addr->local_part;
3568 }
059ec3d9
PH		 3569
3570rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3571
64ffc24f
PH		 3572deliver_domain = deliver_localpart = deliver_address_data =
3573 sender_address_data = NULL;
059ec3d9
PH		 3574
3575/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3576ACL, which is really in the middle of an SMTP command. */
3577
3578if (rc == DISCARD)
3579 {
3580 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3581 {
3582 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3583 "ACL", acl_wherenames[where]);
3584 return ERROR;
3585 }
3586 return DISCARD;
3587 }
3588
3589/* A DROP response is not permitted from MAILAUTH */
3590
3591if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3592 {
3593 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3594 "ACL", acl_wherenames[where]);
3595 return ERROR;
3596 }
3597
3598/* Before giving an error response, take a look at the length of any user
3599message, and split it up into multiple lines if possible. */
3600
3601if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3602 {
3603 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3604 uschar *ss = s;
3605
3606 for (;;)
3607 {
3608 int i = 0;
3609 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3610 if (*ss == 0) break;
3611 if (*ss == '\n')
3612 s = ++ss;
3613 else
3614 {
3615 uschar *t = ss + 1;
3616 uschar *tt = NULL;
3617 while (--t > s + 35)
3618 {
3619 if (*t == ' ')
3620 {
3621 if (t[-1] == ':') { tt = t; break; }
3622 if (tt == NULL) tt = t;
3623 }
3624 }
3625
3626 if (tt == NULL) /* Can't split behind - try ahead */
3627 {
3628 t = ss + 1;
3629 while (*t != 0)
3630 {
3631 if (*t == ' ' || *t == '\n')
3632 { tt = t; break; }
3633 t++;
3634 }
3635 }
3636
3637 if (tt == NULL) break; /* Can't find anywhere to split */
3638 *tt = '\n';
3639 s = ss = tt+1;
3640 }
3641 }
3642 }
3643
3644return rc;
3645}
3646
38a0a95f
PH		 3647
3648
3649/*************************************************
3650* Create ACL variable *
3651*************************************************/
3652
3653/* Create an ACL variable or reuse an existing one. ACL variables are in a
3654binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3655
3656Argument:
3657 name pointer to the variable's name, starting with c or m
3658
3659Returns the pointer to variable's tree node
3660*/
3661
3662tree_node *
3663acl_var_create(uschar *name)
3664{
3665tree_node *node, **root;
3666root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3667node = tree_search(*root, name);
3668if (node == NULL)
3669 {
3670 node = store_get(sizeof(tree_node) + Ustrlen(name));
3671 Ustrcpy(node->name, name);
3672 (void)tree_insertnode(root, node);
3673 }
3674node->data.ptr = NULL;
3675return node;
3676}
3677
3678
3679
3680/*************************************************
3681* Write an ACL variable in spool format *
3682*************************************************/
3683
3684/* This function is used as a callback for tree_walk when writing variables to
3685the spool file. To retain spool file compatibility, what is written is -aclc or
3686-aclm followed by the rest of the name and the data length, space separated,
3687then the value itself, starting on a new line, and terminated by an additional
3688newline. When we had only numbered ACL variables, the first line might look
3689like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3690acl_cfoo.
3691
3692Arguments:
3693 name of the variable
3694 value of the variable
3695 ctx FILE pointer (as a void pointer)
3696
3697Returns: nothing
3698*/
3699
3700void
3701acl_var_write(uschar *name, uschar *value, void *ctx)
3702{
3703FILE *f = (FILE *)ctx;
3704fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3705}
3706
059ec3d9 3707/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.