projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update to 4.63.
[exim.git] / src / src / acl.c
CommitLineData
90fc3069 1/* $Cambridge: exim/src/src/acl.c,v 1.59 2006/06/07 15:06:26 fanf2 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
d7d7b7b9 7/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 35follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
36down. */
059ec3d9 37
71fafd95
PH		 38enum { ACLC_ACL,
39 ACLC_ADD_HEADER,
40 ACLC_AUTHENTICATED,
8523533c
TK		 41#ifdef EXPERIMENTAL_BRIGHTMAIL
42 ACLC_BMI_OPTIN,
43#endif
71fafd95
PH		 44 ACLC_CONDITION,
45 ACLC_CONTROL,
8523533c
TK		 46#ifdef WITH_CONTENT_SCAN
47 ACLC_DECODE,
48#endif
49 ACLC_DELAY,
50#ifdef WITH_OLD_DEMIME
51 ACLC_DEMIME,
fb2274d4
TK		 52#endif
53#ifdef EXPERIMENTAL_DOMAINKEYS
54 ACLC_DK_DOMAIN_SOURCE,
55 ACLC_DK_POLICY,
56 ACLC_DK_SENDER_DOMAINS,
57 ACLC_DK_SENDER_LOCAL_PARTS,
58 ACLC_DK_SENDERS,
59 ACLC_DK_STATUS,
8e669ac1 60#endif
71fafd95
PH		 61 ACLC_DNSLISTS,
62 ACLC_DOMAINS,
63 ACLC_ENCRYPTED,
64 ACLC_ENDPASS,
65 ACLC_HOSTS,
66 ACLC_LOCAL_PARTS,
67 ACLC_LOG_MESSAGE,
68 ACLC_LOGWRITE,
8523533c
TK		 69#ifdef WITH_CONTENT_SCAN
70 ACLC_MALWARE,
71#endif
72 ACLC_MESSAGE,
73#ifdef WITH_CONTENT_SCAN
74 ACLC_MIME_REGEX,
75#endif
870f6ba8 76 ACLC_RATELIMIT,
8523533c
TK		 77 ACLC_RECIPIENTS,
78#ifdef WITH_CONTENT_SCAN
79 ACLC_REGEX,
80#endif
71fafd95
PH		 81 ACLC_SENDER_DOMAINS,
82 ACLC_SENDERS,
83 ACLC_SET,
8523533c 84#ifdef WITH_CONTENT_SCAN
8e669ac1 85 ACLC_SPAM,
8523533c
TK		 86#endif
87#ifdef EXPERIMENTAL_SPF
88 ACLC_SPF,
89#endif
90 ACLC_VERIFY };
059ec3d9
PH		 91
92/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
93"log_message", "logwrite", and "set" are modifiers that look like conditions
94but always return TRUE. They are used for their side effects. */
95
9a26b6b2
PH		 96static uschar *conditions[] = {
97 US"acl",
71fafd95 98 US"add_header",
9a26b6b2 99 US"authenticated",
8523533c
TK		 100#ifdef EXPERIMENTAL_BRIGHTMAIL
101 US"bmi_optin",
102#endif
103 US"condition",
8e669ac1 104 US"control",
8523533c
TK		 105#ifdef WITH_CONTENT_SCAN
106 US"decode",
107#endif
108 US"delay",
109#ifdef WITH_OLD_DEMIME
110 US"demime",
fb2274d4
TK		 111#endif
112#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 113 US"dk_domain_source",
114 US"dk_policy",
115 US"dk_sender_domains",
116 US"dk_sender_local_parts",
117 US"dk_senders",
118 US"dk_status",
8523533c
TK		 119#endif
120 US"dnslists", US"domains", US"encrypted",
059ec3d9 121 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 122#ifdef WITH_CONTENT_SCAN
123 US"malware",
124#endif
125 US"message",
126#ifdef WITH_CONTENT_SCAN
127 US"mime_regex",
128#endif
870f6ba8 129 US"ratelimit",
8523533c
TK		 130 US"recipients",
131#ifdef WITH_CONTENT_SCAN
132 US"regex",
133#endif
134 US"sender_domains", US"senders", US"set",
135#ifdef WITH_CONTENT_SCAN
136 US"spam",
137#endif
138#ifdef EXPERIMENTAL_SPF
139 US"spf",
140#endif
059ec3d9 141 US"verify" };
8e669ac1 142
c5fcb476 143
9a26b6b2
PH		 144/* Return values from decode_control(); keep in step with the table of names
145that follows! */
146
147enum {
c46782ef
PH		 148 CONTROL_AUTH_UNADVERTISED,
149 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 150 CONTROL_BMI_RUN,
c46782ef
PH		 151 #endif
152 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 153 CONTROL_DK_VERIFY,
c46782ef
PH		 154 #endif
155 CONTROL_ERROR,
156 CONTROL_CASEFUL_LOCAL_PART,
157 CONTROL_CASELOWER_LOCAL_PART,
158 CONTROL_ENFORCE_SYNC,
159 CONTROL_NO_ENFORCE_SYNC,
160 CONTROL_FREEZE,
161 CONTROL_QUEUE_ONLY,
162 CONTROL_SUBMISSION,
163 CONTROL_SUPPRESS_LOCAL_FIXUPS,
164 #ifdef WITH_CONTENT_SCAN
9a26b6b2 165 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 166 #endif
167 CONTROL_FAKEDEFER,
168 CONTROL_FAKEREJECT,
169 CONTROL_NO_MULTILINE
170};
9a26b6b2 171
8800895a
PH		 172/* ACL control names; keep in step with the table above! This list is used for
173turning ids into names. The actual list of recognized names is in the variable
174control_def controls_list[] below. The fact that there are two lists is a mess
175and should be tidied up. */
9a26b6b2
PH		 176
177static uschar *controls[] = {
c46782ef 178 US"allow_auth_unadvertised",
9a26b6b2
PH		 179 #ifdef EXPERIMENTAL_BRIGHTMAIL
180 US"bmi_run",
181 #endif
182 #ifdef EXPERIMENTAL_DOMAINKEYS
183 US"dk_verify",
184 #endif
c46782ef
PH		 185 US"error",
186 US"caseful_local_part",
187 US"caselower_local_part",
188 US"enforce_sync",
189 US"no_enforce_sync",
190 US"freeze",
191 US"queue_only",
192 US"submission",
193 US"suppress_local_fixups",
9a26b6b2
PH		 194 #ifdef WITH_CONTENT_SCAN
195 US"no_mbox_unspool",
196 #endif
c46782ef
PH		 197 US"no_multiline"
198};
059ec3d9
PH		 199
200/* Flags to indicate for which conditions /modifiers a string expansion is done
201at the outer level. In the other cases, expansion already occurs in the
202checking functions. */
203
204static uschar cond_expand_at_top[] = {
205 TRUE, /* acl */
3e536984 206 TRUE, /* add_header */
059ec3d9 207 FALSE, /* authenticated */
8523533c
TK		 208#ifdef EXPERIMENTAL_BRIGHTMAIL
209 TRUE, /* bmi_optin */
8e669ac1 210#endif
059ec3d9
PH		 211 TRUE, /* condition */
212 TRUE, /* control */
8523533c
TK		 213#ifdef WITH_CONTENT_SCAN
214 TRUE, /* decode */
215#endif
059ec3d9 216 TRUE, /* delay */
8523533c
TK		 217#ifdef WITH_OLD_DEMIME
218 TRUE, /* demime */
fb2274d4
TK		 219#endif
220#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 221 TRUE, /* dk_domain_source */
222 TRUE, /* dk_policy */
223 TRUE, /* dk_sender_domains */
e715ad22 224 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 225 TRUE, /* dk_senders */
226 TRUE, /* dk_status */
8523533c 227#endif
059ec3d9
PH		 228 TRUE, /* dnslists */
229 FALSE, /* domains */
230 FALSE, /* encrypted */
231 TRUE, /* endpass */
232 FALSE, /* hosts */
233 FALSE, /* local_parts */
234 TRUE, /* log_message */
235 TRUE, /* logwrite */
8523533c
TK		 236#ifdef WITH_CONTENT_SCAN
237 TRUE, /* malware */
238#endif
059ec3d9 239 TRUE, /* message */
8523533c
TK		 240#ifdef WITH_CONTENT_SCAN
241 TRUE, /* mime_regex */
242#endif
870f6ba8 243 TRUE, /* ratelimit */
059ec3d9 244 FALSE, /* recipients */
8523533c
TK		 245#ifdef WITH_CONTENT_SCAN
246 TRUE, /* regex */
247#endif
059ec3d9
PH		 248 FALSE, /* sender_domains */
249 FALSE, /* senders */
250 TRUE, /* set */
8523533c
TK		 251#ifdef WITH_CONTENT_SCAN
252 TRUE, /* spam */
253#endif
254#ifdef EXPERIMENTAL_SPF
255 TRUE, /* spf */
256#endif
059ec3d9
PH		 257 TRUE /* verify */
258};
259
260/* Flags to identify the modifiers */
261
262static uschar cond_modifiers[] = {
263 FALSE, /* acl */
3e536984 264 TRUE, /* add_header */
059ec3d9 265 FALSE, /* authenticated */
8523533c
TK		 266#ifdef EXPERIMENTAL_BRIGHTMAIL
267 TRUE, /* bmi_optin */
8e669ac1 268#endif
059ec3d9
PH		 269 FALSE, /* condition */
270 TRUE, /* control */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 FALSE, /* decode */
273#endif
059ec3d9 274 TRUE, /* delay */
8523533c
TK		 275#ifdef WITH_OLD_DEMIME
276 FALSE, /* demime */
fb2274d4
TK		 277#endif
278#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 279 FALSE, /* dk_domain_source */
280 FALSE, /* dk_policy */
281 FALSE, /* dk_sender_domains */
e715ad22 282 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 283 FALSE, /* dk_senders */
284 FALSE, /* dk_status */
8523533c 285#endif
059ec3d9
PH		 286 FALSE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
8523533c
TK		 293 TRUE, /* logwrite */
294#ifdef WITH_CONTENT_SCAN
295 FALSE, /* malware */
296#endif
059ec3d9 297 TRUE, /* message */
8523533c
TK		 298#ifdef WITH_CONTENT_SCAN
299 FALSE, /* mime_regex */
300#endif
870f6ba8 301 FALSE, /* ratelimit */
059ec3d9 302 FALSE, /* recipients */
8523533c
TK		 303#ifdef WITH_CONTENT_SCAN
304 FALSE, /* regex */
305#endif
059ec3d9
PH		 306 FALSE, /* sender_domains */
307 FALSE, /* senders */
308 TRUE, /* set */
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* spam */
311#endif
312#ifdef EXPERIMENTAL_SPF
313 FALSE, /* spf */
314#endif
059ec3d9
PH		 315 FALSE /* verify */
316};
317
c5fcb476 318/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 319each condition, there's a bitmap of dis-allowed times. For some, it is easier
320to specify the negation of a small number of allowed times. */
059ec3d9
PH		 321
322static unsigned int cond_forbids[] = {
323 0, /* acl */
8e669ac1 324
71fafd95
PH		 325 (unsigned int)
326 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
327 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
328 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)),
329
059ec3d9
PH		 330 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
331 (1<<ACL_WHERE_HELO),
8e669ac1 332
71fafd95 333 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 334 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 335 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
336 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 337 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 338 (1<<ACL_WHERE_MAILAUTH)|
339 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
340 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
71fafd95 341 #endif
8e669ac1 342
059ec3d9 343 0, /* condition */
8e669ac1 344
059ec3d9 345 /* Certain types of control are always allowed, so we let it through
2f079f46 346 always and check in the control processing itself. */
8e669ac1 347
059ec3d9 348 0, /* control */
8e669ac1 349
71fafd95 350 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 351 (unsigned int)
352 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 353 #endif
8523533c 354
059ec3d9 355 0, /* delay */
8e669ac1 356
71fafd95 357 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 358 (unsigned int)
359 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 360 #endif
8e669ac1 361
71fafd95 362 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 363 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 364 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
365 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
366 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
367 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
368 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
369 (1<<ACL_WHERE_VRFY),
84330b7b 370
2f079f46 371 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 372 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
373 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
374 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
375 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
376 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
377 (1<<ACL_WHERE_VRFY),
84330b7b 378
2f079f46 379 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 380 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
381 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
382 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
385 (1<<ACL_WHERE_VRFY),
84330b7b 386
2f079f46 387 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 388 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
389 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
390 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
391 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
392 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
393 (1<<ACL_WHERE_VRFY),
84330b7b 394
2f079f46 395 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
84330b7b 402
2f079f46 403 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 404 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
405 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
406 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
407 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
408 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
409 (1<<ACL_WHERE_VRFY),
71fafd95 410 #endif
fb2274d4 411
059ec3d9
PH		 412 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
413
2f079f46
PH		 414 (unsigned int)
415 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH		 416
417 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
418 (1<<ACL_WHERE_HELO),
8e669ac1 419
059ec3d9 420 0, /* endpass */
8e669ac1 421
059ec3d9
PH		 422 (1<<ACL_WHERE_NOTSMTP), /* hosts */
423
2f079f46
PH		 424 (unsigned int)
425 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 426
427 0, /* log_message */
8e669ac1 428
059ec3d9 429 0, /* logwrite */
8e669ac1 430
71fafd95 431 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 432 (unsigned int)
433 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 434 #endif
8523533c 435
059ec3d9
PH		 436 0, /* message */
437
71fafd95 438 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 439 (unsigned int)
440 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 441 #endif
8523533c 442
870f6ba8
TF		 443 0, /* ratelimit */
444
2f079f46
PH		 445 (unsigned int)
446 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 447
71fafd95 448 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 449 (unsigned int)
450 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
451 (1<<ACL_WHERE_MIME)),
71fafd95 452 #endif
8523533c 453
059ec3d9
PH		 454 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
455 (1<<ACL_WHERE_HELO)|
456 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
457 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
458 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
459
460 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
461 (1<<ACL_WHERE_HELO)|
462 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
463 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
464 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
465
466 0, /* set */
467
71fafd95 468 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 469 (unsigned int)
470 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 471 #endif
8523533c 472
71fafd95 473 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 474 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
475 (1<<ACL_WHERE_HELO)|
476 (1<<ACL_WHERE_MAILAUTH)|
477 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
478 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
71fafd95 479 #endif
8523533c 480
059ec3d9
PH		 481 /* Certain types of verify are always allowed, so we let it through
482 always and check in the verify function itself */
483
484 0 /* verify */
059ec3d9
PH		 485};
486
487
c5fcb476
PH		 488/* Bit map vector of which controls are not allowed at certain times. For
489each control, there's a bitmap of dis-allowed times. For some, it is easier to
490specify the negation of a small number of allowed times. */
491
492static unsigned int control_forbids[] = {
c46782ef
PH		 493 (unsigned int)
494 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
495
496 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 497 0, /* bmi_run */
c46782ef
PH		 498 #endif
499
500 #ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 501 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
c46782ef 502 #endif
3e11c26b 503
c5fcb476 504 0, /* error */
8e669ac1
PH		 505
506 (unsigned int)
c5fcb476 507 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 508
509 (unsigned int)
c5fcb476 510 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 511
c5fcb476 512 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 513
c5fcb476 514 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH		 515
516 (unsigned int)
c5fcb476
PH		 517 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
518 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 519 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 520
521 (unsigned int)
c5fcb476
PH		 522 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
523 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 524 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 525
526 (unsigned int)
c5fcb476 527 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 528 (1<<ACL_WHERE_PREDATA)),
8523533c 529
8800895a
PH		 530 (unsigned int)
531 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
532 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_PREDATA)),
533
c46782ef 534 #ifdef WITH_CONTENT_SCAN
8e669ac1 535 (unsigned int)
14d57970 536 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 537 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
538 (1<<ACL_WHERE_MIME)),
c46782ef 539 #endif
a6c4ab60 540
29aba418
TF		 541 (unsigned int)
542 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
543 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
544 (1<<ACL_WHERE_MIME)),
545
8e669ac1 546 (unsigned int)
a6c4ab60 547 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 548 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
549 (1<<ACL_WHERE_MIME)),
8523533c 550
c5fcb476
PH		 551 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
552};
553
554/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 555
556typedef struct control_def {
557 uschar *name;
558 int value; /* CONTROL_xxx value */
059ec3d9
PH		 559 BOOL has_option; /* Has /option(s) following */
560} control_def;
561
562static control_def controls_list[] = {
c46782ef 563 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 564#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 565 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 566#endif
567#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 568 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 569#endif
c46782ef
PH		 570 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
571 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
572 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
573 { US"freeze", CONTROL_FREEZE, TRUE },
574 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
575 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
576 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 577#ifdef WITH_CONTENT_SCAN
c46782ef 578 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 579#endif
c46782ef
PH		 580 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
581 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
582 { US"submission", CONTROL_SUBMISSION, TRUE },
583 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 584 };
585
e5a9dba6
PH		 586/* Support data structures for Client SMTP Authorization. acl_verify_csa()
587caches its result in a tree to avoid repeated DNS queries. The result is an
588integer code which is used as an index into the following tables of
589explanatory strings and verification return codes. */
590
591static tree_node *csa_cache = NULL;
592
593enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
594 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
595
596/* The acl_verify_csa() return code is translated into an acl_verify() return
597code using the following table. It is OK unless the client is definitely not
598authorized. This is because CSA is supposed to be optional for sending sites,
599so recipients should not be too strict about checking it - especially because
600DNS problems are quite likely to occur. It's possible to use $csa_status in
601further ACL conditions to distinguish ok, unknown, and defer if required, but
602the aim is to make the usual configuration simple. */
603
604static int csa_return_code[] = {
605 OK, OK, OK, OK,
606 FAIL, FAIL, FAIL, FAIL
607};
608
609static uschar *csa_status_string[] = {
610 US"unknown", US"ok", US"defer", US"defer",
611 US"fail", US"fail", US"fail", US"fail"
612};
613
614static uschar *csa_reason_string[] = {
615 US"unknown",
616 US"ok",
617 US"deferred (SRV lookup failed)",
618 US"deferred (target address lookup failed)",
619 US"failed (explicit authorization required)",
620 US"failed (host name not authorized)",
621 US"failed (no authorized addresses)",
622 US"failed (client address mismatch)"
623};
624
059ec3d9
PH		 625/* Enable recursion between acl_check_internal() and acl_check_condition() */
626
627static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
628 uschar **);
629
630
631/*************************************************
632* Pick out name from list *
633*************************************************/
634
635/* Use a binary chop method
636
637Arguments:
638 name name to find
639 list list of names
640 end size of list
641
642Returns: offset in list, or -1 if not found
643*/
644
645static int
646acl_checkname(uschar *name, uschar **list, int end)
647{
648int start = 0;
649
650while (start < end)
651 {
652 int mid = (start + end)/2;
653 int c = Ustrcmp(name, list[mid]);
654 if (c == 0) return mid;
655 if (c < 0) end = mid; else start = mid + 1;
656 }
657
658return -1;
659}
660
661
662/*************************************************
663* Read and parse one ACL *
664*************************************************/
665
666/* This function is called both from readconf in order to parse the ACLs in the
667configuration file, and also when an ACL is encountered dynamically (e.g. as
668the result of an expansion). It is given a function to call in order to
669retrieve the lines of the ACL. This function handles skipping comments and
670blank lines (where relevant).
671
672Arguments:
673 func function to get next line of ACL
674 error where to put an error message
675
676Returns: pointer to ACL, or NULL
677 NULL can be legal (empty ACL); in this case error will be NULL
678*/
679
680acl_block *
681acl_read(uschar *(*func)(void), uschar **error)
682{
683acl_block *yield = NULL;
684acl_block **lastp = &yield;
685acl_block *this = NULL;
686acl_condition_block *cond;
687acl_condition_block **condp = NULL;
688uschar *s;
689
690*error = NULL;
691
692while ((s = (*func)()) != NULL)
693 {
694 int v, c;
695 BOOL negated = FALSE;
696 uschar *saveline = s;
697 uschar name[64];
698
699 /* Conditions (but not verbs) are allowed to be negated by an initial
700 exclamation mark. */
701
702 while (isspace(*s)) s++;
703 if (*s == '!')
704 {
705 negated = TRUE;
706 s++;
707 }
708
cf00dad6
PH		 709 /* Read the name of a verb or a condition, or the start of a new ACL, which
710 can be started by a name, or by a macro definition. */
059ec3d9
PH		 711
712 s = readconf_readname(name, sizeof(name), s);
cf00dad6 713 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
059ec3d9
PH		 714
715 /* If a verb is unrecognized, it may be another condition or modifier that
716 continues the previous verb. */
717
718 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
719 if (v < 0)
720 {
721 if (this == NULL)
722 {
723 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
724 return NULL;
725 }
726 }
727
728 /* New verb */
729
730 else
731 {
732 if (negated)
733 {
734 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
735 return NULL;
736 }
737 this = store_get(sizeof(acl_block));
738 *lastp = this;
739 lastp = &(this->next);
740 this->next = NULL;
741 this->verb = v;
742 this->condition = NULL;
743 condp = &(this->condition);
744 if (*s == 0) continue; /* No condition on this line */
745 if (*s == '!')
746 {
747 negated = TRUE;
748 s++;
749 }
750 s = readconf_readname(name, sizeof(name), s); /* Condition name */
751 }
752
753 /* Handle a condition or modifier. */
754
755 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
756 if (c < 0)
757 {
758 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
759 saveline);
760 return NULL;
761 }
762
763 /* The modifiers may not be negated */
764
765 if (negated && cond_modifiers[c])
766 {
767 *error = string_sprintf("ACL error: negation is not allowed with "
768 "\"%s\"", conditions[c]);
769 return NULL;
770 }
771
772 /* ENDPASS may occur only with ACCEPT or DISCARD. */
773
774 if (c == ACLC_ENDPASS &&
775 this->verb != ACL_ACCEPT &&
776 this->verb != ACL_DISCARD)
777 {
778 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
779 conditions[c], verbs[this->verb]);
780 return NULL;
781 }
782
783 cond = store_get(sizeof(acl_condition_block));
784 cond->next = NULL;
785 cond->type = c;
786 cond->u.negated = negated;
787
788 *condp = cond;
789 condp = &(cond->next);
790
791 /* The "set" modifier is different in that its argument is "name=value"
792 rather than just a value, and we can check the validity of the name, which
793 gives us a variable number to insert into the data block. */
794
795 if (c == ACLC_SET)
796 {
47ca6d6c
PH		 797 int offset, max, n;
798 uschar *endptr;
799
800 if (Ustrncmp(s, "acl_", 4) != 0) goto BAD_ACL_VAR;
801 if (s[4] == 'c')
802 {
803 offset = 0;
804 max = ACL_CVARS;
805 }
806 else if (s[4] == 'm')
807 {
808 offset = ACL_CVARS;
809 max = ACL_MVARS;
810 }
811 else goto BAD_ACL_VAR;
812
813 n = Ustrtoul(s + 5, &endptr, 10);
814 if ((*endptr != 0 && *endptr != '=' && !isspace(*endptr)) || n >= max)
059ec3d9 815 {
47ca6d6c
PH		 816 BAD_ACL_VAR:
817 *error = string_sprintf("syntax error or unrecognized name after "
818 "\"set\" in ACL modifier \"set %s\"", s);
059ec3d9
PH		 819 return NULL;
820 }
821
47ca6d6c
PH		 822 cond->u.varnumber = n + offset;
823 s = endptr;
059ec3d9
PH		 824 while (isspace(*s)) s++;
825 }
826
827 /* For "set", we are now positioned for the data. For the others, only
828 "endpass" has no data */
829
830 if (c != ACLC_ENDPASS)
831 {
832 if (*s++ != '=')
833 {
834 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
835 cond_modifiers[c]? US"modifier" : US"condition");
836 return NULL;
837 }
838 while (isspace(*s)) s++;
839 cond->arg = string_copy(s);
840 }
841 }
842
843return yield;
844}
845
846
847
71fafd95
PH		 848/*************************************************
849* Set up added header line(s) *
850*************************************************/
851
852/* This function is called by the add_header modifier, and also from acl_warn()
853to implement the now-deprecated way of adding header lines using "message" on a
854"warn" verb. The argument is treated as a sequence of header lines which are
855added to a chain, provided there isn't an identical one already there.
856
857Argument: string of header lines
858Returns: nothing
859*/
860
861static void
862setup_header(uschar *hstring)
863{
864uschar *p, *q;
865int hlen = Ustrlen(hstring);
866
867/* An empty string does nothing; otherwise add a final newline if necessary. */
868
869if (hlen <= 0) return;
870if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
871
872/* Loop for multiple header lines, taking care about continuations */
873
874for (p = q = hstring; *p != 0; )
875 {
876 uschar *s;
877 int newtype = htype_add_bot;
878 header_line **hptr = &acl_added_headers;
879
880 /* Find next header line within the string */
881
882 for (;;)
883 {
884 q = Ustrchr(q, '\n');
885 if (*(++q) != ' ' && *q != '\t') break;
886 }
887
888 /* If the line starts with a colon, interpret the instruction for where to
889 add it. This temporarily sets up a new type. */
890
891 if (*p == ':')
892 {
893 if (strncmpic(p, US":after_received:", 16) == 0)
894 {
895 newtype = htype_add_rec;
896 p += 16;
897 }
898 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
899 {
900 newtype = htype_add_rfc;
901 p += 14;
902 }
903 else if (strncmpic(p, US":at_start:", 10) == 0)
904 {
905 newtype = htype_add_top;
906 p += 10;
907 }
908 else if (strncmpic(p, US":at_end:", 8) == 0)
909 {
910 newtype = htype_add_bot;
911 p += 8;
912 }
913 while (*p == ' ' || *p == '\t') p++;
914 }
915
916 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
917 to the front of it. */
918
919 for (s = p; s < q - 1; s++)
920 {
921 if (*s == ':' || !isgraph(*s)) break;
922 }
923
924 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
925 hlen = Ustrlen(s);
926
927 /* See if this line has already been added */
928
929 while (*hptr != NULL)
930 {
931 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
932 hptr = &((*hptr)->next);
933 }
934
935 /* Add if not previously present */
936
937 if (*hptr == NULL)
938 {
939 header_line *h = store_get(sizeof(header_line));
940 h->text = s;
941 h->next = NULL;
942 h->type = newtype;
943 h->slen = hlen;
944 *hptr = h;
945 hptr = &(h->next);
946 }
947
948 /* Advance for next header line within the string */
949
950 p = q;
951 }
952}
953
954
955
956
059ec3d9
PH		 957/*************************************************
958* Handle warnings *
959*************************************************/
960
961/* This function is called when a WARN verb's conditions are true. It adds to
962the message's headers, and/or writes information to the log. In each case, this
963only happens once (per message for headers, per connection for log).
964
71fafd95
PH		 965** NOTE: The header adding action using the "message" setting is historic, and
966its use is now deprecated. The new add_header modifier should be used instead.
967
059ec3d9
PH		 968Arguments:
969 where ACL_WHERE_xxxx indicating which ACL this is
970 user_message message for adding to headers
971 log_message message for logging, if different
972
973Returns: nothing
974*/
975
976static void
977acl_warn(int where, uschar *user_message, uschar *log_message)
978{
059ec3d9
PH		 979if (log_message != NULL && log_message != user_message)
980 {
981 uschar *text;
982 string_item *logged;
983
984 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
985 string_printing(log_message));
986
987 /* If a sender verification has failed, and the log message is "sender verify
988 failed", add the failure message. */
989
990 if (sender_verified_failed != NULL &&
991 sender_verified_failed->message != NULL &&
992 strcmpic(log_message, US"sender verify failed") == 0)
993 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
994
9c7a242c
PH		 995 /* Search previously logged warnings. They are kept in malloc
996 store so they can be freed at the start of a new message. */
059ec3d9
PH		 997
998 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
999 if (Ustrcmp(logged->text, text) == 0) break;
1000
1001 if (logged == NULL)
1002 {
1003 int length = Ustrlen(text) + 1;
1004 log_write(0, LOG_MAIN, "%s", text);
1005 logged = store_malloc(sizeof(string_item) + length);
1006 logged->text = (uschar *)logged + sizeof(string_item);
1007 memcpy(logged->text, text, length);
1008 logged->next = acl_warn_logged;
1009 acl_warn_logged = logged;
1010 }
1011 }
1012
1013/* If there's no user message, we are done. */
1014
1015if (user_message == NULL) return;
1016
1017/* If this isn't a message ACL, we can't do anything with a user message.
1018Log an error. */
1019
1020if (where > ACL_WHERE_NOTSMTP)
1021 {
1022 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1023 "found in a non-message (%s) ACL: cannot specify header lines here: "
1024 "message ignored", acl_wherenames[where]);
1025 return;
1026 }
1027
71fafd95
PH		 1028/* The code for setting up header lines is now abstracted into a separate
1029function so that it can be used for the add_header modifier as well. */
059ec3d9 1030
71fafd95 1031setup_header(user_message);
059ec3d9
PH		 1032}
1033
1034
1035
1036/*************************************************
1037* Verify and check reverse DNS *
1038*************************************************/
1039
1040/* Called from acl_verify() below. We look up the host name(s) of the client IP
1041address if this has not yet been done. The host_name_lookup() function checks
1042that one of these names resolves to an address list that contains the client IP
1043address, so we don't actually have to do the check here.
1044
1045Arguments:
1046 user_msgptr pointer for user message
1047 log_msgptr pointer for log message
1048
1049Returns: OK verification condition succeeded
1050 FAIL verification failed
1051 DEFER there was a problem verifying
1052*/
1053
1054static int
1055acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1056{
1057int rc;
1058
1059user_msgptr = user_msgptr; /* stop compiler warning */
1060
1061/* Previous success */
1062
1063if (sender_host_name != NULL) return OK;
1064
1065/* Previous failure */
1066
1067if (host_lookup_failed)
1068 {
1069 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1070 return FAIL;
1071 }
1072
1073/* Need to do a lookup */
1074
1075HDEBUG(D_acl)
1076 debug_printf("looking up host name to force name/address consistency check\n");
1077
1078if ((rc = host_name_lookup()) != OK)
1079 {
1080 *log_msgptr = (rc == DEFER)?
1081 US"host lookup deferred for reverse lookup check"
1082 :
1083 string_sprintf("host lookup failed for reverse lookup check%s",
1084 host_lookup_msg);
1085 return rc; /* DEFER or FAIL */
1086 }
1087
1088host_build_sender_fullhost();
1089return OK;
1090}
1091
1092
1093
e5a9dba6
PH		 1094/*************************************************
1095* Check client IP address matches CSA target *
1096*************************************************/
1097
1098/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1099response for address records belonging to the CSA target hostname. The section
1100is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1101If one of the addresses matches the client's IP address, then the client is
1102authorized by CSA. If there are target IP addresses but none of them match
1103then the client is using an unauthorized IP address. If there are no target IP
1104addresses then the client cannot be using an authorized IP address. (This is
1105an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1106
1107Arguments:
1108 dnsa the DNS answer block
1109 dnss a DNS scan block for us to use
1110 reset option specifing what portion to scan, as described above
1111 target the target hostname to use for matching RR names
1112
1113Returns: CSA_OK successfully authorized
1114 CSA_FAIL_MISMATCH addresses found but none matched
1115 CSA_FAIL_NOADDR no target addresses found
1116*/
1117
1118static int
1119acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1120 uschar *target)
1121{
1122dns_record *rr;
1123dns_address *da;
1124
1125BOOL target_found = FALSE;
1126
1127for (rr = dns_next_rr(dnsa, dnss, reset);
1128 rr != NULL;
1129 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1130 {
1131 /* Check this is an address RR for the target hostname. */
1132
1133 if (rr->type != T_A
1134 #if HAVE_IPV6
1135 && rr->type != T_AAAA
1136 #ifdef SUPPORT_A6
1137 && rr->type != T_A6
1138 #endif
1139 #endif
1140 ) continue;
1141
1142 if (strcmpic(target, rr->name) != 0) continue;
1143
1144 target_found = TRUE;
1145
1146 /* Turn the target address RR into a list of textual IP addresses and scan
1147 the list. There may be more than one if it is an A6 RR. */
1148
1149 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1150 {
1151 /* If the client IP address matches the target IP address, it's good! */
1152
1153 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1154
1155 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1156 }
1157 }
1158
1159/* If we found some target addresses but none of them matched, the client is
1160using an unauthorized IP address, otherwise the target has no authorized IP
1161addresses. */
1162
1163if (target_found) return CSA_FAIL_MISMATCH;
1164else return CSA_FAIL_NOADDR;
1165}
1166
1167
1168
1169/*************************************************
1170* Verify Client SMTP Authorization *
1171*************************************************/
1172
1173/* Called from acl_verify() below. This routine calls dns_lookup_special()
1174to find the CSA SRV record corresponding to the domain argument, or
1175$sender_helo_name if no argument is provided. It then checks that the
1176client is authorized, and that its IP address corresponds to the SRV
1177target's address by calling acl_verify_csa_address() above. The address
1178should have been returned in the DNS response's ADDITIONAL section, but if
1179not we perform another DNS lookup to get it.
1180
1181Arguments:
1182 domain pointer to optional parameter following verify = csa
1183
1184Returns: CSA_UNKNOWN no valid CSA record found
1185 CSA_OK successfully authorized
1186 CSA_FAIL_* client is definitely not authorized
1187 CSA_DEFER_* there was a DNS problem
1188*/
1189
1190static int
1191acl_verify_csa(uschar *domain)
1192{
1193tree_node *t;
1194uschar *found, *p;
1195int priority, weight, port;
1196dns_answer dnsa;
1197dns_scan dnss;
1198dns_record *rr;
1199int rc, type;
1200uschar target[256];
1201
1202/* Work out the domain we are using for the CSA lookup. The default is the
1203client's HELO domain. If the client has not said HELO, use its IP address
1204instead. If it's a local client (exim -bs), CSA isn't applicable. */
1205
1206while (isspace(*domain) && *domain != '\0') ++domain;
1207if (*domain == '\0') domain = sender_helo_name;
1208if (domain == NULL) domain = sender_host_address;
1209if (sender_host_address == NULL) return CSA_UNKNOWN;
1210
1211/* If we have an address literal, strip off the framing ready for turning it
1212into a domain. The framing consists of matched square brackets possibly
1213containing a keyword and a colon before the actual IP address. */
1214
1215if (domain[0] == '[')
1216 {
1217 uschar *start = Ustrchr(domain, ':');
1218 if (start == NULL) start = domain;
1219 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1220 }
1221
1222/* Turn domains that look like bare IP addresses into domains in the reverse
1223DNS. This code also deals with address literals and $sender_host_address. It's
1224not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1225address literals, but it's probably the most friendly thing to do. This is an
1226extension to CSA, so we allow it to be turned off for proper conformance. */
1227
7e66e54d 1228if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1229 {
1230 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1231 dns_build_reverse(domain, target);
1232 domain = target;
1233 }
1234
1235/* Find out if we've already done the CSA check for this domain. If we have,
1236return the same result again. Otherwise build a new cached result structure
1237for this domain. The name is filled in now, and the value is filled in when
1238we return from this function. */
1239
1240t = tree_search(csa_cache, domain);
1241if (t != NULL) return t->data.val;
1242
1243t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1244Ustrcpy(t->name, domain);
1245(void)tree_insertnode(&csa_cache, t);
1246
1247/* Now we are ready to do the actual DNS lookup(s). */
1248
28e6ef29 1249found = domain;
e5a9dba6
PH		 1250switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1251 {
1252 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1253
1254 default:
1255 return t->data.val = CSA_DEFER_SRV;
1256
1257 /* If we found nothing, the client's authorization is unknown. */
1258
1259 case DNS_NOMATCH:
1260 case DNS_NODATA:
1261 return t->data.val = CSA_UNKNOWN;
1262
1263 /* We got something! Go on to look at the reply in more detail. */
1264
1265 case DNS_SUCCEED:
1266 break;
1267 }
1268
1269/* Scan the reply for well-formed CSA SRV records. */
1270
1271for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1272 rr != NULL;
1273 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1274 {
1275 if (rr->type != T_SRV) continue;
1276
1277 /* Extract the numerical SRV fields (p is incremented) */
1278
1279 p = rr->data;
1280 GETSHORT(priority, p);
1281 GETSHORT(weight, p);
1282 GETSHORT(port, p);
1283
1284 DEBUG(D_acl)
1285 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1286
1287 /* Check the CSA version number */
1288
1289 if (priority != 1) continue;
1290
1291 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1292 found by dns_special_lookup() is a parent of the one we asked for), we check
1293 the subdomain assertions in the port field. At the moment there's only one
1294 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1295 SRV records of their own. */
1296
1297 if (found != domain)
1298 {
1299 if (port & 1)
1300 return t->data.val = CSA_FAIL_EXPLICIT;
1301 else
1302 return t->data.val = CSA_UNKNOWN;
1303 }
1304
1305 /* This CSA SRV record refers directly to our domain, so we check the value
1306 in the weight field to work out the domain's authorization. 0 and 1 are
1307 unauthorized; 3 means the client is authorized but we can't check the IP
1308 address in order to authenticate it, so we treat it as unknown; values
1309 greater than 3 are undefined. */
1310
1311 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1312
1313 if (weight > 2) continue;
1314
1315 /* Weight == 2, which means the domain is authorized. We must check that the
1316 client's IP address is listed as one of the SRV target addresses. Save the
1317 target hostname then break to scan the additional data for its addresses. */
1318
1319 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1320 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1321
1322 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1323
1324 break;
1325 }
1326
1327/* If we didn't break the loop then no appropriate records were found. */
1328
1329if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1330
1331/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1332A target of "." indicates there are no valid addresses, so the client cannot
1333be authorized. (This is an odd configuration because weight=2 target=. is
1334equivalent to weight=1, but we check for it in order to keep load off the
1335root name servers.) Note that dn_expand() turns "." into "". */
1336
1337if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1338
1339/* Scan the additional section of the CSA SRV reply for addresses belonging
1340to the target. If the name server didn't return any additional data (e.g.
1341because it does not fully support SRV records), we need to do another lookup
1342to obtain the target addresses; otherwise we have a definitive result. */
1343
1344rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1345if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1346
1347/* The DNS lookup type corresponds to the IP version used by the client. */
1348
1349#if HAVE_IPV6
1350if (Ustrchr(sender_host_address, ':') != NULL)
1351 type = T_AAAA;
1352else
1353#endif /* HAVE_IPV6 */
1354 type = T_A;
1355
1356
1357#if HAVE_IPV6 && defined(SUPPORT_A6)
1358DNS_LOOKUP_AGAIN:
1359#endif
1360
1361switch (dns_lookup(&dnsa, target, type, NULL))
1362 {
1363 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1364
1365 default:
1366 return t->data.val = CSA_DEFER_ADDR;
1367
1368 /* If the query succeeded, scan the addresses and return the result. */
1369
1370 case DNS_SUCCEED:
1371 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1372 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1373 /* else fall through */
1374
1375 /* If the target has no IP addresses, the client cannot have an authorized
1376 IP address. However, if the target site uses A6 records (not AAAA records)
1377 we have to do yet another lookup in order to check them. */
1378
1379 case DNS_NOMATCH:
1380 case DNS_NODATA:
1381
1382 #if HAVE_IPV6 && defined(SUPPORT_A6)
1383 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1384 #endif
1385
1386 return t->data.val = CSA_FAIL_NOADDR;
1387 }
1388}
1389
1390
1391
059ec3d9
PH		 1392/*************************************************
1393* Handle verification (address & other) *
1394*************************************************/
1395
1396/* This function implements the "verify" condition. It is called when
1397encountered in any ACL, because some tests are almost always permitted. Some
1398just don't make sense, and always fail (for example, an attempt to test a host
1399lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1400
1401Arguments:
1402 where where called from
1403 addr the recipient address that the ACL is handling, or NULL
1404 arg the argument of "verify"
1405 user_msgptr pointer for user message
1406 log_msgptr pointer for log message
1407 basic_errno where to put verify errno
1408
1409Returns: OK verification condition succeeded
1410 FAIL verification failed
1411 DEFER there was a problem verifying
1412 ERROR syntax error
1413*/
1414
1415static int
1416acl_verify(int where, address_item *addr, uschar *arg,
1417 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1418{
1419int sep = '/';
1420int callout = -1;
1421int callout_overall = -1;
4deaf07d 1422int callout_connect = -1;
059ec3d9
PH		 1423int verify_options = 0;
1424int rc;
1425BOOL verify_header_sender = FALSE;
1426BOOL defer_ok = FALSE;
1427BOOL callout_defer_ok = FALSE;
1428BOOL no_details = FALSE;
eafd343b 1429BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1430address_item *sender_vaddr = NULL;
1431uschar *verify_sender_address = NULL;
1432uschar *pm_mailfrom = NULL;
1433uschar *se_mailfrom = NULL;
596875b3
PH		 1434
1435/* Some of the verify items have slash-separated options; some do not. Diagnose
1436an error if options are given for items that don't expect them. This code has
1437now got very message. Refactoring to use a table would be a good idea one day.
1438*/
1439
1440uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1441uschar *list = arg;
1442uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1443
1444if (ss == NULL) goto BAD_VERIFY;
1445
1446/* Handle name/address consistency verification in a separate function. */
1447
1448if (strcmpic(ss, US"reverse_host_lookup") == 0)
1449 {
596875b3 1450 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1451 if (sender_host_address == NULL) return OK;
1452 return acl_verify_reverse(user_msgptr, log_msgptr);
1453 }
1454
1455/* TLS certificate verification is done at STARTTLS time; here we just
1456test whether it was successful or not. (This is for optional verification; for
1457mandatory verification, the connection doesn't last this long.) */
1458
1459if (strcmpic(ss, US"certificate") == 0)
1460 {
596875b3 1461 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1462 if (tls_certificate_verified) return OK;
1463 *user_msgptr = US"no verified certificate";
1464 return FAIL;
1465 }
1466
d7b47fd0
PH		 1467/* We can test the result of optional HELO verification that might have
1468occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1469
596875b3
PH		 1470if (strcmpic(ss, US"helo") == 0)
1471 {
1472 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1473 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1474 return helo_verified? OK : FAIL;
596875b3 1475 }
059ec3d9 1476
e5a9dba6
PH		 1477/* Do Client SMTP Authorization checks in a separate function, and turn the
1478result code into user-friendly strings. */
1479
1480if (strcmpic(ss, US"csa") == 0)
1481 {
1482 rc = acl_verify_csa(list);
1483 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1484 csa_reason_string[rc]);
1485 csa_status = csa_status_string[rc];
1486 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1487 return csa_return_code[rc];
1488 }
1489
596875b3
PH		 1490/* Check that all relevant header lines have the correct syntax. If there is
1491a syntax error, we return details of the error to the sender if configured to
1492send out full details. (But a "message" setting on the ACL can override, as
1493always). */
059ec3d9 1494
596875b3 1495if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1496 {
596875b3 1497 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1498 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1499 rc = verify_check_headers(log_msgptr);
1500 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1501 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1502 return rc;
1503 }
059ec3d9 1504
1c41c9cc
PH		 1505/* Check that no recipient of this message is "blind", that is, every envelope
1506recipient must be mentioned in either To: or Cc:. */
1507
1508if (strcmpic(ss, US"not_blind") == 0)
1509 {
1510 if (slash != NULL) goto NO_OPTIONS;
1511 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1512 rc = verify_check_notblind();
1513 if (rc != OK)
1514 {
1515 *log_msgptr = string_sprintf("bcc recipient detected");
1516 if (smtp_return_error_details)
1517 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1518 }
1519 return rc;
1520 }
059ec3d9 1521
596875b3
PH		 1522/* The remaining verification tests check recipient and sender addresses,
1523either from the envelope or from the header. There are a number of
1524slash-separated options that are common to all of them. */
059ec3d9 1525
059ec3d9 1526
596875b3
PH		 1527/* Check that there is at least one verifiable sender address in the relevant
1528header lines. This can be followed by callout and defer options, just like
1529sender and recipient. */
059ec3d9 1530
596875b3
PH		 1531if (strcmpic(ss, US"header_sender") == 0)
1532 {
1c41c9cc 1533 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1534 verify_header_sender = TRUE;
059ec3d9
PH		 1535 }
1536
1537/* Otherwise, first item in verify argument must be "sender" or "recipient".
1538In the case of a sender, this can optionally be followed by an address to use
1539in place of the actual sender (rare special-case requirement). */
1540
1541else if (strncmpic(ss, US"sender", 6) == 0)
1542 {
1543 uschar *s = ss + 6;
1544 if (where > ACL_WHERE_NOTSMTP)
1545 {
1546 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1547 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1548 acl_wherenames[where]);
1549 return ERROR;
1550 }
1551 if (*s == 0)
1552 verify_sender_address = sender_address;
1553 else
1554 {
1555 while (isspace(*s)) s++;
1556 if (*s++ != '=') goto BAD_VERIFY;
1557 while (isspace(*s)) s++;
1558 verify_sender_address = string_copy(s);
1559 }
1560 }
1561else
1562 {
1563 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1564 if (addr == NULL)
1565 {
1566 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1567 "(only possible for RCPT)", acl_wherenames[where]);
1568 return ERROR;
1569 }
1570 }
1571
596875b3
PH		 1572/* Remaining items are optional; they apply to sender and recipient
1573verification, including "header sender" verification. */
059ec3d9
PH		 1574
1575while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1576 != NULL)
1577 {
1578 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1579 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1580 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1581
1582 /* These two old options are left for backwards compatibility */
1583
1584 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1585 {
1586 callout_defer_ok = TRUE;
1587 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1588 }
1589
1590 else if (strcmpic(ss, US"check_postmaster") == 0)
1591 {
1592 pm_mailfrom = US"";
1593 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1594 }
1595
1596 /* The callout option has a number of sub-options, comma separated */
1597
1598 else if (strncmpic(ss, US"callout", 7) == 0)
1599 {
1600 callout = CALLOUT_TIMEOUT_DEFAULT;
1601 ss += 7;
1602 if (*ss != 0)
1603 {
1604 while (isspace(*ss)) ss++;
1605 if (*ss++ == '=')
1606 {
1607 int optsep = ',';
1608 uschar *opt;
1609 uschar buffer[256];
1610 while (isspace(*ss)) ss++;
8e669ac1
PH		 1611
1612 /* This callout option handling code has become a mess as new options
1613 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1614 kind of table-driven thing. */
8e669ac1 1615
059ec3d9
PH		 1616 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1617 != NULL)
1618 {
1619 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1620 else if (strcmpic(opt, US"no_cache") == 0)
1621 verify_options |= vopt_callout_no_cache;
1622 else if (strcmpic(opt, US"random") == 0)
1623 verify_options |= vopt_callout_random;
1624 else if (strcmpic(opt, US"use_sender") == 0)
1625 verify_options |= vopt_callout_recipsender;
1626 else if (strcmpic(opt, US"use_postmaster") == 0)
1627 verify_options |= vopt_callout_recippmaster;
1628 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1629 else if (strcmpic(opt, US"fullpostmaster") == 0)
1630 {
1631 pm_mailfrom = US"";
1632 verify_options |= vopt_callout_fullpm;
1633 }
059ec3d9
PH		 1634
1635 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1636 {
1637 if (!verify_header_sender)
1638 {
1639 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1640 "callout option only for verify=header_sender (detected in ACL "
1641 "condition \"%s\")", arg);
1642 return ERROR;
1643 }
1644 opt += 8;
1645 while (isspace(*opt)) opt++;
1646 if (*opt++ != '=')
1647 {
1648 *log_msgptr = string_sprintf("'=' expected after "
1649 "\"mailfrom\" in ACL condition \"%s\"", arg);
1650 return ERROR;
1651 }
1652 while (isspace(*opt)) opt++;
1653 se_mailfrom = string_copy(opt);
1654 }
1655
1656 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1657 {
1658 opt += 19;
1659 while (isspace(*opt)) opt++;
1660 if (*opt++ != '=')
1661 {
1662 *log_msgptr = string_sprintf("'=' expected after "
1663 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1664 return ERROR;
1665 }
1666 while (isspace(*opt)) opt++;
1667 pm_mailfrom = string_copy(opt);
1668 }
1669
1670 else if (strncmpic(opt, US"maxwait", 7) == 0)
1671 {
1672 opt += 7;
1673 while (isspace(*opt)) opt++;
1674 if (*opt++ != '=')
1675 {
1676 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1677 "ACL condition \"%s\"", arg);
1678 return ERROR;
1679 }
1680 while (isspace(*opt)) opt++;
1681 callout_overall = readconf_readtime(opt, 0, FALSE);
1682 if (callout_overall < 0)
1683 {
1684 *log_msgptr = string_sprintf("bad time value in ACL condition "
1685 "\"verify %s\"", arg);
1686 return ERROR;
1687 }
1688 }
4deaf07d
PH		 1689 else if (strncmpic(opt, US"connect", 7) == 0)
1690 {
1691 opt += 7;
1692 while (isspace(*opt)) opt++;
1693 if (*opt++ != '=')
1694 {
1695 *log_msgptr = string_sprintf("'=' expected after "
1696 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1697 return ERROR;
1698 }
1699 while (isspace(*opt)) opt++;
1700 callout_connect = readconf_readtime(opt, 0, FALSE);
1701 if (callout_connect < 0)
1702 {
1703 *log_msgptr = string_sprintf("bad time value in ACL condition "
1704 "\"verify %s\"", arg);
1705 return ERROR;
1706 }
1707 }
059ec3d9
PH		 1708 else /* Plain time is callout connect/command timeout */
1709 {
1710 callout = readconf_readtime(opt, 0, FALSE);
1711 if (callout < 0)
1712 {
1713 *log_msgptr = string_sprintf("bad time value in ACL condition "
1714 "\"verify %s\"", arg);
1715 return ERROR;
1716 }
1717 }
1718 }
1719 }
1720 else
1721 {
1722 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1723 "ACL condition \"%s\"", arg);
1724 return ERROR;
1725 }
1726 }
1727 }
1728
1729 /* Option not recognized */
1730
1731 else
1732 {
1733 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1734 "condition \"verify %s\"", ss, arg);
1735 return ERROR;
1736 }
1737 }
1738
1739if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1740 (vopt_callout_recipsender|vopt_callout_recippmaster))
1741 {
1742 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1743 "for a recipient callout";
1744 return ERROR;
1745 }
1746
1747/* Handle sender-in-header verification. Default the user message to the log
1748message if giving out verification details. */
1749
1750if (verify_header_sender)
1751 {
8e669ac1 1752 int verrno;
059ec3d9 1753 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1754 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1755 &verrno);
1756 if (rc != OK)
8e669ac1 1757 {
fe5b5d0b
PH		 1758 *basic_errno = verrno;
1759 if (smtp_return_error_details)
1760 {
1761 if (*user_msgptr == NULL && *log_msgptr != NULL)
1762 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1763 if (rc == DEFER) acl_temp_details = TRUE;
1764 }
8e669ac1 1765 }
059ec3d9
PH		 1766 }
1767
1768/* Handle a sender address. The default is to verify *the* sender address, but
1769optionally a different address can be given, for special requirements. If the
1770address is empty, we are dealing with a bounce message that has no sender, so
1771we cannot do any checking. If the real sender address gets rewritten during
1772verification (e.g. DNS widening), set the flag to stop it being rewritten again
1773during message reception.
1774
1775A list of verified "sender" addresses is kept to try to avoid doing to much
1776work repetitively when there are multiple recipients in a message and they all
1777require sender verification. However, when callouts are involved, it gets too
1778complicated because different recipients may require different callout options.
1779Therefore, we always do a full sender verify when any kind of callout is
1780specified. Caching elsewhere, for instance in the DNS resolver and in the
1781callout handling, should ensure that this is not terribly inefficient. */
1782
1783else if (verify_sender_address != NULL)
1784 {
1785 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1786 != 0)
1787 {
1788 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1789 "sender verify callout";
1790 return ERROR;
1791 }
1792
1793 sender_vaddr = verify_checked_sender(verify_sender_address);
1794 if (sender_vaddr != NULL && /* Previously checked */
1795 callout <= 0) /* No callout needed this time */
1796 {
1797 /* If the "routed" flag is set, it means that routing worked before, so
1798 this check can give OK (the saved return code value, if set, belongs to a
1799 callout that was done previously). If the "routed" flag is not set, routing
1800 must have failed, so we use the saved return code. */
1801
1802 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1803 {
1804 rc = sender_vaddr->special_action;
1805 *basic_errno = sender_vaddr->basic_errno;
1806 }
1807 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1808 }
1809
1810 /* Do a new verification, and cache the result. The cache is used to avoid
1811 verifying the sender multiple times for multiple RCPTs when callouts are not
1812 specified (see comments above).
1813
1814 The cache is also used on failure to give details in response to the first
1815 RCPT that gets bounced for this reason. However, this can be suppressed by
1816 the no_details option, which sets the flag that says "this detail has already
1817 been sent". The cache normally contains just one address, but there may be
1818 more in esoteric circumstances. */
1819
1820 else
1821 {
1822 BOOL routed = TRUE;
2a3eea10 1823 uschar *save_address_data = deliver_address_data;
8e669ac1 1824
059ec3d9
PH		 1825 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1826 if (no_details) setflag(sender_vaddr, af_sverify_told);
1827 if (verify_sender_address[0] != 0)
1828 {
1829 /* If this is the real sender address, save the unrewritten version
1830 for use later in receive. Otherwise, set a flag so that rewriting the
1831 sender in verify_address() does not update sender_address. */
1832
1833 if (verify_sender_address == sender_address)
1834 sender_address_unrewritten = sender_address;
1835 else
1836 verify_options |= vopt_fake_sender;
1837
eafd343b
TK		 1838 if (success_on_redirect)
1839 verify_options |= vopt_success_on_redirect;
1840
059ec3d9
PH		 1841 /* The recipient, qualify, and expn options are never set in
1842 verify_options. */
1843
1844 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1845 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1846
1847 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1848
1849 if (rc == OK)
1850 {
1851 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1852 {
1853 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1854 verify_sender_address, sender_vaddr->address);
1855 }
1856 else
1857 {
1858 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1859 verify_sender_address);
1860 }
1861 }
1862 else *basic_errno = sender_vaddr->basic_errno;
1863 }
1864 else rc = OK; /* Null sender */
1865
1866 /* Cache the result code */
1867
1868 if (routed) setflag(sender_vaddr, af_verify_routed);
1869 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1870 sender_vaddr->special_action = rc;
1871 sender_vaddr->next = sender_verified_list;
1872 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1873
1874 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1875 the sender verification. */
8e669ac1 1876
2a3eea10 1877 deliver_address_data = save_address_data;
059ec3d9 1878 }
8e669ac1 1879
2a3eea10
PH		 1880 /* Put the sender address_data value into $sender_address_data */
1881
8e669ac1 1882 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1883 }
1884
1885/* A recipient address just gets a straightforward verify; again we must handle
1886the DEFER overrides. */
1887
1888else
1889 {
1890 address_item addr2;
1891
eafd343b
TK		 1892 if (success_on_redirect)
1893 verify_options |= vopt_success_on_redirect;
1894
059ec3d9
PH		 1895 /* We must use a copy of the address for verification, because it might
1896 get rewritten. */
1897
1898 addr2 = *addr;
1899 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1900 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1901 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1902
059ec3d9 1903 *log_msgptr = addr2.message;
8e669ac1 1904 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1905 addr2.user_message : addr2.message;
059ec3d9
PH		 1906 *basic_errno = addr2.basic_errno;
1907
1908 /* Make $address_data visible */
1909 deliver_address_data = addr2.p.address_data;
1910 }
1911
1912/* We have a result from the relevant test. Handle defer overrides first. */
1913
1914if (rc == DEFER && (defer_ok ||
1915 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1916 {
1917 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1918 defer_ok? "defer_ok" : "callout_defer_ok");
1919 rc = OK;
1920 }
1921
1922/* If we've failed a sender, set up a recipient message, and point
1923sender_verified_failed to the address item that actually failed. */
1924
1925if (rc != OK && verify_sender_address != NULL)
1926 {
1927 if (rc != DEFER)
1928 {
1929 *log_msgptr = *user_msgptr = US"Sender verify failed";
1930 }
1931 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1932 {
1933 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1934 }
1935 else
1936 {
1937 *log_msgptr = US"Could not complete sender verify callout";
1938 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1939 *log_msgptr;
1940 }
1941
1942 sender_verified_failed = sender_vaddr;
1943 }
1944
1945/* Verifying an address messes up the values of $domain and $local_part,
1946so reset them before returning if this is a RCPT ACL. */
1947
1948if (addr != NULL)
1949 {
1950 deliver_domain = addr->domain;
1951 deliver_localpart = addr->local_part;
1952 }
1953return rc;
1954
1955/* Syntax errors in the verify argument come here. */
1956
1957BAD_VERIFY:
1958*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1959 "\"helo\", \"header_syntax\", \"header_sender\" or "
1960 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1961 "\"verify %s\"", arg);
1962return ERROR;
596875b3
PH		 1963
1964/* Options supplied when not allowed come here */
1965
1966NO_OPTIONS:
1967*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1968 "(this verify item has no options)", arg);
1969return ERROR;
1c41c9cc
PH		 1970
1971/* Calls in the wrong ACL come here */
1972
1973WRONG_ACL:
1974*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1975 "(only possible in ACL for DATA)", acl_wherenames[where]);
1976return ERROR;
059ec3d9
PH		 1977}
1978
1979
1980
1981
1982/*************************************************
1983* Check argument for control= modifier *
1984*************************************************/
1985
1986/* Called from acl_check_condition() below
1987
1988Arguments:
1989 arg the argument string for control=
1990 pptr set to point to the terminating character
1991 where which ACL we are in
1992 log_msgptr for error messages
1993
1994Returns: CONTROL_xxx value
1995*/
1996
1997static int
1998decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1999{
2000int len;
2001control_def *d;
2002
2003for (d = controls_list;
2004 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2005 d++)
2006 {
2007 len = Ustrlen(d->name);
2008 if (Ustrncmp(d->name, arg, len) == 0) break;
2009 }
2010
2011if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2012 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2013 {
2014 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2015 return CONTROL_ERROR;
2016 }
2017
059ec3d9
PH		 2018*pptr = arg + len;
2019return d->value;
2020}
2021
2022
2023
870f6ba8
TF		 2024/*************************************************
2025* Handle rate limiting *
2026*************************************************/
2027
2028/* Called by acl_check_condition() below to calculate the result
2029of the ACL ratelimit condition.
2030
2031Note that the return value might be slightly unexpected: if the
2032sender's rate is above the limit then the result is OK. This is
2033similar to the dnslists condition, and is so that you can write
2034ACL clauses like: defer ratelimit = 15 / 1h
2035
2036Arguments:
2037 arg the option string for ratelimit=
90fc3069 2038 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2039 log_msgptr for error messages
2040
2041Returns: OK - Sender's rate is above limit
2042 FAIL - Sender's rate is below limit
2043 DEFER - Problem opening ratelimit database
2044 ERROR - Syntax error in options.
2045*/
2046
2047static int
90fc3069 2048acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2049{
2050double limit, period;
f3dcf4a2 2051uschar *ss, *key;
870f6ba8
TF		 2052int sep = '/';
2053BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2054BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2055int old_pool, rc;
2056tree_node **anchor, *t;
2057open_db dbblock, *dbm;
2058dbdata_ratelimit *dbd;
2059struct timeval tv;
2060
2061/* Parse the first two options and record their values in expansion
2062variables. These variables allow the configuration to have informative
2063error messages based on rate limits obtained from a table lookup. */
2064
2065/* First is the maximum number of messages per period and maximum burst
2066size, which must be greater than or equal to zero. Zero is useful for
2067rate measurement as opposed to rate limiting. */
2068
2069sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2070if (sender_rate_limit == NULL)
2071 limit = -1.0;
2072else
2073 {
2074 limit = Ustrtod(sender_rate_limit, &ss);
2075 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2076 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2077 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2078 }
2079if (limit < 0.0 || *ss != 0)
2080 {
2081 *log_msgptr = string_sprintf("syntax error in argument for "
2082 "\"ratelimit\" condition: \"%s\" is not a positive number",
2083 sender_rate_limit);
2084 return ERROR;
2085 }
2086
f3dcf4a2
TF		 2087/* We use the rest of the argument list following the limit as the
2088lookup key, because it doesn't make sense to use the same stored data
2089if the period or options are different. */
2090
2091key = arg;
2092
870f6ba8
TF		 2093/* Second is the rate measurement period and exponential smoothing time
2094constant. This must be strictly greater than zero, because zero leads to
2095run-time division errors. */
2096
2097sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2098if (sender_rate_period == NULL) period = -1.0;
2099else period = readconf_readtime(sender_rate_period, 0, FALSE);
2100if (period <= 0.0)
2101 {
2102 *log_msgptr = string_sprintf("syntax error in argument for "
2103 "\"ratelimit\" condition: \"%s\" is not a time value",
2104 sender_rate_period);
2105 return ERROR;
2106 }
2107
2108/* Parse the other options. Should we check if the per_* options are being
2109used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2110
2111while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2112 != NULL)
2113 {
2114 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2115 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2116 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2117 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2118 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2119 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2120 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2121 else have_key = TRUE;
2122 }
2123if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2124 {
2125 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2126 return ERROR;
2127 }
2128
2129/* Default option values */
2130if (!strict) leaky = TRUE;
2131if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2132
f3dcf4a2 2133/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2134sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2135
2136if (!have_key && sender_host_address != NULL)
2137 key = string_sprintf("%s / %s", key, sender_host_address);
2138
2139HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2140 limit, period, key);
2141
fe0dab11 2142/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2143per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2144so that they survive across resets. */
2145
2146anchor = NULL;
2147old_pool = store_pool;
2148
2149if (per_conn)
2150 {
2151 anchor = &ratelimiters_conn;
2152 store_pool = POOL_PERM;
2153 }
fe0dab11 2154else if (per_mail || per_byte)
870f6ba8 2155 anchor = &ratelimiters_mail;
fe0dab11
TF		 2156else if (per_cmd)
2157 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2158
2159if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2160 {
2161 dbd = t->data.ptr;
2162 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2163 if (dbd->rate < limit) rc = FAIL;
2164 else rc = OK;
870f6ba8
TF		 2165 store_pool = old_pool;
2166 sender_rate = string_sprintf("%.1f", dbd->rate);
2167 HDEBUG(D_acl)
2168 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2169 return rc;
2170 }
2171
2172/* We aren't using a pre-computed rate, so get a previously recorded
2173rate from the database, update it, and write it back. If there's no
2174previous rate for this key, create one. */
2175
2176dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2177if (dbm == NULL)
2178 {
2179 store_pool = old_pool;
2180 sender_rate = NULL;
2181 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2182 *log_msgptr = US"ratelimit database not available";
2183 return DEFER;
2184 }
2185dbd = dbfn_read(dbm, key);
2186
2187gettimeofday(&tv, NULL);
2188
2189if (dbd == NULL)
2190 {
2191 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2192 dbd = store_get(sizeof(dbdata_ratelimit));
2193 dbd->time_stamp = tv.tv_sec;
2194 dbd->time_usec = tv.tv_usec;
2195 dbd->rate = 0.0;
2196 }
2197else
2198 {
2199 /* The smoothed rate is computed using an exponentially weighted moving
2200 average adjusted for variable sampling intervals. The standard EWMA for
2201 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2202 where f() is the measured value and f'() is the smoothed value.
2203
2204 Old data decays out of the smoothed value exponentially, such that data n
2205 samples old is multiplied by a^n. The exponential decay time constant p
2206 is defined such that data p samples old is multiplied by 1/e, which means
2207 that a = exp(-1/p). We can maintain the same time constant for a variable
2208 sampling interval i by using a = exp(-i/p).
2209
2210 The rate we are measuring is messages per period, suitable for directly
2211 comparing with the limit. The average rate between now and the previous
2212 message is period / interval, which we feed into the EWMA as the sample.
2213
2214 It turns out that the number of messages required for the smoothed rate
2215 to reach the limit when they are sent in a burst is equal to the limit.
2216 This can be seen by analysing the value of the smoothed rate after N
2217 messages sent at even intervals. Let k = (1 - a) * p/i
2218
2219 rate_1 = (1 - a) * p/i + a * rate_0
2220 = k + a * rate_0
2221 rate_2 = k + a * rate_1
2222 = k + a * k + a^2 * rate_0
2223 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2224 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2225 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2226 = rate_0 * a^N + p/i * (1 - a^N)
2227
2228 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2229
2230 rate_N = p/i + (rate_0 - p/i) * a^N
2231 a^N = (rate_N - p/i) / (rate_0 - p/i)
2232 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2233 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2234
2235 Numerical analysis of the above equation, setting the computed rate to
2236 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2237 rates, p/i, the number of messages N = limit. So limit serves as both the
2238 maximum rate measured in messages per period, and the maximum number of
2239 messages that can be sent in a fast burst. */
2240
2241 double this_time = (double)tv.tv_sec
2242 + (double)tv.tv_usec / 1000000.0;
2243 double prev_time = (double)dbd->time_stamp
2244 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2245
2246 /* We must avoid division by zero, and deal gracefully with the clock going
2247 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2248 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2249
e5d5a95f
TF		 2250 double interval = this_time - prev_time <= 0.0 ? 1e-9
2251 : this_time - prev_time;
2252
2253 double i_over_p = interval / period;
2254 double a = exp(-i_over_p);
870f6ba8
TF		 2255
2256 dbd->time_stamp = tv.tv_sec;
2257 dbd->time_usec = tv.tv_usec;
2258
2259 /* If we are measuring the rate in bytes per period, multiply the
2260 measured rate by the message size. If we don't know the message size
2261 then it's safe to just use a value of zero and let the recorded rate
2262 decay as if nothing happened. */
2263
2264 if (per_byte)
2265 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2266 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2267 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2268 dbd->rate = (double)recipients_count
2269 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2270 else
2271 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2272 }
2273
3348576f
TF		 2274/* Clients sending at the limit are considered to be over the limit. This
2275matters for edge cases such the first message sent by a client (which gets
2276the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2277be completely blocked). */
2278
2279if (dbd->rate < limit) rc = FAIL;
2280 else rc = OK;
870f6ba8
TF		 2281
2282/* Update the state if the rate is low or if we are being strict. If we
2283are in leaky mode and the sender's rate is too high, we do not update
2284the recorded rate in order to avoid an over-aggressive sender's retry
2285rate preventing them from getting any email through. */
2286
2287if (rc == FAIL || !leaky)
2288 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2289dbfn_close(dbm);
2290
2291/* Store the result in the tree for future reference, if necessary. */
2292
2293if (anchor != NULL)
2294 {
2295 t = store_get(sizeof(tree_node) + Ustrlen(key));
2296 t->data.ptr = dbd;
2297 Ustrcpy(t->name, key);
2298 (void)tree_insertnode(anchor, t);
2299 }
2300
2301/* We create the formatted version of the sender's rate very late in
2302order to ensure that it is done using the correct storage pool. */
2303
2304store_pool = old_pool;
2305sender_rate = string_sprintf("%.1f", dbd->rate);
2306
2307HDEBUG(D_acl)
2308 debug_printf("ratelimit computed rate %s\n", sender_rate);
2309
2310return rc;
2311}
2312
2313
2314
059ec3d9
PH		 2315/*************************************************
2316* Handle conditions/modifiers on an ACL item *
2317*************************************************/
2318
2319/* Called from acl_check() below.
2320
2321Arguments:
2322 verb ACL verb
2323 cb ACL condition block - if NULL, result is OK
2324 where where called from
2325 addr the address being checked for RCPT, or NULL
2326 level the nesting level
2327 epp pointer to pass back TRUE if "endpass" encountered
2328 (applies only to "accept" and "discard")
2329 user_msgptr user message pointer
2330 log_msgptr log message pointer
2331 basic_errno pointer to where to put verify error
2332
2333Returns: OK - all conditions are met
2334 DISCARD - an "acl" condition returned DISCARD - only allowed
2335 for "accept" or "discard" verbs
2336 FAIL - at least one condition fails
2337 FAIL_DROP - an "acl" condition returned FAIL_DROP
2338 DEFER - can't tell at the moment (typically, lookup defer,
2339 but can be temporary callout problem)
2340 ERROR - ERROR from nested ACL or expansion failure or other
2341 error
2342*/
2343
2344static int
2345acl_check_condition(int verb, acl_condition_block *cb, int where,
2346 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2347 uschar **log_msgptr, int *basic_errno)
2348{
2349uschar *user_message = NULL;
2350uschar *log_message = NULL;
2351uschar *p;
2352int rc = OK;
8523533c
TK		 2353#ifdef WITH_CONTENT_SCAN
2354int sep = '/';
2355#endif
059ec3d9
PH		 2356
2357for (; cb != NULL; cb = cb->next)
2358 {
2359 uschar *arg;
8e669ac1 2360 int control_type;
059ec3d9
PH		 2361
2362 /* The message and log_message items set up messages to be used in
2363 case of rejection. They are expanded later. */
2364
2365 if (cb->type == ACLC_MESSAGE)
2366 {
2367 user_message = cb->arg;
2368 continue;
2369 }
2370
2371 if (cb->type == ACLC_LOG_MESSAGE)
2372 {
2373 log_message = cb->arg;
2374 continue;
2375 }
2376
2377 /* The endpass "condition" just sets a flag to show it occurred. This is
2378 checked at compile time to be on an "accept" or "discard" item. */
2379
2380 if (cb->type == ACLC_ENDPASS)
2381 {
2382 *epp = TRUE;
2383 continue;
2384 }
2385
2386 /* For other conditions and modifiers, the argument is expanded now for some
2387 of them, but not for all, because expansion happens down in some lower level
2388 checking functions in some cases. */
2389
2390 if (cond_expand_at_top[cb->type])
2391 {
2392 arg = expand_string(cb->arg);
2393 if (arg == NULL)
2394 {
2395 if (expand_string_forcedfail) continue;
2396 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2397 cb->arg, expand_string_message);
2398 return search_find_defer? DEFER : ERROR;
2399 }
2400 }
2401 else arg = cb->arg;
2402
2403 /* Show condition, and expanded condition if it's different */
2404
2405 HDEBUG(D_acl)
2406 {
2407 int lhswidth = 0;
2408 debug_printf("check %s%s %n",
2409 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2410 conditions[cb->type], &lhswidth);
2411
2412 if (cb->type == ACLC_SET)
2413 {
2414 int n = cb->u.varnumber;
47ca6d6c
PH		 2415 int t = (n < ACL_CVARS)? 'c' : 'm';
2416 if (n >= ACL_CVARS) n -= ACL_CVARS;
059ec3d9
PH		 2417 debug_printf("acl_%c%d ", t, n);
2418 lhswidth += 7;
2419 }
2420
2421 debug_printf("= %s\n", cb->arg);
2422
2423 if (arg != cb->arg)
2424 debug_printf("%.*s= %s\n", lhswidth,
2425 US" ", CS arg);
2426 }
2427
2428 /* Check that this condition makes sense at this time */
2429
2430 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2431 {
2432 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2433 cond_modifiers[cb->type]? "use" : "test",
2434 conditions[cb->type], acl_wherenames[where]);
2435 return ERROR;
2436 }
2437
2438 /* Run the appropriate test for each condition, or take the appropriate
2439 action for the remaining modifiers. */
2440
2441 switch(cb->type)
2442 {
71fafd95
PH		 2443 case ACLC_ADD_HEADER:
2444 setup_header(arg);
2445 break;
2446
059ec3d9
PH		 2447 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2448 "discard" verb. */
71fafd95 2449
059ec3d9
PH		 2450 case ACLC_ACL:
2451 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2452 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2453 {
2454 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2455 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2456 verbs[verb]);
2457 return ERROR;
2458 }
2459 break;
2460
2461 case ACLC_AUTHENTICATED:
2462 rc = (sender_host_authenticated == NULL)? FAIL :
2463 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2464 TRUE, NULL);
2465 break;
2466
71fafd95 2467 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2468 case ACLC_BMI_OPTIN:
2469 {
2470 int old_pool = store_pool;
2471 store_pool = POOL_PERM;
2472 bmi_current_optin = string_copy(arg);
2473 store_pool = old_pool;
2474 }
2475 break;
71fafd95 2476 #endif
8523533c 2477
059ec3d9
PH		 2478 case ACLC_CONDITION:
2479 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2480 rc = (Uatoi(arg) == 0)? FAIL : OK;
2481 else
2482 rc = (strcmpic(arg, US"no") == 0 ||
2483 strcmpic(arg, US"false") == 0)? FAIL :
2484 (strcmpic(arg, US"yes") == 0 ||
2485 strcmpic(arg, US"true") == 0)? OK : DEFER;
2486 if (rc == DEFER)
2487 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2488 break;
2489
2490 case ACLC_CONTROL:
c5fcb476
PH		 2491 control_type = decode_control(arg, &p, where, log_msgptr);
2492
8523533c 2493 /* Check if this control makes sense at this time */
c5fcb476
PH		 2494
2495 if ((control_forbids[control_type] & (1 << where)) != 0)
2496 {
2497 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2498 controls[control_type], acl_wherenames[where]);
2499 return ERROR;
8e669ac1 2500 }
c5fcb476
PH		 2501
2502 switch(control_type)
059ec3d9 2503 {
c46782ef
PH		 2504 case CONTROL_AUTH_UNADVERTISED:
2505 allow_auth_unadvertised = TRUE;
2506 break;
2507
2508 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2509 case CONTROL_BMI_RUN:
2510 bmi_run = 1;
2511 break;
c46782ef
PH		 2512 #endif
2513
2514 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2515 case CONTROL_DK_VERIFY:
2516 dk_do_verify = 1;
2517 break;
c46782ef
PH		 2518 #endif
2519
059ec3d9
PH		 2520 case CONTROL_ERROR:
2521 return ERROR;
2522
2523 case CONTROL_CASEFUL_LOCAL_PART:
2524 deliver_localpart = addr->cc_local_part;
2525 break;
2526
2527 case CONTROL_CASELOWER_LOCAL_PART:
2528 deliver_localpart = addr->lc_local_part;
2529 break;
2530
2531 case CONTROL_ENFORCE_SYNC:
2532 smtp_enforce_sync = TRUE;
2533 break;
2534
2535 case CONTROL_NO_ENFORCE_SYNC:
2536 smtp_enforce_sync = FALSE;
2537 break;
2538
c46782ef 2539 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2540 case CONTROL_NO_MBOX_UNSPOOL:
2541 no_mbox_unspool = TRUE;
2542 break;
c46782ef 2543 #endif
8523533c 2544
059ec3d9
PH		 2545 case CONTROL_NO_MULTILINE:
2546 no_multiline_responses = TRUE;
2547 break;
2548
29aba418 2549 case CONTROL_FAKEDEFER:
8523533c 2550 case CONTROL_FAKEREJECT:
29aba418 2551 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2552 if (*p == '/')
8e669ac1 2553 {
8523533c 2554 uschar *pp = p + 1;
8e669ac1 2555 while (*pp != 0) pp++;
29aba418 2556 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2557 p = pp;
2558 }
2559 else
2560 {
2561 /* Explicitly reset to default string */
29aba418 2562 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2563 }
2564 break;
8523533c 2565
059ec3d9
PH		 2566 case CONTROL_FREEZE:
2567 deliver_freeze = TRUE;
2568 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2569 freeze_tell = freeze_tell_config; /* Reset to configured value */
2570 if (Ustrncmp(p, "/no_tell", 8) == 0)
2571 {
2572 p += 8;
2573 freeze_tell = NULL;
2574 }
2575 if (*p != 0)
2576 {
2577 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2578 return ERROR;
2579 }
059ec3d9
PH		 2580 break;
2581
2582 case CONTROL_QUEUE_ONLY:
2583 queue_only_policy = TRUE;
2584 break;
2585
2586 case CONTROL_SUBMISSION:
87ba3f5f 2587 originator_name = US"";
059ec3d9 2588 submission_mode = TRUE;
69358f02 2589 while (*p == '/')
8e669ac1 2590 {
69358f02
PH		 2591 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2592 {
2593 p += 14;
2594 active_local_sender_retain = TRUE;
8e669ac1
PH		 2595 active_local_from_check = FALSE;
2596 }
69358f02
PH		 2597 else if (Ustrncmp(p, "/domain=", 8) == 0)
2598 {
2599 uschar *pp = p + 8;
8e669ac1 2600 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2601 submission_domain = string_copyn(p+8, pp-p-8);
2602 p = pp;
2603 }
8857ccfd
PH		 2604 /* The name= option must be last, because it swallows the rest of
2605 the string. */
87ba3f5f
PH		 2606 else if (Ustrncmp(p, "/name=", 6) == 0)
2607 {
2608 uschar *pp = p + 6;
8857ccfd 2609 while (*pp != 0) pp++;
2fe1a124 2610 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2611 big_buffer, big_buffer_size));
8e669ac1 2612 p = pp;
69358f02 2613 }
8e669ac1
PH		 2614 else break;
2615 }
69358f02 2616 if (*p != 0)
059ec3d9 2617 {
69358f02 2618 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2619 return ERROR;
2620 }
2621 break;
8800895a
PH		 2622
2623 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2624 suppress_local_fixups = TRUE;
2625 break;
059ec3d9
PH		 2626 }
2627 break;
2628
71fafd95 2629 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2630 case ACLC_DECODE:
2631 rc = mime_decode(&arg);
2632 break;
71fafd95 2633 #endif
8523533c 2634
059ec3d9
PH		 2635 case ACLC_DELAY:
2636 {
2637 int delay = readconf_readtime(arg, 0, FALSE);
2638 if (delay < 0)
2639 {
2640 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2641 "modifier: \"%s\" is not a time value", arg);
2642 return ERROR;
2643 }
2644 else
2645 {
2646 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2647 delay);
2648 if (host_checking)
2649 {
2650 HDEBUG(D_acl)
2651 debug_printf("delay skipped in -bh checking mode\n");
2652 }
010c2d14
PH		 2653
2654 /* It appears to be impossible to detect that a TCP/IP connection has
2655 gone away without reading from it. This means that we cannot shorten
2656 the delay below if the client goes away, because we cannot discover
2657 that the client has closed its end of the connection. (The connection
2658 is actually in a half-closed state, waiting for the server to close its
2659 end.) It would be nice to be able to detect this state, so that the
2660 Exim process is not held up unnecessarily. However, it seems that we
2661 can't. The poll() function does not do the right thing, and in any case
2662 it is not always available.
2663
2664 NOTE: If ever this state of affairs changes, remember that we may be
2665 dealing with stdin/stdout here, in addition to TCP/IP connections.
2666 Whatever is done must work in both cases. To detected the stdin/stdout
2667 case, check for smtp_in or smtp_out being NULL. */
2668
8e669ac1 2669 else
86b8287f
PH		 2670 {
2671 while (delay > 0) delay = sleep(delay);
8e669ac1 2672 }
059ec3d9
PH		 2673 }
2674 }
2675 break;
2676
71fafd95 2677 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2678 case ACLC_DEMIME:
2679 rc = demime(&arg);
2680 break;
71fafd95 2681 #endif
8523533c 2682
71fafd95
PH		 2683 #ifdef EXPERIMENTAL_DOMAINKEYS
2684 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2685 if (dk_verify_block == NULL) { rc = FAIL; break; };
2686 /* check header source of domain against given string */
2687 switch (dk_verify_block->address_source) {
2688 case DK_EXIM_ADDRESS_FROM_FROM:
2689 rc = match_isinlist(US"from", &arg, 0, NULL,
2690 NULL, MCL_STRING, TRUE, NULL);
2691 break;
2692 case DK_EXIM_ADDRESS_FROM_SENDER:
2693 rc = match_isinlist(US"sender", &arg, 0, NULL,
2694 NULL, MCL_STRING, TRUE, NULL);
2695 break;
2696 case DK_EXIM_ADDRESS_NONE:
2697 rc = match_isinlist(US"none", &arg, 0, NULL,
2698 NULL, MCL_STRING, TRUE, NULL);
2699 break;
71fafd95
PH		 2700 }
2701 break;
2702
2703 case ACLC_DK_POLICY:
fb2274d4
TK		 2704 if (dk_verify_block == NULL) { rc = FAIL; break; };
2705 /* check policy against given string, default FAIL */
2706 rc = FAIL;
2707 if (dk_verify_block->signsall)
2708 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2709 NULL, MCL_STRING, TRUE, NULL);
2710 if (dk_verify_block->testing)
2711 rc = match_isinlist(US"testing", &arg, 0, NULL,
2712 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2713 break;
2714
2715 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2716 if (dk_verify_block == NULL) { rc = FAIL; break; };
2717 if (dk_verify_block->domain != NULL)
2718 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2719 NULL, MCL_DOMAIN, TRUE, NULL);
2720 else rc = FAIL;
71fafd95
PH		 2721 break;
2722
2723 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2724 if (dk_verify_block == NULL) { rc = FAIL; break; };
2725 if (dk_verify_block->local_part != NULL)
2726 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2727 NULL, MCL_LOCALPART, TRUE, NULL);
2728 else rc = FAIL;
71fafd95
PH		 2729 break;
2730
2731 case ACLC_DK_SENDERS:
fb2274d4
TK		 2732 if (dk_verify_block == NULL) { rc = FAIL; break; };
2733 if (dk_verify_block->address != NULL)
2734 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2735 else rc = FAIL;
71fafd95
PH		 2736 break;
2737
2738 case ACLC_DK_STATUS:
fb2274d4
TK		 2739 if (dk_verify_block == NULL) { rc = FAIL; break; };
2740 if (dk_verify_block->result > 0) {
2741 switch(dk_verify_block->result) {
2742 case DK_EXIM_RESULT_BAD_FORMAT:
2743 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2744 NULL, MCL_STRING, TRUE, NULL);
2745 break;
2746 case DK_EXIM_RESULT_NO_KEY:
2747 rc = match_isinlist(US"no key", &arg, 0, NULL,
2748 NULL, MCL_STRING, TRUE, NULL);
2749 break;
2750 case DK_EXIM_RESULT_NO_SIGNATURE:
2751 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2752 NULL, MCL_STRING, TRUE, NULL);
2753 break;
2754 case DK_EXIM_RESULT_REVOKED:
2755 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2756 NULL, MCL_STRING, TRUE, NULL);
2757 break;
2758 case DK_EXIM_RESULT_NON_PARTICIPANT:
2759 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2760 NULL, MCL_STRING, TRUE, NULL);
2761 break;
2762 case DK_EXIM_RESULT_GOOD:
2763 rc = match_isinlist(US"good", &arg, 0, NULL,
2764 NULL, MCL_STRING, TRUE, NULL);
2765 break;
2766 case DK_EXIM_RESULT_BAD:
2767 rc = match_isinlist(US"bad", &arg, 0, NULL,
2768 NULL, MCL_STRING, TRUE, NULL);
2769 break;
71fafd95 2770 }
fb2274d4 2771 }
71fafd95
PH		 2772 break;
2773 #endif
fb2274d4 2774
059ec3d9
PH		 2775 case ACLC_DNSLISTS:
2776 rc = verify_check_dnsbl(&arg);
2777 break;
2778
2779 case ACLC_DOMAINS:
2780 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2781 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2782 break;
2783
2784 /* The value in tls_cipher is the full cipher name, for example,
2785 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2786 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2787 what may in practice come out of the SSL library - which at the time of
2788 writing is poorly documented. */
2789
2790 case ACLC_ENCRYPTED:
2791 if (tls_cipher == NULL) rc = FAIL; else
2792 {
2793 uschar *endcipher = NULL;
2794 uschar *cipher = Ustrchr(tls_cipher, ':');
2795 if (cipher == NULL) cipher = tls_cipher; else
2796 {
2797 endcipher = Ustrchr(++cipher, ':');
2798 if (endcipher != NULL) *endcipher = 0;
2799 }
2800 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2801 if (endcipher != NULL) *endcipher = ':';
2802 }
2803 break;
2804
2805 /* Use verify_check_this_host() instead of verify_check_host() so that
2806 we can pass over &host_data to catch any looked up data. Once it has been
2807 set, it retains its value so that it's still there if another ACL verb
2808 comes through here and uses the cache. However, we must put it into
2809 permanent store in case it is also expected to be used in a subsequent
2810 message in the same SMTP connection. */
2811
2812 case ACLC_HOSTS:
2813 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2814 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2815 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2816 break;
2817
2818 case ACLC_LOCAL_PARTS:
2819 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2820 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2821 &deliver_localpart_data);
2822 break;
2823
2824 case ACLC_LOGWRITE:
2825 {
2826 int logbits = 0;
2827 uschar *s = arg;
2828 if (*s == ':')
2829 {
2830 s++;
2831 while (*s != ':')
2832 {
2833 if (Ustrncmp(s, "main", 4) == 0)
2834 { logbits |= LOG_MAIN; s += 4; }
2835 else if (Ustrncmp(s, "panic", 5) == 0)
2836 { logbits |= LOG_PANIC; s += 5; }
2837 else if (Ustrncmp(s, "reject", 6) == 0)
2838 { logbits |= LOG_REJECT; s += 6; }
2839 else
2840 {
2841 logbits = LOG_MAIN|LOG_PANIC;
2842 s = string_sprintf(":unknown log name in \"%s\" in "
2843 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2844 }
2845 if (*s == ',') s++;
2846 }
2847 s++;
2848 }
2849 while (isspace(*s)) s++;
2850 if (logbits == 0) logbits = LOG_MAIN;
2851 log_write(0, logbits, "%s", string_printing(s));
2852 }
2853 break;
8e669ac1 2854
71fafd95 2855 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2856 case ACLC_MALWARE:
2857 {
2858 /* Seperate the regular expression and any optional parameters. */
2859 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2860 /* Run the malware backend. */
2861 rc = malware(&ss);
2862 /* Modify return code based upon the existance of options. */
2863 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2864 != NULL) {
2865 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2866 {
2867 /* FAIL so that the message is passed to the next ACL */
2868 rc = FAIL;
2869 }
2870 }
2871 }
2872 break;
2873
2874 case ACLC_MIME_REGEX:
71fafd95 2875 rc = mime_regex(&arg);
8523533c 2876 break;
71fafd95 2877 #endif
059ec3d9 2878
870f6ba8 2879 case ACLC_RATELIMIT:
90fc3069 2880 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2881 break;
2882
059ec3d9
PH		 2883 case ACLC_RECIPIENTS:
2884 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2885 &recipient_data);
2886 break;
2887
71fafd95
PH		 2888 #ifdef WITH_CONTENT_SCAN
2889 case ACLC_REGEX:
2890 rc = regex(&arg);
8523533c 2891 break;
71fafd95 2892 #endif
8523533c 2893
059ec3d9
PH		 2894 case ACLC_SENDER_DOMAINS:
2895 {
2896 uschar *sdomain;
2897 sdomain = Ustrrchr(sender_address, '@');
2898 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2899 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2900 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2901 }
2902 break;
2903
2904 case ACLC_SENDERS:
2905 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2906 sender_address_cache, -1, 0, &sender_data);
2907 break;
2908
2909 /* Connection variables must persist forever */
2910
2911 case ACLC_SET:
2912 {
2913 int old_pool = store_pool;
47ca6d6c 2914 if (cb->u.varnumber < ACL_CVARS) store_pool = POOL_PERM;
059ec3d9
PH		 2915 acl_var[cb->u.varnumber] = string_copy(arg);
2916 store_pool = old_pool;
2917 }
2918 break;
2919
71fafd95 2920 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2921 case ACLC_SPAM:
2922 {
2923 /* Seperate the regular expression and any optional parameters. */
2924 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2925 /* Run the spam backend. */
2926 rc = spam(&ss);
2927 /* Modify return code based upon the existance of options. */
2928 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2929 != NULL) {
2930 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2931 {
2932 /* FAIL so that the message is passed to the next ACL */
2933 rc = FAIL;
2934 }
2935 }
2936 }
2937 break;
71fafd95 2938 #endif
8523533c 2939
71fafd95 2940 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 2941 case ACLC_SPF:
2942 rc = spf_process(&arg, sender_address);
2943 break;
71fafd95 2944 #endif
8523533c 2945
059ec3d9
PH		 2946 /* If the verb is WARN, discard any user message from verification, because
2947 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 2948 only from explicit "message" modifiers. However, put the user message into
2949 $acl_verify_message so it can be used in subsequent conditions or modifiers
2950 (until something changes it). */
059ec3d9
PH		 2951
2952 case ACLC_VERIFY:
2953 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2954 acl_verify_message = *user_msgptr;
059ec3d9
PH		 2955 if (verb == ACL_WARN) *user_msgptr = NULL;
2956 break;
2957
2958 default:
2959 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2960 "condition %d", cb->type);
2961 break;
2962 }
2963
2964 /* If a condition was negated, invert OK/FAIL. */
2965
2966 if (!cond_modifiers[cb->type] && cb->u.negated)
2967 {
2968 if (rc == OK) rc = FAIL;
2969 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2970 }
2971
2972 if (rc != OK) break; /* Conditions loop */
2973 }
2974
2975
2976/* If the result is the one for which "message" and/or "log_message" are used,
2977handle the values of these options. Most verbs have but a single return for
2978which the messages are relevant, but for "discard", it's useful to have the log
2979message both when it succeeds and when it fails. Also, for an "accept" that
2980appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2981and "warn" are permitted in that ACL, we don't need to test the verb.
2982
2983These modifiers act in different ways:
2984
2985"message" is a user message that will be included in an SMTP response. Unless
2986it is empty, it overrides any previously set user message.
2987
2988"log_message" is a non-user message, and it adds to any existing non-user
2989message that is already set.
2990
2991If there isn't a log message set, we make it the same as the user message. */
2992
2993if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2994 (verb == ACL_DISCARD && rc == OK) ||
2995 (where == ACL_WHERE_QUIT))
2996 {
2997 uschar *expmessage;
2998
2999 /* If the verb is "warn", messages generated by conditions (verification or
3000 nested ACLs) are discarded. Only messages specified at this level are used.
3001 However, the value of an existing message is available in $acl_verify_message
3002 during expansions. */
3003
3004 uschar *old_user_msgptr = *user_msgptr;
3005 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3006
3007 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
3008
3009 if (user_message != NULL)
3010 {
3011 acl_verify_message = old_user_msgptr;
3012 expmessage = expand_string(user_message);
3013 if (expmessage == NULL)
3014 {
3015 if (!expand_string_forcedfail)
3016 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3017 user_message, expand_string_message);
3018 }
3019 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3020 }
3021
3022 if (log_message != NULL)
3023 {
3024 acl_verify_message = old_log_msgptr;
3025 expmessage = expand_string(log_message);
3026 if (expmessage == NULL)
3027 {
3028 if (!expand_string_forcedfail)
3029 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3030 log_message, expand_string_message);
3031 }
3032 else if (expmessage[0] != 0)
3033 {
3034 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3035 string_sprintf("%s: %s", expmessage, *log_msgptr);
3036 }
3037 }
3038
3039 /* If no log message, default it to the user message */
3040
3041 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3042 }
3043
3044acl_verify_message = NULL;
3045return rc;
3046}
3047
3048
3049
3050
3051
3052/*************************************************
3053* Get line from a literal ACL *
3054*************************************************/
3055
3056/* This function is passed to acl_read() in order to extract individual lines
3057of a literal ACL, which we access via static pointers. We can destroy the
3058contents because this is called only once (the compiled ACL is remembered).
3059
3060This code is intended to treat the data in the same way as lines in the main
3061Exim configuration file. That is:
3062
3063 . Leading spaces are ignored.
3064
3065 . A \ at the end of a line is a continuation - trailing spaces after the \
3066 are permitted (this is because I don't believe in making invisible things
3067 significant). Leading spaces on the continued part of a line are ignored.
3068
3069 . Physical lines starting (significantly) with # are totally ignored, and
3070 may appear within a sequence of backslash-continued lines.
3071
3072 . Blank lines are ignored, but will end a sequence of continuations.
3073
3074Arguments: none
3075Returns: a pointer to the next line
3076*/
3077
3078
3079static uschar *acl_text; /* Current pointer in the text */
3080static uschar *acl_text_end; /* Points one past the terminating '0' */
3081
3082
3083static uschar *
3084acl_getline(void)
3085{
3086uschar *yield;
3087
3088/* This loop handles leading blank lines and comments. */
3089
3090for(;;)
3091 {
3092 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3093 if (*acl_text == 0) return NULL; /* No more data */
3094 yield = acl_text; /* Potential data line */
3095
3096 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3097
3098 /* If we hit the end before a newline, we have the whole logical line. If
3099 it's a comment, there's no more data to be given. Otherwise, yield it. */
3100
3101 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3102
3103 /* After reaching a newline, end this loop if the physical line does not
3104 start with '#'. If it does, it's a comment, and the loop continues. */
3105
3106 if (*yield != '#') break;
3107 }
3108
3109/* This loop handles continuations. We know we have some real data, ending in
3110newline. See if there is a continuation marker at the end (ignoring trailing
3111white space). We know that *yield is not white space, so no need to test for
3112cont > yield in the backwards scanning loop. */
3113
3114for(;;)
3115 {
3116 uschar *cont;
3117 for (cont = acl_text - 1; isspace(*cont); cont--);
3118
3119 /* If no continuation follows, we are done. Mark the end of the line and
3120 return it. */
3121
3122 if (*cont != '\\')
3123 {
3124 *acl_text++ = 0;
3125 return yield;
3126 }
3127
3128 /* We have encountered a continuation. Skip over whitespace at the start of
3129 the next line, and indeed the whole of the next line or lines if they are
3130 comment lines. */
3131
3132 for (;;)
3133 {
3134 while (*(++acl_text) == ' ' || *acl_text == '\t');
3135 if (*acl_text != '#') break;
3136 while (*(++acl_text) != 0 && *acl_text != '\n');
3137 }
3138
3139 /* We have the start of a continuation line. Move all the rest of the data
3140 to join onto the previous line, and then find its end. If the end is not a
3141 newline, we are done. Otherwise loop to look for another continuation. */
3142
3143 memmove(cont, acl_text, acl_text_end - acl_text);
3144 acl_text_end -= acl_text - cont;
3145 acl_text = cont;
3146 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3147 if (*acl_text == 0) return yield;
3148 }
3149
3150/* Control does not reach here */
3151}
3152
3153
3154
3155
3156
3157/*************************************************
3158* Check access using an ACL *
3159*************************************************/
3160
3161/* This function is called from address_check. It may recurse via
3162acl_check_condition() - hence the use of a level to stop looping. The ACL is
3163passed as a string which is expanded. A forced failure implies no access check
3164is required. If the result is a single word, it is taken as the name of an ACL
3165which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3166text, complete with newlines, and parsed as such. In both cases, the ACL check
3167is then run. This function uses an auxiliary function for acl_read() to call
3168for reading individual lines of a literal ACL. This is acl_getline(), which
3169appears immediately above.
3170
3171Arguments:
3172 where where called from
3173 addr address item when called from RCPT; otherwise NULL
3174 s the input string; NULL is the same as an empty ACL => DENY
3175 level the nesting level
3176 user_msgptr where to put a user error (for SMTP response)
3177 log_msgptr where to put a logging message (not for SMTP response)
3178
3179Returns: OK access is granted
3180 DISCARD access is apparently granted...
3181 FAIL access is denied
3182 FAIL_DROP access is denied; drop the connection
3183 DEFER can't tell at the moment
3184 ERROR disaster
3185*/
3186
3187static int
3188acl_check_internal(int where, address_item *addr, uschar *s, int level,
3189 uschar **user_msgptr, uschar **log_msgptr)
3190{
3191int fd = -1;
3192acl_block *acl = NULL;
3193uschar *acl_name = US"inline ACL";
3194uschar *ss;
3195
3196/* Catch configuration loops */
3197
3198if (level > 20)
3199 {
3200 *log_msgptr = US"ACL nested too deep: possible loop";
3201 return ERROR;
3202 }
3203
3204if (s == NULL)
3205 {
3206 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3207 return FAIL;
3208 }
3209
3210/* At top level, we expand the incoming string. At lower levels, it has already
3211been expanded as part of condition processing. */
3212
3213if (level == 0)
3214 {
3215 ss = expand_string(s);
3216 if (ss == NULL)
3217 {
3218 if (expand_string_forcedfail) return OK;
3219 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3220 expand_string_message);
3221 return ERROR;
3222 }
3223 }
3224else ss = s;
3225
3226while (isspace(*ss))ss++;
3227
3228/* If we can't find a named ACL, the default is to parse it as an inline one.
3229(Unless it begins with a slash; non-existent files give rise to an error.) */
3230
3231acl_text = ss;
3232
3233/* Handle the case of a string that does not contain any spaces. Look for a
3234named ACL among those read from the configuration, or a previously read file.
3235It is possible that the pointer to the ACL is NULL if the configuration
3236contains a name with no data. If not found, and the text begins with '/',
3237read an ACL from a file, and save it so it can be re-used. */
3238
3239if (Ustrchr(ss, ' ') == NULL)
3240 {
3241 tree_node *t = tree_search(acl_anchor, ss);
3242 if (t != NULL)
3243 {
3244 acl = (acl_block *)(t->data.ptr);
3245 if (acl == NULL)
3246 {
3247 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3248 return FAIL;
3249 }
3250 acl_name = string_sprintf("ACL \"%s\"", ss);
3251 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3252 }
3253
3254 else if (*ss == '/')
3255 {
3256 struct stat statbuf;
3257 fd = Uopen(ss, O_RDONLY, 0);
3258 if (fd < 0)
3259 {
3260 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3261 strerror(errno));
3262 return ERROR;
3263 }
3264
3265 if (fstat(fd, &statbuf) != 0)
3266 {
3267 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3268 strerror(errno));
3269 return ERROR;
3270 }
3271
3272 acl_text = store_get(statbuf.st_size + 1);
3273 acl_text_end = acl_text + statbuf.st_size + 1;
3274
3275 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3276 {
3277 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3278 ss, strerror(errno));
3279 return ERROR;
3280 }
3281 acl_text[statbuf.st_size] = 0;
f1e894f3 3282 (void)close(fd);
059ec3d9
PH		 3283
3284 acl_name = string_sprintf("ACL \"%s\"", ss);
3285 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3286 }
3287 }
3288
3289/* Parse an ACL that is still in text form. If it came from a file, remember it
3290in the ACL tree, having read it into the POOL_PERM store pool so that it
3291persists between multiple messages. */
3292
3293if (acl == NULL)
3294 {
3295 int old_pool = store_pool;
3296 if (fd >= 0) store_pool = POOL_PERM;
3297 acl = acl_read(acl_getline, log_msgptr);
3298 store_pool = old_pool;
3299 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3300 if (fd >= 0)
3301 {
3302 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3303 Ustrcpy(t->name, ss);
3304 t->data.ptr = acl;
3305 (void)tree_insertnode(&acl_anchor, t);
3306 }
3307 }
3308
3309/* Now we have an ACL to use. It's possible it may be NULL. */
3310
3311while (acl != NULL)
3312 {
3313 int cond;
3314 int basic_errno = 0;
3315 BOOL endpass_seen = FALSE;
3316
3317 *log_msgptr = *user_msgptr = NULL;
3318 acl_temp_details = FALSE;
3319
3320 if (where == ACL_WHERE_QUIT &&
3321 acl->verb != ACL_ACCEPT &&
3322 acl->verb != ACL_WARN)
3323 {
3324 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3325 verbs[acl->verb]);
3326 return ERROR;
3327 }
3328
3329 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3330
3331 /* Clear out any search error message from a previous check before testing
3332 this condition. */
3333
3334 search_error_message = NULL;
3335 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3336 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3337
3338 /* Handle special returns: DEFER causes a return except on a WARN verb;
3339 ERROR always causes a return. */
3340
3341 switch (cond)
3342 {
3343 case DEFER:
3344 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3345 if (basic_errno != ERRNO_CALLOUTDEFER)
3346 {
3347 if (search_error_message != NULL && *search_error_message != 0)
3348 *log_msgptr = search_error_message;
3349 if (smtp_return_error_details) acl_temp_details = TRUE;
3350 }
3351 else
3352 {
3353 acl_temp_details = TRUE;
3354 }
3355 if (acl->verb != ACL_WARN) return DEFER;
3356 break;
3357
3358 default: /* Paranoia */
3359 case ERROR:
3360 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3361 return ERROR;
3362
3363 case OK:
3364 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3365 verbs[acl->verb]);
3366 break;
3367
3368 case FAIL:
3369 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3370 break;
3371
3372 /* DISCARD and DROP can happen only from a nested ACL condition, and
3373 DISCARD can happen only for an "accept" or "discard" verb. */
3374
3375 case DISCARD:
3376 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3377 verbs[acl->verb]);
3378 break;
3379
3380 case FAIL_DROP:
3381 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3382 verbs[acl->verb]);
3383 break;
3384 }
3385
3386 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3387 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3388 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3389
3390 switch(acl->verb)
3391 {
3392 case ACL_ACCEPT:
3393 if (cond == OK || cond == DISCARD) return cond;
3394 if (endpass_seen)
3395 {
3396 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3397 return cond;
3398 }
3399 break;
3400
3401 case ACL_DEFER:
3402 if (cond == OK)
3403 {
3404 acl_temp_details = TRUE;
3405 return DEFER;
3406 }
3407 break;
3408
3409 case ACL_DENY:
3410 if (cond == OK) return FAIL;
3411 break;
3412
3413 case ACL_DISCARD:
3414 if (cond == OK || cond == DISCARD) return DISCARD;
3415 if (endpass_seen)
3416 {
3417 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3418 return cond;
3419 }
3420 break;
3421
3422 case ACL_DROP:
3423 if (cond == OK) return FAIL_DROP;
3424 break;
3425
3426 case ACL_REQUIRE:
3427 if (cond != OK) return cond;
3428 break;
3429
3430 case ACL_WARN:
3431 if (cond == OK)
3432 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3433 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3434 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3435 "condition test deferred%s%s", host_and_ident(TRUE),
3436 (*log_msgptr == NULL)? US"" : US": ",
3437 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3438 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3439 break;
3440
3441 default:
3442 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3443 acl->verb);
3444 break;
3445 }
3446
3447 /* Pass to the next ACL item */
3448
3449 acl = acl->next;
3450 }
3451
3452/* We have reached the end of the ACL. This is an implicit DENY. */
3453
3454HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3455return FAIL;
3456}
3457
3458
3459/*************************************************
3460* Check access using an ACL *
3461*************************************************/
3462
3463/* This is the external interface for ACL checks. It sets up an address and the
3464expansions for $domain and $local_part when called after RCPT, then calls
3465acl_check_internal() to do the actual work.
3466
3467Arguments:
3468 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3469 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3470 s the input string; NULL is the same as an empty ACL => DENY
3471 user_msgptr where to put a user error (for SMTP response)
3472 log_msgptr where to put a logging message (not for SMTP response)
3473
3474Returns: OK access is granted by an ACCEPT verb
3475 DISCARD access is granted by a DISCARD verb
3476 FAIL access is denied
3477 FAIL_DROP access is denied; drop the connection
3478 DEFER can't tell at the moment
3479 ERROR disaster
3480*/
3481
3482int
64ffc24f 3483acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3484 uschar **log_msgptr)
3485{
3486int rc;
3487address_item adb;
64ffc24f 3488address_item *addr = NULL;
059ec3d9
PH		 3489
3490*user_msgptr = *log_msgptr = NULL;
3491sender_verified_failed = NULL;
fe0dab11 3492ratelimiters_cmd = NULL;
059ec3d9
PH		 3493
3494if (where == ACL_WHERE_RCPT)
3495 {
3496 adb = address_defaults;
3497 addr = &adb;
64ffc24f 3498 addr->address = recipient;
059ec3d9
PH		 3499 if (deliver_split_address(addr) == DEFER)
3500 {
3501 *log_msgptr = US"defer in percent_hack_domains check";
3502 return DEFER;
3503 }
3504 deliver_domain = addr->domain;
3505 deliver_localpart = addr->local_part;
3506 }
059ec3d9
PH		 3507
3508rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3509
64ffc24f
PH		 3510deliver_domain = deliver_localpart = deliver_address_data =
3511 sender_address_data = NULL;
059ec3d9
PH		 3512
3513/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3514ACL, which is really in the middle of an SMTP command. */
3515
3516if (rc == DISCARD)
3517 {
3518 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3519 {
3520 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3521 "ACL", acl_wherenames[where]);
3522 return ERROR;
3523 }
3524 return DISCARD;
3525 }
3526
3527/* A DROP response is not permitted from MAILAUTH */
3528
3529if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3530 {
3531 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3532 "ACL", acl_wherenames[where]);
3533 return ERROR;
3534 }
3535
3536/* Before giving an error response, take a look at the length of any user
3537message, and split it up into multiple lines if possible. */
3538
3539if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3540 {
3541 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3542 uschar *ss = s;
3543
3544 for (;;)
3545 {
3546 int i = 0;
3547 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3548 if (*ss == 0) break;
3549 if (*ss == '\n')
3550 s = ++ss;
3551 else
3552 {
3553 uschar *t = ss + 1;
3554 uschar *tt = NULL;
3555 while (--t > s + 35)
3556 {
3557 if (*t == ' ')
3558 {
3559 if (t[-1] == ':') { tt = t; break; }
3560 if (tt == NULL) tt = t;
3561 }
3562 }
3563
3564 if (tt == NULL) /* Can't split behind - try ahead */
3565 {
3566 t = ss + 1;
3567 while (*t != 0)
3568 {
3569 if (*t == ' ' || *t == '\n')
3570 { tt = t; break; }
3571 t++;
3572 }
3573 }
3574
3575 if (tt == NULL) break; /* Can't find anywhere to split */
3576 *tt = '\n';
3577 s = ss = tt+1;
3578 }
3579 }
3580 }
3581
3582return rc;
3583}
3584
3585/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.