projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Apply Jakob Hirsch's patch for arbitrary ACL variable names, tidied up
[exim.git] / src / src / acl.c
CommitLineData
38a0a95f 1/* $Cambridge: exim/src/src/acl.c,v 1.64 2006/09/19 11:28:45 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
d7d7b7b9 7/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 35follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
36down. */
059ec3d9 37
71fafd95
PH		 38enum { ACLC_ACL,
39 ACLC_ADD_HEADER,
40 ACLC_AUTHENTICATED,
8523533c
TK		 41#ifdef EXPERIMENTAL_BRIGHTMAIL
42 ACLC_BMI_OPTIN,
43#endif
71fafd95
PH		 44 ACLC_CONDITION,
45 ACLC_CONTROL,
8523533c
TK		 46#ifdef WITH_CONTENT_SCAN
47 ACLC_DECODE,
48#endif
49 ACLC_DELAY,
50#ifdef WITH_OLD_DEMIME
51 ACLC_DEMIME,
fb2274d4
TK		 52#endif
53#ifdef EXPERIMENTAL_DOMAINKEYS
54 ACLC_DK_DOMAIN_SOURCE,
55 ACLC_DK_POLICY,
56 ACLC_DK_SENDER_DOMAINS,
57 ACLC_DK_SENDER_LOCAL_PARTS,
58 ACLC_DK_SENDERS,
59 ACLC_DK_STATUS,
8e669ac1 60#endif
71fafd95
PH		 61 ACLC_DNSLISTS,
62 ACLC_DOMAINS,
63 ACLC_ENCRYPTED,
64 ACLC_ENDPASS,
65 ACLC_HOSTS,
66 ACLC_LOCAL_PARTS,
67 ACLC_LOG_MESSAGE,
68 ACLC_LOGWRITE,
8523533c
TK		 69#ifdef WITH_CONTENT_SCAN
70 ACLC_MALWARE,
71#endif
72 ACLC_MESSAGE,
73#ifdef WITH_CONTENT_SCAN
74 ACLC_MIME_REGEX,
75#endif
870f6ba8 76 ACLC_RATELIMIT,
8523533c
TK		 77 ACLC_RECIPIENTS,
78#ifdef WITH_CONTENT_SCAN
79 ACLC_REGEX,
80#endif
71fafd95
PH		 81 ACLC_SENDER_DOMAINS,
82 ACLC_SENDERS,
83 ACLC_SET,
8523533c 84#ifdef WITH_CONTENT_SCAN
8e669ac1 85 ACLC_SPAM,
8523533c
TK		 86#endif
87#ifdef EXPERIMENTAL_SPF
88 ACLC_SPF,
89#endif
90 ACLC_VERIFY };
059ec3d9
PH		 91
92/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
93"log_message", "logwrite", and "set" are modifiers that look like conditions
94but always return TRUE. They are used for their side effects. */
95
9a26b6b2
PH		 96static uschar *conditions[] = {
97 US"acl",
71fafd95 98 US"add_header",
9a26b6b2 99 US"authenticated",
8523533c
TK		 100#ifdef EXPERIMENTAL_BRIGHTMAIL
101 US"bmi_optin",
102#endif
103 US"condition",
8e669ac1 104 US"control",
8523533c
TK		 105#ifdef WITH_CONTENT_SCAN
106 US"decode",
107#endif
108 US"delay",
109#ifdef WITH_OLD_DEMIME
110 US"demime",
fb2274d4
TK		 111#endif
112#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 113 US"dk_domain_source",
114 US"dk_policy",
115 US"dk_sender_domains",
116 US"dk_sender_local_parts",
117 US"dk_senders",
118 US"dk_status",
8523533c
TK		 119#endif
120 US"dnslists", US"domains", US"encrypted",
059ec3d9 121 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 122#ifdef WITH_CONTENT_SCAN
123 US"malware",
124#endif
125 US"message",
126#ifdef WITH_CONTENT_SCAN
127 US"mime_regex",
128#endif
870f6ba8 129 US"ratelimit",
8523533c
TK		 130 US"recipients",
131#ifdef WITH_CONTENT_SCAN
132 US"regex",
133#endif
134 US"sender_domains", US"senders", US"set",
135#ifdef WITH_CONTENT_SCAN
136 US"spam",
137#endif
138#ifdef EXPERIMENTAL_SPF
139 US"spf",
140#endif
059ec3d9 141 US"verify" };
8e669ac1 142
c5fcb476 143
9a26b6b2
PH		 144/* Return values from decode_control(); keep in step with the table of names
145that follows! */
146
147enum {
c46782ef
PH		 148 CONTROL_AUTH_UNADVERTISED,
149 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 150 CONTROL_BMI_RUN,
c46782ef
PH		 151 #endif
152 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 153 CONTROL_DK_VERIFY,
c46782ef
PH		 154 #endif
155 CONTROL_ERROR,
156 CONTROL_CASEFUL_LOCAL_PART,
157 CONTROL_CASELOWER_LOCAL_PART,
158 CONTROL_ENFORCE_SYNC,
159 CONTROL_NO_ENFORCE_SYNC,
160 CONTROL_FREEZE,
161 CONTROL_QUEUE_ONLY,
162 CONTROL_SUBMISSION,
163 CONTROL_SUPPRESS_LOCAL_FIXUPS,
164 #ifdef WITH_CONTENT_SCAN
9a26b6b2 165 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 166 #endif
167 CONTROL_FAKEDEFER,
168 CONTROL_FAKEREJECT,
169 CONTROL_NO_MULTILINE
170};
9a26b6b2 171
8800895a
PH		 172/* ACL control names; keep in step with the table above! This list is used for
173turning ids into names. The actual list of recognized names is in the variable
174control_def controls_list[] below. The fact that there are two lists is a mess
175and should be tidied up. */
9a26b6b2
PH		 176
177static uschar *controls[] = {
c46782ef 178 US"allow_auth_unadvertised",
9a26b6b2
PH		 179 #ifdef EXPERIMENTAL_BRIGHTMAIL
180 US"bmi_run",
181 #endif
182 #ifdef EXPERIMENTAL_DOMAINKEYS
183 US"dk_verify",
184 #endif
c46782ef
PH		 185 US"error",
186 US"caseful_local_part",
187 US"caselower_local_part",
188 US"enforce_sync",
189 US"no_enforce_sync",
190 US"freeze",
191 US"queue_only",
192 US"submission",
193 US"suppress_local_fixups",
9a26b6b2
PH		 194 #ifdef WITH_CONTENT_SCAN
195 US"no_mbox_unspool",
196 #endif
c46782ef
PH		 197 US"no_multiline"
198};
059ec3d9
PH		 199
200/* Flags to indicate for which conditions /modifiers a string expansion is done
201at the outer level. In the other cases, expansion already occurs in the
202checking functions. */
203
204static uschar cond_expand_at_top[] = {
205 TRUE, /* acl */
3e536984 206 TRUE, /* add_header */
059ec3d9 207 FALSE, /* authenticated */
8523533c
TK		 208#ifdef EXPERIMENTAL_BRIGHTMAIL
209 TRUE, /* bmi_optin */
8e669ac1 210#endif
059ec3d9
PH		 211 TRUE, /* condition */
212 TRUE, /* control */
8523533c
TK		 213#ifdef WITH_CONTENT_SCAN
214 TRUE, /* decode */
215#endif
059ec3d9 216 TRUE, /* delay */
8523533c
TK		 217#ifdef WITH_OLD_DEMIME
218 TRUE, /* demime */
fb2274d4
TK		 219#endif
220#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 221 TRUE, /* dk_domain_source */
222 TRUE, /* dk_policy */
223 TRUE, /* dk_sender_domains */
e715ad22 224 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 225 TRUE, /* dk_senders */
226 TRUE, /* dk_status */
8523533c 227#endif
059ec3d9
PH		 228 TRUE, /* dnslists */
229 FALSE, /* domains */
230 FALSE, /* encrypted */
231 TRUE, /* endpass */
232 FALSE, /* hosts */
233 FALSE, /* local_parts */
234 TRUE, /* log_message */
235 TRUE, /* logwrite */
8523533c
TK		 236#ifdef WITH_CONTENT_SCAN
237 TRUE, /* malware */
238#endif
059ec3d9 239 TRUE, /* message */
8523533c
TK		 240#ifdef WITH_CONTENT_SCAN
241 TRUE, /* mime_regex */
242#endif
870f6ba8 243 TRUE, /* ratelimit */
059ec3d9 244 FALSE, /* recipients */
8523533c
TK		 245#ifdef WITH_CONTENT_SCAN
246 TRUE, /* regex */
247#endif
059ec3d9
PH		 248 FALSE, /* sender_domains */
249 FALSE, /* senders */
250 TRUE, /* set */
8523533c
TK		 251#ifdef WITH_CONTENT_SCAN
252 TRUE, /* spam */
253#endif
254#ifdef EXPERIMENTAL_SPF
255 TRUE, /* spf */
256#endif
059ec3d9
PH		 257 TRUE /* verify */
258};
259
260/* Flags to identify the modifiers */
261
262static uschar cond_modifiers[] = {
263 FALSE, /* acl */
3e536984 264 TRUE, /* add_header */
059ec3d9 265 FALSE, /* authenticated */
8523533c
TK		 266#ifdef EXPERIMENTAL_BRIGHTMAIL
267 TRUE, /* bmi_optin */
8e669ac1 268#endif
059ec3d9
PH		 269 FALSE, /* condition */
270 TRUE, /* control */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 FALSE, /* decode */
273#endif
059ec3d9 274 TRUE, /* delay */
8523533c
TK		 275#ifdef WITH_OLD_DEMIME
276 FALSE, /* demime */
fb2274d4
TK		 277#endif
278#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 279 FALSE, /* dk_domain_source */
280 FALSE, /* dk_policy */
281 FALSE, /* dk_sender_domains */
e715ad22 282 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 283 FALSE, /* dk_senders */
284 FALSE, /* dk_status */
8523533c 285#endif
059ec3d9
PH		 286 FALSE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
8523533c
TK		 293 TRUE, /* logwrite */
294#ifdef WITH_CONTENT_SCAN
295 FALSE, /* malware */
296#endif
059ec3d9 297 TRUE, /* message */
8523533c
TK		 298#ifdef WITH_CONTENT_SCAN
299 FALSE, /* mime_regex */
300#endif
870f6ba8 301 FALSE, /* ratelimit */
059ec3d9 302 FALSE, /* recipients */
8523533c
TK		 303#ifdef WITH_CONTENT_SCAN
304 FALSE, /* regex */
305#endif
059ec3d9
PH		 306 FALSE, /* sender_domains */
307 FALSE, /* senders */
308 TRUE, /* set */
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* spam */
311#endif
312#ifdef EXPERIMENTAL_SPF
313 FALSE, /* spf */
314#endif
059ec3d9
PH		 315 FALSE /* verify */
316};
317
c5fcb476 318/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 319each condition, there's a bitmap of dis-allowed times. For some, it is easier
320to specify the negation of a small number of allowed times. */
059ec3d9
PH		 321
322static unsigned int cond_forbids[] = {
323 0, /* acl */
8e669ac1 324
71fafd95 325 (unsigned int)
45b91596 326 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 327 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 328 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
329 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 330
45b91596
PH		 331 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
332 (1<<ACL_WHERE_NOTSMTP_START)|
333 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 334
71fafd95 335 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 336 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 337 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
338 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 339 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 340 (1<<ACL_WHERE_MAILAUTH)|
341 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 342 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
343 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 344 #endif
8e669ac1 345
059ec3d9 346 0, /* condition */
8e669ac1 347
059ec3d9 348 /* Certain types of control are always allowed, so we let it through
2f079f46 349 always and check in the control processing itself. */
8e669ac1 350
059ec3d9 351 0, /* control */
8e669ac1 352
71fafd95 353 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 354 (unsigned int)
355 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 356 #endif
8523533c 357
059ec3d9 358 0, /* delay */
8e669ac1 359
71fafd95 360 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 361 (unsigned int)
362 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 363 #endif
8e669ac1 364
71fafd95 365 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 366 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 367 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
368 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
369 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
370 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
371 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 372 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 373
2f079f46 374 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 381
2f079f46 382 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 383 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
384 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
385 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
386 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
387 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 388 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 389
2f079f46 390 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 391 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
392 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
393 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
394 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
395 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 396 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 397
2f079f46 398 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 399 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
400 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
401 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
402 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
403 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 404 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 405
2f079f46 406 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 407 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
408 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
409 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
410 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
411 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 412 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 413 #endif
fb2274d4 414
45b91596
PH		 415 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
416 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 417
2f079f46
PH		 418 (unsigned int)
419 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 420
45b91596
PH		 421 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
422 (1<<ACL_WHERE_CONNECT)|
423 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 424 (1<<ACL_WHERE_HELO),
8e669ac1 425
059ec3d9 426 0, /* endpass */
8e669ac1 427
45b91596
PH		 428 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
429 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 430
2f079f46
PH		 431 (unsigned int)
432 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 433
434 0, /* log_message */
8e669ac1 435
059ec3d9 436 0, /* logwrite */
8e669ac1 437
71fafd95 438 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 439 (unsigned int)
440 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 441 #endif
8523533c 442
059ec3d9
PH		 443 0, /* message */
444
71fafd95 445 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 446 (unsigned int)
447 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 448 #endif
8523533c 449
870f6ba8
TF		 450 0, /* ratelimit */
451
2f079f46
PH		 452 (unsigned int)
453 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 454
71fafd95 455 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 456 (unsigned int)
457 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
458 (1<<ACL_WHERE_MIME)),
71fafd95 459 #endif
8523533c 460
059ec3d9
PH		 461 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
462 (1<<ACL_WHERE_HELO)|
463 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
464 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
465 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
466
467 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
468 (1<<ACL_WHERE_HELO)|
469 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
470 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
471 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
472
473 0, /* set */
474
71fafd95 475 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 476 (unsigned int)
477 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 478 #endif
8523533c 479
71fafd95 480 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 481 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
482 (1<<ACL_WHERE_HELO)|
483 (1<<ACL_WHERE_MAILAUTH)|
484 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 485 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
486 (1<<ACL_WHERE_NOTSMTP)|
487 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 488 #endif
8523533c 489
059ec3d9
PH		 490 /* Certain types of verify are always allowed, so we let it through
491 always and check in the verify function itself */
492
493 0 /* verify */
059ec3d9
PH		 494};
495
496
c5fcb476
PH		 497/* Bit map vector of which controls are not allowed at certain times. For
498each control, there's a bitmap of dis-allowed times. For some, it is easier to
499specify the negation of a small number of allowed times. */
500
501static unsigned int control_forbids[] = {
c46782ef
PH		 502 (unsigned int)
503 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
504
505 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 506 0, /* bmi_run */
c46782ef
PH		 507 #endif
508
509 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 510 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
511 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 512 #endif
3e11c26b 513
c5fcb476 514 0, /* error */
8e669ac1
PH		 515
516 (unsigned int)
c5fcb476 517 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 518
519 (unsigned int)
c5fcb476 520 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 521
45b91596
PH		 522 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
523 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 524
45b91596
PH		 525 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
526 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 527
528 (unsigned int)
c5fcb476
PH		 529 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
530 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 531 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 532
533 (unsigned int)
c5fcb476
PH		 534 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
535 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 536 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 537
538 (unsigned int)
c5fcb476 539 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 540 (1<<ACL_WHERE_PREDATA)),
8523533c 541
8800895a
PH		 542 (unsigned int)
543 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 544 (1<<ACL_WHERE_PREDATA)|
545 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 546
c46782ef 547 #ifdef WITH_CONTENT_SCAN
8e669ac1 548 (unsigned int)
14d57970 549 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 550 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
551 (1<<ACL_WHERE_MIME)),
c46782ef 552 #endif
a6c4ab60 553
29aba418
TF		 554 (unsigned int)
555 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
556 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
557 (1<<ACL_WHERE_MIME)),
558
8e669ac1 559 (unsigned int)
a6c4ab60 560 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 561 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
562 (1<<ACL_WHERE_MIME)),
8523533c 563
45b91596
PH		 564 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
565 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 566};
567
568/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 569
570typedef struct control_def {
571 uschar *name;
572 int value; /* CONTROL_xxx value */
059ec3d9
PH		 573 BOOL has_option; /* Has /option(s) following */
574} control_def;
575
576static control_def controls_list[] = {
c46782ef 577 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 578#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 579 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 580#endif
581#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 582 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 583#endif
c46782ef
PH		 584 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
585 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
586 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
587 { US"freeze", CONTROL_FREEZE, TRUE },
588 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
589 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
590 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 591#ifdef WITH_CONTENT_SCAN
c46782ef 592 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 593#endif
c46782ef
PH		 594 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
595 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
596 { US"submission", CONTROL_SUBMISSION, TRUE },
597 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 598 };
599
e5a9dba6
PH		 600/* Support data structures for Client SMTP Authorization. acl_verify_csa()
601caches its result in a tree to avoid repeated DNS queries. The result is an
602integer code which is used as an index into the following tables of
603explanatory strings and verification return codes. */
604
605static tree_node *csa_cache = NULL;
606
607enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
608 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
609
610/* The acl_verify_csa() return code is translated into an acl_verify() return
611code using the following table. It is OK unless the client is definitely not
612authorized. This is because CSA is supposed to be optional for sending sites,
613so recipients should not be too strict about checking it - especially because
614DNS problems are quite likely to occur. It's possible to use $csa_status in
615further ACL conditions to distinguish ok, unknown, and defer if required, but
616the aim is to make the usual configuration simple. */
617
618static int csa_return_code[] = {
619 OK, OK, OK, OK,
620 FAIL, FAIL, FAIL, FAIL
621};
622
623static uschar *csa_status_string[] = {
624 US"unknown", US"ok", US"defer", US"defer",
625 US"fail", US"fail", US"fail", US"fail"
626};
627
628static uschar *csa_reason_string[] = {
629 US"unknown",
630 US"ok",
631 US"deferred (SRV lookup failed)",
632 US"deferred (target address lookup failed)",
633 US"failed (explicit authorization required)",
634 US"failed (host name not authorized)",
635 US"failed (no authorized addresses)",
636 US"failed (client address mismatch)"
637};
638
059ec3d9
PH		 639/* Enable recursion between acl_check_internal() and acl_check_condition() */
640
641static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
642 uschar **);
643
644
645/*************************************************
646* Pick out name from list *
647*************************************************/
648
649/* Use a binary chop method
650
651Arguments:
652 name name to find
653 list list of names
654 end size of list
655
656Returns: offset in list, or -1 if not found
657*/
658
659static int
660acl_checkname(uschar *name, uschar **list, int end)
661{
662int start = 0;
663
664while (start < end)
665 {
666 int mid = (start + end)/2;
667 int c = Ustrcmp(name, list[mid]);
668 if (c == 0) return mid;
669 if (c < 0) end = mid; else start = mid + 1;
670 }
671
672return -1;
673}
674
675
676/*************************************************
677* Read and parse one ACL *
678*************************************************/
679
680/* This function is called both from readconf in order to parse the ACLs in the
681configuration file, and also when an ACL is encountered dynamically (e.g. as
682the result of an expansion). It is given a function to call in order to
683retrieve the lines of the ACL. This function handles skipping comments and
684blank lines (where relevant).
685
686Arguments:
687 func function to get next line of ACL
688 error where to put an error message
689
690Returns: pointer to ACL, or NULL
691 NULL can be legal (empty ACL); in this case error will be NULL
692*/
693
694acl_block *
695acl_read(uschar *(*func)(void), uschar **error)
696{
697acl_block *yield = NULL;
698acl_block **lastp = &yield;
699acl_block *this = NULL;
700acl_condition_block *cond;
701acl_condition_block **condp = NULL;
702uschar *s;
703
704*error = NULL;
705
706while ((s = (*func)()) != NULL)
707 {
708 int v, c;
709 BOOL negated = FALSE;
710 uschar *saveline = s;
711 uschar name[64];
712
713 /* Conditions (but not verbs) are allowed to be negated by an initial
714 exclamation mark. */
715
716 while (isspace(*s)) s++;
717 if (*s == '!')
718 {
719 negated = TRUE;
720 s++;
721 }
722
cf00dad6
PH		 723 /* Read the name of a verb or a condition, or the start of a new ACL, which
724 can be started by a name, or by a macro definition. */
059ec3d9
PH		 725
726 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 727 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 728
729 /* If a verb is unrecognized, it may be another condition or modifier that
730 continues the previous verb. */
731
732 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
733 if (v < 0)
734 {
735 if (this == NULL)
736 {
4e167a8c
PH		 737 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
738 saveline);
059ec3d9
PH		 739 return NULL;
740 }
741 }
742
743 /* New verb */
744
745 else
746 {
747 if (negated)
748 {
749 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
750 return NULL;
751 }
752 this = store_get(sizeof(acl_block));
753 *lastp = this;
754 lastp = &(this->next);
755 this->next = NULL;
756 this->verb = v;
757 this->condition = NULL;
758 condp = &(this->condition);
759 if (*s == 0) continue; /* No condition on this line */
760 if (*s == '!')
761 {
762 negated = TRUE;
763 s++;
764 }
765 s = readconf_readname(name, sizeof(name), s); /* Condition name */
766 }
767
768 /* Handle a condition or modifier. */
769
770 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
771 if (c < 0)
772 {
773 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
774 saveline);
775 return NULL;
776 }
777
778 /* The modifiers may not be negated */
779
780 if (negated && cond_modifiers[c])
781 {
782 *error = string_sprintf("ACL error: negation is not allowed with "
783 "\"%s\"", conditions[c]);
784 return NULL;
785 }
786
787 /* ENDPASS may occur only with ACCEPT or DISCARD. */
788
789 if (c == ACLC_ENDPASS &&
790 this->verb != ACL_ACCEPT &&
791 this->verb != ACL_DISCARD)
792 {
793 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
794 conditions[c], verbs[this->verb]);
795 return NULL;
796 }
797
798 cond = store_get(sizeof(acl_condition_block));
799 cond->next = NULL;
800 cond->type = c;
801 cond->u.negated = negated;
802
803 *condp = cond;
804 condp = &(cond->next);
805
806 /* The "set" modifier is different in that its argument is "name=value"
807 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 808 gives us a variable name to insert into the data block. The original ACL
809 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
810 extended to 20 of each type, but after that people successfully argued for
811 arbitrary names. For compatibility, however, the names must still start with
812 acl_c or acl_m. After that, we allow alphanumerics and underscores. */
059ec3d9
PH		 813
814 if (c == ACLC_SET)
815 {
47ca6d6c
PH		 816 uschar *endptr;
817
38a0a95f
PH		 818 if (Ustrncmp(s, "acl_c", 5) != 0 &&
819 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 820 {
38a0a95f
PH		 821 *error = string_sprintf("invalid variable name after \"set\" in ACL "
822 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
823 return NULL;
47ca6d6c 824 }
38a0a95f
PH		 825
826 endptr = s + 5;
827 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 828 {
38a0a95f
PH		 829 if (!isalnum(*endptr) && *endptr != '_')
830 {
831 *error = string_sprintf("invalid character \"%c\" in variable name "
832 "in ACL modifier \"set %s\"", *endptr, s);
833 return NULL;
834 }
835 endptr++;
47ca6d6c 836 }
47ca6d6c 837
38a0a95f 838 if (endptr - s < 6)
059ec3d9 839 {
38a0a95f
PH		 840 *error = string_sprintf("invalid variable name after \"set\" in ACL "
841 "modifier \"set %s\" (must be at least 6 characters)", s);
059ec3d9
PH		 842 return NULL;
843 }
844
38a0a95f 845 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 846 s = endptr;
059ec3d9
PH		 847 while (isspace(*s)) s++;
848 }
849
850 /* For "set", we are now positioned for the data. For the others, only
851 "endpass" has no data */
852
853 if (c != ACLC_ENDPASS)
854 {
855 if (*s++ != '=')
856 {
857 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
858 cond_modifiers[c]? US"modifier" : US"condition");
859 return NULL;
860 }
861 while (isspace(*s)) s++;
862 cond->arg = string_copy(s);
863 }
864 }
865
866return yield;
867}
868
869
870
71fafd95
PH		 871/*************************************************
872* Set up added header line(s) *
873*************************************************/
874
875/* This function is called by the add_header modifier, and also from acl_warn()
876to implement the now-deprecated way of adding header lines using "message" on a
877"warn" verb. The argument is treated as a sequence of header lines which are
878added to a chain, provided there isn't an identical one already there.
879
880Argument: string of header lines
881Returns: nothing
882*/
883
884static void
885setup_header(uschar *hstring)
886{
887uschar *p, *q;
888int hlen = Ustrlen(hstring);
889
890/* An empty string does nothing; otherwise add a final newline if necessary. */
891
892if (hlen <= 0) return;
893if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
894
895/* Loop for multiple header lines, taking care about continuations */
896
897for (p = q = hstring; *p != 0; )
898 {
899 uschar *s;
900 int newtype = htype_add_bot;
901 header_line **hptr = &acl_added_headers;
902
903 /* Find next header line within the string */
904
905 for (;;)
906 {
907 q = Ustrchr(q, '\n');
908 if (*(++q) != ' ' && *q != '\t') break;
909 }
910
911 /* If the line starts with a colon, interpret the instruction for where to
912 add it. This temporarily sets up a new type. */
913
914 if (*p == ':')
915 {
916 if (strncmpic(p, US":after_received:", 16) == 0)
917 {
918 newtype = htype_add_rec;
919 p += 16;
920 }
921 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
922 {
923 newtype = htype_add_rfc;
924 p += 14;
925 }
926 else if (strncmpic(p, US":at_start:", 10) == 0)
927 {
928 newtype = htype_add_top;
929 p += 10;
930 }
931 else if (strncmpic(p, US":at_end:", 8) == 0)
932 {
933 newtype = htype_add_bot;
934 p += 8;
935 }
936 while (*p == ' ' || *p == '\t') p++;
937 }
938
939 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
940 to the front of it. */
941
942 for (s = p; s < q - 1; s++)
943 {
944 if (*s == ':' || !isgraph(*s)) break;
945 }
946
947 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
948 hlen = Ustrlen(s);
949
950 /* See if this line has already been added */
951
952 while (*hptr != NULL)
953 {
954 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
955 hptr = &((*hptr)->next);
956 }
957
958 /* Add if not previously present */
959
960 if (*hptr == NULL)
961 {
962 header_line *h = store_get(sizeof(header_line));
963 h->text = s;
964 h->next = NULL;
965 h->type = newtype;
966 h->slen = hlen;
967 *hptr = h;
968 hptr = &(h->next);
969 }
970
971 /* Advance for next header line within the string */
972
973 p = q;
974 }
975}
976
977
978
979
059ec3d9
PH		 980/*************************************************
981* Handle warnings *
982*************************************************/
983
984/* This function is called when a WARN verb's conditions are true. It adds to
985the message's headers, and/or writes information to the log. In each case, this
986only happens once (per message for headers, per connection for log).
987
71fafd95
PH		 988** NOTE: The header adding action using the "message" setting is historic, and
989its use is now deprecated. The new add_header modifier should be used instead.
990
059ec3d9
PH		 991Arguments:
992 where ACL_WHERE_xxxx indicating which ACL this is
993 user_message message for adding to headers
994 log_message message for logging, if different
995
996Returns: nothing
997*/
998
999static void
1000acl_warn(int where, uschar *user_message, uschar *log_message)
1001{
059ec3d9
PH		 1002if (log_message != NULL && log_message != user_message)
1003 {
1004 uschar *text;
1005 string_item *logged;
1006
1007 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1008 string_printing(log_message));
1009
1010 /* If a sender verification has failed, and the log message is "sender verify
1011 failed", add the failure message. */
1012
1013 if (sender_verified_failed != NULL &&
1014 sender_verified_failed->message != NULL &&
1015 strcmpic(log_message, US"sender verify failed") == 0)
1016 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1017
9c7a242c
PH		 1018 /* Search previously logged warnings. They are kept in malloc
1019 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1020
1021 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1022 if (Ustrcmp(logged->text, text) == 0) break;
1023
1024 if (logged == NULL)
1025 {
1026 int length = Ustrlen(text) + 1;
1027 log_write(0, LOG_MAIN, "%s", text);
1028 logged = store_malloc(sizeof(string_item) + length);
1029 logged->text = (uschar *)logged + sizeof(string_item);
1030 memcpy(logged->text, text, length);
1031 logged->next = acl_warn_logged;
1032 acl_warn_logged = logged;
1033 }
1034 }
1035
1036/* If there's no user message, we are done. */
1037
1038if (user_message == NULL) return;
1039
1040/* If this isn't a message ACL, we can't do anything with a user message.
1041Log an error. */
1042
1043if (where > ACL_WHERE_NOTSMTP)
1044 {
1045 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1046 "found in a non-message (%s) ACL: cannot specify header lines here: "
1047 "message ignored", acl_wherenames[where]);
1048 return;
1049 }
1050
71fafd95
PH		 1051/* The code for setting up header lines is now abstracted into a separate
1052function so that it can be used for the add_header modifier as well. */
059ec3d9 1053
71fafd95 1054setup_header(user_message);
059ec3d9
PH		 1055}
1056
1057
1058
1059/*************************************************
1060* Verify and check reverse DNS *
1061*************************************************/
1062
1063/* Called from acl_verify() below. We look up the host name(s) of the client IP
1064address if this has not yet been done. The host_name_lookup() function checks
1065that one of these names resolves to an address list that contains the client IP
1066address, so we don't actually have to do the check here.
1067
1068Arguments:
1069 user_msgptr pointer for user message
1070 log_msgptr pointer for log message
1071
1072Returns: OK verification condition succeeded
1073 FAIL verification failed
1074 DEFER there was a problem verifying
1075*/
1076
1077static int
1078acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1079{
1080int rc;
1081
1082user_msgptr = user_msgptr; /* stop compiler warning */
1083
1084/* Previous success */
1085
1086if (sender_host_name != NULL) return OK;
1087
1088/* Previous failure */
1089
1090if (host_lookup_failed)
1091 {
1092 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1093 return FAIL;
1094 }
1095
1096/* Need to do a lookup */
1097
1098HDEBUG(D_acl)
1099 debug_printf("looking up host name to force name/address consistency check\n");
1100
1101if ((rc = host_name_lookup()) != OK)
1102 {
1103 *log_msgptr = (rc == DEFER)?
1104 US"host lookup deferred for reverse lookup check"
1105 :
1106 string_sprintf("host lookup failed for reverse lookup check%s",
1107 host_lookup_msg);
1108 return rc; /* DEFER or FAIL */
1109 }
1110
1111host_build_sender_fullhost();
1112return OK;
1113}
1114
1115
1116
e5a9dba6
PH		 1117/*************************************************
1118* Check client IP address matches CSA target *
1119*************************************************/
1120
1121/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1122response for address records belonging to the CSA target hostname. The section
1123is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1124If one of the addresses matches the client's IP address, then the client is
1125authorized by CSA. If there are target IP addresses but none of them match
1126then the client is using an unauthorized IP address. If there are no target IP
1127addresses then the client cannot be using an authorized IP address. (This is
1128an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1129
1130Arguments:
1131 dnsa the DNS answer block
1132 dnss a DNS scan block for us to use
1133 reset option specifing what portion to scan, as described above
1134 target the target hostname to use for matching RR names
1135
1136Returns: CSA_OK successfully authorized
1137 CSA_FAIL_MISMATCH addresses found but none matched
1138 CSA_FAIL_NOADDR no target addresses found
1139*/
1140
1141static int
1142acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1143 uschar *target)
1144{
1145dns_record *rr;
1146dns_address *da;
1147
1148BOOL target_found = FALSE;
1149
1150for (rr = dns_next_rr(dnsa, dnss, reset);
1151 rr != NULL;
1152 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1153 {
1154 /* Check this is an address RR for the target hostname. */
1155
1156 if (rr->type != T_A
1157 #if HAVE_IPV6
1158 && rr->type != T_AAAA
1159 #ifdef SUPPORT_A6
1160 && rr->type != T_A6
1161 #endif
1162 #endif
1163 ) continue;
1164
1165 if (strcmpic(target, rr->name) != 0) continue;
1166
1167 target_found = TRUE;
1168
1169 /* Turn the target address RR into a list of textual IP addresses and scan
1170 the list. There may be more than one if it is an A6 RR. */
1171
1172 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1173 {
1174 /* If the client IP address matches the target IP address, it's good! */
1175
1176 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1177
1178 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1179 }
1180 }
1181
1182/* If we found some target addresses but none of them matched, the client is
1183using an unauthorized IP address, otherwise the target has no authorized IP
1184addresses. */
1185
1186if (target_found) return CSA_FAIL_MISMATCH;
1187else return CSA_FAIL_NOADDR;
1188}
1189
1190
1191
1192/*************************************************
1193* Verify Client SMTP Authorization *
1194*************************************************/
1195
1196/* Called from acl_verify() below. This routine calls dns_lookup_special()
1197to find the CSA SRV record corresponding to the domain argument, or
1198$sender_helo_name if no argument is provided. It then checks that the
1199client is authorized, and that its IP address corresponds to the SRV
1200target's address by calling acl_verify_csa_address() above. The address
1201should have been returned in the DNS response's ADDITIONAL section, but if
1202not we perform another DNS lookup to get it.
1203
1204Arguments:
1205 domain pointer to optional parameter following verify = csa
1206
1207Returns: CSA_UNKNOWN no valid CSA record found
1208 CSA_OK successfully authorized
1209 CSA_FAIL_* client is definitely not authorized
1210 CSA_DEFER_* there was a DNS problem
1211*/
1212
1213static int
1214acl_verify_csa(uschar *domain)
1215{
1216tree_node *t;
1217uschar *found, *p;
1218int priority, weight, port;
1219dns_answer dnsa;
1220dns_scan dnss;
1221dns_record *rr;
1222int rc, type;
1223uschar target[256];
1224
1225/* Work out the domain we are using for the CSA lookup. The default is the
1226client's HELO domain. If the client has not said HELO, use its IP address
1227instead. If it's a local client (exim -bs), CSA isn't applicable. */
1228
1229while (isspace(*domain) && *domain != '\0') ++domain;
1230if (*domain == '\0') domain = sender_helo_name;
1231if (domain == NULL) domain = sender_host_address;
1232if (sender_host_address == NULL) return CSA_UNKNOWN;
1233
1234/* If we have an address literal, strip off the framing ready for turning it
1235into a domain. The framing consists of matched square brackets possibly
1236containing a keyword and a colon before the actual IP address. */
1237
1238if (domain[0] == '[')
1239 {
1240 uschar *start = Ustrchr(domain, ':');
1241 if (start == NULL) start = domain;
1242 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1243 }
1244
1245/* Turn domains that look like bare IP addresses into domains in the reverse
1246DNS. This code also deals with address literals and $sender_host_address. It's
1247not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1248address literals, but it's probably the most friendly thing to do. This is an
1249extension to CSA, so we allow it to be turned off for proper conformance. */
1250
7e66e54d 1251if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1252 {
1253 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1254 dns_build_reverse(domain, target);
1255 domain = target;
1256 }
1257
1258/* Find out if we've already done the CSA check for this domain. If we have,
1259return the same result again. Otherwise build a new cached result structure
1260for this domain. The name is filled in now, and the value is filled in when
1261we return from this function. */
1262
1263t = tree_search(csa_cache, domain);
1264if (t != NULL) return t->data.val;
1265
1266t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1267Ustrcpy(t->name, domain);
1268(void)tree_insertnode(&csa_cache, t);
1269
1270/* Now we are ready to do the actual DNS lookup(s). */
1271
28e6ef29 1272found = domain;
e5a9dba6
PH		 1273switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1274 {
1275 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1276
1277 default:
1278 return t->data.val = CSA_DEFER_SRV;
1279
1280 /* If we found nothing, the client's authorization is unknown. */
1281
1282 case DNS_NOMATCH:
1283 case DNS_NODATA:
1284 return t->data.val = CSA_UNKNOWN;
1285
1286 /* We got something! Go on to look at the reply in more detail. */
1287
1288 case DNS_SUCCEED:
1289 break;
1290 }
1291
1292/* Scan the reply for well-formed CSA SRV records. */
1293
1294for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1295 rr != NULL;
1296 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1297 {
1298 if (rr->type != T_SRV) continue;
1299
1300 /* Extract the numerical SRV fields (p is incremented) */
1301
1302 p = rr->data;
1303 GETSHORT(priority, p);
1304 GETSHORT(weight, p);
1305 GETSHORT(port, p);
1306
1307 DEBUG(D_acl)
1308 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1309
1310 /* Check the CSA version number */
1311
1312 if (priority != 1) continue;
1313
1314 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1315 found by dns_special_lookup() is a parent of the one we asked for), we check
1316 the subdomain assertions in the port field. At the moment there's only one
1317 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1318 SRV records of their own. */
1319
1320 if (found != domain)
1321 {
1322 if (port & 1)
1323 return t->data.val = CSA_FAIL_EXPLICIT;
1324 else
1325 return t->data.val = CSA_UNKNOWN;
1326 }
1327
1328 /* This CSA SRV record refers directly to our domain, so we check the value
1329 in the weight field to work out the domain's authorization. 0 and 1 are
1330 unauthorized; 3 means the client is authorized but we can't check the IP
1331 address in order to authenticate it, so we treat it as unknown; values
1332 greater than 3 are undefined. */
1333
1334 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1335
1336 if (weight > 2) continue;
1337
1338 /* Weight == 2, which means the domain is authorized. We must check that the
1339 client's IP address is listed as one of the SRV target addresses. Save the
1340 target hostname then break to scan the additional data for its addresses. */
1341
1342 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1343 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1344
1345 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1346
1347 break;
1348 }
1349
1350/* If we didn't break the loop then no appropriate records were found. */
1351
1352if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1353
1354/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1355A target of "." indicates there are no valid addresses, so the client cannot
1356be authorized. (This is an odd configuration because weight=2 target=. is
1357equivalent to weight=1, but we check for it in order to keep load off the
1358root name servers.) Note that dn_expand() turns "." into "". */
1359
1360if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1361
1362/* Scan the additional section of the CSA SRV reply for addresses belonging
1363to the target. If the name server didn't return any additional data (e.g.
1364because it does not fully support SRV records), we need to do another lookup
1365to obtain the target addresses; otherwise we have a definitive result. */
1366
1367rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1368if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1369
1370/* The DNS lookup type corresponds to the IP version used by the client. */
1371
1372#if HAVE_IPV6
1373if (Ustrchr(sender_host_address, ':') != NULL)
1374 type = T_AAAA;
1375else
1376#endif /* HAVE_IPV6 */
1377 type = T_A;
1378
1379
1380#if HAVE_IPV6 && defined(SUPPORT_A6)
1381DNS_LOOKUP_AGAIN:
1382#endif
1383
1384switch (dns_lookup(&dnsa, target, type, NULL))
1385 {
1386 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1387
1388 default:
1389 return t->data.val = CSA_DEFER_ADDR;
1390
1391 /* If the query succeeded, scan the addresses and return the result. */
1392
1393 case DNS_SUCCEED:
1394 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1395 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1396 /* else fall through */
1397
1398 /* If the target has no IP addresses, the client cannot have an authorized
1399 IP address. However, if the target site uses A6 records (not AAAA records)
1400 we have to do yet another lookup in order to check them. */
1401
1402 case DNS_NOMATCH:
1403 case DNS_NODATA:
1404
1405 #if HAVE_IPV6 && defined(SUPPORT_A6)
1406 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1407 #endif
1408
1409 return t->data.val = CSA_FAIL_NOADDR;
1410 }
1411}
1412
1413
1414
059ec3d9
PH		 1415/*************************************************
1416* Handle verification (address & other) *
1417*************************************************/
1418
1419/* This function implements the "verify" condition. It is called when
1420encountered in any ACL, because some tests are almost always permitted. Some
1421just don't make sense, and always fail (for example, an attempt to test a host
1422lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1423
1424Arguments:
1425 where where called from
1426 addr the recipient address that the ACL is handling, or NULL
1427 arg the argument of "verify"
1428 user_msgptr pointer for user message
1429 log_msgptr pointer for log message
1430 basic_errno where to put verify errno
1431
1432Returns: OK verification condition succeeded
1433 FAIL verification failed
1434 DEFER there was a problem verifying
1435 ERROR syntax error
1436*/
1437
1438static int
1439acl_verify(int where, address_item *addr, uschar *arg,
1440 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1441{
1442int sep = '/';
1443int callout = -1;
1444int callout_overall = -1;
4deaf07d 1445int callout_connect = -1;
059ec3d9
PH		 1446int verify_options = 0;
1447int rc;
1448BOOL verify_header_sender = FALSE;
1449BOOL defer_ok = FALSE;
1450BOOL callout_defer_ok = FALSE;
1451BOOL no_details = FALSE;
eafd343b 1452BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1453address_item *sender_vaddr = NULL;
1454uschar *verify_sender_address = NULL;
1455uschar *pm_mailfrom = NULL;
1456uschar *se_mailfrom = NULL;
596875b3
PH		 1457
1458/* Some of the verify items have slash-separated options; some do not. Diagnose
1459an error if options are given for items that don't expect them. This code has
1460now got very message. Refactoring to use a table would be a good idea one day.
1461*/
1462
1463uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1464uschar *list = arg;
1465uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1466
1467if (ss == NULL) goto BAD_VERIFY;
1468
1469/* Handle name/address consistency verification in a separate function. */
1470
1471if (strcmpic(ss, US"reverse_host_lookup") == 0)
1472 {
596875b3 1473 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1474 if (sender_host_address == NULL) return OK;
1475 return acl_verify_reverse(user_msgptr, log_msgptr);
1476 }
1477
1478/* TLS certificate verification is done at STARTTLS time; here we just
1479test whether it was successful or not. (This is for optional verification; for
1480mandatory verification, the connection doesn't last this long.) */
1481
1482if (strcmpic(ss, US"certificate") == 0)
1483 {
596875b3 1484 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1485 if (tls_certificate_verified) return OK;
1486 *user_msgptr = US"no verified certificate";
1487 return FAIL;
1488 }
1489
d7b47fd0
PH		 1490/* We can test the result of optional HELO verification that might have
1491occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1492
596875b3
PH		 1493if (strcmpic(ss, US"helo") == 0)
1494 {
1495 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1496 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1497 return helo_verified? OK : FAIL;
596875b3 1498 }
059ec3d9 1499
e5a9dba6
PH		 1500/* Do Client SMTP Authorization checks in a separate function, and turn the
1501result code into user-friendly strings. */
1502
1503if (strcmpic(ss, US"csa") == 0)
1504 {
1505 rc = acl_verify_csa(list);
1506 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1507 csa_reason_string[rc]);
1508 csa_status = csa_status_string[rc];
1509 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1510 return csa_return_code[rc];
1511 }
1512
596875b3
PH		 1513/* Check that all relevant header lines have the correct syntax. If there is
1514a syntax error, we return details of the error to the sender if configured to
1515send out full details. (But a "message" setting on the ACL can override, as
1516always). */
059ec3d9 1517
596875b3 1518if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1519 {
596875b3 1520 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1521 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1522 rc = verify_check_headers(log_msgptr);
1523 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1524 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1525 return rc;
1526 }
059ec3d9 1527
1c41c9cc
PH		 1528/* Check that no recipient of this message is "blind", that is, every envelope
1529recipient must be mentioned in either To: or Cc:. */
1530
1531if (strcmpic(ss, US"not_blind") == 0)
1532 {
1533 if (slash != NULL) goto NO_OPTIONS;
1534 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1535 rc = verify_check_notblind();
1536 if (rc != OK)
1537 {
1538 *log_msgptr = string_sprintf("bcc recipient detected");
1539 if (smtp_return_error_details)
1540 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1541 }
1542 return rc;
1543 }
059ec3d9 1544
596875b3
PH		 1545/* The remaining verification tests check recipient and sender addresses,
1546either from the envelope or from the header. There are a number of
1547slash-separated options that are common to all of them. */
059ec3d9 1548
059ec3d9 1549
596875b3
PH		 1550/* Check that there is at least one verifiable sender address in the relevant
1551header lines. This can be followed by callout and defer options, just like
1552sender and recipient. */
059ec3d9 1553
596875b3
PH		 1554if (strcmpic(ss, US"header_sender") == 0)
1555 {
1c41c9cc 1556 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1557 verify_header_sender = TRUE;
059ec3d9
PH		 1558 }
1559
1560/* Otherwise, first item in verify argument must be "sender" or "recipient".
1561In the case of a sender, this can optionally be followed by an address to use
1562in place of the actual sender (rare special-case requirement). */
1563
1564else if (strncmpic(ss, US"sender", 6) == 0)
1565 {
1566 uschar *s = ss + 6;
1567 if (where > ACL_WHERE_NOTSMTP)
1568 {
1569 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1570 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1571 acl_wherenames[where]);
1572 return ERROR;
1573 }
1574 if (*s == 0)
1575 verify_sender_address = sender_address;
1576 else
1577 {
1578 while (isspace(*s)) s++;
1579 if (*s++ != '=') goto BAD_VERIFY;
1580 while (isspace(*s)) s++;
1581 verify_sender_address = string_copy(s);
1582 }
1583 }
1584else
1585 {
1586 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1587 if (addr == NULL)
1588 {
1589 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1590 "(only possible for RCPT)", acl_wherenames[where]);
1591 return ERROR;
1592 }
1593 }
1594
596875b3
PH		 1595/* Remaining items are optional; they apply to sender and recipient
1596verification, including "header sender" verification. */
059ec3d9
PH		 1597
1598while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1599 != NULL)
1600 {
1601 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1602 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1603 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1604
1605 /* These two old options are left for backwards compatibility */
1606
1607 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1608 {
1609 callout_defer_ok = TRUE;
1610 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1611 }
1612
1613 else if (strcmpic(ss, US"check_postmaster") == 0)
1614 {
1615 pm_mailfrom = US"";
1616 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1617 }
1618
1619 /* The callout option has a number of sub-options, comma separated */
1620
1621 else if (strncmpic(ss, US"callout", 7) == 0)
1622 {
1623 callout = CALLOUT_TIMEOUT_DEFAULT;
1624 ss += 7;
1625 if (*ss != 0)
1626 {
1627 while (isspace(*ss)) ss++;
1628 if (*ss++ == '=')
1629 {
1630 int optsep = ',';
1631 uschar *opt;
1632 uschar buffer[256];
1633 while (isspace(*ss)) ss++;
8e669ac1
PH		 1634
1635 /* This callout option handling code has become a mess as new options
1636 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1637 kind of table-driven thing. */
8e669ac1 1638
059ec3d9
PH		 1639 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1640 != NULL)
1641 {
1642 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1643 else if (strcmpic(opt, US"no_cache") == 0)
1644 verify_options |= vopt_callout_no_cache;
1645 else if (strcmpic(opt, US"random") == 0)
1646 verify_options |= vopt_callout_random;
1647 else if (strcmpic(opt, US"use_sender") == 0)
1648 verify_options |= vopt_callout_recipsender;
1649 else if (strcmpic(opt, US"use_postmaster") == 0)
1650 verify_options |= vopt_callout_recippmaster;
1651 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1652 else if (strcmpic(opt, US"fullpostmaster") == 0)
1653 {
1654 pm_mailfrom = US"";
1655 verify_options |= vopt_callout_fullpm;
1656 }
059ec3d9
PH		 1657
1658 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1659 {
1660 if (!verify_header_sender)
1661 {
1662 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1663 "callout option only for verify=header_sender (detected in ACL "
1664 "condition \"%s\")", arg);
1665 return ERROR;
1666 }
1667 opt += 8;
1668 while (isspace(*opt)) opt++;
1669 if (*opt++ != '=')
1670 {
1671 *log_msgptr = string_sprintf("'=' expected after "
1672 "\"mailfrom\" in ACL condition \"%s\"", arg);
1673 return ERROR;
1674 }
1675 while (isspace(*opt)) opt++;
1676 se_mailfrom = string_copy(opt);
1677 }
1678
1679 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1680 {
1681 opt += 19;
1682 while (isspace(*opt)) opt++;
1683 if (*opt++ != '=')
1684 {
1685 *log_msgptr = string_sprintf("'=' expected after "
1686 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1687 return ERROR;
1688 }
1689 while (isspace(*opt)) opt++;
1690 pm_mailfrom = string_copy(opt);
1691 }
1692
1693 else if (strncmpic(opt, US"maxwait", 7) == 0)
1694 {
1695 opt += 7;
1696 while (isspace(*opt)) opt++;
1697 if (*opt++ != '=')
1698 {
1699 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1700 "ACL condition \"%s\"", arg);
1701 return ERROR;
1702 }
1703 while (isspace(*opt)) opt++;
1704 callout_overall = readconf_readtime(opt, 0, FALSE);
1705 if (callout_overall < 0)
1706 {
1707 *log_msgptr = string_sprintf("bad time value in ACL condition "
1708 "\"verify %s\"", arg);
1709 return ERROR;
1710 }
1711 }
4deaf07d
PH		 1712 else if (strncmpic(opt, US"connect", 7) == 0)
1713 {
1714 opt += 7;
1715 while (isspace(*opt)) opt++;
1716 if (*opt++ != '=')
1717 {
1718 *log_msgptr = string_sprintf("'=' expected after "
1719 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1720 return ERROR;
1721 }
1722 while (isspace(*opt)) opt++;
1723 callout_connect = readconf_readtime(opt, 0, FALSE);
1724 if (callout_connect < 0)
1725 {
1726 *log_msgptr = string_sprintf("bad time value in ACL condition "
1727 "\"verify %s\"", arg);
1728 return ERROR;
1729 }
1730 }
059ec3d9
PH		 1731 else /* Plain time is callout connect/command timeout */
1732 {
1733 callout = readconf_readtime(opt, 0, FALSE);
1734 if (callout < 0)
1735 {
1736 *log_msgptr = string_sprintf("bad time value in ACL condition "
1737 "\"verify %s\"", arg);
1738 return ERROR;
1739 }
1740 }
1741 }
1742 }
1743 else
1744 {
1745 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1746 "ACL condition \"%s\"", arg);
1747 return ERROR;
1748 }
1749 }
1750 }
1751
1752 /* Option not recognized */
1753
1754 else
1755 {
1756 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1757 "condition \"verify %s\"", ss, arg);
1758 return ERROR;
1759 }
1760 }
1761
1762if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1763 (vopt_callout_recipsender|vopt_callout_recippmaster))
1764 {
1765 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1766 "for a recipient callout";
1767 return ERROR;
1768 }
1769
1770/* Handle sender-in-header verification. Default the user message to the log
1771message if giving out verification details. */
1772
1773if (verify_header_sender)
1774 {
8e669ac1 1775 int verrno;
059ec3d9 1776 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1777 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1778 &verrno);
1779 if (rc != OK)
8e669ac1 1780 {
fe5b5d0b
PH		 1781 *basic_errno = verrno;
1782 if (smtp_return_error_details)
1783 {
1784 if (*user_msgptr == NULL && *log_msgptr != NULL)
1785 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1786 if (rc == DEFER) acl_temp_details = TRUE;
1787 }
8e669ac1 1788 }
059ec3d9
PH		 1789 }
1790
1791/* Handle a sender address. The default is to verify *the* sender address, but
1792optionally a different address can be given, for special requirements. If the
1793address is empty, we are dealing with a bounce message that has no sender, so
1794we cannot do any checking. If the real sender address gets rewritten during
1795verification (e.g. DNS widening), set the flag to stop it being rewritten again
1796during message reception.
1797
1798A list of verified "sender" addresses is kept to try to avoid doing to much
1799work repetitively when there are multiple recipients in a message and they all
1800require sender verification. However, when callouts are involved, it gets too
1801complicated because different recipients may require different callout options.
1802Therefore, we always do a full sender verify when any kind of callout is
1803specified. Caching elsewhere, for instance in the DNS resolver and in the
1804callout handling, should ensure that this is not terribly inefficient. */
1805
1806else if (verify_sender_address != NULL)
1807 {
1808 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1809 != 0)
1810 {
1811 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1812 "sender verify callout";
1813 return ERROR;
1814 }
1815
1816 sender_vaddr = verify_checked_sender(verify_sender_address);
1817 if (sender_vaddr != NULL && /* Previously checked */
1818 callout <= 0) /* No callout needed this time */
1819 {
1820 /* If the "routed" flag is set, it means that routing worked before, so
1821 this check can give OK (the saved return code value, if set, belongs to a
1822 callout that was done previously). If the "routed" flag is not set, routing
1823 must have failed, so we use the saved return code. */
1824
1825 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1826 {
1827 rc = sender_vaddr->special_action;
1828 *basic_errno = sender_vaddr->basic_errno;
1829 }
1830 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1831 }
1832
1833 /* Do a new verification, and cache the result. The cache is used to avoid
1834 verifying the sender multiple times for multiple RCPTs when callouts are not
1835 specified (see comments above).
1836
1837 The cache is also used on failure to give details in response to the first
1838 RCPT that gets bounced for this reason. However, this can be suppressed by
1839 the no_details option, which sets the flag that says "this detail has already
1840 been sent". The cache normally contains just one address, but there may be
1841 more in esoteric circumstances. */
1842
1843 else
1844 {
1845 BOOL routed = TRUE;
2a3eea10 1846 uschar *save_address_data = deliver_address_data;
8e669ac1 1847
059ec3d9
PH		 1848 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1849 if (no_details) setflag(sender_vaddr, af_sverify_told);
1850 if (verify_sender_address[0] != 0)
1851 {
1852 /* If this is the real sender address, save the unrewritten version
1853 for use later in receive. Otherwise, set a flag so that rewriting the
1854 sender in verify_address() does not update sender_address. */
1855
1856 if (verify_sender_address == sender_address)
1857 sender_address_unrewritten = sender_address;
1858 else
1859 verify_options |= vopt_fake_sender;
1860
eafd343b
TK		 1861 if (success_on_redirect)
1862 verify_options |= vopt_success_on_redirect;
1863
059ec3d9
PH		 1864 /* The recipient, qualify, and expn options are never set in
1865 verify_options. */
1866
1867 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1868 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1869
1870 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1871
1872 if (rc == OK)
1873 {
1874 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1875 {
1876 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1877 verify_sender_address, sender_vaddr->address);
1878 }
1879 else
1880 {
1881 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1882 verify_sender_address);
1883 }
1884 }
1885 else *basic_errno = sender_vaddr->basic_errno;
1886 }
1887 else rc = OK; /* Null sender */
1888
1889 /* Cache the result code */
1890
1891 if (routed) setflag(sender_vaddr, af_verify_routed);
1892 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1893 sender_vaddr->special_action = rc;
1894 sender_vaddr->next = sender_verified_list;
1895 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1896
1897 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1898 the sender verification. */
8e669ac1 1899
2a3eea10 1900 deliver_address_data = save_address_data;
059ec3d9 1901 }
8e669ac1 1902
2a3eea10
PH		 1903 /* Put the sender address_data value into $sender_address_data */
1904
8e669ac1 1905 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1906 }
1907
1908/* A recipient address just gets a straightforward verify; again we must handle
1909the DEFER overrides. */
1910
1911else
1912 {
1913 address_item addr2;
1914
eafd343b
TK		 1915 if (success_on_redirect)
1916 verify_options |= vopt_success_on_redirect;
1917
059ec3d9
PH		 1918 /* We must use a copy of the address for verification, because it might
1919 get rewritten. */
1920
1921 addr2 = *addr;
1922 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1923 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1924 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1925
059ec3d9 1926 *log_msgptr = addr2.message;
8e669ac1 1927 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1928 addr2.user_message : addr2.message;
059ec3d9
PH		 1929 *basic_errno = addr2.basic_errno;
1930
1931 /* Make $address_data visible */
1932 deliver_address_data = addr2.p.address_data;
1933 }
1934
1935/* We have a result from the relevant test. Handle defer overrides first. */
1936
1937if (rc == DEFER && (defer_ok ||
1938 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1939 {
1940 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1941 defer_ok? "defer_ok" : "callout_defer_ok");
1942 rc = OK;
1943 }
1944
1945/* If we've failed a sender, set up a recipient message, and point
1946sender_verified_failed to the address item that actually failed. */
1947
1948if (rc != OK && verify_sender_address != NULL)
1949 {
1950 if (rc != DEFER)
1951 {
1952 *log_msgptr = *user_msgptr = US"Sender verify failed";
1953 }
1954 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1955 {
1956 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1957 }
1958 else
1959 {
1960 *log_msgptr = US"Could not complete sender verify callout";
1961 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1962 *log_msgptr;
1963 }
1964
1965 sender_verified_failed = sender_vaddr;
1966 }
1967
1968/* Verifying an address messes up the values of $domain and $local_part,
1969so reset them before returning if this is a RCPT ACL. */
1970
1971if (addr != NULL)
1972 {
1973 deliver_domain = addr->domain;
1974 deliver_localpart = addr->local_part;
1975 }
1976return rc;
1977
1978/* Syntax errors in the verify argument come here. */
1979
1980BAD_VERIFY:
1981*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1982 "\"helo\", \"header_syntax\", \"header_sender\" or "
1983 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1984 "\"verify %s\"", arg);
1985return ERROR;
596875b3
PH		 1986
1987/* Options supplied when not allowed come here */
1988
1989NO_OPTIONS:
1990*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1991 "(this verify item has no options)", arg);
1992return ERROR;
1c41c9cc
PH		 1993
1994/* Calls in the wrong ACL come here */
1995
1996WRONG_ACL:
1997*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1998 "(only possible in ACL for DATA)", acl_wherenames[where]);
1999return ERROR;
059ec3d9
PH		 2000}
2001
2002
2003
2004
2005/*************************************************
2006* Check argument for control= modifier *
2007*************************************************/
2008
2009/* Called from acl_check_condition() below
2010
2011Arguments:
2012 arg the argument string for control=
2013 pptr set to point to the terminating character
2014 where which ACL we are in
2015 log_msgptr for error messages
2016
2017Returns: CONTROL_xxx value
2018*/
2019
2020static int
2021decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2022{
2023int len;
2024control_def *d;
2025
2026for (d = controls_list;
2027 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2028 d++)
2029 {
2030 len = Ustrlen(d->name);
2031 if (Ustrncmp(d->name, arg, len) == 0) break;
2032 }
2033
2034if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2035 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2036 {
2037 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2038 return CONTROL_ERROR;
2039 }
2040
059ec3d9
PH		 2041*pptr = arg + len;
2042return d->value;
2043}
2044
2045
2046
870f6ba8
TF		 2047/*************************************************
2048* Handle rate limiting *
2049*************************************************/
2050
2051/* Called by acl_check_condition() below to calculate the result
2052of the ACL ratelimit condition.
2053
2054Note that the return value might be slightly unexpected: if the
2055sender's rate is above the limit then the result is OK. This is
2056similar to the dnslists condition, and is so that you can write
2057ACL clauses like: defer ratelimit = 15 / 1h
2058
2059Arguments:
2060 arg the option string for ratelimit=
90fc3069 2061 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2062 log_msgptr for error messages
2063
2064Returns: OK - Sender's rate is above limit
2065 FAIL - Sender's rate is below limit
2066 DEFER - Problem opening ratelimit database
2067 ERROR - Syntax error in options.
2068*/
2069
2070static int
90fc3069 2071acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2072{
2073double limit, period;
f3dcf4a2 2074uschar *ss, *key;
870f6ba8
TF		 2075int sep = '/';
2076BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2077BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2078int old_pool, rc;
2079tree_node **anchor, *t;
2080open_db dbblock, *dbm;
2081dbdata_ratelimit *dbd;
2082struct timeval tv;
2083
2084/* Parse the first two options and record their values in expansion
2085variables. These variables allow the configuration to have informative
2086error messages based on rate limits obtained from a table lookup. */
2087
2088/* First is the maximum number of messages per period and maximum burst
2089size, which must be greater than or equal to zero. Zero is useful for
2090rate measurement as opposed to rate limiting. */
2091
2092sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2093if (sender_rate_limit == NULL)
2094 limit = -1.0;
2095else
2096 {
2097 limit = Ustrtod(sender_rate_limit, &ss);
2098 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2099 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2100 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2101 }
2102if (limit < 0.0 || *ss != 0)
2103 {
2104 *log_msgptr = string_sprintf("syntax error in argument for "
2105 "\"ratelimit\" condition: \"%s\" is not a positive number",
2106 sender_rate_limit);
2107 return ERROR;
2108 }
2109
f3dcf4a2
TF		 2110/* We use the rest of the argument list following the limit as the
2111lookup key, because it doesn't make sense to use the same stored data
2112if the period or options are different. */
2113
2114key = arg;
2115
870f6ba8
TF		 2116/* Second is the rate measurement period and exponential smoothing time
2117constant. This must be strictly greater than zero, because zero leads to
2118run-time division errors. */
2119
2120sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2121if (sender_rate_period == NULL) period = -1.0;
2122else period = readconf_readtime(sender_rate_period, 0, FALSE);
2123if (period <= 0.0)
2124 {
2125 *log_msgptr = string_sprintf("syntax error in argument for "
2126 "\"ratelimit\" condition: \"%s\" is not a time value",
2127 sender_rate_period);
2128 return ERROR;
2129 }
2130
2131/* Parse the other options. Should we check if the per_* options are being
2132used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2133
2134while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2135 != NULL)
2136 {
2137 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2138 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2139 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2140 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2141 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2142 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2143 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2144 else have_key = TRUE;
2145 }
2146if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2147 {
2148 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2149 return ERROR;
2150 }
2151
2152/* Default option values */
2153if (!strict) leaky = TRUE;
2154if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2155
f3dcf4a2 2156/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2157sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2158
2159if (!have_key && sender_host_address != NULL)
2160 key = string_sprintf("%s / %s", key, sender_host_address);
2161
2162HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2163 limit, period, key);
2164
fe0dab11 2165/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2166per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2167so that they survive across resets. */
2168
2169anchor = NULL;
2170old_pool = store_pool;
2171
2172if (per_conn)
2173 {
2174 anchor = &ratelimiters_conn;
2175 store_pool = POOL_PERM;
2176 }
fe0dab11 2177else if (per_mail || per_byte)
870f6ba8 2178 anchor = &ratelimiters_mail;
fe0dab11
TF		 2179else if (per_cmd)
2180 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2181
2182if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2183 {
2184 dbd = t->data.ptr;
2185 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2186 if (dbd->rate < limit) rc = FAIL;
2187 else rc = OK;
870f6ba8
TF		 2188 store_pool = old_pool;
2189 sender_rate = string_sprintf("%.1f", dbd->rate);
2190 HDEBUG(D_acl)
2191 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2192 return rc;
2193 }
2194
2195/* We aren't using a pre-computed rate, so get a previously recorded
2196rate from the database, update it, and write it back. If there's no
2197previous rate for this key, create one. */
2198
2199dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2200if (dbm == NULL)
2201 {
2202 store_pool = old_pool;
2203 sender_rate = NULL;
2204 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2205 *log_msgptr = US"ratelimit database not available";
2206 return DEFER;
2207 }
2208dbd = dbfn_read(dbm, key);
2209
2210gettimeofday(&tv, NULL);
2211
2212if (dbd == NULL)
2213 {
2214 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2215 dbd = store_get(sizeof(dbdata_ratelimit));
2216 dbd->time_stamp = tv.tv_sec;
2217 dbd->time_usec = tv.tv_usec;
2218 dbd->rate = 0.0;
2219 }
2220else
2221 {
2222 /* The smoothed rate is computed using an exponentially weighted moving
2223 average adjusted for variable sampling intervals. The standard EWMA for
2224 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2225 where f() is the measured value and f'() is the smoothed value.
2226
2227 Old data decays out of the smoothed value exponentially, such that data n
2228 samples old is multiplied by a^n. The exponential decay time constant p
2229 is defined such that data p samples old is multiplied by 1/e, which means
2230 that a = exp(-1/p). We can maintain the same time constant for a variable
2231 sampling interval i by using a = exp(-i/p).
2232
2233 The rate we are measuring is messages per period, suitable for directly
2234 comparing with the limit. The average rate between now and the previous
2235 message is period / interval, which we feed into the EWMA as the sample.
2236
2237 It turns out that the number of messages required for the smoothed rate
2238 to reach the limit when they are sent in a burst is equal to the limit.
2239 This can be seen by analysing the value of the smoothed rate after N
2240 messages sent at even intervals. Let k = (1 - a) * p/i
2241
2242 rate_1 = (1 - a) * p/i + a * rate_0
2243 = k + a * rate_0
2244 rate_2 = k + a * rate_1
2245 = k + a * k + a^2 * rate_0
2246 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2247 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2248 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2249 = rate_0 * a^N + p/i * (1 - a^N)
2250
2251 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2252
2253 rate_N = p/i + (rate_0 - p/i) * a^N
2254 a^N = (rate_N - p/i) / (rate_0 - p/i)
2255 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2256 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2257
2258 Numerical analysis of the above equation, setting the computed rate to
2259 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2260 rates, p/i, the number of messages N = limit. So limit serves as both the
2261 maximum rate measured in messages per period, and the maximum number of
2262 messages that can be sent in a fast burst. */
2263
2264 double this_time = (double)tv.tv_sec
2265 + (double)tv.tv_usec / 1000000.0;
2266 double prev_time = (double)dbd->time_stamp
2267 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2268
2269 /* We must avoid division by zero, and deal gracefully with the clock going
2270 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2271 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2272
e5d5a95f
TF		 2273 double interval = this_time - prev_time <= 0.0 ? 1e-9
2274 : this_time - prev_time;
2275
2276 double i_over_p = interval / period;
2277 double a = exp(-i_over_p);
870f6ba8
TF		 2278
2279 dbd->time_stamp = tv.tv_sec;
2280 dbd->time_usec = tv.tv_usec;
2281
2282 /* If we are measuring the rate in bytes per period, multiply the
2283 measured rate by the message size. If we don't know the message size
2284 then it's safe to just use a value of zero and let the recorded rate
2285 decay as if nothing happened. */
2286
2287 if (per_byte)
2288 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2289 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2290 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2291 dbd->rate = (double)recipients_count
2292 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2293 else
2294 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2295 }
2296
3348576f
TF		 2297/* Clients sending at the limit are considered to be over the limit. This
2298matters for edge cases such the first message sent by a client (which gets
2299the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2300be completely blocked). */
2301
2302if (dbd->rate < limit) rc = FAIL;
2303 else rc = OK;
870f6ba8
TF		 2304
2305/* Update the state if the rate is low or if we are being strict. If we
2306are in leaky mode and the sender's rate is too high, we do not update
2307the recorded rate in order to avoid an over-aggressive sender's retry
2308rate preventing them from getting any email through. */
2309
2310if (rc == FAIL || !leaky)
2311 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2312dbfn_close(dbm);
2313
2314/* Store the result in the tree for future reference, if necessary. */
2315
2316if (anchor != NULL)
2317 {
2318 t = store_get(sizeof(tree_node) + Ustrlen(key));
2319 t->data.ptr = dbd;
2320 Ustrcpy(t->name, key);
2321 (void)tree_insertnode(anchor, t);
2322 }
2323
2324/* We create the formatted version of the sender's rate very late in
2325order to ensure that it is done using the correct storage pool. */
2326
2327store_pool = old_pool;
2328sender_rate = string_sprintf("%.1f", dbd->rate);
2329
2330HDEBUG(D_acl)
2331 debug_printf("ratelimit computed rate %s\n", sender_rate);
2332
2333return rc;
2334}
2335
2336
2337
059ec3d9
PH		 2338/*************************************************
2339* Handle conditions/modifiers on an ACL item *
2340*************************************************/
2341
2342/* Called from acl_check() below.
2343
2344Arguments:
2345 verb ACL verb
2346 cb ACL condition block - if NULL, result is OK
2347 where where called from
2348 addr the address being checked for RCPT, or NULL
2349 level the nesting level
2350 epp pointer to pass back TRUE if "endpass" encountered
2351 (applies only to "accept" and "discard")
2352 user_msgptr user message pointer
2353 log_msgptr log message pointer
2354 basic_errno pointer to where to put verify error
2355
2356Returns: OK - all conditions are met
2357 DISCARD - an "acl" condition returned DISCARD - only allowed
2358 for "accept" or "discard" verbs
2359 FAIL - at least one condition fails
2360 FAIL_DROP - an "acl" condition returned FAIL_DROP
2361 DEFER - can't tell at the moment (typically, lookup defer,
2362 but can be temporary callout problem)
2363 ERROR - ERROR from nested ACL or expansion failure or other
2364 error
2365*/
2366
2367static int
2368acl_check_condition(int verb, acl_condition_block *cb, int where,
2369 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2370 uschar **log_msgptr, int *basic_errno)
2371{
2372uschar *user_message = NULL;
2373uschar *log_message = NULL;
91ecef39 2374uschar *p = NULL;
059ec3d9 2375int rc = OK;
8523533c
TK		 2376#ifdef WITH_CONTENT_SCAN
2377int sep = '/';
2378#endif
059ec3d9
PH		 2379
2380for (; cb != NULL; cb = cb->next)
2381 {
2382 uschar *arg;
8e669ac1 2383 int control_type;
059ec3d9
PH		 2384
2385 /* The message and log_message items set up messages to be used in
2386 case of rejection. They are expanded later. */
2387
2388 if (cb->type == ACLC_MESSAGE)
2389 {
2390 user_message = cb->arg;
2391 continue;
2392 }
2393
2394 if (cb->type == ACLC_LOG_MESSAGE)
2395 {
2396 log_message = cb->arg;
2397 continue;
2398 }
2399
2400 /* The endpass "condition" just sets a flag to show it occurred. This is
2401 checked at compile time to be on an "accept" or "discard" item. */
2402
2403 if (cb->type == ACLC_ENDPASS)
2404 {
2405 *epp = TRUE;
2406 continue;
2407 }
2408
2409 /* For other conditions and modifiers, the argument is expanded now for some
2410 of them, but not for all, because expansion happens down in some lower level
2411 checking functions in some cases. */
2412
2413 if (cond_expand_at_top[cb->type])
2414 {
2415 arg = expand_string(cb->arg);
2416 if (arg == NULL)
2417 {
2418 if (expand_string_forcedfail) continue;
2419 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2420 cb->arg, expand_string_message);
2421 return search_find_defer? DEFER : ERROR;
2422 }
2423 }
2424 else arg = cb->arg;
2425
2426 /* Show condition, and expanded condition if it's different */
2427
2428 HDEBUG(D_acl)
2429 {
2430 int lhswidth = 0;
2431 debug_printf("check %s%s %n",
2432 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2433 conditions[cb->type], &lhswidth);
2434
2435 if (cb->type == ACLC_SET)
2436 {
38a0a95f
PH		 2437 debug_printf("acl_%s ", cb->u.varname);
2438 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2439 }
2440
2441 debug_printf("= %s\n", cb->arg);
2442
2443 if (arg != cb->arg)
2444 debug_printf("%.*s= %s\n", lhswidth,
2445 US" ", CS arg);
2446 }
2447
2448 /* Check that this condition makes sense at this time */
2449
2450 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2451 {
2452 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2453 cond_modifiers[cb->type]? "use" : "test",
2454 conditions[cb->type], acl_wherenames[where]);
2455 return ERROR;
2456 }
2457
2458 /* Run the appropriate test for each condition, or take the appropriate
2459 action for the remaining modifiers. */
2460
2461 switch(cb->type)
2462 {
71fafd95
PH		 2463 case ACLC_ADD_HEADER:
2464 setup_header(arg);
2465 break;
2466
059ec3d9
PH		 2467 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2468 "discard" verb. */
71fafd95 2469
059ec3d9
PH		 2470 case ACLC_ACL:
2471 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2472 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2473 {
2474 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2475 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2476 verbs[verb]);
2477 return ERROR;
2478 }
2479 break;
2480
2481 case ACLC_AUTHENTICATED:
2482 rc = (sender_host_authenticated == NULL)? FAIL :
2483 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2484 TRUE, NULL);
2485 break;
2486
71fafd95 2487 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2488 case ACLC_BMI_OPTIN:
2489 {
2490 int old_pool = store_pool;
2491 store_pool = POOL_PERM;
2492 bmi_current_optin = string_copy(arg);
2493 store_pool = old_pool;
2494 }
2495 break;
71fafd95 2496 #endif
8523533c 2497
059ec3d9
PH		 2498 case ACLC_CONDITION:
2499 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2500 rc = (Uatoi(arg) == 0)? FAIL : OK;
2501 else
2502 rc = (strcmpic(arg, US"no") == 0 ||
2503 strcmpic(arg, US"false") == 0)? FAIL :
2504 (strcmpic(arg, US"yes") == 0 ||
2505 strcmpic(arg, US"true") == 0)? OK : DEFER;
2506 if (rc == DEFER)
2507 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2508 break;
2509
2510 case ACLC_CONTROL:
c5fcb476
PH		 2511 control_type = decode_control(arg, &p, where, log_msgptr);
2512
8523533c 2513 /* Check if this control makes sense at this time */
c5fcb476
PH		 2514
2515 if ((control_forbids[control_type] & (1 << where)) != 0)
2516 {
2517 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2518 controls[control_type], acl_wherenames[where]);
2519 return ERROR;
8e669ac1 2520 }
c5fcb476
PH		 2521
2522 switch(control_type)
059ec3d9 2523 {
c46782ef
PH		 2524 case CONTROL_AUTH_UNADVERTISED:
2525 allow_auth_unadvertised = TRUE;
2526 break;
2527
2528 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2529 case CONTROL_BMI_RUN:
2530 bmi_run = 1;
2531 break;
c46782ef
PH		 2532 #endif
2533
2534 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2535 case CONTROL_DK_VERIFY:
2536 dk_do_verify = 1;
2537 break;
c46782ef
PH		 2538 #endif
2539
059ec3d9
PH		 2540 case CONTROL_ERROR:
2541 return ERROR;
2542
2543 case CONTROL_CASEFUL_LOCAL_PART:
2544 deliver_localpart = addr->cc_local_part;
2545 break;
2546
2547 case CONTROL_CASELOWER_LOCAL_PART:
2548 deliver_localpart = addr->lc_local_part;
2549 break;
2550
2551 case CONTROL_ENFORCE_SYNC:
2552 smtp_enforce_sync = TRUE;
2553 break;
2554
2555 case CONTROL_NO_ENFORCE_SYNC:
2556 smtp_enforce_sync = FALSE;
2557 break;
2558
c46782ef 2559 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2560 case CONTROL_NO_MBOX_UNSPOOL:
2561 no_mbox_unspool = TRUE;
2562 break;
c46782ef 2563 #endif
8523533c 2564
059ec3d9
PH		 2565 case CONTROL_NO_MULTILINE:
2566 no_multiline_responses = TRUE;
2567 break;
2568
29aba418 2569 case CONTROL_FAKEDEFER:
8523533c 2570 case CONTROL_FAKEREJECT:
29aba418 2571 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2572 if (*p == '/')
8e669ac1 2573 {
8523533c 2574 uschar *pp = p + 1;
8e669ac1 2575 while (*pp != 0) pp++;
29aba418 2576 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2577 p = pp;
2578 }
2579 else
2580 {
2581 /* Explicitly reset to default string */
29aba418 2582 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2583 }
2584 break;
8523533c 2585
059ec3d9
PH		 2586 case CONTROL_FREEZE:
2587 deliver_freeze = TRUE;
2588 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2589 freeze_tell = freeze_tell_config; /* Reset to configured value */
2590 if (Ustrncmp(p, "/no_tell", 8) == 0)
2591 {
2592 p += 8;
2593 freeze_tell = NULL;
2594 }
2595 if (*p != 0)
2596 {
2597 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2598 return ERROR;
2599 }
059ec3d9
PH		 2600 break;
2601
2602 case CONTROL_QUEUE_ONLY:
2603 queue_only_policy = TRUE;
2604 break;
2605
2606 case CONTROL_SUBMISSION:
87ba3f5f 2607 originator_name = US"";
059ec3d9 2608 submission_mode = TRUE;
69358f02 2609 while (*p == '/')
8e669ac1 2610 {
69358f02
PH		 2611 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2612 {
2613 p += 14;
2614 active_local_sender_retain = TRUE;
8e669ac1
PH		 2615 active_local_from_check = FALSE;
2616 }
69358f02
PH		 2617 else if (Ustrncmp(p, "/domain=", 8) == 0)
2618 {
2619 uschar *pp = p + 8;
8e669ac1 2620 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2621 submission_domain = string_copyn(p+8, pp-p-8);
2622 p = pp;
2623 }
8857ccfd
PH		 2624 /* The name= option must be last, because it swallows the rest of
2625 the string. */
87ba3f5f
PH		 2626 else if (Ustrncmp(p, "/name=", 6) == 0)
2627 {
2628 uschar *pp = p + 6;
8857ccfd 2629 while (*pp != 0) pp++;
2fe1a124 2630 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2631 big_buffer, big_buffer_size));
8e669ac1 2632 p = pp;
69358f02 2633 }
8e669ac1
PH		 2634 else break;
2635 }
69358f02 2636 if (*p != 0)
059ec3d9 2637 {
69358f02 2638 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2639 return ERROR;
2640 }
2641 break;
8800895a
PH		 2642
2643 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2644 suppress_local_fixups = TRUE;
2645 break;
059ec3d9
PH		 2646 }
2647 break;
2648
71fafd95 2649 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2650 case ACLC_DECODE:
2651 rc = mime_decode(&arg);
2652 break;
71fafd95 2653 #endif
8523533c 2654
059ec3d9
PH		 2655 case ACLC_DELAY:
2656 {
2657 int delay = readconf_readtime(arg, 0, FALSE);
2658 if (delay < 0)
2659 {
2660 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2661 "modifier: \"%s\" is not a time value", arg);
2662 return ERROR;
2663 }
2664 else
2665 {
2666 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2667 delay);
2668 if (host_checking)
2669 {
2670 HDEBUG(D_acl)
2671 debug_printf("delay skipped in -bh checking mode\n");
2672 }
010c2d14
PH		 2673
2674 /* It appears to be impossible to detect that a TCP/IP connection has
2675 gone away without reading from it. This means that we cannot shorten
2676 the delay below if the client goes away, because we cannot discover
2677 that the client has closed its end of the connection. (The connection
2678 is actually in a half-closed state, waiting for the server to close its
2679 end.) It would be nice to be able to detect this state, so that the
2680 Exim process is not held up unnecessarily. However, it seems that we
2681 can't. The poll() function does not do the right thing, and in any case
2682 it is not always available.
2683
2684 NOTE: If ever this state of affairs changes, remember that we may be
2685 dealing with stdin/stdout here, in addition to TCP/IP connections.
2686 Whatever is done must work in both cases. To detected the stdin/stdout
2687 case, check for smtp_in or smtp_out being NULL. */
2688
8e669ac1 2689 else
86b8287f
PH		 2690 {
2691 while (delay > 0) delay = sleep(delay);
8e669ac1 2692 }
059ec3d9
PH		 2693 }
2694 }
2695 break;
2696
71fafd95 2697 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2698 case ACLC_DEMIME:
2699 rc = demime(&arg);
2700 break;
71fafd95 2701 #endif
8523533c 2702
71fafd95
PH		 2703 #ifdef EXPERIMENTAL_DOMAINKEYS
2704 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2705 if (dk_verify_block == NULL) { rc = FAIL; break; };
2706 /* check header source of domain against given string */
2707 switch (dk_verify_block->address_source) {
2708 case DK_EXIM_ADDRESS_FROM_FROM:
2709 rc = match_isinlist(US"from", &arg, 0, NULL,
2710 NULL, MCL_STRING, TRUE, NULL);
2711 break;
2712 case DK_EXIM_ADDRESS_FROM_SENDER:
2713 rc = match_isinlist(US"sender", &arg, 0, NULL,
2714 NULL, MCL_STRING, TRUE, NULL);
2715 break;
2716 case DK_EXIM_ADDRESS_NONE:
2717 rc = match_isinlist(US"none", &arg, 0, NULL,
2718 NULL, MCL_STRING, TRUE, NULL);
2719 break;
71fafd95
PH		 2720 }
2721 break;
2722
2723 case ACLC_DK_POLICY:
fb2274d4
TK		 2724 if (dk_verify_block == NULL) { rc = FAIL; break; };
2725 /* check policy against given string, default FAIL */
2726 rc = FAIL;
2727 if (dk_verify_block->signsall)
2728 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2729 NULL, MCL_STRING, TRUE, NULL);
2730 if (dk_verify_block->testing)
2731 rc = match_isinlist(US"testing", &arg, 0, NULL,
2732 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2733 break;
2734
2735 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2736 if (dk_verify_block == NULL) { rc = FAIL; break; };
2737 if (dk_verify_block->domain != NULL)
2738 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2739 NULL, MCL_DOMAIN, TRUE, NULL);
2740 else rc = FAIL;
71fafd95
PH		 2741 break;
2742
2743 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2744 if (dk_verify_block == NULL) { rc = FAIL; break; };
2745 if (dk_verify_block->local_part != NULL)
2746 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2747 NULL, MCL_LOCALPART, TRUE, NULL);
2748 else rc = FAIL;
71fafd95
PH		 2749 break;
2750
2751 case ACLC_DK_SENDERS:
fb2274d4
TK		 2752 if (dk_verify_block == NULL) { rc = FAIL; break; };
2753 if (dk_verify_block->address != NULL)
2754 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2755 else rc = FAIL;
71fafd95
PH		 2756 break;
2757
2758 case ACLC_DK_STATUS:
fb2274d4
TK		 2759 if (dk_verify_block == NULL) { rc = FAIL; break; };
2760 if (dk_verify_block->result > 0) {
2761 switch(dk_verify_block->result) {
2762 case DK_EXIM_RESULT_BAD_FORMAT:
2763 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2764 NULL, MCL_STRING, TRUE, NULL);
2765 break;
2766 case DK_EXIM_RESULT_NO_KEY:
2767 rc = match_isinlist(US"no key", &arg, 0, NULL,
2768 NULL, MCL_STRING, TRUE, NULL);
2769 break;
2770 case DK_EXIM_RESULT_NO_SIGNATURE:
2771 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2772 NULL, MCL_STRING, TRUE, NULL);
2773 break;
2774 case DK_EXIM_RESULT_REVOKED:
2775 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2776 NULL, MCL_STRING, TRUE, NULL);
2777 break;
2778 case DK_EXIM_RESULT_NON_PARTICIPANT:
2779 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2780 NULL, MCL_STRING, TRUE, NULL);
2781 break;
2782 case DK_EXIM_RESULT_GOOD:
2783 rc = match_isinlist(US"good", &arg, 0, NULL,
2784 NULL, MCL_STRING, TRUE, NULL);
2785 break;
2786 case DK_EXIM_RESULT_BAD:
2787 rc = match_isinlist(US"bad", &arg, 0, NULL,
2788 NULL, MCL_STRING, TRUE, NULL);
2789 break;
71fafd95 2790 }
fb2274d4 2791 }
71fafd95
PH		 2792 break;
2793 #endif
fb2274d4 2794
059ec3d9
PH		 2795 case ACLC_DNSLISTS:
2796 rc = verify_check_dnsbl(&arg);
2797 break;
2798
2799 case ACLC_DOMAINS:
2800 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2801 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2802 break;
2803
2804 /* The value in tls_cipher is the full cipher name, for example,
2805 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2806 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2807 what may in practice come out of the SSL library - which at the time of
2808 writing is poorly documented. */
2809
2810 case ACLC_ENCRYPTED:
2811 if (tls_cipher == NULL) rc = FAIL; else
2812 {
2813 uschar *endcipher = NULL;
2814 uschar *cipher = Ustrchr(tls_cipher, ':');
2815 if (cipher == NULL) cipher = tls_cipher; else
2816 {
2817 endcipher = Ustrchr(++cipher, ':');
2818 if (endcipher != NULL) *endcipher = 0;
2819 }
2820 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2821 if (endcipher != NULL) *endcipher = ':';
2822 }
2823 break;
2824
2825 /* Use verify_check_this_host() instead of verify_check_host() so that
2826 we can pass over &host_data to catch any looked up data. Once it has been
2827 set, it retains its value so that it's still there if another ACL verb
2828 comes through here and uses the cache. However, we must put it into
2829 permanent store in case it is also expected to be used in a subsequent
2830 message in the same SMTP connection. */
2831
2832 case ACLC_HOSTS:
2833 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2834 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2835 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2836 break;
2837
2838 case ACLC_LOCAL_PARTS:
2839 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2840 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2841 &deliver_localpart_data);
2842 break;
2843
2844 case ACLC_LOGWRITE:
2845 {
2846 int logbits = 0;
2847 uschar *s = arg;
2848 if (*s == ':')
2849 {
2850 s++;
2851 while (*s != ':')
2852 {
2853 if (Ustrncmp(s, "main", 4) == 0)
2854 { logbits |= LOG_MAIN; s += 4; }
2855 else if (Ustrncmp(s, "panic", 5) == 0)
2856 { logbits |= LOG_PANIC; s += 5; }
2857 else if (Ustrncmp(s, "reject", 6) == 0)
2858 { logbits |= LOG_REJECT; s += 6; }
2859 else
2860 {
2861 logbits = LOG_MAIN|LOG_PANIC;
2862 s = string_sprintf(":unknown log name in \"%s\" in "
2863 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2864 }
2865 if (*s == ',') s++;
2866 }
2867 s++;
2868 }
2869 while (isspace(*s)) s++;
2870 if (logbits == 0) logbits = LOG_MAIN;
2871 log_write(0, logbits, "%s", string_printing(s));
2872 }
2873 break;
8e669ac1 2874
71fafd95 2875 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2876 case ACLC_MALWARE:
2877 {
2878 /* Seperate the regular expression and any optional parameters. */
2879 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2880 /* Run the malware backend. */
2881 rc = malware(&ss);
2882 /* Modify return code based upon the existance of options. */
2883 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2884 != NULL) {
2885 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2886 {
2887 /* FAIL so that the message is passed to the next ACL */
2888 rc = FAIL;
2889 }
2890 }
2891 }
2892 break;
2893
2894 case ACLC_MIME_REGEX:
71fafd95 2895 rc = mime_regex(&arg);
8523533c 2896 break;
71fafd95 2897 #endif
059ec3d9 2898
870f6ba8 2899 case ACLC_RATELIMIT:
90fc3069 2900 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2901 break;
2902
059ec3d9
PH		 2903 case ACLC_RECIPIENTS:
2904 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2905 &recipient_data);
2906 break;
2907
71fafd95
PH		 2908 #ifdef WITH_CONTENT_SCAN
2909 case ACLC_REGEX:
2910 rc = regex(&arg);
8523533c 2911 break;
71fafd95 2912 #endif
8523533c 2913
059ec3d9
PH		 2914 case ACLC_SENDER_DOMAINS:
2915 {
2916 uschar *sdomain;
2917 sdomain = Ustrrchr(sender_address, '@');
2918 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2919 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2920 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2921 }
2922 break;
2923
2924 case ACLC_SENDERS:
2925 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2926 sender_address_cache, -1, 0, &sender_data);
2927 break;
2928
2929 /* Connection variables must persist forever */
2930
2931 case ACLC_SET:
2932 {
2933 int old_pool = store_pool;
38a0a95f
PH		 2934 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2935 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 2936 store_pool = old_pool;
2937 }
2938 break;
2939
71fafd95 2940 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2941 case ACLC_SPAM:
2942 {
2943 /* Seperate the regular expression and any optional parameters. */
2944 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2945 /* Run the spam backend. */
2946 rc = spam(&ss);
2947 /* Modify return code based upon the existance of options. */
2948 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2949 != NULL) {
2950 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2951 {
2952 /* FAIL so that the message is passed to the next ACL */
2953 rc = FAIL;
2954 }
2955 }
2956 }
2957 break;
71fafd95 2958 #endif
8523533c 2959
71fafd95 2960 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 2961 case ACLC_SPF:
2962 rc = spf_process(&arg, sender_address);
2963 break;
71fafd95 2964 #endif
8523533c 2965
059ec3d9
PH		 2966 /* If the verb is WARN, discard any user message from verification, because
2967 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 2968 only from explicit "message" modifiers. However, put the user message into
2969 $acl_verify_message so it can be used in subsequent conditions or modifiers
2970 (until something changes it). */
059ec3d9
PH		 2971
2972 case ACLC_VERIFY:
2973 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2974 acl_verify_message = *user_msgptr;
059ec3d9
PH		 2975 if (verb == ACL_WARN) *user_msgptr = NULL;
2976 break;
2977
2978 default:
2979 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2980 "condition %d", cb->type);
2981 break;
2982 }
2983
2984 /* If a condition was negated, invert OK/FAIL. */
2985
2986 if (!cond_modifiers[cb->type] && cb->u.negated)
2987 {
2988 if (rc == OK) rc = FAIL;
2989 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2990 }
2991
2992 if (rc != OK) break; /* Conditions loop */
2993 }
2994
2995
2996/* If the result is the one for which "message" and/or "log_message" are used,
2997handle the values of these options. Most verbs have but a single return for
2998which the messages are relevant, but for "discard", it's useful to have the log
2999message both when it succeeds and when it fails. Also, for an "accept" that
3000appears in a QUIT ACL, we want to handle the user message. Since only "accept"
3001and "warn" are permitted in that ACL, we don't need to test the verb.
3002
3003These modifiers act in different ways:
3004
3005"message" is a user message that will be included in an SMTP response. Unless
3006it is empty, it overrides any previously set user message.
3007
3008"log_message" is a non-user message, and it adds to any existing non-user
3009message that is already set.
3010
3011If there isn't a log message set, we make it the same as the user message. */
3012
3013if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
3014 (verb == ACL_DISCARD && rc == OK) ||
3015 (where == ACL_WHERE_QUIT))
3016 {
3017 uschar *expmessage;
3018
3019 /* If the verb is "warn", messages generated by conditions (verification or
3020 nested ACLs) are discarded. Only messages specified at this level are used.
3021 However, the value of an existing message is available in $acl_verify_message
3022 during expansions. */
3023
3024 uschar *old_user_msgptr = *user_msgptr;
3025 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
3026
3027 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
3028
3029 if (user_message != NULL)
3030 {
3031 acl_verify_message = old_user_msgptr;
3032 expmessage = expand_string(user_message);
3033 if (expmessage == NULL)
3034 {
3035 if (!expand_string_forcedfail)
3036 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3037 user_message, expand_string_message);
3038 }
3039 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3040 }
3041
3042 if (log_message != NULL)
3043 {
3044 acl_verify_message = old_log_msgptr;
3045 expmessage = expand_string(log_message);
3046 if (expmessage == NULL)
3047 {
3048 if (!expand_string_forcedfail)
3049 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3050 log_message, expand_string_message);
3051 }
3052 else if (expmessage[0] != 0)
3053 {
3054 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3055 string_sprintf("%s: %s", expmessage, *log_msgptr);
3056 }
3057 }
3058
3059 /* If no log message, default it to the user message */
3060
3061 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3062 }
3063
3064acl_verify_message = NULL;
3065return rc;
3066}
3067
3068
3069
3070
3071
3072/*************************************************
3073* Get line from a literal ACL *
3074*************************************************/
3075
3076/* This function is passed to acl_read() in order to extract individual lines
3077of a literal ACL, which we access via static pointers. We can destroy the
3078contents because this is called only once (the compiled ACL is remembered).
3079
3080This code is intended to treat the data in the same way as lines in the main
3081Exim configuration file. That is:
3082
3083 . Leading spaces are ignored.
3084
3085 . A \ at the end of a line is a continuation - trailing spaces after the \
3086 are permitted (this is because I don't believe in making invisible things
3087 significant). Leading spaces on the continued part of a line are ignored.
3088
3089 . Physical lines starting (significantly) with # are totally ignored, and
3090 may appear within a sequence of backslash-continued lines.
3091
3092 . Blank lines are ignored, but will end a sequence of continuations.
3093
3094Arguments: none
3095Returns: a pointer to the next line
3096*/
3097
3098
3099static uschar *acl_text; /* Current pointer in the text */
3100static uschar *acl_text_end; /* Points one past the terminating '0' */
3101
3102
3103static uschar *
3104acl_getline(void)
3105{
3106uschar *yield;
3107
3108/* This loop handles leading blank lines and comments. */
3109
3110for(;;)
3111 {
3112 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3113 if (*acl_text == 0) return NULL; /* No more data */
3114 yield = acl_text; /* Potential data line */
3115
3116 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3117
3118 /* If we hit the end before a newline, we have the whole logical line. If
3119 it's a comment, there's no more data to be given. Otherwise, yield it. */
3120
3121 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3122
3123 /* After reaching a newline, end this loop if the physical line does not
3124 start with '#'. If it does, it's a comment, and the loop continues. */
3125
3126 if (*yield != '#') break;
3127 }
3128
3129/* This loop handles continuations. We know we have some real data, ending in
3130newline. See if there is a continuation marker at the end (ignoring trailing
3131white space). We know that *yield is not white space, so no need to test for
3132cont > yield in the backwards scanning loop. */
3133
3134for(;;)
3135 {
3136 uschar *cont;
3137 for (cont = acl_text - 1; isspace(*cont); cont--);
3138
3139 /* If no continuation follows, we are done. Mark the end of the line and
3140 return it. */
3141
3142 if (*cont != '\\')
3143 {
3144 *acl_text++ = 0;
3145 return yield;
3146 }
3147
3148 /* We have encountered a continuation. Skip over whitespace at the start of
3149 the next line, and indeed the whole of the next line or lines if they are
3150 comment lines. */
3151
3152 for (;;)
3153 {
3154 while (*(++acl_text) == ' ' || *acl_text == '\t');
3155 if (*acl_text != '#') break;
3156 while (*(++acl_text) != 0 && *acl_text != '\n');
3157 }
3158
3159 /* We have the start of a continuation line. Move all the rest of the data
3160 to join onto the previous line, and then find its end. If the end is not a
3161 newline, we are done. Otherwise loop to look for another continuation. */
3162
3163 memmove(cont, acl_text, acl_text_end - acl_text);
3164 acl_text_end -= acl_text - cont;
3165 acl_text = cont;
3166 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3167 if (*acl_text == 0) return yield;
3168 }
3169
3170/* Control does not reach here */
3171}
3172
3173
3174
3175
3176
3177/*************************************************
3178* Check access using an ACL *
3179*************************************************/
3180
3181/* This function is called from address_check. It may recurse via
3182acl_check_condition() - hence the use of a level to stop looping. The ACL is
3183passed as a string which is expanded. A forced failure implies no access check
3184is required. If the result is a single word, it is taken as the name of an ACL
3185which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3186text, complete with newlines, and parsed as such. In both cases, the ACL check
3187is then run. This function uses an auxiliary function for acl_read() to call
3188for reading individual lines of a literal ACL. This is acl_getline(), which
3189appears immediately above.
3190
3191Arguments:
3192 where where called from
3193 addr address item when called from RCPT; otherwise NULL
3194 s the input string; NULL is the same as an empty ACL => DENY
3195 level the nesting level
3196 user_msgptr where to put a user error (for SMTP response)
3197 log_msgptr where to put a logging message (not for SMTP response)
3198
3199Returns: OK access is granted
3200 DISCARD access is apparently granted...
3201 FAIL access is denied
3202 FAIL_DROP access is denied; drop the connection
3203 DEFER can't tell at the moment
3204 ERROR disaster
3205*/
3206
3207static int
3208acl_check_internal(int where, address_item *addr, uschar *s, int level,
3209 uschar **user_msgptr, uschar **log_msgptr)
3210{
3211int fd = -1;
3212acl_block *acl = NULL;
3213uschar *acl_name = US"inline ACL";
3214uschar *ss;
3215
3216/* Catch configuration loops */
3217
3218if (level > 20)
3219 {
3220 *log_msgptr = US"ACL nested too deep: possible loop";
3221 return ERROR;
3222 }
3223
3224if (s == NULL)
3225 {
3226 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3227 return FAIL;
3228 }
3229
3230/* At top level, we expand the incoming string. At lower levels, it has already
3231been expanded as part of condition processing. */
3232
3233if (level == 0)
3234 {
3235 ss = expand_string(s);
3236 if (ss == NULL)
3237 {
3238 if (expand_string_forcedfail) return OK;
3239 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3240 expand_string_message);
3241 return ERROR;
3242 }
3243 }
3244else ss = s;
3245
3246while (isspace(*ss))ss++;
3247
3248/* If we can't find a named ACL, the default is to parse it as an inline one.
3249(Unless it begins with a slash; non-existent files give rise to an error.) */
3250
3251acl_text = ss;
3252
3253/* Handle the case of a string that does not contain any spaces. Look for a
3254named ACL among those read from the configuration, or a previously read file.
3255It is possible that the pointer to the ACL is NULL if the configuration
3256contains a name with no data. If not found, and the text begins with '/',
3257read an ACL from a file, and save it so it can be re-used. */
3258
3259if (Ustrchr(ss, ' ') == NULL)
3260 {
3261 tree_node *t = tree_search(acl_anchor, ss);
3262 if (t != NULL)
3263 {
3264 acl = (acl_block *)(t->data.ptr);
3265 if (acl == NULL)
3266 {
3267 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3268 return FAIL;
3269 }
3270 acl_name = string_sprintf("ACL \"%s\"", ss);
3271 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3272 }
3273
3274 else if (*ss == '/')
3275 {
3276 struct stat statbuf;
3277 fd = Uopen(ss, O_RDONLY, 0);
3278 if (fd < 0)
3279 {
3280 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3281 strerror(errno));
3282 return ERROR;
3283 }
3284
3285 if (fstat(fd, &statbuf) != 0)
3286 {
3287 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3288 strerror(errno));
3289 return ERROR;
3290 }
3291
3292 acl_text = store_get(statbuf.st_size + 1);
3293 acl_text_end = acl_text + statbuf.st_size + 1;
3294
3295 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3296 {
3297 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3298 ss, strerror(errno));
3299 return ERROR;
3300 }
3301 acl_text[statbuf.st_size] = 0;
f1e894f3 3302 (void)close(fd);
059ec3d9
PH		 3303
3304 acl_name = string_sprintf("ACL \"%s\"", ss);
3305 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3306 }
3307 }
3308
3309/* Parse an ACL that is still in text form. If it came from a file, remember it
3310in the ACL tree, having read it into the POOL_PERM store pool so that it
3311persists between multiple messages. */
3312
3313if (acl == NULL)
3314 {
3315 int old_pool = store_pool;
3316 if (fd >= 0) store_pool = POOL_PERM;
3317 acl = acl_read(acl_getline, log_msgptr);
3318 store_pool = old_pool;
3319 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3320 if (fd >= 0)
3321 {
3322 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3323 Ustrcpy(t->name, ss);
3324 t->data.ptr = acl;
3325 (void)tree_insertnode(&acl_anchor, t);
3326 }
3327 }
3328
3329/* Now we have an ACL to use. It's possible it may be NULL. */
3330
3331while (acl != NULL)
3332 {
3333 int cond;
3334 int basic_errno = 0;
3335 BOOL endpass_seen = FALSE;
3336
3337 *log_msgptr = *user_msgptr = NULL;
3338 acl_temp_details = FALSE;
3339
3340 if (where == ACL_WHERE_QUIT &&
3341 acl->verb != ACL_ACCEPT &&
3342 acl->verb != ACL_WARN)
3343 {
3344 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3345 verbs[acl->verb]);
3346 return ERROR;
3347 }
3348
3349 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3350
3351 /* Clear out any search error message from a previous check before testing
3352 this condition. */
3353
3354 search_error_message = NULL;
3355 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3356 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3357
3358 /* Handle special returns: DEFER causes a return except on a WARN verb;
3359 ERROR always causes a return. */
3360
3361 switch (cond)
3362 {
3363 case DEFER:
3364 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3365 if (basic_errno != ERRNO_CALLOUTDEFER)
3366 {
3367 if (search_error_message != NULL && *search_error_message != 0)
3368 *log_msgptr = search_error_message;
3369 if (smtp_return_error_details) acl_temp_details = TRUE;
3370 }
3371 else
3372 {
3373 acl_temp_details = TRUE;
3374 }
3375 if (acl->verb != ACL_WARN) return DEFER;
3376 break;
3377
3378 default: /* Paranoia */
3379 case ERROR:
3380 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3381 return ERROR;
3382
3383 case OK:
3384 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3385 verbs[acl->verb]);
3386 break;
3387
3388 case FAIL:
3389 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3390 break;
3391
3392 /* DISCARD and DROP can happen only from a nested ACL condition, and
3393 DISCARD can happen only for an "accept" or "discard" verb. */
3394
3395 case DISCARD:
3396 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3397 verbs[acl->verb]);
3398 break;
3399
3400 case FAIL_DROP:
3401 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3402 verbs[acl->verb]);
3403 break;
3404 }
3405
3406 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3407 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3408 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3409
3410 switch(acl->verb)
3411 {
3412 case ACL_ACCEPT:
3413 if (cond == OK || cond == DISCARD) return cond;
3414 if (endpass_seen)
3415 {
3416 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3417 return cond;
3418 }
3419 break;
3420
3421 case ACL_DEFER:
3422 if (cond == OK)
3423 {
3424 acl_temp_details = TRUE;
3425 return DEFER;
3426 }
3427 break;
3428
3429 case ACL_DENY:
3430 if (cond == OK) return FAIL;
3431 break;
3432
3433 case ACL_DISCARD:
3434 if (cond == OK || cond == DISCARD) return DISCARD;
3435 if (endpass_seen)
3436 {
3437 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3438 return cond;
3439 }
3440 break;
3441
3442 case ACL_DROP:
3443 if (cond == OK) return FAIL_DROP;
3444 break;
3445
3446 case ACL_REQUIRE:
3447 if (cond != OK) return cond;
3448 break;
3449
3450 case ACL_WARN:
3451 if (cond == OK)
3452 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3453 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3454 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3455 "condition test deferred%s%s", host_and_ident(TRUE),
3456 (*log_msgptr == NULL)? US"" : US": ",
3457 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3458 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3459 break;
3460
3461 default:
3462 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3463 acl->verb);
3464 break;
3465 }
3466
3467 /* Pass to the next ACL item */
3468
3469 acl = acl->next;
3470 }
3471
3472/* We have reached the end of the ACL. This is an implicit DENY. */
3473
3474HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3475return FAIL;
3476}
3477
3478
3479/*************************************************
3480* Check access using an ACL *
3481*************************************************/
3482
3483/* This is the external interface for ACL checks. It sets up an address and the
3484expansions for $domain and $local_part when called after RCPT, then calls
3485acl_check_internal() to do the actual work.
3486
3487Arguments:
3488 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3489 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3490 s the input string; NULL is the same as an empty ACL => DENY
3491 user_msgptr where to put a user error (for SMTP response)
3492 log_msgptr where to put a logging message (not for SMTP response)
3493
3494Returns: OK access is granted by an ACCEPT verb
3495 DISCARD access is granted by a DISCARD verb
3496 FAIL access is denied
3497 FAIL_DROP access is denied; drop the connection
3498 DEFER can't tell at the moment
3499 ERROR disaster
3500*/
3501
3502int
64ffc24f 3503acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3504 uschar **log_msgptr)
3505{
3506int rc;
3507address_item adb;
64ffc24f 3508address_item *addr = NULL;
059ec3d9
PH		 3509
3510*user_msgptr = *log_msgptr = NULL;
3511sender_verified_failed = NULL;
fe0dab11 3512ratelimiters_cmd = NULL;
059ec3d9
PH		 3513
3514if (where == ACL_WHERE_RCPT)
3515 {
3516 adb = address_defaults;
3517 addr = &adb;
64ffc24f 3518 addr->address = recipient;
059ec3d9
PH		 3519 if (deliver_split_address(addr) == DEFER)
3520 {
3521 *log_msgptr = US"defer in percent_hack_domains check";
3522 return DEFER;
3523 }
3524 deliver_domain = addr->domain;
3525 deliver_localpart = addr->local_part;
3526 }
059ec3d9
PH		 3527
3528rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3529
64ffc24f
PH		 3530deliver_domain = deliver_localpart = deliver_address_data =
3531 sender_address_data = NULL;
059ec3d9
PH		 3532
3533/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3534ACL, which is really in the middle of an SMTP command. */
3535
3536if (rc == DISCARD)
3537 {
3538 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3539 {
3540 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3541 "ACL", acl_wherenames[where]);
3542 return ERROR;
3543 }
3544 return DISCARD;
3545 }
3546
3547/* A DROP response is not permitted from MAILAUTH */
3548
3549if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3550 {
3551 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3552 "ACL", acl_wherenames[where]);
3553 return ERROR;
3554 }
3555
3556/* Before giving an error response, take a look at the length of any user
3557message, and split it up into multiple lines if possible. */
3558
3559if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3560 {
3561 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3562 uschar *ss = s;
3563
3564 for (;;)
3565 {
3566 int i = 0;
3567 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3568 if (*ss == 0) break;
3569 if (*ss == '\n')
3570 s = ++ss;
3571 else
3572 {
3573 uschar *t = ss + 1;
3574 uschar *tt = NULL;
3575 while (--t > s + 35)
3576 {
3577 if (*t == ' ')
3578 {
3579 if (t[-1] == ':') { tt = t; break; }
3580 if (tt == NULL) tt = t;
3581 }
3582 }
3583
3584 if (tt == NULL) /* Can't split behind - try ahead */
3585 {
3586 t = ss + 1;
3587 while (*t != 0)
3588 {
3589 if (*t == ' ' || *t == '\n')
3590 { tt = t; break; }
3591 t++;
3592 }
3593 }
3594
3595 if (tt == NULL) break; /* Can't find anywhere to split */
3596 *tt = '\n';
3597 s = ss = tt+1;
3598 }
3599 }
3600 }
3601
3602return rc;
3603}
3604
38a0a95f
PH		 3605
3606
3607/*************************************************
3608* Create ACL variable *
3609*************************************************/
3610
3611/* Create an ACL variable or reuse an existing one. ACL variables are in a
3612binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3613
3614Argument:
3615 name pointer to the variable's name, starting with c or m
3616
3617Returns the pointer to variable's tree node
3618*/
3619
3620tree_node *
3621acl_var_create(uschar *name)
3622{
3623tree_node *node, **root;
3624root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3625node = tree_search(*root, name);
3626if (node == NULL)
3627 {
3628 node = store_get(sizeof(tree_node) + Ustrlen(name));
3629 Ustrcpy(node->name, name);
3630 (void)tree_insertnode(root, node);
3631 }
3632node->data.ptr = NULL;
3633return node;
3634}
3635
3636
3637
3638/*************************************************
3639* Write an ACL variable in spool format *
3640*************************************************/
3641
3642/* This function is used as a callback for tree_walk when writing variables to
3643the spool file. To retain spool file compatibility, what is written is -aclc or
3644-aclm followed by the rest of the name and the data length, space separated,
3645then the value itself, starting on a new line, and terminated by an additional
3646newline. When we had only numbered ACL variables, the first line might look
3647like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3648acl_cfoo.
3649
3650Arguments:
3651 name of the variable
3652 value of the variable
3653 ctx FILE pointer (as a void pointer)
3654
3655Returns: nothing
3656*/
3657
3658void
3659acl_var_write(uschar *name, uschar *value, void *ctx)
3660{
3661FILE *f = (FILE *)ctx;
3662fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3663}
3664
059ec3d9 3665/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.