projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
${hexquote: expansion operator
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
f9d04f08
JH		 24static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
059ec3d9
PH		 31 US"warn" };
32
4e88a19f
PH		 33/* For each verb, the conditions for which "message" or "log_message" are used
34are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35"accept", the FAIL case is used only after "endpass", but that is selected in
36the code. */
37
38static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
059ec3d9
PH		 47
48/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 49follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
50down. */
059ec3d9 51
71fafd95
PH		 52enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
8523533c
TK		 55#ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57#endif
71fafd95 58 ACLC_CONDITION,
c3611384 59 ACLC_CONTINUE,
71fafd95 60 ACLC_CONTROL,
6a8f9482
TK		 61#ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63#endif
8523533c
TK		 64#ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66#endif
67 ACLC_DELAY,
68#ifdef WITH_OLD_DEMIME
69 ACLC_DEMIME,
fb2274d4 70#endif
80a47a2c
TK		 71#ifndef DISABLE_DKIM
72 ACLC_DKIM_SIGNER,
73 ACLC_DKIM_STATUS,
4840604e
TL		 74#endif
75#ifdef EXPERIMENTAL_DMARC
76 ACLC_DMARC_STATUS,
8e669ac1 77#endif
71fafd95
PH		 78 ACLC_DNSLISTS,
79 ACLC_DOMAINS,
80 ACLC_ENCRYPTED,
81 ACLC_ENDPASS,
82 ACLC_HOSTS,
83 ACLC_LOCAL_PARTS,
84 ACLC_LOG_MESSAGE,
6ea85e9a 85 ACLC_LOG_REJECT_TARGET,
71fafd95 86 ACLC_LOGWRITE,
8523533c
TK		 87#ifdef WITH_CONTENT_SCAN
88 ACLC_MALWARE,
89#endif
90 ACLC_MESSAGE,
91#ifdef WITH_CONTENT_SCAN
92 ACLC_MIME_REGEX,
93#endif
870f6ba8 94 ACLC_RATELIMIT,
8523533c
TK		 95 ACLC_RECIPIENTS,
96#ifdef WITH_CONTENT_SCAN
97 ACLC_REGEX,
98#endif
e7568d51 99 ACLC_REMOVE_HEADER,
71fafd95
PH		 100 ACLC_SENDER_DOMAINS,
101 ACLC_SENDERS,
102 ACLC_SET,
8523533c 103#ifdef WITH_CONTENT_SCAN
8e669ac1 104 ACLC_SPAM,
8523533c
TK		 105#endif
106#ifdef EXPERIMENTAL_SPF
107 ACLC_SPF,
65a7d8c3 108 ACLC_SPF_GUESS,
8523533c
TK		 109#endif
110 ACLC_VERIFY };
059ec3d9 111
c3611384
PH		 112/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
113"message", "log_message", "log_reject_target", "logwrite", and "set" are
114modifiers that look like conditions but always return TRUE. They are used for
115their side effects. */
059ec3d9 116
9a26b6b2
PH		 117static uschar *conditions[] = {
118 US"acl",
71fafd95 119 US"add_header",
9a26b6b2 120 US"authenticated",
8523533c
TK		 121#ifdef EXPERIMENTAL_BRIGHTMAIL
122 US"bmi_optin",
123#endif
124 US"condition",
c3611384 125 US"continue",
8e669ac1 126 US"control",
6a8f9482
TK		 127#ifdef EXPERIMENTAL_DCC
128 US"dcc",
129#endif
8523533c
TK		 130#ifdef WITH_CONTENT_SCAN
131 US"decode",
132#endif
133 US"delay",
134#ifdef WITH_OLD_DEMIME
135 US"demime",
fb2274d4 136#endif
80a47a2c
TK		 137#ifndef DISABLE_DKIM
138 US"dkim_signers",
139 US"dkim_status",
4840604e
TL		 140#endif
141#ifdef EXPERIMENTAL_DMARC
142 US"dmarc_status",
8523533c 143#endif
6ea85e9a
PH		 144 US"dnslists",
145 US"domains",
146 US"encrypted",
147 US"endpass",
148 US"hosts",
149 US"local_parts",
150 US"log_message",
151 US"log_reject_target",
152 US"logwrite",
8523533c
TK		 153#ifdef WITH_CONTENT_SCAN
154 US"malware",
155#endif
156 US"message",
157#ifdef WITH_CONTENT_SCAN
158 US"mime_regex",
159#endif
870f6ba8 160 US"ratelimit",
8523533c
TK		 161 US"recipients",
162#ifdef WITH_CONTENT_SCAN
163 US"regex",
164#endif
e7568d51 165 US"remove_header",
8523533c
TK		 166 US"sender_domains", US"senders", US"set",
167#ifdef WITH_CONTENT_SCAN
168 US"spam",
169#endif
170#ifdef EXPERIMENTAL_SPF
171 US"spf",
65a7d8c3 172 US"spf_guess",
8523533c 173#endif
059ec3d9 174 US"verify" };
8e669ac1 175
c5fcb476 176
9a26b6b2
PH		 177/* Return values from decode_control(); keep in step with the table of names
178that follows! */
179
180enum {
c46782ef
PH		 181 CONTROL_AUTH_UNADVERTISED,
182 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 183 CONTROL_BMI_RUN,
c46782ef 184 #endif
ed7f7860 185 CONTROL_DEBUG,
80a47a2c 186 #ifndef DISABLE_DKIM
f7572e5a
TK		 187 CONTROL_DKIM_VERIFY,
188 #endif
4840604e
TL		 189 #ifdef EXPERIMENTAL_DMARC
190 CONTROL_DMARC_VERIFY,
191 CONTROL_DMARC_FORENSIC,
192 #endif
13363eba 193 CONTROL_DSCP,
c46782ef
PH		 194 CONTROL_ERROR,
195 CONTROL_CASEFUL_LOCAL_PART,
196 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 197 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 198 CONTROL_ENFORCE_SYNC,
199 CONTROL_NO_ENFORCE_SYNC,
200 CONTROL_FREEZE,
201 CONTROL_QUEUE_ONLY,
202 CONTROL_SUBMISSION,
203 CONTROL_SUPPRESS_LOCAL_FIXUPS,
204 #ifdef WITH_CONTENT_SCAN
9a26b6b2 205 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 206 #endif
207 CONTROL_FAKEDEFER,
208 CONTROL_FAKEREJECT,
cf8b11a5 209 CONTROL_NO_MULTILINE,
047bdd8c 210 CONTROL_NO_PIPELINING,
4c590bd1
PH		 211 CONTROL_NO_DELAY_FLUSH,
212 CONTROL_NO_CALLOUT_FLUSH
c46782ef 213};
9a26b6b2 214
8800895a
PH		 215/* ACL control names; keep in step with the table above! This list is used for
216turning ids into names. The actual list of recognized names is in the variable
217control_def controls_list[] below. The fact that there are two lists is a mess
218and should be tidied up. */
9a26b6b2
PH		 219
220static uschar *controls[] = {
c46782ef 221 US"allow_auth_unadvertised",
9a26b6b2
PH		 222 #ifdef EXPERIMENTAL_BRIGHTMAIL
223 US"bmi_run",
224 #endif
ed7f7860 225 US"debug",
80a47a2c
TK		 226 #ifndef DISABLE_DKIM
227 US"dkim_disable_verify",
f7572e5a 228 #endif
4840604e
TL		 229 #ifdef EXPERIMENTAL_DMARC
230 US"dmarc_disable_verify",
231 US"dmarc_enable_forensic",
232 #endif
13363eba 233 US"dscp",
c46782ef
PH		 234 US"error",
235 US"caseful_local_part",
236 US"caselower_local_part",
e4bdf652 237 US"cutthrough_delivery",
c46782ef
PH		 238 US"enforce_sync",
239 US"no_enforce_sync",
240 US"freeze",
241 US"queue_only",
242 US"submission",
243 US"suppress_local_fixups",
9a26b6b2
PH		 244 #ifdef WITH_CONTENT_SCAN
245 US"no_mbox_unspool",
246 #endif
cf8b11a5
PH		 247 US"fakedefer",
248 US"fakereject",
aa6dc513 249 US"no_multiline_responses",
cf8b11a5 250 US"no_pipelining",
4c590bd1
PH		 251 US"no_delay_flush",
252 US"no_callout_flush"
c46782ef 253};
059ec3d9 254
047bdd8c 255/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 256at the outer level. In the other cases, expansion already occurs in the
257checking functions. */
258
259static uschar cond_expand_at_top[] = {
7421ecab 260 FALSE, /* acl */
3e536984 261 TRUE, /* add_header */
059ec3d9 262 FALSE, /* authenticated */
8523533c
TK		 263#ifdef EXPERIMENTAL_BRIGHTMAIL
264 TRUE, /* bmi_optin */
8e669ac1 265#endif
059ec3d9 266 TRUE, /* condition */
c3611384 267 TRUE, /* continue */
059ec3d9 268 TRUE, /* control */
6a8f9482
TK		 269#ifdef EXPERIMENTAL_DCC
270 TRUE, /* dcc */
271#endif
8523533c
TK		 272#ifdef WITH_CONTENT_SCAN
273 TRUE, /* decode */
274#endif
059ec3d9 275 TRUE, /* delay */
8523533c
TK		 276#ifdef WITH_OLD_DEMIME
277 TRUE, /* demime */
fb2274d4 278#endif
80a47a2c
TK		 279#ifndef DISABLE_DKIM
280 TRUE, /* dkim_signers */
281 TRUE, /* dkim_status */
4840604e
TL		 282#endif
283#ifdef EXPERIMENTAL_DMARC
284 TRUE, /* dmarc_status */
8523533c 285#endif
059ec3d9
PH		 286 TRUE, /* dnslists */
287 FALSE, /* domains */
288 FALSE, /* encrypted */
289 TRUE, /* endpass */
290 FALSE, /* hosts */
291 FALSE, /* local_parts */
292 TRUE, /* log_message */
6ea85e9a 293 TRUE, /* log_reject_target */
059ec3d9 294 TRUE, /* logwrite */
8523533c
TK		 295#ifdef WITH_CONTENT_SCAN
296 TRUE, /* malware */
297#endif
059ec3d9 298 TRUE, /* message */
8523533c
TK		 299#ifdef WITH_CONTENT_SCAN
300 TRUE, /* mime_regex */
301#endif
870f6ba8 302 TRUE, /* ratelimit */
059ec3d9 303 FALSE, /* recipients */
8523533c
TK		 304#ifdef WITH_CONTENT_SCAN
305 TRUE, /* regex */
306#endif
e7568d51 307 TRUE, /* remove_header */
059ec3d9
PH		 308 FALSE, /* sender_domains */
309 FALSE, /* senders */
310 TRUE, /* set */
8523533c
TK		 311#ifdef WITH_CONTENT_SCAN
312 TRUE, /* spam */
313#endif
314#ifdef EXPERIMENTAL_SPF
315 TRUE, /* spf */
65a7d8c3 316 TRUE, /* spf_guess */
8523533c 317#endif
059ec3d9
PH		 318 TRUE /* verify */
319};
320
321/* Flags to identify the modifiers */
322
323static uschar cond_modifiers[] = {
324 FALSE, /* acl */
3e536984 325 TRUE, /* add_header */
059ec3d9 326 FALSE, /* authenticated */
8523533c
TK		 327#ifdef EXPERIMENTAL_BRIGHTMAIL
328 TRUE, /* bmi_optin */
8e669ac1 329#endif
059ec3d9 330 FALSE, /* condition */
c3611384 331 TRUE, /* continue */
059ec3d9 332 TRUE, /* control */
6a8f9482
TK		 333#ifdef EXPERIMENTAL_DCC
334 FALSE, /* dcc */
335#endif
8523533c
TK		 336#ifdef WITH_CONTENT_SCAN
337 FALSE, /* decode */
338#endif
059ec3d9 339 TRUE, /* delay */
8523533c
TK		 340#ifdef WITH_OLD_DEMIME
341 FALSE, /* demime */
fb2274d4 342#endif
80a47a2c
TK		 343#ifndef DISABLE_DKIM
344 FALSE, /* dkim_signers */
345 FALSE, /* dkim_status */
4840604e
TL		 346#endif
347#ifdef EXPERIMENTAL_DMARC
348 FALSE, /* dmarc_status */
8523533c 349#endif
059ec3d9
PH		 350 FALSE, /* dnslists */
351 FALSE, /* domains */
352 FALSE, /* encrypted */
353 TRUE, /* endpass */
354 FALSE, /* hosts */
355 FALSE, /* local_parts */
356 TRUE, /* log_message */
6ea85e9a 357 TRUE, /* log_reject_target */
8523533c
TK		 358 TRUE, /* logwrite */
359#ifdef WITH_CONTENT_SCAN
360 FALSE, /* malware */
361#endif
059ec3d9 362 TRUE, /* message */
8523533c
TK		 363#ifdef WITH_CONTENT_SCAN
364 FALSE, /* mime_regex */
365#endif
870f6ba8 366 FALSE, /* ratelimit */
059ec3d9 367 FALSE, /* recipients */
8523533c
TK		 368#ifdef WITH_CONTENT_SCAN
369 FALSE, /* regex */
370#endif
e7568d51 371 TRUE, /* remove_header */
059ec3d9
PH		 372 FALSE, /* sender_domains */
373 FALSE, /* senders */
374 TRUE, /* set */
8523533c
TK		 375#ifdef WITH_CONTENT_SCAN
376 FALSE, /* spam */
377#endif
378#ifdef EXPERIMENTAL_SPF
379 FALSE, /* spf */
65a7d8c3 380 FALSE, /* spf_guess */
8523533c 381#endif
059ec3d9
PH		 382 FALSE /* verify */
383};
384
c3611384 385/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 386times. For each condition and modifier, there's a bitmap of dis-allowed times.
387For some, it is easier to specify the negation of a small number of allowed
388times. */
059ec3d9
PH		 389
390static unsigned int cond_forbids[] = {
391 0, /* acl */
8e669ac1 392
71fafd95 393 (unsigned int)
45b91596 394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 396 #ifdef EXPERIMENTAL_PRDR
397 (1<<ACL_WHERE_PRDR)|
398 #endif
45b91596 399 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 400 (1<<ACL_WHERE_DKIM)|
45b91596 401 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 402
45b91596
PH		 403 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
404 (1<<ACL_WHERE_NOTSMTP_START)|
405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 406
71fafd95 407 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 408 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 409 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
410 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
fd98a5c6
JH		 411 #ifdef EXPERIMENTAL_PRDR
412 (1<<ACL_WHERE_PRDR)|
413 #endif
8e669ac1 414 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 415 (1<<ACL_WHERE_MAILAUTH)|
416 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 417 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
418 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 419 #endif
8e669ac1 420
059ec3d9 421 0, /* condition */
8e669ac1 422
c3611384
PH		 423 0, /* continue */
424
059ec3d9 425 /* Certain types of control are always allowed, so we let it through
2f079f46 426 always and check in the control processing itself. */
8e669ac1 427
059ec3d9 428 0, /* control */
8e669ac1 429
6a8f9482
TK		 430 #ifdef EXPERIMENTAL_DCC
431 (unsigned int)
fd98a5c6
JH		 432 ~((1<<ACL_WHERE_DATA)| /* dcc */
433 #ifdef EXPERIMENTAL_PRDR
434 (1<<ACL_WHERE_PRDR)|
435 #endif /* EXPERIMENTAL_PRDR */
436 (1<<ACL_WHERE_NOTSMTP)),
6a8f9482
TK		 437 #endif
438
71fafd95 439 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 440 (unsigned int)
441 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 442 #endif
8523533c 443
8f128379 444 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 445
71fafd95 446 #ifdef WITH_OLD_DEMIME
2f079f46 447 (unsigned int)
fd98a5c6
JH		 448 ~((1<<ACL_WHERE_DATA)| /* demime */
449 #ifdef EXPERIMENTAL_PRDR
450 (1<<ACL_WHERE_PRDR)|
451 #endif /* EXPERIMENTAL_PRDR */
452 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 453 #endif
8e669ac1 454
80a47a2c
TK		 455 #ifndef DISABLE_DKIM
456 (unsigned int)
457 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 458
80a47a2c
TK		 459 (unsigned int)
460 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 461 #endif
fb2274d4 462
4840604e
TL		 463 #ifdef EXPERIMENTAL_DMARC
464 (unsigned int)
465 ~(1<<ACL_WHERE_DATA), /* dmarc_status */
466 #endif
467
45b91596
PH		 468 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
469 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 470
2f079f46 471 (unsigned int)
fd98a5c6
JH		 472 ~((1<<ACL_WHERE_RCPT) /* domains */
473 #ifdef EXPERIMENTAL_PRDR
474 |(1<<ACL_WHERE_PRDR)
475 #endif
476 ),
059ec3d9 477
45b91596
PH		 478 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
479 (1<<ACL_WHERE_CONNECT)|
480 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 481 (1<<ACL_WHERE_HELO),
8e669ac1 482
059ec3d9 483 0, /* endpass */
8e669ac1 484
45b91596
PH		 485 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
486 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 487
2f079f46 488 (unsigned int)
fd98a5c6
JH		 489 ~((1<<ACL_WHERE_RCPT) /* local_parts */
490 #ifdef EXPERIMENTAL_PRDR
491 |(1<<ACL_WHERE_PRDR)
492 #endif
493 ),
059ec3d9
PH		 494
495 0, /* log_message */
8e669ac1 496
6ea85e9a
PH		 497 0, /* log_reject_target */
498
059ec3d9 499 0, /* logwrite */
8e669ac1 500
71fafd95 501 #ifdef WITH_CONTENT_SCAN
2f079f46 502 (unsigned int)
fd98a5c6
JH		 503 ~((1<<ACL_WHERE_DATA)| /* malware */
504 #ifdef EXPERIMENTAL_PRDR
505 (1<<ACL_WHERE_PRDR)|
506 #endif /* EXPERIMENTAL_PRDR */
507 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 508 #endif
8523533c 509
059ec3d9
PH		 510 0, /* message */
511
71fafd95 512 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 513 (unsigned int)
514 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 515 #endif
8523533c 516
870f6ba8
TF		 517 0, /* ratelimit */
518
2f079f46
PH		 519 (unsigned int)
520 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 521
71fafd95 522 #ifdef WITH_CONTENT_SCAN
2f079f46 523 (unsigned int)
fd98a5c6
JH		 524 ~((1<<ACL_WHERE_DATA)| /* regex */
525 #ifdef EXPERIMENTAL_PRDR
526 (1<<ACL_WHERE_PRDR)|
527 #endif /* EXPERIMENTAL_PRDR */
528 (1<<ACL_WHERE_NOTSMTP)|
2f079f46 529 (1<<ACL_WHERE_MIME)),
71fafd95 530 #endif
8523533c 531
e7568d51
TL		 532 (unsigned int)
533 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
534 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 535 #ifdef EXPERIMENTAL_PRDR
536 (1<<ACL_WHERE_PRDR)|
537 #endif
e7568d51
TL		 538 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
539 (1<<ACL_WHERE_NOTSMTP_START)),
540
059ec3d9
PH		 541 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
542 (1<<ACL_WHERE_HELO)|
543 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
544 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
545 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
546
547 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
548 (1<<ACL_WHERE_HELO)|
549 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
550 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
551 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
552
553 0, /* set */
554
71fafd95 555 #ifdef WITH_CONTENT_SCAN
2f079f46 556 (unsigned int)
fd98a5c6
JH		 557 ~((1<<ACL_WHERE_DATA)| /* spam */
558 #ifdef EXPERIMENTAL_PRDR
559 (1<<ACL_WHERE_PRDR)|
560 #endif /* EXPERIMENTAL_PRDR */
561 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 562 #endif
8523533c 563
71fafd95 564 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 565 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
566 (1<<ACL_WHERE_HELO)|
567 (1<<ACL_WHERE_MAILAUTH)|
568 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 569 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
570 (1<<ACL_WHERE_NOTSMTP)|
571 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 572
573 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
574 (1<<ACL_WHERE_HELO)|
575 (1<<ACL_WHERE_MAILAUTH)|
576 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
577 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
578 (1<<ACL_WHERE_NOTSMTP)|
579 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 580 #endif
8523533c 581
059ec3d9
PH		 582 /* Certain types of verify are always allowed, so we let it through
583 always and check in the verify function itself */
584
585 0 /* verify */
059ec3d9
PH		 586};
587
588
c5fcb476
PH		 589/* Bit map vector of which controls are not allowed at certain times. For
590each control, there's a bitmap of dis-allowed times. For some, it is easier to
591specify the negation of a small number of allowed times. */
592
593static unsigned int control_forbids[] = {
c46782ef
PH		 594 (unsigned int)
595 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
596
597 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 598 0, /* bmi_run */
c46782ef
PH		 599 #endif
600
ed7f7860
PP		 601 0, /* debug */
602
80a47a2c
TK		 603 #ifndef DISABLE_DKIM
604 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
fd98a5c6
JH		 605 #ifdef EXPERIMENTAL_PRDR
606 (1<<ACL_WHERE_PRDR)|
607 #endif /* EXPERIMENTAL_PRDR */
f7572e5a
TK		 608 (1<<ACL_WHERE_NOTSMTP_START),
609 #endif
610
4840604e
TL		 611 #ifdef EXPERIMENTAL_DMARC
612 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_disable_verify */
613 (1<<ACL_WHERE_NOTSMTP_START),
614 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dmarc_enable_forensic */
615 (1<<ACL_WHERE_NOTSMTP_START),
616 #endif
617
13363eba
PP		 618 (1<<ACL_WHERE_NOTSMTP)|
619 (1<<ACL_WHERE_NOTSMTP_START)|
620 (1<<ACL_WHERE_NOTQUIT), /* dscp */
621
c5fcb476 622 0, /* error */
8e669ac1
PH		 623
624 (unsigned int)
c5fcb476 625 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 626
627 (unsigned int)
c5fcb476 628 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 629
e4bdf652
JH		 630 (unsigned int)
631 0, /* cutthrough_delivery */
632
45b91596
PH		 633 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
634 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 635
45b91596
PH		 636 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
637 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 638
639 (unsigned int)
c5fcb476
PH		 640 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
641 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 642 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 643 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 644
645 (unsigned int)
c5fcb476
PH		 646 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
647 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 648 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 649 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 650
651 (unsigned int)
c5fcb476 652 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 653 (1<<ACL_WHERE_PREDATA)),
8523533c 654
8800895a
PH		 655 (unsigned int)
656 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 657 (1<<ACL_WHERE_PREDATA)|
658 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 659
c46782ef 660 #ifdef WITH_CONTENT_SCAN
8e669ac1 661 (unsigned int)
14d57970 662 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22 663 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 664 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 665 (1<<ACL_WHERE_MIME)),
c46782ef 666 #endif
a6c4ab60 667
29aba418
TF		 668 (unsigned int)
669 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
670 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 671 #ifdef EXPERIMENTAL_PRDR
672 (1<<ACL_WHERE_PRDR)|
673 #endif /* EXPERIMENTAL_PRDR */
29aba418
TF		 674 (1<<ACL_WHERE_MIME)),
675
8e669ac1 676 (unsigned int)
a6c4ab60 677 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22 678 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 679 #ifdef EXPERIMENTAL_PRDR
680 (1<<ACL_WHERE_PRDR)|
681 #endif /* EXPERIMENTAL_PRDR */
e715ad22 682 (1<<ACL_WHERE_MIME)),
8523533c 683
45b91596 684 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 685 (1<<ACL_WHERE_NOTSMTP_START),
686
687 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 688 (1<<ACL_WHERE_NOTSMTP_START),
689
690 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 691 (1<<ACL_WHERE_NOTSMTP_START),
692
693 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 694 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 695};
696
697/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 698
699typedef struct control_def {
700 uschar *name;
701 int value; /* CONTROL_xxx value */
059ec3d9
PH		 702 BOOL has_option; /* Has /option(s) following */
703} control_def;
704
705static control_def controls_list[] = {
c46782ef 706 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 707#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 708 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 709#endif
ed7f7860 710 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 711#ifndef DISABLE_DKIM
712 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
4840604e
TL		 713#endif
714#ifdef EXPERIMENTAL_DMARC
715 { US"dmarc_disable_verify", CONTROL_DMARC_VERIFY, FALSE },
716 { US"dmarc_enable_forensic", CONTROL_DMARC_FORENSIC, FALSE },
8523533c 717#endif
13363eba 718 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 719 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
720 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
721 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
722 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 723 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 724 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 725 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
726 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 727 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 728 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 729#ifdef WITH_CONTENT_SCAN
c46782ef 730 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 731#endif
c46782ef
PH		 732 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
733 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
734 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH		 735 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
736 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH		 737 };
738
e5a9dba6
PH		 739/* Support data structures for Client SMTP Authorization. acl_verify_csa()
740caches its result in a tree to avoid repeated DNS queries. The result is an
741integer code which is used as an index into the following tables of
742explanatory strings and verification return codes. */
743
744static tree_node *csa_cache = NULL;
745
746enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
747 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
748
749/* The acl_verify_csa() return code is translated into an acl_verify() return
750code using the following table. It is OK unless the client is definitely not
751authorized. This is because CSA is supposed to be optional for sending sites,
752so recipients should not be too strict about checking it - especially because
753DNS problems are quite likely to occur. It's possible to use $csa_status in
754further ACL conditions to distinguish ok, unknown, and defer if required, but
755the aim is to make the usual configuration simple. */
756
757static int csa_return_code[] = {
758 OK, OK, OK, OK,
759 FAIL, FAIL, FAIL, FAIL
760};
761
762static uschar *csa_status_string[] = {
763 US"unknown", US"ok", US"defer", US"defer",
764 US"fail", US"fail", US"fail", US"fail"
765};
766
767static uschar *csa_reason_string[] = {
768 US"unknown",
769 US"ok",
770 US"deferred (SRV lookup failed)",
771 US"deferred (target address lookup failed)",
772 US"failed (explicit authorization required)",
773 US"failed (host name not authorized)",
774 US"failed (no authorized addresses)",
775 US"failed (client address mismatch)"
776};
777
c99ce5c9
TF		 778/* Options for the ratelimit condition. Note that there are two variants of
779the per_rcpt option, depending on the ACL that is used to measure the rate.
780However any ACL must be able to look up per_rcpt rates in /noupdate mode,
781so the two variants must have the same internal representation as well as
782the same configuration string. */
783
784enum {
785 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
786 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
787};
788
789#define RATE_SET(var,new) \
790 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
791
792static uschar *ratelimit_option_string[] = {
793 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
794 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
795};
796
059ec3d9
PH		 797/* Enable recursion between acl_check_internal() and acl_check_condition() */
798
f60d98e8
JH		 799static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
800 uschar **);
059ec3d9
PH		 801
802
803/*************************************************
804* Pick out name from list *
805*************************************************/
806
807/* Use a binary chop method
808
809Arguments:
810 name name to find
811 list list of names
812 end size of list
813
814Returns: offset in list, or -1 if not found
815*/
816
817static int
818acl_checkname(uschar *name, uschar **list, int end)
819{
820int start = 0;
821
822while (start < end)
823 {
824 int mid = (start + end)/2;
825 int c = Ustrcmp(name, list[mid]);
826 if (c == 0) return mid;
827 if (c < 0) end = mid; else start = mid + 1;
828 }
829
830return -1;
831}
832
833
834/*************************************************
835* Read and parse one ACL *
836*************************************************/
837
838/* This function is called both from readconf in order to parse the ACLs in the
839configuration file, and also when an ACL is encountered dynamically (e.g. as
840the result of an expansion). It is given a function to call in order to
841retrieve the lines of the ACL. This function handles skipping comments and
842blank lines (where relevant).
843
844Arguments:
845 func function to get next line of ACL
846 error where to put an error message
847
848Returns: pointer to ACL, or NULL
849 NULL can be legal (empty ACL); in this case error will be NULL
850*/
851
852acl_block *
853acl_read(uschar *(*func)(void), uschar **error)
854{
855acl_block *yield = NULL;
856acl_block **lastp = &yield;
857acl_block *this = NULL;
858acl_condition_block *cond;
859acl_condition_block **condp = NULL;
860uschar *s;
861
862*error = NULL;
863
864while ((s = (*func)()) != NULL)
865 {
866 int v, c;
867 BOOL negated = FALSE;
868 uschar *saveline = s;
869 uschar name[64];
870
871 /* Conditions (but not verbs) are allowed to be negated by an initial
872 exclamation mark. */
873
874 while (isspace(*s)) s++;
875 if (*s == '!')
876 {
877 negated = TRUE;
878 s++;
879 }
880
cf00dad6
PH		 881 /* Read the name of a verb or a condition, or the start of a new ACL, which
882 can be started by a name, or by a macro definition. */
059ec3d9
PH		 883
884 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 885 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 886
887 /* If a verb is unrecognized, it may be another condition or modifier that
888 continues the previous verb. */
889
890 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
891 if (v < 0)
892 {
893 if (this == NULL)
894 {
4e167a8c
PH		 895 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
896 saveline);
059ec3d9
PH		 897 return NULL;
898 }
899 }
900
901 /* New verb */
902
903 else
904 {
905 if (negated)
906 {
907 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
908 return NULL;
909 }
910 this = store_get(sizeof(acl_block));
911 *lastp = this;
912 lastp = &(this->next);
913 this->next = NULL;
914 this->verb = v;
915 this->condition = NULL;
916 condp = &(this->condition);
917 if (*s == 0) continue; /* No condition on this line */
918 if (*s == '!')
919 {
920 negated = TRUE;
921 s++;
922 }
923 s = readconf_readname(name, sizeof(name), s); /* Condition name */
924 }
925
926 /* Handle a condition or modifier. */
927
928 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
929 if (c < 0)
930 {
931 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
932 saveline);
933 return NULL;
934 }
935
936 /* The modifiers may not be negated */
937
938 if (negated && cond_modifiers[c])
939 {
940 *error = string_sprintf("ACL error: negation is not allowed with "
941 "\"%s\"", conditions[c]);
942 return NULL;
943 }
944
945 /* ENDPASS may occur only with ACCEPT or DISCARD. */
946
947 if (c == ACLC_ENDPASS &&
948 this->verb != ACL_ACCEPT &&
949 this->verb != ACL_DISCARD)
950 {
951 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
952 conditions[c], verbs[this->verb]);
953 return NULL;
954 }
955
956 cond = store_get(sizeof(acl_condition_block));
957 cond->next = NULL;
958 cond->type = c;
959 cond->u.negated = negated;
960
961 *condp = cond;
962 condp = &(cond->next);
963
964 /* The "set" modifier is different in that its argument is "name=value"
965 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 966 gives us a variable name to insert into the data block. The original ACL
967 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
968 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 969 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
970 After that, we allow alphanumerics and underscores, but the first character
971 after c or m must be a digit or an underscore. This retains backwards
972 compatibility. */
059ec3d9
PH		 973
974 if (c == ACLC_SET)
975 {
47ca6d6c
PH		 976 uschar *endptr;
977
38a0a95f
PH		 978 if (Ustrncmp(s, "acl_c", 5) != 0 &&
979 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 980 {
38a0a95f
PH		 981 *error = string_sprintf("invalid variable name after \"set\" in ACL "
982 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
983 return NULL;
47ca6d6c 984 }
38a0a95f
PH		 985
986 endptr = s + 5;
641cb756
PH		 987 if (!isdigit(*endptr) && *endptr != '_')
988 {
989 *error = string_sprintf("invalid variable name after \"set\" in ACL "
990 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
991 s);
992 return NULL;
993 }
994
38a0a95f 995 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 996 {
38a0a95f
PH		 997 if (!isalnum(*endptr) && *endptr != '_')
998 {
999 *error = string_sprintf("invalid character \"%c\" in variable name "
1000 "in ACL modifier \"set %s\"", *endptr, s);
1001 return NULL;
1002 }
1003 endptr++;
47ca6d6c 1004 }
47ca6d6c 1005
38a0a95f 1006 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 1007 s = endptr;
059ec3d9
PH		 1008 while (isspace(*s)) s++;
1009 }
1010
1011 /* For "set", we are now positioned for the data. For the others, only
1012 "endpass" has no data */
1013
1014 if (c != ACLC_ENDPASS)
1015 {
1016 if (*s++ != '=')
1017 {
1018 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
1019 cond_modifiers[c]? US"modifier" : US"condition");
1020 return NULL;
1021 }
1022 while (isspace(*s)) s++;
1023 cond->arg = string_copy(s);
1024 }
1025 }
1026
1027return yield;
1028}
1029
1030
1031
71fafd95
PH		 1032/*************************************************
1033* Set up added header line(s) *
1034*************************************************/
1035
1036/* This function is called by the add_header modifier, and also from acl_warn()
1037to implement the now-deprecated way of adding header lines using "message" on a
1038"warn" verb. The argument is treated as a sequence of header lines which are
1039added to a chain, provided there isn't an identical one already there.
1040
1041Argument: string of header lines
1042Returns: nothing
1043*/
1044
1045static void
1046setup_header(uschar *hstring)
1047{
1048uschar *p, *q;
1049int hlen = Ustrlen(hstring);
1050
b1b05573
JH		 1051/* Ignore any leading newlines */
1052while (*hstring == '\n') hstring++, hlen--;
71fafd95 1053
b1b05573 1054/* An empty string does nothing; ensure exactly one final newline. */
71fafd95 1055if (hlen <= 0) return;
b1b05573
JH		 1056if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1057else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
71fafd95
PH		 1058
1059/* Loop for multiple header lines, taking care about continuations */
1060
1061for (p = q = hstring; *p != 0; )
1062 {
1063 uschar *s;
1064 int newtype = htype_add_bot;
1065 header_line **hptr = &acl_added_headers;
1066
1067 /* Find next header line within the string */
1068
1069 for (;;)
1070 {
1071 q = Ustrchr(q, '\n');
1072 if (*(++q) != ' ' && *q != '\t') break;
1073 }
1074
1075 /* If the line starts with a colon, interpret the instruction for where to
1076 add it. This temporarily sets up a new type. */
1077
1078 if (*p == ':')
1079 {
1080 if (strncmpic(p, US":after_received:", 16) == 0)
1081 {
1082 newtype = htype_add_rec;
1083 p += 16;
1084 }
1085 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1086 {
1087 newtype = htype_add_rfc;
1088 p += 14;
1089 }
1090 else if (strncmpic(p, US":at_start:", 10) == 0)
1091 {
1092 newtype = htype_add_top;
1093 p += 10;
1094 }
1095 else if (strncmpic(p, US":at_end:", 8) == 0)
1096 {
1097 newtype = htype_add_bot;
1098 p += 8;
1099 }
1100 while (*p == ' ' || *p == '\t') p++;
1101 }
1102
1103 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1104 to the front of it. */
1105
1106 for (s = p; s < q - 1; s++)
1107 {
1108 if (*s == ':' || !isgraph(*s)) break;
1109 }
1110
438257ba 1111 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1112 hlen = Ustrlen(s);
1113
1114 /* See if this line has already been added */
1115
1116 while (*hptr != NULL)
1117 {
1118 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1119 hptr = &((*hptr)->next);
1120 }
1121
1122 /* Add if not previously present */
1123
1124 if (*hptr == NULL)
1125 {
1126 header_line *h = store_get(sizeof(header_line));
1127 h->text = s;
1128 h->next = NULL;
1129 h->type = newtype;
1130 h->slen = hlen;
1131 *hptr = h;
1132 hptr = &(h->next);
1133 }
1134
1135 /* Advance for next header line within the string */
1136
1137 p = q;
1138 }
1139}
1140
1141
1142
362145b5
JH		 1143/*************************************************
1144* List the added header lines *
1145*************************************************/
1146uschar *
1147fn_hdrs_added(void)
1148{
1149uschar * ret = NULL;
1150header_line * h = acl_added_headers;
1151uschar * s;
1152uschar * cp;
1153int size = 0;
1154int ptr = 0;
1155
1156if (!h) return NULL;
1157
1158do
1159 {
1160 s = h->text;
1161 while ((cp = Ustrchr(s, '\n')) != NULL)
1162 {
1163 if (cp[1] == '\0') break;
1164
1165 /* contains embedded newline; needs doubling */
1166 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
6d9cfc47 1167 ret = string_cat(ret, &size, &ptr, US"\n", 1);
362145b5
JH		 1168 s = cp+1;
1169 }
1170 /* last bit of header */
1171
1172 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1173 }
6d9cfc47 1174while((h = h->next));
362145b5
JH		 1175
1176ret[ptr-1] = '\0'; /* overwrite last newline */
1177return ret;
1178}
1179
1180
e7568d51
TL		 1181/*************************************************
1182* Set up removed header line(s) *
1183*************************************************/
1184
1185/* This function is called by the remove_header modifier. The argument is
1186treated as a sequence of header names which are added to a colon separated
1187list, provided there isn't an identical one already there.
1188
1189Argument: string of header names
1190Returns: nothing
1191*/
1192
1193static void
1194setup_remove_header(uschar *hnames)
1195{
1196if (*hnames != 0)
1197 {
1198 if (acl_removed_headers == NULL)
1199 acl_removed_headers = hnames;
1200 else
1201 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1202 }
1203}
1204
1205
71fafd95 1206
059ec3d9
PH		 1207/*************************************************
1208* Handle warnings *
1209*************************************************/
1210
1211/* This function is called when a WARN verb's conditions are true. It adds to
1212the message's headers, and/or writes information to the log. In each case, this
1213only happens once (per message for headers, per connection for log).
1214
71fafd95
PH		 1215** NOTE: The header adding action using the "message" setting is historic, and
1216its use is now deprecated. The new add_header modifier should be used instead.
1217
059ec3d9
PH		 1218Arguments:
1219 where ACL_WHERE_xxxx indicating which ACL this is
1220 user_message message for adding to headers
1221 log_message message for logging, if different
1222
1223Returns: nothing
1224*/
1225
1226static void
1227acl_warn(int where, uschar *user_message, uschar *log_message)
1228{
059ec3d9
PH		 1229if (log_message != NULL && log_message != user_message)
1230 {
1231 uschar *text;
1232 string_item *logged;
1233
1234 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1235 string_printing(log_message));
1236
1237 /* If a sender verification has failed, and the log message is "sender verify
1238 failed", add the failure message. */
1239
1240 if (sender_verified_failed != NULL &&
1241 sender_verified_failed->message != NULL &&
1242 strcmpic(log_message, US"sender verify failed") == 0)
1243 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1244
9c7a242c
PH		 1245 /* Search previously logged warnings. They are kept in malloc
1246 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1247
1248 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1249 if (Ustrcmp(logged->text, text) == 0) break;
1250
1251 if (logged == NULL)
1252 {
1253 int length = Ustrlen(text) + 1;
1254 log_write(0, LOG_MAIN, "%s", text);
1255 logged = store_malloc(sizeof(string_item) + length);
1256 logged->text = (uschar *)logged + sizeof(string_item);
1257 memcpy(logged->text, text, length);
1258 logged->next = acl_warn_logged;
1259 acl_warn_logged = logged;
1260 }
1261 }
1262
1263/* If there's no user message, we are done. */
1264
1265if (user_message == NULL) return;
1266
1267/* If this isn't a message ACL, we can't do anything with a user message.
1268Log an error. */
1269
1270if (where > ACL_WHERE_NOTSMTP)
1271 {
1272 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1273 "found in a non-message (%s) ACL: cannot specify header lines here: "
1274 "message ignored", acl_wherenames[where]);
1275 return;
1276 }
1277
71fafd95
PH		 1278/* The code for setting up header lines is now abstracted into a separate
1279function so that it can be used for the add_header modifier as well. */
059ec3d9 1280
71fafd95 1281setup_header(user_message);
059ec3d9
PH		 1282}
1283
1284
1285
1286/*************************************************
1287* Verify and check reverse DNS *
1288*************************************************/
1289
1290/* Called from acl_verify() below. We look up the host name(s) of the client IP
1291address if this has not yet been done. The host_name_lookup() function checks
1292that one of these names resolves to an address list that contains the client IP
1293address, so we don't actually have to do the check here.
1294
1295Arguments:
1296 user_msgptr pointer for user message
1297 log_msgptr pointer for log message
1298
1299Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1302*/
1303
1304static int
1305acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1306{
1307int rc;
1308
1309user_msgptr = user_msgptr; /* stop compiler warning */
1310
1311/* Previous success */
1312
1313if (sender_host_name != NULL) return OK;
1314
1315/* Previous failure */
1316
1317if (host_lookup_failed)
1318 {
1319 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1320 return FAIL;
1321 }
1322
1323/* Need to do a lookup */
1324
1325HDEBUG(D_acl)
1326 debug_printf("looking up host name to force name/address consistency check\n");
1327
1328if ((rc = host_name_lookup()) != OK)
1329 {
1330 *log_msgptr = (rc == DEFER)?
1331 US"host lookup deferred for reverse lookup check"
1332 :
1333 string_sprintf("host lookup failed for reverse lookup check%s",
1334 host_lookup_msg);
1335 return rc; /* DEFER or FAIL */
1336 }
1337
1338host_build_sender_fullhost();
1339return OK;
1340}
1341
1342
1343
e5a9dba6
PH		 1344/*************************************************
1345* Check client IP address matches CSA target *
1346*************************************************/
1347
1348/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1349response for address records belonging to the CSA target hostname. The section
1350is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1351If one of the addresses matches the client's IP address, then the client is
1352authorized by CSA. If there are target IP addresses but none of them match
1353then the client is using an unauthorized IP address. If there are no target IP
1354addresses then the client cannot be using an authorized IP address. (This is
1355an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1356
1357Arguments:
1358 dnsa the DNS answer block
1359 dnss a DNS scan block for us to use
1360 reset option specifing what portion to scan, as described above
1361 target the target hostname to use for matching RR names
1362
1363Returns: CSA_OK successfully authorized
1364 CSA_FAIL_MISMATCH addresses found but none matched
1365 CSA_FAIL_NOADDR no target addresses found
1366*/
1367
1368static int
1369acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1370 uschar *target)
1371{
1372dns_record *rr;
1373dns_address *da;
1374
1375BOOL target_found = FALSE;
1376
1377for (rr = dns_next_rr(dnsa, dnss, reset);
1378 rr != NULL;
1379 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1380 {
1381 /* Check this is an address RR for the target hostname. */
1382
1383 if (rr->type != T_A
1384 #if HAVE_IPV6
1385 && rr->type != T_AAAA
1386 #ifdef SUPPORT_A6
1387 && rr->type != T_A6
1388 #endif
1389 #endif
1390 ) continue;
1391
1392 if (strcmpic(target, rr->name) != 0) continue;
1393
1394 target_found = TRUE;
1395
1396 /* Turn the target address RR into a list of textual IP addresses and scan
1397 the list. There may be more than one if it is an A6 RR. */
1398
1399 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1400 {
1401 /* If the client IP address matches the target IP address, it's good! */
1402
1403 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1404
1405 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1406 }
1407 }
1408
1409/* If we found some target addresses but none of them matched, the client is
1410using an unauthorized IP address, otherwise the target has no authorized IP
1411addresses. */
1412
1413if (target_found) return CSA_FAIL_MISMATCH;
1414else return CSA_FAIL_NOADDR;
1415}
1416
1417
1418
1419/*************************************************
1420* Verify Client SMTP Authorization *
1421*************************************************/
1422
1423/* Called from acl_verify() below. This routine calls dns_lookup_special()
1424to find the CSA SRV record corresponding to the domain argument, or
1425$sender_helo_name if no argument is provided. It then checks that the
1426client is authorized, and that its IP address corresponds to the SRV
1427target's address by calling acl_verify_csa_address() above. The address
1428should have been returned in the DNS response's ADDITIONAL section, but if
1429not we perform another DNS lookup to get it.
1430
1431Arguments:
1432 domain pointer to optional parameter following verify = csa
1433
1434Returns: CSA_UNKNOWN no valid CSA record found
1435 CSA_OK successfully authorized
1436 CSA_FAIL_* client is definitely not authorized
1437 CSA_DEFER_* there was a DNS problem
1438*/
1439
1440static int
1441acl_verify_csa(uschar *domain)
1442{
1443tree_node *t;
1444uschar *found, *p;
1445int priority, weight, port;
1446dns_answer dnsa;
1447dns_scan dnss;
1448dns_record *rr;
1449int rc, type;
1450uschar target[256];
1451
1452/* Work out the domain we are using for the CSA lookup. The default is the
1453client's HELO domain. If the client has not said HELO, use its IP address
1454instead. If it's a local client (exim -bs), CSA isn't applicable. */
1455
1456while (isspace(*domain) && *domain != '\0') ++domain;
1457if (*domain == '\0') domain = sender_helo_name;
1458if (domain == NULL) domain = sender_host_address;
1459if (sender_host_address == NULL) return CSA_UNKNOWN;
1460
1461/* If we have an address literal, strip off the framing ready for turning it
1462into a domain. The framing consists of matched square brackets possibly
1463containing a keyword and a colon before the actual IP address. */
1464
1465if (domain[0] == '[')
1466 {
1467 uschar *start = Ustrchr(domain, ':');
1468 if (start == NULL) start = domain;
1469 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1470 }
1471
1472/* Turn domains that look like bare IP addresses into domains in the reverse
1473DNS. This code also deals with address literals and $sender_host_address. It's
1474not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1475address literals, but it's probably the most friendly thing to do. This is an
1476extension to CSA, so we allow it to be turned off for proper conformance. */
1477
7e66e54d 1478if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1479 {
1480 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1481 dns_build_reverse(domain, target);
1482 domain = target;
1483 }
1484
1485/* Find out if we've already done the CSA check for this domain. If we have,
1486return the same result again. Otherwise build a new cached result structure
1487for this domain. The name is filled in now, and the value is filled in when
1488we return from this function. */
1489
1490t = tree_search(csa_cache, domain);
1491if (t != NULL) return t->data.val;
1492
1493t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1494Ustrcpy(t->name, domain);
1495(void)tree_insertnode(&csa_cache, t);
1496
1497/* Now we are ready to do the actual DNS lookup(s). */
1498
28e6ef29 1499found = domain;
e5a9dba6
PH		 1500switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1501 {
1502 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1503
1504 default:
1505 return t->data.val = CSA_DEFER_SRV;
1506
1507 /* If we found nothing, the client's authorization is unknown. */
1508
1509 case DNS_NOMATCH:
1510 case DNS_NODATA:
1511 return t->data.val = CSA_UNKNOWN;
1512
1513 /* We got something! Go on to look at the reply in more detail. */
1514
1515 case DNS_SUCCEED:
1516 break;
1517 }
1518
1519/* Scan the reply for well-formed CSA SRV records. */
1520
1521for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1522 rr != NULL;
1523 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1524 {
1525 if (rr->type != T_SRV) continue;
1526
1527 /* Extract the numerical SRV fields (p is incremented) */
1528
1529 p = rr->data;
1530 GETSHORT(priority, p);
1531 GETSHORT(weight, p);
1532 GETSHORT(port, p);
1533
1534 DEBUG(D_acl)
1535 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1536
1537 /* Check the CSA version number */
1538
1539 if (priority != 1) continue;
1540
1541 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1542 found by dns_special_lookup() is a parent of the one we asked for), we check
1543 the subdomain assertions in the port field. At the moment there's only one
1544 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1545 SRV records of their own. */
1546
1547 if (found != domain)
1548 {
1549 if (port & 1)
1550 return t->data.val = CSA_FAIL_EXPLICIT;
1551 else
1552 return t->data.val = CSA_UNKNOWN;
1553 }
1554
1555 /* This CSA SRV record refers directly to our domain, so we check the value
1556 in the weight field to work out the domain's authorization. 0 and 1 are
1557 unauthorized; 3 means the client is authorized but we can't check the IP
1558 address in order to authenticate it, so we treat it as unknown; values
1559 greater than 3 are undefined. */
1560
1561 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1562
1563 if (weight > 2) continue;
1564
1565 /* Weight == 2, which means the domain is authorized. We must check that the
1566 client's IP address is listed as one of the SRV target addresses. Save the
1567 target hostname then break to scan the additional data for its addresses. */
1568
1569 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1570 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1571
1572 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1573
1574 break;
1575 }
1576
1577/* If we didn't break the loop then no appropriate records were found. */
1578
1579if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1580
1581/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1582A target of "." indicates there are no valid addresses, so the client cannot
1583be authorized. (This is an odd configuration because weight=2 target=. is
1584equivalent to weight=1, but we check for it in order to keep load off the
1585root name servers.) Note that dn_expand() turns "." into "". */
1586
1587if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1588
1589/* Scan the additional section of the CSA SRV reply for addresses belonging
1590to the target. If the name server didn't return any additional data (e.g.
1591because it does not fully support SRV records), we need to do another lookup
1592to obtain the target addresses; otherwise we have a definitive result. */
1593
1594rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1595if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1596
1597/* The DNS lookup type corresponds to the IP version used by the client. */
1598
1599#if HAVE_IPV6
1600if (Ustrchr(sender_host_address, ':') != NULL)
1601 type = T_AAAA;
1602else
1603#endif /* HAVE_IPV6 */
1604 type = T_A;
1605
1606
1607#if HAVE_IPV6 && defined(SUPPORT_A6)
1608DNS_LOOKUP_AGAIN:
1609#endif
1610
1611switch (dns_lookup(&dnsa, target, type, NULL))
1612 {
1613 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1614
1615 default:
1616 return t->data.val = CSA_DEFER_ADDR;
1617
1618 /* If the query succeeded, scan the addresses and return the result. */
1619
1620 case DNS_SUCCEED:
1621 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1622 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1623 /* else fall through */
1624
1625 /* If the target has no IP addresses, the client cannot have an authorized
1626 IP address. However, if the target site uses A6 records (not AAAA records)
1627 we have to do yet another lookup in order to check them. */
1628
1629 case DNS_NOMATCH:
1630 case DNS_NODATA:
1631
1632 #if HAVE_IPV6 && defined(SUPPORT_A6)
1633 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1634 #endif
1635
1636 return t->data.val = CSA_FAIL_NOADDR;
1637 }
1638}
1639
1640
1641
059ec3d9
PH		 1642/*************************************************
1643* Handle verification (address & other) *
1644*************************************************/
1645
89583014
JH		 1646enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1647 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1648 };
1649typedef struct {
1650 uschar * name;
1651 int value;
1652 unsigned where_allowed; /* bitmap */
1653 BOOL no_options; /* Never has /option(s) following */
1654 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1655 } verify_type_t;
1656static verify_type_t verify_type_list[] = {
1657 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1658 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1659 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1660 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1661 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1662 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1663 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1664 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1665 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1666 FALSE, 6 },
1667 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1668 };
1669
1670
1671enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1672 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1673 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1674 CALLOUT_TIME
1675 };
1676typedef struct {
1677 uschar * name;
1678 int value;
1679 int flag;
1680 BOOL has_option; /* Has =option(s) following */
1681 BOOL timeval; /* Has a time value */
1682 } callout_opt_t;
1683static callout_opt_t callout_opt_list[] = {
1684 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1685 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1686 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1687 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1688 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1689 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1690 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1691 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1692 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1693 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1694 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1695 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1696 };
1697
1698
1699
059ec3d9
PH		 1700/* This function implements the "verify" condition. It is called when
1701encountered in any ACL, because some tests are almost always permitted. Some
1702just don't make sense, and always fail (for example, an attempt to test a host
1703lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1704
1705Arguments:
1706 where where called from
1707 addr the recipient address that the ACL is handling, or NULL
1708 arg the argument of "verify"
1709 user_msgptr pointer for user message
1710 log_msgptr pointer for log message
1711 basic_errno where to put verify errno
1712
1713Returns: OK verification condition succeeded
1714 FAIL verification failed
1715 DEFER there was a problem verifying
1716 ERROR syntax error
1717*/
1718
1719static int
1720acl_verify(int where, address_item *addr, uschar *arg,
1721 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1722{
1723int sep = '/';
1724int callout = -1;
1725int callout_overall = -1;
4deaf07d 1726int callout_connect = -1;
059ec3d9
PH		 1727int verify_options = 0;
1728int rc;
1729BOOL verify_header_sender = FALSE;
1730BOOL defer_ok = FALSE;
1731BOOL callout_defer_ok = FALSE;
1732BOOL no_details = FALSE;
eafd343b 1733BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1734address_item *sender_vaddr = NULL;
1735uschar *verify_sender_address = NULL;
1736uschar *pm_mailfrom = NULL;
1737uschar *se_mailfrom = NULL;
596875b3
PH		 1738
1739/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1740an error if options are given for items that don't expect them.
596875b3
PH		 1741*/
1742
1743uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1744uschar *list = arg;
1745uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1746verify_type_t * vp;
059ec3d9
PH		 1747
1748if (ss == NULL) goto BAD_VERIFY;
1749
1750/* Handle name/address consistency verification in a separate function. */
1751
89583014
JH		 1752for (vp= verify_type_list;
1753 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1754 vp++
1755 )
1756 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1757 : strcmpic (ss, vp->name) == 0)
1758 break;
1759if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1760 goto BAD_VERIFY;
1761
1762if (vp->no_options && slash != NULL)
059ec3d9 1763 {
89583014
JH		 1764 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1765 "(this verify item has no options)", arg);
1766 return ERROR;
059ec3d9 1767 }
89583014 1768if (!(vp->where_allowed & (1<<where)))
059ec3d9 1769 {
89583014
JH		 1770 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1771 return ERROR;
059ec3d9 1772 }
89583014 1773switch(vp->value)
596875b3 1774 {
89583014
JH		 1775 case VERIFY_REV_HOST_LKUP:
1776 if (sender_host_address == NULL) return OK;
1777 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1778
89583014
JH		 1779 case VERIFY_CERT:
1780 /* TLS certificate verification is done at STARTTLS time; here we just
1781 test whether it was successful or not. (This is for optional verification; for
1782 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1783
817d9f57 1784 if (tls_in.certificate_verified) return OK;
89583014
JH		 1785 *user_msgptr = US"no verified certificate";
1786 return FAIL;
e5a9dba6 1787
89583014
JH		 1788 case VERIFY_HELO:
1789 /* We can test the result of optional HELO verification that might have
1790 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1791
89583014
JH		 1792 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1793 return helo_verified? OK : FAIL;
059ec3d9 1794
89583014
JH		 1795 case VERIFY_CSA:
1796 /* Do Client SMTP Authorization checks in a separate function, and turn the
1797 result code into user-friendly strings. */
1c41c9cc 1798
89583014
JH		 1799 rc = acl_verify_csa(list);
1800 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1801 csa_reason_string[rc]);
1802 csa_status = csa_status_string[rc];
1803 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1804 return csa_return_code[rc];
1805
1806 case VERIFY_HDR_SYNTAX:
1807 /* Check that all relevant header lines have the correct syntax. If there is
1808 a syntax error, we return details of the error to the sender if configured to
1809 send out full details. (But a "message" setting on the ACL can override, as
1810 always). */
1811
1812 rc = verify_check_headers(log_msgptr);
1813 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1814 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1815 return rc;
059ec3d9 1816
89583014
JH		 1817 case VERIFY_NOT_BLIND:
1818 /* Check that no recipient of this message is "blind", that is, every envelope
1819 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1820
89583014
JH		 1821 rc = verify_check_notblind();
1822 if (rc != OK)
1823 {
1824 *log_msgptr = string_sprintf("bcc recipient detected");
1825 if (smtp_return_error_details)
1826 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1827 }
1828 return rc;
059ec3d9 1829
89583014
JH		 1830 /* The remaining verification tests check recipient and sender addresses,
1831 either from the envelope or from the header. There are a number of
1832 slash-separated options that are common to all of them. */
059ec3d9 1833
89583014
JH		 1834 case VERIFY_HDR_SNDR:
1835 verify_header_sender = TRUE;
1836 break;
059ec3d9 1837
89583014
JH		 1838 case VERIFY_SNDR:
1839 /* In the case of a sender, this can optionally be followed by an address to use
1840 in place of the actual sender (rare special-case requirement). */
059ec3d9 1841 {
89583014
JH		 1842 uschar *s = ss + 6;
1843 if (*s == 0)
1844 verify_sender_address = sender_address;
1845 else
1846 {
1847 while (isspace(*s)) s++;
1848 if (*s++ != '=') goto BAD_VERIFY;
1849 while (isspace(*s)) s++;
1850 verify_sender_address = string_copy(s);
1851 }
059ec3d9 1852 }
89583014
JH		 1853 break;
1854
1855 case VERIFY_RCPT:
1856 break;
059ec3d9
PH		 1857 }
1858
89583014
JH		 1859
1860
596875b3
PH		 1861/* Remaining items are optional; they apply to sender and recipient
1862verification, including "header sender" verification. */
059ec3d9
PH		 1863
1864while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1865 != NULL)
1866 {
1867 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1868 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1869 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1870
1871 /* These two old options are left for backwards compatibility */
1872
1873 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1874 {
1875 callout_defer_ok = TRUE;
1876 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1877 }
1878
1879 else if (strcmpic(ss, US"check_postmaster") == 0)
1880 {
1881 pm_mailfrom = US"";
1882 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1883 }
1884
1885 /* The callout option has a number of sub-options, comma separated */
1886
1887 else if (strncmpic(ss, US"callout", 7) == 0)
1888 {
1889 callout = CALLOUT_TIMEOUT_DEFAULT;
1890 ss += 7;
1891 if (*ss != 0)
1892 {
1893 while (isspace(*ss)) ss++;
1894 if (*ss++ == '=')
1895 {
1896 int optsep = ',';
1897 uschar *opt;
1898 uschar buffer[256];
1899 while (isspace(*ss)) ss++;
8e669ac1 1900
059ec3d9
PH		 1901 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1902 != NULL)
1903 {
89583014 1904 callout_opt_t * op;
438257ba 1905 double period = 1.0F;
059ec3d9 1906
89583014 1907 for (op= callout_opt_list; op->name; op++)
438257ba 1908 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1909 break;
059ec3d9 1910
89583014
JH		 1911 verify_options |= op->flag;
1912 if (op->has_option)
1913 {
438257ba 1914 opt += Ustrlen(op->name);
4deaf07d
PH		 1915 while (isspace(*opt)) opt++;
1916 if (*opt++ != '=')
1917 {
1918 *log_msgptr = string_sprintf("'=' expected after "
89583014 1919 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1920 return ERROR;
1921 }
1922 while (isspace(*opt)) opt++;
89583014
JH		 1923 }
1924 if (op->timeval)
1925 {
1926 period = readconf_readtime(opt, 0, FALSE);
1927 if (period < 0)
4deaf07d
PH		 1928 {
1929 *log_msgptr = string_sprintf("bad time value in ACL condition "
1930 "\"verify %s\"", arg);
1931 return ERROR;
1932 }
89583014
JH		 1933 }
1934
1935 switch(op->value)
1936 {
1937 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1938 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1939 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1940 case CALLOUT_MAILFROM:
1941 if (!verify_header_sender)
1942 {
1943 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1944 "callout option only for verify=header_sender (detected in ACL "
1945 "condition \"%s\")", arg);
1946 return ERROR;
1947 }
1948 se_mailfrom = string_copy(opt);
1949 break;
1950 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1951 case CALLOUT_MAXWAIT: callout_overall = period; break;
1952 case CALLOUT_CONNECT: callout_connect = period; break;
1953 case CALLOUT_TIME: callout = period; break;
1954 }
059ec3d9
PH		 1955 }
1956 }
1957 else
1958 {
1959 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1960 "ACL condition \"%s\"", arg);
1961 return ERROR;
1962 }
1963 }
1964 }
1965
1966 /* Option not recognized */
1967
1968 else
1969 {
1970 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1971 "condition \"verify %s\"", ss, arg);
1972 return ERROR;
1973 }
1974 }
1975
1976if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1977 (vopt_callout_recipsender|vopt_callout_recippmaster))
1978 {
1979 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1980 "for a recipient callout";
1981 return ERROR;
1982 }
1983
1984/* Handle sender-in-header verification. Default the user message to the log
1985message if giving out verification details. */
1986
1987if (verify_header_sender)
1988 {
8e669ac1 1989 int verrno;
059ec3d9 1990 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1991 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1992 &verrno);
1993 if (rc != OK)
8e669ac1 1994 {
fe5b5d0b
PH		 1995 *basic_errno = verrno;
1996 if (smtp_return_error_details)
1997 {
1998 if (*user_msgptr == NULL && *log_msgptr != NULL)
1999 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
2000 if (rc == DEFER) acl_temp_details = TRUE;
2001 }
8e669ac1 2002 }
059ec3d9
PH		 2003 }
2004
2005/* Handle a sender address. The default is to verify *the* sender address, but
2006optionally a different address can be given, for special requirements. If the
2007address is empty, we are dealing with a bounce message that has no sender, so
2008we cannot do any checking. If the real sender address gets rewritten during
2009verification (e.g. DNS widening), set the flag to stop it being rewritten again
2010during message reception.
2011
2012A list of verified "sender" addresses is kept to try to avoid doing to much
2013work repetitively when there are multiple recipients in a message and they all
2014require sender verification. However, when callouts are involved, it gets too
2015complicated because different recipients may require different callout options.
2016Therefore, we always do a full sender verify when any kind of callout is
2017specified. Caching elsewhere, for instance in the DNS resolver and in the
2018callout handling, should ensure that this is not terribly inefficient. */
2019
2020else if (verify_sender_address != NULL)
2021 {
2022 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
2023 != 0)
2024 {
2025 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
2026 "sender verify callout";
2027 return ERROR;
2028 }
2029
2030 sender_vaddr = verify_checked_sender(verify_sender_address);
2031 if (sender_vaddr != NULL && /* Previously checked */
2032 callout <= 0) /* No callout needed this time */
2033 {
2034 /* If the "routed" flag is set, it means that routing worked before, so
2035 this check can give OK (the saved return code value, if set, belongs to a
2036 callout that was done previously). If the "routed" flag is not set, routing
2037 must have failed, so we use the saved return code. */
2038
2039 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
2040 {
2041 rc = sender_vaddr->special_action;
2042 *basic_errno = sender_vaddr->basic_errno;
2043 }
2044 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2045 }
2046
2047 /* Do a new verification, and cache the result. The cache is used to avoid
2048 verifying the sender multiple times for multiple RCPTs when callouts are not
2049 specified (see comments above).
2050
2051 The cache is also used on failure to give details in response to the first
2052 RCPT that gets bounced for this reason. However, this can be suppressed by
2053 the no_details option, which sets the flag that says "this detail has already
2054 been sent". The cache normally contains just one address, but there may be
2055 more in esoteric circumstances. */
2056
2057 else
2058 {
2059 BOOL routed = TRUE;
2a3eea10 2060 uschar *save_address_data = deliver_address_data;
8e669ac1 2061
059ec3d9
PH		 2062 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2063 if (no_details) setflag(sender_vaddr, af_sverify_told);
2064 if (verify_sender_address[0] != 0)
2065 {
2066 /* If this is the real sender address, save the unrewritten version
2067 for use later in receive. Otherwise, set a flag so that rewriting the
2068 sender in verify_address() does not update sender_address. */
2069
2070 if (verify_sender_address == sender_address)
2071 sender_address_unrewritten = sender_address;
2072 else
2073 verify_options |= vopt_fake_sender;
2074
eafd343b
TK		 2075 if (success_on_redirect)
2076 verify_options |= vopt_success_on_redirect;
2077
059ec3d9
PH		 2078 /* The recipient, qualify, and expn options are never set in
2079 verify_options. */
2080
2081 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 2082 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 2083
2084 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2085
2086 if (rc == OK)
2087 {
2088 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2089 {
2090 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2091 verify_sender_address, sender_vaddr->address);
2092 }
2093 else
2094 {
2095 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2096 verify_sender_address);
2097 }
2098 }
2099 else *basic_errno = sender_vaddr->basic_errno;
2100 }
2101 else rc = OK; /* Null sender */
2102
2103 /* Cache the result code */
2104
2105 if (routed) setflag(sender_vaddr, af_verify_routed);
2106 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2107 sender_vaddr->special_action = rc;
2108 sender_vaddr->next = sender_verified_list;
2109 sender_verified_list = sender_vaddr;
8e669ac1
PH		 2110
2111 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 2112 the sender verification. */
8e669ac1 2113
2a3eea10 2114 deliver_address_data = save_address_data;
059ec3d9 2115 }
8e669ac1 2116
2a3eea10
PH		 2117 /* Put the sender address_data value into $sender_address_data */
2118
8e669ac1 2119 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 2120 }
2121
2122/* A recipient address just gets a straightforward verify; again we must handle
2123the DEFER overrides. */
2124
2125else
2126 {
2127 address_item addr2;
2128
eafd343b
TK		 2129 if (success_on_redirect)
2130 verify_options |= vopt_success_on_redirect;
2131
059ec3d9
PH		 2132 /* We must use a copy of the address for verification, because it might
2133 get rewritten. */
2134
2135 addr2 = *addr;
2136 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2137 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2138 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2139
42855d71 2140 *basic_errno = addr2.basic_errno;
059ec3d9 2141 *log_msgptr = addr2.message;
8e669ac1 2142 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2143 addr2.user_message : addr2.message;
42855d71
PH		 2144
2145 /* Allow details for temporary error if the address is so flagged. */
2146 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 2147
2148 /* Make $address_data visible */
2149 deliver_address_data = addr2.p.address_data;
2150 }
2151
2152/* We have a result from the relevant test. Handle defer overrides first. */
2153
2154if (rc == DEFER && (defer_ok ||
2155 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2156 {
2157 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2158 defer_ok? "defer_ok" : "callout_defer_ok");
2159 rc = OK;
2160 }
2161
2162/* If we've failed a sender, set up a recipient message, and point
2163sender_verified_failed to the address item that actually failed. */
2164
2165if (rc != OK && verify_sender_address != NULL)
2166 {
2167 if (rc != DEFER)
2168 {
2169 *log_msgptr = *user_msgptr = US"Sender verify failed";
2170 }
2171 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2172 {
2173 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2174 }
2175 else
2176 {
2177 *log_msgptr = US"Could not complete sender verify callout";
2178 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2179 *log_msgptr;
2180 }
2181
2182 sender_verified_failed = sender_vaddr;
2183 }
2184
2185/* Verifying an address messes up the values of $domain and $local_part,
2186so reset them before returning if this is a RCPT ACL. */
2187
2188if (addr != NULL)
2189 {
2190 deliver_domain = addr->domain;
2191 deliver_localpart = addr->local_part;
2192 }
2193return rc;
2194
2195/* Syntax errors in the verify argument come here. */
2196
2197BAD_VERIFY:
2198*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2199 "\"helo\", \"header_syntax\", \"header_sender\" or "
2200 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2201 "\"verify %s\"", arg);
2202return ERROR;
2203}
2204
2205
2206
2207
2208/*************************************************
2209* Check argument for control= modifier *
2210*************************************************/
2211
2212/* Called from acl_check_condition() below
2213
2214Arguments:
2215 arg the argument string for control=
2216 pptr set to point to the terminating character
2217 where which ACL we are in
2218 log_msgptr for error messages
2219
2220Returns: CONTROL_xxx value
2221*/
2222
2223static int
2224decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2225{
2226int len;
2227control_def *d;
2228
2229for (d = controls_list;
2230 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2231 d++)
2232 {
2233 len = Ustrlen(d->name);
2234 if (Ustrncmp(d->name, arg, len) == 0) break;
2235 }
2236
2237if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2238 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2239 {
2240 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2241 return CONTROL_ERROR;
2242 }
2243
059ec3d9
PH		 2244*pptr = arg + len;
2245return d->value;
2246}
2247
2248
2249
c99ce5c9
TF		 2250
2251/*************************************************
2252* Return a ratelimit error *
2253*************************************************/
2254
2255/* Called from acl_ratelimit() below
2256
2257Arguments:
2258 log_msgptr for error messages
2259 format format string
2260 ... supplementary arguments
2261 ss ratelimit option name
2262 where ACL_WHERE_xxxx indicating which ACL this is
2263
2264Returns: ERROR
2265*/
2266
2267static int
2268ratelimit_error(uschar **log_msgptr, const char *format, ...)
2269{
2270va_list ap;
2271uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2272va_start(ap, format);
2273if (!string_vformat(buffer, sizeof(buffer), format, ap))
2274 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2275 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2276va_end(ap);
2277*log_msgptr = string_sprintf(
2278 "error in arguments to \"ratelimit\" condition: %s", buffer);
2279return ERROR;
2280}
2281
2282
2283
2284
870f6ba8
TF		 2285/*************************************************
2286* Handle rate limiting *
2287*************************************************/
2288
2289/* Called by acl_check_condition() below to calculate the result
2290of the ACL ratelimit condition.
2291
2292Note that the return value might be slightly unexpected: if the
2293sender's rate is above the limit then the result is OK. This is
2294similar to the dnslists condition, and is so that you can write
2295ACL clauses like: defer ratelimit = 15 / 1h
2296
2297Arguments:
2298 arg the option string for ratelimit=
90fc3069 2299 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2300 log_msgptr for error messages
2301
2302Returns: OK - Sender's rate is above limit
2303 FAIL - Sender's rate is below limit
2304 DEFER - Problem opening ratelimit database
2305 ERROR - Syntax error in options.
2306*/
2307
2308static int
90fc3069 2309acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2310{
c99ce5c9 2311double limit, period, count;
8f240103
PH		 2312uschar *ss;
2313uschar *key = NULL;
c99ce5c9 2314uschar *unique = NULL;
870f6ba8 2315int sep = '/';
c99ce5c9
TF		 2316BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2317BOOL noupdate = FALSE, badacl = FALSE;
2318int mode = RATE_PER_WHAT;
870f6ba8
TF		 2319int old_pool, rc;
2320tree_node **anchor, *t;
2321open_db dbblock, *dbm;
c99ce5c9 2322int dbdb_size;
870f6ba8 2323dbdata_ratelimit *dbd;
c99ce5c9 2324dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2325struct timeval tv;
2326
2327/* Parse the first two options and record their values in expansion
2328variables. These variables allow the configuration to have informative
2329error messages based on rate limits obtained from a table lookup. */
2330
c99ce5c9 2331/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2332size, which must be greater than or equal to zero. Zero is useful for
2333rate measurement as opposed to rate limiting. */
2334
2335sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2336if (sender_rate_limit == NULL)
2337 limit = -1.0;
2338else
2339 {
2340 limit = Ustrtod(sender_rate_limit, &ss);
2341 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2342 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2343 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2344 }
c99ce5c9
TF		 2345if (limit < 0.0 || *ss != '\0')
2346 return ratelimit_error(log_msgptr,
2347 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2348
c99ce5c9 2349/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2350constant. This must be strictly greater than zero, because zero leads to
2351run-time division errors. */
2352
2353sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2354if (sender_rate_period == NULL) period = -1.0;
2355else period = readconf_readtime(sender_rate_period, 0, FALSE);
2356if (period <= 0.0)
c99ce5c9
TF		 2357 return ratelimit_error(log_msgptr,
2358 "\"%s\" is not a time value", sender_rate_period);
2359
2360/* By default we are counting one of something, but the per_rcpt,
2361per_byte, and count options can change this. */
2362
2363count = 1.0;
870f6ba8 2364
c99ce5c9 2365/* Parse the other options. */
870f6ba8
TF		 2366
2367while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2368 != NULL)
2369 {
2370 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2371 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2372 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2373 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2374 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2375 else if (strcmpic(ss, US"per_conn") == 0)
2376 {
2377 RATE_SET(mode, PER_CONN);
2378 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2379 badacl = TRUE;
2380 }
2381 else if (strcmpic(ss, US"per_mail") == 0)
2382 {
2383 RATE_SET(mode, PER_MAIL);
2384 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2385 }
2386 else if (strcmpic(ss, US"per_rcpt") == 0)
2387 {
2388 /* If we are running in the RCPT ACL, then we'll count the recipients
2389 one by one, but if we are running when we have accumulated the whole
2390 list then we'll add them all in one batch. */
2391 if (where == ACL_WHERE_RCPT)
2392 RATE_SET(mode, PER_RCPT);
2393 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2394 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2395 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2396 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2397 }
2398 else if (strcmpic(ss, US"per_byte") == 0)
2399 {
2400 /* If we have not yet received the message data and there was no SIZE
2401 declaration on the MAIL comand, then it's safe to just use a value of
2402 zero and let the recorded rate decay as if nothing happened. */
2403 RATE_SET(mode, PER_MAIL);
2404 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2405 else count = message_size < 0 ? 0.0 : (double)message_size;
2406 }
2407 else if (strcmpic(ss, US"per_addr") == 0)
2408 {
2409 RATE_SET(mode, PER_RCPT);
438257ba 2410 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2411 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2412 }
2413 else if (strncmpic(ss, US"count=", 6) == 0)
2414 {
2415 uschar *e;
2416 count = Ustrtod(ss+6, &e);
2417 if (count < 0.0 || *e != '\0')
2418 return ratelimit_error(log_msgptr,
2419 "\"%s\" is not a positive number", ss);
2420 }
2421 else if (strncmpic(ss, US"unique=", 7) == 0)
2422 unique = string_copy(ss + 7);
2423 else if (key == NULL)
2424 key = string_copy(ss);
2425 else
2426 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2427 }
2428
c99ce5c9
TF		 2429/* Sanity check. When the badacl flag is set the update mode must either
2430be readonly (which is the default if it is omitted) or, for backwards
2431compatibility, a combination of noupdate and strict or leaky. */
2432
2433if (mode == RATE_PER_CLASH)
2434 return ratelimit_error(log_msgptr, "conflicting per_* options");
2435if (leaky + strict + readonly > 1)
2436 return ratelimit_error(log_msgptr, "conflicting update modes");
2437if (badacl && (leaky || strict) && !noupdate)
2438 return ratelimit_error(log_msgptr,
2439 "\"%s\" must not have /leaky or /strict option in %s ACL",
2440 ratelimit_option_string[mode], acl_wherenames[where]);
2441
2442/* Set the default values of any unset options. In readonly mode we
2443perform the rate computation without any increment so that its value
2444decays to eventually allow over-limit senders through. */
2445
2446if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2447if (badacl) readonly = TRUE;
2448if (readonly) count = 0.0;
2449if (!strict && !readonly) leaky = TRUE;
2450if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2451
8f240103
PH		 2452/* Create the lookup key. If there is no explicit key, use sender_host_address.
2453If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2454omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2455are added to the key because they alter the meaning of the stored data. */
2456
2457if (key == NULL)
2458 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2459
c99ce5c9 2460key = string_sprintf("%s/%s/%s%s",
8f240103 2461 sender_rate_period,
c99ce5c9
TF		 2462 ratelimit_option_string[mode],
2463 unique == NULL ? "" : "unique/",
8f240103 2464 key);
870f6ba8 2465
c99ce5c9
TF		 2466HDEBUG(D_acl)
2467 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2468
8f240103
PH		 2469/* See if we have already computed the rate by looking in the relevant tree.
2470For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2471pool so that they survive across resets. In readonly mode we only remember the
2472result for the rest of this command in case a later command changes it. After
2473this bit of logic the code is independent of the per_* mode. */
870f6ba8 2474
870f6ba8
TF		 2475old_pool = store_pool;
2476
c99ce5c9
TF		 2477if (readonly)
2478 anchor = &ratelimiters_cmd;
2479else switch(mode) {
2480case RATE_PER_CONN:
870f6ba8
TF		 2481 anchor = &ratelimiters_conn;
2482 store_pool = POOL_PERM;
c99ce5c9
TF		 2483 break;
2484case RATE_PER_BYTE:
2485case RATE_PER_MAIL:
2486case RATE_PER_ALLRCPTS:
870f6ba8 2487 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2488 break;
2489case RATE_PER_ADDR:
2490case RATE_PER_CMD:
2491case RATE_PER_RCPT:
fe0dab11 2492 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2493 break;
2494default:
3399bb60 2495 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2496 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2497 "internal ACL error: unknown ratelimit mode %d", mode);
2498 break;
2499}
870f6ba8 2500
c99ce5c9
TF		 2501t = tree_search(*anchor, key);
2502if (t != NULL)
870f6ba8
TF		 2503 {
2504 dbd = t->data.ptr;
2505 /* The following few lines duplicate some of the code below. */
8f240103 2506 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2507 store_pool = old_pool;
2508 sender_rate = string_sprintf("%.1f", dbd->rate);
2509 HDEBUG(D_acl)
2510 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2511 return rc;
2512 }
2513
c99ce5c9
TF		 2514/* We aren't using a pre-computed rate, so get a previously recorded rate
2515from the database, which will be updated and written back if required. */
870f6ba8
TF		 2516
2517dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2518if (dbm == NULL)
2519 {
2520 store_pool = old_pool;
2521 sender_rate = NULL;
2522 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2523 *log_msgptr = US"ratelimit database not available";
2524 return DEFER;
2525 }
c99ce5c9
TF		 2526dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2527dbd = NULL;
870f6ba8
TF		 2528
2529gettimeofday(&tv, NULL);
2530
c99ce5c9
TF		 2531if (dbdb != NULL)
2532 {
2533 /* Locate the basic ratelimit block inside the DB data. */
2534 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2535 dbd = &dbdb->dbd;
2536
2537 /* Forget the old Bloom filter if it is too old, so that we count each
2538 repeating event once per period. We don't simply clear and re-use the old
2539 filter because we want its size to change if the limit changes. Note that
2540 we keep the dbd pointer for copying the rate into the new data block. */
2541
2542 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2543 {
2544 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2545 dbdb = NULL;
2546 }
2547
2548 /* Sanity check. */
2549
2550 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2551 {
2552 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2553 dbdb = NULL;
2554 }
2555 }
2556
2557/* Allocate a new data block if the database lookup failed
2558or the Bloom filter passed its age limit. */
2559
2560if (dbdb == NULL)
2561 {
2562 if (unique == NULL)
2563 {
2564 /* No Bloom filter. This basic ratelimit block is initialized below. */
2565 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2566 dbdb_size = sizeof(*dbd);
2567 dbdb = store_get(dbdb_size);
2568 }
2569 else
2570 {
2571 int extra;
2572 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2573
2574 /* See the long comment below for an explanation of the magic number 2.
2575 The filter has a minimum size in case the rate limit is very small;
2576 this is determined by the definition of dbdata_ratelimit_unique. */
2577
2578 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2579 if (extra < 0) extra = 0;
2580 dbdb_size = sizeof(*dbdb) + extra;
2581 dbdb = store_get(dbdb_size);
2582 dbdb->bloom_epoch = tv.tv_sec;
2583 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2584 memset(dbdb->bloom, 0, dbdb->bloom_size);
2585
2586 /* Preserve any basic ratelimit data (which is our longer-term memory)
2587 by copying it from the discarded block. */
2588
2589 if (dbd != NULL)
2590 {
2591 dbdb->dbd = *dbd;
2592 dbd = &dbdb->dbd;
2593 }
2594 }
2595 }
2596
2597/* If we are counting unique events, find out if this event is new or not.
2598If the client repeats the event during the current period then it should be
2599counted. We skip this code in readonly mode for efficiency, because any
2600changes to the filter will be discarded and because count is already set to
2601zero. */
2602
2603if (unique != NULL && !readonly)
2604 {
2605 /* We identify unique events using a Bloom filter. (You can find my
2606 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2607 With the per_addr option, an "event" is a recipient address, though the
2608 user can use the unique option to define their own events. We only count
2609 an event if we have not seen it before.
2610
2611 We size the filter according to the rate limit, which (in leaky mode)
2612 is the limit on the population of the filter. We allow 16 bits of space
2613 per entry (see the construction code above) and we set (up to) 8 of them
2614 when inserting an element (see the loop below). The probability of a false
2615 positive (an event we have not seen before but which we fail to count) is
2616
2617 size = limit * 16
2618 numhash = 8
2619 allzero = exp(-numhash * pop / size)
2620 = exp(-0.5 * pop / limit)
2621 fpr = pow(1 - allzero, numhash)
2622
2623 For senders at the limit the fpr is 0.06% or 1 in 1700
2624 and for senders at half the limit it is 0.0006% or 1 in 170000
2625
2626 In strict mode the Bloom filter can fill up beyond the normal limit, in
2627 which case the false positive rate will rise. This means that the
2628 measured rate for very fast senders can bogusly drop off after a while.
2629
2630 At twice the limit, the fpr is 2.5% or 1 in 40
2631 At four times the limit, it is 31% or 1 in 3.2
2632
2633 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2634 decay below the limit, and if this is more than one then the Bloom filter
2635 will be discarded before the decay gets that far. The false positive rate
2636 at this threshold is 9.3% or 1 in 10.7. */
2637
2638 BOOL seen;
2639 unsigned n, hash, hinc;
2640 uschar md5sum[16];
2641 md5 md5info;
2642
2643 /* Instead of using eight independent hash values, we combine two values
2644 using the formula h1 + n * h2. This does not harm the Bloom filter's
2645 performance, and means the amount of hash we need is independent of the
2646 number of bits we set in the filter. */
2647
2648 md5_start(&md5info);
2649 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2650 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2651 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2652
2653 /* Scan the bits corresponding to this event. A zero bit means we have
2654 not seen it before. Ensure all bits are set to record this event. */
2655
2656 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2657
2658 seen = TRUE;
2659 for (n = 0; n < 8; n++, hash += hinc)
2660 {
2661 int bit = 1 << (hash % 8);
2662 int byte = (hash / 8) % dbdb->bloom_size;
2663 if ((dbdb->bloom[byte] & bit) == 0)
2664 {
2665 dbdb->bloom[byte] |= bit;
2666 seen = FALSE;
2667 }
2668 }
2669
2670 /* If this event has occurred before, do not count it. */
2671
2672 if (seen)
2673 {
2674 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2675 count = 0.0;
2676 }
2677 else
2678 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2679 }
2680
2681/* If there was no previous ratelimit data block for this key, initialize
2682the new one, otherwise update the block from the database. The initial rate
2683is what would be computed by the code below for an infinite interval. */
2684
870f6ba8
TF		 2685if (dbd == NULL)
2686 {
c99ce5c9
TF		 2687 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2688 dbd = &dbdb->dbd;
870f6ba8
TF		 2689 dbd->time_stamp = tv.tv_sec;
2690 dbd->time_usec = tv.tv_usec;
c99ce5c9 2691 dbd->rate = count;
870f6ba8
TF		 2692 }
2693else
2694 {
2695 /* The smoothed rate is computed using an exponentially weighted moving
2696 average adjusted for variable sampling intervals. The standard EWMA for
2697 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2698 where f() is the measured value and f'() is the smoothed value.
2699
2700 Old data decays out of the smoothed value exponentially, such that data n
2701 samples old is multiplied by a^n. The exponential decay time constant p
2702 is defined such that data p samples old is multiplied by 1/e, which means
2703 that a = exp(-1/p). We can maintain the same time constant for a variable
2704 sampling interval i by using a = exp(-i/p).
2705
2706 The rate we are measuring is messages per period, suitable for directly
2707 comparing with the limit. The average rate between now and the previous
2708 message is period / interval, which we feed into the EWMA as the sample.
2709
2710 It turns out that the number of messages required for the smoothed rate
2711 to reach the limit when they are sent in a burst is equal to the limit.
2712 This can be seen by analysing the value of the smoothed rate after N
2713 messages sent at even intervals. Let k = (1 - a) * p/i
2714
2715 rate_1 = (1 - a) * p/i + a * rate_0
2716 = k + a * rate_0
2717 rate_2 = k + a * rate_1
2718 = k + a * k + a^2 * rate_0
2719 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2720 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2721 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2722 = rate_0 * a^N + p/i * (1 - a^N)
2723
2724 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2725
2726 rate_N = p/i + (rate_0 - p/i) * a^N
2727 a^N = (rate_N - p/i) / (rate_0 - p/i)
2728 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2729 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2730
2731 Numerical analysis of the above equation, setting the computed rate to
2732 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2733 rates, p/i, the number of messages N = limit. So limit serves as both the
2734 maximum rate measured in messages per period, and the maximum number of
2735 messages that can be sent in a fast burst. */
2736
2737 double this_time = (double)tv.tv_sec
2738 + (double)tv.tv_usec / 1000000.0;
2739 double prev_time = (double)dbd->time_stamp
2740 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2741
2742 /* We must avoid division by zero, and deal gracefully with the clock going
2743 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2744 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2745
e5d5a95f
TF		 2746 double interval = this_time - prev_time <= 0.0 ? 1e-9
2747 : this_time - prev_time;
2748
2749 double i_over_p = interval / period;
2750 double a = exp(-i_over_p);
870f6ba8 2751
c99ce5c9
TF		 2752 /* Combine the instantaneous rate (period / interval) with the previous rate
2753 using the smoothing factor a. In order to measure sized events, multiply the
2754 instantaneous rate by the count of bytes or recipients etc. */
2755
870f6ba8
TF		 2756 dbd->time_stamp = tv.tv_sec;
2757 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2758 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2759
2760 /* When events are very widely spaced the computed rate tends towards zero.
2761 Although this is accurate it turns out not to be useful for our purposes,
2762 especially when the first event after a long silence is the start of a spam
2763 run. A more useful model is that the rate for an isolated event should be the
2764 size of the event per the period size, ignoring the lack of events outside
2765 the current period and regardless of where the event falls in the period. So,
2766 if the interval was so long that the calculated rate is unhelpfully small, we
2767 re-intialize the rate. In the absence of higher-rate bursts, the condition
2768 below is true if the interval is greater than the period. */
2769
2770 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2771 }
2772
c99ce5c9
TF		 2773/* Clients sending at the limit are considered to be over the limit.
2774This matters for edge cases such as a limit of zero, when the client
2775should be completely blocked. */
3348576f 2776
8f240103 2777rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2778
2779/* Update the state if the rate is low or if we are being strict. If we
2780are in leaky mode and the sender's rate is too high, we do not update
2781the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2782rate preventing them from getting any email through. If readonly is set,
2783neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2784
c99ce5c9 2785if ((rc == FAIL && leaky) || strict)
8f240103 2786 {
c99ce5c9 2787 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2788 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2789 }
2790else
2791 {
2792 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2793 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2794 }
2795
870f6ba8
TF		 2796dbfn_close(dbm);
2797
c99ce5c9 2798/* Store the result in the tree for future reference. */
870f6ba8 2799
c99ce5c9
TF		 2800t = store_get(sizeof(tree_node) + Ustrlen(key));
2801t->data.ptr = dbd;
2802Ustrcpy(t->name, key);
2803(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2804
2805/* We create the formatted version of the sender's rate very late in
2806order to ensure that it is done using the correct storage pool. */
2807
2808store_pool = old_pool;
2809sender_rate = string_sprintf("%.1f", dbd->rate);
2810
2811HDEBUG(D_acl)
2812 debug_printf("ratelimit computed rate %s\n", sender_rate);
2813
2814return rc;
2815}
2816
2817
2818
059ec3d9
PH		 2819/*************************************************
2820* Handle conditions/modifiers on an ACL item *
2821*************************************************/
2822
2823/* Called from acl_check() below.
2824
2825Arguments:
2826 verb ACL verb
2827 cb ACL condition block - if NULL, result is OK
2828 where where called from
2829 addr the address being checked for RCPT, or NULL
2830 level the nesting level
2831 epp pointer to pass back TRUE if "endpass" encountered
2832 (applies only to "accept" and "discard")
2833 user_msgptr user message pointer
2834 log_msgptr log message pointer
2835 basic_errno pointer to where to put verify error
2836
2837Returns: OK - all conditions are met
2838 DISCARD - an "acl" condition returned DISCARD - only allowed
2839 for "accept" or "discard" verbs
2840 FAIL - at least one condition fails
2841 FAIL_DROP - an "acl" condition returned FAIL_DROP
2842 DEFER - can't tell at the moment (typically, lookup defer,
2843 but can be temporary callout problem)
2844 ERROR - ERROR from nested ACL or expansion failure or other
2845 error
2846*/
2847
2848static int
2849acl_check_condition(int verb, acl_condition_block *cb, int where,
2850 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2851 uschar **log_msgptr, int *basic_errno)
2852{
2853uschar *user_message = NULL;
2854uschar *log_message = NULL;
ed7f7860
PP		 2855uschar *debug_tag = NULL;
2856uschar *debug_opts = NULL;
91ecef39 2857uschar *p = NULL;
059ec3d9 2858int rc = OK;
8523533c
TK		 2859#ifdef WITH_CONTENT_SCAN
2860int sep = '/';
2861#endif
059ec3d9
PH		 2862
2863for (; cb != NULL; cb = cb->next)
2864 {
2865 uschar *arg;
8e669ac1 2866 int control_type;
059ec3d9
PH		 2867
2868 /* The message and log_message items set up messages to be used in
2869 case of rejection. They are expanded later. */
2870
2871 if (cb->type == ACLC_MESSAGE)
2872 {
2873 user_message = cb->arg;
2874 continue;
2875 }
2876
2877 if (cb->type == ACLC_LOG_MESSAGE)
2878 {
2879 log_message = cb->arg;
2880 continue;
2881 }
2882
2883 /* The endpass "condition" just sets a flag to show it occurred. This is
2884 checked at compile time to be on an "accept" or "discard" item. */
2885
2886 if (cb->type == ACLC_ENDPASS)
2887 {
2888 *epp = TRUE;
2889 continue;
2890 }
2891
2892 /* For other conditions and modifiers, the argument is expanded now for some
2893 of them, but not for all, because expansion happens down in some lower level
2894 checking functions in some cases. */
2895
2896 if (cond_expand_at_top[cb->type])
2897 {
2898 arg = expand_string(cb->arg);
2899 if (arg == NULL)
2900 {
2901 if (expand_string_forcedfail) continue;
2902 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2903 cb->arg, expand_string_message);
2904 return search_find_defer? DEFER : ERROR;
2905 }
2906 }
2907 else arg = cb->arg;
2908
2909 /* Show condition, and expanded condition if it's different */
2910
2911 HDEBUG(D_acl)
2912 {
2913 int lhswidth = 0;
2914 debug_printf("check %s%s %n",
2915 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2916 conditions[cb->type], &lhswidth);
2917
2918 if (cb->type == ACLC_SET)
2919 {
38a0a95f
PH		 2920 debug_printf("acl_%s ", cb->u.varname);
2921 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2922 }
2923
2924 debug_printf("= %s\n", cb->arg);
2925
2926 if (arg != cb->arg)
2927 debug_printf("%.*s= %s\n", lhswidth,
2928 US" ", CS arg);
2929 }
2930
2931 /* Check that this condition makes sense at this time */
2932
2933 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2934 {
2935 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2936 cond_modifiers[cb->type]? "use" : "test",
2937 conditions[cb->type], acl_wherenames[where]);
2938 return ERROR;
2939 }
2940
2941 /* Run the appropriate test for each condition, or take the appropriate
2942 action for the remaining modifiers. */
2943
2944 switch(cb->type)
2945 {
71fafd95
PH		 2946 case ACLC_ADD_HEADER:
2947 setup_header(arg);
2948 break;
2949
059ec3d9
PH		 2950 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2951 "discard" verb. */
71fafd95 2952
059ec3d9 2953 case ACLC_ACL:
f60d98e8 2954 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 2955 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2956 {
2957 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2958 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2959 verbs[verb]);
2960 return ERROR;
2961 }
059ec3d9
PH		 2962 break;
2963
2964 case ACLC_AUTHENTICATED:
2965 rc = (sender_host_authenticated == NULL)? FAIL :
2966 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2967 TRUE, NULL);
2968 break;
2969
71fafd95 2970 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2971 case ACLC_BMI_OPTIN:
2972 {
2973 int old_pool = store_pool;
2974 store_pool = POOL_PERM;
2975 bmi_current_optin = string_copy(arg);
2976 store_pool = old_pool;
2977 }
2978 break;
71fafd95 2979 #endif
8523533c 2980
059ec3d9 2981 case ACLC_CONDITION:
f3766eb5
NM		 2982 /* The true/false parsing here should be kept in sync with that used in
2983 expand.c when dealing with ECOND_BOOL so that we don't have too many
2984 different definitions of what can be a boolean. */
059ec3d9
PH		 2985 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2986 rc = (Uatoi(arg) == 0)? FAIL : OK;
2987 else
2988 rc = (strcmpic(arg, US"no") == 0 ||
2989 strcmpic(arg, US"false") == 0)? FAIL :
2990 (strcmpic(arg, US"yes") == 0 ||
2991 strcmpic(arg, US"true") == 0)? OK : DEFER;
2992 if (rc == DEFER)
2993 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2994 break;
2995
c3611384
PH		 2996 case ACLC_CONTINUE: /* Always succeeds */
2997 break;
2998
059ec3d9 2999 case ACLC_CONTROL:
c5fcb476
PH		 3000 control_type = decode_control(arg, &p, where, log_msgptr);
3001
8523533c 3002 /* Check if this control makes sense at this time */
c5fcb476
PH		 3003
3004 if ((control_forbids[control_type] & (1 << where)) != 0)
3005 {
3006 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
3007 controls[control_type], acl_wherenames[where]);
3008 return ERROR;
8e669ac1 3009 }
c5fcb476
PH		 3010
3011 switch(control_type)
059ec3d9 3012 {
c46782ef
PH		 3013 case CONTROL_AUTH_UNADVERTISED:
3014 allow_auth_unadvertised = TRUE;
3015 break;
3016
3017 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 3018 case CONTROL_BMI_RUN:
3019 bmi_run = 1;
3020 break;
c46782ef
PH		 3021 #endif
3022
80a47a2c 3023 #ifndef DISABLE_DKIM
f7572e5a 3024 case CONTROL_DKIM_VERIFY:
80a47a2c 3025 dkim_disable_verify = TRUE;
4840604e
TL		 3026 #ifdef EXPERIMENTAL_DMARC
3027 /* Since DKIM was blocked, skip DMARC too */
3028 dmarc_disable_verify = TRUE;
3029 dmarc_enable_forensic = FALSE;
3030 #endif
3031 break;
3032 #endif
3033
3034 #ifdef EXPERIMENTAL_DMARC
3035 case CONTROL_DMARC_VERIFY:
3036 dmarc_disable_verify = TRUE;
3037 break;
3038
3039 case CONTROL_DMARC_FORENSIC:
3040 dmarc_enable_forensic = TRUE;
f7572e5a
TK		 3041 break;
3042 #endif
3043
13363eba
PP		 3044 case CONTROL_DSCP:
3045 if (*p == '/')
3046 {
3047 int fd, af, level, optname, value;
3048 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3049 a socket; we can accept that, we'll just debug-log failures anyway. */
3050 fd = fileno(smtp_in);
3051 af = ip_get_address_family(fd);
3052 if (af < 0)
3053 {
3054 HDEBUG(D_acl)
3055 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3056 strerror(errno));
3057 break;
3058 }
3059 if (dscp_lookup(p+1, af, &level, &optname, &value))
3060 {
3061 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3062 {
3063 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3064 p+1, strerror(errno));
3065 }
3066 else
3067 {
3068 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3069 }
3070 }
3071 else
3072 {
3073 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3074 return ERROR;
3075 }
3076 }
3077 else
3078 {
3079 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3080 return ERROR;
3081 }
3082 break;
3083
059ec3d9
PH		 3084 case CONTROL_ERROR:
3085 return ERROR;
3086
3087 case CONTROL_CASEFUL_LOCAL_PART:
3088 deliver_localpart = addr->cc_local_part;
3089 break;
3090
3091 case CONTROL_CASELOWER_LOCAL_PART:
3092 deliver_localpart = addr->lc_local_part;
3093 break;
3094
3095 case CONTROL_ENFORCE_SYNC:
3096 smtp_enforce_sync = TRUE;
3097 break;
3098
3099 case CONTROL_NO_ENFORCE_SYNC:
3100 smtp_enforce_sync = FALSE;
3101 break;
3102
c46782ef 3103 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3104 case CONTROL_NO_MBOX_UNSPOOL:
3105 no_mbox_unspool = TRUE;
3106 break;
c46782ef 3107 #endif
8523533c 3108
059ec3d9
PH		 3109 case CONTROL_NO_MULTILINE:
3110 no_multiline_responses = TRUE;
3111 break;
3112
cf8b11a5
PH		 3113 case CONTROL_NO_PIPELINING:
3114 pipelining_enable = FALSE;
3115 break;
3116
047bdd8c
PH		 3117 case CONTROL_NO_DELAY_FLUSH:
3118 disable_delay_flush = TRUE;
3119 break;
3120
4c590bd1
PH		 3121 case CONTROL_NO_CALLOUT_FLUSH:
3122 disable_callout_flush = TRUE;
3123 break;
3124
29aba418 3125 case CONTROL_FAKEDEFER:
8523533c 3126 case CONTROL_FAKEREJECT:
29aba418 3127 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 3128 if (*p == '/')
8e669ac1 3129 {
8523533c 3130 uschar *pp = p + 1;
8e669ac1 3131 while (*pp != 0) pp++;
29aba418 3132 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 3133 p = pp;
3134 }
3135 else
3136 {
3137 /* Explicitly reset to default string */
29aba418 3138 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 3139 }
3140 break;
8523533c 3141
059ec3d9
PH		 3142 case CONTROL_FREEZE:
3143 deliver_freeze = TRUE;
3144 deliver_frozen_at = time(NULL);
6a3f1455
PH		 3145 freeze_tell = freeze_tell_config; /* Reset to configured value */
3146 if (Ustrncmp(p, "/no_tell", 8) == 0)
3147 {
3148 p += 8;
3149 freeze_tell = NULL;
3150 }
3151 if (*p != 0)
3152 {
3153 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3154 return ERROR;
3155 }
059ec3d9
PH		 3156 break;
3157
3158 case CONTROL_QUEUE_ONLY:
3159 queue_only_policy = TRUE;
3160 break;
3161
3162 case CONTROL_SUBMISSION:
87ba3f5f 3163 originator_name = US"";
059ec3d9 3164 submission_mode = TRUE;
69358f02 3165 while (*p == '/')
8e669ac1 3166 {
69358f02
PH		 3167 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3168 {
3169 p += 14;
3170 active_local_sender_retain = TRUE;
8e669ac1
PH		 3171 active_local_from_check = FALSE;
3172 }
69358f02
PH		 3173 else if (Ustrncmp(p, "/domain=", 8) == 0)
3174 {
3175 uschar *pp = p + 8;
8e669ac1 3176 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 3177 submission_domain = string_copyn(p+8, pp-p-8);
3178 p = pp;
3179 }
8857ccfd
PH		 3180 /* The name= option must be last, because it swallows the rest of
3181 the string. */
87ba3f5f
PH		 3182 else if (Ustrncmp(p, "/name=", 6) == 0)
3183 {
3184 uschar *pp = p + 6;
8857ccfd 3185 while (*pp != 0) pp++;
2fe1a124 3186 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3187 big_buffer, big_buffer_size));
8e669ac1 3188 p = pp;
69358f02 3189 }
8e669ac1
PH		 3190 else break;
3191 }
69358f02 3192 if (*p != 0)
059ec3d9 3193 {
69358f02 3194 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3195 return ERROR;
3196 }
3197 break;
8800895a 3198
ed7f7860
PP		 3199 case CONTROL_DEBUG:
3200 while (*p == '/')
3201 {
3202 if (Ustrncmp(p, "/tag=", 5) == 0)
3203 {
3204 uschar *pp = p + 5;
3205 while (*pp != '\0' && *pp != '/') pp++;
3206 debug_tag = string_copyn(p+5, pp-p-5);
3207 p = pp;
3208 }
3209 else if (Ustrncmp(p, "/opts=", 6) == 0)
3210 {
3211 uschar *pp = p + 6;
3212 while (*pp != '\0' && *pp != '/') pp++;
3213 debug_opts = string_copyn(p+6, pp-p-6);
3214 p = pp;
3215 }
3216 }
3217 debug_logging_activate(debug_tag, debug_opts);
3218 break;
3219
8800895a
PH		 3220 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3221 suppress_local_fixups = TRUE;
3222 break;
e4bdf652
JH		 3223
3224 case CONTROL_CUTTHROUGH_DELIVERY:
3225 if (deliver_freeze)
3226 {
3227 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3228 return ERROR;
3229 }
3230 if (queue_only_policy)
3231 {
3232 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3233 return ERROR;
3234 }
3235 cutthrough_delivery = TRUE;
3236 break;
059ec3d9
PH		 3237 }
3238 break;
3239
6a8f9482
TK		 3240 #ifdef EXPERIMENTAL_DCC
3241 case ACLC_DCC:
3242 {
3243 /* Seperate the regular expression and any optional parameters. */
3244 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3245 /* Run the dcc backend. */
3246 rc = dcc_process(&ss);
3247 /* Modify return code based upon the existance of options. */
3248 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3249 != NULL) {
3250 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3251 {
3252 /* FAIL so that the message is passed to the next ACL */
3253 rc = FAIL;
3254 }
3255 }
3256 }
3257 break;
3258 #endif
3259
71fafd95 3260 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3261 case ACLC_DECODE:
3262 rc = mime_decode(&arg);
3263 break;
71fafd95 3264 #endif
8523533c 3265
059ec3d9
PH		 3266 case ACLC_DELAY:
3267 {
3268 int delay = readconf_readtime(arg, 0, FALSE);
3269 if (delay < 0)
3270 {
3271 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3272 "modifier: \"%s\" is not a time value", arg);
3273 return ERROR;
3274 }
3275 else
3276 {
3277 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3278 delay);
3279 if (host_checking)
3280 {
3281 HDEBUG(D_acl)
3282 debug_printf("delay skipped in -bh checking mode\n");
3283 }
010c2d14
PH		 3284
3285 /* It appears to be impossible to detect that a TCP/IP connection has
3286 gone away without reading from it. This means that we cannot shorten
3287 the delay below if the client goes away, because we cannot discover
3288 that the client has closed its end of the connection. (The connection
3289 is actually in a half-closed state, waiting for the server to close its
3290 end.) It would be nice to be able to detect this state, so that the
3291 Exim process is not held up unnecessarily. However, it seems that we
3292 can't. The poll() function does not do the right thing, and in any case
3293 it is not always available.
3294
047bdd8c 3295 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3296 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3297 Also, delays may be specified for non-SMTP input, where smtp_out and
3298 smtp_in will be NULL. Whatever is done must work in all cases.
3299
3300 NOTE 2: The added feature of flushing the output before a delay must
3301 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3302 */
010c2d14 3303
8e669ac1 3304 else
86b8287f 3305 {
14f4a80d 3306 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3307 while (delay > 0) delay = sleep(delay);
8e669ac1 3308 }
059ec3d9
PH		 3309 }
3310 }
3311 break;
3312
71fafd95 3313 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3314 case ACLC_DEMIME:
3315 rc = demime(&arg);
3316 break;
71fafd95 3317 #endif
8523533c 3318
80a47a2c
TK		 3319 #ifndef DISABLE_DKIM
3320 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3321 if (dkim_cur_signer != NULL)
3322 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3323 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3324 else
80a47a2c 3325 rc = FAIL;
71fafd95
PH		 3326 break;
3327
80a47a2c
TK		 3328 case ACLC_DKIM_STATUS:
3329 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3330 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3331 break;
3332 #endif
fb2274d4 3333
4840604e
TL		 3334 #ifdef EXPERIMENTAL_DMARC
3335 case ACLC_DMARC_STATUS:
4a8ce2d8 3336 if (!dmarc_has_been_checked)
4840604e 3337 dmarc_process();
4a8ce2d8 3338 dmarc_has_been_checked = TRUE;
4840604e
TL		 3339 /* used long way of dmarc_exim_expand_query() in case we need more
3340 * view into the process in the future. */
3341 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3342 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3343 break;
3344 #endif
3345
059ec3d9
PH		 3346 case ACLC_DNSLISTS:
3347 rc = verify_check_dnsbl(&arg);
3348 break;
3349
3350 case ACLC_DOMAINS:
3351 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3352 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3353 break;
3354
3355 /* The value in tls_cipher is the full cipher name, for example,
3356 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3357 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3358 what may in practice come out of the SSL library - which at the time of
3359 writing is poorly documented. */
3360
3361 case ACLC_ENCRYPTED:
817d9f57 3362 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3363 {
3364 uschar *endcipher = NULL;
817d9f57
JH		 3365 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3366 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3367 {
3368 endcipher = Ustrchr(++cipher, ':');
3369 if (endcipher != NULL) *endcipher = 0;
3370 }
3371 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3372 if (endcipher != NULL) *endcipher = ':';
3373 }
3374 break;
3375
3376 /* Use verify_check_this_host() instead of verify_check_host() so that
3377 we can pass over &host_data to catch any looked up data. Once it has been
3378 set, it retains its value so that it's still there if another ACL verb
3379 comes through here and uses the cache. However, we must put it into
3380 permanent store in case it is also expected to be used in a subsequent
3381 message in the same SMTP connection. */
3382
3383 case ACLC_HOSTS:
3384 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3385 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3386 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3387 break;
3388
3389 case ACLC_LOCAL_PARTS:
3390 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3391 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3392 &deliver_localpart_data);
3393 break;
3394
6ea85e9a
PH		 3395 case ACLC_LOG_REJECT_TARGET:
3396 {
3397 int logbits = 0;
3398 int sep = 0;
3399 uschar *s = arg;
3400 uschar *ss;
3401 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3402 != NULL)
3403 {
3404 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3405 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3406 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3407 else
3408 {
3409 logbits |= LOG_MAIN|LOG_REJECT;
3410 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3411 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3412 }
3413 }
3414 log_reject_target = logbits;
3415 }
3416 break;
3417
059ec3d9
PH		 3418 case ACLC_LOGWRITE:
3419 {
3420 int logbits = 0;
3421 uschar *s = arg;
3422 if (*s == ':')
3423 {
3424 s++;
3425 while (*s != ':')
3426 {
3427 if (Ustrncmp(s, "main", 4) == 0)
3428 { logbits |= LOG_MAIN; s += 4; }
3429 else if (Ustrncmp(s, "panic", 5) == 0)
3430 { logbits |= LOG_PANIC; s += 5; }
3431 else if (Ustrncmp(s, "reject", 6) == 0)
3432 { logbits |= LOG_REJECT; s += 6; }
3433 else
3434 {
3435 logbits = LOG_MAIN|LOG_PANIC;
3436 s = string_sprintf(":unknown log name in \"%s\" in "
3437 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3438 }
3439 if (*s == ',') s++;
3440 }
3441 s++;
3442 }
3443 while (isspace(*s)) s++;
6ea85e9a
PH		 3444
3445
059ec3d9
PH		 3446 if (logbits == 0) logbits = LOG_MAIN;
3447 log_write(0, logbits, "%s", string_printing(s));
3448 }
3449 break;
8e669ac1 3450
71fafd95 3451 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3452 case ACLC_MALWARE:
3453 {
6ea85e9a 3454 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3455 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3456 /* Run the malware backend. */
3457 rc = malware(&ss);
3458 /* Modify return code based upon the existance of options. */
3459 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3460 != NULL) {
3461 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3462 {
3463 /* FAIL so that the message is passed to the next ACL */
3464 rc = FAIL;
3465 }
3466 }
3467 }
3468 break;
3469
3470 case ACLC_MIME_REGEX:
71fafd95 3471 rc = mime_regex(&arg);
8523533c 3472 break;
71fafd95 3473 #endif
059ec3d9 3474
870f6ba8 3475 case ACLC_RATELIMIT:
90fc3069 3476 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3477 break;
3478
059ec3d9
PH		 3479 case ACLC_RECIPIENTS:
3480 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3481 &recipient_data);
3482 break;
3483
71fafd95
PH		 3484 #ifdef WITH_CONTENT_SCAN
3485 case ACLC_REGEX:
3486 rc = regex(&arg);
8523533c 3487 break;
71fafd95 3488 #endif
8523533c 3489
e7568d51
TL		 3490 case ACLC_REMOVE_HEADER:
3491 setup_remove_header(arg);
3492 break;
3493
059ec3d9
PH		 3494 case ACLC_SENDER_DOMAINS:
3495 {
3496 uschar *sdomain;
3497 sdomain = Ustrrchr(sender_address, '@');
3498 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3499 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3500 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3501 }
3502 break;
3503
3504 case ACLC_SENDERS:
3505 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3506 sender_address_cache, -1, 0, &sender_data);
3507 break;
3508
3509 /* Connection variables must persist forever */
3510
3511 case ACLC_SET:
3512 {
3513 int old_pool = store_pool;
38a0a95f
PH		 3514 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3515 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3516 store_pool = old_pool;
3517 }
3518 break;
3519
71fafd95 3520 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3521 case ACLC_SPAM:
3522 {
3523 /* Seperate the regular expression and any optional parameters. */
3524 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3525 /* Run the spam backend. */
3526 rc = spam(&ss);
3527 /* Modify return code based upon the existance of options. */
3528 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3529 != NULL) {
3530 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3531 {
3532 /* FAIL so that the message is passed to the next ACL */
3533 rc = FAIL;
3534 }
3535 }
3536 }
3537 break;
71fafd95 3538 #endif
8523533c 3539
71fafd95 3540 #ifdef EXPERIMENTAL_SPF
8523533c 3541 case ACLC_SPF:
65a7d8c3
NM		 3542 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3543 break;
3544 case ACLC_SPF_GUESS:
3545 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3546 break;
71fafd95 3547 #endif
8523533c 3548
059ec3d9
PH		 3549 /* If the verb is WARN, discard any user message from verification, because
3550 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3551 only from explicit "message" modifiers. However, put the user message into
3552 $acl_verify_message so it can be used in subsequent conditions or modifiers
3553 (until something changes it). */
059ec3d9
PH		 3554
3555 case ACLC_VERIFY:
3556 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3557 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3558 if (verb == ACL_WARN) *user_msgptr = NULL;
3559 break;
3560
3561 default:
3562 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3563 "condition %d", cb->type);
3564 break;
3565 }
3566
3567 /* If a condition was negated, invert OK/FAIL. */
3568
3569 if (!cond_modifiers[cb->type] && cb->u.negated)
3570 {
3571 if (rc == OK) rc = FAIL;
3572 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3573 }
3574
3575 if (rc != OK) break; /* Conditions loop */
3576 }
3577
3578
3579/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3580handle the values of these modifiers. If there isn't a log message set, we make
3581it the same as the user message.
059ec3d9
PH		 3582
3583"message" is a user message that will be included in an SMTP response. Unless
3584it is empty, it overrides any previously set user message.
3585
3586"log_message" is a non-user message, and it adds to any existing non-user
3587message that is already set.
3588
4e88a19f
PH		 3589Most verbs have but a single return for which the messages are relevant, but
3590for "discard", it's useful to have the log message both when it succeeds and
3591when it fails. For "accept", the message is used in the OK case if there is no
3592"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3593present. */
059ec3d9 3594
4e88a19f
PH		 3595if (*epp && rc == OK) user_message = NULL;
3596
3597if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3598 {
3599 uschar *expmessage;
4e88a19f
PH		 3600 uschar *old_user_msgptr = *user_msgptr;
3601 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3602
3603 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3604 nested ACLs) are always discarded. This also happens for acceptance verbs
3605 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3606 However, the value of an existing message is available in $acl_verify_message
3607 during expansions. */
3608
4e88a19f
PH		 3609 if (verb == ACL_WARN ||
3610 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3611 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3612
3613 if (user_message != NULL)
3614 {
3615 acl_verify_message = old_user_msgptr;
3616 expmessage = expand_string(user_message);
3617 if (expmessage == NULL)
3618 {
3619 if (!expand_string_forcedfail)
3620 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3621 user_message, expand_string_message);
3622 }
3623 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3624 }
3625
3626 if (log_message != NULL)
3627 {
3628 acl_verify_message = old_log_msgptr;
3629 expmessage = expand_string(log_message);
3630 if (expmessage == NULL)
3631 {
3632 if (!expand_string_forcedfail)
3633 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3634 log_message, expand_string_message);
3635 }
3636 else if (expmessage[0] != 0)
3637 {
3638 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3639 string_sprintf("%s: %s", expmessage, *log_msgptr);
3640 }
3641 }
3642
3643 /* If no log message, default it to the user message */
3644
3645 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3646 }
3647
3648acl_verify_message = NULL;
3649return rc;
3650}
3651
3652
3653
3654
3655
3656/*************************************************
3657* Get line from a literal ACL *
3658*************************************************/
3659
3660/* This function is passed to acl_read() in order to extract individual lines
3661of a literal ACL, which we access via static pointers. We can destroy the
3662contents because this is called only once (the compiled ACL is remembered).
3663
3664This code is intended to treat the data in the same way as lines in the main
3665Exim configuration file. That is:
3666
3667 . Leading spaces are ignored.
3668
3669 . A \ at the end of a line is a continuation - trailing spaces after the \
3670 are permitted (this is because I don't believe in making invisible things
3671 significant). Leading spaces on the continued part of a line are ignored.
3672
3673 . Physical lines starting (significantly) with # are totally ignored, and
3674 may appear within a sequence of backslash-continued lines.
3675
3676 . Blank lines are ignored, but will end a sequence of continuations.
3677
3678Arguments: none
3679Returns: a pointer to the next line
3680*/
3681
3682
3683static uschar *acl_text; /* Current pointer in the text */
3684static uschar *acl_text_end; /* Points one past the terminating '0' */
3685
3686
3687static uschar *
3688acl_getline(void)
3689{
3690uschar *yield;
3691
3692/* This loop handles leading blank lines and comments. */
3693
3694for(;;)
3695 {
3696 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3697 if (*acl_text == 0) return NULL; /* No more data */
3698 yield = acl_text; /* Potential data line */
3699
3700 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3701
3702 /* If we hit the end before a newline, we have the whole logical line. If
3703 it's a comment, there's no more data to be given. Otherwise, yield it. */
3704
3705 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3706
3707 /* After reaching a newline, end this loop if the physical line does not
3708 start with '#'. If it does, it's a comment, and the loop continues. */
3709
3710 if (*yield != '#') break;
3711 }
3712
3713/* This loop handles continuations. We know we have some real data, ending in
3714newline. See if there is a continuation marker at the end (ignoring trailing
3715white space). We know that *yield is not white space, so no need to test for
3716cont > yield in the backwards scanning loop. */
3717
3718for(;;)
3719 {
3720 uschar *cont;
3721 for (cont = acl_text - 1; isspace(*cont); cont--);
3722
3723 /* If no continuation follows, we are done. Mark the end of the line and
3724 return it. */
3725
3726 if (*cont != '\\')
3727 {
3728 *acl_text++ = 0;
3729 return yield;
3730 }
3731
3732 /* We have encountered a continuation. Skip over whitespace at the start of
3733 the next line, and indeed the whole of the next line or lines if they are
3734 comment lines. */
3735
3736 for (;;)
3737 {
3738 while (*(++acl_text) == ' ' || *acl_text == '\t');
3739 if (*acl_text != '#') break;
3740 while (*(++acl_text) != 0 && *acl_text != '\n');
3741 }
3742
3743 /* We have the start of a continuation line. Move all the rest of the data
3744 to join onto the previous line, and then find its end. If the end is not a
3745 newline, we are done. Otherwise loop to look for another continuation. */
3746
3747 memmove(cont, acl_text, acl_text_end - acl_text);
3748 acl_text_end -= acl_text - cont;
3749 acl_text = cont;
3750 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3751 if (*acl_text == 0) return yield;
3752 }
3753
3754/* Control does not reach here */
3755}
3756
3757
3758
3759
3760
3761/*************************************************
3762* Check access using an ACL *
3763*************************************************/
3764
3765/* This function is called from address_check. It may recurse via
3766acl_check_condition() - hence the use of a level to stop looping. The ACL is
3767passed as a string which is expanded. A forced failure implies no access check
3768is required. If the result is a single word, it is taken as the name of an ACL
3769which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3770text, complete with newlines, and parsed as such. In both cases, the ACL check
3771is then run. This function uses an auxiliary function for acl_read() to call
3772for reading individual lines of a literal ACL. This is acl_getline(), which
3773appears immediately above.
3774
3775Arguments:
3776 where where called from
3777 addr address item when called from RCPT; otherwise NULL
3778 s the input string; NULL is the same as an empty ACL => DENY
3779 level the nesting level
3780 user_msgptr where to put a user error (for SMTP response)
3781 log_msgptr where to put a logging message (not for SMTP response)
3782
3783Returns: OK access is granted
3784 DISCARD access is apparently granted...
3785 FAIL access is denied
3786 FAIL_DROP access is denied; drop the connection
3787 DEFER can't tell at the moment
3788 ERROR disaster
3789*/
3790
3791static int
3792acl_check_internal(int where, address_item *addr, uschar *s, int level,
3793 uschar **user_msgptr, uschar **log_msgptr)
3794{
3795int fd = -1;
3796acl_block *acl = NULL;
3797uschar *acl_name = US"inline ACL";
3798uschar *ss;
3799
3800/* Catch configuration loops */
3801
3802if (level > 20)
3803 {
3804 *log_msgptr = US"ACL nested too deep: possible loop";
3805 return ERROR;
3806 }
3807
3808if (s == NULL)
3809 {
3810 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3811 return FAIL;
3812 }
3813
3814/* At top level, we expand the incoming string. At lower levels, it has already
3815been expanded as part of condition processing. */
3816
3817if (level == 0)
3818 {
3819 ss = expand_string(s);
3820 if (ss == NULL)
3821 {
3822 if (expand_string_forcedfail) return OK;
3823 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3824 expand_string_message);
3825 return ERROR;
3826 }
3827 }
3828else ss = s;
3829
3830while (isspace(*ss))ss++;
3831
3832/* If we can't find a named ACL, the default is to parse it as an inline one.
3833(Unless it begins with a slash; non-existent files give rise to an error.) */
3834
3835acl_text = ss;
3836
3837/* Handle the case of a string that does not contain any spaces. Look for a
3838named ACL among those read from the configuration, or a previously read file.
3839It is possible that the pointer to the ACL is NULL if the configuration
3840contains a name with no data. If not found, and the text begins with '/',
3841read an ACL from a file, and save it so it can be re-used. */
3842
3843if (Ustrchr(ss, ' ') == NULL)
3844 {
3845 tree_node *t = tree_search(acl_anchor, ss);
3846 if (t != NULL)
3847 {
3848 acl = (acl_block *)(t->data.ptr);
3849 if (acl == NULL)
3850 {
3851 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3852 return FAIL;
3853 }
3854 acl_name = string_sprintf("ACL \"%s\"", ss);
3855 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3856 }
3857
3858 else if (*ss == '/')
3859 {
3860 struct stat statbuf;
3861 fd = Uopen(ss, O_RDONLY, 0);
3862 if (fd < 0)
3863 {
3864 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3865 strerror(errno));
3866 return ERROR;
3867 }
3868
3869 if (fstat(fd, &statbuf) != 0)
3870 {
3871 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3872 strerror(errno));
3873 return ERROR;
3874 }
3875
3876 acl_text = store_get(statbuf.st_size + 1);
3877 acl_text_end = acl_text + statbuf.st_size + 1;
3878
3879 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3880 {
3881 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3882 ss, strerror(errno));
3883 return ERROR;
3884 }
3885 acl_text[statbuf.st_size] = 0;
f1e894f3 3886 (void)close(fd);
059ec3d9
PH		 3887
3888 acl_name = string_sprintf("ACL \"%s\"", ss);
3889 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3890 }
3891 }
3892
3893/* Parse an ACL that is still in text form. If it came from a file, remember it
3894in the ACL tree, having read it into the POOL_PERM store pool so that it
3895persists between multiple messages. */
3896
3897if (acl == NULL)
3898 {
3899 int old_pool = store_pool;
3900 if (fd >= 0) store_pool = POOL_PERM;
3901 acl = acl_read(acl_getline, log_msgptr);
3902 store_pool = old_pool;
3903 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3904 if (fd >= 0)
3905 {
3906 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3907 Ustrcpy(t->name, ss);
3908 t->data.ptr = acl;
3909 (void)tree_insertnode(&acl_anchor, t);
3910 }
3911 }
3912
3913/* Now we have an ACL to use. It's possible it may be NULL. */
3914
3915while (acl != NULL)
3916 {
3917 int cond;
3918 int basic_errno = 0;
3919 BOOL endpass_seen = FALSE;
3920
3921 *log_msgptr = *user_msgptr = NULL;
3922 acl_temp_details = FALSE;
3923
7353285c 3924 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3925 acl->verb != ACL_ACCEPT &&
3926 acl->verb != ACL_WARN)
3927 {
7353285c 3928 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3929 verbs[acl->verb]);
3930 return ERROR;
3931 }
3932
3933 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3934
3935 /* Clear out any search error message from a previous check before testing
3936 this condition. */
3937
3938 search_error_message = NULL;
3939 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3940 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3941
3942 /* Handle special returns: DEFER causes a return except on a WARN verb;
3943 ERROR always causes a return. */
3944
3945 switch (cond)
3946 {
3947 case DEFER:
6968512f 3948 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3949 if (basic_errno != ERRNO_CALLOUTDEFER)
3950 {
3951 if (search_error_message != NULL && *search_error_message != 0)
3952 *log_msgptr = search_error_message;
3953 if (smtp_return_error_details) acl_temp_details = TRUE;
3954 }
3955 else
3956 {
3957 acl_temp_details = TRUE;
3958 }
3959 if (acl->verb != ACL_WARN) return DEFER;
3960 break;
3961
3962 default: /* Paranoia */
3963 case ERROR:
6968512f 3964 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3965 return ERROR;
3966
3967 case OK:
6968512f
JH		 3968 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3969 verbs[acl->verb], acl_name);
059ec3d9
PH		 3970 break;
3971
3972 case FAIL:
6968512f 3973 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3974 break;
3975
3976 /* DISCARD and DROP can happen only from a nested ACL condition, and
3977 DISCARD can happen only for an "accept" or "discard" verb. */
3978
3979 case DISCARD:
6968512f
JH		 3980 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3981 verbs[acl->verb], acl_name);
059ec3d9
PH		 3982 break;
3983
3984 case FAIL_DROP:
6968512f
JH		 3985 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3986 verbs[acl->verb], acl_name);
059ec3d9
PH		 3987 break;
3988 }
3989
3990 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3991 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3992 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3993
3994 switch(acl->verb)
3995 {
3996 case ACL_ACCEPT:
3997 if (cond == OK || cond == DISCARD) return cond;
3998 if (endpass_seen)
3999 {
4000 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
4001 return cond;
4002 }
4003 break;
4004
4005 case ACL_DEFER:
4006 if (cond == OK)
4007 {
4008 acl_temp_details = TRUE;
4009 return DEFER;
4010 }
4011 break;
4012
4013 case ACL_DENY:
4014 if (cond == OK) return FAIL;
4015 break;
4016
4017 case ACL_DISCARD:
4018 if (cond == OK || cond == DISCARD) return DISCARD;
4019 if (endpass_seen)
4020 {
4021 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
4022 return cond;
4023 }
4024 break;
4025
4026 case ACL_DROP:
4027 if (cond == OK) return FAIL_DROP;
4028 break;
4029
4030 case ACL_REQUIRE:
4031 if (cond != OK) return cond;
4032 break;
4033
4034 case ACL_WARN:
4035 if (cond == OK)
4036 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 4037 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 4038 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4039 "condition test deferred%s%s", host_and_ident(TRUE),
4040 (*log_msgptr == NULL)? US"" : US": ",
4041 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 4042 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4043 break;
4044
4045 default:
4046 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4047 acl->verb);
4048 break;
4049 }
4050
4051 /* Pass to the next ACL item */
4052
4053 acl = acl->next;
4054 }
4055
4056/* We have reached the end of the ACL. This is an implicit DENY. */
4057
4058HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
4059return FAIL;
4060}
4061
4062
333eea9c
JH		 4063
4064
4065/* Same args as acl_check_internal() above, but the string s is
4066the name of an ACL followed optionally by up to 9 space-separated arguments.
4067The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8
JH		 4068static int
4069acl_check_wargs(int where, address_item *addr, uschar *s, int level,
333eea9c
JH		 4070 uschar **user_msgptr, uschar **log_msgptr)
4071{
4072uschar * tmp;
bef3ea7f 4073uschar * tmp_arg[9]; /* must match acl_arg[] */
ef21c07d
JH		 4074uschar * sav_arg[9]; /* must match acl_arg[] */
4075int sav_narg;
333eea9c 4076uschar * name;
bef3ea7f 4077int i;
ef21c07d 4078int ret;
333eea9c
JH		 4079
4080if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4081 goto bad;
4082
bef3ea7f 4083for (i = 0; i < 9; i++)
333eea9c
JH		 4084 {
4085 while (*s && isspace(*s)) s++;
4086 if (!*s) break;
bef3ea7f 4087 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 4088 {
4089 tmp = name;
4090 goto bad;
4091 }
4092 }
ef21c07d
JH		 4093
4094sav_narg = acl_narg;
bef3ea7f 4095acl_narg = i;
ef21c07d
JH		 4096for (i = 0; i < acl_narg; i++)
4097 {
4098 sav_arg[i] = acl_arg[i];
4099 acl_arg[i] = tmp_arg[i];
4100 }
4101while (i < 9)
4102 {
4103 sav_arg[i] = acl_arg[i];
4104 acl_arg[i++] = NULL;
4105 }
4106
4107ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c 4108
ef21c07d
JH		 4109acl_narg = sav_narg;
4110for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4111return ret;
333eea9c
JH		 4112
4113bad:
4114if (expand_string_forcedfail) return ERROR;
4115*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4116 tmp, expand_string_message);
4117return search_find_defer?DEFER:ERROR;
4118}
4119
4120
4121
059ec3d9
PH		 4122/*************************************************
4123* Check access using an ACL *
4124*************************************************/
4125
faa05a93
JH		 4126/* Alternate interface for ACL, used by expansions */
4127int
05caaeaa 4128acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
faa05a93 4129{
faa05a93
JH		 4130address_item adb;
4131address_item *addr = NULL;
4132
4133*user_msgptr = *log_msgptr = NULL;
4134sender_verified_failed = NULL;
4135ratelimiters_cmd = NULL;
4136log_reject_target = LOG_MAIN|LOG_REJECT;
4137
4138if (where == ACL_WHERE_RCPT)
4139 {
4140 adb = address_defaults;
4141 addr = &adb;
05caaeaa
JH		 4142 addr->address = expand_string(US"$local_part@$domain");
4143 addr->domain = deliver_domain;
4144 addr->local_part = deliver_localpart;
4145 addr->cc_local_part = deliver_localpart;
4146 addr->lc_local_part = deliver_localpart;
faa05a93
JH		 4147 }
4148
4149return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4150}
4151
4152
4153
059ec3d9
PH		 4154/* This is the external interface for ACL checks. It sets up an address and the
4155expansions for $domain and $local_part when called after RCPT, then calls
4156acl_check_internal() to do the actual work.
4157
4158Arguments:
4159 where ACL_WHERE_xxxx indicating where called from
64ffc24f 4160 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 4161 s the input string; NULL is the same as an empty ACL => DENY
4162 user_msgptr where to put a user error (for SMTP response)
4163 log_msgptr where to put a logging message (not for SMTP response)
4164
4165Returns: OK access is granted by an ACCEPT verb
4166 DISCARD access is granted by a DISCARD verb
4167 FAIL access is denied
4168 FAIL_DROP access is denied; drop the connection
4169 DEFER can't tell at the moment
4170 ERROR disaster
4171*/
faa05a93 4172int acl_where = ACL_WHERE_UNKNOWN;
059ec3d9
PH		 4173
4174int
64ffc24f 4175acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 4176 uschar **log_msgptr)
4177{
4178int rc;
4179address_item adb;
64ffc24f 4180address_item *addr = NULL;
059ec3d9
PH		 4181
4182*user_msgptr = *log_msgptr = NULL;
4183sender_verified_failed = NULL;
fe0dab11 4184ratelimiters_cmd = NULL;
6ea85e9a 4185log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9 4186
fd98a5c6
JH		 4187#ifdef EXPERIMENTAL_PRDR
4188if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
4189#else
4190if (where == ACL_WHERE_RCPT )
4191#endif
059ec3d9
PH		 4192 {
4193 adb = address_defaults;
4194 addr = &adb;
64ffc24f 4195 addr->address = recipient;
059ec3d9
PH		 4196 if (deliver_split_address(addr) == DEFER)
4197 {
4198 *log_msgptr = US"defer in percent_hack_domains check";
4199 return DEFER;
4200 }
4201 deliver_domain = addr->domain;
4202 deliver_localpart = addr->local_part;
4203 }
059ec3d9 4204
faa05a93 4205acl_where = where;
059ec3d9 4206rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
faa05a93 4207acl_where = ACL_WHERE_UNKNOWN;
059ec3d9 4208
817d9f57
JH		 4209/* Cutthrough - if requested,
4210and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4211and rcpt acl returned accept,
4212and first recipient (cancel on any subsequents)
e4bdf652 4213open one now and run it up to RCPT acceptance.
e4bdf652 4214A failed verify should cancel cutthrough request.
e4bdf652 4215
817d9f57 4216Initial implementation: dual-write to spool.
e4bdf652
JH		 4217Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4218
4219Cease cutthrough copy on rxd final dot; do not send one.
4220
4221On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4222
4223On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4224perm-rejected, reflect that to the original sender - and dump the spooled copy.
4225If temp-reject, close the conn (and keep the spooled copy).
4226If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4227*/
4228switch (where)
4229{
4230case ACL_WHERE_RCPT:
fd98a5c6
JH		 4231#ifdef EXPERIMENTAL_PRDR
4232case ACL_WHERE_PRDR:
4233#endif
e4bdf652 4234 if( rcpt_count > 1 )
2e5b33cd 4235 cancel_cutthrough_connection("more than one recipient");
e4bdf652
JH		 4236 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4237 open_cutthrough_connection(addr);
4238 break;
4239
4240case ACL_WHERE_PREDATA:
4241 if( rc == OK )
4242 cutthrough_predata();
4243 else
2e5b33cd 4244 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 4245 break;
4246
4247case ACL_WHERE_QUIT:
4248case ACL_WHERE_NOTQUIT:
2e5b33cd 4249 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 4250 break;
4251
4252default:
4253 break;
4254}
4255
64ffc24f
PH		 4256deliver_domain = deliver_localpart = deliver_address_data =
4257 sender_address_data = NULL;
059ec3d9
PH		 4258
4259/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4260ACL, which is really in the middle of an SMTP command. */
4261
4262if (rc == DISCARD)
4263 {
4264 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4265 {
4266 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4267 "ACL", acl_wherenames[where]);
4268 return ERROR;
4269 }
4270 return DISCARD;
4271 }
4272
4273/* A DROP response is not permitted from MAILAUTH */
4274
4275if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4276 {
4277 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4278 "ACL", acl_wherenames[where]);
4279 return ERROR;
4280 }
4281
4e88a19f
PH		 4282/* Before giving a response, take a look at the length of any user message, and
4283split it up into multiple lines if possible. */
059ec3d9 4284
e28326d8
PH		 4285*user_msgptr = string_split_message(*user_msgptr);
4286if (fake_response != OK)
4287 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4288
4289return rc;
4290}
4291
38a0a95f 4292
38a0a95f
PH		 4293/*************************************************
4294* Create ACL variable *
4295*************************************************/
4296
4297/* Create an ACL variable or reuse an existing one. ACL variables are in a
4298binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4299
4300Argument:
4301 name pointer to the variable's name, starting with c or m
4302
4303Returns the pointer to variable's tree node
4304*/
4305
4306tree_node *
4307acl_var_create(uschar *name)
4308{
4309tree_node *node, **root;
4310root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4311node = tree_search(*root, name);
4312if (node == NULL)
4313 {
4314 node = store_get(sizeof(tree_node) + Ustrlen(name));
4315 Ustrcpy(node->name, name);
4316 (void)tree_insertnode(root, node);
4317 }
4318node->data.ptr = NULL;
4319return node;
4320}
4321
4322
4323
4324/*************************************************
4325* Write an ACL variable in spool format *
4326*************************************************/
4327
4328/* This function is used as a callback for tree_walk when writing variables to
4329the spool file. To retain spool file compatibility, what is written is -aclc or
4330-aclm followed by the rest of the name and the data length, space separated,
4331then the value itself, starting on a new line, and terminated by an additional
4332newline. When we had only numbered ACL variables, the first line might look
4333like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4334acl_cfoo.
4335
4336Arguments:
4337 name of the variable
4338 value of the variable
4339 ctx FILE pointer (as a void pointer)
4340
4341Returns: nothing
4342*/
4343
4344void
4345acl_var_write(uschar *name, uschar *value, void *ctx)
4346{
4347FILE *f = (FILE *)ctx;
4348fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4349}
4350
059ec3d9 4351/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.