projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'acl-args' into acl
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
71fafd95
PH		 91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
8523533c 94#ifdef WITH_CONTENT_SCAN
8e669ac1 95 ACLC_SPAM,
8523533c
TK		 96#endif
97#ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
65a7d8c3 99 ACLC_SPF_GUESS,
8523533c
TK		 100#endif
101 ACLC_VERIFY };
059ec3d9 102
c3611384
PH		 103/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104"message", "log_message", "log_reject_target", "logwrite", and "set" are
105modifiers that look like conditions but always return TRUE. They are used for
106their side effects. */
059ec3d9 107
9a26b6b2
PH		 108static uschar *conditions[] = {
109 US"acl",
71fafd95 110 US"add_header",
9a26b6b2 111 US"authenticated",
8523533c
TK		 112#ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114#endif
115 US"condition",
c3611384 116 US"continue",
8e669ac1 117 US"control",
6a8f9482
TK		 118#ifdef EXPERIMENTAL_DCC
119 US"dcc",
120#endif
8523533c
TK		 121#ifdef WITH_CONTENT_SCAN
122 US"decode",
123#endif
124 US"delay",
125#ifdef WITH_OLD_DEMIME
126 US"demime",
fb2274d4 127#endif
80a47a2c
TK		 128#ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
8523533c 131#endif
6ea85e9a
PH		 132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
8523533c
TK		 141#ifdef WITH_CONTENT_SCAN
142 US"malware",
143#endif
144 US"message",
145#ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147#endif
870f6ba8 148 US"ratelimit",
8523533c
TK		 149 US"recipients",
150#ifdef WITH_CONTENT_SCAN
151 US"regex",
152#endif
153 US"sender_domains", US"senders", US"set",
154#ifdef WITH_CONTENT_SCAN
155 US"spam",
156#endif
157#ifdef EXPERIMENTAL_SPF
158 US"spf",
65a7d8c3 159 US"spf_guess",
8523533c 160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef 171 #endif
ed7f7860 172 CONTROL_DEBUG,
80a47a2c 173 #ifndef DISABLE_DKIM
f7572e5a
TK		 174 CONTROL_DKIM_VERIFY,
175 #endif
13363eba 176 CONTROL_DSCP,
c46782ef
PH		 177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 180 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 181 CONTROL_ENFORCE_SYNC,
182 CONTROL_NO_ENFORCE_SYNC,
183 CONTROL_FREEZE,
184 CONTROL_QUEUE_ONLY,
185 CONTROL_SUBMISSION,
186 CONTROL_SUPPRESS_LOCAL_FIXUPS,
187 #ifdef WITH_CONTENT_SCAN
9a26b6b2 188 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 189 #endif
190 CONTROL_FAKEDEFER,
191 CONTROL_FAKEREJECT,
cf8b11a5 192 CONTROL_NO_MULTILINE,
047bdd8c 193 CONTROL_NO_PIPELINING,
4c590bd1
PH		 194 CONTROL_NO_DELAY_FLUSH,
195 CONTROL_NO_CALLOUT_FLUSH
c46782ef 196};
9a26b6b2 197
8800895a
PH		 198/* ACL control names; keep in step with the table above! This list is used for
199turning ids into names. The actual list of recognized names is in the variable
200control_def controls_list[] below. The fact that there are two lists is a mess
201and should be tidied up. */
9a26b6b2
PH		 202
203static uschar *controls[] = {
c46782ef 204 US"allow_auth_unadvertised",
9a26b6b2
PH		 205 #ifdef EXPERIMENTAL_BRIGHTMAIL
206 US"bmi_run",
207 #endif
ed7f7860 208 US"debug",
80a47a2c
TK		 209 #ifndef DISABLE_DKIM
210 US"dkim_disable_verify",
f7572e5a 211 #endif
13363eba 212 US"dscp",
c46782ef
PH		 213 US"error",
214 US"caseful_local_part",
215 US"caselower_local_part",
e4bdf652 216 US"cutthrough_delivery",
c46782ef
PH		 217 US"enforce_sync",
218 US"no_enforce_sync",
219 US"freeze",
220 US"queue_only",
221 US"submission",
222 US"suppress_local_fixups",
9a26b6b2
PH		 223 #ifdef WITH_CONTENT_SCAN
224 US"no_mbox_unspool",
225 #endif
cf8b11a5
PH		 226 US"fakedefer",
227 US"fakereject",
aa6dc513 228 US"no_multiline_responses",
cf8b11a5 229 US"no_pipelining",
4c590bd1
PH		 230 US"no_delay_flush",
231 US"no_callout_flush"
c46782ef 232};
059ec3d9 233
047bdd8c 234/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 235at the outer level. In the other cases, expansion already occurs in the
236checking functions. */
237
238static uschar cond_expand_at_top[] = {
7421ecab 239 FALSE, /* acl */
3e536984 240 TRUE, /* add_header */
059ec3d9 241 FALSE, /* authenticated */
8523533c
TK		 242#ifdef EXPERIMENTAL_BRIGHTMAIL
243 TRUE, /* bmi_optin */
8e669ac1 244#endif
059ec3d9 245 TRUE, /* condition */
c3611384 246 TRUE, /* continue */
059ec3d9 247 TRUE, /* control */
6a8f9482
TK		 248#ifdef EXPERIMENTAL_DCC
249 TRUE, /* dcc */
250#endif
8523533c
TK		 251#ifdef WITH_CONTENT_SCAN
252 TRUE, /* decode */
253#endif
059ec3d9 254 TRUE, /* delay */
8523533c
TK		 255#ifdef WITH_OLD_DEMIME
256 TRUE, /* demime */
fb2274d4 257#endif
80a47a2c
TK		 258#ifndef DISABLE_DKIM
259 TRUE, /* dkim_signers */
260 TRUE, /* dkim_status */
8523533c 261#endif
059ec3d9
PH		 262 TRUE, /* dnslists */
263 FALSE, /* domains */
264 FALSE, /* encrypted */
265 TRUE, /* endpass */
266 FALSE, /* hosts */
267 FALSE, /* local_parts */
268 TRUE, /* log_message */
6ea85e9a 269 TRUE, /* log_reject_target */
059ec3d9 270 TRUE, /* logwrite */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 TRUE, /* malware */
273#endif
059ec3d9 274 TRUE, /* message */
8523533c
TK		 275#ifdef WITH_CONTENT_SCAN
276 TRUE, /* mime_regex */
277#endif
870f6ba8 278 TRUE, /* ratelimit */
059ec3d9 279 FALSE, /* recipients */
8523533c
TK		 280#ifdef WITH_CONTENT_SCAN
281 TRUE, /* regex */
282#endif
059ec3d9
PH		 283 FALSE, /* sender_domains */
284 FALSE, /* senders */
285 TRUE, /* set */
8523533c
TK		 286#ifdef WITH_CONTENT_SCAN
287 TRUE, /* spam */
288#endif
289#ifdef EXPERIMENTAL_SPF
290 TRUE, /* spf */
65a7d8c3 291 TRUE, /* spf_guess */
8523533c 292#endif
059ec3d9
PH		 293 TRUE /* verify */
294};
295
296/* Flags to identify the modifiers */
297
298static uschar cond_modifiers[] = {
299 FALSE, /* acl */
3e536984 300 TRUE, /* add_header */
059ec3d9 301 FALSE, /* authenticated */
8523533c
TK		 302#ifdef EXPERIMENTAL_BRIGHTMAIL
303 TRUE, /* bmi_optin */
8e669ac1 304#endif
059ec3d9 305 FALSE, /* condition */
c3611384 306 TRUE, /* continue */
059ec3d9 307 TRUE, /* control */
6a8f9482
TK		 308#ifdef EXPERIMENTAL_DCC
309 FALSE, /* dcc */
310#endif
8523533c
TK		 311#ifdef WITH_CONTENT_SCAN
312 FALSE, /* decode */
313#endif
059ec3d9 314 TRUE, /* delay */
8523533c
TK		 315#ifdef WITH_OLD_DEMIME
316 FALSE, /* demime */
fb2274d4 317#endif
80a47a2c
TK		 318#ifndef DISABLE_DKIM
319 FALSE, /* dkim_signers */
320 FALSE, /* dkim_status */
8523533c 321#endif
059ec3d9
PH		 322 FALSE, /* dnslists */
323 FALSE, /* domains */
324 FALSE, /* encrypted */
325 TRUE, /* endpass */
326 FALSE, /* hosts */
327 FALSE, /* local_parts */
328 TRUE, /* log_message */
6ea85e9a 329 TRUE, /* log_reject_target */
8523533c
TK		 330 TRUE, /* logwrite */
331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* malware */
333#endif
059ec3d9 334 TRUE, /* message */
8523533c
TK		 335#ifdef WITH_CONTENT_SCAN
336 FALSE, /* mime_regex */
337#endif
870f6ba8 338 FALSE, /* ratelimit */
059ec3d9 339 FALSE, /* recipients */
8523533c
TK		 340#ifdef WITH_CONTENT_SCAN
341 FALSE, /* regex */
342#endif
059ec3d9
PH		 343 FALSE, /* sender_domains */
344 FALSE, /* senders */
345 TRUE, /* set */
8523533c
TK		 346#ifdef WITH_CONTENT_SCAN
347 FALSE, /* spam */
348#endif
349#ifdef EXPERIMENTAL_SPF
350 FALSE, /* spf */
65a7d8c3 351 FALSE, /* spf_guess */
8523533c 352#endif
059ec3d9
PH		 353 FALSE /* verify */
354};
355
c3611384 356/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 357times. For each condition and modifier, there's a bitmap of dis-allowed times.
358For some, it is easier to specify the negation of a small number of allowed
359times. */
059ec3d9
PH		 360
361static unsigned int cond_forbids[] = {
362 0, /* acl */
8e669ac1 363
71fafd95 364 (unsigned int)
45b91596 365 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 366 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 367 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 368 (1<<ACL_WHERE_DKIM)|
45b91596 369 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 370
45b91596
PH		 371 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
372 (1<<ACL_WHERE_NOTSMTP_START)|
373 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 374
71fafd95 375 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 376 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 377 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
378 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 379 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 380 (1<<ACL_WHERE_MAILAUTH)|
381 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 382 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
383 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 384 #endif
8e669ac1 385
059ec3d9 386 0, /* condition */
8e669ac1 387
c3611384
PH		 388 0, /* continue */
389
059ec3d9 390 /* Certain types of control are always allowed, so we let it through
2f079f46 391 always and check in the control processing itself. */
8e669ac1 392
059ec3d9 393 0, /* control */
8e669ac1 394
6a8f9482
TK		 395 #ifdef EXPERIMENTAL_DCC
396 (unsigned int)
397 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
398 #endif
399
71fafd95 400 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 401 (unsigned int)
402 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 403 #endif
8523533c 404
8f128379 405 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 406
71fafd95 407 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 408 (unsigned int)
409 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 410 #endif
8e669ac1 411
80a47a2c
TK		 412 #ifndef DISABLE_DKIM
413 (unsigned int)
414 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 415
80a47a2c
TK		 416 (unsigned int)
417 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 418 #endif
fb2274d4 419
45b91596
PH		 420 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
421 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 422
2f079f46
PH		 423 (unsigned int)
424 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 425
45b91596
PH		 426 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
427 (1<<ACL_WHERE_CONNECT)|
428 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 429 (1<<ACL_WHERE_HELO),
8e669ac1 430
059ec3d9 431 0, /* endpass */
8e669ac1 432
45b91596
PH		 433 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
434 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 435
2f079f46
PH		 436 (unsigned int)
437 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 438
439 0, /* log_message */
8e669ac1 440
6ea85e9a
PH		 441 0, /* log_reject_target */
442
059ec3d9 443 0, /* logwrite */
8e669ac1 444
71fafd95 445 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 446 (unsigned int)
447 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 448 #endif
8523533c 449
059ec3d9
PH		 450 0, /* message */
451
71fafd95 452 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 453 (unsigned int)
454 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 455 #endif
8523533c 456
870f6ba8
TF		 457 0, /* ratelimit */
458
2f079f46
PH		 459 (unsigned int)
460 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 461
71fafd95 462 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 463 (unsigned int)
464 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
465 (1<<ACL_WHERE_MIME)),
71fafd95 466 #endif
8523533c 467
059ec3d9
PH		 468 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
469 (1<<ACL_WHERE_HELO)|
470 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
471 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
472 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
473
474 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
475 (1<<ACL_WHERE_HELO)|
476 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
477 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
478 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
479
480 0, /* set */
481
71fafd95 482 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 483 (unsigned int)
484 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 485 #endif
8523533c 486
71fafd95 487 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 488 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
489 (1<<ACL_WHERE_HELO)|
490 (1<<ACL_WHERE_MAILAUTH)|
491 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 492 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
493 (1<<ACL_WHERE_NOTSMTP)|
494 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 495
496 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
497 (1<<ACL_WHERE_HELO)|
498 (1<<ACL_WHERE_MAILAUTH)|
499 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
500 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
501 (1<<ACL_WHERE_NOTSMTP)|
502 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 503 #endif
8523533c 504
059ec3d9
PH		 505 /* Certain types of verify are always allowed, so we let it through
506 always and check in the verify function itself */
507
508 0 /* verify */
059ec3d9
PH		 509};
510
511
c5fcb476
PH		 512/* Bit map vector of which controls are not allowed at certain times. For
513each control, there's a bitmap of dis-allowed times. For some, it is easier to
514specify the negation of a small number of allowed times. */
515
516static unsigned int control_forbids[] = {
c46782ef
PH		 517 (unsigned int)
518 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
519
520 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 521 0, /* bmi_run */
c46782ef
PH		 522 #endif
523
ed7f7860
PP		 524 0, /* debug */
525
80a47a2c
TK		 526 #ifndef DISABLE_DKIM
527 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 528 (1<<ACL_WHERE_NOTSMTP_START),
529 #endif
530
13363eba
PP		 531 (1<<ACL_WHERE_NOTSMTP)|
532 (1<<ACL_WHERE_NOTSMTP_START)|
533 (1<<ACL_WHERE_NOTQUIT), /* dscp */
534
c5fcb476 535 0, /* error */
8e669ac1
PH		 536
537 (unsigned int)
c5fcb476 538 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 539
540 (unsigned int)
c5fcb476 541 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 542
e4bdf652
JH		 543 (unsigned int)
544 0, /* cutthrough_delivery */
545
45b91596
PH		 546 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
547 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 548
45b91596
PH		 549 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
550 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 551
552 (unsigned int)
c5fcb476
PH		 553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 556
557 (unsigned int)
c5fcb476
PH		 558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
559 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 560 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 561
562 (unsigned int)
c5fcb476 563 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 564 (1<<ACL_WHERE_PREDATA)),
8523533c 565
8800895a
PH		 566 (unsigned int)
567 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 568 (1<<ACL_WHERE_PREDATA)|
569 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 570
c46782ef 571 #ifdef WITH_CONTENT_SCAN
8e669ac1 572 (unsigned int)
14d57970 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
c46782ef 576 #endif
a6c4ab60 577
29aba418
TF		 578 (unsigned int)
579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
582
8e669ac1 583 (unsigned int)
a6c4ab60 584 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 585 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
586 (1<<ACL_WHERE_MIME)),
8523533c 587
45b91596 588 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 589 (1<<ACL_WHERE_NOTSMTP_START),
590
591 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 592 (1<<ACL_WHERE_NOTSMTP_START),
593
594 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 595 (1<<ACL_WHERE_NOTSMTP_START),
596
597 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 598 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 599};
600
601/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 602
603typedef struct control_def {
604 uschar *name;
605 int value; /* CONTROL_xxx value */
059ec3d9
PH		 606 BOOL has_option; /* Has /option(s) following */
607} control_def;
608
609static control_def controls_list[] = {
c46782ef 610 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 611#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 612 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 613#endif
ed7f7860 614 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 615#ifndef DISABLE_DKIM
616 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 617#endif
13363eba 618 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 619 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
620 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
621 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
622 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 623 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 624 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 625 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
626 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 627 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 628 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 629#ifdef WITH_CONTENT_SCAN
c46782ef 630 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 631#endif
c46782ef
PH		 632 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
633 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
634 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH		 635 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
636 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH		 637 };
638
e5a9dba6
PH		 639/* Support data structures for Client SMTP Authorization. acl_verify_csa()
640caches its result in a tree to avoid repeated DNS queries. The result is an
641integer code which is used as an index into the following tables of
642explanatory strings and verification return codes. */
643
644static tree_node *csa_cache = NULL;
645
646enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
647 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
648
649/* The acl_verify_csa() return code is translated into an acl_verify() return
650code using the following table. It is OK unless the client is definitely not
651authorized. This is because CSA is supposed to be optional for sending sites,
652so recipients should not be too strict about checking it - especially because
653DNS problems are quite likely to occur. It's possible to use $csa_status in
654further ACL conditions to distinguish ok, unknown, and defer if required, but
655the aim is to make the usual configuration simple. */
656
657static int csa_return_code[] = {
658 OK, OK, OK, OK,
659 FAIL, FAIL, FAIL, FAIL
660};
661
662static uschar *csa_status_string[] = {
663 US"unknown", US"ok", US"defer", US"defer",
664 US"fail", US"fail", US"fail", US"fail"
665};
666
667static uschar *csa_reason_string[] = {
668 US"unknown",
669 US"ok",
670 US"deferred (SRV lookup failed)",
671 US"deferred (target address lookup failed)",
672 US"failed (explicit authorization required)",
673 US"failed (host name not authorized)",
674 US"failed (no authorized addresses)",
675 US"failed (client address mismatch)"
676};
677
c99ce5c9
TF		 678/* Options for the ratelimit condition. Note that there are two variants of
679the per_rcpt option, depending on the ACL that is used to measure the rate.
680However any ACL must be able to look up per_rcpt rates in /noupdate mode,
681so the two variants must have the same internal representation as well as
682the same configuration string. */
683
684enum {
685 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
686 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
687};
688
689#define RATE_SET(var,new) \
690 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
691
692static uschar *ratelimit_option_string[] = {
693 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
694 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
695};
696
059ec3d9
PH		 697/* Enable recursion between acl_check_internal() and acl_check_condition() */
698
699static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
700 uschar **);
701
702
703/*************************************************
704* Pick out name from list *
705*************************************************/
706
707/* Use a binary chop method
708
709Arguments:
710 name name to find
711 list list of names
712 end size of list
713
714Returns: offset in list, or -1 if not found
715*/
716
717static int
718acl_checkname(uschar *name, uschar **list, int end)
719{
720int start = 0;
721
722while (start < end)
723 {
724 int mid = (start + end)/2;
725 int c = Ustrcmp(name, list[mid]);
726 if (c == 0) return mid;
727 if (c < 0) end = mid; else start = mid + 1;
728 }
729
730return -1;
731}
732
733
734/*************************************************
735* Read and parse one ACL *
736*************************************************/
737
738/* This function is called both from readconf in order to parse the ACLs in the
739configuration file, and also when an ACL is encountered dynamically (e.g. as
740the result of an expansion). It is given a function to call in order to
741retrieve the lines of the ACL. This function handles skipping comments and
742blank lines (where relevant).
743
744Arguments:
745 func function to get next line of ACL
746 error where to put an error message
747
748Returns: pointer to ACL, or NULL
749 NULL can be legal (empty ACL); in this case error will be NULL
750*/
751
752acl_block *
753acl_read(uschar *(*func)(void), uschar **error)
754{
755acl_block *yield = NULL;
756acl_block **lastp = &yield;
757acl_block *this = NULL;
758acl_condition_block *cond;
759acl_condition_block **condp = NULL;
760uschar *s;
761
762*error = NULL;
763
764while ((s = (*func)()) != NULL)
765 {
766 int v, c;
767 BOOL negated = FALSE;
768 uschar *saveline = s;
769 uschar name[64];
770
771 /* Conditions (but not verbs) are allowed to be negated by an initial
772 exclamation mark. */
773
774 while (isspace(*s)) s++;
775 if (*s == '!')
776 {
777 negated = TRUE;
778 s++;
779 }
780
cf00dad6
PH		 781 /* Read the name of a verb or a condition, or the start of a new ACL, which
782 can be started by a name, or by a macro definition. */
059ec3d9
PH		 783
784 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 785 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 786
787 /* If a verb is unrecognized, it may be another condition or modifier that
788 continues the previous verb. */
789
790 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
791 if (v < 0)
792 {
793 if (this == NULL)
794 {
4e167a8c
PH		 795 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
796 saveline);
059ec3d9
PH		 797 return NULL;
798 }
799 }
800
801 /* New verb */
802
803 else
804 {
805 if (negated)
806 {
807 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
808 return NULL;
809 }
810 this = store_get(sizeof(acl_block));
811 *lastp = this;
812 lastp = &(this->next);
813 this->next = NULL;
814 this->verb = v;
815 this->condition = NULL;
816 condp = &(this->condition);
817 if (*s == 0) continue; /* No condition on this line */
818 if (*s == '!')
819 {
820 negated = TRUE;
821 s++;
822 }
823 s = readconf_readname(name, sizeof(name), s); /* Condition name */
824 }
825
826 /* Handle a condition or modifier. */
827
828 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
829 if (c < 0)
830 {
831 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
832 saveline);
833 return NULL;
834 }
835
836 /* The modifiers may not be negated */
837
838 if (negated && cond_modifiers[c])
839 {
840 *error = string_sprintf("ACL error: negation is not allowed with "
841 "\"%s\"", conditions[c]);
842 return NULL;
843 }
844
845 /* ENDPASS may occur only with ACCEPT or DISCARD. */
846
847 if (c == ACLC_ENDPASS &&
848 this->verb != ACL_ACCEPT &&
849 this->verb != ACL_DISCARD)
850 {
851 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
852 conditions[c], verbs[this->verb]);
853 return NULL;
854 }
855
856 cond = store_get(sizeof(acl_condition_block));
857 cond->next = NULL;
858 cond->type = c;
859 cond->u.negated = negated;
860
861 *condp = cond;
862 condp = &(cond->next);
863
864 /* The "set" modifier is different in that its argument is "name=value"
865 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 866 gives us a variable name to insert into the data block. The original ACL
867 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
868 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 869 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
870 After that, we allow alphanumerics and underscores, but the first character
871 after c or m must be a digit or an underscore. This retains backwards
872 compatibility. */
059ec3d9
PH		 873
874 if (c == ACLC_SET)
875 {
47ca6d6c
PH		 876 uschar *endptr;
877
38a0a95f
PH		 878 if (Ustrncmp(s, "acl_c", 5) != 0 &&
879 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 880 {
38a0a95f
PH		 881 *error = string_sprintf("invalid variable name after \"set\" in ACL "
882 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
883 return NULL;
47ca6d6c 884 }
38a0a95f
PH		 885
886 endptr = s + 5;
641cb756
PH		 887 if (!isdigit(*endptr) && *endptr != '_')
888 {
889 *error = string_sprintf("invalid variable name after \"set\" in ACL "
890 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
891 s);
892 return NULL;
893 }
894
38a0a95f 895 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 896 {
38a0a95f
PH		 897 if (!isalnum(*endptr) && *endptr != '_')
898 {
899 *error = string_sprintf("invalid character \"%c\" in variable name "
900 "in ACL modifier \"set %s\"", *endptr, s);
901 return NULL;
902 }
903 endptr++;
47ca6d6c 904 }
47ca6d6c 905
38a0a95f 906 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 907 s = endptr;
059ec3d9
PH		 908 while (isspace(*s)) s++;
909 }
910
911 /* For "set", we are now positioned for the data. For the others, only
912 "endpass" has no data */
913
914 if (c != ACLC_ENDPASS)
915 {
916 if (*s++ != '=')
917 {
918 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
919 cond_modifiers[c]? US"modifier" : US"condition");
920 return NULL;
921 }
922 while (isspace(*s)) s++;
923 cond->arg = string_copy(s);
924 }
925 }
926
927return yield;
928}
929
930
931
71fafd95
PH		 932/*************************************************
933* Set up added header line(s) *
934*************************************************/
935
936/* This function is called by the add_header modifier, and also from acl_warn()
937to implement the now-deprecated way of adding header lines using "message" on a
938"warn" verb. The argument is treated as a sequence of header lines which are
939added to a chain, provided there isn't an identical one already there.
940
941Argument: string of header lines
942Returns: nothing
943*/
944
945static void
946setup_header(uschar *hstring)
947{
948uschar *p, *q;
949int hlen = Ustrlen(hstring);
950
951/* An empty string does nothing; otherwise add a final newline if necessary. */
952
953if (hlen <= 0) return;
954if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
955
956/* Loop for multiple header lines, taking care about continuations */
957
958for (p = q = hstring; *p != 0; )
959 {
960 uschar *s;
961 int newtype = htype_add_bot;
962 header_line **hptr = &acl_added_headers;
963
964 /* Find next header line within the string */
965
966 for (;;)
967 {
968 q = Ustrchr(q, '\n');
969 if (*(++q) != ' ' && *q != '\t') break;
970 }
971
972 /* If the line starts with a colon, interpret the instruction for where to
973 add it. This temporarily sets up a new type. */
974
975 if (*p == ':')
976 {
977 if (strncmpic(p, US":after_received:", 16) == 0)
978 {
979 newtype = htype_add_rec;
980 p += 16;
981 }
982 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
983 {
984 newtype = htype_add_rfc;
985 p += 14;
986 }
987 else if (strncmpic(p, US":at_start:", 10) == 0)
988 {
989 newtype = htype_add_top;
990 p += 10;
991 }
992 else if (strncmpic(p, US":at_end:", 8) == 0)
993 {
994 newtype = htype_add_bot;
995 p += 8;
996 }
997 while (*p == ' ' || *p == '\t') p++;
998 }
999
1000 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1001 to the front of it. */
1002
1003 for (s = p; s < q - 1; s++)
1004 {
1005 if (*s == ':' || !isgraph(*s)) break;
1006 }
1007
438257ba 1008 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1009 hlen = Ustrlen(s);
1010
1011 /* See if this line has already been added */
1012
1013 while (*hptr != NULL)
1014 {
1015 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1016 hptr = &((*hptr)->next);
1017 }
1018
1019 /* Add if not previously present */
1020
1021 if (*hptr == NULL)
1022 {
1023 header_line *h = store_get(sizeof(header_line));
1024 h->text = s;
1025 h->next = NULL;
1026 h->type = newtype;
1027 h->slen = hlen;
1028 *hptr = h;
1029 hptr = &(h->next);
1030 }
1031
1032 /* Advance for next header line within the string */
1033
1034 p = q;
1035 }
1036}
1037
1038
1039
1040
059ec3d9
PH		 1041/*************************************************
1042* Handle warnings *
1043*************************************************/
1044
1045/* This function is called when a WARN verb's conditions are true. It adds to
1046the message's headers, and/or writes information to the log. In each case, this
1047only happens once (per message for headers, per connection for log).
1048
71fafd95
PH		 1049** NOTE: The header adding action using the "message" setting is historic, and
1050its use is now deprecated. The new add_header modifier should be used instead.
1051
059ec3d9
PH		 1052Arguments:
1053 where ACL_WHERE_xxxx indicating which ACL this is
1054 user_message message for adding to headers
1055 log_message message for logging, if different
1056
1057Returns: nothing
1058*/
1059
1060static void
1061acl_warn(int where, uschar *user_message, uschar *log_message)
1062{
059ec3d9
PH		 1063if (log_message != NULL && log_message != user_message)
1064 {
1065 uschar *text;
1066 string_item *logged;
1067
1068 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1069 string_printing(log_message));
1070
1071 /* If a sender verification has failed, and the log message is "sender verify
1072 failed", add the failure message. */
1073
1074 if (sender_verified_failed != NULL &&
1075 sender_verified_failed->message != NULL &&
1076 strcmpic(log_message, US"sender verify failed") == 0)
1077 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1078
9c7a242c
PH		 1079 /* Search previously logged warnings. They are kept in malloc
1080 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1081
1082 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1083 if (Ustrcmp(logged->text, text) == 0) break;
1084
1085 if (logged == NULL)
1086 {
1087 int length = Ustrlen(text) + 1;
1088 log_write(0, LOG_MAIN, "%s", text);
1089 logged = store_malloc(sizeof(string_item) + length);
1090 logged->text = (uschar *)logged + sizeof(string_item);
1091 memcpy(logged->text, text, length);
1092 logged->next = acl_warn_logged;
1093 acl_warn_logged = logged;
1094 }
1095 }
1096
1097/* If there's no user message, we are done. */
1098
1099if (user_message == NULL) return;
1100
1101/* If this isn't a message ACL, we can't do anything with a user message.
1102Log an error. */
1103
1104if (where > ACL_WHERE_NOTSMTP)
1105 {
1106 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1107 "found in a non-message (%s) ACL: cannot specify header lines here: "
1108 "message ignored", acl_wherenames[where]);
1109 return;
1110 }
1111
71fafd95
PH		 1112/* The code for setting up header lines is now abstracted into a separate
1113function so that it can be used for the add_header modifier as well. */
059ec3d9 1114
71fafd95 1115setup_header(user_message);
059ec3d9
PH		 1116}
1117
1118
1119
1120/*************************************************
1121* Verify and check reverse DNS *
1122*************************************************/
1123
1124/* Called from acl_verify() below. We look up the host name(s) of the client IP
1125address if this has not yet been done. The host_name_lookup() function checks
1126that one of these names resolves to an address list that contains the client IP
1127address, so we don't actually have to do the check here.
1128
1129Arguments:
1130 user_msgptr pointer for user message
1131 log_msgptr pointer for log message
1132
1133Returns: OK verification condition succeeded
1134 FAIL verification failed
1135 DEFER there was a problem verifying
1136*/
1137
1138static int
1139acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1140{
1141int rc;
1142
1143user_msgptr = user_msgptr; /* stop compiler warning */
1144
1145/* Previous success */
1146
1147if (sender_host_name != NULL) return OK;
1148
1149/* Previous failure */
1150
1151if (host_lookup_failed)
1152 {
1153 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1154 return FAIL;
1155 }
1156
1157/* Need to do a lookup */
1158
1159HDEBUG(D_acl)
1160 debug_printf("looking up host name to force name/address consistency check\n");
1161
1162if ((rc = host_name_lookup()) != OK)
1163 {
1164 *log_msgptr = (rc == DEFER)?
1165 US"host lookup deferred for reverse lookup check"
1166 :
1167 string_sprintf("host lookup failed for reverse lookup check%s",
1168 host_lookup_msg);
1169 return rc; /* DEFER or FAIL */
1170 }
1171
1172host_build_sender_fullhost();
1173return OK;
1174}
1175
1176
1177
e5a9dba6
PH		 1178/*************************************************
1179* Check client IP address matches CSA target *
1180*************************************************/
1181
1182/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1183response for address records belonging to the CSA target hostname. The section
1184is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1185If one of the addresses matches the client's IP address, then the client is
1186authorized by CSA. If there are target IP addresses but none of them match
1187then the client is using an unauthorized IP address. If there are no target IP
1188addresses then the client cannot be using an authorized IP address. (This is
1189an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1190
1191Arguments:
1192 dnsa the DNS answer block
1193 dnss a DNS scan block for us to use
1194 reset option specifing what portion to scan, as described above
1195 target the target hostname to use for matching RR names
1196
1197Returns: CSA_OK successfully authorized
1198 CSA_FAIL_MISMATCH addresses found but none matched
1199 CSA_FAIL_NOADDR no target addresses found
1200*/
1201
1202static int
1203acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1204 uschar *target)
1205{
1206dns_record *rr;
1207dns_address *da;
1208
1209BOOL target_found = FALSE;
1210
1211for (rr = dns_next_rr(dnsa, dnss, reset);
1212 rr != NULL;
1213 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1214 {
1215 /* Check this is an address RR for the target hostname. */
1216
1217 if (rr->type != T_A
1218 #if HAVE_IPV6
1219 && rr->type != T_AAAA
1220 #ifdef SUPPORT_A6
1221 && rr->type != T_A6
1222 #endif
1223 #endif
1224 ) continue;
1225
1226 if (strcmpic(target, rr->name) != 0) continue;
1227
1228 target_found = TRUE;
1229
1230 /* Turn the target address RR into a list of textual IP addresses and scan
1231 the list. There may be more than one if it is an A6 RR. */
1232
1233 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1234 {
1235 /* If the client IP address matches the target IP address, it's good! */
1236
1237 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1238
1239 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1240 }
1241 }
1242
1243/* If we found some target addresses but none of them matched, the client is
1244using an unauthorized IP address, otherwise the target has no authorized IP
1245addresses. */
1246
1247if (target_found) return CSA_FAIL_MISMATCH;
1248else return CSA_FAIL_NOADDR;
1249}
1250
1251
1252
1253/*************************************************
1254* Verify Client SMTP Authorization *
1255*************************************************/
1256
1257/* Called from acl_verify() below. This routine calls dns_lookup_special()
1258to find the CSA SRV record corresponding to the domain argument, or
1259$sender_helo_name if no argument is provided. It then checks that the
1260client is authorized, and that its IP address corresponds to the SRV
1261target's address by calling acl_verify_csa_address() above. The address
1262should have been returned in the DNS response's ADDITIONAL section, but if
1263not we perform another DNS lookup to get it.
1264
1265Arguments:
1266 domain pointer to optional parameter following verify = csa
1267
1268Returns: CSA_UNKNOWN no valid CSA record found
1269 CSA_OK successfully authorized
1270 CSA_FAIL_* client is definitely not authorized
1271 CSA_DEFER_* there was a DNS problem
1272*/
1273
1274static int
1275acl_verify_csa(uschar *domain)
1276{
1277tree_node *t;
1278uschar *found, *p;
1279int priority, weight, port;
1280dns_answer dnsa;
1281dns_scan dnss;
1282dns_record *rr;
1283int rc, type;
1284uschar target[256];
1285
1286/* Work out the domain we are using for the CSA lookup. The default is the
1287client's HELO domain. If the client has not said HELO, use its IP address
1288instead. If it's a local client (exim -bs), CSA isn't applicable. */
1289
1290while (isspace(*domain) && *domain != '\0') ++domain;
1291if (*domain == '\0') domain = sender_helo_name;
1292if (domain == NULL) domain = sender_host_address;
1293if (sender_host_address == NULL) return CSA_UNKNOWN;
1294
1295/* If we have an address literal, strip off the framing ready for turning it
1296into a domain. The framing consists of matched square brackets possibly
1297containing a keyword and a colon before the actual IP address. */
1298
1299if (domain[0] == '[')
1300 {
1301 uschar *start = Ustrchr(domain, ':');
1302 if (start == NULL) start = domain;
1303 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1304 }
1305
1306/* Turn domains that look like bare IP addresses into domains in the reverse
1307DNS. This code also deals with address literals and $sender_host_address. It's
1308not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1309address literals, but it's probably the most friendly thing to do. This is an
1310extension to CSA, so we allow it to be turned off for proper conformance. */
1311
7e66e54d 1312if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1313 {
1314 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1315 dns_build_reverse(domain, target);
1316 domain = target;
1317 }
1318
1319/* Find out if we've already done the CSA check for this domain. If we have,
1320return the same result again. Otherwise build a new cached result structure
1321for this domain. The name is filled in now, and the value is filled in when
1322we return from this function. */
1323
1324t = tree_search(csa_cache, domain);
1325if (t != NULL) return t->data.val;
1326
1327t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1328Ustrcpy(t->name, domain);
1329(void)tree_insertnode(&csa_cache, t);
1330
1331/* Now we are ready to do the actual DNS lookup(s). */
1332
28e6ef29 1333found = domain;
e5a9dba6
PH		 1334switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1335 {
1336 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1337
1338 default:
1339 return t->data.val = CSA_DEFER_SRV;
1340
1341 /* If we found nothing, the client's authorization is unknown. */
1342
1343 case DNS_NOMATCH:
1344 case DNS_NODATA:
1345 return t->data.val = CSA_UNKNOWN;
1346
1347 /* We got something! Go on to look at the reply in more detail. */
1348
1349 case DNS_SUCCEED:
1350 break;
1351 }
1352
1353/* Scan the reply for well-formed CSA SRV records. */
1354
1355for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1356 rr != NULL;
1357 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1358 {
1359 if (rr->type != T_SRV) continue;
1360
1361 /* Extract the numerical SRV fields (p is incremented) */
1362
1363 p = rr->data;
1364 GETSHORT(priority, p);
1365 GETSHORT(weight, p);
1366 GETSHORT(port, p);
1367
1368 DEBUG(D_acl)
1369 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1370
1371 /* Check the CSA version number */
1372
1373 if (priority != 1) continue;
1374
1375 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1376 found by dns_special_lookup() is a parent of the one we asked for), we check
1377 the subdomain assertions in the port field. At the moment there's only one
1378 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1379 SRV records of their own. */
1380
1381 if (found != domain)
1382 {
1383 if (port & 1)
1384 return t->data.val = CSA_FAIL_EXPLICIT;
1385 else
1386 return t->data.val = CSA_UNKNOWN;
1387 }
1388
1389 /* This CSA SRV record refers directly to our domain, so we check the value
1390 in the weight field to work out the domain's authorization. 0 and 1 are
1391 unauthorized; 3 means the client is authorized but we can't check the IP
1392 address in order to authenticate it, so we treat it as unknown; values
1393 greater than 3 are undefined. */
1394
1395 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1396
1397 if (weight > 2) continue;
1398
1399 /* Weight == 2, which means the domain is authorized. We must check that the
1400 client's IP address is listed as one of the SRV target addresses. Save the
1401 target hostname then break to scan the additional data for its addresses. */
1402
1403 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1404 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1405
1406 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1407
1408 break;
1409 }
1410
1411/* If we didn't break the loop then no appropriate records were found. */
1412
1413if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1414
1415/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1416A target of "." indicates there are no valid addresses, so the client cannot
1417be authorized. (This is an odd configuration because weight=2 target=. is
1418equivalent to weight=1, but we check for it in order to keep load off the
1419root name servers.) Note that dn_expand() turns "." into "". */
1420
1421if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1422
1423/* Scan the additional section of the CSA SRV reply for addresses belonging
1424to the target. If the name server didn't return any additional data (e.g.
1425because it does not fully support SRV records), we need to do another lookup
1426to obtain the target addresses; otherwise we have a definitive result. */
1427
1428rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1429if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1430
1431/* The DNS lookup type corresponds to the IP version used by the client. */
1432
1433#if HAVE_IPV6
1434if (Ustrchr(sender_host_address, ':') != NULL)
1435 type = T_AAAA;
1436else
1437#endif /* HAVE_IPV6 */
1438 type = T_A;
1439
1440
1441#if HAVE_IPV6 && defined(SUPPORT_A6)
1442DNS_LOOKUP_AGAIN:
1443#endif
1444
1445switch (dns_lookup(&dnsa, target, type, NULL))
1446 {
1447 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1448
1449 default:
1450 return t->data.val = CSA_DEFER_ADDR;
1451
1452 /* If the query succeeded, scan the addresses and return the result. */
1453
1454 case DNS_SUCCEED:
1455 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1456 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1457 /* else fall through */
1458
1459 /* If the target has no IP addresses, the client cannot have an authorized
1460 IP address. However, if the target site uses A6 records (not AAAA records)
1461 we have to do yet another lookup in order to check them. */
1462
1463 case DNS_NOMATCH:
1464 case DNS_NODATA:
1465
1466 #if HAVE_IPV6 && defined(SUPPORT_A6)
1467 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1468 #endif
1469
1470 return t->data.val = CSA_FAIL_NOADDR;
1471 }
1472}
1473
1474
1475
059ec3d9
PH		 1476/*************************************************
1477* Handle verification (address & other) *
1478*************************************************/
1479
89583014
JH		 1480enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1481 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1482 };
1483typedef struct {
1484 uschar * name;
1485 int value;
1486 unsigned where_allowed; /* bitmap */
1487 BOOL no_options; /* Never has /option(s) following */
1488 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1489 } verify_type_t;
1490static verify_type_t verify_type_list[] = {
1491 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1492 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1493 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1494 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1495 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1496 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1497 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1498 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1499 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1500 FALSE, 6 },
1501 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1502 };
1503
1504
1505enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1506 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1507 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1508 CALLOUT_TIME
1509 };
1510typedef struct {
1511 uschar * name;
1512 int value;
1513 int flag;
1514 BOOL has_option; /* Has =option(s) following */
1515 BOOL timeval; /* Has a time value */
1516 } callout_opt_t;
1517static callout_opt_t callout_opt_list[] = {
1518 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1519 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1520 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1521 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1522 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1523 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1524 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1525 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1526 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1527 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1528 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1529 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1530 };
1531
1532
1533
059ec3d9
PH		 1534/* This function implements the "verify" condition. It is called when
1535encountered in any ACL, because some tests are almost always permitted. Some
1536just don't make sense, and always fail (for example, an attempt to test a host
1537lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1538
1539Arguments:
1540 where where called from
1541 addr the recipient address that the ACL is handling, or NULL
1542 arg the argument of "verify"
1543 user_msgptr pointer for user message
1544 log_msgptr pointer for log message
1545 basic_errno where to put verify errno
1546
1547Returns: OK verification condition succeeded
1548 FAIL verification failed
1549 DEFER there was a problem verifying
1550 ERROR syntax error
1551*/
1552
1553static int
1554acl_verify(int where, address_item *addr, uschar *arg,
1555 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1556{
1557int sep = '/';
1558int callout = -1;
1559int callout_overall = -1;
4deaf07d 1560int callout_connect = -1;
059ec3d9
PH		 1561int verify_options = 0;
1562int rc;
1563BOOL verify_header_sender = FALSE;
1564BOOL defer_ok = FALSE;
1565BOOL callout_defer_ok = FALSE;
1566BOOL no_details = FALSE;
eafd343b 1567BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1568address_item *sender_vaddr = NULL;
1569uschar *verify_sender_address = NULL;
1570uschar *pm_mailfrom = NULL;
1571uschar *se_mailfrom = NULL;
596875b3
PH		 1572
1573/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1574an error if options are given for items that don't expect them.
596875b3
PH		 1575*/
1576
1577uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1578uschar *list = arg;
1579uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1580verify_type_t * vp;
059ec3d9
PH		 1581
1582if (ss == NULL) goto BAD_VERIFY;
1583
1584/* Handle name/address consistency verification in a separate function. */
1585
89583014
JH		 1586for (vp= verify_type_list;
1587 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1588 vp++
1589 )
1590 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1591 : strcmpic (ss, vp->name) == 0)
1592 break;
1593if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1594 goto BAD_VERIFY;
1595
1596if (vp->no_options && slash != NULL)
059ec3d9 1597 {
89583014
JH		 1598 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1599 "(this verify item has no options)", arg);
1600 return ERROR;
059ec3d9 1601 }
89583014 1602if (!(vp->where_allowed & (1<<where)))
059ec3d9 1603 {
89583014
JH		 1604 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1605 return ERROR;
059ec3d9 1606 }
89583014 1607switch(vp->value)
596875b3 1608 {
89583014
JH		 1609 case VERIFY_REV_HOST_LKUP:
1610 if (sender_host_address == NULL) return OK;
1611 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1612
89583014
JH		 1613 case VERIFY_CERT:
1614 /* TLS certificate verification is done at STARTTLS time; here we just
1615 test whether it was successful or not. (This is for optional verification; for
1616 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1617
817d9f57 1618 if (tls_in.certificate_verified) return OK;
89583014
JH		 1619 *user_msgptr = US"no verified certificate";
1620 return FAIL;
e5a9dba6 1621
89583014
JH		 1622 case VERIFY_HELO:
1623 /* We can test the result of optional HELO verification that might have
1624 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1625
89583014
JH		 1626 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1627 return helo_verified? OK : FAIL;
059ec3d9 1628
89583014
JH		 1629 case VERIFY_CSA:
1630 /* Do Client SMTP Authorization checks in a separate function, and turn the
1631 result code into user-friendly strings. */
1c41c9cc 1632
89583014
JH		 1633 rc = acl_verify_csa(list);
1634 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1635 csa_reason_string[rc]);
1636 csa_status = csa_status_string[rc];
1637 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1638 return csa_return_code[rc];
1639
1640 case VERIFY_HDR_SYNTAX:
1641 /* Check that all relevant header lines have the correct syntax. If there is
1642 a syntax error, we return details of the error to the sender if configured to
1643 send out full details. (But a "message" setting on the ACL can override, as
1644 always). */
1645
1646 rc = verify_check_headers(log_msgptr);
1647 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1648 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1649 return rc;
059ec3d9 1650
89583014
JH		 1651 case VERIFY_NOT_BLIND:
1652 /* Check that no recipient of this message is "blind", that is, every envelope
1653 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1654
89583014
JH		 1655 rc = verify_check_notblind();
1656 if (rc != OK)
1657 {
1658 *log_msgptr = string_sprintf("bcc recipient detected");
1659 if (smtp_return_error_details)
1660 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1661 }
1662 return rc;
059ec3d9 1663
89583014
JH		 1664 /* The remaining verification tests check recipient and sender addresses,
1665 either from the envelope or from the header. There are a number of
1666 slash-separated options that are common to all of them. */
059ec3d9 1667
89583014
JH		 1668 case VERIFY_HDR_SNDR:
1669 verify_header_sender = TRUE;
1670 break;
059ec3d9 1671
89583014
JH		 1672 case VERIFY_SNDR:
1673 /* In the case of a sender, this can optionally be followed by an address to use
1674 in place of the actual sender (rare special-case requirement). */
059ec3d9 1675 {
89583014
JH		 1676 uschar *s = ss + 6;
1677 if (*s == 0)
1678 verify_sender_address = sender_address;
1679 else
1680 {
1681 while (isspace(*s)) s++;
1682 if (*s++ != '=') goto BAD_VERIFY;
1683 while (isspace(*s)) s++;
1684 verify_sender_address = string_copy(s);
1685 }
059ec3d9 1686 }
89583014
JH		 1687 break;
1688
1689 case VERIFY_RCPT:
1690 break;
059ec3d9
PH		 1691 }
1692
89583014
JH		 1693
1694
596875b3
PH		 1695/* Remaining items are optional; they apply to sender and recipient
1696verification, including "header sender" verification. */
059ec3d9
PH		 1697
1698while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1699 != NULL)
1700 {
1701 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1702 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1703 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1704
1705 /* These two old options are left for backwards compatibility */
1706
1707 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1708 {
1709 callout_defer_ok = TRUE;
1710 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1711 }
1712
1713 else if (strcmpic(ss, US"check_postmaster") == 0)
1714 {
1715 pm_mailfrom = US"";
1716 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1717 }
1718
1719 /* The callout option has a number of sub-options, comma separated */
1720
1721 else if (strncmpic(ss, US"callout", 7) == 0)
1722 {
1723 callout = CALLOUT_TIMEOUT_DEFAULT;
1724 ss += 7;
1725 if (*ss != 0)
1726 {
1727 while (isspace(*ss)) ss++;
1728 if (*ss++ == '=')
1729 {
1730 int optsep = ',';
1731 uschar *opt;
1732 uschar buffer[256];
1733 while (isspace(*ss)) ss++;
8e669ac1 1734
059ec3d9
PH		 1735 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1736 != NULL)
1737 {
89583014 1738 callout_opt_t * op;
438257ba 1739 double period = 1.0F;
059ec3d9 1740
89583014 1741 for (op= callout_opt_list; op->name; op++)
438257ba 1742 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1743 break;
059ec3d9 1744
89583014
JH		 1745 verify_options |= op->flag;
1746 if (op->has_option)
1747 {
438257ba 1748 opt += Ustrlen(op->name);
4deaf07d
PH		 1749 while (isspace(*opt)) opt++;
1750 if (*opt++ != '=')
1751 {
1752 *log_msgptr = string_sprintf("'=' expected after "
89583014 1753 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1754 return ERROR;
1755 }
1756 while (isspace(*opt)) opt++;
89583014
JH		 1757 }
1758 if (op->timeval)
1759 {
1760 period = readconf_readtime(opt, 0, FALSE);
1761 if (period < 0)
4deaf07d
PH		 1762 {
1763 *log_msgptr = string_sprintf("bad time value in ACL condition "
1764 "\"verify %s\"", arg);
1765 return ERROR;
1766 }
89583014
JH		 1767 }
1768
1769 switch(op->value)
1770 {
1771 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1772 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1773 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1774 case CALLOUT_MAILFROM:
1775 if (!verify_header_sender)
1776 {
1777 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1778 "callout option only for verify=header_sender (detected in ACL "
1779 "condition \"%s\")", arg);
1780 return ERROR;
1781 }
1782 se_mailfrom = string_copy(opt);
1783 break;
1784 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1785 case CALLOUT_MAXWAIT: callout_overall = period; break;
1786 case CALLOUT_CONNECT: callout_connect = period; break;
1787 case CALLOUT_TIME: callout = period; break;
1788 }
059ec3d9
PH		 1789 }
1790 }
1791 else
1792 {
1793 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1794 "ACL condition \"%s\"", arg);
1795 return ERROR;
1796 }
1797 }
1798 }
1799
1800 /* Option not recognized */
1801
1802 else
1803 {
1804 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1805 "condition \"verify %s\"", ss, arg);
1806 return ERROR;
1807 }
1808 }
1809
1810if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1811 (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 {
1813 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1814 "for a recipient callout";
1815 return ERROR;
1816 }
1817
1818/* Handle sender-in-header verification. Default the user message to the log
1819message if giving out verification details. */
1820
1821if (verify_header_sender)
1822 {
8e669ac1 1823 int verrno;
059ec3d9 1824 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1825 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1826 &verrno);
1827 if (rc != OK)
8e669ac1 1828 {
fe5b5d0b
PH		 1829 *basic_errno = verrno;
1830 if (smtp_return_error_details)
1831 {
1832 if (*user_msgptr == NULL && *log_msgptr != NULL)
1833 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1834 if (rc == DEFER) acl_temp_details = TRUE;
1835 }
8e669ac1 1836 }
059ec3d9
PH		 1837 }
1838
1839/* Handle a sender address. The default is to verify *the* sender address, but
1840optionally a different address can be given, for special requirements. If the
1841address is empty, we are dealing with a bounce message that has no sender, so
1842we cannot do any checking. If the real sender address gets rewritten during
1843verification (e.g. DNS widening), set the flag to stop it being rewritten again
1844during message reception.
1845
1846A list of verified "sender" addresses is kept to try to avoid doing to much
1847work repetitively when there are multiple recipients in a message and they all
1848require sender verification. However, when callouts are involved, it gets too
1849complicated because different recipients may require different callout options.
1850Therefore, we always do a full sender verify when any kind of callout is
1851specified. Caching elsewhere, for instance in the DNS resolver and in the
1852callout handling, should ensure that this is not terribly inefficient. */
1853
1854else if (verify_sender_address != NULL)
1855 {
1856 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1857 != 0)
1858 {
1859 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1860 "sender verify callout";
1861 return ERROR;
1862 }
1863
1864 sender_vaddr = verify_checked_sender(verify_sender_address);
1865 if (sender_vaddr != NULL && /* Previously checked */
1866 callout <= 0) /* No callout needed this time */
1867 {
1868 /* If the "routed" flag is set, it means that routing worked before, so
1869 this check can give OK (the saved return code value, if set, belongs to a
1870 callout that was done previously). If the "routed" flag is not set, routing
1871 must have failed, so we use the saved return code. */
1872
1873 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1874 {
1875 rc = sender_vaddr->special_action;
1876 *basic_errno = sender_vaddr->basic_errno;
1877 }
1878 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1879 }
1880
1881 /* Do a new verification, and cache the result. The cache is used to avoid
1882 verifying the sender multiple times for multiple RCPTs when callouts are not
1883 specified (see comments above).
1884
1885 The cache is also used on failure to give details in response to the first
1886 RCPT that gets bounced for this reason. However, this can be suppressed by
1887 the no_details option, which sets the flag that says "this detail has already
1888 been sent". The cache normally contains just one address, but there may be
1889 more in esoteric circumstances. */
1890
1891 else
1892 {
1893 BOOL routed = TRUE;
2a3eea10 1894 uschar *save_address_data = deliver_address_data;
8e669ac1 1895
059ec3d9
PH		 1896 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1897 if (no_details) setflag(sender_vaddr, af_sverify_told);
1898 if (verify_sender_address[0] != 0)
1899 {
1900 /* If this is the real sender address, save the unrewritten version
1901 for use later in receive. Otherwise, set a flag so that rewriting the
1902 sender in verify_address() does not update sender_address. */
1903
1904 if (verify_sender_address == sender_address)
1905 sender_address_unrewritten = sender_address;
1906 else
1907 verify_options |= vopt_fake_sender;
1908
eafd343b
TK		 1909 if (success_on_redirect)
1910 verify_options |= vopt_success_on_redirect;
1911
059ec3d9
PH		 1912 /* The recipient, qualify, and expn options are never set in
1913 verify_options. */
1914
1915 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1916 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1917
1918 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1919
1920 if (rc == OK)
1921 {
1922 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1923 {
1924 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1925 verify_sender_address, sender_vaddr->address);
1926 }
1927 else
1928 {
1929 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1930 verify_sender_address);
1931 }
1932 }
1933 else *basic_errno = sender_vaddr->basic_errno;
1934 }
1935 else rc = OK; /* Null sender */
1936
1937 /* Cache the result code */
1938
1939 if (routed) setflag(sender_vaddr, af_verify_routed);
1940 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1941 sender_vaddr->special_action = rc;
1942 sender_vaddr->next = sender_verified_list;
1943 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1944
1945 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1946 the sender verification. */
8e669ac1 1947
2a3eea10 1948 deliver_address_data = save_address_data;
059ec3d9 1949 }
8e669ac1 1950
2a3eea10
PH		 1951 /* Put the sender address_data value into $sender_address_data */
1952
8e669ac1 1953 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1954 }
1955
1956/* A recipient address just gets a straightforward verify; again we must handle
1957the DEFER overrides. */
1958
1959else
1960 {
1961 address_item addr2;
1962
eafd343b
TK		 1963 if (success_on_redirect)
1964 verify_options |= vopt_success_on_redirect;
1965
059ec3d9
PH		 1966 /* We must use a copy of the address for verification, because it might
1967 get rewritten. */
1968
1969 addr2 = *addr;
1970 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1971 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1972 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1973
42855d71 1974 *basic_errno = addr2.basic_errno;
059ec3d9 1975 *log_msgptr = addr2.message;
8e669ac1 1976 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1977 addr2.user_message : addr2.message;
42855d71
PH		 1978
1979 /* Allow details for temporary error if the address is so flagged. */
1980 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1981
1982 /* Make $address_data visible */
1983 deliver_address_data = addr2.p.address_data;
1984 }
1985
1986/* We have a result from the relevant test. Handle defer overrides first. */
1987
1988if (rc == DEFER && (defer_ok ||
1989 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1990 {
1991 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1992 defer_ok? "defer_ok" : "callout_defer_ok");
1993 rc = OK;
1994 }
1995
1996/* If we've failed a sender, set up a recipient message, and point
1997sender_verified_failed to the address item that actually failed. */
1998
1999if (rc != OK && verify_sender_address != NULL)
2000 {
2001 if (rc != DEFER)
2002 {
2003 *log_msgptr = *user_msgptr = US"Sender verify failed";
2004 }
2005 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2006 {
2007 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2008 }
2009 else
2010 {
2011 *log_msgptr = US"Could not complete sender verify callout";
2012 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2013 *log_msgptr;
2014 }
2015
2016 sender_verified_failed = sender_vaddr;
2017 }
2018
2019/* Verifying an address messes up the values of $domain and $local_part,
2020so reset them before returning if this is a RCPT ACL. */
2021
2022if (addr != NULL)
2023 {
2024 deliver_domain = addr->domain;
2025 deliver_localpart = addr->local_part;
2026 }
2027return rc;
2028
2029/* Syntax errors in the verify argument come here. */
2030
2031BAD_VERIFY:
2032*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2033 "\"helo\", \"header_syntax\", \"header_sender\" or "
2034 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2035 "\"verify %s\"", arg);
2036return ERROR;
2037}
2038
2039
2040
2041
2042/*************************************************
2043* Check argument for control= modifier *
2044*************************************************/
2045
2046/* Called from acl_check_condition() below
2047
2048Arguments:
2049 arg the argument string for control=
2050 pptr set to point to the terminating character
2051 where which ACL we are in
2052 log_msgptr for error messages
2053
2054Returns: CONTROL_xxx value
2055*/
2056
2057static int
2058decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2059{
2060int len;
2061control_def *d;
2062
2063for (d = controls_list;
2064 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2065 d++)
2066 {
2067 len = Ustrlen(d->name);
2068 if (Ustrncmp(d->name, arg, len) == 0) break;
2069 }
2070
2071if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2072 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2073 {
2074 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2075 return CONTROL_ERROR;
2076 }
2077
059ec3d9
PH		 2078*pptr = arg + len;
2079return d->value;
2080}
2081
2082
2083
c99ce5c9
TF		 2084
2085/*************************************************
2086* Return a ratelimit error *
2087*************************************************/
2088
2089/* Called from acl_ratelimit() below
2090
2091Arguments:
2092 log_msgptr for error messages
2093 format format string
2094 ... supplementary arguments
2095 ss ratelimit option name
2096 where ACL_WHERE_xxxx indicating which ACL this is
2097
2098Returns: ERROR
2099*/
2100
2101static int
2102ratelimit_error(uschar **log_msgptr, const char *format, ...)
2103{
2104va_list ap;
2105uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2106va_start(ap, format);
2107if (!string_vformat(buffer, sizeof(buffer), format, ap))
2108 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2109 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2110va_end(ap);
2111*log_msgptr = string_sprintf(
2112 "error in arguments to \"ratelimit\" condition: %s", buffer);
2113return ERROR;
2114}
2115
2116
2117
2118
870f6ba8
TF		 2119/*************************************************
2120* Handle rate limiting *
2121*************************************************/
2122
2123/* Called by acl_check_condition() below to calculate the result
2124of the ACL ratelimit condition.
2125
2126Note that the return value might be slightly unexpected: if the
2127sender's rate is above the limit then the result is OK. This is
2128similar to the dnslists condition, and is so that you can write
2129ACL clauses like: defer ratelimit = 15 / 1h
2130
2131Arguments:
2132 arg the option string for ratelimit=
90fc3069 2133 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2134 log_msgptr for error messages
2135
2136Returns: OK - Sender's rate is above limit
2137 FAIL - Sender's rate is below limit
2138 DEFER - Problem opening ratelimit database
2139 ERROR - Syntax error in options.
2140*/
2141
2142static int
90fc3069 2143acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2144{
c99ce5c9 2145double limit, period, count;
8f240103
PH		 2146uschar *ss;
2147uschar *key = NULL;
c99ce5c9 2148uschar *unique = NULL;
870f6ba8 2149int sep = '/';
c99ce5c9
TF		 2150BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2151BOOL noupdate = FALSE, badacl = FALSE;
2152int mode = RATE_PER_WHAT;
870f6ba8
TF		 2153int old_pool, rc;
2154tree_node **anchor, *t;
2155open_db dbblock, *dbm;
c99ce5c9 2156int dbdb_size;
870f6ba8 2157dbdata_ratelimit *dbd;
c99ce5c9 2158dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2159struct timeval tv;
2160
2161/* Parse the first two options and record their values in expansion
2162variables. These variables allow the configuration to have informative
2163error messages based on rate limits obtained from a table lookup. */
2164
c99ce5c9 2165/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2166size, which must be greater than or equal to zero. Zero is useful for
2167rate measurement as opposed to rate limiting. */
2168
2169sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2170if (sender_rate_limit == NULL)
2171 limit = -1.0;
2172else
2173 {
2174 limit = Ustrtod(sender_rate_limit, &ss);
2175 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2176 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2177 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2178 }
c99ce5c9
TF		 2179if (limit < 0.0 || *ss != '\0')
2180 return ratelimit_error(log_msgptr,
2181 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2182
c99ce5c9 2183/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2184constant. This must be strictly greater than zero, because zero leads to
2185run-time division errors. */
2186
2187sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2188if (sender_rate_period == NULL) period = -1.0;
2189else period = readconf_readtime(sender_rate_period, 0, FALSE);
2190if (period <= 0.0)
c99ce5c9
TF		 2191 return ratelimit_error(log_msgptr,
2192 "\"%s\" is not a time value", sender_rate_period);
2193
2194/* By default we are counting one of something, but the per_rcpt,
2195per_byte, and count options can change this. */
2196
2197count = 1.0;
870f6ba8 2198
c99ce5c9 2199/* Parse the other options. */
870f6ba8
TF		 2200
2201while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2202 != NULL)
2203 {
2204 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2205 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2206 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2207 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2208 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2209 else if (strcmpic(ss, US"per_conn") == 0)
2210 {
2211 RATE_SET(mode, PER_CONN);
2212 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2213 badacl = TRUE;
2214 }
2215 else if (strcmpic(ss, US"per_mail") == 0)
2216 {
2217 RATE_SET(mode, PER_MAIL);
2218 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2219 }
2220 else if (strcmpic(ss, US"per_rcpt") == 0)
2221 {
2222 /* If we are running in the RCPT ACL, then we'll count the recipients
2223 one by one, but if we are running when we have accumulated the whole
2224 list then we'll add them all in one batch. */
2225 if (where == ACL_WHERE_RCPT)
2226 RATE_SET(mode, PER_RCPT);
2227 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2228 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2229 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2230 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2231 }
2232 else if (strcmpic(ss, US"per_byte") == 0)
2233 {
2234 /* If we have not yet received the message data and there was no SIZE
2235 declaration on the MAIL comand, then it's safe to just use a value of
2236 zero and let the recorded rate decay as if nothing happened. */
2237 RATE_SET(mode, PER_MAIL);
2238 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2239 else count = message_size < 0 ? 0.0 : (double)message_size;
2240 }
2241 else if (strcmpic(ss, US"per_addr") == 0)
2242 {
2243 RATE_SET(mode, PER_RCPT);
438257ba 2244 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2245 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2246 }
2247 else if (strncmpic(ss, US"count=", 6) == 0)
2248 {
2249 uschar *e;
2250 count = Ustrtod(ss+6, &e);
2251 if (count < 0.0 || *e != '\0')
2252 return ratelimit_error(log_msgptr,
2253 "\"%s\" is not a positive number", ss);
2254 }
2255 else if (strncmpic(ss, US"unique=", 7) == 0)
2256 unique = string_copy(ss + 7);
2257 else if (key == NULL)
2258 key = string_copy(ss);
2259 else
2260 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2261 }
2262
c99ce5c9
TF		 2263/* Sanity check. When the badacl flag is set the update mode must either
2264be readonly (which is the default if it is omitted) or, for backwards
2265compatibility, a combination of noupdate and strict or leaky. */
2266
2267if (mode == RATE_PER_CLASH)
2268 return ratelimit_error(log_msgptr, "conflicting per_* options");
2269if (leaky + strict + readonly > 1)
2270 return ratelimit_error(log_msgptr, "conflicting update modes");
2271if (badacl && (leaky || strict) && !noupdate)
2272 return ratelimit_error(log_msgptr,
2273 "\"%s\" must not have /leaky or /strict option in %s ACL",
2274 ratelimit_option_string[mode], acl_wherenames[where]);
2275
2276/* Set the default values of any unset options. In readonly mode we
2277perform the rate computation without any increment so that its value
2278decays to eventually allow over-limit senders through. */
2279
2280if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2281if (badacl) readonly = TRUE;
2282if (readonly) count = 0.0;
2283if (!strict && !readonly) leaky = TRUE;
2284if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2285
8f240103
PH		 2286/* Create the lookup key. If there is no explicit key, use sender_host_address.
2287If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2288omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2289are added to the key because they alter the meaning of the stored data. */
2290
2291if (key == NULL)
2292 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2293
c99ce5c9 2294key = string_sprintf("%s/%s/%s%s",
8f240103 2295 sender_rate_period,
c99ce5c9
TF		 2296 ratelimit_option_string[mode],
2297 unique == NULL ? "" : "unique/",
8f240103 2298 key);
870f6ba8 2299
c99ce5c9
TF		 2300HDEBUG(D_acl)
2301 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2302
8f240103
PH		 2303/* See if we have already computed the rate by looking in the relevant tree.
2304For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2305pool so that they survive across resets. In readonly mode we only remember the
2306result for the rest of this command in case a later command changes it. After
2307this bit of logic the code is independent of the per_* mode. */
870f6ba8 2308
870f6ba8
TF		 2309old_pool = store_pool;
2310
c99ce5c9
TF		 2311if (readonly)
2312 anchor = &ratelimiters_cmd;
2313else switch(mode) {
2314case RATE_PER_CONN:
870f6ba8
TF		 2315 anchor = &ratelimiters_conn;
2316 store_pool = POOL_PERM;
c99ce5c9
TF		 2317 break;
2318case RATE_PER_BYTE:
2319case RATE_PER_MAIL:
2320case RATE_PER_ALLRCPTS:
870f6ba8 2321 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2322 break;
2323case RATE_PER_ADDR:
2324case RATE_PER_CMD:
2325case RATE_PER_RCPT:
fe0dab11 2326 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2327 break;
2328default:
3399bb60 2329 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2330 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2331 "internal ACL error: unknown ratelimit mode %d", mode);
2332 break;
2333}
870f6ba8 2334
c99ce5c9
TF		 2335t = tree_search(*anchor, key);
2336if (t != NULL)
870f6ba8
TF		 2337 {
2338 dbd = t->data.ptr;
2339 /* The following few lines duplicate some of the code below. */
8f240103 2340 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2341 store_pool = old_pool;
2342 sender_rate = string_sprintf("%.1f", dbd->rate);
2343 HDEBUG(D_acl)
2344 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2345 return rc;
2346 }
2347
c99ce5c9
TF		 2348/* We aren't using a pre-computed rate, so get a previously recorded rate
2349from the database, which will be updated and written back if required. */
870f6ba8
TF		 2350
2351dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2352if (dbm == NULL)
2353 {
2354 store_pool = old_pool;
2355 sender_rate = NULL;
2356 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2357 *log_msgptr = US"ratelimit database not available";
2358 return DEFER;
2359 }
c99ce5c9
TF		 2360dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2361dbd = NULL;
870f6ba8
TF		 2362
2363gettimeofday(&tv, NULL);
2364
c99ce5c9
TF		 2365if (dbdb != NULL)
2366 {
2367 /* Locate the basic ratelimit block inside the DB data. */
2368 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2369 dbd = &dbdb->dbd;
2370
2371 /* Forget the old Bloom filter if it is too old, so that we count each
2372 repeating event once per period. We don't simply clear and re-use the old
2373 filter because we want its size to change if the limit changes. Note that
2374 we keep the dbd pointer for copying the rate into the new data block. */
2375
2376 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2377 {
2378 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2379 dbdb = NULL;
2380 }
2381
2382 /* Sanity check. */
2383
2384 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2385 {
2386 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2387 dbdb = NULL;
2388 }
2389 }
2390
2391/* Allocate a new data block if the database lookup failed
2392or the Bloom filter passed its age limit. */
2393
2394if (dbdb == NULL)
2395 {
2396 if (unique == NULL)
2397 {
2398 /* No Bloom filter. This basic ratelimit block is initialized below. */
2399 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2400 dbdb_size = sizeof(*dbd);
2401 dbdb = store_get(dbdb_size);
2402 }
2403 else
2404 {
2405 int extra;
2406 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2407
2408 /* See the long comment below for an explanation of the magic number 2.
2409 The filter has a minimum size in case the rate limit is very small;
2410 this is determined by the definition of dbdata_ratelimit_unique. */
2411
2412 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2413 if (extra < 0) extra = 0;
2414 dbdb_size = sizeof(*dbdb) + extra;
2415 dbdb = store_get(dbdb_size);
2416 dbdb->bloom_epoch = tv.tv_sec;
2417 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2418 memset(dbdb->bloom, 0, dbdb->bloom_size);
2419
2420 /* Preserve any basic ratelimit data (which is our longer-term memory)
2421 by copying it from the discarded block. */
2422
2423 if (dbd != NULL)
2424 {
2425 dbdb->dbd = *dbd;
2426 dbd = &dbdb->dbd;
2427 }
2428 }
2429 }
2430
2431/* If we are counting unique events, find out if this event is new or not.
2432If the client repeats the event during the current period then it should be
2433counted. We skip this code in readonly mode for efficiency, because any
2434changes to the filter will be discarded and because count is already set to
2435zero. */
2436
2437if (unique != NULL && !readonly)
2438 {
2439 /* We identify unique events using a Bloom filter. (You can find my
2440 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2441 With the per_addr option, an "event" is a recipient address, though the
2442 user can use the unique option to define their own events. We only count
2443 an event if we have not seen it before.
2444
2445 We size the filter according to the rate limit, which (in leaky mode)
2446 is the limit on the population of the filter. We allow 16 bits of space
2447 per entry (see the construction code above) and we set (up to) 8 of them
2448 when inserting an element (see the loop below). The probability of a false
2449 positive (an event we have not seen before but which we fail to count) is
2450
2451 size = limit * 16
2452 numhash = 8
2453 allzero = exp(-numhash * pop / size)
2454 = exp(-0.5 * pop / limit)
2455 fpr = pow(1 - allzero, numhash)
2456
2457 For senders at the limit the fpr is 0.06% or 1 in 1700
2458 and for senders at half the limit it is 0.0006% or 1 in 170000
2459
2460 In strict mode the Bloom filter can fill up beyond the normal limit, in
2461 which case the false positive rate will rise. This means that the
2462 measured rate for very fast senders can bogusly drop off after a while.
2463
2464 At twice the limit, the fpr is 2.5% or 1 in 40
2465 At four times the limit, it is 31% or 1 in 3.2
2466
2467 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2468 decay below the limit, and if this is more than one then the Bloom filter
2469 will be discarded before the decay gets that far. The false positive rate
2470 at this threshold is 9.3% or 1 in 10.7. */
2471
2472 BOOL seen;
2473 unsigned n, hash, hinc;
2474 uschar md5sum[16];
2475 md5 md5info;
2476
2477 /* Instead of using eight independent hash values, we combine two values
2478 using the formula h1 + n * h2. This does not harm the Bloom filter's
2479 performance, and means the amount of hash we need is independent of the
2480 number of bits we set in the filter. */
2481
2482 md5_start(&md5info);
2483 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2484 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2485 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2486
2487 /* Scan the bits corresponding to this event. A zero bit means we have
2488 not seen it before. Ensure all bits are set to record this event. */
2489
2490 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2491
2492 seen = TRUE;
2493 for (n = 0; n < 8; n++, hash += hinc)
2494 {
2495 int bit = 1 << (hash % 8);
2496 int byte = (hash / 8) % dbdb->bloom_size;
2497 if ((dbdb->bloom[byte] & bit) == 0)
2498 {
2499 dbdb->bloom[byte] |= bit;
2500 seen = FALSE;
2501 }
2502 }
2503
2504 /* If this event has occurred before, do not count it. */
2505
2506 if (seen)
2507 {
2508 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2509 count = 0.0;
2510 }
2511 else
2512 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2513 }
2514
2515/* If there was no previous ratelimit data block for this key, initialize
2516the new one, otherwise update the block from the database. The initial rate
2517is what would be computed by the code below for an infinite interval. */
2518
870f6ba8
TF		 2519if (dbd == NULL)
2520 {
c99ce5c9
TF		 2521 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2522 dbd = &dbdb->dbd;
870f6ba8
TF		 2523 dbd->time_stamp = tv.tv_sec;
2524 dbd->time_usec = tv.tv_usec;
c99ce5c9 2525 dbd->rate = count;
870f6ba8
TF		 2526 }
2527else
2528 {
2529 /* The smoothed rate is computed using an exponentially weighted moving
2530 average adjusted for variable sampling intervals. The standard EWMA for
2531 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2532 where f() is the measured value and f'() is the smoothed value.
2533
2534 Old data decays out of the smoothed value exponentially, such that data n
2535 samples old is multiplied by a^n. The exponential decay time constant p
2536 is defined such that data p samples old is multiplied by 1/e, which means
2537 that a = exp(-1/p). We can maintain the same time constant for a variable
2538 sampling interval i by using a = exp(-i/p).
2539
2540 The rate we are measuring is messages per period, suitable for directly
2541 comparing with the limit. The average rate between now and the previous
2542 message is period / interval, which we feed into the EWMA as the sample.
2543
2544 It turns out that the number of messages required for the smoothed rate
2545 to reach the limit when they are sent in a burst is equal to the limit.
2546 This can be seen by analysing the value of the smoothed rate after N
2547 messages sent at even intervals. Let k = (1 - a) * p/i
2548
2549 rate_1 = (1 - a) * p/i + a * rate_0
2550 = k + a * rate_0
2551 rate_2 = k + a * rate_1
2552 = k + a * k + a^2 * rate_0
2553 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2554 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2555 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2556 = rate_0 * a^N + p/i * (1 - a^N)
2557
2558 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2559
2560 rate_N = p/i + (rate_0 - p/i) * a^N
2561 a^N = (rate_N - p/i) / (rate_0 - p/i)
2562 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2563 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2564
2565 Numerical analysis of the above equation, setting the computed rate to
2566 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2567 rates, p/i, the number of messages N = limit. So limit serves as both the
2568 maximum rate measured in messages per period, and the maximum number of
2569 messages that can be sent in a fast burst. */
2570
2571 double this_time = (double)tv.tv_sec
2572 + (double)tv.tv_usec / 1000000.0;
2573 double prev_time = (double)dbd->time_stamp
2574 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2575
2576 /* We must avoid division by zero, and deal gracefully with the clock going
2577 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2578 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2579
e5d5a95f
TF		 2580 double interval = this_time - prev_time <= 0.0 ? 1e-9
2581 : this_time - prev_time;
2582
2583 double i_over_p = interval / period;
2584 double a = exp(-i_over_p);
870f6ba8 2585
c99ce5c9
TF		 2586 /* Combine the instantaneous rate (period / interval) with the previous rate
2587 using the smoothing factor a. In order to measure sized events, multiply the
2588 instantaneous rate by the count of bytes or recipients etc. */
2589
870f6ba8
TF		 2590 dbd->time_stamp = tv.tv_sec;
2591 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2592 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2593
2594 /* When events are very widely spaced the computed rate tends towards zero.
2595 Although this is accurate it turns out not to be useful for our purposes,
2596 especially when the first event after a long silence is the start of a spam
2597 run. A more useful model is that the rate for an isolated event should be the
2598 size of the event per the period size, ignoring the lack of events outside
2599 the current period and regardless of where the event falls in the period. So,
2600 if the interval was so long that the calculated rate is unhelpfully small, we
2601 re-intialize the rate. In the absence of higher-rate bursts, the condition
2602 below is true if the interval is greater than the period. */
2603
2604 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2605 }
2606
c99ce5c9
TF		 2607/* Clients sending at the limit are considered to be over the limit.
2608This matters for edge cases such as a limit of zero, when the client
2609should be completely blocked. */
3348576f 2610
8f240103 2611rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2612
2613/* Update the state if the rate is low or if we are being strict. If we
2614are in leaky mode and the sender's rate is too high, we do not update
2615the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2616rate preventing them from getting any email through. If readonly is set,
2617neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2618
c99ce5c9 2619if ((rc == FAIL && leaky) || strict)
8f240103 2620 {
c99ce5c9 2621 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2622 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2623 }
2624else
2625 {
2626 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2627 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2628 }
2629
870f6ba8
TF		 2630dbfn_close(dbm);
2631
c99ce5c9 2632/* Store the result in the tree for future reference. */
870f6ba8 2633
c99ce5c9
TF		 2634t = store_get(sizeof(tree_node) + Ustrlen(key));
2635t->data.ptr = dbd;
2636Ustrcpy(t->name, key);
2637(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2638
2639/* We create the formatted version of the sender's rate very late in
2640order to ensure that it is done using the correct storage pool. */
2641
2642store_pool = old_pool;
2643sender_rate = string_sprintf("%.1f", dbd->rate);
2644
2645HDEBUG(D_acl)
2646 debug_printf("ratelimit computed rate %s\n", sender_rate);
2647
2648return rc;
2649}
2650
2651
2652
059ec3d9
PH		 2653/*************************************************
2654* Handle conditions/modifiers on an ACL item *
2655*************************************************/
2656
2657/* Called from acl_check() below.
2658
2659Arguments:
2660 verb ACL verb
2661 cb ACL condition block - if NULL, result is OK
2662 where where called from
2663 addr the address being checked for RCPT, or NULL
2664 level the nesting level
2665 epp pointer to pass back TRUE if "endpass" encountered
2666 (applies only to "accept" and "discard")
2667 user_msgptr user message pointer
2668 log_msgptr log message pointer
2669 basic_errno pointer to where to put verify error
2670
2671Returns: OK - all conditions are met
2672 DISCARD - an "acl" condition returned DISCARD - only allowed
2673 for "accept" or "discard" verbs
2674 FAIL - at least one condition fails
2675 FAIL_DROP - an "acl" condition returned FAIL_DROP
2676 DEFER - can't tell at the moment (typically, lookup defer,
2677 but can be temporary callout problem)
2678 ERROR - ERROR from nested ACL or expansion failure or other
2679 error
2680*/
2681
2682static int
2683acl_check_condition(int verb, acl_condition_block *cb, int where,
2684 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2685 uschar **log_msgptr, int *basic_errno)
2686{
2687uschar *user_message = NULL;
2688uschar *log_message = NULL;
ed7f7860
PP		 2689uschar *debug_tag = NULL;
2690uschar *debug_opts = NULL;
91ecef39 2691uschar *p = NULL;
059ec3d9 2692int rc = OK;
8523533c
TK		 2693#ifdef WITH_CONTENT_SCAN
2694int sep = '/';
2695#endif
059ec3d9
PH		 2696
2697for (; cb != NULL; cb = cb->next)
2698 {
2699 uschar *arg;
8e669ac1 2700 int control_type;
059ec3d9
PH		 2701
2702 /* The message and log_message items set up messages to be used in
2703 case of rejection. They are expanded later. */
2704
2705 if (cb->type == ACLC_MESSAGE)
2706 {
2707 user_message = cb->arg;
2708 continue;
2709 }
2710
2711 if (cb->type == ACLC_LOG_MESSAGE)
2712 {
2713 log_message = cb->arg;
2714 continue;
2715 }
2716
2717 /* The endpass "condition" just sets a flag to show it occurred. This is
2718 checked at compile time to be on an "accept" or "discard" item. */
2719
2720 if (cb->type == ACLC_ENDPASS)
2721 {
2722 *epp = TRUE;
2723 continue;
2724 }
2725
2726 /* For other conditions and modifiers, the argument is expanded now for some
2727 of them, but not for all, because expansion happens down in some lower level
2728 checking functions in some cases. */
2729
2730 if (cond_expand_at_top[cb->type])
2731 {
2732 arg = expand_string(cb->arg);
2733 if (arg == NULL)
2734 {
2735 if (expand_string_forcedfail) continue;
2736 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2737 cb->arg, expand_string_message);
2738 return search_find_defer? DEFER : ERROR;
2739 }
2740 }
2741 else arg = cb->arg;
2742
2743 /* Show condition, and expanded condition if it's different */
2744
2745 HDEBUG(D_acl)
2746 {
2747 int lhswidth = 0;
2748 debug_printf("check %s%s %n",
2749 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2750 conditions[cb->type], &lhswidth);
2751
2752 if (cb->type == ACLC_SET)
2753 {
38a0a95f
PH		 2754 debug_printf("acl_%s ", cb->u.varname);
2755 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2756 }
2757
2758 debug_printf("= %s\n", cb->arg);
2759
2760 if (arg != cb->arg)
2761 debug_printf("%.*s= %s\n", lhswidth,
2762 US" ", CS arg);
2763 }
2764
2765 /* Check that this condition makes sense at this time */
2766
2767 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2768 {
2769 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2770 cond_modifiers[cb->type]? "use" : "test",
2771 conditions[cb->type], acl_wherenames[where]);
2772 return ERROR;
2773 }
2774
2775 /* Run the appropriate test for each condition, or take the appropriate
2776 action for the remaining modifiers. */
2777
2778 switch(cb->type)
2779 {
71fafd95
PH		 2780 case ACLC_ADD_HEADER:
2781 setup_header(arg);
2782 break;
2783
059ec3d9
PH		 2784 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2785 "discard" verb. */
71fafd95 2786
059ec3d9 2787 case ACLC_ACL:
059ec3d9 2788 {
7421ecab
JH		 2789 uschar * cp = arg;
2790 uschar * tmp;
2791 uschar * name;
2792
2793 if (!(tmp = string_dequote(&cp)) || !(name = expand_string(tmp)))
2794 {
2795 if (expand_string_forcedfail) continue;
2796 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2797 tmp, expand_string_message);
2798 return search_find_defer? DEFER : ERROR;
2799 }
2800
2801 for (acl_narg = 0; acl_narg < sizeof(acl_arg)/sizeof(*acl_arg); acl_narg++)
2802 {
2803 while (*cp && isspace(*cp)) cp++;
2804 if (!*cp) break;
2805 if (!(tmp = string_dequote(&cp)) || !(acl_arg[acl_narg] = expand_string(tmp)))
2806 {
2807 if (expand_string_forcedfail) continue;
2808 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2809 arg, expand_string_message);
2810 return search_find_defer? DEFER : ERROR;
2811 }
2812 }
2813
2814 rc = acl_check_internal(where, addr, name, level+1, user_msgptr, log_msgptr);
2815 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2816 {
2817 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2818 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2819 verbs[verb]);
2820 return ERROR;
2821 }
059ec3d9
PH		 2822 }
2823 break;
2824
2825 case ACLC_AUTHENTICATED:
2826 rc = (sender_host_authenticated == NULL)? FAIL :
2827 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2828 TRUE, NULL);
2829 break;
2830
71fafd95 2831 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2832 case ACLC_BMI_OPTIN:
2833 {
2834 int old_pool = store_pool;
2835 store_pool = POOL_PERM;
2836 bmi_current_optin = string_copy(arg);
2837 store_pool = old_pool;
2838 }
2839 break;
71fafd95 2840 #endif
8523533c 2841
059ec3d9 2842 case ACLC_CONDITION:
f3766eb5
NM		 2843 /* The true/false parsing here should be kept in sync with that used in
2844 expand.c when dealing with ECOND_BOOL so that we don't have too many
2845 different definitions of what can be a boolean. */
059ec3d9
PH		 2846 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2847 rc = (Uatoi(arg) == 0)? FAIL : OK;
2848 else
2849 rc = (strcmpic(arg, US"no") == 0 ||
2850 strcmpic(arg, US"false") == 0)? FAIL :
2851 (strcmpic(arg, US"yes") == 0 ||
2852 strcmpic(arg, US"true") == 0)? OK : DEFER;
2853 if (rc == DEFER)
2854 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2855 break;
2856
c3611384
PH		 2857 case ACLC_CONTINUE: /* Always succeeds */
2858 break;
2859
059ec3d9 2860 case ACLC_CONTROL:
c5fcb476
PH		 2861 control_type = decode_control(arg, &p, where, log_msgptr);
2862
8523533c 2863 /* Check if this control makes sense at this time */
c5fcb476
PH		 2864
2865 if ((control_forbids[control_type] & (1 << where)) != 0)
2866 {
2867 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2868 controls[control_type], acl_wherenames[where]);
2869 return ERROR;
8e669ac1 2870 }
c5fcb476
PH		 2871
2872 switch(control_type)
059ec3d9 2873 {
c46782ef
PH		 2874 case CONTROL_AUTH_UNADVERTISED:
2875 allow_auth_unadvertised = TRUE;
2876 break;
2877
2878 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2879 case CONTROL_BMI_RUN:
2880 bmi_run = 1;
2881 break;
c46782ef
PH		 2882 #endif
2883
80a47a2c 2884 #ifndef DISABLE_DKIM
f7572e5a 2885 case CONTROL_DKIM_VERIFY:
80a47a2c 2886 dkim_disable_verify = TRUE;
f7572e5a
TK		 2887 break;
2888 #endif
2889
13363eba
PP		 2890 case CONTROL_DSCP:
2891 if (*p == '/')
2892 {
2893 int fd, af, level, optname, value;
2894 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2895 a socket; we can accept that, we'll just debug-log failures anyway. */
2896 fd = fileno(smtp_in);
2897 af = ip_get_address_family(fd);
2898 if (af < 0)
2899 {
2900 HDEBUG(D_acl)
2901 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2902 strerror(errno));
2903 break;
2904 }
2905 if (dscp_lookup(p+1, af, &level, &optname, &value))
2906 {
2907 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2908 {
2909 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2910 p+1, strerror(errno));
2911 }
2912 else
2913 {
2914 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2915 }
2916 }
2917 else
2918 {
2919 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2920 return ERROR;
2921 }
2922 }
2923 else
2924 {
2925 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2926 return ERROR;
2927 }
2928 break;
2929
059ec3d9
PH		 2930 case CONTROL_ERROR:
2931 return ERROR;
2932
2933 case CONTROL_CASEFUL_LOCAL_PART:
2934 deliver_localpart = addr->cc_local_part;
2935 break;
2936
2937 case CONTROL_CASELOWER_LOCAL_PART:
2938 deliver_localpart = addr->lc_local_part;
2939 break;
2940
2941 case CONTROL_ENFORCE_SYNC:
2942 smtp_enforce_sync = TRUE;
2943 break;
2944
2945 case CONTROL_NO_ENFORCE_SYNC:
2946 smtp_enforce_sync = FALSE;
2947 break;
2948
c46782ef 2949 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2950 case CONTROL_NO_MBOX_UNSPOOL:
2951 no_mbox_unspool = TRUE;
2952 break;
c46782ef 2953 #endif
8523533c 2954
059ec3d9
PH		 2955 case CONTROL_NO_MULTILINE:
2956 no_multiline_responses = TRUE;
2957 break;
2958
cf8b11a5
PH		 2959 case CONTROL_NO_PIPELINING:
2960 pipelining_enable = FALSE;
2961 break;
2962
047bdd8c
PH		 2963 case CONTROL_NO_DELAY_FLUSH:
2964 disable_delay_flush = TRUE;
2965 break;
2966
4c590bd1
PH		 2967 case CONTROL_NO_CALLOUT_FLUSH:
2968 disable_callout_flush = TRUE;
2969 break;
2970
29aba418 2971 case CONTROL_FAKEDEFER:
8523533c 2972 case CONTROL_FAKEREJECT:
29aba418 2973 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2974 if (*p == '/')
8e669ac1 2975 {
8523533c 2976 uschar *pp = p + 1;
8e669ac1 2977 while (*pp != 0) pp++;
29aba418 2978 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2979 p = pp;
2980 }
2981 else
2982 {
2983 /* Explicitly reset to default string */
29aba418 2984 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2985 }
2986 break;
8523533c 2987
059ec3d9
PH		 2988 case CONTROL_FREEZE:
2989 deliver_freeze = TRUE;
2990 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2991 freeze_tell = freeze_tell_config; /* Reset to configured value */
2992 if (Ustrncmp(p, "/no_tell", 8) == 0)
2993 {
2994 p += 8;
2995 freeze_tell = NULL;
2996 }
2997 if (*p != 0)
2998 {
2999 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3000 return ERROR;
3001 }
059ec3d9
PH		 3002 break;
3003
3004 case CONTROL_QUEUE_ONLY:
3005 queue_only_policy = TRUE;
3006 break;
3007
3008 case CONTROL_SUBMISSION:
87ba3f5f 3009 originator_name = US"";
059ec3d9 3010 submission_mode = TRUE;
69358f02 3011 while (*p == '/')
8e669ac1 3012 {
69358f02
PH		 3013 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3014 {
3015 p += 14;
3016 active_local_sender_retain = TRUE;
8e669ac1
PH		 3017 active_local_from_check = FALSE;
3018 }
69358f02
PH		 3019 else if (Ustrncmp(p, "/domain=", 8) == 0)
3020 {
3021 uschar *pp = p + 8;
8e669ac1 3022 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 3023 submission_domain = string_copyn(p+8, pp-p-8);
3024 p = pp;
3025 }
8857ccfd
PH		 3026 /* The name= option must be last, because it swallows the rest of
3027 the string. */
87ba3f5f
PH		 3028 else if (Ustrncmp(p, "/name=", 6) == 0)
3029 {
3030 uschar *pp = p + 6;
8857ccfd 3031 while (*pp != 0) pp++;
2fe1a124 3032 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3033 big_buffer, big_buffer_size));
8e669ac1 3034 p = pp;
69358f02 3035 }
8e669ac1
PH		 3036 else break;
3037 }
69358f02 3038 if (*p != 0)
059ec3d9 3039 {
69358f02 3040 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3041 return ERROR;
3042 }
3043 break;
8800895a 3044
ed7f7860
PP		 3045 case CONTROL_DEBUG:
3046 while (*p == '/')
3047 {
3048 if (Ustrncmp(p, "/tag=", 5) == 0)
3049 {
3050 uschar *pp = p + 5;
3051 while (*pp != '\0' && *pp != '/') pp++;
3052 debug_tag = string_copyn(p+5, pp-p-5);
3053 p = pp;
3054 }
3055 else if (Ustrncmp(p, "/opts=", 6) == 0)
3056 {
3057 uschar *pp = p + 6;
3058 while (*pp != '\0' && *pp != '/') pp++;
3059 debug_opts = string_copyn(p+6, pp-p-6);
3060 p = pp;
3061 }
3062 }
3063 debug_logging_activate(debug_tag, debug_opts);
3064 break;
3065
8800895a
PH		 3066 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3067 suppress_local_fixups = TRUE;
3068 break;
e4bdf652
JH		 3069
3070 case CONTROL_CUTTHROUGH_DELIVERY:
3071 if (deliver_freeze)
3072 {
3073 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3074 return ERROR;
3075 }
3076 if (queue_only_policy)
3077 {
3078 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3079 return ERROR;
3080 }
3081 cutthrough_delivery = TRUE;
3082 break;
059ec3d9
PH		 3083 }
3084 break;
3085
6a8f9482
TK		 3086 #ifdef EXPERIMENTAL_DCC
3087 case ACLC_DCC:
3088 {
3089 /* Seperate the regular expression and any optional parameters. */
3090 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3091 /* Run the dcc backend. */
3092 rc = dcc_process(&ss);
3093 /* Modify return code based upon the existance of options. */
3094 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3095 != NULL) {
3096 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3097 {
3098 /* FAIL so that the message is passed to the next ACL */
3099 rc = FAIL;
3100 }
3101 }
3102 }
3103 break;
3104 #endif
3105
71fafd95 3106 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3107 case ACLC_DECODE:
3108 rc = mime_decode(&arg);
3109 break;
71fafd95 3110 #endif
8523533c 3111
059ec3d9
PH		 3112 case ACLC_DELAY:
3113 {
3114 int delay = readconf_readtime(arg, 0, FALSE);
3115 if (delay < 0)
3116 {
3117 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3118 "modifier: \"%s\" is not a time value", arg);
3119 return ERROR;
3120 }
3121 else
3122 {
3123 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3124 delay);
3125 if (host_checking)
3126 {
3127 HDEBUG(D_acl)
3128 debug_printf("delay skipped in -bh checking mode\n");
3129 }
010c2d14
PH		 3130
3131 /* It appears to be impossible to detect that a TCP/IP connection has
3132 gone away without reading from it. This means that we cannot shorten
3133 the delay below if the client goes away, because we cannot discover
3134 that the client has closed its end of the connection. (The connection
3135 is actually in a half-closed state, waiting for the server to close its
3136 end.) It would be nice to be able to detect this state, so that the
3137 Exim process is not held up unnecessarily. However, it seems that we
3138 can't. The poll() function does not do the right thing, and in any case
3139 it is not always available.
3140
047bdd8c 3141 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3142 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3143 Also, delays may be specified for non-SMTP input, where smtp_out and
3144 smtp_in will be NULL. Whatever is done must work in all cases.
3145
3146 NOTE 2: The added feature of flushing the output before a delay must
3147 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3148 */
010c2d14 3149
8e669ac1 3150 else
86b8287f 3151 {
14f4a80d 3152 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3153 while (delay > 0) delay = sleep(delay);
8e669ac1 3154 }
059ec3d9
PH		 3155 }
3156 }
3157 break;
3158
71fafd95 3159 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3160 case ACLC_DEMIME:
3161 rc = demime(&arg);
3162 break;
71fafd95 3163 #endif
8523533c 3164
80a47a2c
TK		 3165 #ifndef DISABLE_DKIM
3166 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3167 if (dkim_cur_signer != NULL)
3168 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3169 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3170 else
80a47a2c 3171 rc = FAIL;
71fafd95
PH		 3172 break;
3173
80a47a2c
TK		 3174 case ACLC_DKIM_STATUS:
3175 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3176 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3177 break;
3178 #endif
fb2274d4 3179
059ec3d9
PH		 3180 case ACLC_DNSLISTS:
3181 rc = verify_check_dnsbl(&arg);
3182 break;
3183
3184 case ACLC_DOMAINS:
3185 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3186 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3187 break;
3188
3189 /* The value in tls_cipher is the full cipher name, for example,
3190 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3191 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3192 what may in practice come out of the SSL library - which at the time of
3193 writing is poorly documented. */
3194
3195 case ACLC_ENCRYPTED:
817d9f57 3196 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3197 {
3198 uschar *endcipher = NULL;
817d9f57
JH		 3199 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3200 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3201 {
3202 endcipher = Ustrchr(++cipher, ':');
3203 if (endcipher != NULL) *endcipher = 0;
3204 }
3205 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3206 if (endcipher != NULL) *endcipher = ':';
3207 }
3208 break;
3209
3210 /* Use verify_check_this_host() instead of verify_check_host() so that
3211 we can pass over &host_data to catch any looked up data. Once it has been
3212 set, it retains its value so that it's still there if another ACL verb
3213 comes through here and uses the cache. However, we must put it into
3214 permanent store in case it is also expected to be used in a subsequent
3215 message in the same SMTP connection. */
3216
3217 case ACLC_HOSTS:
3218 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3219 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3220 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3221 break;
3222
3223 case ACLC_LOCAL_PARTS:
3224 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3225 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3226 &deliver_localpart_data);
3227 break;
3228
6ea85e9a
PH		 3229 case ACLC_LOG_REJECT_TARGET:
3230 {
3231 int logbits = 0;
3232 int sep = 0;
3233 uschar *s = arg;
3234 uschar *ss;
3235 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3236 != NULL)
3237 {
3238 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3239 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3240 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3241 else
3242 {
3243 logbits |= LOG_MAIN|LOG_REJECT;
3244 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3245 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3246 }
3247 }
3248 log_reject_target = logbits;
3249 }
3250 break;
3251
059ec3d9
PH		 3252 case ACLC_LOGWRITE:
3253 {
3254 int logbits = 0;
3255 uschar *s = arg;
3256 if (*s == ':')
3257 {
3258 s++;
3259 while (*s != ':')
3260 {
3261 if (Ustrncmp(s, "main", 4) == 0)
3262 { logbits |= LOG_MAIN; s += 4; }
3263 else if (Ustrncmp(s, "panic", 5) == 0)
3264 { logbits |= LOG_PANIC; s += 5; }
3265 else if (Ustrncmp(s, "reject", 6) == 0)
3266 { logbits |= LOG_REJECT; s += 6; }
3267 else
3268 {
3269 logbits = LOG_MAIN|LOG_PANIC;
3270 s = string_sprintf(":unknown log name in \"%s\" in "
3271 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3272 }
3273 if (*s == ',') s++;
3274 }
3275 s++;
3276 }
3277 while (isspace(*s)) s++;
6ea85e9a
PH		 3278
3279
059ec3d9
PH		 3280 if (logbits == 0) logbits = LOG_MAIN;
3281 log_write(0, logbits, "%s", string_printing(s));
3282 }
3283 break;
8e669ac1 3284
71fafd95 3285 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3286 case ACLC_MALWARE:
3287 {
6ea85e9a 3288 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3289 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3290 /* Run the malware backend. */
3291 rc = malware(&ss);
3292 /* Modify return code based upon the existance of options. */
3293 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3294 != NULL) {
3295 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3296 {
3297 /* FAIL so that the message is passed to the next ACL */
3298 rc = FAIL;
3299 }
3300 }
3301 }
3302 break;
3303
3304 case ACLC_MIME_REGEX:
71fafd95 3305 rc = mime_regex(&arg);
8523533c 3306 break;
71fafd95 3307 #endif
059ec3d9 3308
870f6ba8 3309 case ACLC_RATELIMIT:
90fc3069 3310 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3311 break;
3312
059ec3d9
PH		 3313 case ACLC_RECIPIENTS:
3314 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3315 &recipient_data);
3316 break;
3317
71fafd95
PH		 3318 #ifdef WITH_CONTENT_SCAN
3319 case ACLC_REGEX:
3320 rc = regex(&arg);
8523533c 3321 break;
71fafd95 3322 #endif
8523533c 3323
059ec3d9
PH		 3324 case ACLC_SENDER_DOMAINS:
3325 {
3326 uschar *sdomain;
3327 sdomain = Ustrrchr(sender_address, '@');
3328 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3329 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3330 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3331 }
3332 break;
3333
3334 case ACLC_SENDERS:
3335 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3336 sender_address_cache, -1, 0, &sender_data);
3337 break;
3338
3339 /* Connection variables must persist forever */
3340
3341 case ACLC_SET:
3342 {
3343 int old_pool = store_pool;
38a0a95f
PH		 3344 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3345 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3346 store_pool = old_pool;
3347 }
3348 break;
3349
71fafd95 3350 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3351 case ACLC_SPAM:
3352 {
3353 /* Seperate the regular expression and any optional parameters. */
3354 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3355 /* Run the spam backend. */
3356 rc = spam(&ss);
3357 /* Modify return code based upon the existance of options. */
3358 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3359 != NULL) {
3360 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3361 {
3362 /* FAIL so that the message is passed to the next ACL */
3363 rc = FAIL;
3364 }
3365 }
3366 }
3367 break;
71fafd95 3368 #endif
8523533c 3369
71fafd95 3370 #ifdef EXPERIMENTAL_SPF
8523533c 3371 case ACLC_SPF:
65a7d8c3
NM		 3372 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3373 break;
3374 case ACLC_SPF_GUESS:
3375 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3376 break;
71fafd95 3377 #endif
8523533c 3378
059ec3d9
PH		 3379 /* If the verb is WARN, discard any user message from verification, because
3380 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3381 only from explicit "message" modifiers. However, put the user message into
3382 $acl_verify_message so it can be used in subsequent conditions or modifiers
3383 (until something changes it). */
059ec3d9
PH		 3384
3385 case ACLC_VERIFY:
3386 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3387 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3388 if (verb == ACL_WARN) *user_msgptr = NULL;
3389 break;
3390
3391 default:
3392 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3393 "condition %d", cb->type);
3394 break;
3395 }
3396
3397 /* If a condition was negated, invert OK/FAIL. */
3398
3399 if (!cond_modifiers[cb->type] && cb->u.negated)
3400 {
3401 if (rc == OK) rc = FAIL;
3402 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3403 }
3404
3405 if (rc != OK) break; /* Conditions loop */
3406 }
3407
3408
3409/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3410handle the values of these modifiers. If there isn't a log message set, we make
3411it the same as the user message.
059ec3d9
PH		 3412
3413"message" is a user message that will be included in an SMTP response. Unless
3414it is empty, it overrides any previously set user message.
3415
3416"log_message" is a non-user message, and it adds to any existing non-user
3417message that is already set.
3418
4e88a19f
PH		 3419Most verbs have but a single return for which the messages are relevant, but
3420for "discard", it's useful to have the log message both when it succeeds and
3421when it fails. For "accept", the message is used in the OK case if there is no
3422"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3423present. */
059ec3d9 3424
4e88a19f
PH		 3425if (*epp && rc == OK) user_message = NULL;
3426
3427if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3428 {
3429 uschar *expmessage;
4e88a19f
PH		 3430 uschar *old_user_msgptr = *user_msgptr;
3431 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3432
3433 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3434 nested ACLs) are always discarded. This also happens for acceptance verbs
3435 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3436 However, the value of an existing message is available in $acl_verify_message
3437 during expansions. */
3438
4e88a19f
PH		 3439 if (verb == ACL_WARN ||
3440 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3441 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3442
3443 if (user_message != NULL)
3444 {
3445 acl_verify_message = old_user_msgptr;
3446 expmessage = expand_string(user_message);
3447 if (expmessage == NULL)
3448 {
3449 if (!expand_string_forcedfail)
3450 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3451 user_message, expand_string_message);
3452 }
3453 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3454 }
3455
3456 if (log_message != NULL)
3457 {
3458 acl_verify_message = old_log_msgptr;
3459 expmessage = expand_string(log_message);
3460 if (expmessage == NULL)
3461 {
3462 if (!expand_string_forcedfail)
3463 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3464 log_message, expand_string_message);
3465 }
3466 else if (expmessage[0] != 0)
3467 {
3468 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3469 string_sprintf("%s: %s", expmessage, *log_msgptr);
3470 }
3471 }
3472
3473 /* If no log message, default it to the user message */
3474
3475 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3476 }
3477
3478acl_verify_message = NULL;
3479return rc;
3480}
3481
3482
3483
3484
3485
3486/*************************************************
3487* Get line from a literal ACL *
3488*************************************************/
3489
3490/* This function is passed to acl_read() in order to extract individual lines
3491of a literal ACL, which we access via static pointers. We can destroy the
3492contents because this is called only once (the compiled ACL is remembered).
3493
3494This code is intended to treat the data in the same way as lines in the main
3495Exim configuration file. That is:
3496
3497 . Leading spaces are ignored.
3498
3499 . A \ at the end of a line is a continuation - trailing spaces after the \
3500 are permitted (this is because I don't believe in making invisible things
3501 significant). Leading spaces on the continued part of a line are ignored.
3502
3503 . Physical lines starting (significantly) with # are totally ignored, and
3504 may appear within a sequence of backslash-continued lines.
3505
3506 . Blank lines are ignored, but will end a sequence of continuations.
3507
3508Arguments: none
3509Returns: a pointer to the next line
3510*/
3511
3512
3513static uschar *acl_text; /* Current pointer in the text */
3514static uschar *acl_text_end; /* Points one past the terminating '0' */
3515
3516
3517static uschar *
3518acl_getline(void)
3519{
3520uschar *yield;
3521
3522/* This loop handles leading blank lines and comments. */
3523
3524for(;;)
3525 {
3526 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3527 if (*acl_text == 0) return NULL; /* No more data */
3528 yield = acl_text; /* Potential data line */
3529
3530 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3531
3532 /* If we hit the end before a newline, we have the whole logical line. If
3533 it's a comment, there's no more data to be given. Otherwise, yield it. */
3534
3535 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3536
3537 /* After reaching a newline, end this loop if the physical line does not
3538 start with '#'. If it does, it's a comment, and the loop continues. */
3539
3540 if (*yield != '#') break;
3541 }
3542
3543/* This loop handles continuations. We know we have some real data, ending in
3544newline. See if there is a continuation marker at the end (ignoring trailing
3545white space). We know that *yield is not white space, so no need to test for
3546cont > yield in the backwards scanning loop. */
3547
3548for(;;)
3549 {
3550 uschar *cont;
3551 for (cont = acl_text - 1; isspace(*cont); cont--);
3552
3553 /* If no continuation follows, we are done. Mark the end of the line and
3554 return it. */
3555
3556 if (*cont != '\\')
3557 {
3558 *acl_text++ = 0;
3559 return yield;
3560 }
3561
3562 /* We have encountered a continuation. Skip over whitespace at the start of
3563 the next line, and indeed the whole of the next line or lines if they are
3564 comment lines. */
3565
3566 for (;;)
3567 {
3568 while (*(++acl_text) == ' ' || *acl_text == '\t');
3569 if (*acl_text != '#') break;
3570 while (*(++acl_text) != 0 && *acl_text != '\n');
3571 }
3572
3573 /* We have the start of a continuation line. Move all the rest of the data
3574 to join onto the previous line, and then find its end. If the end is not a
3575 newline, we are done. Otherwise loop to look for another continuation. */
3576
3577 memmove(cont, acl_text, acl_text_end - acl_text);
3578 acl_text_end -= acl_text - cont;
3579 acl_text = cont;
3580 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3581 if (*acl_text == 0) return yield;
3582 }
3583
3584/* Control does not reach here */
3585}
3586
3587
3588
3589
3590
3591/*************************************************
3592* Check access using an ACL *
3593*************************************************/
3594
3595/* This function is called from address_check. It may recurse via
3596acl_check_condition() - hence the use of a level to stop looping. The ACL is
3597passed as a string which is expanded. A forced failure implies no access check
3598is required. If the result is a single word, it is taken as the name of an ACL
3599which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3600text, complete with newlines, and parsed as such. In both cases, the ACL check
3601is then run. This function uses an auxiliary function for acl_read() to call
3602for reading individual lines of a literal ACL. This is acl_getline(), which
3603appears immediately above.
3604
3605Arguments:
3606 where where called from
3607 addr address item when called from RCPT; otherwise NULL
3608 s the input string; NULL is the same as an empty ACL => DENY
3609 level the nesting level
3610 user_msgptr where to put a user error (for SMTP response)
3611 log_msgptr where to put a logging message (not for SMTP response)
3612
3613Returns: OK access is granted
3614 DISCARD access is apparently granted...
3615 FAIL access is denied
3616 FAIL_DROP access is denied; drop the connection
3617 DEFER can't tell at the moment
3618 ERROR disaster
3619*/
3620
3621static int
3622acl_check_internal(int where, address_item *addr, uschar *s, int level,
3623 uschar **user_msgptr, uschar **log_msgptr)
3624{
3625int fd = -1;
3626acl_block *acl = NULL;
3627uschar *acl_name = US"inline ACL";
3628uschar *ss;
3629
3630/* Catch configuration loops */
3631
3632if (level > 20)
3633 {
3634 *log_msgptr = US"ACL nested too deep: possible loop";
3635 return ERROR;
3636 }
3637
3638if (s == NULL)
3639 {
3640 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3641 return FAIL;
3642 }
3643
3644/* At top level, we expand the incoming string. At lower levels, it has already
3645been expanded as part of condition processing. */
3646
3647if (level == 0)
3648 {
3649 ss = expand_string(s);
3650 if (ss == NULL)
3651 {
3652 if (expand_string_forcedfail) return OK;
3653 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3654 expand_string_message);
3655 return ERROR;
3656 }
3657 }
3658else ss = s;
3659
3660while (isspace(*ss))ss++;
3661
3662/* If we can't find a named ACL, the default is to parse it as an inline one.
3663(Unless it begins with a slash; non-existent files give rise to an error.) */
3664
3665acl_text = ss;
3666
3667/* Handle the case of a string that does not contain any spaces. Look for a
3668named ACL among those read from the configuration, or a previously read file.
3669It is possible that the pointer to the ACL is NULL if the configuration
3670contains a name with no data. If not found, and the text begins with '/',
3671read an ACL from a file, and save it so it can be re-used. */
3672
3673if (Ustrchr(ss, ' ') == NULL)
3674 {
3675 tree_node *t = tree_search(acl_anchor, ss);
3676 if (t != NULL)
3677 {
3678 acl = (acl_block *)(t->data.ptr);
3679 if (acl == NULL)
3680 {
3681 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3682 return FAIL;
3683 }
3684 acl_name = string_sprintf("ACL \"%s\"", ss);
3685 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3686 }
3687
3688 else if (*ss == '/')
3689 {
3690 struct stat statbuf;
3691 fd = Uopen(ss, O_RDONLY, 0);
3692 if (fd < 0)
3693 {
3694 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3695 strerror(errno));
3696 return ERROR;
3697 }
3698
3699 if (fstat(fd, &statbuf) != 0)
3700 {
3701 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3702 strerror(errno));
3703 return ERROR;
3704 }
3705
3706 acl_text = store_get(statbuf.st_size + 1);
3707 acl_text_end = acl_text + statbuf.st_size + 1;
3708
3709 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3710 {
3711 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3712 ss, strerror(errno));
3713 return ERROR;
3714 }
3715 acl_text[statbuf.st_size] = 0;
f1e894f3 3716 (void)close(fd);
059ec3d9
PH		 3717
3718 acl_name = string_sprintf("ACL \"%s\"", ss);
3719 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3720 }
3721 }
3722
3723/* Parse an ACL that is still in text form. If it came from a file, remember it
3724in the ACL tree, having read it into the POOL_PERM store pool so that it
3725persists between multiple messages. */
3726
3727if (acl == NULL)
3728 {
3729 int old_pool = store_pool;
3730 if (fd >= 0) store_pool = POOL_PERM;
3731 acl = acl_read(acl_getline, log_msgptr);
3732 store_pool = old_pool;
3733 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3734 if (fd >= 0)
3735 {
3736 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3737 Ustrcpy(t->name, ss);
3738 t->data.ptr = acl;
3739 (void)tree_insertnode(&acl_anchor, t);
3740 }
3741 }
3742
3743/* Now we have an ACL to use. It's possible it may be NULL. */
3744
3745while (acl != NULL)
3746 {
3747 int cond;
3748 int basic_errno = 0;
3749 BOOL endpass_seen = FALSE;
3750
3751 *log_msgptr = *user_msgptr = NULL;
3752 acl_temp_details = FALSE;
3753
7353285c 3754 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3755 acl->verb != ACL_ACCEPT &&
3756 acl->verb != ACL_WARN)
3757 {
7353285c 3758 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3759 verbs[acl->verb]);
3760 return ERROR;
3761 }
3762
3763 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3764
3765 /* Clear out any search error message from a previous check before testing
3766 this condition. */
3767
3768 search_error_message = NULL;
3769 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3770 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3771
3772 /* Handle special returns: DEFER causes a return except on a WARN verb;
3773 ERROR always causes a return. */
3774
3775 switch (cond)
3776 {
3777 case DEFER:
6968512f 3778 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3779 if (basic_errno != ERRNO_CALLOUTDEFER)
3780 {
3781 if (search_error_message != NULL && *search_error_message != 0)
3782 *log_msgptr = search_error_message;
3783 if (smtp_return_error_details) acl_temp_details = TRUE;
3784 }
3785 else
3786 {
3787 acl_temp_details = TRUE;
3788 }
3789 if (acl->verb != ACL_WARN) return DEFER;
3790 break;
3791
3792 default: /* Paranoia */
3793 case ERROR:
6968512f 3794 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3795 return ERROR;
3796
3797 case OK:
6968512f
JH		 3798 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3799 verbs[acl->verb], acl_name);
059ec3d9
PH		 3800 break;
3801
3802 case FAIL:
6968512f 3803 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3804 break;
3805
3806 /* DISCARD and DROP can happen only from a nested ACL condition, and
3807 DISCARD can happen only for an "accept" or "discard" verb. */
3808
3809 case DISCARD:
6968512f
JH		 3810 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3811 verbs[acl->verb], acl_name);
059ec3d9
PH		 3812 break;
3813
3814 case FAIL_DROP:
6968512f
JH		 3815 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3816 verbs[acl->verb], acl_name);
059ec3d9
PH		 3817 break;
3818 }
3819
3820 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3821 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3822 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3823
3824 switch(acl->verb)
3825 {
3826 case ACL_ACCEPT:
3827 if (cond == OK || cond == DISCARD) return cond;
3828 if (endpass_seen)
3829 {
3830 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3831 return cond;
3832 }
3833 break;
3834
3835 case ACL_DEFER:
3836 if (cond == OK)
3837 {
3838 acl_temp_details = TRUE;
3839 return DEFER;
3840 }
3841 break;
3842
3843 case ACL_DENY:
3844 if (cond == OK) return FAIL;
3845 break;
3846
3847 case ACL_DISCARD:
3848 if (cond == OK || cond == DISCARD) return DISCARD;
3849 if (endpass_seen)
3850 {
3851 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3852 return cond;
3853 }
3854 break;
3855
3856 case ACL_DROP:
3857 if (cond == OK) return FAIL_DROP;
3858 break;
3859
3860 case ACL_REQUIRE:
3861 if (cond != OK) return cond;
3862 break;
3863
3864 case ACL_WARN:
3865 if (cond == OK)
3866 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3867 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3868 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3869 "condition test deferred%s%s", host_and_ident(TRUE),
3870 (*log_msgptr == NULL)? US"" : US": ",
3871 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3872 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3873 break;
3874
3875 default:
3876 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3877 acl->verb);
3878 break;
3879 }
3880
3881 /* Pass to the next ACL item */
3882
3883 acl = acl->next;
3884 }
3885
3886/* We have reached the end of the ACL. This is an implicit DENY. */
3887
3888HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3889return FAIL;
3890}
3891
3892
333eea9c
JH		 3893
3894
3895/* Same args as acl_check_internal() above, but the string s is
3896the name of an ACL followed optionally by up to 9 space-separated arguments.
3897The name and args are separately expanded. Args go into $acl_arg globals. */
3898int
3899acl_check_args(int where, address_item *addr, uschar *s, int level,
3900 uschar **user_msgptr, uschar **log_msgptr)
3901{
3902uschar * tmp;
3903uschar * name;
3904
3905if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
3906 goto bad;
3907
3908for (acl_narg = 0; acl_narg < sizeof(acl_arg)/sizeof(*acl_arg); acl_narg++)
3909 {
3910 while (*s && isspace(*s)) s++;
3911 if (!*s) break;
3912 if (!(tmp = string_dequote(&s)) || !(acl_arg[acl_narg] = expand_string(tmp)))
3913 {
3914 tmp = name;
3915 goto bad;
3916 }
3917 }
3918
3919return acl_check_internal(where, addr, name, level+1, user_msgptr, log_msgptr);
3920
3921bad:
3922if (expand_string_forcedfail) return ERROR;
3923*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3924 tmp, expand_string_message);
3925return search_find_defer?DEFER:ERROR;
3926}
3927
3928
3929
059ec3d9
PH		 3930/*************************************************
3931* Check access using an ACL *
3932*************************************************/
3933
3934/* This is the external interface for ACL checks. It sets up an address and the
3935expansions for $domain and $local_part when called after RCPT, then calls
3936acl_check_internal() to do the actual work.
3937
3938Arguments:
3939 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3940 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3941 s the input string; NULL is the same as an empty ACL => DENY
3942 user_msgptr where to put a user error (for SMTP response)
3943 log_msgptr where to put a logging message (not for SMTP response)
3944
3945Returns: OK access is granted by an ACCEPT verb
3946 DISCARD access is granted by a DISCARD verb
3947 FAIL access is denied
3948 FAIL_DROP access is denied; drop the connection
3949 DEFER can't tell at the moment
3950 ERROR disaster
3951*/
3952
3953int
64ffc24f 3954acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3955 uschar **log_msgptr)
3956{
3957int rc;
3958address_item adb;
64ffc24f 3959address_item *addr = NULL;
059ec3d9
PH		 3960
3961*user_msgptr = *log_msgptr = NULL;
3962sender_verified_failed = NULL;
fe0dab11 3963ratelimiters_cmd = NULL;
6ea85e9a 3964log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3965
3966if (where == ACL_WHERE_RCPT)
3967 {
3968 adb = address_defaults;
3969 addr = &adb;
64ffc24f 3970 addr->address = recipient;
059ec3d9
PH		 3971 if (deliver_split_address(addr) == DEFER)
3972 {
3973 *log_msgptr = US"defer in percent_hack_domains check";
3974 return DEFER;
3975 }
3976 deliver_domain = addr->domain;
3977 deliver_localpart = addr->local_part;
3978 }
059ec3d9
PH		 3979
3980rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3981
817d9f57
JH		 3982/* Cutthrough - if requested,
3983and WHERE_RCPT and not yet opened conn as result of recipient-verify,
3984and rcpt acl returned accept,
3985and first recipient (cancel on any subsequents)
e4bdf652 3986open one now and run it up to RCPT acceptance.
e4bdf652 3987A failed verify should cancel cutthrough request.
e4bdf652 3988
817d9f57 3989Initial implementation: dual-write to spool.
e4bdf652
JH		 3990Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
3991
3992Cease cutthrough copy on rxd final dot; do not send one.
3993
3994On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
3995
3996On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
3997perm-rejected, reflect that to the original sender - and dump the spooled copy.
3998If temp-reject, close the conn (and keep the spooled copy).
3999If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4000*/
4001switch (where)
4002{
4003case ACL_WHERE_RCPT:
4004 if( rcpt_count > 1 )
2e5b33cd 4005 cancel_cutthrough_connection("more than one recipient");
e4bdf652
JH		 4006 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4007 open_cutthrough_connection(addr);
4008 break;
4009
4010case ACL_WHERE_PREDATA:
4011 if( rc == OK )
4012 cutthrough_predata();
4013 else
2e5b33cd 4014 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 4015 break;
4016
4017case ACL_WHERE_QUIT:
4018case ACL_WHERE_NOTQUIT:
2e5b33cd 4019 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 4020 break;
4021
4022default:
4023 break;
4024}
4025
64ffc24f
PH		 4026deliver_domain = deliver_localpart = deliver_address_data =
4027 sender_address_data = NULL;
059ec3d9
PH		 4028
4029/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4030ACL, which is really in the middle of an SMTP command. */
4031
4032if (rc == DISCARD)
4033 {
4034 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4035 {
4036 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4037 "ACL", acl_wherenames[where]);
4038 return ERROR;
4039 }
4040 return DISCARD;
4041 }
4042
4043/* A DROP response is not permitted from MAILAUTH */
4044
4045if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4046 {
4047 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4048 "ACL", acl_wherenames[where]);
4049 return ERROR;
4050 }
4051
4e88a19f
PH		 4052/* Before giving a response, take a look at the length of any user message, and
4053split it up into multiple lines if possible. */
059ec3d9 4054
e28326d8
PH		 4055*user_msgptr = string_split_message(*user_msgptr);
4056if (fake_response != OK)
4057 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4058
4059return rc;
4060}
4061
38a0a95f
PH		 4062
4063
4064/*************************************************
4065* Create ACL variable *
4066*************************************************/
4067
4068/* Create an ACL variable or reuse an existing one. ACL variables are in a
4069binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4070
4071Argument:
4072 name pointer to the variable's name, starting with c or m
4073
4074Returns the pointer to variable's tree node
4075*/
4076
4077tree_node *
4078acl_var_create(uschar *name)
4079{
4080tree_node *node, **root;
4081root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4082node = tree_search(*root, name);
4083if (node == NULL)
4084 {
4085 node = store_get(sizeof(tree_node) + Ustrlen(name));
4086 Ustrcpy(node->name, name);
4087 (void)tree_insertnode(root, node);
4088 }
4089node->data.ptr = NULL;
4090return node;
4091}
4092
4093
4094
4095/*************************************************
4096* Write an ACL variable in spool format *
4097*************************************************/
4098
4099/* This function is used as a callback for tree_walk when writing variables to
4100the spool file. To retain spool file compatibility, what is written is -aclc or
4101-aclm followed by the rest of the name and the data length, space separated,
4102then the value itself, starting on a new line, and terminated by an additional
4103newline. When we had only numbered ACL variables, the first line might look
4104like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4105acl_cfoo.
4106
4107Arguments:
4108 name of the variable
4109 value of the variable
4110 ctx FILE pointer (as a void pointer)
4111
4112Returns: nothing
4113*/
4114
4115void
4116acl_var_write(uschar *name, uschar *value, void *ctx)
4117{
4118FILE *f = (FILE *)ctx;
4119fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4120}
4121
059ec3d9 4122/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.