projects / exim.git / blob
? search:


5ea8535219201b6f315c4530b318a825e7b3f44f
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.33 2005/05/23 15:28:38 fanf2 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
249
250 static unsigned int cond_forbids[] = {
251 0, /* acl */
252
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
255
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264 #endif
265
266 0, /* condition */
267
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
270
271 0, /* control */
272
273 #ifdef WITH_CONTENT_SCAN
274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
276 #endif
277
278 0, /* delay */
279
280 #ifdef WITH_OLD_DEMIME
281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
283 #endif
284
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
293
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
301
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
309
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
317
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
325
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333 #endif
334
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
342
343 0, /* endpass */
344
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
349
350 0, /* log_message */
351
352 0, /* logwrite */
353
354 #ifdef WITH_CONTENT_SCAN
355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
357 #endif
358
359 0, /* message */
360
361 #ifdef WITH_CONTENT_SCAN
362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
364 #endif
365
366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
368
369 #ifdef WITH_CONTENT_SCAN
370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
373 #endif
374
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
389 #ifdef WITH_CONTENT_SCAN
390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
392 #endif
393
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400 #endif
401
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
406 };
407
408
409 /* Return values from decode_control() */
410
411 enum {
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
414 #endif
415 #ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
417 #endif
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
423 #endif
424 CONTROL_FAKEDEFER, CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
425
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
429
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433 #endif
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
436 #endif
437
438 0, /* error */
439
440 (unsigned int)
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
442
443 (unsigned int)
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
445
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
447
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
449
450 (unsigned int)
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
454
455 (unsigned int)
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
459
460 (unsigned int)
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
463
464 #ifdef WITH_CONTENT_SCAN
465 (unsigned int)
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
469 #endif
470
471 (unsigned int)
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
475
476 (unsigned int)
477 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
479 (1<<ACL_WHERE_MIME)),
480
481 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
482 };
483
484 /* Structure listing various control arguments, with their characteristics. */
485
486 typedef struct control_def {
487 uschar *name;
488 int value; /* CONTROL_xxx value */
489 BOOL has_option; /* Has /option(s) following */
490 } control_def;
491
492 static control_def controls_list[] = {
493 #ifdef EXPERIMENTAL_BRIGHTMAIL
494 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
495 #endif
496 #ifdef EXPERIMENTAL_DOMAINKEYS
497 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
498 #endif
499 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
500 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
501 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
502 { US"freeze", CONTROL_FREEZE, FALSE},
503 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
504 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
505 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
506 #ifdef WITH_CONTENT_SCAN
507 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
508 #endif
509 { US"fakedefer", CONTROL_FAKEDEFER, TRUE},
510 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
511 { US"submission", CONTROL_SUBMISSION, TRUE}
512 };
513
514 /* Support data structures for Client SMTP Authorization. acl_verify_csa()
515 caches its result in a tree to avoid repeated DNS queries. The result is an
516 integer code which is used as an index into the following tables of
517 explanatory strings and verification return codes. */
518
519 static tree_node *csa_cache = NULL;
520
521 enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
522 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
523
524 /* The acl_verify_csa() return code is translated into an acl_verify() return
525 code using the following table. It is OK unless the client is definitely not
526 authorized. This is because CSA is supposed to be optional for sending sites,
527 so recipients should not be too strict about checking it - especially because
528 DNS problems are quite likely to occur. It's possible to use $csa_status in
529 further ACL conditions to distinguish ok, unknown, and defer if required, but
530 the aim is to make the usual configuration simple. */
531
532 static int csa_return_code[] = {
533 OK, OK, OK, OK,
534 FAIL, FAIL, FAIL, FAIL
535 };
536
537 static uschar *csa_status_string[] = {
538 US"unknown", US"ok", US"defer", US"defer",
539 US"fail", US"fail", US"fail", US"fail"
540 };
541
542 static uschar *csa_reason_string[] = {
543 US"unknown",
544 US"ok",
545 US"deferred (SRV lookup failed)",
546 US"deferred (target address lookup failed)",
547 US"failed (explicit authorization required)",
548 US"failed (host name not authorized)",
549 US"failed (no authorized addresses)",
550 US"failed (client address mismatch)"
551 };
552
553 /* Enable recursion between acl_check_internal() and acl_check_condition() */
554
555 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
556 uschar **);
557
558
559 /*************************************************
560 * Pick out name from list *
561 *************************************************/
562
563 /* Use a binary chop method
564
565 Arguments:
566 name name to find
567 list list of names
568 end size of list
569
570 Returns: offset in list, or -1 if not found
571 */
572
573 static int
574 acl_checkname(uschar *name, uschar **list, int end)
575 {
576 int start = 0;
577
578 while (start < end)
579 {
580 int mid = (start + end)/2;
581 int c = Ustrcmp(name, list[mid]);
582 if (c == 0) return mid;
583 if (c < 0) end = mid; else start = mid + 1;
584 }
585
586 return -1;
587 }
588
589
590 /*************************************************
591 * Read and parse one ACL *
592 *************************************************/
593
594 /* This function is called both from readconf in order to parse the ACLs in the
595 configuration file, and also when an ACL is encountered dynamically (e.g. as
596 the result of an expansion). It is given a function to call in order to
597 retrieve the lines of the ACL. This function handles skipping comments and
598 blank lines (where relevant).
599
600 Arguments:
601 func function to get next line of ACL
602 error where to put an error message
603
604 Returns: pointer to ACL, or NULL
605 NULL can be legal (empty ACL); in this case error will be NULL
606 */
607
608 acl_block *
609 acl_read(uschar *(*func)(void), uschar **error)
610 {
611 acl_block *yield = NULL;
612 acl_block **lastp = &yield;
613 acl_block *this = NULL;
614 acl_condition_block *cond;
615 acl_condition_block **condp = NULL;
616 uschar *s;
617
618 *error = NULL;
619
620 while ((s = (*func)()) != NULL)
621 {
622 int v, c;
623 BOOL negated = FALSE;
624 uschar *saveline = s;
625 uschar name[64];
626
627 /* Conditions (but not verbs) are allowed to be negated by an initial
628 exclamation mark. */
629
630 while (isspace(*s)) s++;
631 if (*s == '!')
632 {
633 negated = TRUE;
634 s++;
635 }
636
637 /* Read the name of a verb or a condition, or the start of a new ACL, which
638 can be started by a name, or by a macro definition. */
639
640 s = readconf_readname(name, sizeof(name), s);
641 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
642
643 /* If a verb is unrecognized, it may be another condition or modifier that
644 continues the previous verb. */
645
646 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
647 if (v < 0)
648 {
649 if (this == NULL)
650 {
651 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
652 return NULL;
653 }
654 }
655
656 /* New verb */
657
658 else
659 {
660 if (negated)
661 {
662 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
663 return NULL;
664 }
665 this = store_get(sizeof(acl_block));
666 *lastp = this;
667 lastp = &(this->next);
668 this->next = NULL;
669 this->verb = v;
670 this->condition = NULL;
671 condp = &(this->condition);
672 if (*s == 0) continue; /* No condition on this line */
673 if (*s == '!')
674 {
675 negated = TRUE;
676 s++;
677 }
678 s = readconf_readname(name, sizeof(name), s); /* Condition name */
679 }
680
681 /* Handle a condition or modifier. */
682
683 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
684 if (c < 0)
685 {
686 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
687 saveline);
688 return NULL;
689 }
690
691 /* The modifiers may not be negated */
692
693 if (negated && cond_modifiers[c])
694 {
695 *error = string_sprintf("ACL error: negation is not allowed with "
696 "\"%s\"", conditions[c]);
697 return NULL;
698 }
699
700 /* ENDPASS may occur only with ACCEPT or DISCARD. */
701
702 if (c == ACLC_ENDPASS &&
703 this->verb != ACL_ACCEPT &&
704 this->verb != ACL_DISCARD)
705 {
706 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
707 conditions[c], verbs[this->verb]);
708 return NULL;
709 }
710
711 cond = store_get(sizeof(acl_condition_block));
712 cond->next = NULL;
713 cond->type = c;
714 cond->u.negated = negated;
715
716 *condp = cond;
717 condp = &(cond->next);
718
719 /* The "set" modifier is different in that its argument is "name=value"
720 rather than just a value, and we can check the validity of the name, which
721 gives us a variable number to insert into the data block. */
722
723 if (c == ACLC_SET)
724 {
725 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
726 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
727 {
728 *error = string_sprintf("unrecognized name after \"set\" in ACL "
729 "modifier \"set %s\"", s);
730 return NULL;
731 }
732
733 cond->u.varnumber = s[5] - '0';
734 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
735 s += 6;
736 while (isspace(*s)) s++;
737 }
738
739 /* For "set", we are now positioned for the data. For the others, only
740 "endpass" has no data */
741
742 if (c != ACLC_ENDPASS)
743 {
744 if (*s++ != '=')
745 {
746 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
747 cond_modifiers[c]? US"modifier" : US"condition");
748 return NULL;
749 }
750 while (isspace(*s)) s++;
751 cond->arg = string_copy(s);
752 }
753 }
754
755 return yield;
756 }
757
758
759
760 /*************************************************
761 * Handle warnings *
762 *************************************************/
763
764 /* This function is called when a WARN verb's conditions are true. It adds to
765 the message's headers, and/or writes information to the log. In each case, this
766 only happens once (per message for headers, per connection for log).
767
768 Arguments:
769 where ACL_WHERE_xxxx indicating which ACL this is
770 user_message message for adding to headers
771 log_message message for logging, if different
772
773 Returns: nothing
774 */
775
776 static void
777 acl_warn(int where, uschar *user_message, uschar *log_message)
778 {
779 int hlen;
780
781 if (log_message != NULL && log_message != user_message)
782 {
783 uschar *text;
784 string_item *logged;
785
786 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
787 string_printing(log_message));
788
789 /* If a sender verification has failed, and the log message is "sender verify
790 failed", add the failure message. */
791
792 if (sender_verified_failed != NULL &&
793 sender_verified_failed->message != NULL &&
794 strcmpic(log_message, US"sender verify failed") == 0)
795 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
796
797 /* Search previously logged warnings. They are kept in malloc
798 store so they can be freed at the start of a new message. */
799
800 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
801 if (Ustrcmp(logged->text, text) == 0) break;
802
803 if (logged == NULL)
804 {
805 int length = Ustrlen(text) + 1;
806 log_write(0, LOG_MAIN, "%s", text);
807 logged = store_malloc(sizeof(string_item) + length);
808 logged->text = (uschar *)logged + sizeof(string_item);
809 memcpy(logged->text, text, length);
810 logged->next = acl_warn_logged;
811 acl_warn_logged = logged;
812 }
813 }
814
815 /* If there's no user message, we are done. */
816
817 if (user_message == NULL) return;
818
819 /* If this isn't a message ACL, we can't do anything with a user message.
820 Log an error. */
821
822 if (where > ACL_WHERE_NOTSMTP)
823 {
824 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
825 "found in a non-message (%s) ACL: cannot specify header lines here: "
826 "message ignored", acl_wherenames[where]);
827 return;
828 }
829
830 /* Treat the user message as a sequence of one or more header lines. */
831
832 hlen = Ustrlen(user_message);
833 if (hlen > 0)
834 {
835 uschar *text, *p, *q;
836
837 /* Add a final newline if not present */
838
839 text = ((user_message)[hlen-1] == '\n')? user_message :
840 string_sprintf("%s\n", user_message);
841
842 /* Loop for multiple header lines, taking care about continuations */
843
844 for (p = q = text; *p != 0; )
845 {
846 uschar *s;
847 int newtype = htype_add_bot;
848 header_line **hptr = &acl_warn_headers;
849
850 /* Find next header line within the string */
851
852 for (;;)
853 {
854 q = Ustrchr(q, '\n');
855 if (*(++q) != ' ' && *q != '\t') break;
856 }
857
858 /* If the line starts with a colon, interpret the instruction for where to
859 add it. This temporarily sets up a new type. */
860
861 if (*p == ':')
862 {
863 if (strncmpic(p, US":after_received:", 16) == 0)
864 {
865 newtype = htype_add_rec;
866 p += 16;
867 }
868 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
869 {
870 newtype = htype_add_rfc;
871 p += 14;
872 }
873 else if (strncmpic(p, US":at_start:", 10) == 0)
874 {
875 newtype = htype_add_top;
876 p += 10;
877 }
878 else if (strncmpic(p, US":at_end:", 8) == 0)
879 {
880 newtype = htype_add_bot;
881 p += 8;
882 }
883 while (*p == ' ' || *p == '\t') p++;
884 }
885
886 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
887 to the front of it. */
888
889 for (s = p; s < q - 1; s++)
890 {
891 if (*s == ':' || !isgraph(*s)) break;
892 }
893
894 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
895 hlen = Ustrlen(s);
896
897 /* See if this line has already been added */
898
899 while (*hptr != NULL)
900 {
901 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
902 hptr = &((*hptr)->next);
903 }
904
905 /* Add if not previously present */
906
907 if (*hptr == NULL)
908 {
909 header_line *h = store_get(sizeof(header_line));
910 h->text = s;
911 h->next = NULL;
912 h->type = newtype;
913 h->slen = hlen;
914 *hptr = h;
915 hptr = &(h->next);
916 }
917
918 /* Advance for next header line within the string */
919
920 p = q;
921 }
922 }
923 }
924
925
926
927 /*************************************************
928 * Verify and check reverse DNS *
929 *************************************************/
930
931 /* Called from acl_verify() below. We look up the host name(s) of the client IP
932 address if this has not yet been done. The host_name_lookup() function checks
933 that one of these names resolves to an address list that contains the client IP
934 address, so we don't actually have to do the check here.
935
936 Arguments:
937 user_msgptr pointer for user message
938 log_msgptr pointer for log message
939
940 Returns: OK verification condition succeeded
941 FAIL verification failed
942 DEFER there was a problem verifying
943 */
944
945 static int
946 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
947 {
948 int rc;
949
950 user_msgptr = user_msgptr; /* stop compiler warning */
951
952 /* Previous success */
953
954 if (sender_host_name != NULL) return OK;
955
956 /* Previous failure */
957
958 if (host_lookup_failed)
959 {
960 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
961 return FAIL;
962 }
963
964 /* Need to do a lookup */
965
966 HDEBUG(D_acl)
967 debug_printf("looking up host name to force name/address consistency check\n");
968
969 if ((rc = host_name_lookup()) != OK)
970 {
971 *log_msgptr = (rc == DEFER)?
972 US"host lookup deferred for reverse lookup check"
973 :
974 string_sprintf("host lookup failed for reverse lookup check%s",
975 host_lookup_msg);
976 return rc; /* DEFER or FAIL */
977 }
978
979 host_build_sender_fullhost();
980 return OK;
981 }
982
983
984
985 /*************************************************
986 * Check client IP address matches CSA target *
987 *************************************************/
988
989 /* Called from acl_verify_csa() below. This routine scans a section of a DNS
990 response for address records belonging to the CSA target hostname. The section
991 is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
992 If one of the addresses matches the client's IP address, then the client is
993 authorized by CSA. If there are target IP addresses but none of them match
994 then the client is using an unauthorized IP address. If there are no target IP
995 addresses then the client cannot be using an authorized IP address. (This is
996 an odd configuration - why didn't the SRV record have a weight of 1 instead?)
997
998 Arguments:
999 dnsa the DNS answer block
1000 dnss a DNS scan block for us to use
1001 reset option specifing what portion to scan, as described above
1002 target the target hostname to use for matching RR names
1003
1004 Returns: CSA_OK successfully authorized
1005 CSA_FAIL_MISMATCH addresses found but none matched
1006 CSA_FAIL_NOADDR no target addresses found
1007 */
1008
1009 static int
1010 acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1011 uschar *target)
1012 {
1013 dns_record *rr;
1014 dns_address *da;
1015
1016 BOOL target_found = FALSE;
1017
1018 for (rr = dns_next_rr(dnsa, dnss, reset);
1019 rr != NULL;
1020 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1021 {
1022 /* Check this is an address RR for the target hostname. */
1023
1024 if (rr->type != T_A
1025 #if HAVE_IPV6
1026 && rr->type != T_AAAA
1027 #ifdef SUPPORT_A6
1028 && rr->type != T_A6
1029 #endif
1030 #endif
1031 ) continue;
1032
1033 if (strcmpic(target, rr->name) != 0) continue;
1034
1035 target_found = TRUE;
1036
1037 /* Turn the target address RR into a list of textual IP addresses and scan
1038 the list. There may be more than one if it is an A6 RR. */
1039
1040 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1041 {
1042 /* If the client IP address matches the target IP address, it's good! */
1043
1044 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1045
1046 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1047 }
1048 }
1049
1050 /* If we found some target addresses but none of them matched, the client is
1051 using an unauthorized IP address, otherwise the target has no authorized IP
1052 addresses. */
1053
1054 if (target_found) return CSA_FAIL_MISMATCH;
1055 else return CSA_FAIL_NOADDR;
1056 }
1057
1058
1059
1060 /*************************************************
1061 * Verify Client SMTP Authorization *
1062 *************************************************/
1063
1064 /* Called from acl_verify() below. This routine calls dns_lookup_special()
1065 to find the CSA SRV record corresponding to the domain argument, or
1066 $sender_helo_name if no argument is provided. It then checks that the
1067 client is authorized, and that its IP address corresponds to the SRV
1068 target's address by calling acl_verify_csa_address() above. The address
1069 should have been returned in the DNS response's ADDITIONAL section, but if
1070 not we perform another DNS lookup to get it.
1071
1072 Arguments:
1073 domain pointer to optional parameter following verify = csa
1074
1075 Returns: CSA_UNKNOWN no valid CSA record found
1076 CSA_OK successfully authorized
1077 CSA_FAIL_* client is definitely not authorized
1078 CSA_DEFER_* there was a DNS problem
1079 */
1080
1081 static int
1082 acl_verify_csa(uschar *domain)
1083 {
1084 tree_node *t;
1085 uschar *found, *p;
1086 int priority, weight, port;
1087 dns_answer dnsa;
1088 dns_scan dnss;
1089 dns_record *rr;
1090 int rc, type;
1091 uschar target[256];
1092
1093 /* Work out the domain we are using for the CSA lookup. The default is the
1094 client's HELO domain. If the client has not said HELO, use its IP address
1095 instead. If it's a local client (exim -bs), CSA isn't applicable. */
1096
1097 while (isspace(*domain) && *domain != '\0') ++domain;
1098 if (*domain == '\0') domain = sender_helo_name;
1099 if (domain == NULL) domain = sender_host_address;
1100 if (sender_host_address == NULL) return CSA_UNKNOWN;
1101
1102 /* If we have an address literal, strip off the framing ready for turning it
1103 into a domain. The framing consists of matched square brackets possibly
1104 containing a keyword and a colon before the actual IP address. */
1105
1106 if (domain[0] == '[')
1107 {
1108 uschar *start = Ustrchr(domain, ':');
1109 if (start == NULL) start = domain;
1110 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1111 }
1112
1113 /* Turn domains that look like bare IP addresses into domains in the reverse
1114 DNS. This code also deals with address literals and $sender_host_address. It's
1115 not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1116 address literals, but it's probably the most friendly thing to do. This is an
1117 extension to CSA, so we allow it to be turned off for proper conformance. */
1118
1119 if (string_is_ip_address(domain, NULL))
1120 {
1121 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1122 dns_build_reverse(domain, target);
1123 domain = target;
1124 }
1125
1126 /* Find out if we've already done the CSA check for this domain. If we have,
1127 return the same result again. Otherwise build a new cached result structure
1128 for this domain. The name is filled in now, and the value is filled in when
1129 we return from this function. */
1130
1131 t = tree_search(csa_cache, domain);
1132 if (t != NULL) return t->data.val;
1133
1134 t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1135 Ustrcpy(t->name, domain);
1136 (void)tree_insertnode(&csa_cache, t);
1137
1138 /* Now we are ready to do the actual DNS lookup(s). */
1139
1140 switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1141 {
1142 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1143
1144 default:
1145 return t->data.val = CSA_DEFER_SRV;
1146
1147 /* If we found nothing, the client's authorization is unknown. */
1148
1149 case DNS_NOMATCH:
1150 case DNS_NODATA:
1151 return t->data.val = CSA_UNKNOWN;
1152
1153 /* We got something! Go on to look at the reply in more detail. */
1154
1155 case DNS_SUCCEED:
1156 break;
1157 }
1158
1159 /* Scan the reply for well-formed CSA SRV records. */
1160
1161 for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1162 rr != NULL;
1163 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1164 {
1165 if (rr->type != T_SRV) continue;
1166
1167 /* Extract the numerical SRV fields (p is incremented) */
1168
1169 p = rr->data;
1170 GETSHORT(priority, p);
1171 GETSHORT(weight, p);
1172 GETSHORT(port, p);
1173
1174 DEBUG(D_acl)
1175 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1176
1177 /* Check the CSA version number */
1178
1179 if (priority != 1) continue;
1180
1181 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1182 found by dns_special_lookup() is a parent of the one we asked for), we check
1183 the subdomain assertions in the port field. At the moment there's only one
1184 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1185 SRV records of their own. */
1186
1187 if (found != domain)
1188 {
1189 if (port & 1)
1190 return t->data.val = CSA_FAIL_EXPLICIT;
1191 else
1192 return t->data.val = CSA_UNKNOWN;
1193 }
1194
1195 /* This CSA SRV record refers directly to our domain, so we check the value
1196 in the weight field to work out the domain's authorization. 0 and 1 are
1197 unauthorized; 3 means the client is authorized but we can't check the IP
1198 address in order to authenticate it, so we treat it as unknown; values
1199 greater than 3 are undefined. */
1200
1201 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1202
1203 if (weight > 2) continue;
1204
1205 /* Weight == 2, which means the domain is authorized. We must check that the
1206 client's IP address is listed as one of the SRV target addresses. Save the
1207 target hostname then break to scan the additional data for its addresses. */
1208
1209 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1210 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1211
1212 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1213
1214 break;
1215 }
1216
1217 /* If we didn't break the loop then no appropriate records were found. */
1218
1219 if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1220
1221 /* Do not check addresses if the target is ".", in accordance with RFC 2782.
1222 A target of "." indicates there are no valid addresses, so the client cannot
1223 be authorized. (This is an odd configuration because weight=2 target=. is
1224 equivalent to weight=1, but we check for it in order to keep load off the
1225 root name servers.) Note that dn_expand() turns "." into "". */
1226
1227 if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1228
1229 /* Scan the additional section of the CSA SRV reply for addresses belonging
1230 to the target. If the name server didn't return any additional data (e.g.
1231 because it does not fully support SRV records), we need to do another lookup
1232 to obtain the target addresses; otherwise we have a definitive result. */
1233
1234 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1235 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1236
1237 /* The DNS lookup type corresponds to the IP version used by the client. */
1238
1239 #if HAVE_IPV6
1240 if (Ustrchr(sender_host_address, ':') != NULL)
1241 type = T_AAAA;
1242 else
1243 #endif /* HAVE_IPV6 */
1244 type = T_A;
1245
1246
1247 #if HAVE_IPV6 && defined(SUPPORT_A6)
1248 DNS_LOOKUP_AGAIN:
1249 #endif
1250
1251 switch (dns_lookup(&dnsa, target, type, NULL))
1252 {
1253 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1254
1255 default:
1256 return t->data.val = CSA_DEFER_ADDR;
1257
1258 /* If the query succeeded, scan the addresses and return the result. */
1259
1260 case DNS_SUCCEED:
1261 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1262 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1263 /* else fall through */
1264
1265 /* If the target has no IP addresses, the client cannot have an authorized
1266 IP address. However, if the target site uses A6 records (not AAAA records)
1267 we have to do yet another lookup in order to check them. */
1268
1269 case DNS_NOMATCH:
1270 case DNS_NODATA:
1271
1272 #if HAVE_IPV6 && defined(SUPPORT_A6)
1273 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1274 #endif
1275
1276 return t->data.val = CSA_FAIL_NOADDR;
1277 }
1278 }
1279
1280
1281
1282 /*************************************************
1283 * Handle verification (address & other) *
1284 *************************************************/
1285
1286 /* This function implements the "verify" condition. It is called when
1287 encountered in any ACL, because some tests are almost always permitted. Some
1288 just don't make sense, and always fail (for example, an attempt to test a host
1289 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1290
1291 Arguments:
1292 where where called from
1293 addr the recipient address that the ACL is handling, or NULL
1294 arg the argument of "verify"
1295 user_msgptr pointer for user message
1296 log_msgptr pointer for log message
1297 basic_errno where to put verify errno
1298
1299 Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1302 ERROR syntax error
1303 */
1304
1305 static int
1306 acl_verify(int where, address_item *addr, uschar *arg,
1307 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1308 {
1309 int sep = '/';
1310 int callout = -1;
1311 int callout_overall = -1;
1312 int callout_connect = -1;
1313 int verify_options = 0;
1314 int rc;
1315 BOOL verify_header_sender = FALSE;
1316 BOOL defer_ok = FALSE;
1317 BOOL callout_defer_ok = FALSE;
1318 BOOL no_details = FALSE;
1319 address_item *sender_vaddr = NULL;
1320 uschar *verify_sender_address = NULL;
1321 uschar *pm_mailfrom = NULL;
1322 uschar *se_mailfrom = NULL;
1323
1324 /* Some of the verify items have slash-separated options; some do not. Diagnose
1325 an error if options are given for items that don't expect them. This code has
1326 now got very message. Refactoring to use a table would be a good idea one day.
1327 */
1328
1329 uschar *slash = Ustrchr(arg, '/');
1330 uschar *list = arg;
1331 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1332
1333 if (ss == NULL) goto BAD_VERIFY;
1334
1335 /* Handle name/address consistency verification in a separate function. */
1336
1337 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1338 {
1339 if (slash != NULL) goto NO_OPTIONS;
1340 if (sender_host_address == NULL) return OK;
1341 return acl_verify_reverse(user_msgptr, log_msgptr);
1342 }
1343
1344 /* TLS certificate verification is done at STARTTLS time; here we just
1345 test whether it was successful or not. (This is for optional verification; for
1346 mandatory verification, the connection doesn't last this long.) */
1347
1348 if (strcmpic(ss, US"certificate") == 0)
1349 {
1350 if (slash != NULL) goto NO_OPTIONS;
1351 if (tls_certificate_verified) return OK;
1352 *user_msgptr = US"no verified certificate";
1353 return FAIL;
1354 }
1355
1356 /* We can test the result of optional HELO verification */
1357
1358 if (strcmpic(ss, US"helo") == 0)
1359 {
1360 if (slash != NULL) goto NO_OPTIONS;
1361 return helo_verified? OK : FAIL;
1362 }
1363
1364 /* Do Client SMTP Authorization checks in a separate function, and turn the
1365 result code into user-friendly strings. */
1366
1367 if (strcmpic(ss, US"csa") == 0)
1368 {
1369 rc = acl_verify_csa(list);
1370 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1371 csa_reason_string[rc]);
1372 csa_status = csa_status_string[rc];
1373 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1374 return csa_return_code[rc];
1375 }
1376
1377 /* Check that all relevant header lines have the correct syntax. If there is
1378 a syntax error, we return details of the error to the sender if configured to
1379 send out full details. (But a "message" setting on the ACL can override, as
1380 always). */
1381
1382 if (strcmpic(ss, US"header_syntax") == 0)
1383 {
1384 if (slash != NULL) goto NO_OPTIONS;
1385 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1386 {
1387 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1388 "(only possible in ACL for DATA)", acl_wherenames[where]);
1389 return ERROR;
1390 }
1391 rc = verify_check_headers(log_msgptr);
1392 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1393 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1394 return rc;
1395 }
1396
1397
1398 /* The remaining verification tests check recipient and sender addresses,
1399 either from the envelope or from the header. There are a number of
1400 slash-separated options that are common to all of them. */
1401
1402
1403 /* Check that there is at least one verifiable sender address in the relevant
1404 header lines. This can be followed by callout and defer options, just like
1405 sender and recipient. */
1406
1407 if (strcmpic(ss, US"header_sender") == 0)
1408 {
1409 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1410 {
1411 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1412 "(only possible in ACL for DATA)", acl_wherenames[where]);
1413 return ERROR;
1414 }
1415 verify_header_sender = TRUE;
1416 }
1417
1418 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1419 In the case of a sender, this can optionally be followed by an address to use
1420 in place of the actual sender (rare special-case requirement). */
1421
1422 else if (strncmpic(ss, US"sender", 6) == 0)
1423 {
1424 uschar *s = ss + 6;
1425 if (where > ACL_WHERE_NOTSMTP)
1426 {
1427 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1428 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1429 acl_wherenames[where]);
1430 return ERROR;
1431 }
1432 if (*s == 0)
1433 verify_sender_address = sender_address;
1434 else
1435 {
1436 while (isspace(*s)) s++;
1437 if (*s++ != '=') goto BAD_VERIFY;
1438 while (isspace(*s)) s++;
1439 verify_sender_address = string_copy(s);
1440 }
1441 }
1442 else
1443 {
1444 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1445 if (addr == NULL)
1446 {
1447 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1448 "(only possible for RCPT)", acl_wherenames[where]);
1449 return ERROR;
1450 }
1451 }
1452
1453 /* Remaining items are optional; they apply to sender and recipient
1454 verification, including "header sender" verification. */
1455
1456 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1457 != NULL)
1458 {
1459 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1460 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1461
1462 /* These two old options are left for backwards compatibility */
1463
1464 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1465 {
1466 callout_defer_ok = TRUE;
1467 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1468 }
1469
1470 else if (strcmpic(ss, US"check_postmaster") == 0)
1471 {
1472 pm_mailfrom = US"";
1473 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1474 }
1475
1476 /* The callout option has a number of sub-options, comma separated */
1477
1478 else if (strncmpic(ss, US"callout", 7) == 0)
1479 {
1480 callout = CALLOUT_TIMEOUT_DEFAULT;
1481 ss += 7;
1482 if (*ss != 0)
1483 {
1484 while (isspace(*ss)) ss++;
1485 if (*ss++ == '=')
1486 {
1487 int optsep = ',';
1488 uschar *opt;
1489 uschar buffer[256];
1490 while (isspace(*ss)) ss++;
1491
1492 /* This callout option handling code has become a mess as new options
1493 have been added in an ad hoc manner. It should be tidied up into some
1494 kind of table-driven thing. */
1495
1496 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1497 != NULL)
1498 {
1499 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1500 else if (strcmpic(opt, US"no_cache") == 0)
1501 verify_options |= vopt_callout_no_cache;
1502 else if (strcmpic(opt, US"random") == 0)
1503 verify_options |= vopt_callout_random;
1504 else if (strcmpic(opt, US"use_sender") == 0)
1505 verify_options |= vopt_callout_recipsender;
1506 else if (strcmpic(opt, US"use_postmaster") == 0)
1507 verify_options |= vopt_callout_recippmaster;
1508 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1509
1510 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1511 {
1512 if (!verify_header_sender)
1513 {
1514 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1515 "callout option only for verify=header_sender (detected in ACL "
1516 "condition \"%s\")", arg);
1517 return ERROR;
1518 }
1519 opt += 8;
1520 while (isspace(*opt)) opt++;
1521 if (*opt++ != '=')
1522 {
1523 *log_msgptr = string_sprintf("'=' expected after "
1524 "\"mailfrom\" in ACL condition \"%s\"", arg);
1525 return ERROR;
1526 }
1527 while (isspace(*opt)) opt++;
1528 se_mailfrom = string_copy(opt);
1529 }
1530
1531 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1532 {
1533 opt += 19;
1534 while (isspace(*opt)) opt++;
1535 if (*opt++ != '=')
1536 {
1537 *log_msgptr = string_sprintf("'=' expected after "
1538 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1539 return ERROR;
1540 }
1541 while (isspace(*opt)) opt++;
1542 pm_mailfrom = string_copy(opt);
1543 }
1544
1545 else if (strncmpic(opt, US"maxwait", 7) == 0)
1546 {
1547 opt += 7;
1548 while (isspace(*opt)) opt++;
1549 if (*opt++ != '=')
1550 {
1551 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1552 "ACL condition \"%s\"", arg);
1553 return ERROR;
1554 }
1555 while (isspace(*opt)) opt++;
1556 callout_overall = readconf_readtime(opt, 0, FALSE);
1557 if (callout_overall < 0)
1558 {
1559 *log_msgptr = string_sprintf("bad time value in ACL condition "
1560 "\"verify %s\"", arg);
1561 return ERROR;
1562 }
1563 }
1564 else if (strncmpic(opt, US"connect", 7) == 0)
1565 {
1566 opt += 7;
1567 while (isspace(*opt)) opt++;
1568 if (*opt++ != '=')
1569 {
1570 *log_msgptr = string_sprintf("'=' expected after "
1571 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1572 return ERROR;
1573 }
1574 while (isspace(*opt)) opt++;
1575 callout_connect = readconf_readtime(opt, 0, FALSE);
1576 if (callout_connect < 0)
1577 {
1578 *log_msgptr = string_sprintf("bad time value in ACL condition "
1579 "\"verify %s\"", arg);
1580 return ERROR;
1581 }
1582 }
1583 else /* Plain time is callout connect/command timeout */
1584 {
1585 callout = readconf_readtime(opt, 0, FALSE);
1586 if (callout < 0)
1587 {
1588 *log_msgptr = string_sprintf("bad time value in ACL condition "
1589 "\"verify %s\"", arg);
1590 return ERROR;
1591 }
1592 }
1593 }
1594 }
1595 else
1596 {
1597 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1598 "ACL condition \"%s\"", arg);
1599 return ERROR;
1600 }
1601 }
1602 }
1603
1604 /* Option not recognized */
1605
1606 else
1607 {
1608 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1609 "condition \"verify %s\"", ss, arg);
1610 return ERROR;
1611 }
1612 }
1613
1614 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1615 (vopt_callout_recipsender|vopt_callout_recippmaster))
1616 {
1617 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1618 "for a recipient callout";
1619 return ERROR;
1620 }
1621
1622 /* Handle sender-in-header verification. Default the user message to the log
1623 message if giving out verification details. */
1624
1625 if (verify_header_sender)
1626 {
1627 int verrno;
1628 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1629 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1630 &verrno);
1631 if (rc != OK)
1632 {
1633 *basic_errno = verrno;
1634 if (smtp_return_error_details)
1635 {
1636 if (*user_msgptr == NULL && *log_msgptr != NULL)
1637 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1638 if (rc == DEFER) acl_temp_details = TRUE;
1639 }
1640 }
1641 }
1642
1643 /* Handle a sender address. The default is to verify *the* sender address, but
1644 optionally a different address can be given, for special requirements. If the
1645 address is empty, we are dealing with a bounce message that has no sender, so
1646 we cannot do any checking. If the real sender address gets rewritten during
1647 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1648 during message reception.
1649
1650 A list of verified "sender" addresses is kept to try to avoid doing to much
1651 work repetitively when there are multiple recipients in a message and they all
1652 require sender verification. However, when callouts are involved, it gets too
1653 complicated because different recipients may require different callout options.
1654 Therefore, we always do a full sender verify when any kind of callout is
1655 specified. Caching elsewhere, for instance in the DNS resolver and in the
1656 callout handling, should ensure that this is not terribly inefficient. */
1657
1658 else if (verify_sender_address != NULL)
1659 {
1660 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1661 != 0)
1662 {
1663 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1664 "sender verify callout";
1665 return ERROR;
1666 }
1667
1668 sender_vaddr = verify_checked_sender(verify_sender_address);
1669 if (sender_vaddr != NULL && /* Previously checked */
1670 callout <= 0) /* No callout needed this time */
1671 {
1672 /* If the "routed" flag is set, it means that routing worked before, so
1673 this check can give OK (the saved return code value, if set, belongs to a
1674 callout that was done previously). If the "routed" flag is not set, routing
1675 must have failed, so we use the saved return code. */
1676
1677 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1678 {
1679 rc = sender_vaddr->special_action;
1680 *basic_errno = sender_vaddr->basic_errno;
1681 }
1682 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1683 }
1684
1685 /* Do a new verification, and cache the result. The cache is used to avoid
1686 verifying the sender multiple times for multiple RCPTs when callouts are not
1687 specified (see comments above).
1688
1689 The cache is also used on failure to give details in response to the first
1690 RCPT that gets bounced for this reason. However, this can be suppressed by
1691 the no_details option, which sets the flag that says "this detail has already
1692 been sent". The cache normally contains just one address, but there may be
1693 more in esoteric circumstances. */
1694
1695 else
1696 {
1697 BOOL routed = TRUE;
1698 uschar *save_address_data = deliver_address_data;
1699
1700 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1701 if (no_details) setflag(sender_vaddr, af_sverify_told);
1702 if (verify_sender_address[0] != 0)
1703 {
1704 /* If this is the real sender address, save the unrewritten version
1705 for use later in receive. Otherwise, set a flag so that rewriting the
1706 sender in verify_address() does not update sender_address. */
1707
1708 if (verify_sender_address == sender_address)
1709 sender_address_unrewritten = sender_address;
1710 else
1711 verify_options |= vopt_fake_sender;
1712
1713 /* The recipient, qualify, and expn options are never set in
1714 verify_options. */
1715
1716 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1717 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1718
1719 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1720
1721 if (rc == OK)
1722 {
1723 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1724 {
1725 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1726 verify_sender_address, sender_vaddr->address);
1727 }
1728 else
1729 {
1730 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1731 verify_sender_address);
1732 }
1733 }
1734 else *basic_errno = sender_vaddr->basic_errno;
1735 }
1736 else rc = OK; /* Null sender */
1737
1738 /* Cache the result code */
1739
1740 if (routed) setflag(sender_vaddr, af_verify_routed);
1741 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1742 sender_vaddr->special_action = rc;
1743 sender_vaddr->next = sender_verified_list;
1744 sender_verified_list = sender_vaddr;
1745
1746 /* Restore the recipient address data, which might have been clobbered by
1747 the sender verification. */
1748
1749 deliver_address_data = save_address_data;
1750 }
1751
1752 /* Put the sender address_data value into $sender_address_data */
1753
1754 sender_address_data = sender_vaddr->p.address_data;
1755 }
1756
1757 /* A recipient address just gets a straightforward verify; again we must handle
1758 the DEFER overrides. */
1759
1760 else
1761 {
1762 address_item addr2;
1763
1764 /* We must use a copy of the address for verification, because it might
1765 get rewritten. */
1766
1767 addr2 = *addr;
1768 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1769 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1770 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1771
1772 *log_msgptr = addr2.message;
1773 *user_msgptr = (addr2.user_message != NULL)?
1774 addr2.user_message : addr2.message;
1775 *basic_errno = addr2.basic_errno;
1776
1777 /* Make $address_data visible */
1778 deliver_address_data = addr2.p.address_data;
1779 }
1780
1781 /* We have a result from the relevant test. Handle defer overrides first. */
1782
1783 if (rc == DEFER && (defer_ok ||
1784 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1785 {
1786 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1787 defer_ok? "defer_ok" : "callout_defer_ok");
1788 rc = OK;
1789 }
1790
1791 /* If we've failed a sender, set up a recipient message, and point
1792 sender_verified_failed to the address item that actually failed. */
1793
1794 if (rc != OK && verify_sender_address != NULL)
1795 {
1796 if (rc != DEFER)
1797 {
1798 *log_msgptr = *user_msgptr = US"Sender verify failed";
1799 }
1800 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1801 {
1802 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1803 }
1804 else
1805 {
1806 *log_msgptr = US"Could not complete sender verify callout";
1807 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1808 *log_msgptr;
1809 }
1810
1811 sender_verified_failed = sender_vaddr;
1812 }
1813
1814 /* Verifying an address messes up the values of $domain and $local_part,
1815 so reset them before returning if this is a RCPT ACL. */
1816
1817 if (addr != NULL)
1818 {
1819 deliver_domain = addr->domain;
1820 deliver_localpart = addr->local_part;
1821 }
1822 return rc;
1823
1824 /* Syntax errors in the verify argument come here. */
1825
1826 BAD_VERIFY:
1827 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1828 "\"helo\", \"header_syntax\", \"header_sender\" or "
1829 "\"reverse_host_lookup\" at start of ACL condition "
1830 "\"verify %s\"", arg);
1831 return ERROR;
1832
1833 /* Options supplied when not allowed come here */
1834
1835 NO_OPTIONS:
1836 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1837 "(this verify item has no options)", arg);
1838 return ERROR;
1839 }
1840
1841
1842
1843
1844 /*************************************************
1845 * Check argument for control= modifier *
1846 *************************************************/
1847
1848 /* Called from acl_check_condition() below
1849
1850 Arguments:
1851 arg the argument string for control=
1852 pptr set to point to the terminating character
1853 where which ACL we are in
1854 log_msgptr for error messages
1855
1856 Returns: CONTROL_xxx value
1857 */
1858
1859 static int
1860 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1861 {
1862 int len;
1863 control_def *d;
1864
1865 for (d = controls_list;
1866 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1867 d++)
1868 {
1869 len = Ustrlen(d->name);
1870 if (Ustrncmp(d->name, arg, len) == 0) break;
1871 }
1872
1873 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1874 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1875 {
1876 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1877 return CONTROL_ERROR;
1878 }
1879
1880 *pptr = arg + len;
1881 return d->value;
1882 }
1883
1884
1885
1886 /*************************************************
1887 * Handle conditions/modifiers on an ACL item *
1888 *************************************************/
1889
1890 /* Called from acl_check() below.
1891
1892 Arguments:
1893 verb ACL verb
1894 cb ACL condition block - if NULL, result is OK
1895 where where called from
1896 addr the address being checked for RCPT, or NULL
1897 level the nesting level
1898 epp pointer to pass back TRUE if "endpass" encountered
1899 (applies only to "accept" and "discard")
1900 user_msgptr user message pointer
1901 log_msgptr log message pointer
1902 basic_errno pointer to where to put verify error
1903
1904 Returns: OK - all conditions are met
1905 DISCARD - an "acl" condition returned DISCARD - only allowed
1906 for "accept" or "discard" verbs
1907 FAIL - at least one condition fails
1908 FAIL_DROP - an "acl" condition returned FAIL_DROP
1909 DEFER - can't tell at the moment (typically, lookup defer,
1910 but can be temporary callout problem)
1911 ERROR - ERROR from nested ACL or expansion failure or other
1912 error
1913 */
1914
1915 static int
1916 acl_check_condition(int verb, acl_condition_block *cb, int where,
1917 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1918 uschar **log_msgptr, int *basic_errno)
1919 {
1920 uschar *user_message = NULL;
1921 uschar *log_message = NULL;
1922 uschar *p;
1923 int rc = OK;
1924 #ifdef WITH_CONTENT_SCAN
1925 int sep = '/';
1926 #endif
1927
1928 for (; cb != NULL; cb = cb->next)
1929 {
1930 uschar *arg;
1931 int control_type;
1932
1933 /* The message and log_message items set up messages to be used in
1934 case of rejection. They are expanded later. */
1935
1936 if (cb->type == ACLC_MESSAGE)
1937 {
1938 user_message = cb->arg;
1939 continue;
1940 }
1941
1942 if (cb->type == ACLC_LOG_MESSAGE)
1943 {
1944 log_message = cb->arg;
1945 continue;
1946 }
1947
1948 /* The endpass "condition" just sets a flag to show it occurred. This is
1949 checked at compile time to be on an "accept" or "discard" item. */
1950
1951 if (cb->type == ACLC_ENDPASS)
1952 {
1953 *epp = TRUE;
1954 continue;
1955 }
1956
1957 /* For other conditions and modifiers, the argument is expanded now for some
1958 of them, but not for all, because expansion happens down in some lower level
1959 checking functions in some cases. */
1960
1961 if (cond_expand_at_top[cb->type])
1962 {
1963 arg = expand_string(cb->arg);
1964 if (arg == NULL)
1965 {
1966 if (expand_string_forcedfail) continue;
1967 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1968 cb->arg, expand_string_message);
1969 return search_find_defer? DEFER : ERROR;
1970 }
1971 }
1972 else arg = cb->arg;
1973
1974 /* Show condition, and expanded condition if it's different */
1975
1976 HDEBUG(D_acl)
1977 {
1978 int lhswidth = 0;
1979 debug_printf("check %s%s %n",
1980 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1981 conditions[cb->type], &lhswidth);
1982
1983 if (cb->type == ACLC_SET)
1984 {
1985 int n = cb->u.varnumber;
1986 int t = (n < ACL_C_MAX)? 'c' : 'm';
1987 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1988 debug_printf("acl_%c%d ", t, n);
1989 lhswidth += 7;
1990 }
1991
1992 debug_printf("= %s\n", cb->arg);
1993
1994 if (arg != cb->arg)
1995 debug_printf("%.*s= %s\n", lhswidth,
1996 US" ", CS arg);
1997 }
1998
1999 /* Check that this condition makes sense at this time */
2000
2001 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2002 {
2003 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2004 cond_modifiers[cb->type]? "use" : "test",
2005 conditions[cb->type], acl_wherenames[where]);
2006 return ERROR;
2007 }
2008
2009 /* Run the appropriate test for each condition, or take the appropriate
2010 action for the remaining modifiers. */
2011
2012 switch(cb->type)
2013 {
2014 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2015 "discard" verb. */
2016
2017 case ACLC_ACL:
2018 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2019 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2020 {
2021 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2022 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2023 verbs[verb]);
2024 return ERROR;
2025 }
2026 break;
2027
2028 case ACLC_AUTHENTICATED:
2029 rc = (sender_host_authenticated == NULL)? FAIL :
2030 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2031 TRUE, NULL);
2032 break;
2033
2034 #ifdef EXPERIMENTAL_BRIGHTMAIL
2035 case ACLC_BMI_OPTIN:
2036 {
2037 int old_pool = store_pool;
2038 store_pool = POOL_PERM;
2039 bmi_current_optin = string_copy(arg);
2040 store_pool = old_pool;
2041 }
2042 break;
2043 #endif
2044
2045 case ACLC_CONDITION:
2046 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2047 rc = (Uatoi(arg) == 0)? FAIL : OK;
2048 else
2049 rc = (strcmpic(arg, US"no") == 0 ||
2050 strcmpic(arg, US"false") == 0)? FAIL :
2051 (strcmpic(arg, US"yes") == 0 ||
2052 strcmpic(arg, US"true") == 0)? OK : DEFER;
2053 if (rc == DEFER)
2054 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2055 break;
2056
2057 case ACLC_CONTROL:
2058 control_type = decode_control(arg, &p, where, log_msgptr);
2059
2060 /* Check if this control makes sense at this time */
2061
2062 if ((control_forbids[control_type] & (1 << where)) != 0)
2063 {
2064 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2065 controls[control_type], acl_wherenames[where]);
2066 return ERROR;
2067 }
2068
2069 switch(control_type)
2070 {
2071 #ifdef EXPERIMENTAL_BRIGHTMAIL
2072 case CONTROL_BMI_RUN:
2073 bmi_run = 1;
2074 break;
2075 #endif
2076 #ifdef EXPERIMENTAL_DOMAINKEYS
2077 case CONTROL_DK_VERIFY:
2078 dk_do_verify = 1;
2079 break;
2080 #endif
2081 case CONTROL_ERROR:
2082 return ERROR;
2083
2084 case CONTROL_CASEFUL_LOCAL_PART:
2085 deliver_localpart = addr->cc_local_part;
2086 break;
2087
2088 case CONTROL_CASELOWER_LOCAL_PART:
2089 deliver_localpart = addr->lc_local_part;
2090 break;
2091
2092 case CONTROL_ENFORCE_SYNC:
2093 smtp_enforce_sync = TRUE;
2094 break;
2095
2096 case CONTROL_NO_ENFORCE_SYNC:
2097 smtp_enforce_sync = FALSE;
2098 break;
2099
2100 #ifdef WITH_CONTENT_SCAN
2101 case CONTROL_NO_MBOX_UNSPOOL:
2102 no_mbox_unspool = TRUE;
2103 break;
2104 #endif
2105
2106 case CONTROL_NO_MULTILINE:
2107 no_multiline_responses = TRUE;
2108 break;
2109
2110 case CONTROL_FAKEDEFER:
2111 case CONTROL_FAKEREJECT:
2112 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
2113 if (*p == '/')
2114 {
2115 uschar *pp = p + 1;
2116 while (*pp != 0) pp++;
2117 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
2118 p = pp;
2119 }
2120 else
2121 {
2122 /* Explicitly reset to default string */
2123 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
2124 }
2125 break;
2126
2127 case CONTROL_FREEZE:
2128 deliver_freeze = TRUE;
2129 deliver_frozen_at = time(NULL);
2130 break;
2131
2132 case CONTROL_QUEUE_ONLY:
2133 queue_only_policy = TRUE;
2134 break;
2135
2136 case CONTROL_SUBMISSION:
2137 originator_name = US"";
2138 submission_mode = TRUE;
2139 while (*p == '/')
2140 {
2141 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2142 {
2143 p += 14;
2144 active_local_sender_retain = TRUE;
2145 active_local_from_check = FALSE;
2146 }
2147 else if (Ustrncmp(p, "/domain=", 8) == 0)
2148 {
2149 uschar *pp = p + 8;
2150 while (*pp != 0 && *pp != '/') pp++;
2151 submission_domain = string_copyn(p+8, pp-p-8);
2152 p = pp;
2153 }
2154 else if (Ustrncmp(p, "/name=", 6) == 0)
2155 {
2156 uschar *pp = p + 6;
2157 while (*pp != 0 && *pp != '/') pp++;
2158 originator_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2159 big_buffer, big_buffer_size));
2160 p = pp;
2161 }
2162 else break;
2163 }
2164 if (*p != 0)
2165 {
2166 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2167 return ERROR;
2168 }
2169 break;
2170 }
2171 break;
2172
2173 #ifdef WITH_CONTENT_SCAN
2174 case ACLC_DECODE:
2175 rc = mime_decode(&arg);
2176 break;
2177 #endif
2178
2179 case ACLC_DELAY:
2180 {
2181 int delay = readconf_readtime(arg, 0, FALSE);
2182 if (delay < 0)
2183 {
2184 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2185 "modifier: \"%s\" is not a time value", arg);
2186 return ERROR;
2187 }
2188 else
2189 {
2190 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2191 delay);
2192 if (host_checking)
2193 {
2194 HDEBUG(D_acl)
2195 debug_printf("delay skipped in -bh checking mode\n");
2196 }
2197
2198 /* It appears to be impossible to detect that a TCP/IP connection has
2199 gone away without reading from it. This means that we cannot shorten
2200 the delay below if the client goes away, because we cannot discover
2201 that the client has closed its end of the connection. (The connection
2202 is actually in a half-closed state, waiting for the server to close its
2203 end.) It would be nice to be able to detect this state, so that the
2204 Exim process is not held up unnecessarily. However, it seems that we
2205 can't. The poll() function does not do the right thing, and in any case
2206 it is not always available.
2207
2208 NOTE: If ever this state of affairs changes, remember that we may be
2209 dealing with stdin/stdout here, in addition to TCP/IP connections.
2210 Whatever is done must work in both cases. To detected the stdin/stdout
2211 case, check for smtp_in or smtp_out being NULL. */
2212
2213 else
2214 {
2215 while (delay > 0) delay = sleep(delay);
2216 }
2217 }
2218 }
2219 break;
2220
2221 #ifdef WITH_OLD_DEMIME
2222 case ACLC_DEMIME:
2223 rc = demime(&arg);
2224 break;
2225 #endif
2226
2227 #ifdef EXPERIMENTAL_DOMAINKEYS
2228 case ACLC_DK_DOMAIN_SOURCE:
2229 if (dk_verify_block == NULL) { rc = FAIL; break; };
2230 /* check header source of domain against given string */
2231 switch (dk_verify_block->address_source) {
2232 case DK_EXIM_ADDRESS_FROM_FROM:
2233 rc = match_isinlist(US"from", &arg, 0, NULL,
2234 NULL, MCL_STRING, TRUE, NULL);
2235 break;
2236 case DK_EXIM_ADDRESS_FROM_SENDER:
2237 rc = match_isinlist(US"sender", &arg, 0, NULL,
2238 NULL, MCL_STRING, TRUE, NULL);
2239 break;
2240 case DK_EXIM_ADDRESS_NONE:
2241 rc = match_isinlist(US"none", &arg, 0, NULL,
2242 NULL, MCL_STRING, TRUE, NULL);
2243 break;
2244 }
2245 break;
2246 case ACLC_DK_POLICY:
2247 if (dk_verify_block == NULL) { rc = FAIL; break; };
2248 /* check policy against given string, default FAIL */
2249 rc = FAIL;
2250 if (dk_verify_block->signsall)
2251 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2252 NULL, MCL_STRING, TRUE, NULL);
2253 if (dk_verify_block->testing)
2254 rc = match_isinlist(US"testing", &arg, 0, NULL,
2255 NULL, MCL_STRING, TRUE, NULL);
2256 break;
2257 case ACLC_DK_SENDER_DOMAINS:
2258 if (dk_verify_block == NULL) { rc = FAIL; break; };
2259 if (dk_verify_block->domain != NULL)
2260 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2261 NULL, MCL_DOMAIN, TRUE, NULL);
2262 else rc = FAIL;
2263 break;
2264 case ACLC_DK_SENDER_LOCAL_PARTS:
2265 if (dk_verify_block == NULL) { rc = FAIL; break; };
2266 if (dk_verify_block->local_part != NULL)
2267 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2268 NULL, MCL_LOCALPART, TRUE, NULL);
2269 else rc = FAIL;
2270 break;
2271 case ACLC_DK_SENDERS:
2272 if (dk_verify_block == NULL) { rc = FAIL; break; };
2273 if (dk_verify_block->address != NULL)
2274 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2275 else rc = FAIL;
2276 break;
2277 case ACLC_DK_STATUS:
2278 if (dk_verify_block == NULL) { rc = FAIL; break; };
2279 if (dk_verify_block->result > 0) {
2280 switch(dk_verify_block->result) {
2281 case DK_EXIM_RESULT_BAD_FORMAT:
2282 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2283 NULL, MCL_STRING, TRUE, NULL);
2284 break;
2285 case DK_EXIM_RESULT_NO_KEY:
2286 rc = match_isinlist(US"no key", &arg, 0, NULL,
2287 NULL, MCL_STRING, TRUE, NULL);
2288 break;
2289 case DK_EXIM_RESULT_NO_SIGNATURE:
2290 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2291 NULL, MCL_STRING, TRUE, NULL);
2292 break;
2293 case DK_EXIM_RESULT_REVOKED:
2294 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2295 NULL, MCL_STRING, TRUE, NULL);
2296 break;
2297 case DK_EXIM_RESULT_NON_PARTICIPANT:
2298 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2299 NULL, MCL_STRING, TRUE, NULL);
2300 break;
2301 case DK_EXIM_RESULT_GOOD:
2302 rc = match_isinlist(US"good", &arg, 0, NULL,
2303 NULL, MCL_STRING, TRUE, NULL);
2304 break;
2305 case DK_EXIM_RESULT_BAD:
2306 rc = match_isinlist(US"bad", &arg, 0, NULL,
2307 NULL, MCL_STRING, TRUE, NULL);
2308 break;
2309 }
2310 }
2311 break;
2312 #endif
2313
2314 case ACLC_DNSLISTS:
2315 rc = verify_check_dnsbl(&arg);
2316 break;
2317
2318 case ACLC_DOMAINS:
2319 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2320 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2321 break;
2322
2323 /* The value in tls_cipher is the full cipher name, for example,
2324 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2325 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2326 what may in practice come out of the SSL library - which at the time of
2327 writing is poorly documented. */
2328
2329 case ACLC_ENCRYPTED:
2330 if (tls_cipher == NULL) rc = FAIL; else
2331 {
2332 uschar *endcipher = NULL;
2333 uschar *cipher = Ustrchr(tls_cipher, ':');
2334 if (cipher == NULL) cipher = tls_cipher; else
2335 {
2336 endcipher = Ustrchr(++cipher, ':');
2337 if (endcipher != NULL) *endcipher = 0;
2338 }
2339 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2340 if (endcipher != NULL) *endcipher = ':';
2341 }
2342 break;
2343
2344 /* Use verify_check_this_host() instead of verify_check_host() so that
2345 we can pass over &host_data to catch any looked up data. Once it has been
2346 set, it retains its value so that it's still there if another ACL verb
2347 comes through here and uses the cache. However, we must put it into
2348 permanent store in case it is also expected to be used in a subsequent
2349 message in the same SMTP connection. */
2350
2351 case ACLC_HOSTS:
2352 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2353 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2354 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2355 break;
2356
2357 case ACLC_LOCAL_PARTS:
2358 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2359 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2360 &deliver_localpart_data);
2361 break;
2362
2363 case ACLC_LOGWRITE:
2364 {
2365 int logbits = 0;
2366 uschar *s = arg;
2367 if (*s == ':')
2368 {
2369 s++;
2370 while (*s != ':')
2371 {
2372 if (Ustrncmp(s, "main", 4) == 0)
2373 { logbits |= LOG_MAIN; s += 4; }
2374 else if (Ustrncmp(s, "panic", 5) == 0)
2375 { logbits |= LOG_PANIC; s += 5; }
2376 else if (Ustrncmp(s, "reject", 6) == 0)
2377 { logbits |= LOG_REJECT; s += 6; }
2378 else
2379 {
2380 logbits = LOG_MAIN|LOG_PANIC;
2381 s = string_sprintf(":unknown log name in \"%s\" in "
2382 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2383 }
2384 if (*s == ',') s++;
2385 }
2386 s++;
2387 }
2388 while (isspace(*s)) s++;
2389 if (logbits == 0) logbits = LOG_MAIN;
2390 log_write(0, logbits, "%s", string_printing(s));
2391 }
2392 break;
2393
2394 #ifdef WITH_CONTENT_SCAN
2395 case ACLC_MALWARE:
2396 {
2397 /* Seperate the regular expression and any optional parameters. */
2398 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2399 /* Run the malware backend. */
2400 rc = malware(&ss);
2401 /* Modify return code based upon the existance of options. */
2402 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2403 != NULL) {
2404 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2405 {
2406 /* FAIL so that the message is passed to the next ACL */
2407 rc = FAIL;
2408 }
2409 }
2410 }
2411 break;
2412
2413 case ACLC_MIME_REGEX:
2414 rc = mime_regex(&arg);
2415 break;
2416 #endif
2417
2418 case ACLC_RECIPIENTS:
2419 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2420 &recipient_data);
2421 break;
2422
2423 #ifdef WITH_CONTENT_SCAN
2424 case ACLC_REGEX:
2425 rc = regex(&arg);
2426 break;
2427 #endif
2428
2429 case ACLC_SENDER_DOMAINS:
2430 {
2431 uschar *sdomain;
2432 sdomain = Ustrrchr(sender_address, '@');
2433 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2434 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2435 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2436 }
2437 break;
2438
2439 case ACLC_SENDERS:
2440 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2441 sender_address_cache, -1, 0, &sender_data);
2442 break;
2443
2444 /* Connection variables must persist forever */
2445
2446 case ACLC_SET:
2447 {
2448 int old_pool = store_pool;
2449 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2450 acl_var[cb->u.varnumber] = string_copy(arg);
2451 store_pool = old_pool;
2452 }
2453 break;
2454
2455 #ifdef WITH_CONTENT_SCAN
2456 case ACLC_SPAM:
2457 {
2458 /* Seperate the regular expression and any optional parameters. */
2459 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2460 /* Run the spam backend. */
2461 rc = spam(&ss);
2462 /* Modify return code based upon the existance of options. */
2463 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2464 != NULL) {
2465 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2466 {
2467 /* FAIL so that the message is passed to the next ACL */
2468 rc = FAIL;
2469 }
2470 }
2471 }
2472 break;
2473 #endif
2474
2475 #ifdef EXPERIMENTAL_SPF
2476 case ACLC_SPF:
2477 rc = spf_process(&arg, sender_address);
2478 break;
2479 #endif
2480
2481 /* If the verb is WARN, discard any user message from verification, because
2482 such messages are SMTP responses, not header additions. The latter come
2483 only from explicit "message" modifiers. However, put the user message into
2484 $acl_verify_message so it can be used in subsequent conditions or modifiers
2485 (until something changes it). */
2486
2487 case ACLC_VERIFY:
2488 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2489 acl_verify_message = *user_msgptr;
2490 if (verb == ACL_WARN) *user_msgptr = NULL;
2491 break;
2492
2493 default:
2494 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2495 "condition %d", cb->type);
2496 break;
2497 }
2498
2499 /* If a condition was negated, invert OK/FAIL. */
2500
2501 if (!cond_modifiers[cb->type] && cb->u.negated)
2502 {
2503 if (rc == OK) rc = FAIL;
2504 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2505 }
2506
2507 if (rc != OK) break; /* Conditions loop */
2508 }
2509
2510
2511 /* If the result is the one for which "message" and/or "log_message" are used,
2512 handle the values of these options. Most verbs have but a single return for
2513 which the messages are relevant, but for "discard", it's useful to have the log
2514 message both when it succeeds and when it fails. Also, for an "accept" that
2515 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2516 and "warn" are permitted in that ACL, we don't need to test the verb.
2517
2518 These modifiers act in different ways:
2519
2520 "message" is a user message that will be included in an SMTP response. Unless
2521 it is empty, it overrides any previously set user message.
2522
2523 "log_message" is a non-user message, and it adds to any existing non-user
2524 message that is already set.
2525
2526 If there isn't a log message set, we make it the same as the user message. */
2527
2528 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2529 (verb == ACL_DISCARD && rc == OK) ||
2530 (where == ACL_WHERE_QUIT))
2531 {
2532 uschar *expmessage;
2533
2534 /* If the verb is "warn", messages generated by conditions (verification or
2535 nested ACLs) are discarded. Only messages specified at this level are used.
2536 However, the value of an existing message is available in $acl_verify_message
2537 during expansions. */
2538
2539 uschar *old_user_msgptr = *user_msgptr;
2540 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2541
2542 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2543
2544 if (user_message != NULL)
2545 {
2546 acl_verify_message = old_user_msgptr;
2547 expmessage = expand_string(user_message);
2548 if (expmessage == NULL)
2549 {
2550 if (!expand_string_forcedfail)
2551 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2552 user_message, expand_string_message);
2553 }
2554 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2555 }
2556
2557 if (log_message != NULL)
2558 {
2559 acl_verify_message = old_log_msgptr;
2560 expmessage = expand_string(log_message);
2561 if (expmessage == NULL)
2562 {
2563 if (!expand_string_forcedfail)
2564 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2565 log_message, expand_string_message);
2566 }
2567 else if (expmessage[0] != 0)
2568 {
2569 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2570 string_sprintf("%s: %s", expmessage, *log_msgptr);
2571 }
2572 }
2573
2574 /* If no log message, default it to the user message */
2575
2576 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2577 }
2578
2579 acl_verify_message = NULL;
2580 return rc;
2581 }
2582
2583
2584
2585
2586
2587 /*************************************************
2588 * Get line from a literal ACL *
2589 *************************************************/
2590
2591 /* This function is passed to acl_read() in order to extract individual lines
2592 of a literal ACL, which we access via static pointers. We can destroy the
2593 contents because this is called only once (the compiled ACL is remembered).
2594
2595 This code is intended to treat the data in the same way as lines in the main
2596 Exim configuration file. That is:
2597
2598 . Leading spaces are ignored.
2599
2600 . A \ at the end of a line is a continuation - trailing spaces after the \
2601 are permitted (this is because I don't believe in making invisible things
2602 significant). Leading spaces on the continued part of a line are ignored.
2603
2604 . Physical lines starting (significantly) with # are totally ignored, and
2605 may appear within a sequence of backslash-continued lines.
2606
2607 . Blank lines are ignored, but will end a sequence of continuations.
2608
2609 Arguments: none
2610 Returns: a pointer to the next line
2611 */
2612
2613
2614 static uschar *acl_text; /* Current pointer in the text */
2615 static uschar *acl_text_end; /* Points one past the terminating '0' */
2616
2617
2618 static uschar *
2619 acl_getline(void)
2620 {
2621 uschar *yield;
2622
2623 /* This loop handles leading blank lines and comments. */
2624
2625 for(;;)
2626 {
2627 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2628 if (*acl_text == 0) return NULL; /* No more data */
2629 yield = acl_text; /* Potential data line */
2630
2631 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2632
2633 /* If we hit the end before a newline, we have the whole logical line. If
2634 it's a comment, there's no more data to be given. Otherwise, yield it. */
2635
2636 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2637
2638 /* After reaching a newline, end this loop if the physical line does not
2639 start with '#'. If it does, it's a comment, and the loop continues. */
2640
2641 if (*yield != '#') break;
2642 }
2643
2644 /* This loop handles continuations. We know we have some real data, ending in
2645 newline. See if there is a continuation marker at the end (ignoring trailing
2646 white space). We know that *yield is not white space, so no need to test for
2647 cont > yield in the backwards scanning loop. */
2648
2649 for(;;)
2650 {
2651 uschar *cont;
2652 for (cont = acl_text - 1; isspace(*cont); cont--);
2653
2654 /* If no continuation follows, we are done. Mark the end of the line and
2655 return it. */
2656
2657 if (*cont != '\\')
2658 {
2659 *acl_text++ = 0;
2660 return yield;
2661 }
2662
2663 /* We have encountered a continuation. Skip over whitespace at the start of
2664 the next line, and indeed the whole of the next line or lines if they are
2665 comment lines. */
2666
2667 for (;;)
2668 {
2669 while (*(++acl_text) == ' ' || *acl_text == '\t');
2670 if (*acl_text != '#') break;
2671 while (*(++acl_text) != 0 && *acl_text != '\n');
2672 }
2673
2674 /* We have the start of a continuation line. Move all the rest of the data
2675 to join onto the previous line, and then find its end. If the end is not a
2676 newline, we are done. Otherwise loop to look for another continuation. */
2677
2678 memmove(cont, acl_text, acl_text_end - acl_text);
2679 acl_text_end -= acl_text - cont;
2680 acl_text = cont;
2681 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2682 if (*acl_text == 0) return yield;
2683 }
2684
2685 /* Control does not reach here */
2686 }
2687
2688
2689
2690
2691
2692 /*************************************************
2693 * Check access using an ACL *
2694 *************************************************/
2695
2696 /* This function is called from address_check. It may recurse via
2697 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2698 passed as a string which is expanded. A forced failure implies no access check
2699 is required. If the result is a single word, it is taken as the name of an ACL
2700 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2701 text, complete with newlines, and parsed as such. In both cases, the ACL check
2702 is then run. This function uses an auxiliary function for acl_read() to call
2703 for reading individual lines of a literal ACL. This is acl_getline(), which
2704 appears immediately above.
2705
2706 Arguments:
2707 where where called from
2708 addr address item when called from RCPT; otherwise NULL
2709 s the input string; NULL is the same as an empty ACL => DENY
2710 level the nesting level
2711 user_msgptr where to put a user error (for SMTP response)
2712 log_msgptr where to put a logging message (not for SMTP response)
2713
2714 Returns: OK access is granted
2715 DISCARD access is apparently granted...
2716 FAIL access is denied
2717 FAIL_DROP access is denied; drop the connection
2718 DEFER can't tell at the moment
2719 ERROR disaster
2720 */
2721
2722 static int
2723 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2724 uschar **user_msgptr, uschar **log_msgptr)
2725 {
2726 int fd = -1;
2727 acl_block *acl = NULL;
2728 uschar *acl_name = US"inline ACL";
2729 uschar *ss;
2730
2731 /* Catch configuration loops */
2732
2733 if (level > 20)
2734 {
2735 *log_msgptr = US"ACL nested too deep: possible loop";
2736 return ERROR;
2737 }
2738
2739 if (s == NULL)
2740 {
2741 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2742 return FAIL;
2743 }
2744
2745 /* At top level, we expand the incoming string. At lower levels, it has already
2746 been expanded as part of condition processing. */
2747
2748 if (level == 0)
2749 {
2750 ss = expand_string(s);
2751 if (ss == NULL)
2752 {
2753 if (expand_string_forcedfail) return OK;
2754 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2755 expand_string_message);
2756 return ERROR;
2757 }
2758 }
2759 else ss = s;
2760
2761 while (isspace(*ss))ss++;
2762
2763 /* If we can't find a named ACL, the default is to parse it as an inline one.
2764 (Unless it begins with a slash; non-existent files give rise to an error.) */
2765
2766 acl_text = ss;
2767
2768 /* Handle the case of a string that does not contain any spaces. Look for a
2769 named ACL among those read from the configuration, or a previously read file.
2770 It is possible that the pointer to the ACL is NULL if the configuration
2771 contains a name with no data. If not found, and the text begins with '/',
2772 read an ACL from a file, and save it so it can be re-used. */
2773
2774 if (Ustrchr(ss, ' ') == NULL)
2775 {
2776 tree_node *t = tree_search(acl_anchor, ss);
2777 if (t != NULL)
2778 {
2779 acl = (acl_block *)(t->data.ptr);
2780 if (acl == NULL)
2781 {
2782 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2783 return FAIL;
2784 }
2785 acl_name = string_sprintf("ACL \"%s\"", ss);
2786 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2787 }
2788
2789 else if (*ss == '/')
2790 {
2791 struct stat statbuf;
2792 fd = Uopen(ss, O_RDONLY, 0);
2793 if (fd < 0)
2794 {
2795 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2796 strerror(errno));
2797 return ERROR;
2798 }
2799
2800 if (fstat(fd, &statbuf) != 0)
2801 {
2802 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2803 strerror(errno));
2804 return ERROR;
2805 }
2806
2807 acl_text = store_get(statbuf.st_size + 1);
2808 acl_text_end = acl_text + statbuf.st_size + 1;
2809
2810 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2811 {
2812 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2813 ss, strerror(errno));
2814 return ERROR;
2815 }
2816 acl_text[statbuf.st_size] = 0;
2817 close(fd);
2818
2819 acl_name = string_sprintf("ACL \"%s\"", ss);
2820 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2821 }
2822 }
2823
2824 /* Parse an ACL that is still in text form. If it came from a file, remember it
2825 in the ACL tree, having read it into the POOL_PERM store pool so that it
2826 persists between multiple messages. */
2827
2828 if (acl == NULL)
2829 {
2830 int old_pool = store_pool;
2831 if (fd >= 0) store_pool = POOL_PERM;
2832 acl = acl_read(acl_getline, log_msgptr);
2833 store_pool = old_pool;
2834 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2835 if (fd >= 0)
2836 {
2837 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2838 Ustrcpy(t->name, ss);
2839 t->data.ptr = acl;
2840 (void)tree_insertnode(&acl_anchor, t);
2841 }
2842 }
2843
2844 /* Now we have an ACL to use. It's possible it may be NULL. */
2845
2846 while (acl != NULL)
2847 {
2848 int cond;
2849 int basic_errno = 0;
2850 BOOL endpass_seen = FALSE;
2851
2852 *log_msgptr = *user_msgptr = NULL;
2853 acl_temp_details = FALSE;
2854
2855 if (where == ACL_WHERE_QUIT &&
2856 acl->verb != ACL_ACCEPT &&
2857 acl->verb != ACL_WARN)
2858 {
2859 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2860 verbs[acl->verb]);
2861 return ERROR;
2862 }
2863
2864 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2865
2866 /* Clear out any search error message from a previous check before testing
2867 this condition. */
2868
2869 search_error_message = NULL;
2870 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2871 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2872
2873 /* Handle special returns: DEFER causes a return except on a WARN verb;
2874 ERROR always causes a return. */
2875
2876 switch (cond)
2877 {
2878 case DEFER:
2879 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2880 if (basic_errno != ERRNO_CALLOUTDEFER)
2881 {
2882 if (search_error_message != NULL && *search_error_message != 0)
2883 *log_msgptr = search_error_message;
2884 if (smtp_return_error_details) acl_temp_details = TRUE;
2885 }
2886 else
2887 {
2888 acl_temp_details = TRUE;
2889 }
2890 if (acl->verb != ACL_WARN) return DEFER;
2891 break;
2892
2893 default: /* Paranoia */
2894 case ERROR:
2895 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2896 return ERROR;
2897
2898 case OK:
2899 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2900 verbs[acl->verb]);
2901 break;
2902
2903 case FAIL:
2904 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2905 break;
2906
2907 /* DISCARD and DROP can happen only from a nested ACL condition, and
2908 DISCARD can happen only for an "accept" or "discard" verb. */
2909
2910 case DISCARD:
2911 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2912 verbs[acl->verb]);
2913 break;
2914
2915 case FAIL_DROP:
2916 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2917 verbs[acl->verb]);
2918 break;
2919 }
2920
2921 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2922 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2923 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2924
2925 switch(acl->verb)
2926 {
2927 case ACL_ACCEPT:
2928 if (cond == OK || cond == DISCARD) return cond;
2929 if (endpass_seen)
2930 {
2931 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2932 return cond;
2933 }
2934 break;
2935
2936 case ACL_DEFER:
2937 if (cond == OK)
2938 {
2939 acl_temp_details = TRUE;
2940 return DEFER;
2941 }
2942 break;
2943
2944 case ACL_DENY:
2945 if (cond == OK) return FAIL;
2946 break;
2947
2948 case ACL_DISCARD:
2949 if (cond == OK || cond == DISCARD) return DISCARD;
2950 if (endpass_seen)
2951 {
2952 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2953 return cond;
2954 }
2955 break;
2956
2957 case ACL_DROP:
2958 if (cond == OK) return FAIL_DROP;
2959 break;
2960
2961 case ACL_REQUIRE:
2962 if (cond != OK) return cond;
2963 break;
2964
2965 case ACL_WARN:
2966 if (cond == OK)
2967 acl_warn(where, *user_msgptr, *log_msgptr);
2968 else if (cond == DEFER)
2969 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
2970 "condition test deferred%s%s", host_and_ident(TRUE),
2971 (*log_msgptr == NULL)? US"" : US": ",
2972 (*log_msgptr == NULL)? US"" : *log_msgptr);
2973 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2974 break;
2975
2976 default:
2977 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2978 acl->verb);
2979 break;
2980 }
2981
2982 /* Pass to the next ACL item */
2983
2984 acl = acl->next;
2985 }
2986
2987 /* We have reached the end of the ACL. This is an implicit DENY. */
2988
2989 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2990 return FAIL;
2991 }
2992
2993
2994 /*************************************************
2995 * Check access using an ACL *
2996 *************************************************/
2997
2998 /* This is the external interface for ACL checks. It sets up an address and the
2999 expansions for $domain and $local_part when called after RCPT, then calls
3000 acl_check_internal() to do the actual work.
3001
3002 Arguments:
3003 where ACL_WHERE_xxxx indicating where called from
3004 data_string RCPT address, or SMTP command argument, or NULL
3005 s the input string; NULL is the same as an empty ACL => DENY
3006 user_msgptr where to put a user error (for SMTP response)
3007 log_msgptr where to put a logging message (not for SMTP response)
3008
3009 Returns: OK access is granted by an ACCEPT verb
3010 DISCARD access is granted by a DISCARD verb
3011 FAIL access is denied
3012 FAIL_DROP access is denied; drop the connection
3013 DEFER can't tell at the moment
3014 ERROR disaster
3015 */
3016
3017 int
3018 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
3019 uschar **log_msgptr)
3020 {
3021 int rc;
3022 address_item adb;
3023 address_item *addr;
3024
3025 *user_msgptr = *log_msgptr = NULL;
3026 sender_verified_failed = NULL;
3027
3028 if (where == ACL_WHERE_RCPT)
3029 {
3030 adb = address_defaults;
3031 addr = &adb;
3032 addr->address = data_string;
3033 if (deliver_split_address(addr) == DEFER)
3034 {
3035 *log_msgptr = US"defer in percent_hack_domains check";
3036 return DEFER;
3037 }
3038 deliver_domain = addr->domain;
3039 deliver_localpart = addr->local_part;
3040 }
3041 else
3042 {
3043 addr = NULL;
3044 smtp_command_argument = data_string;
3045 }
3046
3047 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3048
3049 smtp_command_argument = deliver_domain =
3050 deliver_localpart = deliver_address_data = sender_address_data = NULL;
3051
3052 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3053 ACL, which is really in the middle of an SMTP command. */
3054
3055 if (rc == DISCARD)
3056 {
3057 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3058 {
3059 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3060 "ACL", acl_wherenames[where]);
3061 return ERROR;
3062 }
3063 return DISCARD;
3064 }
3065
3066 /* A DROP response is not permitted from MAILAUTH */
3067
3068 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3069 {
3070 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3071 "ACL", acl_wherenames[where]);
3072 return ERROR;
3073 }
3074
3075 /* Before giving an error response, take a look at the length of any user
3076 message, and split it up into multiple lines if possible. */
3077
3078 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3079 {
3080 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3081 uschar *ss = s;
3082
3083 for (;;)
3084 {
3085 int i = 0;
3086 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3087 if (*ss == 0) break;
3088 if (*ss == '\n')
3089 s = ++ss;
3090 else
3091 {
3092 uschar *t = ss + 1;
3093 uschar *tt = NULL;
3094 while (--t > s + 35)
3095 {
3096 if (*t == ' ')
3097 {
3098 if (t[-1] == ':') { tt = t; break; }
3099 if (tt == NULL) tt = t;
3100 }
3101 }
3102
3103 if (tt == NULL) /* Can't split behind - try ahead */
3104 {
3105 t = ss + 1;
3106 while (*t != 0)
3107 {
3108 if (*t == ' ' || *t == '\n')
3109 { tt = t; break; }
3110 t++;
3111 }
3112 }
3113
3114 if (tt == NULL) break; /* Can't find anywhere to split */
3115 *tt = '\n';
3116 s = ss = tt+1;
3117 }
3118 }
3119 }
3120
3121 return rc;
3122 }
3123
3124 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.