projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Further tidies and minor fixes to the tables that control which ACL
[exim.git] / src / src / acl.c
1 /* $Cambridge: exim/src/src/acl.c,v 1.26 2005/03/29 10:56:48 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Code for handling Access Control Lists (ACLs) */
11
12 #include "exim.h"
13
14
15 /* Default callout timeout */
16
17 #define CALLOUT_TIMEOUT_DEFAULT 30
18
19 /* ACL verb codes - keep in step with the table of verbs that follows */
20
21 enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24 /* ACL verbs */
25
26 static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30 /* For each verb, the condition for which "message" is used */
31
32 static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34 /* ACL condition and modifier codes - keep in step with the table that
35 follows. */
36
37 enum { ACLC_ACL, ACLC_AUTHENTICATED,
38 #ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40 #endif
41 ACLC_CONDITION, ACLC_CONTROL,
42 #ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44 #endif
45 ACLC_DELAY,
46 #ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48 #endif
49 #ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56 #endif
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59 #ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61 #endif
62 ACLC_MESSAGE,
63 #ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65 #endif
66 ACLC_RECIPIENTS,
67 #ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69 #endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71 #ifdef WITH_CONTENT_SCAN
72 ACLC_SPAM,
73 #endif
74 #ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76 #endif
77 ACLC_VERIFY };
78
79 /* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80 "log_message", "logwrite", and "set" are modifiers that look like conditions
81 but always return TRUE. They are used for their side effects. */
82
83 static uschar *conditions[] = { US"acl", US"authenticated",
84 #ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86 #endif
87 US"condition",
88 US"control",
89 #ifdef WITH_CONTENT_SCAN
90 US"decode",
91 #endif
92 US"delay",
93 #ifdef WITH_OLD_DEMIME
94 US"demime",
95 #endif
96 #ifdef EXPERIMENTAL_DOMAINKEYS
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
103 #endif
104 US"dnslists", US"domains", US"encrypted",
105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
106 #ifdef WITH_CONTENT_SCAN
107 US"malware",
108 #endif
109 US"message",
110 #ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112 #endif
113 US"recipients",
114 #ifdef WITH_CONTENT_SCAN
115 US"regex",
116 #endif
117 US"sender_domains", US"senders", US"set",
118 #ifdef WITH_CONTENT_SCAN
119 US"spam",
120 #endif
121 #ifdef EXPERIMENTAL_SPF
122 US"spf",
123 #endif
124 US"verify" };
125
126 /* ACL control names */
127
128 static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
130 US"queue_only", US"submission", US"no_multiline"};
131
132 /* Flags to indicate for which conditions /modifiers a string expansion is done
133 at the outer level. In the other cases, expansion already occurs in the
134 checking functions. */
135
136 static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
139 #ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
141 #endif
142 TRUE, /* condition */
143 TRUE, /* control */
144 #ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146 #endif
147 TRUE, /* delay */
148 #ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150 #endif
151 #ifdef EXPERIMENTAL_DOMAINKEYS
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
155 TRUE, /* dk_sender_local_parts */
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
158 #endif
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
167 #ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169 #endif
170 TRUE, /* message */
171 #ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173 #endif
174 FALSE, /* recipients */
175 #ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177 #endif
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
181 #ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183 #endif
184 #ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186 #endif
187 TRUE /* verify */
188 };
189
190 /* Flags to identify the modifiers */
191
192 static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
195 #ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
197 #endif
198 FALSE, /* condition */
199 TRUE, /* control */
200 #ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202 #endif
203 TRUE, /* delay */
204 #ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
211 FALSE, /* dk_sender_local_parts */
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
214 #endif
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
222 TRUE, /* logwrite */
223 #ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225 #endif
226 TRUE, /* message */
227 #ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229 #endif
230 FALSE, /* recipients */
231 #ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233 #endif
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
237 #ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239 #endif
240 #ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242 #endif
243 FALSE /* verify */
244 };
245
246 /* Bit map vector of which conditions are not allowed at certain times. For
247 each condition, there's a bitmap of dis-allowed times. For some, it is easier
248 to specify the negation of a small number of allowed times. */
249
250 static unsigned int cond_forbids[] = {
251 0, /* acl */
252
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
255
256 #ifdef EXPERIMENTAL_BRIGHTMAIL
257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264 #endif
265
266 0, /* condition */
267
268 /* Certain types of control are always allowed, so we let it through
269 always and check in the control processing itself. */
270
271 0, /* control */
272
273 #ifdef WITH_CONTENT_SCAN
274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
276 #endif
277
278 0, /* delay */
279
280 #ifdef WITH_OLD_DEMIME
281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
283 #endif
284
285 #ifdef EXPERIMENTAL_DOMAINKEYS
286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
293
294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
301
302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
309
310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
317
318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
325
326 (1<<ACL_WHERE_AUTH)| /* dk_status */
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333 #endif
334
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
342
343 0, /* endpass */
344
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
349
350 0, /* log_message */
351
352 0, /* logwrite */
353
354 #ifdef WITH_CONTENT_SCAN
355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
357 #endif
358
359 0, /* message */
360
361 #ifdef WITH_CONTENT_SCAN
362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
364 #endif
365
366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
368
369 #ifdef WITH_CONTENT_SCAN
370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
373 #endif
374
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
389 #ifdef WITH_CONTENT_SCAN
390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
392 #endif
393
394 #ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400 #endif
401
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
406 };
407
408
409 /* Return values from decode_control() */
410
411 enum {
412 #ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
414 #endif
415 #ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
417 #endif
418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421 #ifdef WITH_CONTENT_SCAN
422 CONTROL_NO_MBOX_UNSPOOL,
423 #endif
424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
425
426 /* Bit map vector of which controls are not allowed at certain times. For
427 each control, there's a bitmap of dis-allowed times. For some, it is easier to
428 specify the negation of a small number of allowed times. */
429
430 static unsigned int control_forbids[] = {
431 #ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433 #endif
434 #ifdef EXPERIMENTAL_DOMAINKEYS
435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
436 #endif
437
438 0, /* error */
439
440 (unsigned int)
441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
442
443 (unsigned int)
444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
445
446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
447
448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
449
450 (unsigned int)
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
454
455 (unsigned int)
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
459
460 (unsigned int)
461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
462 (1<<ACL_WHERE_PREDATA)),
463
464 #ifdef WITH_CONTENT_SCAN
465 (unsigned int)
466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
469 #endif
470
471 (unsigned int)
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
475
476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
477 };
478
479 /* Structure listing various control arguments, with their characteristics. */
480
481 typedef struct control_def {
482 uschar *name;
483 int value; /* CONTROL_xxx value */
484 BOOL has_option; /* Has /option(s) following */
485 } control_def;
486
487 static control_def controls_list[] = {
488 #ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
490 #endif
491 #ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
493 #endif
494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
501 #ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
503 #endif
504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
505 { US"submission", CONTROL_SUBMISSION, TRUE}
506 };
507
508 /* Enable recursion between acl_check_internal() and acl_check_condition() */
509
510 static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
511 uschar **);
512
513
514 /*************************************************
515 * Pick out name from list *
516 *************************************************/
517
518 /* Use a binary chop method
519
520 Arguments:
521 name name to find
522 list list of names
523 end size of list
524
525 Returns: offset in list, or -1 if not found
526 */
527
528 static int
529 acl_checkname(uschar *name, uschar **list, int end)
530 {
531 int start = 0;
532
533 while (start < end)
534 {
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
539 }
540
541 return -1;
542 }
543
544
545 /*************************************************
546 * Read and parse one ACL *
547 *************************************************/
548
549 /* This function is called both from readconf in order to parse the ACLs in the
550 configuration file, and also when an ACL is encountered dynamically (e.g. as
551 the result of an expansion). It is given a function to call in order to
552 retrieve the lines of the ACL. This function handles skipping comments and
553 blank lines (where relevant).
554
555 Arguments:
556 func function to get next line of ACL
557 error where to put an error message
558
559 Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
561 */
562
563 acl_block *
564 acl_read(uschar *(*func)(void), uschar **error)
565 {
566 acl_block *yield = NULL;
567 acl_block **lastp = &yield;
568 acl_block *this = NULL;
569 acl_condition_block *cond;
570 acl_condition_block **condp = NULL;
571 uschar *s;
572
573 *error = NULL;
574
575 while ((s = (*func)()) != NULL)
576 {
577 int v, c;
578 BOOL negated = FALSE;
579 uschar *saveline = s;
580 uschar name[64];
581
582 /* Conditions (but not verbs) are allowed to be negated by an initial
583 exclamation mark. */
584
585 while (isspace(*s)) s++;
586 if (*s == '!')
587 {
588 negated = TRUE;
589 s++;
590 }
591
592 /* Read the name of a verb or a condition, or the start of a new ACL */
593
594 s = readconf_readname(name, sizeof(name), s);
595 if (*s == ':')
596 {
597 if (negated || name[0] == 0)
598 {
599 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
600 return NULL;
601 }
602 break;
603 }
604
605 /* If a verb is unrecognized, it may be another condition or modifier that
606 continues the previous verb. */
607
608 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
609 if (v < 0)
610 {
611 if (this == NULL)
612 {
613 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
614 return NULL;
615 }
616 }
617
618 /* New verb */
619
620 else
621 {
622 if (negated)
623 {
624 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
625 return NULL;
626 }
627 this = store_get(sizeof(acl_block));
628 *lastp = this;
629 lastp = &(this->next);
630 this->next = NULL;
631 this->verb = v;
632 this->condition = NULL;
633 condp = &(this->condition);
634 if (*s == 0) continue; /* No condition on this line */
635 if (*s == '!')
636 {
637 negated = TRUE;
638 s++;
639 }
640 s = readconf_readname(name, sizeof(name), s); /* Condition name */
641 }
642
643 /* Handle a condition or modifier. */
644
645 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
646 if (c < 0)
647 {
648 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
649 saveline);
650 return NULL;
651 }
652
653 /* The modifiers may not be negated */
654
655 if (negated && cond_modifiers[c])
656 {
657 *error = string_sprintf("ACL error: negation is not allowed with "
658 "\"%s\"", conditions[c]);
659 return NULL;
660 }
661
662 /* ENDPASS may occur only with ACCEPT or DISCARD. */
663
664 if (c == ACLC_ENDPASS &&
665 this->verb != ACL_ACCEPT &&
666 this->verb != ACL_DISCARD)
667 {
668 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
669 conditions[c], verbs[this->verb]);
670 return NULL;
671 }
672
673 cond = store_get(sizeof(acl_condition_block));
674 cond->next = NULL;
675 cond->type = c;
676 cond->u.negated = negated;
677
678 *condp = cond;
679 condp = &(cond->next);
680
681 /* The "set" modifier is different in that its argument is "name=value"
682 rather than just a value, and we can check the validity of the name, which
683 gives us a variable number to insert into the data block. */
684
685 if (c == ACLC_SET)
686 {
687 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
688 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
689 {
690 *error = string_sprintf("unrecognized name after \"set\" in ACL "
691 "modifier \"set %s\"", s);
692 return NULL;
693 }
694
695 cond->u.varnumber = s[5] - '0';
696 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
697 s += 6;
698 while (isspace(*s)) s++;
699 }
700
701 /* For "set", we are now positioned for the data. For the others, only
702 "endpass" has no data */
703
704 if (c != ACLC_ENDPASS)
705 {
706 if (*s++ != '=')
707 {
708 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
709 cond_modifiers[c]? US"modifier" : US"condition");
710 return NULL;
711 }
712 while (isspace(*s)) s++;
713 cond->arg = string_copy(s);
714 }
715 }
716
717 return yield;
718 }
719
720
721
722 /*************************************************
723 * Handle warnings *
724 *************************************************/
725
726 /* This function is called when a WARN verb's conditions are true. It adds to
727 the message's headers, and/or writes information to the log. In each case, this
728 only happens once (per message for headers, per connection for log).
729
730 Arguments:
731 where ACL_WHERE_xxxx indicating which ACL this is
732 user_message message for adding to headers
733 log_message message for logging, if different
734
735 Returns: nothing
736 */
737
738 static void
739 acl_warn(int where, uschar *user_message, uschar *log_message)
740 {
741 int hlen;
742
743 if (log_message != NULL && log_message != user_message)
744 {
745 uschar *text;
746 string_item *logged;
747
748 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
749 string_printing(log_message));
750
751 /* If a sender verification has failed, and the log message is "sender verify
752 failed", add the failure message. */
753
754 if (sender_verified_failed != NULL &&
755 sender_verified_failed->message != NULL &&
756 strcmpic(log_message, US"sender verify failed") == 0)
757 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
758
759 /* Search previously logged warnings. They are kept in malloc store so they
760 can be freed at the start of a new message. */
761
762 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
763 if (Ustrcmp(logged->text, text) == 0) break;
764
765 if (logged == NULL)
766 {
767 int length = Ustrlen(text) + 1;
768 log_write(0, LOG_MAIN, "%s", text);
769 logged = store_malloc(sizeof(string_item) + length);
770 logged->text = (uschar *)logged + sizeof(string_item);
771 memcpy(logged->text, text, length);
772 logged->next = acl_warn_logged;
773 acl_warn_logged = logged;
774 }
775 }
776
777 /* If there's no user message, we are done. */
778
779 if (user_message == NULL) return;
780
781 /* If this isn't a message ACL, we can't do anything with a user message.
782 Log an error. */
783
784 if (where > ACL_WHERE_NOTSMTP)
785 {
786 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
787 "found in a non-message (%s) ACL: cannot specify header lines here: "
788 "message ignored", acl_wherenames[where]);
789 return;
790 }
791
792 /* Treat the user message as a sequence of one or more header lines. */
793
794 hlen = Ustrlen(user_message);
795 if (hlen > 0)
796 {
797 uschar *text, *p, *q;
798
799 /* Add a final newline if not present */
800
801 text = ((user_message)[hlen-1] == '\n')? user_message :
802 string_sprintf("%s\n", user_message);
803
804 /* Loop for multiple header lines, taking care about continuations */
805
806 for (p = q = text; *p != 0; )
807 {
808 uschar *s;
809 int newtype = htype_add_bot;
810 header_line **hptr = &acl_warn_headers;
811
812 /* Find next header line within the string */
813
814 for (;;)
815 {
816 q = Ustrchr(q, '\n');
817 if (*(++q) != ' ' && *q != '\t') break;
818 }
819
820 /* If the line starts with a colon, interpret the instruction for where to
821 add it. This temporarily sets up a new type. */
822
823 if (*p == ':')
824 {
825 if (strncmpic(p, US":after_received:", 16) == 0)
826 {
827 newtype = htype_add_rec;
828 p += 16;
829 }
830 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
831 {
832 newtype = htype_add_rfc;
833 p += 14;
834 }
835 else if (strncmpic(p, US":at_start:", 10) == 0)
836 {
837 newtype = htype_add_top;
838 p += 10;
839 }
840 else if (strncmpic(p, US":at_end:", 8) == 0)
841 {
842 newtype = htype_add_bot;
843 p += 8;
844 }
845 while (*p == ' ' || *p == '\t') p++;
846 }
847
848 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
849 to the front of it. */
850
851 for (s = p; s < q - 1; s++)
852 {
853 if (*s == ':' || !isgraph(*s)) break;
854 }
855
856 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
857 hlen = Ustrlen(s);
858
859 /* See if this line has already been added */
860
861 while (*hptr != NULL)
862 {
863 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
864 hptr = &((*hptr)->next);
865 }
866
867 /* Add if not previously present */
868
869 if (*hptr == NULL)
870 {
871 header_line *h = store_get(sizeof(header_line));
872 h->text = s;
873 h->next = NULL;
874 h->type = newtype;
875 h->slen = hlen;
876 *hptr = h;
877 hptr = &(h->next);
878 }
879
880 /* Advance for next header line within the string */
881
882 p = q;
883 }
884 }
885 }
886
887
888
889 /*************************************************
890 * Verify and check reverse DNS *
891 *************************************************/
892
893 /* Called from acl_verify() below. We look up the host name(s) of the client IP
894 address if this has not yet been done. The host_name_lookup() function checks
895 that one of these names resolves to an address list that contains the client IP
896 address, so we don't actually have to do the check here.
897
898 Arguments:
899 user_msgptr pointer for user message
900 log_msgptr pointer for log message
901
902 Returns: OK verification condition succeeded
903 FAIL verification failed
904 DEFER there was a problem verifying
905 */
906
907 static int
908 acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
909 {
910 int rc;
911
912 user_msgptr = user_msgptr; /* stop compiler warning */
913
914 /* Previous success */
915
916 if (sender_host_name != NULL) return OK;
917
918 /* Previous failure */
919
920 if (host_lookup_failed)
921 {
922 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
923 return FAIL;
924 }
925
926 /* Need to do a lookup */
927
928 HDEBUG(D_acl)
929 debug_printf("looking up host name to force name/address consistency check\n");
930
931 if ((rc = host_name_lookup()) != OK)
932 {
933 *log_msgptr = (rc == DEFER)?
934 US"host lookup deferred for reverse lookup check"
935 :
936 string_sprintf("host lookup failed for reverse lookup check%s",
937 host_lookup_msg);
938 return rc; /* DEFER or FAIL */
939 }
940
941 host_build_sender_fullhost();
942 return OK;
943 }
944
945
946
947 /*************************************************
948 * Handle verification (address & other) *
949 *************************************************/
950
951 /* This function implements the "verify" condition. It is called when
952 encountered in any ACL, because some tests are almost always permitted. Some
953 just don't make sense, and always fail (for example, an attempt to test a host
954 lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
955
956 Arguments:
957 where where called from
958 addr the recipient address that the ACL is handling, or NULL
959 arg the argument of "verify"
960 user_msgptr pointer for user message
961 log_msgptr pointer for log message
962 basic_errno where to put verify errno
963
964 Returns: OK verification condition succeeded
965 FAIL verification failed
966 DEFER there was a problem verifying
967 ERROR syntax error
968 */
969
970 static int
971 acl_verify(int where, address_item *addr, uschar *arg,
972 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
973 {
974 int sep = '/';
975 int callout = -1;
976 int callout_overall = -1;
977 int callout_connect = -1;
978 int verify_options = 0;
979 int rc;
980 BOOL verify_header_sender = FALSE;
981 BOOL defer_ok = FALSE;
982 BOOL callout_defer_ok = FALSE;
983 BOOL no_details = FALSE;
984 address_item *sender_vaddr = NULL;
985 uschar *verify_sender_address = NULL;
986 uschar *pm_mailfrom = NULL;
987 uschar *se_mailfrom = NULL;
988
989 /* Some of the verify items have slash-separated options; some do not. Diagnose
990 an error if options are given for items that don't expect them. This code has
991 now got very message. Refactoring to use a table would be a good idea one day.
992 */
993
994 uschar *slash = Ustrchr(arg, '/');
995 uschar *list = arg;
996 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
997
998 if (ss == NULL) goto BAD_VERIFY;
999
1000 /* Handle name/address consistency verification in a separate function. */
1001
1002 if (strcmpic(ss, US"reverse_host_lookup") == 0)
1003 {
1004 if (slash != NULL) goto NO_OPTIONS;
1005 if (sender_host_address == NULL) return OK;
1006 return acl_verify_reverse(user_msgptr, log_msgptr);
1007 }
1008
1009 /* TLS certificate verification is done at STARTTLS time; here we just
1010 test whether it was successful or not. (This is for optional verification; for
1011 mandatory verification, the connection doesn't last this long.) */
1012
1013 if (strcmpic(ss, US"certificate") == 0)
1014 {
1015 if (slash != NULL) goto NO_OPTIONS;
1016 if (tls_certificate_verified) return OK;
1017 *user_msgptr = US"no verified certificate";
1018 return FAIL;
1019 }
1020
1021 /* We can test the result of optional HELO verification */
1022
1023 if (strcmpic(ss, US"helo") == 0)
1024 {
1025 if (slash != NULL) goto NO_OPTIONS;
1026 return helo_verified? OK : FAIL;
1027 }
1028
1029 /* Check that all relevant header lines have the correct syntax. If there is
1030 a syntax error, we return details of the error to the sender if configured to
1031 send out full details. (But a "message" setting on the ACL can override, as
1032 always). */
1033
1034 if (strcmpic(ss, US"header_syntax") == 0)
1035 {
1036 if (slash != NULL) goto NO_OPTIONS;
1037 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1038 {
1039 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1040 "(only possible in ACL for DATA)", acl_wherenames[where]);
1041 return ERROR;
1042 }
1043 rc = verify_check_headers(log_msgptr);
1044 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1045 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1046 return rc;
1047 }
1048
1049
1050 /* The remaining verification tests check recipient and sender addresses,
1051 either from the envelope or from the header. There are a number of
1052 slash-separated options that are common to all of them. */
1053
1054
1055 /* Check that there is at least one verifiable sender address in the relevant
1056 header lines. This can be followed by callout and defer options, just like
1057 sender and recipient. */
1058
1059 if (strcmpic(ss, US"header_sender") == 0)
1060 {
1061 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1062 {
1063 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1064 "(only possible in ACL for DATA)", acl_wherenames[where]);
1065 return ERROR;
1066 }
1067 verify_header_sender = TRUE;
1068 }
1069
1070 /* Otherwise, first item in verify argument must be "sender" or "recipient".
1071 In the case of a sender, this can optionally be followed by an address to use
1072 in place of the actual sender (rare special-case requirement). */
1073
1074 else if (strncmpic(ss, US"sender", 6) == 0)
1075 {
1076 uschar *s = ss + 6;
1077 if (where > ACL_WHERE_NOTSMTP)
1078 {
1079 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1080 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1081 acl_wherenames[where]);
1082 return ERROR;
1083 }
1084 if (*s == 0)
1085 verify_sender_address = sender_address;
1086 else
1087 {
1088 while (isspace(*s)) s++;
1089 if (*s++ != '=') goto BAD_VERIFY;
1090 while (isspace(*s)) s++;
1091 verify_sender_address = string_copy(s);
1092 }
1093 }
1094 else
1095 {
1096 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1097 if (addr == NULL)
1098 {
1099 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1100 "(only possible for RCPT)", acl_wherenames[where]);
1101 return ERROR;
1102 }
1103 }
1104
1105 /* Remaining items are optional; they apply to sender and recipient
1106 verification, including "header sender" verification. */
1107
1108 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1109 != NULL)
1110 {
1111 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1112 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1113
1114 /* These two old options are left for backwards compatibility */
1115
1116 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1117 {
1118 callout_defer_ok = TRUE;
1119 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1120 }
1121
1122 else if (strcmpic(ss, US"check_postmaster") == 0)
1123 {
1124 pm_mailfrom = US"";
1125 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1126 }
1127
1128 /* The callout option has a number of sub-options, comma separated */
1129
1130 else if (strncmpic(ss, US"callout", 7) == 0)
1131 {
1132 callout = CALLOUT_TIMEOUT_DEFAULT;
1133 ss += 7;
1134 if (*ss != 0)
1135 {
1136 while (isspace(*ss)) ss++;
1137 if (*ss++ == '=')
1138 {
1139 int optsep = ',';
1140 uschar *opt;
1141 uschar buffer[256];
1142 while (isspace(*ss)) ss++;
1143
1144 /* This callout option handling code has become a mess as new options
1145 have been added in an ad hoc manner. It should be tidied up into some
1146 kind of table-driven thing. */
1147
1148 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1149 != NULL)
1150 {
1151 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1152 else if (strcmpic(opt, US"no_cache") == 0)
1153 verify_options |= vopt_callout_no_cache;
1154 else if (strcmpic(opt, US"random") == 0)
1155 verify_options |= vopt_callout_random;
1156 else if (strcmpic(opt, US"use_sender") == 0)
1157 verify_options |= vopt_callout_recipsender;
1158 else if (strcmpic(opt, US"use_postmaster") == 0)
1159 verify_options |= vopt_callout_recippmaster;
1160 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1161
1162 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1163 {
1164 if (!verify_header_sender)
1165 {
1166 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1167 "callout option only for verify=header_sender (detected in ACL "
1168 "condition \"%s\")", arg);
1169 return ERROR;
1170 }
1171 opt += 8;
1172 while (isspace(*opt)) opt++;
1173 if (*opt++ != '=')
1174 {
1175 *log_msgptr = string_sprintf("'=' expected after "
1176 "\"mailfrom\" in ACL condition \"%s\"", arg);
1177 return ERROR;
1178 }
1179 while (isspace(*opt)) opt++;
1180 se_mailfrom = string_copy(opt);
1181 }
1182
1183 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1184 {
1185 opt += 19;
1186 while (isspace(*opt)) opt++;
1187 if (*opt++ != '=')
1188 {
1189 *log_msgptr = string_sprintf("'=' expected after "
1190 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1191 return ERROR;
1192 }
1193 while (isspace(*opt)) opt++;
1194 pm_mailfrom = string_copy(opt);
1195 }
1196
1197 else if (strncmpic(opt, US"maxwait", 7) == 0)
1198 {
1199 opt += 7;
1200 while (isspace(*opt)) opt++;
1201 if (*opt++ != '=')
1202 {
1203 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1204 "ACL condition \"%s\"", arg);
1205 return ERROR;
1206 }
1207 while (isspace(*opt)) opt++;
1208 callout_overall = readconf_readtime(opt, 0, FALSE);
1209 if (callout_overall < 0)
1210 {
1211 *log_msgptr = string_sprintf("bad time value in ACL condition "
1212 "\"verify %s\"", arg);
1213 return ERROR;
1214 }
1215 }
1216 else if (strncmpic(opt, US"connect", 7) == 0)
1217 {
1218 opt += 7;
1219 while (isspace(*opt)) opt++;
1220 if (*opt++ != '=')
1221 {
1222 *log_msgptr = string_sprintf("'=' expected after "
1223 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1224 return ERROR;
1225 }
1226 while (isspace(*opt)) opt++;
1227 callout_connect = readconf_readtime(opt, 0, FALSE);
1228 if (callout_connect < 0)
1229 {
1230 *log_msgptr = string_sprintf("bad time value in ACL condition "
1231 "\"verify %s\"", arg);
1232 return ERROR;
1233 }
1234 }
1235 else /* Plain time is callout connect/command timeout */
1236 {
1237 callout = readconf_readtime(opt, 0, FALSE);
1238 if (callout < 0)
1239 {
1240 *log_msgptr = string_sprintf("bad time value in ACL condition "
1241 "\"verify %s\"", arg);
1242 return ERROR;
1243 }
1244 }
1245 }
1246 }
1247 else
1248 {
1249 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1250 "ACL condition \"%s\"", arg);
1251 return ERROR;
1252 }
1253 }
1254 }
1255
1256 /* Option not recognized */
1257
1258 else
1259 {
1260 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1261 "condition \"verify %s\"", ss, arg);
1262 return ERROR;
1263 }
1264 }
1265
1266 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1267 (vopt_callout_recipsender|vopt_callout_recippmaster))
1268 {
1269 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1270 "for a recipient callout";
1271 return ERROR;
1272 }
1273
1274 /* Handle sender-in-header verification. Default the user message to the log
1275 message if giving out verification details. */
1276
1277 if (verify_header_sender)
1278 {
1279 int verrno;
1280 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
1281 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1282 &verrno);
1283 if (rc != OK)
1284 {
1285 *basic_errno = verrno;
1286 if (smtp_return_error_details)
1287 {
1288 if (*user_msgptr == NULL && *log_msgptr != NULL)
1289 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1290 if (rc == DEFER) acl_temp_details = TRUE;
1291 }
1292 }
1293 }
1294
1295 /* Handle a sender address. The default is to verify *the* sender address, but
1296 optionally a different address can be given, for special requirements. If the
1297 address is empty, we are dealing with a bounce message that has no sender, so
1298 we cannot do any checking. If the real sender address gets rewritten during
1299 verification (e.g. DNS widening), set the flag to stop it being rewritten again
1300 during message reception.
1301
1302 A list of verified "sender" addresses is kept to try to avoid doing to much
1303 work repetitively when there are multiple recipients in a message and they all
1304 require sender verification. However, when callouts are involved, it gets too
1305 complicated because different recipients may require different callout options.
1306 Therefore, we always do a full sender verify when any kind of callout is
1307 specified. Caching elsewhere, for instance in the DNS resolver and in the
1308 callout handling, should ensure that this is not terribly inefficient. */
1309
1310 else if (verify_sender_address != NULL)
1311 {
1312 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1313 != 0)
1314 {
1315 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1316 "sender verify callout";
1317 return ERROR;
1318 }
1319
1320 sender_vaddr = verify_checked_sender(verify_sender_address);
1321 if (sender_vaddr != NULL && /* Previously checked */
1322 callout <= 0) /* No callout needed this time */
1323 {
1324 /* If the "routed" flag is set, it means that routing worked before, so
1325 this check can give OK (the saved return code value, if set, belongs to a
1326 callout that was done previously). If the "routed" flag is not set, routing
1327 must have failed, so we use the saved return code. */
1328
1329 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1330 {
1331 rc = sender_vaddr->special_action;
1332 *basic_errno = sender_vaddr->basic_errno;
1333 }
1334 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1335 }
1336
1337 /* Do a new verification, and cache the result. The cache is used to avoid
1338 verifying the sender multiple times for multiple RCPTs when callouts are not
1339 specified (see comments above).
1340
1341 The cache is also used on failure to give details in response to the first
1342 RCPT that gets bounced for this reason. However, this can be suppressed by
1343 the no_details option, which sets the flag that says "this detail has already
1344 been sent". The cache normally contains just one address, but there may be
1345 more in esoteric circumstances. */
1346
1347 else
1348 {
1349 BOOL routed = TRUE;
1350 uschar *save_address_data = deliver_address_data;
1351
1352 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1353 if (no_details) setflag(sender_vaddr, af_sverify_told);
1354 if (verify_sender_address[0] != 0)
1355 {
1356 /* If this is the real sender address, save the unrewritten version
1357 for use later in receive. Otherwise, set a flag so that rewriting the
1358 sender in verify_address() does not update sender_address. */
1359
1360 if (verify_sender_address == sender_address)
1361 sender_address_unrewritten = sender_address;
1362 else
1363 verify_options |= vopt_fake_sender;
1364
1365 /* The recipient, qualify, and expn options are never set in
1366 verify_options. */
1367
1368 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
1369 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
1370
1371 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1372
1373 if (rc == OK)
1374 {
1375 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1376 {
1377 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1378 verify_sender_address, sender_vaddr->address);
1379 }
1380 else
1381 {
1382 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1383 verify_sender_address);
1384 }
1385 }
1386 else *basic_errno = sender_vaddr->basic_errno;
1387 }
1388 else rc = OK; /* Null sender */
1389
1390 /* Cache the result code */
1391
1392 if (routed) setflag(sender_vaddr, af_verify_routed);
1393 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1394 sender_vaddr->special_action = rc;
1395 sender_vaddr->next = sender_verified_list;
1396 sender_verified_list = sender_vaddr;
1397
1398 /* Restore the recipient address data, which might have been clobbered by
1399 the sender verification. */
1400
1401 deliver_address_data = save_address_data;
1402 }
1403
1404 /* Put the sender address_data value into $sender_address_data */
1405
1406 sender_address_data = sender_vaddr->p.address_data;
1407 }
1408
1409 /* A recipient address just gets a straightforward verify; again we must handle
1410 the DEFER overrides. */
1411
1412 else
1413 {
1414 address_item addr2;
1415
1416 /* We must use a copy of the address for verification, because it might
1417 get rewritten. */
1418
1419 addr2 = *addr;
1420 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
1421 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
1422 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1423
1424 *log_msgptr = addr2.message;
1425 *user_msgptr = (addr2.user_message != NULL)?
1426 addr2.user_message : addr2.message;
1427 *basic_errno = addr2.basic_errno;
1428
1429 /* Make $address_data visible */
1430 deliver_address_data = addr2.p.address_data;
1431 }
1432
1433 /* We have a result from the relevant test. Handle defer overrides first. */
1434
1435 if (rc == DEFER && (defer_ok ||
1436 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1437 {
1438 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1439 defer_ok? "defer_ok" : "callout_defer_ok");
1440 rc = OK;
1441 }
1442
1443 /* If we've failed a sender, set up a recipient message, and point
1444 sender_verified_failed to the address item that actually failed. */
1445
1446 if (rc != OK && verify_sender_address != NULL)
1447 {
1448 if (rc != DEFER)
1449 {
1450 *log_msgptr = *user_msgptr = US"Sender verify failed";
1451 }
1452 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1453 {
1454 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1455 }
1456 else
1457 {
1458 *log_msgptr = US"Could not complete sender verify callout";
1459 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1460 *log_msgptr;
1461 }
1462
1463 sender_verified_failed = sender_vaddr;
1464 }
1465
1466 /* Verifying an address messes up the values of $domain and $local_part,
1467 so reset them before returning if this is a RCPT ACL. */
1468
1469 if (addr != NULL)
1470 {
1471 deliver_domain = addr->domain;
1472 deliver_localpart = addr->local_part;
1473 }
1474 return rc;
1475
1476 /* Syntax errors in the verify argument come here. */
1477
1478 BAD_VERIFY:
1479 *log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1480 "\"helo\", \"header_syntax\", \"header_sender\" or "
1481 "\"reverse_host_lookup\" at start of ACL condition "
1482 "\"verify %s\"", arg);
1483 return ERROR;
1484
1485 /* Options supplied when not allowed come here */
1486
1487 NO_OPTIONS:
1488 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1489 "(this verify item has no options)", arg);
1490 return ERROR;
1491 }
1492
1493
1494
1495
1496 /*************************************************
1497 * Check argument for control= modifier *
1498 *************************************************/
1499
1500 /* Called from acl_check_condition() below
1501
1502 Arguments:
1503 arg the argument string for control=
1504 pptr set to point to the terminating character
1505 where which ACL we are in
1506 log_msgptr for error messages
1507
1508 Returns: CONTROL_xxx value
1509 */
1510
1511 static int
1512 decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1513 {
1514 int len;
1515 control_def *d;
1516
1517 for (d = controls_list;
1518 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1519 d++)
1520 {
1521 len = Ustrlen(d->name);
1522 if (Ustrncmp(d->name, arg, len) == 0) break;
1523 }
1524
1525 if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1526 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1527 {
1528 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1529 return CONTROL_ERROR;
1530 }
1531
1532 *pptr = arg + len;
1533 return d->value;
1534 }
1535
1536
1537
1538 /*************************************************
1539 * Handle conditions/modifiers on an ACL item *
1540 *************************************************/
1541
1542 /* Called from acl_check() below.
1543
1544 Arguments:
1545 verb ACL verb
1546 cb ACL condition block - if NULL, result is OK
1547 where where called from
1548 addr the address being checked for RCPT, or NULL
1549 level the nesting level
1550 epp pointer to pass back TRUE if "endpass" encountered
1551 (applies only to "accept" and "discard")
1552 user_msgptr user message pointer
1553 log_msgptr log message pointer
1554 basic_errno pointer to where to put verify error
1555
1556 Returns: OK - all conditions are met
1557 DISCARD - an "acl" condition returned DISCARD - only allowed
1558 for "accept" or "discard" verbs
1559 FAIL - at least one condition fails
1560 FAIL_DROP - an "acl" condition returned FAIL_DROP
1561 DEFER - can't tell at the moment (typically, lookup defer,
1562 but can be temporary callout problem)
1563 ERROR - ERROR from nested ACL or expansion failure or other
1564 error
1565 */
1566
1567 static int
1568 acl_check_condition(int verb, acl_condition_block *cb, int where,
1569 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1570 uschar **log_msgptr, int *basic_errno)
1571 {
1572 uschar *user_message = NULL;
1573 uschar *log_message = NULL;
1574 uschar *p;
1575 int rc = OK;
1576 #ifdef WITH_CONTENT_SCAN
1577 int sep = '/';
1578 #endif
1579
1580 for (; cb != NULL; cb = cb->next)
1581 {
1582 uschar *arg;
1583 int control_type;
1584
1585 /* The message and log_message items set up messages to be used in
1586 case of rejection. They are expanded later. */
1587
1588 if (cb->type == ACLC_MESSAGE)
1589 {
1590 user_message = cb->arg;
1591 continue;
1592 }
1593
1594 if (cb->type == ACLC_LOG_MESSAGE)
1595 {
1596 log_message = cb->arg;
1597 continue;
1598 }
1599
1600 /* The endpass "condition" just sets a flag to show it occurred. This is
1601 checked at compile time to be on an "accept" or "discard" item. */
1602
1603 if (cb->type == ACLC_ENDPASS)
1604 {
1605 *epp = TRUE;
1606 continue;
1607 }
1608
1609 /* For other conditions and modifiers, the argument is expanded now for some
1610 of them, but not for all, because expansion happens down in some lower level
1611 checking functions in some cases. */
1612
1613 if (cond_expand_at_top[cb->type])
1614 {
1615 arg = expand_string(cb->arg);
1616 if (arg == NULL)
1617 {
1618 if (expand_string_forcedfail) continue;
1619 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1620 cb->arg, expand_string_message);
1621 return search_find_defer? DEFER : ERROR;
1622 }
1623 }
1624 else arg = cb->arg;
1625
1626 /* Show condition, and expanded condition if it's different */
1627
1628 HDEBUG(D_acl)
1629 {
1630 int lhswidth = 0;
1631 debug_printf("check %s%s %n",
1632 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1633 conditions[cb->type], &lhswidth);
1634
1635 if (cb->type == ACLC_SET)
1636 {
1637 int n = cb->u.varnumber;
1638 int t = (n < ACL_C_MAX)? 'c' : 'm';
1639 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1640 debug_printf("acl_%c%d ", t, n);
1641 lhswidth += 7;
1642 }
1643
1644 debug_printf("= %s\n", cb->arg);
1645
1646 if (arg != cb->arg)
1647 debug_printf("%.*s= %s\n", lhswidth,
1648 US" ", CS arg);
1649 }
1650
1651 /* Check that this condition makes sense at this time */
1652
1653 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1654 {
1655 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1656 cond_modifiers[cb->type]? "use" : "test",
1657 conditions[cb->type], acl_wherenames[where]);
1658 return ERROR;
1659 }
1660
1661 /* Run the appropriate test for each condition, or take the appropriate
1662 action for the remaining modifiers. */
1663
1664 switch(cb->type)
1665 {
1666 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1667 "discard" verb. */
1668
1669 case ACLC_ACL:
1670 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1671 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1672 {
1673 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1674 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1675 verbs[verb]);
1676 return ERROR;
1677 }
1678 break;
1679
1680 case ACLC_AUTHENTICATED:
1681 rc = (sender_host_authenticated == NULL)? FAIL :
1682 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1683 TRUE, NULL);
1684 break;
1685
1686 #ifdef EXPERIMENTAL_BRIGHTMAIL
1687 case ACLC_BMI_OPTIN:
1688 {
1689 int old_pool = store_pool;
1690 store_pool = POOL_PERM;
1691 bmi_current_optin = string_copy(arg);
1692 store_pool = old_pool;
1693 }
1694 break;
1695 #endif
1696
1697 case ACLC_CONDITION:
1698 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1699 rc = (Uatoi(arg) == 0)? FAIL : OK;
1700 else
1701 rc = (strcmpic(arg, US"no") == 0 ||
1702 strcmpic(arg, US"false") == 0)? FAIL :
1703 (strcmpic(arg, US"yes") == 0 ||
1704 strcmpic(arg, US"true") == 0)? OK : DEFER;
1705 if (rc == DEFER)
1706 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1707 break;
1708
1709 case ACLC_CONTROL:
1710 control_type = decode_control(arg, &p, where, log_msgptr);
1711
1712 /* Check if this control makes sense at this time */
1713
1714 if ((control_forbids[control_type] & (1 << where)) != 0)
1715 {
1716 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1717 controls[control_type], acl_wherenames[where]);
1718 return ERROR;
1719 }
1720
1721 switch(control_type)
1722 {
1723 #ifdef EXPERIMENTAL_BRIGHTMAIL
1724 case CONTROL_BMI_RUN:
1725 bmi_run = 1;
1726 break;
1727 #endif
1728 #ifdef EXPERIMENTAL_DOMAINKEYS
1729 case CONTROL_DK_VERIFY:
1730 dk_do_verify = 1;
1731 break;
1732 #endif
1733 case CONTROL_ERROR:
1734 return ERROR;
1735
1736 case CONTROL_CASEFUL_LOCAL_PART:
1737 deliver_localpart = addr->cc_local_part;
1738 break;
1739
1740 case CONTROL_CASELOWER_LOCAL_PART:
1741 deliver_localpart = addr->lc_local_part;
1742 break;
1743
1744 case CONTROL_ENFORCE_SYNC:
1745 smtp_enforce_sync = TRUE;
1746 break;
1747
1748 case CONTROL_NO_ENFORCE_SYNC:
1749 smtp_enforce_sync = FALSE;
1750 break;
1751
1752 #ifdef WITH_CONTENT_SCAN
1753 case CONTROL_NO_MBOX_UNSPOOL:
1754 no_mbox_unspool = TRUE;
1755 break;
1756 #endif
1757
1758 case CONTROL_NO_MULTILINE:
1759 no_multiline_responses = TRUE;
1760 break;
1761
1762 case CONTROL_FAKEREJECT:
1763 fake_reject = TRUE;
1764 if (*p == '/')
1765 {
1766 uschar *pp = p + 1;
1767 while (*pp != 0) pp++;
1768 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1769 p = pp;
1770 }
1771 else
1772 {
1773 /* Explicitly reset to default string */
1774 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
1775 }
1776 break;
1777
1778 case CONTROL_FREEZE:
1779 deliver_freeze = TRUE;
1780 deliver_frozen_at = time(NULL);
1781 break;
1782
1783 case CONTROL_QUEUE_ONLY:
1784 queue_only_policy = TRUE;
1785 break;
1786
1787 case CONTROL_SUBMISSION:
1788 submission_mode = TRUE;
1789 while (*p == '/')
1790 {
1791 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1792 {
1793 p += 14;
1794 active_local_sender_retain = TRUE;
1795 active_local_from_check = FALSE;
1796 }
1797 else if (Ustrncmp(p, "/domain=", 8) == 0)
1798 {
1799 uschar *pp = p + 8;
1800 while (*pp != 0 && *pp != '/') pp++;
1801 submission_domain = string_copyn(p+8, pp-p);
1802 p = pp;
1803 }
1804 else break;
1805 }
1806 if (*p != 0)
1807 {
1808 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1809 return ERROR;
1810 }
1811 break;
1812 }
1813 break;
1814
1815 #ifdef WITH_CONTENT_SCAN
1816 case ACLC_DECODE:
1817 rc = mime_decode(&arg);
1818 break;
1819 #endif
1820
1821 case ACLC_DELAY:
1822 {
1823 int delay = readconf_readtime(arg, 0, FALSE);
1824 if (delay < 0)
1825 {
1826 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1827 "modifier: \"%s\" is not a time value", arg);
1828 return ERROR;
1829 }
1830 else
1831 {
1832 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1833 delay);
1834 if (host_checking)
1835 {
1836 HDEBUG(D_acl)
1837 debug_printf("delay skipped in -bh checking mode\n");
1838 }
1839 else
1840 {
1841 while (delay > 0) delay = sleep(delay);
1842 }
1843 }
1844 }
1845 break;
1846
1847 #ifdef WITH_OLD_DEMIME
1848 case ACLC_DEMIME:
1849 rc = demime(&arg);
1850 break;
1851 #endif
1852
1853 #ifdef EXPERIMENTAL_DOMAINKEYS
1854 case ACLC_DK_DOMAIN_SOURCE:
1855 if (dk_verify_block == NULL) { rc = FAIL; break; };
1856 /* check header source of domain against given string */
1857 switch (dk_verify_block->address_source) {
1858 case DK_EXIM_ADDRESS_FROM_FROM:
1859 rc = match_isinlist(US"from", &arg, 0, NULL,
1860 NULL, MCL_STRING, TRUE, NULL);
1861 break;
1862 case DK_EXIM_ADDRESS_FROM_SENDER:
1863 rc = match_isinlist(US"sender", &arg, 0, NULL,
1864 NULL, MCL_STRING, TRUE, NULL);
1865 break;
1866 case DK_EXIM_ADDRESS_NONE:
1867 rc = match_isinlist(US"none", &arg, 0, NULL,
1868 NULL, MCL_STRING, TRUE, NULL);
1869 break;
1870 }
1871 break;
1872 case ACLC_DK_POLICY:
1873 if (dk_verify_block == NULL) { rc = FAIL; break; };
1874 /* check policy against given string, default FAIL */
1875 rc = FAIL;
1876 if (dk_verify_block->signsall)
1877 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1879 if (dk_verify_block->testing)
1880 rc = match_isinlist(US"testing", &arg, 0, NULL,
1881 NULL, MCL_STRING, TRUE, NULL);
1882 break;
1883 case ACLC_DK_SENDER_DOMAINS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->domain != NULL)
1886 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1887 NULL, MCL_DOMAIN, TRUE, NULL);
1888 else rc = FAIL;
1889 break;
1890 case ACLC_DK_SENDER_LOCAL_PARTS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->local_part != NULL)
1893 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1894 NULL, MCL_LOCALPART, TRUE, NULL);
1895 else rc = FAIL;
1896 break;
1897 case ACLC_DK_SENDERS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->address != NULL)
1900 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1901 else rc = FAIL;
1902 break;
1903 case ACLC_DK_STATUS:
1904 if (dk_verify_block == NULL) { rc = FAIL; break; };
1905 if (dk_verify_block->result > 0) {
1906 switch(dk_verify_block->result) {
1907 case DK_EXIM_RESULT_BAD_FORMAT:
1908 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1909 NULL, MCL_STRING, TRUE, NULL);
1910 break;
1911 case DK_EXIM_RESULT_NO_KEY:
1912 rc = match_isinlist(US"no key", &arg, 0, NULL,
1913 NULL, MCL_STRING, TRUE, NULL);
1914 break;
1915 case DK_EXIM_RESULT_NO_SIGNATURE:
1916 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1917 NULL, MCL_STRING, TRUE, NULL);
1918 break;
1919 case DK_EXIM_RESULT_REVOKED:
1920 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1922 break;
1923 case DK_EXIM_RESULT_NON_PARTICIPANT:
1924 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1926 break;
1927 case DK_EXIM_RESULT_GOOD:
1928 rc = match_isinlist(US"good", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1930 break;
1931 case DK_EXIM_RESULT_BAD:
1932 rc = match_isinlist(US"bad", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1934 break;
1935 }
1936 }
1937 break;
1938 #endif
1939
1940 case ACLC_DNSLISTS:
1941 rc = verify_check_dnsbl(&arg);
1942 break;
1943
1944 case ACLC_DOMAINS:
1945 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1946 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1947 break;
1948
1949 /* The value in tls_cipher is the full cipher name, for example,
1950 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1951 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1952 what may in practice come out of the SSL library - which at the time of
1953 writing is poorly documented. */
1954
1955 case ACLC_ENCRYPTED:
1956 if (tls_cipher == NULL) rc = FAIL; else
1957 {
1958 uschar *endcipher = NULL;
1959 uschar *cipher = Ustrchr(tls_cipher, ':');
1960 if (cipher == NULL) cipher = tls_cipher; else
1961 {
1962 endcipher = Ustrchr(++cipher, ':');
1963 if (endcipher != NULL) *endcipher = 0;
1964 }
1965 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1966 if (endcipher != NULL) *endcipher = ':';
1967 }
1968 break;
1969
1970 /* Use verify_check_this_host() instead of verify_check_host() so that
1971 we can pass over &host_data to catch any looked up data. Once it has been
1972 set, it retains its value so that it's still there if another ACL verb
1973 comes through here and uses the cache. However, we must put it into
1974 permanent store in case it is also expected to be used in a subsequent
1975 message in the same SMTP connection. */
1976
1977 case ACLC_HOSTS:
1978 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1979 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1980 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1981 break;
1982
1983 case ACLC_LOCAL_PARTS:
1984 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1985 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1986 &deliver_localpart_data);
1987 break;
1988
1989 case ACLC_LOGWRITE:
1990 {
1991 int logbits = 0;
1992 uschar *s = arg;
1993 if (*s == ':')
1994 {
1995 s++;
1996 while (*s != ':')
1997 {
1998 if (Ustrncmp(s, "main", 4) == 0)
1999 { logbits |= LOG_MAIN; s += 4; }
2000 else if (Ustrncmp(s, "panic", 5) == 0)
2001 { logbits |= LOG_PANIC; s += 5; }
2002 else if (Ustrncmp(s, "reject", 6) == 0)
2003 { logbits |= LOG_REJECT; s += 6; }
2004 else
2005 {
2006 logbits = LOG_MAIN|LOG_PANIC;
2007 s = string_sprintf(":unknown log name in \"%s\" in "
2008 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2009 }
2010 if (*s == ',') s++;
2011 }
2012 s++;
2013 }
2014 while (isspace(*s)) s++;
2015 if (logbits == 0) logbits = LOG_MAIN;
2016 log_write(0, logbits, "%s", string_printing(s));
2017 }
2018 break;
2019
2020 #ifdef WITH_CONTENT_SCAN
2021 case ACLC_MALWARE:
2022 {
2023 /* Seperate the regular expression and any optional parameters. */
2024 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2025 /* Run the malware backend. */
2026 rc = malware(&ss);
2027 /* Modify return code based upon the existance of options. */
2028 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2029 != NULL) {
2030 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2031 {
2032 /* FAIL so that the message is passed to the next ACL */
2033 rc = FAIL;
2034 }
2035 }
2036 }
2037 break;
2038
2039 case ACLC_MIME_REGEX:
2040 rc = mime_regex(&arg);
2041 break;
2042 #endif
2043
2044 case ACLC_RECIPIENTS:
2045 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2046 &recipient_data);
2047 break;
2048
2049 #ifdef WITH_CONTENT_SCAN
2050 case ACLC_REGEX:
2051 rc = regex(&arg);
2052 break;
2053 #endif
2054
2055 case ACLC_SENDER_DOMAINS:
2056 {
2057 uschar *sdomain;
2058 sdomain = Ustrrchr(sender_address, '@');
2059 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2060 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2061 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2062 }
2063 break;
2064
2065 case ACLC_SENDERS:
2066 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2067 sender_address_cache, -1, 0, &sender_data);
2068 break;
2069
2070 /* Connection variables must persist forever */
2071
2072 case ACLC_SET:
2073 {
2074 int old_pool = store_pool;
2075 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2076 acl_var[cb->u.varnumber] = string_copy(arg);
2077 store_pool = old_pool;
2078 }
2079 break;
2080
2081 #ifdef WITH_CONTENT_SCAN
2082 case ACLC_SPAM:
2083 {
2084 /* Seperate the regular expression and any optional parameters. */
2085 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2086 /* Run the spam backend. */
2087 rc = spam(&ss);
2088 /* Modify return code based upon the existance of options. */
2089 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2090 != NULL) {
2091 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2092 {
2093 /* FAIL so that the message is passed to the next ACL */
2094 rc = FAIL;
2095 }
2096 }
2097 }
2098 break;
2099 #endif
2100
2101 #ifdef EXPERIMENTAL_SPF
2102 case ACLC_SPF:
2103 rc = spf_process(&arg, sender_address);
2104 break;
2105 #endif
2106
2107 /* If the verb is WARN, discard any user message from verification, because
2108 such messages are SMTP responses, not header additions. The latter come
2109 only from explicit "message" modifiers. */
2110
2111 case ACLC_VERIFY:
2112 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2113 if (verb == ACL_WARN) *user_msgptr = NULL;
2114 break;
2115
2116 default:
2117 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2118 "condition %d", cb->type);
2119 break;
2120 }
2121
2122 /* If a condition was negated, invert OK/FAIL. */
2123
2124 if (!cond_modifiers[cb->type] && cb->u.negated)
2125 {
2126 if (rc == OK) rc = FAIL;
2127 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2128 }
2129
2130 if (rc != OK) break; /* Conditions loop */
2131 }
2132
2133
2134 /* If the result is the one for which "message" and/or "log_message" are used,
2135 handle the values of these options. Most verbs have but a single return for
2136 which the messages are relevant, but for "discard", it's useful to have the log
2137 message both when it succeeds and when it fails. Also, for an "accept" that
2138 appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2139 and "warn" are permitted in that ACL, we don't need to test the verb.
2140
2141 These modifiers act in different ways:
2142
2143 "message" is a user message that will be included in an SMTP response. Unless
2144 it is empty, it overrides any previously set user message.
2145
2146 "log_message" is a non-user message, and it adds to any existing non-user
2147 message that is already set.
2148
2149 If there isn't a log message set, we make it the same as the user message. */
2150
2151 if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2152 (verb == ACL_DISCARD && rc == OK) ||
2153 (where == ACL_WHERE_QUIT))
2154 {
2155 uschar *expmessage;
2156
2157 /* If the verb is "warn", messages generated by conditions (verification or
2158 nested ACLs) are discarded. Only messages specified at this level are used.
2159 However, the value of an existing message is available in $acl_verify_message
2160 during expansions. */
2161
2162 uschar *old_user_msgptr = *user_msgptr;
2163 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2164
2165 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2166
2167 if (user_message != NULL)
2168 {
2169 acl_verify_message = old_user_msgptr;
2170 expmessage = expand_string(user_message);
2171 if (expmessage == NULL)
2172 {
2173 if (!expand_string_forcedfail)
2174 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2175 user_message, expand_string_message);
2176 }
2177 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2178 }
2179
2180 if (log_message != NULL)
2181 {
2182 acl_verify_message = old_log_msgptr;
2183 expmessage = expand_string(log_message);
2184 if (expmessage == NULL)
2185 {
2186 if (!expand_string_forcedfail)
2187 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2188 log_message, expand_string_message);
2189 }
2190 else if (expmessage[0] != 0)
2191 {
2192 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2193 string_sprintf("%s: %s", expmessage, *log_msgptr);
2194 }
2195 }
2196
2197 /* If no log message, default it to the user message */
2198
2199 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2200 }
2201
2202 acl_verify_message = NULL;
2203 return rc;
2204 }
2205
2206
2207
2208
2209
2210 /*************************************************
2211 * Get line from a literal ACL *
2212 *************************************************/
2213
2214 /* This function is passed to acl_read() in order to extract individual lines
2215 of a literal ACL, which we access via static pointers. We can destroy the
2216 contents because this is called only once (the compiled ACL is remembered).
2217
2218 This code is intended to treat the data in the same way as lines in the main
2219 Exim configuration file. That is:
2220
2221 . Leading spaces are ignored.
2222
2223 . A \ at the end of a line is a continuation - trailing spaces after the \
2224 are permitted (this is because I don't believe in making invisible things
2225 significant). Leading spaces on the continued part of a line are ignored.
2226
2227 . Physical lines starting (significantly) with # are totally ignored, and
2228 may appear within a sequence of backslash-continued lines.
2229
2230 . Blank lines are ignored, but will end a sequence of continuations.
2231
2232 Arguments: none
2233 Returns: a pointer to the next line
2234 */
2235
2236
2237 static uschar *acl_text; /* Current pointer in the text */
2238 static uschar *acl_text_end; /* Points one past the terminating '0' */
2239
2240
2241 static uschar *
2242 acl_getline(void)
2243 {
2244 uschar *yield;
2245
2246 /* This loop handles leading blank lines and comments. */
2247
2248 for(;;)
2249 {
2250 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2251 if (*acl_text == 0) return NULL; /* No more data */
2252 yield = acl_text; /* Potential data line */
2253
2254 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2255
2256 /* If we hit the end before a newline, we have the whole logical line. If
2257 it's a comment, there's no more data to be given. Otherwise, yield it. */
2258
2259 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2260
2261 /* After reaching a newline, end this loop if the physical line does not
2262 start with '#'. If it does, it's a comment, and the loop continues. */
2263
2264 if (*yield != '#') break;
2265 }
2266
2267 /* This loop handles continuations. We know we have some real data, ending in
2268 newline. See if there is a continuation marker at the end (ignoring trailing
2269 white space). We know that *yield is not white space, so no need to test for
2270 cont > yield in the backwards scanning loop. */
2271
2272 for(;;)
2273 {
2274 uschar *cont;
2275 for (cont = acl_text - 1; isspace(*cont); cont--);
2276
2277 /* If no continuation follows, we are done. Mark the end of the line and
2278 return it. */
2279
2280 if (*cont != '\\')
2281 {
2282 *acl_text++ = 0;
2283 return yield;
2284 }
2285
2286 /* We have encountered a continuation. Skip over whitespace at the start of
2287 the next line, and indeed the whole of the next line or lines if they are
2288 comment lines. */
2289
2290 for (;;)
2291 {
2292 while (*(++acl_text) == ' ' || *acl_text == '\t');
2293 if (*acl_text != '#') break;
2294 while (*(++acl_text) != 0 && *acl_text != '\n');
2295 }
2296
2297 /* We have the start of a continuation line. Move all the rest of the data
2298 to join onto the previous line, and then find its end. If the end is not a
2299 newline, we are done. Otherwise loop to look for another continuation. */
2300
2301 memmove(cont, acl_text, acl_text_end - acl_text);
2302 acl_text_end -= acl_text - cont;
2303 acl_text = cont;
2304 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2305 if (*acl_text == 0) return yield;
2306 }
2307
2308 /* Control does not reach here */
2309 }
2310
2311
2312
2313
2314
2315 /*************************************************
2316 * Check access using an ACL *
2317 *************************************************/
2318
2319 /* This function is called from address_check. It may recurse via
2320 acl_check_condition() - hence the use of a level to stop looping. The ACL is
2321 passed as a string which is expanded. A forced failure implies no access check
2322 is required. If the result is a single word, it is taken as the name of an ACL
2323 which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2324 text, complete with newlines, and parsed as such. In both cases, the ACL check
2325 is then run. This function uses an auxiliary function for acl_read() to call
2326 for reading individual lines of a literal ACL. This is acl_getline(), which
2327 appears immediately above.
2328
2329 Arguments:
2330 where where called from
2331 addr address item when called from RCPT; otherwise NULL
2332 s the input string; NULL is the same as an empty ACL => DENY
2333 level the nesting level
2334 user_msgptr where to put a user error (for SMTP response)
2335 log_msgptr where to put a logging message (not for SMTP response)
2336
2337 Returns: OK access is granted
2338 DISCARD access is apparently granted...
2339 FAIL access is denied
2340 FAIL_DROP access is denied; drop the connection
2341 DEFER can't tell at the moment
2342 ERROR disaster
2343 */
2344
2345 static int
2346 acl_check_internal(int where, address_item *addr, uschar *s, int level,
2347 uschar **user_msgptr, uschar **log_msgptr)
2348 {
2349 int fd = -1;
2350 acl_block *acl = NULL;
2351 uschar *acl_name = US"inline ACL";
2352 uschar *ss;
2353
2354 /* Catch configuration loops */
2355
2356 if (level > 20)
2357 {
2358 *log_msgptr = US"ACL nested too deep: possible loop";
2359 return ERROR;
2360 }
2361
2362 if (s == NULL)
2363 {
2364 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2365 return FAIL;
2366 }
2367
2368 /* At top level, we expand the incoming string. At lower levels, it has already
2369 been expanded as part of condition processing. */
2370
2371 if (level == 0)
2372 {
2373 ss = expand_string(s);
2374 if (ss == NULL)
2375 {
2376 if (expand_string_forcedfail) return OK;
2377 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2378 expand_string_message);
2379 return ERROR;
2380 }
2381 }
2382 else ss = s;
2383
2384 while (isspace(*ss))ss++;
2385
2386 /* If we can't find a named ACL, the default is to parse it as an inline one.
2387 (Unless it begins with a slash; non-existent files give rise to an error.) */
2388
2389 acl_text = ss;
2390
2391 /* Handle the case of a string that does not contain any spaces. Look for a
2392 named ACL among those read from the configuration, or a previously read file.
2393 It is possible that the pointer to the ACL is NULL if the configuration
2394 contains a name with no data. If not found, and the text begins with '/',
2395 read an ACL from a file, and save it so it can be re-used. */
2396
2397 if (Ustrchr(ss, ' ') == NULL)
2398 {
2399 tree_node *t = tree_search(acl_anchor, ss);
2400 if (t != NULL)
2401 {
2402 acl = (acl_block *)(t->data.ptr);
2403 if (acl == NULL)
2404 {
2405 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2406 return FAIL;
2407 }
2408 acl_name = string_sprintf("ACL \"%s\"", ss);
2409 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2410 }
2411
2412 else if (*ss == '/')
2413 {
2414 struct stat statbuf;
2415 fd = Uopen(ss, O_RDONLY, 0);
2416 if (fd < 0)
2417 {
2418 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2419 strerror(errno));
2420 return ERROR;
2421 }
2422
2423 if (fstat(fd, &statbuf) != 0)
2424 {
2425 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2426 strerror(errno));
2427 return ERROR;
2428 }
2429
2430 acl_text = store_get(statbuf.st_size + 1);
2431 acl_text_end = acl_text + statbuf.st_size + 1;
2432
2433 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2434 {
2435 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2436 ss, strerror(errno));
2437 return ERROR;
2438 }
2439 acl_text[statbuf.st_size] = 0;
2440 close(fd);
2441
2442 acl_name = string_sprintf("ACL \"%s\"", ss);
2443 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2444 }
2445 }
2446
2447 /* Parse an ACL that is still in text form. If it came from a file, remember it
2448 in the ACL tree, having read it into the POOL_PERM store pool so that it
2449 persists between multiple messages. */
2450
2451 if (acl == NULL)
2452 {
2453 int old_pool = store_pool;
2454 if (fd >= 0) store_pool = POOL_PERM;
2455 acl = acl_read(acl_getline, log_msgptr);
2456 store_pool = old_pool;
2457 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2458 if (fd >= 0)
2459 {
2460 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2461 Ustrcpy(t->name, ss);
2462 t->data.ptr = acl;
2463 (void)tree_insertnode(&acl_anchor, t);
2464 }
2465 }
2466
2467 /* Now we have an ACL to use. It's possible it may be NULL. */
2468
2469 while (acl != NULL)
2470 {
2471 int cond;
2472 int basic_errno = 0;
2473 BOOL endpass_seen = FALSE;
2474
2475 *log_msgptr = *user_msgptr = NULL;
2476 acl_temp_details = FALSE;
2477
2478 if (where == ACL_WHERE_QUIT &&
2479 acl->verb != ACL_ACCEPT &&
2480 acl->verb != ACL_WARN)
2481 {
2482 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2483 verbs[acl->verb]);
2484 return ERROR;
2485 }
2486
2487 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2488
2489 /* Clear out any search error message from a previous check before testing
2490 this condition. */
2491
2492 search_error_message = NULL;
2493 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2494 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2495
2496 /* Handle special returns: DEFER causes a return except on a WARN verb;
2497 ERROR always causes a return. */
2498
2499 switch (cond)
2500 {
2501 case DEFER:
2502 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2503 if (basic_errno != ERRNO_CALLOUTDEFER)
2504 {
2505 if (search_error_message != NULL && *search_error_message != 0)
2506 *log_msgptr = search_error_message;
2507 if (smtp_return_error_details) acl_temp_details = TRUE;
2508 }
2509 else
2510 {
2511 acl_temp_details = TRUE;
2512 }
2513 if (acl->verb != ACL_WARN) return DEFER;
2514 break;
2515
2516 default: /* Paranoia */
2517 case ERROR:
2518 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2519 return ERROR;
2520
2521 case OK:
2522 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2523 verbs[acl->verb]);
2524 break;
2525
2526 case FAIL:
2527 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2528 break;
2529
2530 /* DISCARD and DROP can happen only from a nested ACL condition, and
2531 DISCARD can happen only for an "accept" or "discard" verb. */
2532
2533 case DISCARD:
2534 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2535 verbs[acl->verb]);
2536 break;
2537
2538 case FAIL_DROP:
2539 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2540 verbs[acl->verb]);
2541 break;
2542 }
2543
2544 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2545 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2546 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2547
2548 switch(acl->verb)
2549 {
2550 case ACL_ACCEPT:
2551 if (cond == OK || cond == DISCARD) return cond;
2552 if (endpass_seen)
2553 {
2554 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2555 return cond;
2556 }
2557 break;
2558
2559 case ACL_DEFER:
2560 if (cond == OK)
2561 {
2562 acl_temp_details = TRUE;
2563 return DEFER;
2564 }
2565 break;
2566
2567 case ACL_DENY:
2568 if (cond == OK) return FAIL;
2569 break;
2570
2571 case ACL_DISCARD:
2572 if (cond == OK || cond == DISCARD) return DISCARD;
2573 if (endpass_seen)
2574 {
2575 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2576 return cond;
2577 }
2578 break;
2579
2580 case ACL_DROP:
2581 if (cond == OK) return FAIL_DROP;
2582 break;
2583
2584 case ACL_REQUIRE:
2585 if (cond != OK) return cond;
2586 break;
2587
2588 case ACL_WARN:
2589 if (cond == OK)
2590 acl_warn(where, *user_msgptr, *log_msgptr);
2591 else if (cond == DEFER)
2592 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2593 "condition test deferred: %s",
2594 (*log_msgptr == NULL)? US"" : *log_msgptr));
2595 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2596 break;
2597
2598 default:
2599 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2600 acl->verb);
2601 break;
2602 }
2603
2604 /* Pass to the next ACL item */
2605
2606 acl = acl->next;
2607 }
2608
2609 /* We have reached the end of the ACL. This is an implicit DENY. */
2610
2611 HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2612 return FAIL;
2613 }
2614
2615
2616 /*************************************************
2617 * Check access using an ACL *
2618 *************************************************/
2619
2620 /* This is the external interface for ACL checks. It sets up an address and the
2621 expansions for $domain and $local_part when called after RCPT, then calls
2622 acl_check_internal() to do the actual work.
2623
2624 Arguments:
2625 where ACL_WHERE_xxxx indicating where called from
2626 data_string RCPT address, or SMTP command argument, or NULL
2627 s the input string; NULL is the same as an empty ACL => DENY
2628 user_msgptr where to put a user error (for SMTP response)
2629 log_msgptr where to put a logging message (not for SMTP response)
2630
2631 Returns: OK access is granted by an ACCEPT verb
2632 DISCARD access is granted by a DISCARD verb
2633 FAIL access is denied
2634 FAIL_DROP access is denied; drop the connection
2635 DEFER can't tell at the moment
2636 ERROR disaster
2637 */
2638
2639 int
2640 acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2641 uschar **log_msgptr)
2642 {
2643 int rc;
2644 address_item adb;
2645 address_item *addr;
2646
2647 *user_msgptr = *log_msgptr = NULL;
2648 sender_verified_failed = NULL;
2649
2650 if (where == ACL_WHERE_RCPT)
2651 {
2652 adb = address_defaults;
2653 addr = &adb;
2654 addr->address = data_string;
2655 if (deliver_split_address(addr) == DEFER)
2656 {
2657 *log_msgptr = US"defer in percent_hack_domains check";
2658 return DEFER;
2659 }
2660 deliver_domain = addr->domain;
2661 deliver_localpart = addr->local_part;
2662 }
2663 else
2664 {
2665 addr = NULL;
2666 smtp_command_argument = data_string;
2667 }
2668
2669 rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2670
2671 smtp_command_argument = deliver_domain =
2672 deliver_localpart = deliver_address_data = sender_address_data = NULL;
2673
2674 /* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2675 ACL, which is really in the middle of an SMTP command. */
2676
2677 if (rc == DISCARD)
2678 {
2679 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2680 {
2681 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2682 "ACL", acl_wherenames[where]);
2683 return ERROR;
2684 }
2685 return DISCARD;
2686 }
2687
2688 /* A DROP response is not permitted from MAILAUTH */
2689
2690 if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2691 {
2692 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2693 "ACL", acl_wherenames[where]);
2694 return ERROR;
2695 }
2696
2697 /* Before giving an error response, take a look at the length of any user
2698 message, and split it up into multiple lines if possible. */
2699
2700 if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2701 {
2702 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2703 uschar *ss = s;
2704
2705 for (;;)
2706 {
2707 int i = 0;
2708 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2709 if (*ss == 0) break;
2710 if (*ss == '\n')
2711 s = ++ss;
2712 else
2713 {
2714 uschar *t = ss + 1;
2715 uschar *tt = NULL;
2716 while (--t > s + 35)
2717 {
2718 if (*t == ' ')
2719 {
2720 if (t[-1] == ':') { tt = t; break; }
2721 if (tt == NULL) tt = t;
2722 }
2723 }
2724
2725 if (tt == NULL) /* Can't split behind - try ahead */
2726 {
2727 t = ss + 1;
2728 while (*t != 0)
2729 {
2730 if (*t == ' ' || *t == '\n')
2731 { tt = t; break; }
2732 t++;
2733 }
2734 }
2735
2736 if (tt == NULL) break; /* Can't find anywhere to split */
2737 *tt = '\n';
2738 s = ss = tt+1;
2739 }
2740 }
2741 }
2742
2743 return rc;
2744 }
2745
2746 /* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.