projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Reset locale after calling embedded Perl, in case it was changed.
[exim.git] / src / src / acl.c
CommitLineData
f7b63901 1/* $Cambridge: exim/src/src/acl.c,v 1.7 2004/12/17 14:52:44 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
7/* Copyright (c) University of Cambridge 1995 - 2004 */
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK		 37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
48#endif
49 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
50 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
51#ifdef WITH_CONTENT_SCAN
52 ACLC_MALWARE,
53#endif
54 ACLC_MESSAGE,
55#ifdef WITH_CONTENT_SCAN
56 ACLC_MIME_REGEX,
57#endif
58 ACLC_RECIPIENTS,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_REGEX,
61#endif
62 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_SPAM,
65#endif
66#ifdef EXPERIMENTAL_SPF
67 ACLC_SPF,
68#endif
69 ACLC_VERIFY };
059ec3d9
PH		 70
71/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
72"log_message", "logwrite", and "set" are modifiers that look like conditions
73but always return TRUE. They are used for their side effects. */
74
8523533c
TK		 75static uschar *conditions[] = { US"acl", US"authenticated",
76#ifdef EXPERIMENTAL_BRIGHTMAIL
77 US"bmi_optin",
78#endif
79 US"condition",
80 US"control",
81#ifdef WITH_CONTENT_SCAN
82 US"decode",
83#endif
84 US"delay",
85#ifdef WITH_OLD_DEMIME
86 US"demime",
87#endif
88 US"dnslists", US"domains", US"encrypted",
059ec3d9 89 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 90#ifdef WITH_CONTENT_SCAN
91 US"malware",
92#endif
93 US"message",
94#ifdef WITH_CONTENT_SCAN
95 US"mime_regex",
96#endif
97 US"recipients",
98#ifdef WITH_CONTENT_SCAN
99 US"regex",
100#endif
101 US"sender_domains", US"senders", US"set",
102#ifdef WITH_CONTENT_SCAN
103 US"spam",
104#endif
105#ifdef EXPERIMENTAL_SPF
106 US"spf",
107#endif
059ec3d9 108 US"verify" };
c5fcb476
PH		 109
110/* ACL control names */
111
112static uschar *controls[] = { US"error", US"caseful_local_part",
113 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
114 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 115
116/* Flags to indicate for which conditions /modifiers a string expansion is done
117at the outer level. In the other cases, expansion already occurs in the
118checking functions. */
119
120static uschar cond_expand_at_top[] = {
121 TRUE, /* acl */
122 FALSE, /* authenticated */
8523533c
TK		 123#ifdef EXPERIMENTAL_BRIGHTMAIL
124 TRUE, /* bmi_optin */
125#endif
059ec3d9
PH		 126 TRUE, /* condition */
127 TRUE, /* control */
8523533c
TK		 128#ifdef WITH_CONTENT_SCAN
129 TRUE, /* decode */
130#endif
059ec3d9 131 TRUE, /* delay */
8523533c
TK		 132#ifdef WITH_OLD_DEMIME
133 TRUE, /* demime */
134#endif
059ec3d9
PH		 135 TRUE, /* dnslists */
136 FALSE, /* domains */
137 FALSE, /* encrypted */
138 TRUE, /* endpass */
139 FALSE, /* hosts */
140 FALSE, /* local_parts */
141 TRUE, /* log_message */
142 TRUE, /* logwrite */
8523533c
TK		 143#ifdef WITH_CONTENT_SCAN
144 TRUE, /* malware */
145#endif
059ec3d9 146 TRUE, /* message */
8523533c
TK		 147#ifdef WITH_CONTENT_SCAN
148 TRUE, /* mime_regex */
149#endif
059ec3d9 150 FALSE, /* recipients */
8523533c
TK		 151#ifdef WITH_CONTENT_SCAN
152 TRUE, /* regex */
153#endif
059ec3d9
PH		 154 FALSE, /* sender_domains */
155 FALSE, /* senders */
156 TRUE, /* set */
8523533c
TK		 157#ifdef WITH_CONTENT_SCAN
158 TRUE, /* spam */
159#endif
160#ifdef EXPERIMENTAL_SPF
161 TRUE, /* spf */
162#endif
059ec3d9
PH		 163 TRUE /* verify */
164};
165
166/* Flags to identify the modifiers */
167
168static uschar cond_modifiers[] = {
169 FALSE, /* acl */
170 FALSE, /* authenticated */
8523533c
TK		 171#ifdef EXPERIMENTAL_BRIGHTMAIL
172 TRUE, /* bmi_optin */
173#endif
059ec3d9
PH		 174 FALSE, /* condition */
175 TRUE, /* control */
8523533c
TK		 176#ifdef WITH_CONTENT_SCAN
177 FALSE, /* decode */
178#endif
059ec3d9 179 TRUE, /* delay */
8523533c
TK		 180#ifdef WITH_OLD_DEMIME
181 FALSE, /* demime */
182#endif
059ec3d9
PH		 183 FALSE, /* dnslists */
184 FALSE, /* domains */
185 FALSE, /* encrypted */
186 TRUE, /* endpass */
187 FALSE, /* hosts */
188 FALSE, /* local_parts */
189 TRUE, /* log_message */
8523533c
TK		 190 TRUE, /* logwrite */
191#ifdef WITH_CONTENT_SCAN
192 FALSE, /* malware */
193#endif
059ec3d9 194 TRUE, /* message */
8523533c
TK		 195#ifdef WITH_CONTENT_SCAN
196 FALSE, /* mime_regex */
197#endif
059ec3d9 198 FALSE, /* recipients */
8523533c
TK		 199#ifdef WITH_CONTENT_SCAN
200 FALSE, /* regex */
201#endif
059ec3d9
PH		 202 FALSE, /* sender_domains */
203 FALSE, /* senders */
204 TRUE, /* set */
8523533c
TK		 205#ifdef WITH_CONTENT_SCAN
206 FALSE, /* spam */
207#endif
208#ifdef EXPERIMENTAL_SPF
209 FALSE, /* spf */
210#endif
059ec3d9
PH		 211 FALSE /* verify */
212};
213
c5fcb476
PH		 214/* Bit map vector of which conditions are not allowed at certain times. For
215each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH		 216
217static unsigned int cond_forbids[] = {
218 0, /* acl */
219 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
220 (1<<ACL_WHERE_HELO),
8523533c
TK		 221
222#ifdef EXPERIMENTAL_BRIGHTMAIL
223 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* bmi_optin */
224 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
225 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
226 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
227 (1<<ACL_WHERE_MAILAUTH)|
228 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
229 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
230#endif
231
059ec3d9 232 0, /* condition */
8523533c 233
059ec3d9
PH		 234 /* Certain types of control are always allowed, so we let it through
235 always and check in the control processing itself */
8523533c 236
059ec3d9 237 0, /* control */
8523533c
TK		 238
239#ifdef WITH_CONTENT_SCAN
240 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* decode */
241 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
242 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
243 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
244 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
245 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
246 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
247#endif
248
059ec3d9 249 0, /* delay */
8523533c 250
f7b63901 251#ifdef WITH_OLD_DEMIME
8523533c
TK		 252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* demime */
253 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
254 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
255 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
256 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
257 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
258 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
259#endif
260
059ec3d9
PH		 261 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
262
263 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
264 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
265 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
266 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
267 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
268 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
269 (1<<ACL_WHERE_VRFY),
270
271 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
272 (1<<ACL_WHERE_HELO),
273 0, /* endpass */
274 (1<<ACL_WHERE_NOTSMTP), /* hosts */
275
276 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
277 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
278 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
279 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
280 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
281 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
282 (1<<ACL_WHERE_VRFY),
283
284 0, /* log_message */
285 0, /* logwrite */
8523533c
TK		 286
287#ifdef WITH_CONTENT_SCAN
288 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* malware */
289 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
290 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
291 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
292 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
293 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
294 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
295#endif
296
059ec3d9
PH		 297 0, /* message */
298
8523533c
TK		 299#ifdef WITH_CONTENT_SCAN
300 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* mime_regex */
301 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
302 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
303 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
304 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
305 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
306 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
307#endif
308
059ec3d9
PH		 309 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
310 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
311 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
312 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
313 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
314 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
315 (1<<ACL_WHERE_VRFY),
316
8523533c
TK		 317#ifdef WITH_CONTENT_SCAN
318 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* regex */
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
325#endif
326
059ec3d9
PH		 327 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
328 (1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
332
333 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
334 (1<<ACL_WHERE_HELO)|
335 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
336 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
337 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
338
339 0, /* set */
340
8523533c
TK		 341#ifdef WITH_CONTENT_SCAN
342 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* spam */
343 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
344 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
345 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
346 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
347 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
348 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
349#endif
350
351#ifdef EXPERIMENTAL_SPF
352 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
353 (1<<ACL_WHERE_HELO)|
354 (1<<ACL_WHERE_MAILAUTH)|
355 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
356 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
357#endif
358
059ec3d9
PH		 359 /* Certain types of verify are always allowed, so we let it through
360 always and check in the verify function itself */
361
362 0 /* verify */
059ec3d9
PH		 363};
364
365
366/* Return values from decode_control() */
367
8523533c
TK		 368enum {
369#ifdef EXPERIMENTAL_BRIGHTMAIL
370 CONTROL_BMI_RUN,
371#endif
372 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 373 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK		 374 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
375#ifdef WITH_CONTENT_SCAN
376 CONTROL_NO_MBOX_UNSPOOL, CONTROL_FAKEREJECT,
377#endif
378 CONTROL_NO_MULTILINE };
059ec3d9 379
c5fcb476
PH		 380/* Bit map vector of which controls are not allowed at certain times. For
381each control, there's a bitmap of dis-allowed times. For some, it is easier to
382specify the negation of a small number of allowed times. */
383
384static unsigned int control_forbids[] = {
8523533c
TK		 385#ifdef EXPERIMENTAL_BRIGHTMAIL
386 0, /* bmi_run */
387#endif
c5fcb476
PH		 388 0, /* error */
389 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
390 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
391 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
392 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
393
394 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
395 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
396 (1<<ACL_WHERE_NOTSMTP)),
397
398 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
399 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
400 (1<<ACL_WHERE_NOTSMTP)),
401
402 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
403 (1<<ACL_WHERE_PREDATA)),
8523533c
TK		 404
405#ifdef WITH_CONTENT_SCAN
406 (1<<ACL_WHERE_NOTSMTP), /* no_mbox_unspool */
407 (1<<ACL_WHERE_NOTSMTP), /* fakereject */
408#endif
409
c5fcb476
PH		 410 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
411};
412
413/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 414
415typedef struct control_def {
416 uschar *name;
417 int value; /* CONTROL_xxx value */
059ec3d9
PH		 418 BOOL has_option; /* Has /option(s) following */
419} control_def;
420
421static control_def controls_list[] = {
8523533c
TK		 422#ifdef EXPERIMENTAL_BRIGHTMAIL
423 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
424#endif
c5fcb476
PH		 425 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
426 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
427 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
428 { US"freeze", CONTROL_FREEZE, FALSE},
429 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
430 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
431 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK		 432#ifdef WITH_CONTENT_SCAN
433 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
434 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
435#endif
c5fcb476 436 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 437 };
438
439/* Enable recursion between acl_check_internal() and acl_check_condition() */
440
441static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
442 uschar **);
443
444
445/*************************************************
446* Pick out name from list *
447*************************************************/
448
449/* Use a binary chop method
450
451Arguments:
452 name name to find
453 list list of names
454 end size of list
455
456Returns: offset in list, or -1 if not found
457*/
458
459static int
460acl_checkname(uschar *name, uschar **list, int end)
461{
462int start = 0;
463
464while (start < end)
465 {
466 int mid = (start + end)/2;
467 int c = Ustrcmp(name, list[mid]);
468 if (c == 0) return mid;
469 if (c < 0) end = mid; else start = mid + 1;
470 }
471
472return -1;
473}
474
475
476/*************************************************
477* Read and parse one ACL *
478*************************************************/
479
480/* This function is called both from readconf in order to parse the ACLs in the
481configuration file, and also when an ACL is encountered dynamically (e.g. as
482the result of an expansion). It is given a function to call in order to
483retrieve the lines of the ACL. This function handles skipping comments and
484blank lines (where relevant).
485
486Arguments:
487 func function to get next line of ACL
488 error where to put an error message
489
490Returns: pointer to ACL, or NULL
491 NULL can be legal (empty ACL); in this case error will be NULL
492*/
493
494acl_block *
495acl_read(uschar *(*func)(void), uschar **error)
496{
497acl_block *yield = NULL;
498acl_block **lastp = &yield;
499acl_block *this = NULL;
500acl_condition_block *cond;
501acl_condition_block **condp = NULL;
502uschar *s;
503
504*error = NULL;
505
506while ((s = (*func)()) != NULL)
507 {
508 int v, c;
509 BOOL negated = FALSE;
510 uschar *saveline = s;
511 uschar name[64];
512
513 /* Conditions (but not verbs) are allowed to be negated by an initial
514 exclamation mark. */
515
516 while (isspace(*s)) s++;
517 if (*s == '!')
518 {
519 negated = TRUE;
520 s++;
521 }
522
523 /* Read the name of a verb or a condition, or the start of a new ACL */
524
525 s = readconf_readname(name, sizeof(name), s);
526 if (*s == ':')
527 {
528 if (negated || name[0] == 0)
529 {
530 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
531 return NULL;
532 }
533 break;
534 }
535
536 /* If a verb is unrecognized, it may be another condition or modifier that
537 continues the previous verb. */
538
539 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
540 if (v < 0)
541 {
542 if (this == NULL)
543 {
544 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
545 return NULL;
546 }
547 }
548
549 /* New verb */
550
551 else
552 {
553 if (negated)
554 {
555 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
556 return NULL;
557 }
558 this = store_get(sizeof(acl_block));
559 *lastp = this;
560 lastp = &(this->next);
561 this->next = NULL;
562 this->verb = v;
563 this->condition = NULL;
564 condp = &(this->condition);
565 if (*s == 0) continue; /* No condition on this line */
566 if (*s == '!')
567 {
568 negated = TRUE;
569 s++;
570 }
571 s = readconf_readname(name, sizeof(name), s); /* Condition name */
572 }
573
574 /* Handle a condition or modifier. */
575
576 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
577 if (c < 0)
578 {
579 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
580 saveline);
581 return NULL;
582 }
583
584 /* The modifiers may not be negated */
585
586 if (negated && cond_modifiers[c])
587 {
588 *error = string_sprintf("ACL error: negation is not allowed with "
589 "\"%s\"", conditions[c]);
590 return NULL;
591 }
592
593 /* ENDPASS may occur only with ACCEPT or DISCARD. */
594
595 if (c == ACLC_ENDPASS &&
596 this->verb != ACL_ACCEPT &&
597 this->verb != ACL_DISCARD)
598 {
599 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
600 conditions[c], verbs[this->verb]);
601 return NULL;
602 }
603
604 cond = store_get(sizeof(acl_condition_block));
605 cond->next = NULL;
606 cond->type = c;
607 cond->u.negated = negated;
608
609 *condp = cond;
610 condp = &(cond->next);
611
612 /* The "set" modifier is different in that its argument is "name=value"
613 rather than just a value, and we can check the validity of the name, which
614 gives us a variable number to insert into the data block. */
615
616 if (c == ACLC_SET)
617 {
618 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
619 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
620 {
621 *error = string_sprintf("unrecognized name after \"set\" in ACL "
622 "modifier \"set %s\"", s);
623 return NULL;
624 }
625
626 cond->u.varnumber = s[5] - '0';
627 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
628 s += 6;
629 while (isspace(*s)) s++;
630 }
631
632 /* For "set", we are now positioned for the data. For the others, only
633 "endpass" has no data */
634
635 if (c != ACLC_ENDPASS)
636 {
637 if (*s++ != '=')
638 {
639 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
640 cond_modifiers[c]? US"modifier" : US"condition");
641 return NULL;
642 }
643 while (isspace(*s)) s++;
644 cond->arg = string_copy(s);
645 }
646 }
647
648return yield;
649}
650
651
652
653/*************************************************
654* Handle warnings *
655*************************************************/
656
657/* This function is called when a WARN verb's conditions are true. It adds to
658the message's headers, and/or writes information to the log. In each case, this
659only happens once (per message for headers, per connection for log).
660
661Arguments:
662 where ACL_WHERE_xxxx indicating which ACL this is
663 user_message message for adding to headers
664 log_message message for logging, if different
665
666Returns: nothing
667*/
668
669static void
670acl_warn(int where, uschar *user_message, uschar *log_message)
671{
672int hlen;
673
674if (log_message != NULL && log_message != user_message)
675 {
676 uschar *text;
677 string_item *logged;
678
679 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
680 string_printing(log_message));
681
682 /* If a sender verification has failed, and the log message is "sender verify
683 failed", add the failure message. */
684
685 if (sender_verified_failed != NULL &&
686 sender_verified_failed->message != NULL &&
687 strcmpic(log_message, US"sender verify failed") == 0)
688 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
689
690 /* Search previously logged warnings. They are kept in malloc store so they
691 can be freed at the start of a new message. */
692
693 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
694 if (Ustrcmp(logged->text, text) == 0) break;
695
696 if (logged == NULL)
697 {
698 int length = Ustrlen(text) + 1;
699 log_write(0, LOG_MAIN, "%s", text);
700 logged = store_malloc(sizeof(string_item) + length);
701 logged->text = (uschar *)logged + sizeof(string_item);
702 memcpy(logged->text, text, length);
703 logged->next = acl_warn_logged;
704 acl_warn_logged = logged;
705 }
706 }
707
708/* If there's no user message, we are done. */
709
710if (user_message == NULL) return;
711
712/* If this isn't a message ACL, we can't do anything with a user message.
713Log an error. */
714
715if (where > ACL_WHERE_NOTSMTP)
716 {
717 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
718 "found in a non-message (%s) ACL: cannot specify header lines here: "
719 "message ignored", acl_wherenames[where]);
720 return;
721 }
722
723/* Treat the user message as a sequence of one or more header lines. */
724
725hlen = Ustrlen(user_message);
726if (hlen > 0)
727 {
728 uschar *text, *p, *q;
729
730 /* Add a final newline if not present */
731
732 text = ((user_message)[hlen-1] == '\n')? user_message :
733 string_sprintf("%s\n", user_message);
734
735 /* Loop for multiple header lines, taking care about continuations */
736
737 for (p = q = text; *p != 0; )
738 {
739 uschar *s;
740 int newtype = htype_add_bot;
741 header_line **hptr = &acl_warn_headers;
742
743 /* Find next header line within the string */
744
745 for (;;)
746 {
747 q = Ustrchr(q, '\n');
748 if (*(++q) != ' ' && *q != '\t') break;
749 }
750
751 /* If the line starts with a colon, interpret the instruction for where to
752 add it. This temporarily sets up a new type. */
753
754 if (*p == ':')
755 {
756 if (strncmpic(p, US":after_received:", 16) == 0)
757 {
758 newtype = htype_add_rec;
759 p += 16;
760 }
8523533c
TK		 761 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
762 {
763 newtype = htype_add_rfc;
764 p += 14;
765 }
059ec3d9
PH		 766 else if (strncmpic(p, US":at_start:", 10) == 0)
767 {
768 newtype = htype_add_top;
769 p += 10;
770 }
771 else if (strncmpic(p, US":at_end:", 8) == 0)
772 {
773 newtype = htype_add_bot;
774 p += 8;
775 }
776 while (*p == ' ' || *p == '\t') p++;
777 }
778
779 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
780 to the front of it. */
781
782 for (s = p; s < q - 1; s++)
783 {
784 if (*s == ':' || !isgraph(*s)) break;
785 }
786
787 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
788 hlen = Ustrlen(s);
789
790 /* See if this line has already been added */
791
792 while (*hptr != NULL)
793 {
794 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
795 hptr = &((*hptr)->next);
796 }
797
798 /* Add if not previously present */
799
800 if (*hptr == NULL)
801 {
802 header_line *h = store_get(sizeof(header_line));
803 h->text = s;
804 h->next = NULL;
805 h->type = newtype;
806 h->slen = hlen;
807 *hptr = h;
808 hptr = &(h->next);
809 }
810
811 /* Advance for next header line within the string */
812
813 p = q;
814 }
815 }
816}
817
818
819
820/*************************************************
821* Verify and check reverse DNS *
822*************************************************/
823
824/* Called from acl_verify() below. We look up the host name(s) of the client IP
825address if this has not yet been done. The host_name_lookup() function checks
826that one of these names resolves to an address list that contains the client IP
827address, so we don't actually have to do the check here.
828
829Arguments:
830 user_msgptr pointer for user message
831 log_msgptr pointer for log message
832
833Returns: OK verification condition succeeded
834 FAIL verification failed
835 DEFER there was a problem verifying
836*/
837
838static int
839acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
840{
841int rc;
842
843user_msgptr = user_msgptr; /* stop compiler warning */
844
845/* Previous success */
846
847if (sender_host_name != NULL) return OK;
848
849/* Previous failure */
850
851if (host_lookup_failed)
852 {
853 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
854 return FAIL;
855 }
856
857/* Need to do a lookup */
858
859HDEBUG(D_acl)
860 debug_printf("looking up host name to force name/address consistency check\n");
861
862if ((rc = host_name_lookup()) != OK)
863 {
864 *log_msgptr = (rc == DEFER)?
865 US"host lookup deferred for reverse lookup check"
866 :
867 string_sprintf("host lookup failed for reverse lookup check%s",
868 host_lookup_msg);
869 return rc; /* DEFER or FAIL */
870 }
871
872host_build_sender_fullhost();
873return OK;
874}
875
876
877
878/*************************************************
879* Handle verification (address & other) *
880*************************************************/
881
882/* This function implements the "verify" condition. It is called when
883encountered in any ACL, because some tests are almost always permitted. Some
884just don't make sense, and always fail (for example, an attempt to test a host
885lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
886
887Arguments:
888 where where called from
889 addr the recipient address that the ACL is handling, or NULL
890 arg the argument of "verify"
891 user_msgptr pointer for user message
892 log_msgptr pointer for log message
893 basic_errno where to put verify errno
894
895Returns: OK verification condition succeeded
896 FAIL verification failed
897 DEFER there was a problem verifying
898 ERROR syntax error
899*/
900
901static int
902acl_verify(int where, address_item *addr, uschar *arg,
903 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
904{
905int sep = '/';
906int callout = -1;
907int callout_overall = -1;
4deaf07d 908int callout_connect = -1;
059ec3d9
PH		 909int verify_options = 0;
910int rc;
911BOOL verify_header_sender = FALSE;
912BOOL defer_ok = FALSE;
913BOOL callout_defer_ok = FALSE;
914BOOL no_details = FALSE;
915address_item *sender_vaddr = NULL;
916uschar *verify_sender_address = NULL;
917uschar *pm_mailfrom = NULL;
918uschar *se_mailfrom = NULL;
919uschar *list = arg;
920uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
921
922if (ss == NULL) goto BAD_VERIFY;
923
924/* Handle name/address consistency verification in a separate function. */
925
926if (strcmpic(ss, US"reverse_host_lookup") == 0)
927 {
928 if (sender_host_address == NULL) return OK;
929 return acl_verify_reverse(user_msgptr, log_msgptr);
930 }
931
932/* TLS certificate verification is done at STARTTLS time; here we just
933test whether it was successful or not. (This is for optional verification; for
934mandatory verification, the connection doesn't last this long.) */
935
936if (strcmpic(ss, US"certificate") == 0)
937 {
938 if (tls_certificate_verified) return OK;
939 *user_msgptr = US"no verified certificate";
940 return FAIL;
941 }
942
943/* We can test the result of optional HELO verification */
944
945if (strcmpic(ss, US"helo") == 0) return helo_verified? OK : FAIL;
946
947/* Handle header verification options - permitted only after DATA or a non-SMTP
948message. */
949
950if (strncmpic(ss, US"header_", 7) == 0)
951 {
952 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
953 {
954 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
955 "(only possible in ACL for DATA)", acl_wherenames[where]);
956 return ERROR;
957 }
958
959 /* Check that all relevant header lines have the correct syntax. If there is
960 a syntax error, we return details of the error to the sender if configured to
961 send out full details. (But a "message" setting on the ACL can override, as
962 always). */
963
964 if (strcmpic(ss+7, US"syntax") == 0)
965 {
966 int rc = verify_check_headers(log_msgptr);
967 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
968 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
969 return rc;
970 }
971
972 /* Check that there is at least one verifiable sender address in the relevant
973 header lines. This can be followed by callout and defer options, just like
974 sender and recipient. */
975
976 else if (strcmpic(ss+7, US"sender") == 0) verify_header_sender = TRUE;
977
978 /* Unknown verify argument starting with "header_" */
979
980 else goto BAD_VERIFY;
981 }
982
983/* Otherwise, first item in verify argument must be "sender" or "recipient".
984In the case of a sender, this can optionally be followed by an address to use
985in place of the actual sender (rare special-case requirement). */
986
987else if (strncmpic(ss, US"sender", 6) == 0)
988 {
989 uschar *s = ss + 6;
990 if (where > ACL_WHERE_NOTSMTP)
991 {
992 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
993 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
994 acl_wherenames[where]);
995 return ERROR;
996 }
997 if (*s == 0)
998 verify_sender_address = sender_address;
999 else
1000 {
1001 while (isspace(*s)) s++;
1002 if (*s++ != '=') goto BAD_VERIFY;
1003 while (isspace(*s)) s++;
1004 verify_sender_address = string_copy(s);
1005 }
1006 }
1007else
1008 {
1009 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1010 if (addr == NULL)
1011 {
1012 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1013 "(only possible for RCPT)", acl_wherenames[where]);
1014 return ERROR;
1015 }
1016 }
1017
1018/* Remaining items are optional */
1019
1020while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1021 != NULL)
1022 {
1023 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1024 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1025
1026 /* These two old options are left for backwards compatibility */
1027
1028 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1029 {
1030 callout_defer_ok = TRUE;
1031 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1032 }
1033
1034 else if (strcmpic(ss, US"check_postmaster") == 0)
1035 {
1036 pm_mailfrom = US"";
1037 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1038 }
1039
1040 /* The callout option has a number of sub-options, comma separated */
1041
1042 else if (strncmpic(ss, US"callout", 7) == 0)
1043 {
1044 callout = CALLOUT_TIMEOUT_DEFAULT;
1045 ss += 7;
1046 if (*ss != 0)
1047 {
1048 while (isspace(*ss)) ss++;
1049 if (*ss++ == '=')
1050 {
1051 int optsep = ',';
1052 uschar *opt;
1053 uschar buffer[256];
1054 while (isspace(*ss)) ss++;
4deaf07d
PH		 1055
1056 /* This callout option handling code has become a mess as new options
1057 have been added in an ad hoc manner. It should be tidied up into some
1058 kind of table-driven thing. */
1059
059ec3d9
PH		 1060 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1061 != NULL)
1062 {
1063 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1064 else if (strcmpic(opt, US"no_cache") == 0)
1065 verify_options |= vopt_callout_no_cache;
1066 else if (strcmpic(opt, US"random") == 0)
1067 verify_options |= vopt_callout_random;
1068 else if (strcmpic(opt, US"use_sender") == 0)
1069 verify_options |= vopt_callout_recipsender;
1070 else if (strcmpic(opt, US"use_postmaster") == 0)
1071 verify_options |= vopt_callout_recippmaster;
1072 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1073
1074 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1075 {
1076 if (!verify_header_sender)
1077 {
1078 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1079 "callout option only for verify=header_sender (detected in ACL "
1080 "condition \"%s\")", arg);
1081 return ERROR;
1082 }
1083 opt += 8;
1084 while (isspace(*opt)) opt++;
1085 if (*opt++ != '=')
1086 {
1087 *log_msgptr = string_sprintf("'=' expected after "
1088 "\"mailfrom\" in ACL condition \"%s\"", arg);
1089 return ERROR;
1090 }
1091 while (isspace(*opt)) opt++;
1092 se_mailfrom = string_copy(opt);
1093 }
1094
1095 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1096 {
1097 opt += 19;
1098 while (isspace(*opt)) opt++;
1099 if (*opt++ != '=')
1100 {
1101 *log_msgptr = string_sprintf("'=' expected after "
1102 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1103 return ERROR;
1104 }
1105 while (isspace(*opt)) opt++;
1106 pm_mailfrom = string_copy(opt);
1107 }
1108
1109 else if (strncmpic(opt, US"maxwait", 7) == 0)
1110 {
1111 opt += 7;
1112 while (isspace(*opt)) opt++;
1113 if (*opt++ != '=')
1114 {
1115 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1116 "ACL condition \"%s\"", arg);
1117 return ERROR;
1118 }
1119 while (isspace(*opt)) opt++;
1120 callout_overall = readconf_readtime(opt, 0, FALSE);
1121 if (callout_overall < 0)
1122 {
1123 *log_msgptr = string_sprintf("bad time value in ACL condition "
1124 "\"verify %s\"", arg);
1125 return ERROR;
1126 }
1127 }
4deaf07d
PH		 1128 else if (strncmpic(opt, US"connect", 7) == 0)
1129 {
1130 opt += 7;
1131 while (isspace(*opt)) opt++;
1132 if (*opt++ != '=')
1133 {
1134 *log_msgptr = string_sprintf("'=' expected after "
1135 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1136 return ERROR;
1137 }
1138 while (isspace(*opt)) opt++;
1139 callout_connect = readconf_readtime(opt, 0, FALSE);
1140 if (callout_connect < 0)
1141 {
1142 *log_msgptr = string_sprintf("bad time value in ACL condition "
1143 "\"verify %s\"", arg);
1144 return ERROR;
1145 }
1146 }
059ec3d9
PH		 1147 else /* Plain time is callout connect/command timeout */
1148 {
1149 callout = readconf_readtime(opt, 0, FALSE);
1150 if (callout < 0)
1151 {
1152 *log_msgptr = string_sprintf("bad time value in ACL condition "
1153 "\"verify %s\"", arg);
1154 return ERROR;
1155 }
1156 }
1157 }
1158 }
1159 else
1160 {
1161 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1162 "ACL condition \"%s\"", arg);
1163 return ERROR;
1164 }
1165 }
1166 }
1167
1168 /* Option not recognized */
1169
1170 else
1171 {
1172 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1173 "condition \"verify %s\"", ss, arg);
1174 return ERROR;
1175 }
1176 }
1177
1178if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1179 (vopt_callout_recipsender|vopt_callout_recippmaster))
1180 {
1181 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1182 "for a recipient callout";
1183 return ERROR;
1184 }
1185
1186/* Handle sender-in-header verification. Default the user message to the log
1187message if giving out verification details. */
1188
1189if (verify_header_sender)
1190 {
1191 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
4deaf07d 1192 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options);
059ec3d9
PH		 1193 if (smtp_return_error_details)
1194 {
1195 if (*user_msgptr == NULL && *log_msgptr != NULL)
1196 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1197 if (rc == DEFER) acl_temp_details = TRUE;
1198 }
1199 }
1200
1201/* Handle a sender address. The default is to verify *the* sender address, but
1202optionally a different address can be given, for special requirements. If the
1203address is empty, we are dealing with a bounce message that has no sender, so
1204we cannot do any checking. If the real sender address gets rewritten during
1205verification (e.g. DNS widening), set the flag to stop it being rewritten again
1206during message reception.
1207
1208A list of verified "sender" addresses is kept to try to avoid doing to much
1209work repetitively when there are multiple recipients in a message and they all
1210require sender verification. However, when callouts are involved, it gets too
1211complicated because different recipients may require different callout options.
1212Therefore, we always do a full sender verify when any kind of callout is
1213specified. Caching elsewhere, for instance in the DNS resolver and in the
1214callout handling, should ensure that this is not terribly inefficient. */
1215
1216else if (verify_sender_address != NULL)
1217 {
1218 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1219 != 0)
1220 {
1221 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1222 "sender verify callout";
1223 return ERROR;
1224 }
1225
1226 sender_vaddr = verify_checked_sender(verify_sender_address);
1227 if (sender_vaddr != NULL && /* Previously checked */
1228 callout <= 0) /* No callout needed this time */
1229 {
1230 /* If the "routed" flag is set, it means that routing worked before, so
1231 this check can give OK (the saved return code value, if set, belongs to a
1232 callout that was done previously). If the "routed" flag is not set, routing
1233 must have failed, so we use the saved return code. */
1234
1235 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1236 {
1237 rc = sender_vaddr->special_action;
1238 *basic_errno = sender_vaddr->basic_errno;
1239 }
1240 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1241 }
1242
1243 /* Do a new verification, and cache the result. The cache is used to avoid
1244 verifying the sender multiple times for multiple RCPTs when callouts are not
1245 specified (see comments above).
1246
1247 The cache is also used on failure to give details in response to the first
1248 RCPT that gets bounced for this reason. However, this can be suppressed by
1249 the no_details option, which sets the flag that says "this detail has already
1250 been sent". The cache normally contains just one address, but there may be
1251 more in esoteric circumstances. */
1252
1253 else
1254 {
1255 BOOL routed = TRUE;
2a3eea10
PH		 1256 uschar *save_address_data = deliver_address_data;
1257
059ec3d9
PH		 1258 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1259 if (no_details) setflag(sender_vaddr, af_sverify_told);
1260 if (verify_sender_address[0] != 0)
1261 {
1262 /* If this is the real sender address, save the unrewritten version
1263 for use later in receive. Otherwise, set a flag so that rewriting the
1264 sender in verify_address() does not update sender_address. */
1265
1266 if (verify_sender_address == sender_address)
1267 sender_address_unrewritten = sender_address;
1268 else
1269 verify_options |= vopt_fake_sender;
1270
1271 /* The recipient, qualify, and expn options are never set in
1272 verify_options. */
1273
1274 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1275 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1276
1277 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1278
1279 if (rc == OK)
1280 {
1281 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1282 {
1283 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1284 verify_sender_address, sender_vaddr->address);
1285 }
1286 else
1287 {
1288 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1289 verify_sender_address);
1290 }
1291 }
1292 else *basic_errno = sender_vaddr->basic_errno;
1293 }
1294 else rc = OK; /* Null sender */
1295
1296 /* Cache the result code */
1297
1298 if (routed) setflag(sender_vaddr, af_verify_routed);
1299 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1300 sender_vaddr->special_action = rc;
1301 sender_vaddr->next = sender_verified_list;
1302 sender_verified_list = sender_vaddr;
2a3eea10
PH		 1303
1304 /* Restore the recipient address data, which might have been clobbered by
1305 the sender verification. */
1306
1307 deliver_address_data = save_address_data;
059ec3d9 1308 }
2a3eea10
PH		 1309
1310 /* Put the sender address_data value into $sender_address_data */
1311
1312 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1313 }
1314
1315/* A recipient address just gets a straightforward verify; again we must handle
1316the DEFER overrides. */
1317
1318else
1319 {
1320 address_item addr2;
1321
1322 /* We must use a copy of the address for verification, because it might
1323 get rewritten. */
1324
1325 addr2 = *addr;
1326 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1327 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9
PH		 1328 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1329 *log_msgptr = addr2.message;
1330 *user_msgptr = addr2.user_message;
1331 *basic_errno = addr2.basic_errno;
1332
1333 /* Make $address_data visible */
1334 deliver_address_data = addr2.p.address_data;
1335 }
1336
1337/* We have a result from the relevant test. Handle defer overrides first. */
1338
1339if (rc == DEFER && (defer_ok ||
1340 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1341 {
1342 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1343 defer_ok? "defer_ok" : "callout_defer_ok");
1344 rc = OK;
1345 }
1346
1347/* If we've failed a sender, set up a recipient message, and point
1348sender_verified_failed to the address item that actually failed. */
1349
1350if (rc != OK && verify_sender_address != NULL)
1351 {
1352 if (rc != DEFER)
1353 {
1354 *log_msgptr = *user_msgptr = US"Sender verify failed";
1355 }
1356 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1357 {
1358 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1359 }
1360 else
1361 {
1362 *log_msgptr = US"Could not complete sender verify callout";
1363 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1364 *log_msgptr;
1365 }
1366
1367 sender_verified_failed = sender_vaddr;
1368 }
1369
1370/* Verifying an address messes up the values of $domain and $local_part,
1371so reset them before returning if this is a RCPT ACL. */
1372
1373if (addr != NULL)
1374 {
1375 deliver_domain = addr->domain;
1376 deliver_localpart = addr->local_part;
1377 }
1378return rc;
1379
1380/* Syntax errors in the verify argument come here. */
1381
1382BAD_VERIFY:
1383*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
1384 "\"header_syntax\" or \"header_sender\" at start of ACL condition "
1385 "\"verify %s\"", arg);
1386return ERROR;
1387}
1388
1389
1390
1391
1392/*************************************************
1393* Check argument for control= modifier *
1394*************************************************/
1395
1396/* Called from acl_check_condition() below
1397
1398Arguments:
1399 arg the argument string for control=
1400 pptr set to point to the terminating character
1401 where which ACL we are in
1402 log_msgptr for error messages
1403
1404Returns: CONTROL_xxx value
1405*/
1406
1407static int
1408decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1409{
1410int len;
1411control_def *d;
1412
1413for (d = controls_list;
1414 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1415 d++)
1416 {
1417 len = Ustrlen(d->name);
1418 if (Ustrncmp(d->name, arg, len) == 0) break;
1419 }
1420
1421if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1422 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1423 {
1424 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1425 return CONTROL_ERROR;
1426 }
1427
059ec3d9
PH		 1428*pptr = arg + len;
1429return d->value;
1430}
1431
1432
1433
1434/*************************************************
1435* Handle conditions/modifiers on an ACL item *
1436*************************************************/
1437
1438/* Called from acl_check() below.
1439
1440Arguments:
1441 verb ACL verb
1442 cb ACL condition block - if NULL, result is OK
1443 where where called from
1444 addr the address being checked for RCPT, or NULL
1445 level the nesting level
1446 epp pointer to pass back TRUE if "endpass" encountered
1447 (applies only to "accept" and "discard")
1448 user_msgptr user message pointer
1449 log_msgptr log message pointer
1450 basic_errno pointer to where to put verify error
1451
1452Returns: OK - all conditions are met
1453 DISCARD - an "acl" condition returned DISCARD - only allowed
1454 for "accept" or "discard" verbs
1455 FAIL - at least one condition fails
1456 FAIL_DROP - an "acl" condition returned FAIL_DROP
1457 DEFER - can't tell at the moment (typically, lookup defer,
1458 but can be temporary callout problem)
1459 ERROR - ERROR from nested ACL or expansion failure or other
1460 error
1461*/
1462
1463static int
1464acl_check_condition(int verb, acl_condition_block *cb, int where,
1465 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1466 uschar **log_msgptr, int *basic_errno)
1467{
1468uschar *user_message = NULL;
1469uschar *log_message = NULL;
1470uschar *p;
1471int rc = OK;
8523533c
TK		 1472#ifdef WITH_CONTENT_SCAN
1473int sep = '/';
1474#endif
059ec3d9
PH		 1475
1476for (; cb != NULL; cb = cb->next)
1477 {
1478 uschar *arg;
c5fcb476 1479 int control_type;
059ec3d9
PH		 1480
1481 /* The message and log_message items set up messages to be used in
1482 case of rejection. They are expanded later. */
1483
1484 if (cb->type == ACLC_MESSAGE)
1485 {
1486 user_message = cb->arg;
1487 continue;
1488 }
1489
1490 if (cb->type == ACLC_LOG_MESSAGE)
1491 {
1492 log_message = cb->arg;
1493 continue;
1494 }
1495
1496 /* The endpass "condition" just sets a flag to show it occurred. This is
1497 checked at compile time to be on an "accept" or "discard" item. */
1498
1499 if (cb->type == ACLC_ENDPASS)
1500 {
1501 *epp = TRUE;
1502 continue;
1503 }
1504
1505 /* For other conditions and modifiers, the argument is expanded now for some
1506 of them, but not for all, because expansion happens down in some lower level
1507 checking functions in some cases. */
1508
1509 if (cond_expand_at_top[cb->type])
1510 {
1511 arg = expand_string(cb->arg);
1512 if (arg == NULL)
1513 {
1514 if (expand_string_forcedfail) continue;
1515 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1516 cb->arg, expand_string_message);
1517 return search_find_defer? DEFER : ERROR;
1518 }
1519 }
1520 else arg = cb->arg;
1521
1522 /* Show condition, and expanded condition if it's different */
1523
1524 HDEBUG(D_acl)
1525 {
1526 int lhswidth = 0;
1527 debug_printf("check %s%s %n",
1528 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1529 conditions[cb->type], &lhswidth);
1530
1531 if (cb->type == ACLC_SET)
1532 {
1533 int n = cb->u.varnumber;
1534 int t = (n < ACL_C_MAX)? 'c' : 'm';
1535 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1536 debug_printf("acl_%c%d ", t, n);
1537 lhswidth += 7;
1538 }
1539
1540 debug_printf("= %s\n", cb->arg);
1541
1542 if (arg != cb->arg)
1543 debug_printf("%.*s= %s\n", lhswidth,
1544 US" ", CS arg);
1545 }
1546
1547 /* Check that this condition makes sense at this time */
1548
1549 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1550 {
1551 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1552 cond_modifiers[cb->type]? "use" : "test",
1553 conditions[cb->type], acl_wherenames[where]);
1554 return ERROR;
1555 }
1556
1557 /* Run the appropriate test for each condition, or take the appropriate
1558 action for the remaining modifiers. */
1559
1560 switch(cb->type)
1561 {
1562 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1563 "discard" verb. */
1564
1565 case ACLC_ACL:
1566 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1567 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1568 {
1569 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1570 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1571 verbs[verb]);
1572 return ERROR;
1573 }
1574 break;
1575
1576 case ACLC_AUTHENTICATED:
1577 rc = (sender_host_authenticated == NULL)? FAIL :
1578 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1579 TRUE, NULL);
1580 break;
1581
8523533c
TK		 1582#ifdef EXPERIMENTAL_BRIGHTMAIL
1583 case ACLC_BMI_OPTIN:
1584 {
1585 int old_pool = store_pool;
1586 store_pool = POOL_PERM;
1587 bmi_current_optin = string_copy(arg);
1588 store_pool = old_pool;
1589 }
1590 break;
1591#endif
1592
059ec3d9
PH		 1593 case ACLC_CONDITION:
1594 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1595 rc = (Uatoi(arg) == 0)? FAIL : OK;
1596 else
1597 rc = (strcmpic(arg, US"no") == 0 ||
1598 strcmpic(arg, US"false") == 0)? FAIL :
1599 (strcmpic(arg, US"yes") == 0 ||
1600 strcmpic(arg, US"true") == 0)? OK : DEFER;
1601 if (rc == DEFER)
1602 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1603 break;
1604
1605 case ACLC_CONTROL:
c5fcb476
PH		 1606 control_type = decode_control(arg, &p, where, log_msgptr);
1607
8523533c 1608 /* Check if this control makes sense at this time */
c5fcb476
PH		 1609
1610 if ((control_forbids[control_type] & (1 << where)) != 0)
1611 {
1612 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1613 controls[control_type], acl_wherenames[where]);
1614 return ERROR;
1615 }
1616
1617 switch(control_type)
059ec3d9 1618 {
8523533c
TK		 1619#ifdef EXPERIMENTAL_BRIGHTMAIL
1620 case CONTROL_BMI_RUN:
1621 bmi_run = 1;
1622 break;
1623#endif
1624
059ec3d9
PH		 1625 case CONTROL_ERROR:
1626 return ERROR;
1627
1628 case CONTROL_CASEFUL_LOCAL_PART:
1629 deliver_localpart = addr->cc_local_part;
1630 break;
1631
1632 case CONTROL_CASELOWER_LOCAL_PART:
1633 deliver_localpart = addr->lc_local_part;
1634 break;
1635
1636 case CONTROL_ENFORCE_SYNC:
1637 smtp_enforce_sync = TRUE;
1638 break;
1639
1640 case CONTROL_NO_ENFORCE_SYNC:
1641 smtp_enforce_sync = FALSE;
1642 break;
1643
8523533c
TK		 1644#ifdef WITH_CONTENT_SCAN
1645 case CONTROL_NO_MBOX_UNSPOOL:
1646 no_mbox_unspool = TRUE;
1647 break;
1648#endif
1649
059ec3d9
PH		 1650 case CONTROL_NO_MULTILINE:
1651 no_multiline_responses = TRUE;
1652 break;
1653
8523533c
TK		 1654#ifdef WITH_CONTENT_SCAN
1655 case CONTROL_FAKEREJECT:
1656 fake_reject = TRUE;
1657 if (*p == '/')
1658 {
1659 uschar *pp = p + 1;
1660 while (*pp != 0) pp++;
1661 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1662 p = pp;
1663 }
1664 else
1665 {
1666 /* Explicitly reset to default string */
1667 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legit message, it may still be delivered to the target recipient(s).";
1668 }
1669 break;
1670#endif
1671
059ec3d9
PH		 1672 case CONTROL_FREEZE:
1673 deliver_freeze = TRUE;
1674 deliver_frozen_at = time(NULL);
1675 break;
1676
1677 case CONTROL_QUEUE_ONLY:
1678 queue_only_policy = TRUE;
1679 break;
1680
1681 case CONTROL_SUBMISSION:
1682 submission_mode = TRUE;
69358f02
PH		 1683 while (*p == '/')
1684 {
1685 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1686 {
1687 p += 14;
1688 active_local_sender_retain = TRUE;
1689 active_local_from_check = FALSE;
1690 }
1691 else if (Ustrncmp(p, "/domain=", 8) == 0)
1692 {
1693 uschar *pp = p + 8;
1694 while (*pp != 0 && *pp != '/') pp++;
1695 submission_domain = string_copyn(p+8, pp-p);
1696 p = pp;
1697 }
1698 else break;
1699 }
1700 if (*p != 0)
059ec3d9 1701 {
69358f02 1702 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1703 return ERROR;
1704 }
1705 break;
1706 }
1707 break;
1708
8523533c
TK		 1709#ifdef WITH_CONTENT_SCAN
1710 case ACLC_DECODE:
1711 rc = mime_decode(&arg);
1712 break;
1713#endif
1714
059ec3d9
PH		 1715 case ACLC_DELAY:
1716 {
1717 int delay = readconf_readtime(arg, 0, FALSE);
1718 if (delay < 0)
1719 {
1720 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1721 "modifier: \"%s\" is not a time value", arg);
1722 return ERROR;
1723 }
1724 else
1725 {
1726 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1727 delay);
1728 if (host_checking)
1729 {
1730 HDEBUG(D_acl)
1731 debug_printf("delay skipped in -bh checking mode\n");
1732 }
1733 else sleep(delay);
1734 }
1735 }
1736 break;
1737
8523533c
TK		 1738#ifdef WITH_OLD_DEMIME
1739 case ACLC_DEMIME:
1740 rc = demime(&arg);
1741 break;
1742#endif
1743
059ec3d9
PH		 1744 case ACLC_DNSLISTS:
1745 rc = verify_check_dnsbl(&arg);
1746 break;
1747
1748 case ACLC_DOMAINS:
1749 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1750 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1751 break;
1752
1753 /* The value in tls_cipher is the full cipher name, for example,
1754 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1755 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1756 what may in practice come out of the SSL library - which at the time of
1757 writing is poorly documented. */
1758
1759 case ACLC_ENCRYPTED:
1760 if (tls_cipher == NULL) rc = FAIL; else
1761 {
1762 uschar *endcipher = NULL;
1763 uschar *cipher = Ustrchr(tls_cipher, ':');
1764 if (cipher == NULL) cipher = tls_cipher; else
1765 {
1766 endcipher = Ustrchr(++cipher, ':');
1767 if (endcipher != NULL) *endcipher = 0;
1768 }
1769 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1770 if (endcipher != NULL) *endcipher = ':';
1771 }
1772 break;
1773
1774 /* Use verify_check_this_host() instead of verify_check_host() so that
1775 we can pass over &host_data to catch any looked up data. Once it has been
1776 set, it retains its value so that it's still there if another ACL verb
1777 comes through here and uses the cache. However, we must put it into
1778 permanent store in case it is also expected to be used in a subsequent
1779 message in the same SMTP connection. */
1780
1781 case ACLC_HOSTS:
1782 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1783 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1784 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1785 break;
1786
1787 case ACLC_LOCAL_PARTS:
1788 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1789 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1790 &deliver_localpart_data);
1791 break;
1792
1793 case ACLC_LOGWRITE:
1794 {
1795 int logbits = 0;
1796 uschar *s = arg;
1797 if (*s == ':')
1798 {
1799 s++;
1800 while (*s != ':')
1801 {
1802 if (Ustrncmp(s, "main", 4) == 0)
1803 { logbits |= LOG_MAIN; s += 4; }
1804 else if (Ustrncmp(s, "panic", 5) == 0)
1805 { logbits |= LOG_PANIC; s += 5; }
1806 else if (Ustrncmp(s, "reject", 6) == 0)
1807 { logbits |= LOG_REJECT; s += 6; }
1808 else
1809 {
1810 logbits = LOG_MAIN|LOG_PANIC;
1811 s = string_sprintf(":unknown log name in \"%s\" in "
1812 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
1813 }
1814 if (*s == ',') s++;
1815 }
1816 s++;
1817 }
1818 while (isspace(*s)) s++;
1819 if (logbits == 0) logbits = LOG_MAIN;
1820 log_write(0, logbits, "%s", string_printing(s));
1821 }
1822 break;
8523533c
TK		 1823
1824#ifdef WITH_CONTENT_SCAN
1825 case ACLC_MALWARE:
1826 {
1827 /* Seperate the regular expression and any optional parameters. */
1828 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1829 /* Run the malware backend. */
1830 rc = malware(&ss);
1831 /* Modify return code based upon the existance of options. */
1832 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1833 != NULL) {
1834 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1835 {
1836 /* FAIL so that the message is passed to the next ACL */
1837 rc = FAIL;
1838 }
1839 }
1840 }
1841 break;
1842
1843 case ACLC_MIME_REGEX:
1844 rc = mime_regex(&arg);
1845 break;
1846#endif
059ec3d9
PH		 1847
1848 case ACLC_RECIPIENTS:
1849 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
1850 &recipient_data);
1851 break;
1852
8523533c
TK		 1853#ifdef WITH_CONTENT_SCAN
1854 case ACLC_REGEX:
1855 rc = regex(&arg);
1856 break;
1857#endif
1858
059ec3d9
PH		 1859 case ACLC_SENDER_DOMAINS:
1860 {
1861 uschar *sdomain;
1862 sdomain = Ustrrchr(sender_address, '@');
1863 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
1864 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
1865 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
1866 }
1867 break;
1868
1869 case ACLC_SENDERS:
1870 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
1871 sender_address_cache, -1, 0, &sender_data);
1872 break;
1873
1874 /* Connection variables must persist forever */
1875
1876 case ACLC_SET:
1877 {
1878 int old_pool = store_pool;
1879 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
1880 acl_var[cb->u.varnumber] = string_copy(arg);
1881 store_pool = old_pool;
1882 }
1883 break;
1884
8523533c
TK		 1885#ifdef WITH_CONTENT_SCAN
1886 case ACLC_SPAM:
1887 {
1888 /* Seperate the regular expression and any optional parameters. */
1889 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
1890 /* Run the spam backend. */
1891 rc = spam(&ss);
1892 /* Modify return code based upon the existance of options. */
1893 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
1894 != NULL) {
1895 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
1896 {
1897 /* FAIL so that the message is passed to the next ACL */
1898 rc = FAIL;
1899 }
1900 }
1901 }
1902 break;
1903#endif
1904
1905#ifdef EXPERIMENTAL_SPF
1906 case ACLC_SPF:
1907 rc = spf_process(&arg, sender_address);
1908 break;
1909#endif
1910
059ec3d9
PH		 1911 /* If the verb is WARN, discard any user message from verification, because
1912 such messages are SMTP responses, not header additions. The latter come
1913 only from explicit "message" modifiers. */
1914
1915 case ACLC_VERIFY:
1916 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
1917 if (verb == ACL_WARN) *user_msgptr = NULL;
1918 break;
1919
1920 default:
1921 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
1922 "condition %d", cb->type);
1923 break;
1924 }
1925
1926 /* If a condition was negated, invert OK/FAIL. */
1927
1928 if (!cond_modifiers[cb->type] && cb->u.negated)
1929 {
1930 if (rc == OK) rc = FAIL;
1931 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
1932 }
1933
1934 if (rc != OK) break; /* Conditions loop */
1935 }
1936
1937
1938/* If the result is the one for which "message" and/or "log_message" are used,
1939handle the values of these options. Most verbs have but a single return for
1940which the messages are relevant, but for "discard", it's useful to have the log
1941message both when it succeeds and when it fails. Also, for an "accept" that
1942appears in a QUIT ACL, we want to handle the user message. Since only "accept"
1943and "warn" are permitted in that ACL, we don't need to test the verb.
1944
1945These modifiers act in different ways:
1946
1947"message" is a user message that will be included in an SMTP response. Unless
1948it is empty, it overrides any previously set user message.
1949
1950"log_message" is a non-user message, and it adds to any existing non-user
1951message that is already set.
1952
1953If there isn't a log message set, we make it the same as the user message. */
1954
1955if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
1956 (verb == ACL_DISCARD && rc == OK) ||
1957 (where == ACL_WHERE_QUIT))
1958 {
1959 uschar *expmessage;
1960
1961 /* If the verb is "warn", messages generated by conditions (verification or
1962 nested ACLs) are discarded. Only messages specified at this level are used.
1963 However, the value of an existing message is available in $acl_verify_message
1964 during expansions. */
1965
1966 uschar *old_user_msgptr = *user_msgptr;
1967 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
1968
1969 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
1970
1971 if (user_message != NULL)
1972 {
1973 acl_verify_message = old_user_msgptr;
1974 expmessage = expand_string(user_message);
1975 if (expmessage == NULL)
1976 {
1977 if (!expand_string_forcedfail)
1978 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1979 user_message, expand_string_message);
1980 }
1981 else if (expmessage[0] != 0) *user_msgptr = expmessage;
1982 }
1983
1984 if (log_message != NULL)
1985 {
1986 acl_verify_message = old_log_msgptr;
1987 expmessage = expand_string(log_message);
1988 if (expmessage == NULL)
1989 {
1990 if (!expand_string_forcedfail)
1991 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
1992 log_message, expand_string_message);
1993 }
1994 else if (expmessage[0] != 0)
1995 {
1996 *log_msgptr = (*log_msgptr == NULL)? expmessage :
1997 string_sprintf("%s: %s", expmessage, *log_msgptr);
1998 }
1999 }
2000
2001 /* If no log message, default it to the user message */
2002
2003 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2004 }
2005
2006acl_verify_message = NULL;
2007return rc;
2008}
2009
2010
2011
2012
2013
2014/*************************************************
2015* Get line from a literal ACL *
2016*************************************************/
2017
2018/* This function is passed to acl_read() in order to extract individual lines
2019of a literal ACL, which we access via static pointers. We can destroy the
2020contents because this is called only once (the compiled ACL is remembered).
2021
2022This code is intended to treat the data in the same way as lines in the main
2023Exim configuration file. That is:
2024
2025 . Leading spaces are ignored.
2026
2027 . A \ at the end of a line is a continuation - trailing spaces after the \
2028 are permitted (this is because I don't believe in making invisible things
2029 significant). Leading spaces on the continued part of a line are ignored.
2030
2031 . Physical lines starting (significantly) with # are totally ignored, and
2032 may appear within a sequence of backslash-continued lines.
2033
2034 . Blank lines are ignored, but will end a sequence of continuations.
2035
2036Arguments: none
2037Returns: a pointer to the next line
2038*/
2039
2040
2041static uschar *acl_text; /* Current pointer in the text */
2042static uschar *acl_text_end; /* Points one past the terminating '0' */
2043
2044
2045static uschar *
2046acl_getline(void)
2047{
2048uschar *yield;
2049
2050/* This loop handles leading blank lines and comments. */
2051
2052for(;;)
2053 {
2054 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2055 if (*acl_text == 0) return NULL; /* No more data */
2056 yield = acl_text; /* Potential data line */
2057
2058 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2059
2060 /* If we hit the end before a newline, we have the whole logical line. If
2061 it's a comment, there's no more data to be given. Otherwise, yield it. */
2062
2063 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2064
2065 /* After reaching a newline, end this loop if the physical line does not
2066 start with '#'. If it does, it's a comment, and the loop continues. */
2067
2068 if (*yield != '#') break;
2069 }
2070
2071/* This loop handles continuations. We know we have some real data, ending in
2072newline. See if there is a continuation marker at the end (ignoring trailing
2073white space). We know that *yield is not white space, so no need to test for
2074cont > yield in the backwards scanning loop. */
2075
2076for(;;)
2077 {
2078 uschar *cont;
2079 for (cont = acl_text - 1; isspace(*cont); cont--);
2080
2081 /* If no continuation follows, we are done. Mark the end of the line and
2082 return it. */
2083
2084 if (*cont != '\\')
2085 {
2086 *acl_text++ = 0;
2087 return yield;
2088 }
2089
2090 /* We have encountered a continuation. Skip over whitespace at the start of
2091 the next line, and indeed the whole of the next line or lines if they are
2092 comment lines. */
2093
2094 for (;;)
2095 {
2096 while (*(++acl_text) == ' ' || *acl_text == '\t');
2097 if (*acl_text != '#') break;
2098 while (*(++acl_text) != 0 && *acl_text != '\n');
2099 }
2100
2101 /* We have the start of a continuation line. Move all the rest of the data
2102 to join onto the previous line, and then find its end. If the end is not a
2103 newline, we are done. Otherwise loop to look for another continuation. */
2104
2105 memmove(cont, acl_text, acl_text_end - acl_text);
2106 acl_text_end -= acl_text - cont;
2107 acl_text = cont;
2108 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2109 if (*acl_text == 0) return yield;
2110 }
2111
2112/* Control does not reach here */
2113}
2114
2115
2116
2117
2118
2119/*************************************************
2120* Check access using an ACL *
2121*************************************************/
2122
2123/* This function is called from address_check. It may recurse via
2124acl_check_condition() - hence the use of a level to stop looping. The ACL is
2125passed as a string which is expanded. A forced failure implies no access check
2126is required. If the result is a single word, it is taken as the name of an ACL
2127which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2128text, complete with newlines, and parsed as such. In both cases, the ACL check
2129is then run. This function uses an auxiliary function for acl_read() to call
2130for reading individual lines of a literal ACL. This is acl_getline(), which
2131appears immediately above.
2132
2133Arguments:
2134 where where called from
2135 addr address item when called from RCPT; otherwise NULL
2136 s the input string; NULL is the same as an empty ACL => DENY
2137 level the nesting level
2138 user_msgptr where to put a user error (for SMTP response)
2139 log_msgptr where to put a logging message (not for SMTP response)
2140
2141Returns: OK access is granted
2142 DISCARD access is apparently granted...
2143 FAIL access is denied
2144 FAIL_DROP access is denied; drop the connection
2145 DEFER can't tell at the moment
2146 ERROR disaster
2147*/
2148
2149static int
2150acl_check_internal(int where, address_item *addr, uschar *s, int level,
2151 uschar **user_msgptr, uschar **log_msgptr)
2152{
2153int fd = -1;
2154acl_block *acl = NULL;
2155uschar *acl_name = US"inline ACL";
2156uschar *ss;
2157
2158/* Catch configuration loops */
2159
2160if (level > 20)
2161 {
2162 *log_msgptr = US"ACL nested too deep: possible loop";
2163 return ERROR;
2164 }
2165
2166if (s == NULL)
2167 {
2168 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2169 return FAIL;
2170 }
2171
2172/* At top level, we expand the incoming string. At lower levels, it has already
2173been expanded as part of condition processing. */
2174
2175if (level == 0)
2176 {
2177 ss = expand_string(s);
2178 if (ss == NULL)
2179 {
2180 if (expand_string_forcedfail) return OK;
2181 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2182 expand_string_message);
2183 return ERROR;
2184 }
2185 }
2186else ss = s;
2187
2188while (isspace(*ss))ss++;
2189
2190/* If we can't find a named ACL, the default is to parse it as an inline one.
2191(Unless it begins with a slash; non-existent files give rise to an error.) */
2192
2193acl_text = ss;
2194
2195/* Handle the case of a string that does not contain any spaces. Look for a
2196named ACL among those read from the configuration, or a previously read file.
2197It is possible that the pointer to the ACL is NULL if the configuration
2198contains a name with no data. If not found, and the text begins with '/',
2199read an ACL from a file, and save it so it can be re-used. */
2200
2201if (Ustrchr(ss, ' ') == NULL)
2202 {
2203 tree_node *t = tree_search(acl_anchor, ss);
2204 if (t != NULL)
2205 {
2206 acl = (acl_block *)(t->data.ptr);
2207 if (acl == NULL)
2208 {
2209 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2210 return FAIL;
2211 }
2212 acl_name = string_sprintf("ACL \"%s\"", ss);
2213 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2214 }
2215
2216 else if (*ss == '/')
2217 {
2218 struct stat statbuf;
2219 fd = Uopen(ss, O_RDONLY, 0);
2220 if (fd < 0)
2221 {
2222 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2223 strerror(errno));
2224 return ERROR;
2225 }
2226
2227 if (fstat(fd, &statbuf) != 0)
2228 {
2229 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2230 strerror(errno));
2231 return ERROR;
2232 }
2233
2234 acl_text = store_get(statbuf.st_size + 1);
2235 acl_text_end = acl_text + statbuf.st_size + 1;
2236
2237 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2238 {
2239 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2240 ss, strerror(errno));
2241 return ERROR;
2242 }
2243 acl_text[statbuf.st_size] = 0;
2244 close(fd);
2245
2246 acl_name = string_sprintf("ACL \"%s\"", ss);
2247 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2248 }
2249 }
2250
2251/* Parse an ACL that is still in text form. If it came from a file, remember it
2252in the ACL tree, having read it into the POOL_PERM store pool so that it
2253persists between multiple messages. */
2254
2255if (acl == NULL)
2256 {
2257 int old_pool = store_pool;
2258 if (fd >= 0) store_pool = POOL_PERM;
2259 acl = acl_read(acl_getline, log_msgptr);
2260 store_pool = old_pool;
2261 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2262 if (fd >= 0)
2263 {
2264 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2265 Ustrcpy(t->name, ss);
2266 t->data.ptr = acl;
2267 (void)tree_insertnode(&acl_anchor, t);
2268 }
2269 }
2270
2271/* Now we have an ACL to use. It's possible it may be NULL. */
2272
2273while (acl != NULL)
2274 {
2275 int cond;
2276 int basic_errno = 0;
2277 BOOL endpass_seen = FALSE;
2278
2279 *log_msgptr = *user_msgptr = NULL;
2280 acl_temp_details = FALSE;
2281
2282 if (where == ACL_WHERE_QUIT &&
2283 acl->verb != ACL_ACCEPT &&
2284 acl->verb != ACL_WARN)
2285 {
2286 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2287 verbs[acl->verb]);
2288 return ERROR;
2289 }
2290
2291 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2292
2293 /* Clear out any search error message from a previous check before testing
2294 this condition. */
2295
2296 search_error_message = NULL;
2297 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2298 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2299
2300 /* Handle special returns: DEFER causes a return except on a WARN verb;
2301 ERROR always causes a return. */
2302
2303 switch (cond)
2304 {
2305 case DEFER:
2306 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2307 if (basic_errno != ERRNO_CALLOUTDEFER)
2308 {
2309 if (search_error_message != NULL && *search_error_message != 0)
2310 *log_msgptr = search_error_message;
2311 if (smtp_return_error_details) acl_temp_details = TRUE;
2312 }
2313 else
2314 {
2315 acl_temp_details = TRUE;
2316 }
2317 if (acl->verb != ACL_WARN) return DEFER;
2318 break;
2319
2320 default: /* Paranoia */
2321 case ERROR:
2322 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2323 return ERROR;
2324
2325 case OK:
2326 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2327 verbs[acl->verb]);
2328 break;
2329
2330 case FAIL:
2331 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2332 break;
2333
2334 /* DISCARD and DROP can happen only from a nested ACL condition, and
2335 DISCARD can happen only for an "accept" or "discard" verb. */
2336
2337 case DISCARD:
2338 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2339 verbs[acl->verb]);
2340 break;
2341
2342 case FAIL_DROP:
2343 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2344 verbs[acl->verb]);
2345 break;
2346 }
2347
2348 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2349 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2350 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2351
2352 switch(acl->verb)
2353 {
2354 case ACL_ACCEPT:
2355 if (cond == OK || cond == DISCARD) return cond;
2356 if (endpass_seen)
2357 {
2358 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2359 return cond;
2360 }
2361 break;
2362
2363 case ACL_DEFER:
2364 if (cond == OK)
2365 {
2366 acl_temp_details = TRUE;
2367 return DEFER;
2368 }
2369 break;
2370
2371 case ACL_DENY:
2372 if (cond == OK) return FAIL;
2373 break;
2374
2375 case ACL_DISCARD:
2376 if (cond == OK || cond == DISCARD) return DISCARD;
2377 if (endpass_seen)
2378 {
2379 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2380 return cond;
2381 }
2382 break;
2383
2384 case ACL_DROP:
2385 if (cond == OK) return FAIL_DROP;
2386 break;
2387
2388 case ACL_REQUIRE:
2389 if (cond != OK) return cond;
2390 break;
2391
2392 case ACL_WARN:
2393 if (cond == OK)
2394 acl_warn(where, *user_msgptr, *log_msgptr);
2395 else if (cond == DEFER)
2396 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2397 "condition test deferred: %s",
2398 (*log_msgptr == NULL)? US"" : *log_msgptr));
2399 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2400 break;
2401
2402 default:
2403 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2404 acl->verb);
2405 break;
2406 }
2407
2408 /* Pass to the next ACL item */
2409
2410 acl = acl->next;
2411 }
2412
2413/* We have reached the end of the ACL. This is an implicit DENY. */
2414
2415HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2416return FAIL;
2417}
2418
2419
2420/*************************************************
2421* Check access using an ACL *
2422*************************************************/
2423
2424/* This is the external interface for ACL checks. It sets up an address and the
2425expansions for $domain and $local_part when called after RCPT, then calls
2426acl_check_internal() to do the actual work.
2427
2428Arguments:
2429 where ACL_WHERE_xxxx indicating where called from
2430 data_string RCPT address, or SMTP command argument, or NULL
2431 s the input string; NULL is the same as an empty ACL => DENY
2432 user_msgptr where to put a user error (for SMTP response)
2433 log_msgptr where to put a logging message (not for SMTP response)
2434
2435Returns: OK access is granted by an ACCEPT verb
2436 DISCARD access is granted by a DISCARD verb
2437 FAIL access is denied
2438 FAIL_DROP access is denied; drop the connection
2439 DEFER can't tell at the moment
2440 ERROR disaster
2441*/
2442
2443int
2444acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2445 uschar **log_msgptr)
2446{
2447int rc;
2448address_item adb;
2449address_item *addr;
2450
2451*user_msgptr = *log_msgptr = NULL;
2452sender_verified_failed = NULL;
2453
2454if (where == ACL_WHERE_RCPT)
2455 {
2456 adb = address_defaults;
2457 addr = &adb;
2458 addr->address = data_string;
2459 if (deliver_split_address(addr) == DEFER)
2460 {
2461 *log_msgptr = US"defer in percent_hack_domains check";
2462 return DEFER;
2463 }
2464 deliver_domain = addr->domain;
2465 deliver_localpart = addr->local_part;
2466 }
2467else
2468 {
2469 addr = NULL;
2470 smtp_command_argument = data_string;
2471 }
2472
2473rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2474
2475smtp_command_argument = deliver_domain =
2a3eea10 2476 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2477
2478/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2479ACL, which is really in the middle of an SMTP command. */
2480
2481if (rc == DISCARD)
2482 {
2483 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2484 {
2485 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2486 "ACL", acl_wherenames[where]);
2487 return ERROR;
2488 }
2489 return DISCARD;
2490 }
2491
2492/* A DROP response is not permitted from MAILAUTH */
2493
2494if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2495 {
2496 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2497 "ACL", acl_wherenames[where]);
2498 return ERROR;
2499 }
2500
2501/* Before giving an error response, take a look at the length of any user
2502message, and split it up into multiple lines if possible. */
2503
2504if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2505 {
2506 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2507 uschar *ss = s;
2508
2509 for (;;)
2510 {
2511 int i = 0;
2512 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2513 if (*ss == 0) break;
2514 if (*ss == '\n')
2515 s = ++ss;
2516 else
2517 {
2518 uschar *t = ss + 1;
2519 uschar *tt = NULL;
2520 while (--t > s + 35)
2521 {
2522 if (*t == ' ')
2523 {
2524 if (t[-1] == ':') { tt = t; break; }
2525 if (tt == NULL) tt = t;
2526 }
2527 }
2528
2529 if (tt == NULL) /* Can't split behind - try ahead */
2530 {
2531 t = ss + 1;
2532 while (*t != 0)
2533 {
2534 if (*t == ' ' || *t == '\n')
2535 { tt = t; break; }
2536 t++;
2537 }
2538 }
2539
2540 if (tt == NULL) break; /* Can't find anywhere to split */
2541 *tt = '\n';
2542 s = ss = tt+1;
2543 }
2544 }
2545 }
2546
2547return rc;
2548}
2549
2550/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.