projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Typo in debug output.
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
e7568d51 91 ACLC_REMOVE_HEADER,
71fafd95
PH		 92 ACLC_SENDER_DOMAINS,
93 ACLC_SENDERS,
94 ACLC_SET,
8523533c 95#ifdef WITH_CONTENT_SCAN
8e669ac1 96 ACLC_SPAM,
8523533c
TK		 97#endif
98#ifdef EXPERIMENTAL_SPF
99 ACLC_SPF,
65a7d8c3 100 ACLC_SPF_GUESS,
8523533c
TK		 101#endif
102 ACLC_VERIFY };
059ec3d9 103
c3611384
PH		 104/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
105"message", "log_message", "log_reject_target", "logwrite", and "set" are
106modifiers that look like conditions but always return TRUE. They are used for
107their side effects. */
059ec3d9 108
9a26b6b2
PH		 109static uschar *conditions[] = {
110 US"acl",
71fafd95 111 US"add_header",
9a26b6b2 112 US"authenticated",
8523533c
TK		 113#ifdef EXPERIMENTAL_BRIGHTMAIL
114 US"bmi_optin",
115#endif
116 US"condition",
c3611384 117 US"continue",
8e669ac1 118 US"control",
6a8f9482
TK		 119#ifdef EXPERIMENTAL_DCC
120 US"dcc",
121#endif
8523533c
TK		 122#ifdef WITH_CONTENT_SCAN
123 US"decode",
124#endif
125 US"delay",
126#ifdef WITH_OLD_DEMIME
127 US"demime",
fb2274d4 128#endif
80a47a2c
TK		 129#ifndef DISABLE_DKIM
130 US"dkim_signers",
131 US"dkim_status",
8523533c 132#endif
6ea85e9a
PH		 133 US"dnslists",
134 US"domains",
135 US"encrypted",
136 US"endpass",
137 US"hosts",
138 US"local_parts",
139 US"log_message",
140 US"log_reject_target",
141 US"logwrite",
8523533c
TK		 142#ifdef WITH_CONTENT_SCAN
143 US"malware",
144#endif
145 US"message",
146#ifdef WITH_CONTENT_SCAN
147 US"mime_regex",
148#endif
870f6ba8 149 US"ratelimit",
8523533c
TK		 150 US"recipients",
151#ifdef WITH_CONTENT_SCAN
152 US"regex",
153#endif
e7568d51 154 US"remove_header",
8523533c
TK		 155 US"sender_domains", US"senders", US"set",
156#ifdef WITH_CONTENT_SCAN
157 US"spam",
158#endif
159#ifdef EXPERIMENTAL_SPF
160 US"spf",
65a7d8c3 161 US"spf_guess",
8523533c 162#endif
059ec3d9 163 US"verify" };
8e669ac1 164
c5fcb476 165
9a26b6b2
PH		 166/* Return values from decode_control(); keep in step with the table of names
167that follows! */
168
169enum {
c46782ef
PH		 170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 172 CONTROL_BMI_RUN,
c46782ef 173 #endif
ed7f7860 174 CONTROL_DEBUG,
80a47a2c 175 #ifndef DISABLE_DKIM
f7572e5a
TK		 176 CONTROL_DKIM_VERIFY,
177 #endif
13363eba 178 CONTROL_DSCP,
c46782ef
PH		 179 CONTROL_ERROR,
180 CONTROL_CASEFUL_LOCAL_PART,
181 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 182 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 183 CONTROL_ENFORCE_SYNC,
184 CONTROL_NO_ENFORCE_SYNC,
185 CONTROL_FREEZE,
186 CONTROL_QUEUE_ONLY,
187 CONTROL_SUBMISSION,
188 CONTROL_SUPPRESS_LOCAL_FIXUPS,
189 #ifdef WITH_CONTENT_SCAN
9a26b6b2 190 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 191 #endif
192 CONTROL_FAKEDEFER,
193 CONTROL_FAKEREJECT,
cf8b11a5 194 CONTROL_NO_MULTILINE,
047bdd8c 195 CONTROL_NO_PIPELINING,
4c590bd1
PH		 196 CONTROL_NO_DELAY_FLUSH,
197 CONTROL_NO_CALLOUT_FLUSH
c46782ef 198};
9a26b6b2 199
8800895a
PH		 200/* ACL control names; keep in step with the table above! This list is used for
201turning ids into names. The actual list of recognized names is in the variable
202control_def controls_list[] below. The fact that there are two lists is a mess
203and should be tidied up. */
9a26b6b2
PH		 204
205static uschar *controls[] = {
c46782ef 206 US"allow_auth_unadvertised",
9a26b6b2
PH		 207 #ifdef EXPERIMENTAL_BRIGHTMAIL
208 US"bmi_run",
209 #endif
ed7f7860 210 US"debug",
80a47a2c
TK		 211 #ifndef DISABLE_DKIM
212 US"dkim_disable_verify",
f7572e5a 213 #endif
13363eba 214 US"dscp",
c46782ef
PH		 215 US"error",
216 US"caseful_local_part",
217 US"caselower_local_part",
e4bdf652 218 US"cutthrough_delivery",
c46782ef
PH		 219 US"enforce_sync",
220 US"no_enforce_sync",
221 US"freeze",
222 US"queue_only",
223 US"submission",
224 US"suppress_local_fixups",
9a26b6b2
PH		 225 #ifdef WITH_CONTENT_SCAN
226 US"no_mbox_unspool",
227 #endif
cf8b11a5
PH		 228 US"fakedefer",
229 US"fakereject",
aa6dc513 230 US"no_multiline_responses",
cf8b11a5 231 US"no_pipelining",
4c590bd1
PH		 232 US"no_delay_flush",
233 US"no_callout_flush"
c46782ef 234};
059ec3d9 235
047bdd8c 236/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 237at the outer level. In the other cases, expansion already occurs in the
238checking functions. */
239
240static uschar cond_expand_at_top[] = {
7421ecab 241 FALSE, /* acl */
3e536984 242 TRUE, /* add_header */
059ec3d9 243 FALSE, /* authenticated */
8523533c
TK		 244#ifdef EXPERIMENTAL_BRIGHTMAIL
245 TRUE, /* bmi_optin */
8e669ac1 246#endif
059ec3d9 247 TRUE, /* condition */
c3611384 248 TRUE, /* continue */
059ec3d9 249 TRUE, /* control */
6a8f9482
TK		 250#ifdef EXPERIMENTAL_DCC
251 TRUE, /* dcc */
252#endif
8523533c
TK		 253#ifdef WITH_CONTENT_SCAN
254 TRUE, /* decode */
255#endif
059ec3d9 256 TRUE, /* delay */
8523533c
TK		 257#ifdef WITH_OLD_DEMIME
258 TRUE, /* demime */
fb2274d4 259#endif
80a47a2c
TK		 260#ifndef DISABLE_DKIM
261 TRUE, /* dkim_signers */
262 TRUE, /* dkim_status */
8523533c 263#endif
059ec3d9
PH		 264 TRUE, /* dnslists */
265 FALSE, /* domains */
266 FALSE, /* encrypted */
267 TRUE, /* endpass */
268 FALSE, /* hosts */
269 FALSE, /* local_parts */
270 TRUE, /* log_message */
6ea85e9a 271 TRUE, /* log_reject_target */
059ec3d9 272 TRUE, /* logwrite */
8523533c
TK		 273#ifdef WITH_CONTENT_SCAN
274 TRUE, /* malware */
275#endif
059ec3d9 276 TRUE, /* message */
8523533c
TK		 277#ifdef WITH_CONTENT_SCAN
278 TRUE, /* mime_regex */
279#endif
870f6ba8 280 TRUE, /* ratelimit */
059ec3d9 281 FALSE, /* recipients */
8523533c
TK		 282#ifdef WITH_CONTENT_SCAN
283 TRUE, /* regex */
284#endif
e7568d51 285 TRUE, /* remove_header */
059ec3d9
PH		 286 FALSE, /* sender_domains */
287 FALSE, /* senders */
288 TRUE, /* set */
8523533c
TK		 289#ifdef WITH_CONTENT_SCAN
290 TRUE, /* spam */
291#endif
292#ifdef EXPERIMENTAL_SPF
293 TRUE, /* spf */
65a7d8c3 294 TRUE, /* spf_guess */
8523533c 295#endif
059ec3d9
PH		 296 TRUE /* verify */
297};
298
299/* Flags to identify the modifiers */
300
301static uschar cond_modifiers[] = {
302 FALSE, /* acl */
3e536984 303 TRUE, /* add_header */
059ec3d9 304 FALSE, /* authenticated */
8523533c
TK		 305#ifdef EXPERIMENTAL_BRIGHTMAIL
306 TRUE, /* bmi_optin */
8e669ac1 307#endif
059ec3d9 308 FALSE, /* condition */
c3611384 309 TRUE, /* continue */
059ec3d9 310 TRUE, /* control */
6a8f9482
TK		 311#ifdef EXPERIMENTAL_DCC
312 FALSE, /* dcc */
313#endif
8523533c
TK		 314#ifdef WITH_CONTENT_SCAN
315 FALSE, /* decode */
316#endif
059ec3d9 317 TRUE, /* delay */
8523533c
TK		 318#ifdef WITH_OLD_DEMIME
319 FALSE, /* demime */
fb2274d4 320#endif
80a47a2c
TK		 321#ifndef DISABLE_DKIM
322 FALSE, /* dkim_signers */
323 FALSE, /* dkim_status */
8523533c 324#endif
059ec3d9
PH		 325 FALSE, /* dnslists */
326 FALSE, /* domains */
327 FALSE, /* encrypted */
328 TRUE, /* endpass */
329 FALSE, /* hosts */
330 FALSE, /* local_parts */
331 TRUE, /* log_message */
6ea85e9a 332 TRUE, /* log_reject_target */
8523533c
TK		 333 TRUE, /* logwrite */
334#ifdef WITH_CONTENT_SCAN
335 FALSE, /* malware */
336#endif
059ec3d9 337 TRUE, /* message */
8523533c
TK		 338#ifdef WITH_CONTENT_SCAN
339 FALSE, /* mime_regex */
340#endif
870f6ba8 341 FALSE, /* ratelimit */
059ec3d9 342 FALSE, /* recipients */
8523533c
TK		 343#ifdef WITH_CONTENT_SCAN
344 FALSE, /* regex */
345#endif
e7568d51 346 TRUE, /* remove_header */
059ec3d9
PH		 347 FALSE, /* sender_domains */
348 FALSE, /* senders */
349 TRUE, /* set */
8523533c
TK		 350#ifdef WITH_CONTENT_SCAN
351 FALSE, /* spam */
352#endif
353#ifdef EXPERIMENTAL_SPF
354 FALSE, /* spf */
65a7d8c3 355 FALSE, /* spf_guess */
8523533c 356#endif
059ec3d9
PH		 357 FALSE /* verify */
358};
359
c3611384 360/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 361times. For each condition and modifier, there's a bitmap of dis-allowed times.
362For some, it is easier to specify the negation of a small number of allowed
363times. */
059ec3d9
PH		 364
365static unsigned int cond_forbids[] = {
366 0, /* acl */
8e669ac1 367
71fafd95 368 (unsigned int)
45b91596 369 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 370 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 371 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 372 (1<<ACL_WHERE_DKIM)|
45b91596 373 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 374
45b91596
PH		 375 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
376 (1<<ACL_WHERE_NOTSMTP_START)|
377 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 378
71fafd95 379 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 380 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 381 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
382 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 383 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 384 (1<<ACL_WHERE_MAILAUTH)|
385 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 386 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
387 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 388 #endif
8e669ac1 389
059ec3d9 390 0, /* condition */
8e669ac1 391
c3611384
PH		 392 0, /* continue */
393
059ec3d9 394 /* Certain types of control are always allowed, so we let it through
2f079f46 395 always and check in the control processing itself. */
8e669ac1 396
059ec3d9 397 0, /* control */
8e669ac1 398
6a8f9482
TK		 399 #ifdef EXPERIMENTAL_DCC
400 (unsigned int)
401 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
402 #endif
403
71fafd95 404 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 405 (unsigned int)
406 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 407 #endif
8523533c 408
8f128379 409 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 410
71fafd95 411 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 412 (unsigned int)
413 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 414 #endif
8e669ac1 415
80a47a2c
TK		 416 #ifndef DISABLE_DKIM
417 (unsigned int)
418 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 419
80a47a2c
TK		 420 (unsigned int)
421 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 422 #endif
fb2274d4 423
45b91596
PH		 424 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
425 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 426
2f079f46
PH		 427 (unsigned int)
428 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 429
45b91596
PH		 430 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
431 (1<<ACL_WHERE_CONNECT)|
432 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 433 (1<<ACL_WHERE_HELO),
8e669ac1 434
059ec3d9 435 0, /* endpass */
8e669ac1 436
45b91596
PH		 437 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
438 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 439
2f079f46
PH		 440 (unsigned int)
441 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 442
443 0, /* log_message */
8e669ac1 444
6ea85e9a
PH		 445 0, /* log_reject_target */
446
059ec3d9 447 0, /* logwrite */
8e669ac1 448
71fafd95 449 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 450 (unsigned int)
451 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 452 #endif
8523533c 453
059ec3d9
PH		 454 0, /* message */
455
71fafd95 456 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 457 (unsigned int)
458 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 459 #endif
8523533c 460
870f6ba8
TF		 461 0, /* ratelimit */
462
2f079f46
PH		 463 (unsigned int)
464 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 465
71fafd95 466 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 467 (unsigned int)
468 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
469 (1<<ACL_WHERE_MIME)),
71fafd95 470 #endif
8523533c 471
e7568d51
TL		 472 (unsigned int)
473 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
474 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
475 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
476 (1<<ACL_WHERE_NOTSMTP_START)),
477
059ec3d9
PH		 478 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
479 (1<<ACL_WHERE_HELO)|
480 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
481 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
482 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
483
484 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
485 (1<<ACL_WHERE_HELO)|
486 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
487 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
488 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
489
490 0, /* set */
491
71fafd95 492 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 493 (unsigned int)
494 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 495 #endif
8523533c 496
71fafd95 497 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 498 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
499 (1<<ACL_WHERE_HELO)|
500 (1<<ACL_WHERE_MAILAUTH)|
501 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 502 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
503 (1<<ACL_WHERE_NOTSMTP)|
504 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 505
506 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
507 (1<<ACL_WHERE_HELO)|
508 (1<<ACL_WHERE_MAILAUTH)|
509 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
510 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
511 (1<<ACL_WHERE_NOTSMTP)|
512 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 513 #endif
8523533c 514
059ec3d9
PH		 515 /* Certain types of verify are always allowed, so we let it through
516 always and check in the verify function itself */
517
518 0 /* verify */
059ec3d9
PH		 519};
520
521
c5fcb476
PH		 522/* Bit map vector of which controls are not allowed at certain times. For
523each control, there's a bitmap of dis-allowed times. For some, it is easier to
524specify the negation of a small number of allowed times. */
525
526static unsigned int control_forbids[] = {
c46782ef
PH		 527 (unsigned int)
528 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
529
530 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 531 0, /* bmi_run */
c46782ef
PH		 532 #endif
533
ed7f7860
PP		 534 0, /* debug */
535
80a47a2c
TK		 536 #ifndef DISABLE_DKIM
537 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 538 (1<<ACL_WHERE_NOTSMTP_START),
539 #endif
540
13363eba
PP		 541 (1<<ACL_WHERE_NOTSMTP)|
542 (1<<ACL_WHERE_NOTSMTP_START)|
543 (1<<ACL_WHERE_NOTQUIT), /* dscp */
544
c5fcb476 545 0, /* error */
8e669ac1
PH		 546
547 (unsigned int)
c5fcb476 548 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 549
550 (unsigned int)
c5fcb476 551 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 552
e4bdf652
JH		 553 (unsigned int)
554 0, /* cutthrough_delivery */
555
45b91596
PH		 556 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
557 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 558
45b91596
PH		 559 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
560 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 561
562 (unsigned int)
c5fcb476
PH		 563 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
564 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 565 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 566
567 (unsigned int)
c5fcb476
PH		 568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 570 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 571
572 (unsigned int)
c5fcb476 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 574 (1<<ACL_WHERE_PREDATA)),
8523533c 575
8800895a
PH		 576 (unsigned int)
577 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 578 (1<<ACL_WHERE_PREDATA)|
579 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 580
c46782ef 581 #ifdef WITH_CONTENT_SCAN
8e669ac1 582 (unsigned int)
14d57970 583 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 584 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
585 (1<<ACL_WHERE_MIME)),
c46782ef 586 #endif
a6c4ab60 587
29aba418
TF		 588 (unsigned int)
589 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
590 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
591 (1<<ACL_WHERE_MIME)),
592
8e669ac1 593 (unsigned int)
a6c4ab60 594 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 595 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
596 (1<<ACL_WHERE_MIME)),
8523533c 597
45b91596 598 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 599 (1<<ACL_WHERE_NOTSMTP_START),
600
601 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 602 (1<<ACL_WHERE_NOTSMTP_START),
603
604 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 605 (1<<ACL_WHERE_NOTSMTP_START),
606
607 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 608 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 609};
610
611/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 612
613typedef struct control_def {
614 uschar *name;
615 int value; /* CONTROL_xxx value */
059ec3d9
PH		 616 BOOL has_option; /* Has /option(s) following */
617} control_def;
618
619static control_def controls_list[] = {
c46782ef 620 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 621#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 622 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 623#endif
ed7f7860 624 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 625#ifndef DISABLE_DKIM
626 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 627#endif
13363eba 628 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 629 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
630 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
631 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
632 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 633 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 634 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 635 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
636 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 637 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 638 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 639#ifdef WITH_CONTENT_SCAN
c46782ef 640 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 641#endif
c46782ef
PH		 642 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
643 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
644 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH		 645 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
646 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH		 647 };
648
e5a9dba6
PH		 649/* Support data structures for Client SMTP Authorization. acl_verify_csa()
650caches its result in a tree to avoid repeated DNS queries. The result is an
651integer code which is used as an index into the following tables of
652explanatory strings and verification return codes. */
653
654static tree_node *csa_cache = NULL;
655
656enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
657 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
658
659/* The acl_verify_csa() return code is translated into an acl_verify() return
660code using the following table. It is OK unless the client is definitely not
661authorized. This is because CSA is supposed to be optional for sending sites,
662so recipients should not be too strict about checking it - especially because
663DNS problems are quite likely to occur. It's possible to use $csa_status in
664further ACL conditions to distinguish ok, unknown, and defer if required, but
665the aim is to make the usual configuration simple. */
666
667static int csa_return_code[] = {
668 OK, OK, OK, OK,
669 FAIL, FAIL, FAIL, FAIL
670};
671
672static uschar *csa_status_string[] = {
673 US"unknown", US"ok", US"defer", US"defer",
674 US"fail", US"fail", US"fail", US"fail"
675};
676
677static uschar *csa_reason_string[] = {
678 US"unknown",
679 US"ok",
680 US"deferred (SRV lookup failed)",
681 US"deferred (target address lookup failed)",
682 US"failed (explicit authorization required)",
683 US"failed (host name not authorized)",
684 US"failed (no authorized addresses)",
685 US"failed (client address mismatch)"
686};
687
c99ce5c9
TF		 688/* Options for the ratelimit condition. Note that there are two variants of
689the per_rcpt option, depending on the ACL that is used to measure the rate.
690However any ACL must be able to look up per_rcpt rates in /noupdate mode,
691so the two variants must have the same internal representation as well as
692the same configuration string. */
693
694enum {
695 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
696 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
697};
698
699#define RATE_SET(var,new) \
700 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
701
702static uschar *ratelimit_option_string[] = {
703 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
704 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
705};
706
059ec3d9
PH		 707/* Enable recursion between acl_check_internal() and acl_check_condition() */
708
f60d98e8
JH		 709static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
710 uschar **);
059ec3d9
PH		 711
712
713/*************************************************
714* Pick out name from list *
715*************************************************/
716
717/* Use a binary chop method
718
719Arguments:
720 name name to find
721 list list of names
722 end size of list
723
724Returns: offset in list, or -1 if not found
725*/
726
727static int
728acl_checkname(uschar *name, uschar **list, int end)
729{
730int start = 0;
731
732while (start < end)
733 {
734 int mid = (start + end)/2;
735 int c = Ustrcmp(name, list[mid]);
736 if (c == 0) return mid;
737 if (c < 0) end = mid; else start = mid + 1;
738 }
739
740return -1;
741}
742
743
744/*************************************************
745* Read and parse one ACL *
746*************************************************/
747
748/* This function is called both from readconf in order to parse the ACLs in the
749configuration file, and also when an ACL is encountered dynamically (e.g. as
750the result of an expansion). It is given a function to call in order to
751retrieve the lines of the ACL. This function handles skipping comments and
752blank lines (where relevant).
753
754Arguments:
755 func function to get next line of ACL
756 error where to put an error message
757
758Returns: pointer to ACL, or NULL
759 NULL can be legal (empty ACL); in this case error will be NULL
760*/
761
762acl_block *
763acl_read(uschar *(*func)(void), uschar **error)
764{
765acl_block *yield = NULL;
766acl_block **lastp = &yield;
767acl_block *this = NULL;
768acl_condition_block *cond;
769acl_condition_block **condp = NULL;
770uschar *s;
771
772*error = NULL;
773
774while ((s = (*func)()) != NULL)
775 {
776 int v, c;
777 BOOL negated = FALSE;
778 uschar *saveline = s;
779 uschar name[64];
780
781 /* Conditions (but not verbs) are allowed to be negated by an initial
782 exclamation mark. */
783
784 while (isspace(*s)) s++;
785 if (*s == '!')
786 {
787 negated = TRUE;
788 s++;
789 }
790
cf00dad6
PH		 791 /* Read the name of a verb or a condition, or the start of a new ACL, which
792 can be started by a name, or by a macro definition. */
059ec3d9
PH		 793
794 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 795 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 796
797 /* If a verb is unrecognized, it may be another condition or modifier that
798 continues the previous verb. */
799
800 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
801 if (v < 0)
802 {
803 if (this == NULL)
804 {
4e167a8c
PH		 805 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
806 saveline);
059ec3d9
PH		 807 return NULL;
808 }
809 }
810
811 /* New verb */
812
813 else
814 {
815 if (negated)
816 {
817 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
818 return NULL;
819 }
820 this = store_get(sizeof(acl_block));
821 *lastp = this;
822 lastp = &(this->next);
823 this->next = NULL;
824 this->verb = v;
825 this->condition = NULL;
826 condp = &(this->condition);
827 if (*s == 0) continue; /* No condition on this line */
828 if (*s == '!')
829 {
830 negated = TRUE;
831 s++;
832 }
833 s = readconf_readname(name, sizeof(name), s); /* Condition name */
834 }
835
836 /* Handle a condition or modifier. */
837
838 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
839 if (c < 0)
840 {
841 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
842 saveline);
843 return NULL;
844 }
845
846 /* The modifiers may not be negated */
847
848 if (negated && cond_modifiers[c])
849 {
850 *error = string_sprintf("ACL error: negation is not allowed with "
851 "\"%s\"", conditions[c]);
852 return NULL;
853 }
854
855 /* ENDPASS may occur only with ACCEPT or DISCARD. */
856
857 if (c == ACLC_ENDPASS &&
858 this->verb != ACL_ACCEPT &&
859 this->verb != ACL_DISCARD)
860 {
861 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
862 conditions[c], verbs[this->verb]);
863 return NULL;
864 }
865
866 cond = store_get(sizeof(acl_condition_block));
867 cond->next = NULL;
868 cond->type = c;
869 cond->u.negated = negated;
870
871 *condp = cond;
872 condp = &(cond->next);
873
874 /* The "set" modifier is different in that its argument is "name=value"
875 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 876 gives us a variable name to insert into the data block. The original ACL
877 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
878 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 879 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
880 After that, we allow alphanumerics and underscores, but the first character
881 after c or m must be a digit or an underscore. This retains backwards
882 compatibility. */
059ec3d9
PH		 883
884 if (c == ACLC_SET)
885 {
47ca6d6c
PH		 886 uschar *endptr;
887
38a0a95f
PH		 888 if (Ustrncmp(s, "acl_c", 5) != 0 &&
889 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 890 {
38a0a95f
PH		 891 *error = string_sprintf("invalid variable name after \"set\" in ACL "
892 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
893 return NULL;
47ca6d6c 894 }
38a0a95f
PH		 895
896 endptr = s + 5;
641cb756
PH		 897 if (!isdigit(*endptr) && *endptr != '_')
898 {
899 *error = string_sprintf("invalid variable name after \"set\" in ACL "
900 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
901 s);
902 return NULL;
903 }
904
38a0a95f 905 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 906 {
38a0a95f
PH		 907 if (!isalnum(*endptr) && *endptr != '_')
908 {
909 *error = string_sprintf("invalid character \"%c\" in variable name "
910 "in ACL modifier \"set %s\"", *endptr, s);
911 return NULL;
912 }
913 endptr++;
47ca6d6c 914 }
47ca6d6c 915
38a0a95f 916 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 917 s = endptr;
059ec3d9
PH		 918 while (isspace(*s)) s++;
919 }
920
921 /* For "set", we are now positioned for the data. For the others, only
922 "endpass" has no data */
923
924 if (c != ACLC_ENDPASS)
925 {
926 if (*s++ != '=')
927 {
928 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
929 cond_modifiers[c]? US"modifier" : US"condition");
930 return NULL;
931 }
932 while (isspace(*s)) s++;
933 cond->arg = string_copy(s);
934 }
935 }
936
937return yield;
938}
939
940
941
71fafd95
PH		 942/*************************************************
943* Set up added header line(s) *
944*************************************************/
945
946/* This function is called by the add_header modifier, and also from acl_warn()
947to implement the now-deprecated way of adding header lines using "message" on a
948"warn" verb. The argument is treated as a sequence of header lines which are
949added to a chain, provided there isn't an identical one already there.
950
951Argument: string of header lines
952Returns: nothing
953*/
954
955static void
956setup_header(uschar *hstring)
957{
958uschar *p, *q;
959int hlen = Ustrlen(hstring);
960
961/* An empty string does nothing; otherwise add a final newline if necessary. */
962
963if (hlen <= 0) return;
964if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
965
966/* Loop for multiple header lines, taking care about continuations */
967
968for (p = q = hstring; *p != 0; )
969 {
970 uschar *s;
971 int newtype = htype_add_bot;
972 header_line **hptr = &acl_added_headers;
973
974 /* Find next header line within the string */
975
976 for (;;)
977 {
978 q = Ustrchr(q, '\n');
979 if (*(++q) != ' ' && *q != '\t') break;
980 }
981
982 /* If the line starts with a colon, interpret the instruction for where to
983 add it. This temporarily sets up a new type. */
984
985 if (*p == ':')
986 {
987 if (strncmpic(p, US":after_received:", 16) == 0)
988 {
989 newtype = htype_add_rec;
990 p += 16;
991 }
992 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
993 {
994 newtype = htype_add_rfc;
995 p += 14;
996 }
997 else if (strncmpic(p, US":at_start:", 10) == 0)
998 {
999 newtype = htype_add_top;
1000 p += 10;
1001 }
1002 else if (strncmpic(p, US":at_end:", 8) == 0)
1003 {
1004 newtype = htype_add_bot;
1005 p += 8;
1006 }
1007 while (*p == ' ' || *p == '\t') p++;
1008 }
1009
1010 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1011 to the front of it. */
1012
1013 for (s = p; s < q - 1; s++)
1014 {
1015 if (*s == ':' || !isgraph(*s)) break;
1016 }
1017
438257ba 1018 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1019 hlen = Ustrlen(s);
1020
1021 /* See if this line has already been added */
1022
1023 while (*hptr != NULL)
1024 {
1025 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1026 hptr = &((*hptr)->next);
1027 }
1028
1029 /* Add if not previously present */
1030
1031 if (*hptr == NULL)
1032 {
1033 header_line *h = store_get(sizeof(header_line));
1034 h->text = s;
1035 h->next = NULL;
1036 h->type = newtype;
1037 h->slen = hlen;
1038 *hptr = h;
1039 hptr = &(h->next);
1040 }
1041
1042 /* Advance for next header line within the string */
1043
1044 p = q;
1045 }
1046}
1047
1048
1049
e7568d51
TL		 1050/*************************************************
1051* Set up removed header line(s) *
1052*************************************************/
1053
1054/* This function is called by the remove_header modifier. The argument is
1055treated as a sequence of header names which are added to a colon separated
1056list, provided there isn't an identical one already there.
1057
1058Argument: string of header names
1059Returns: nothing
1060*/
1061
1062static void
1063setup_remove_header(uschar *hnames)
1064{
1065if (*hnames != 0)
1066 {
1067 if (acl_removed_headers == NULL)
1068 acl_removed_headers = hnames;
1069 else
1070 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1071 }
1072}
1073
1074
71fafd95 1075
059ec3d9
PH		 1076/*************************************************
1077* Handle warnings *
1078*************************************************/
1079
1080/* This function is called when a WARN verb's conditions are true. It adds to
1081the message's headers, and/or writes information to the log. In each case, this
1082only happens once (per message for headers, per connection for log).
1083
71fafd95
PH		 1084** NOTE: The header adding action using the "message" setting is historic, and
1085its use is now deprecated. The new add_header modifier should be used instead.
1086
059ec3d9
PH		 1087Arguments:
1088 where ACL_WHERE_xxxx indicating which ACL this is
1089 user_message message for adding to headers
1090 log_message message for logging, if different
1091
1092Returns: nothing
1093*/
1094
1095static void
1096acl_warn(int where, uschar *user_message, uschar *log_message)
1097{
059ec3d9
PH		 1098if (log_message != NULL && log_message != user_message)
1099 {
1100 uschar *text;
1101 string_item *logged;
1102
1103 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1104 string_printing(log_message));
1105
1106 /* If a sender verification has failed, and the log message is "sender verify
1107 failed", add the failure message. */
1108
1109 if (sender_verified_failed != NULL &&
1110 sender_verified_failed->message != NULL &&
1111 strcmpic(log_message, US"sender verify failed") == 0)
1112 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1113
9c7a242c
PH		 1114 /* Search previously logged warnings. They are kept in malloc
1115 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1116
1117 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1118 if (Ustrcmp(logged->text, text) == 0) break;
1119
1120 if (logged == NULL)
1121 {
1122 int length = Ustrlen(text) + 1;
1123 log_write(0, LOG_MAIN, "%s", text);
1124 logged = store_malloc(sizeof(string_item) + length);
1125 logged->text = (uschar *)logged + sizeof(string_item);
1126 memcpy(logged->text, text, length);
1127 logged->next = acl_warn_logged;
1128 acl_warn_logged = logged;
1129 }
1130 }
1131
1132/* If there's no user message, we are done. */
1133
1134if (user_message == NULL) return;
1135
1136/* If this isn't a message ACL, we can't do anything with a user message.
1137Log an error. */
1138
1139if (where > ACL_WHERE_NOTSMTP)
1140 {
1141 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1142 "found in a non-message (%s) ACL: cannot specify header lines here: "
1143 "message ignored", acl_wherenames[where]);
1144 return;
1145 }
1146
71fafd95
PH		 1147/* The code for setting up header lines is now abstracted into a separate
1148function so that it can be used for the add_header modifier as well. */
059ec3d9 1149
71fafd95 1150setup_header(user_message);
059ec3d9
PH		 1151}
1152
1153
1154
1155/*************************************************
1156* Verify and check reverse DNS *
1157*************************************************/
1158
1159/* Called from acl_verify() below. We look up the host name(s) of the client IP
1160address if this has not yet been done. The host_name_lookup() function checks
1161that one of these names resolves to an address list that contains the client IP
1162address, so we don't actually have to do the check here.
1163
1164Arguments:
1165 user_msgptr pointer for user message
1166 log_msgptr pointer for log message
1167
1168Returns: OK verification condition succeeded
1169 FAIL verification failed
1170 DEFER there was a problem verifying
1171*/
1172
1173static int
1174acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1175{
1176int rc;
1177
1178user_msgptr = user_msgptr; /* stop compiler warning */
1179
1180/* Previous success */
1181
1182if (sender_host_name != NULL) return OK;
1183
1184/* Previous failure */
1185
1186if (host_lookup_failed)
1187 {
1188 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1189 return FAIL;
1190 }
1191
1192/* Need to do a lookup */
1193
1194HDEBUG(D_acl)
1195 debug_printf("looking up host name to force name/address consistency check\n");
1196
1197if ((rc = host_name_lookup()) != OK)
1198 {
1199 *log_msgptr = (rc == DEFER)?
1200 US"host lookup deferred for reverse lookup check"
1201 :
1202 string_sprintf("host lookup failed for reverse lookup check%s",
1203 host_lookup_msg);
1204 return rc; /* DEFER or FAIL */
1205 }
1206
1207host_build_sender_fullhost();
1208return OK;
1209}
1210
1211
1212
e5a9dba6
PH		 1213/*************************************************
1214* Check client IP address matches CSA target *
1215*************************************************/
1216
1217/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1218response for address records belonging to the CSA target hostname. The section
1219is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1220If one of the addresses matches the client's IP address, then the client is
1221authorized by CSA. If there are target IP addresses but none of them match
1222then the client is using an unauthorized IP address. If there are no target IP
1223addresses then the client cannot be using an authorized IP address. (This is
1224an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1225
1226Arguments:
1227 dnsa the DNS answer block
1228 dnss a DNS scan block for us to use
1229 reset option specifing what portion to scan, as described above
1230 target the target hostname to use for matching RR names
1231
1232Returns: CSA_OK successfully authorized
1233 CSA_FAIL_MISMATCH addresses found but none matched
1234 CSA_FAIL_NOADDR no target addresses found
1235*/
1236
1237static int
1238acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1239 uschar *target)
1240{
1241dns_record *rr;
1242dns_address *da;
1243
1244BOOL target_found = FALSE;
1245
1246for (rr = dns_next_rr(dnsa, dnss, reset);
1247 rr != NULL;
1248 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1249 {
1250 /* Check this is an address RR for the target hostname. */
1251
1252 if (rr->type != T_A
1253 #if HAVE_IPV6
1254 && rr->type != T_AAAA
1255 #ifdef SUPPORT_A6
1256 && rr->type != T_A6
1257 #endif
1258 #endif
1259 ) continue;
1260
1261 if (strcmpic(target, rr->name) != 0) continue;
1262
1263 target_found = TRUE;
1264
1265 /* Turn the target address RR into a list of textual IP addresses and scan
1266 the list. There may be more than one if it is an A6 RR. */
1267
1268 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1269 {
1270 /* If the client IP address matches the target IP address, it's good! */
1271
1272 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1273
1274 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1275 }
1276 }
1277
1278/* If we found some target addresses but none of them matched, the client is
1279using an unauthorized IP address, otherwise the target has no authorized IP
1280addresses. */
1281
1282if (target_found) return CSA_FAIL_MISMATCH;
1283else return CSA_FAIL_NOADDR;
1284}
1285
1286
1287
1288/*************************************************
1289* Verify Client SMTP Authorization *
1290*************************************************/
1291
1292/* Called from acl_verify() below. This routine calls dns_lookup_special()
1293to find the CSA SRV record corresponding to the domain argument, or
1294$sender_helo_name if no argument is provided. It then checks that the
1295client is authorized, and that its IP address corresponds to the SRV
1296target's address by calling acl_verify_csa_address() above. The address
1297should have been returned in the DNS response's ADDITIONAL section, but if
1298not we perform another DNS lookup to get it.
1299
1300Arguments:
1301 domain pointer to optional parameter following verify = csa
1302
1303Returns: CSA_UNKNOWN no valid CSA record found
1304 CSA_OK successfully authorized
1305 CSA_FAIL_* client is definitely not authorized
1306 CSA_DEFER_* there was a DNS problem
1307*/
1308
1309static int
1310acl_verify_csa(uschar *domain)
1311{
1312tree_node *t;
1313uschar *found, *p;
1314int priority, weight, port;
1315dns_answer dnsa;
1316dns_scan dnss;
1317dns_record *rr;
1318int rc, type;
1319uschar target[256];
1320
1321/* Work out the domain we are using for the CSA lookup. The default is the
1322client's HELO domain. If the client has not said HELO, use its IP address
1323instead. If it's a local client (exim -bs), CSA isn't applicable. */
1324
1325while (isspace(*domain) && *domain != '\0') ++domain;
1326if (*domain == '\0') domain = sender_helo_name;
1327if (domain == NULL) domain = sender_host_address;
1328if (sender_host_address == NULL) return CSA_UNKNOWN;
1329
1330/* If we have an address literal, strip off the framing ready for turning it
1331into a domain. The framing consists of matched square brackets possibly
1332containing a keyword and a colon before the actual IP address. */
1333
1334if (domain[0] == '[')
1335 {
1336 uschar *start = Ustrchr(domain, ':');
1337 if (start == NULL) start = domain;
1338 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1339 }
1340
1341/* Turn domains that look like bare IP addresses into domains in the reverse
1342DNS. This code also deals with address literals and $sender_host_address. It's
1343not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1344address literals, but it's probably the most friendly thing to do. This is an
1345extension to CSA, so we allow it to be turned off for proper conformance. */
1346
7e66e54d 1347if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1348 {
1349 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1350 dns_build_reverse(domain, target);
1351 domain = target;
1352 }
1353
1354/* Find out if we've already done the CSA check for this domain. If we have,
1355return the same result again. Otherwise build a new cached result structure
1356for this domain. The name is filled in now, and the value is filled in when
1357we return from this function. */
1358
1359t = tree_search(csa_cache, domain);
1360if (t != NULL) return t->data.val;
1361
1362t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1363Ustrcpy(t->name, domain);
1364(void)tree_insertnode(&csa_cache, t);
1365
1366/* Now we are ready to do the actual DNS lookup(s). */
1367
28e6ef29 1368found = domain;
e5a9dba6
PH		 1369switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1370 {
1371 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1372
1373 default:
1374 return t->data.val = CSA_DEFER_SRV;
1375
1376 /* If we found nothing, the client's authorization is unknown. */
1377
1378 case DNS_NOMATCH:
1379 case DNS_NODATA:
1380 return t->data.val = CSA_UNKNOWN;
1381
1382 /* We got something! Go on to look at the reply in more detail. */
1383
1384 case DNS_SUCCEED:
1385 break;
1386 }
1387
1388/* Scan the reply for well-formed CSA SRV records. */
1389
1390for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1391 rr != NULL;
1392 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1393 {
1394 if (rr->type != T_SRV) continue;
1395
1396 /* Extract the numerical SRV fields (p is incremented) */
1397
1398 p = rr->data;
1399 GETSHORT(priority, p);
1400 GETSHORT(weight, p);
1401 GETSHORT(port, p);
1402
1403 DEBUG(D_acl)
1404 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1405
1406 /* Check the CSA version number */
1407
1408 if (priority != 1) continue;
1409
1410 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1411 found by dns_special_lookup() is a parent of the one we asked for), we check
1412 the subdomain assertions in the port field. At the moment there's only one
1413 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1414 SRV records of their own. */
1415
1416 if (found != domain)
1417 {
1418 if (port & 1)
1419 return t->data.val = CSA_FAIL_EXPLICIT;
1420 else
1421 return t->data.val = CSA_UNKNOWN;
1422 }
1423
1424 /* This CSA SRV record refers directly to our domain, so we check the value
1425 in the weight field to work out the domain's authorization. 0 and 1 are
1426 unauthorized; 3 means the client is authorized but we can't check the IP
1427 address in order to authenticate it, so we treat it as unknown; values
1428 greater than 3 are undefined. */
1429
1430 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1431
1432 if (weight > 2) continue;
1433
1434 /* Weight == 2, which means the domain is authorized. We must check that the
1435 client's IP address is listed as one of the SRV target addresses. Save the
1436 target hostname then break to scan the additional data for its addresses. */
1437
1438 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1439 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1440
1441 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1442
1443 break;
1444 }
1445
1446/* If we didn't break the loop then no appropriate records were found. */
1447
1448if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1449
1450/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1451A target of "." indicates there are no valid addresses, so the client cannot
1452be authorized. (This is an odd configuration because weight=2 target=. is
1453equivalent to weight=1, but we check for it in order to keep load off the
1454root name servers.) Note that dn_expand() turns "." into "". */
1455
1456if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1457
1458/* Scan the additional section of the CSA SRV reply for addresses belonging
1459to the target. If the name server didn't return any additional data (e.g.
1460because it does not fully support SRV records), we need to do another lookup
1461to obtain the target addresses; otherwise we have a definitive result. */
1462
1463rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1464if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1465
1466/* The DNS lookup type corresponds to the IP version used by the client. */
1467
1468#if HAVE_IPV6
1469if (Ustrchr(sender_host_address, ':') != NULL)
1470 type = T_AAAA;
1471else
1472#endif /* HAVE_IPV6 */
1473 type = T_A;
1474
1475
1476#if HAVE_IPV6 && defined(SUPPORT_A6)
1477DNS_LOOKUP_AGAIN:
1478#endif
1479
1480switch (dns_lookup(&dnsa, target, type, NULL))
1481 {
1482 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1483
1484 default:
1485 return t->data.val = CSA_DEFER_ADDR;
1486
1487 /* If the query succeeded, scan the addresses and return the result. */
1488
1489 case DNS_SUCCEED:
1490 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1491 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1492 /* else fall through */
1493
1494 /* If the target has no IP addresses, the client cannot have an authorized
1495 IP address. However, if the target site uses A6 records (not AAAA records)
1496 we have to do yet another lookup in order to check them. */
1497
1498 case DNS_NOMATCH:
1499 case DNS_NODATA:
1500
1501 #if HAVE_IPV6 && defined(SUPPORT_A6)
1502 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1503 #endif
1504
1505 return t->data.val = CSA_FAIL_NOADDR;
1506 }
1507}
1508
1509
1510
059ec3d9
PH		 1511/*************************************************
1512* Handle verification (address & other) *
1513*************************************************/
1514
89583014
JH		 1515enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1516 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1517 };
1518typedef struct {
1519 uschar * name;
1520 int value;
1521 unsigned where_allowed; /* bitmap */
1522 BOOL no_options; /* Never has /option(s) following */
1523 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1524 } verify_type_t;
1525static verify_type_t verify_type_list[] = {
1526 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1527 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1528 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1529 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1530 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1531 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1532 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1533 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1534 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1535 FALSE, 6 },
1536 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1537 };
1538
1539
1540enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1541 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1542 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1543 CALLOUT_TIME
1544 };
1545typedef struct {
1546 uschar * name;
1547 int value;
1548 int flag;
1549 BOOL has_option; /* Has =option(s) following */
1550 BOOL timeval; /* Has a time value */
1551 } callout_opt_t;
1552static callout_opt_t callout_opt_list[] = {
1553 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1554 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1555 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1556 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1557 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1558 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1559 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1560 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1561 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1562 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1563 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1564 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1565 };
1566
1567
1568
059ec3d9
PH		 1569/* This function implements the "verify" condition. It is called when
1570encountered in any ACL, because some tests are almost always permitted. Some
1571just don't make sense, and always fail (for example, an attempt to test a host
1572lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1573
1574Arguments:
1575 where where called from
1576 addr the recipient address that the ACL is handling, or NULL
1577 arg the argument of "verify"
1578 user_msgptr pointer for user message
1579 log_msgptr pointer for log message
1580 basic_errno where to put verify errno
1581
1582Returns: OK verification condition succeeded
1583 FAIL verification failed
1584 DEFER there was a problem verifying
1585 ERROR syntax error
1586*/
1587
1588static int
1589acl_verify(int where, address_item *addr, uschar *arg,
1590 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1591{
1592int sep = '/';
1593int callout = -1;
1594int callout_overall = -1;
4deaf07d 1595int callout_connect = -1;
059ec3d9
PH		 1596int verify_options = 0;
1597int rc;
1598BOOL verify_header_sender = FALSE;
1599BOOL defer_ok = FALSE;
1600BOOL callout_defer_ok = FALSE;
1601BOOL no_details = FALSE;
eafd343b 1602BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1603address_item *sender_vaddr = NULL;
1604uschar *verify_sender_address = NULL;
1605uschar *pm_mailfrom = NULL;
1606uschar *se_mailfrom = NULL;
596875b3
PH		 1607
1608/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1609an error if options are given for items that don't expect them.
596875b3
PH		 1610*/
1611
1612uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1613uschar *list = arg;
1614uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1615verify_type_t * vp;
059ec3d9
PH		 1616
1617if (ss == NULL) goto BAD_VERIFY;
1618
1619/* Handle name/address consistency verification in a separate function. */
1620
89583014
JH		 1621for (vp= verify_type_list;
1622 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1623 vp++
1624 )
1625 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1626 : strcmpic (ss, vp->name) == 0)
1627 break;
1628if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1629 goto BAD_VERIFY;
1630
1631if (vp->no_options && slash != NULL)
059ec3d9 1632 {
89583014
JH		 1633 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1634 "(this verify item has no options)", arg);
1635 return ERROR;
059ec3d9 1636 }
89583014 1637if (!(vp->where_allowed & (1<<where)))
059ec3d9 1638 {
89583014
JH		 1639 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1640 return ERROR;
059ec3d9 1641 }
89583014 1642switch(vp->value)
596875b3 1643 {
89583014
JH		 1644 case VERIFY_REV_HOST_LKUP:
1645 if (sender_host_address == NULL) return OK;
1646 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1647
89583014
JH		 1648 case VERIFY_CERT:
1649 /* TLS certificate verification is done at STARTTLS time; here we just
1650 test whether it was successful or not. (This is for optional verification; for
1651 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1652
817d9f57 1653 if (tls_in.certificate_verified) return OK;
89583014
JH		 1654 *user_msgptr = US"no verified certificate";
1655 return FAIL;
e5a9dba6 1656
89583014
JH		 1657 case VERIFY_HELO:
1658 /* We can test the result of optional HELO verification that might have
1659 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1660
89583014
JH		 1661 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1662 return helo_verified? OK : FAIL;
059ec3d9 1663
89583014
JH		 1664 case VERIFY_CSA:
1665 /* Do Client SMTP Authorization checks in a separate function, and turn the
1666 result code into user-friendly strings. */
1c41c9cc 1667
89583014
JH		 1668 rc = acl_verify_csa(list);
1669 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1670 csa_reason_string[rc]);
1671 csa_status = csa_status_string[rc];
1672 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1673 return csa_return_code[rc];
1674
1675 case VERIFY_HDR_SYNTAX:
1676 /* Check that all relevant header lines have the correct syntax. If there is
1677 a syntax error, we return details of the error to the sender if configured to
1678 send out full details. (But a "message" setting on the ACL can override, as
1679 always). */
1680
1681 rc = verify_check_headers(log_msgptr);
1682 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1683 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1684 return rc;
059ec3d9 1685
89583014
JH		 1686 case VERIFY_NOT_BLIND:
1687 /* Check that no recipient of this message is "blind", that is, every envelope
1688 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1689
89583014
JH		 1690 rc = verify_check_notblind();
1691 if (rc != OK)
1692 {
1693 *log_msgptr = string_sprintf("bcc recipient detected");
1694 if (smtp_return_error_details)
1695 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1696 }
1697 return rc;
059ec3d9 1698
89583014
JH		 1699 /* The remaining verification tests check recipient and sender addresses,
1700 either from the envelope or from the header. There are a number of
1701 slash-separated options that are common to all of them. */
059ec3d9 1702
89583014
JH		 1703 case VERIFY_HDR_SNDR:
1704 verify_header_sender = TRUE;
1705 break;
059ec3d9 1706
89583014
JH		 1707 case VERIFY_SNDR:
1708 /* In the case of a sender, this can optionally be followed by an address to use
1709 in place of the actual sender (rare special-case requirement). */
059ec3d9 1710 {
89583014
JH		 1711 uschar *s = ss + 6;
1712 if (*s == 0)
1713 verify_sender_address = sender_address;
1714 else
1715 {
1716 while (isspace(*s)) s++;
1717 if (*s++ != '=') goto BAD_VERIFY;
1718 while (isspace(*s)) s++;
1719 verify_sender_address = string_copy(s);
1720 }
059ec3d9 1721 }
89583014
JH		 1722 break;
1723
1724 case VERIFY_RCPT:
1725 break;
059ec3d9
PH		 1726 }
1727
89583014
JH		 1728
1729
596875b3
PH		 1730/* Remaining items are optional; they apply to sender and recipient
1731verification, including "header sender" verification. */
059ec3d9
PH		 1732
1733while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1734 != NULL)
1735 {
1736 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1737 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1738 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1739
1740 /* These two old options are left for backwards compatibility */
1741
1742 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1743 {
1744 callout_defer_ok = TRUE;
1745 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1746 }
1747
1748 else if (strcmpic(ss, US"check_postmaster") == 0)
1749 {
1750 pm_mailfrom = US"";
1751 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1752 }
1753
1754 /* The callout option has a number of sub-options, comma separated */
1755
1756 else if (strncmpic(ss, US"callout", 7) == 0)
1757 {
1758 callout = CALLOUT_TIMEOUT_DEFAULT;
1759 ss += 7;
1760 if (*ss != 0)
1761 {
1762 while (isspace(*ss)) ss++;
1763 if (*ss++ == '=')
1764 {
1765 int optsep = ',';
1766 uschar *opt;
1767 uschar buffer[256];
1768 while (isspace(*ss)) ss++;
8e669ac1 1769
059ec3d9
PH		 1770 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1771 != NULL)
1772 {
89583014 1773 callout_opt_t * op;
438257ba 1774 double period = 1.0F;
059ec3d9 1775
89583014 1776 for (op= callout_opt_list; op->name; op++)
438257ba 1777 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1778 break;
059ec3d9 1779
89583014
JH		 1780 verify_options |= op->flag;
1781 if (op->has_option)
1782 {
438257ba 1783 opt += Ustrlen(op->name);
4deaf07d
PH		 1784 while (isspace(*opt)) opt++;
1785 if (*opt++ != '=')
1786 {
1787 *log_msgptr = string_sprintf("'=' expected after "
89583014 1788 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1789 return ERROR;
1790 }
1791 while (isspace(*opt)) opt++;
89583014
JH		 1792 }
1793 if (op->timeval)
1794 {
1795 period = readconf_readtime(opt, 0, FALSE);
1796 if (period < 0)
4deaf07d
PH		 1797 {
1798 *log_msgptr = string_sprintf("bad time value in ACL condition "
1799 "\"verify %s\"", arg);
1800 return ERROR;
1801 }
89583014
JH		 1802 }
1803
1804 switch(op->value)
1805 {
1806 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1807 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1808 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1809 case CALLOUT_MAILFROM:
1810 if (!verify_header_sender)
1811 {
1812 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1813 "callout option only for verify=header_sender (detected in ACL "
1814 "condition \"%s\")", arg);
1815 return ERROR;
1816 }
1817 se_mailfrom = string_copy(opt);
1818 break;
1819 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1820 case CALLOUT_MAXWAIT: callout_overall = period; break;
1821 case CALLOUT_CONNECT: callout_connect = period; break;
1822 case CALLOUT_TIME: callout = period; break;
1823 }
059ec3d9
PH		 1824 }
1825 }
1826 else
1827 {
1828 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1829 "ACL condition \"%s\"", arg);
1830 return ERROR;
1831 }
1832 }
1833 }
1834
1835 /* Option not recognized */
1836
1837 else
1838 {
1839 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1840 "condition \"verify %s\"", ss, arg);
1841 return ERROR;
1842 }
1843 }
1844
1845if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1846 (vopt_callout_recipsender|vopt_callout_recippmaster))
1847 {
1848 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1849 "for a recipient callout";
1850 return ERROR;
1851 }
1852
1853/* Handle sender-in-header verification. Default the user message to the log
1854message if giving out verification details. */
1855
1856if (verify_header_sender)
1857 {
8e669ac1 1858 int verrno;
059ec3d9 1859 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1860 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1861 &verrno);
1862 if (rc != OK)
8e669ac1 1863 {
fe5b5d0b
PH		 1864 *basic_errno = verrno;
1865 if (smtp_return_error_details)
1866 {
1867 if (*user_msgptr == NULL && *log_msgptr != NULL)
1868 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1869 if (rc == DEFER) acl_temp_details = TRUE;
1870 }
8e669ac1 1871 }
059ec3d9
PH		 1872 }
1873
1874/* Handle a sender address. The default is to verify *the* sender address, but
1875optionally a different address can be given, for special requirements. If the
1876address is empty, we are dealing with a bounce message that has no sender, so
1877we cannot do any checking. If the real sender address gets rewritten during
1878verification (e.g. DNS widening), set the flag to stop it being rewritten again
1879during message reception.
1880
1881A list of verified "sender" addresses is kept to try to avoid doing to much
1882work repetitively when there are multiple recipients in a message and they all
1883require sender verification. However, when callouts are involved, it gets too
1884complicated because different recipients may require different callout options.
1885Therefore, we always do a full sender verify when any kind of callout is
1886specified. Caching elsewhere, for instance in the DNS resolver and in the
1887callout handling, should ensure that this is not terribly inefficient. */
1888
1889else if (verify_sender_address != NULL)
1890 {
1891 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1892 != 0)
1893 {
1894 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1895 "sender verify callout";
1896 return ERROR;
1897 }
1898
1899 sender_vaddr = verify_checked_sender(verify_sender_address);
1900 if (sender_vaddr != NULL && /* Previously checked */
1901 callout <= 0) /* No callout needed this time */
1902 {
1903 /* If the "routed" flag is set, it means that routing worked before, so
1904 this check can give OK (the saved return code value, if set, belongs to a
1905 callout that was done previously). If the "routed" flag is not set, routing
1906 must have failed, so we use the saved return code. */
1907
1908 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1909 {
1910 rc = sender_vaddr->special_action;
1911 *basic_errno = sender_vaddr->basic_errno;
1912 }
1913 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1914 }
1915
1916 /* Do a new verification, and cache the result. The cache is used to avoid
1917 verifying the sender multiple times for multiple RCPTs when callouts are not
1918 specified (see comments above).
1919
1920 The cache is also used on failure to give details in response to the first
1921 RCPT that gets bounced for this reason. However, this can be suppressed by
1922 the no_details option, which sets the flag that says "this detail has already
1923 been sent". The cache normally contains just one address, but there may be
1924 more in esoteric circumstances. */
1925
1926 else
1927 {
1928 BOOL routed = TRUE;
2a3eea10 1929 uschar *save_address_data = deliver_address_data;
8e669ac1 1930
059ec3d9
PH		 1931 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1932 if (no_details) setflag(sender_vaddr, af_sverify_told);
1933 if (verify_sender_address[0] != 0)
1934 {
1935 /* If this is the real sender address, save the unrewritten version
1936 for use later in receive. Otherwise, set a flag so that rewriting the
1937 sender in verify_address() does not update sender_address. */
1938
1939 if (verify_sender_address == sender_address)
1940 sender_address_unrewritten = sender_address;
1941 else
1942 verify_options |= vopt_fake_sender;
1943
eafd343b
TK		 1944 if (success_on_redirect)
1945 verify_options |= vopt_success_on_redirect;
1946
059ec3d9
PH		 1947 /* The recipient, qualify, and expn options are never set in
1948 verify_options. */
1949
1950 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1951 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1952
1953 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1954
1955 if (rc == OK)
1956 {
1957 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1958 {
1959 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1960 verify_sender_address, sender_vaddr->address);
1961 }
1962 else
1963 {
1964 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1965 verify_sender_address);
1966 }
1967 }
1968 else *basic_errno = sender_vaddr->basic_errno;
1969 }
1970 else rc = OK; /* Null sender */
1971
1972 /* Cache the result code */
1973
1974 if (routed) setflag(sender_vaddr, af_verify_routed);
1975 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1976 sender_vaddr->special_action = rc;
1977 sender_vaddr->next = sender_verified_list;
1978 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1979
1980 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1981 the sender verification. */
8e669ac1 1982
2a3eea10 1983 deliver_address_data = save_address_data;
059ec3d9 1984 }
8e669ac1 1985
2a3eea10
PH		 1986 /* Put the sender address_data value into $sender_address_data */
1987
8e669ac1 1988 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1989 }
1990
1991/* A recipient address just gets a straightforward verify; again we must handle
1992the DEFER overrides. */
1993
1994else
1995 {
1996 address_item addr2;
1997
eafd343b
TK		 1998 if (success_on_redirect)
1999 verify_options |= vopt_success_on_redirect;
2000
059ec3d9
PH		 2001 /* We must use a copy of the address for verification, because it might
2002 get rewritten. */
2003
2004 addr2 = *addr;
2005 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2006 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2007 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2008
42855d71 2009 *basic_errno = addr2.basic_errno;
059ec3d9 2010 *log_msgptr = addr2.message;
8e669ac1 2011 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2012 addr2.user_message : addr2.message;
42855d71
PH		 2013
2014 /* Allow details for temporary error if the address is so flagged. */
2015 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 2016
2017 /* Make $address_data visible */
2018 deliver_address_data = addr2.p.address_data;
2019 }
2020
2021/* We have a result from the relevant test. Handle defer overrides first. */
2022
2023if (rc == DEFER && (defer_ok ||
2024 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2025 {
2026 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2027 defer_ok? "defer_ok" : "callout_defer_ok");
2028 rc = OK;
2029 }
2030
2031/* If we've failed a sender, set up a recipient message, and point
2032sender_verified_failed to the address item that actually failed. */
2033
2034if (rc != OK && verify_sender_address != NULL)
2035 {
2036 if (rc != DEFER)
2037 {
2038 *log_msgptr = *user_msgptr = US"Sender verify failed";
2039 }
2040 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2041 {
2042 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2043 }
2044 else
2045 {
2046 *log_msgptr = US"Could not complete sender verify callout";
2047 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2048 *log_msgptr;
2049 }
2050
2051 sender_verified_failed = sender_vaddr;
2052 }
2053
2054/* Verifying an address messes up the values of $domain and $local_part,
2055so reset them before returning if this is a RCPT ACL. */
2056
2057if (addr != NULL)
2058 {
2059 deliver_domain = addr->domain;
2060 deliver_localpart = addr->local_part;
2061 }
2062return rc;
2063
2064/* Syntax errors in the verify argument come here. */
2065
2066BAD_VERIFY:
2067*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2068 "\"helo\", \"header_syntax\", \"header_sender\" or "
2069 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2070 "\"verify %s\"", arg);
2071return ERROR;
2072}
2073
2074
2075
2076
2077/*************************************************
2078* Check argument for control= modifier *
2079*************************************************/
2080
2081/* Called from acl_check_condition() below
2082
2083Arguments:
2084 arg the argument string for control=
2085 pptr set to point to the terminating character
2086 where which ACL we are in
2087 log_msgptr for error messages
2088
2089Returns: CONTROL_xxx value
2090*/
2091
2092static int
2093decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2094{
2095int len;
2096control_def *d;
2097
2098for (d = controls_list;
2099 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2100 d++)
2101 {
2102 len = Ustrlen(d->name);
2103 if (Ustrncmp(d->name, arg, len) == 0) break;
2104 }
2105
2106if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2107 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2108 {
2109 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2110 return CONTROL_ERROR;
2111 }
2112
059ec3d9
PH		 2113*pptr = arg + len;
2114return d->value;
2115}
2116
2117
2118
c99ce5c9
TF		 2119
2120/*************************************************
2121* Return a ratelimit error *
2122*************************************************/
2123
2124/* Called from acl_ratelimit() below
2125
2126Arguments:
2127 log_msgptr for error messages
2128 format format string
2129 ... supplementary arguments
2130 ss ratelimit option name
2131 where ACL_WHERE_xxxx indicating which ACL this is
2132
2133Returns: ERROR
2134*/
2135
2136static int
2137ratelimit_error(uschar **log_msgptr, const char *format, ...)
2138{
2139va_list ap;
2140uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2141va_start(ap, format);
2142if (!string_vformat(buffer, sizeof(buffer), format, ap))
2143 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2144 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2145va_end(ap);
2146*log_msgptr = string_sprintf(
2147 "error in arguments to \"ratelimit\" condition: %s", buffer);
2148return ERROR;
2149}
2150
2151
2152
2153
870f6ba8
TF		 2154/*************************************************
2155* Handle rate limiting *
2156*************************************************/
2157
2158/* Called by acl_check_condition() below to calculate the result
2159of the ACL ratelimit condition.
2160
2161Note that the return value might be slightly unexpected: if the
2162sender's rate is above the limit then the result is OK. This is
2163similar to the dnslists condition, and is so that you can write
2164ACL clauses like: defer ratelimit = 15 / 1h
2165
2166Arguments:
2167 arg the option string for ratelimit=
90fc3069 2168 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2169 log_msgptr for error messages
2170
2171Returns: OK - Sender's rate is above limit
2172 FAIL - Sender's rate is below limit
2173 DEFER - Problem opening ratelimit database
2174 ERROR - Syntax error in options.
2175*/
2176
2177static int
90fc3069 2178acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2179{
c99ce5c9 2180double limit, period, count;
8f240103
PH		 2181uschar *ss;
2182uschar *key = NULL;
c99ce5c9 2183uschar *unique = NULL;
870f6ba8 2184int sep = '/';
c99ce5c9
TF		 2185BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2186BOOL noupdate = FALSE, badacl = FALSE;
2187int mode = RATE_PER_WHAT;
870f6ba8
TF		 2188int old_pool, rc;
2189tree_node **anchor, *t;
2190open_db dbblock, *dbm;
c99ce5c9 2191int dbdb_size;
870f6ba8 2192dbdata_ratelimit *dbd;
c99ce5c9 2193dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2194struct timeval tv;
2195
2196/* Parse the first two options and record their values in expansion
2197variables. These variables allow the configuration to have informative
2198error messages based on rate limits obtained from a table lookup. */
2199
c99ce5c9 2200/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2201size, which must be greater than or equal to zero. Zero is useful for
2202rate measurement as opposed to rate limiting. */
2203
2204sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2205if (sender_rate_limit == NULL)
2206 limit = -1.0;
2207else
2208 {
2209 limit = Ustrtod(sender_rate_limit, &ss);
2210 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2211 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2212 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2213 }
c99ce5c9
TF		 2214if (limit < 0.0 || *ss != '\0')
2215 return ratelimit_error(log_msgptr,
2216 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2217
c99ce5c9 2218/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2219constant. This must be strictly greater than zero, because zero leads to
2220run-time division errors. */
2221
2222sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2223if (sender_rate_period == NULL) period = -1.0;
2224else period = readconf_readtime(sender_rate_period, 0, FALSE);
2225if (period <= 0.0)
c99ce5c9
TF		 2226 return ratelimit_error(log_msgptr,
2227 "\"%s\" is not a time value", sender_rate_period);
2228
2229/* By default we are counting one of something, but the per_rcpt,
2230per_byte, and count options can change this. */
2231
2232count = 1.0;
870f6ba8 2233
c99ce5c9 2234/* Parse the other options. */
870f6ba8
TF		 2235
2236while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2237 != NULL)
2238 {
2239 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2240 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2241 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2242 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2243 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2244 else if (strcmpic(ss, US"per_conn") == 0)
2245 {
2246 RATE_SET(mode, PER_CONN);
2247 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2248 badacl = TRUE;
2249 }
2250 else if (strcmpic(ss, US"per_mail") == 0)
2251 {
2252 RATE_SET(mode, PER_MAIL);
2253 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2254 }
2255 else if (strcmpic(ss, US"per_rcpt") == 0)
2256 {
2257 /* If we are running in the RCPT ACL, then we'll count the recipients
2258 one by one, but if we are running when we have accumulated the whole
2259 list then we'll add them all in one batch. */
2260 if (where == ACL_WHERE_RCPT)
2261 RATE_SET(mode, PER_RCPT);
2262 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2263 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2264 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2265 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2266 }
2267 else if (strcmpic(ss, US"per_byte") == 0)
2268 {
2269 /* If we have not yet received the message data and there was no SIZE
2270 declaration on the MAIL comand, then it's safe to just use a value of
2271 zero and let the recorded rate decay as if nothing happened. */
2272 RATE_SET(mode, PER_MAIL);
2273 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2274 else count = message_size < 0 ? 0.0 : (double)message_size;
2275 }
2276 else if (strcmpic(ss, US"per_addr") == 0)
2277 {
2278 RATE_SET(mode, PER_RCPT);
438257ba 2279 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2280 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2281 }
2282 else if (strncmpic(ss, US"count=", 6) == 0)
2283 {
2284 uschar *e;
2285 count = Ustrtod(ss+6, &e);
2286 if (count < 0.0 || *e != '\0')
2287 return ratelimit_error(log_msgptr,
2288 "\"%s\" is not a positive number", ss);
2289 }
2290 else if (strncmpic(ss, US"unique=", 7) == 0)
2291 unique = string_copy(ss + 7);
2292 else if (key == NULL)
2293 key = string_copy(ss);
2294 else
2295 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2296 }
2297
c99ce5c9
TF		 2298/* Sanity check. When the badacl flag is set the update mode must either
2299be readonly (which is the default if it is omitted) or, for backwards
2300compatibility, a combination of noupdate and strict or leaky. */
2301
2302if (mode == RATE_PER_CLASH)
2303 return ratelimit_error(log_msgptr, "conflicting per_* options");
2304if (leaky + strict + readonly > 1)
2305 return ratelimit_error(log_msgptr, "conflicting update modes");
2306if (badacl && (leaky || strict) && !noupdate)
2307 return ratelimit_error(log_msgptr,
2308 "\"%s\" must not have /leaky or /strict option in %s ACL",
2309 ratelimit_option_string[mode], acl_wherenames[where]);
2310
2311/* Set the default values of any unset options. In readonly mode we
2312perform the rate computation without any increment so that its value
2313decays to eventually allow over-limit senders through. */
2314
2315if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2316if (badacl) readonly = TRUE;
2317if (readonly) count = 0.0;
2318if (!strict && !readonly) leaky = TRUE;
2319if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2320
8f240103
PH		 2321/* Create the lookup key. If there is no explicit key, use sender_host_address.
2322If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2323omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2324are added to the key because they alter the meaning of the stored data. */
2325
2326if (key == NULL)
2327 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2328
c99ce5c9 2329key = string_sprintf("%s/%s/%s%s",
8f240103 2330 sender_rate_period,
c99ce5c9
TF		 2331 ratelimit_option_string[mode],
2332 unique == NULL ? "" : "unique/",
8f240103 2333 key);
870f6ba8 2334
c99ce5c9
TF		 2335HDEBUG(D_acl)
2336 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2337
8f240103
PH		 2338/* See if we have already computed the rate by looking in the relevant tree.
2339For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2340pool so that they survive across resets. In readonly mode we only remember the
2341result for the rest of this command in case a later command changes it. After
2342this bit of logic the code is independent of the per_* mode. */
870f6ba8 2343
870f6ba8
TF		 2344old_pool = store_pool;
2345
c99ce5c9
TF		 2346if (readonly)
2347 anchor = &ratelimiters_cmd;
2348else switch(mode) {
2349case RATE_PER_CONN:
870f6ba8
TF		 2350 anchor = &ratelimiters_conn;
2351 store_pool = POOL_PERM;
c99ce5c9
TF		 2352 break;
2353case RATE_PER_BYTE:
2354case RATE_PER_MAIL:
2355case RATE_PER_ALLRCPTS:
870f6ba8 2356 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2357 break;
2358case RATE_PER_ADDR:
2359case RATE_PER_CMD:
2360case RATE_PER_RCPT:
fe0dab11 2361 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2362 break;
2363default:
3399bb60 2364 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2365 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2366 "internal ACL error: unknown ratelimit mode %d", mode);
2367 break;
2368}
870f6ba8 2369
c99ce5c9
TF		 2370t = tree_search(*anchor, key);
2371if (t != NULL)
870f6ba8
TF		 2372 {
2373 dbd = t->data.ptr;
2374 /* The following few lines duplicate some of the code below. */
8f240103 2375 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2376 store_pool = old_pool;
2377 sender_rate = string_sprintf("%.1f", dbd->rate);
2378 HDEBUG(D_acl)
2379 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2380 return rc;
2381 }
2382
c99ce5c9
TF		 2383/* We aren't using a pre-computed rate, so get a previously recorded rate
2384from the database, which will be updated and written back if required. */
870f6ba8
TF		 2385
2386dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2387if (dbm == NULL)
2388 {
2389 store_pool = old_pool;
2390 sender_rate = NULL;
2391 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2392 *log_msgptr = US"ratelimit database not available";
2393 return DEFER;
2394 }
c99ce5c9
TF		 2395dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2396dbd = NULL;
870f6ba8
TF		 2397
2398gettimeofday(&tv, NULL);
2399
c99ce5c9
TF		 2400if (dbdb != NULL)
2401 {
2402 /* Locate the basic ratelimit block inside the DB data. */
2403 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2404 dbd = &dbdb->dbd;
2405
2406 /* Forget the old Bloom filter if it is too old, so that we count each
2407 repeating event once per period. We don't simply clear and re-use the old
2408 filter because we want its size to change if the limit changes. Note that
2409 we keep the dbd pointer for copying the rate into the new data block. */
2410
2411 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2412 {
2413 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2414 dbdb = NULL;
2415 }
2416
2417 /* Sanity check. */
2418
2419 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2420 {
2421 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2422 dbdb = NULL;
2423 }
2424 }
2425
2426/* Allocate a new data block if the database lookup failed
2427or the Bloom filter passed its age limit. */
2428
2429if (dbdb == NULL)
2430 {
2431 if (unique == NULL)
2432 {
2433 /* No Bloom filter. This basic ratelimit block is initialized below. */
2434 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2435 dbdb_size = sizeof(*dbd);
2436 dbdb = store_get(dbdb_size);
2437 }
2438 else
2439 {
2440 int extra;
2441 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2442
2443 /* See the long comment below for an explanation of the magic number 2.
2444 The filter has a minimum size in case the rate limit is very small;
2445 this is determined by the definition of dbdata_ratelimit_unique. */
2446
2447 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2448 if (extra < 0) extra = 0;
2449 dbdb_size = sizeof(*dbdb) + extra;
2450 dbdb = store_get(dbdb_size);
2451 dbdb->bloom_epoch = tv.tv_sec;
2452 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2453 memset(dbdb->bloom, 0, dbdb->bloom_size);
2454
2455 /* Preserve any basic ratelimit data (which is our longer-term memory)
2456 by copying it from the discarded block. */
2457
2458 if (dbd != NULL)
2459 {
2460 dbdb->dbd = *dbd;
2461 dbd = &dbdb->dbd;
2462 }
2463 }
2464 }
2465
2466/* If we are counting unique events, find out if this event is new or not.
2467If the client repeats the event during the current period then it should be
2468counted. We skip this code in readonly mode for efficiency, because any
2469changes to the filter will be discarded and because count is already set to
2470zero. */
2471
2472if (unique != NULL && !readonly)
2473 {
2474 /* We identify unique events using a Bloom filter. (You can find my
2475 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2476 With the per_addr option, an "event" is a recipient address, though the
2477 user can use the unique option to define their own events. We only count
2478 an event if we have not seen it before.
2479
2480 We size the filter according to the rate limit, which (in leaky mode)
2481 is the limit on the population of the filter. We allow 16 bits of space
2482 per entry (see the construction code above) and we set (up to) 8 of them
2483 when inserting an element (see the loop below). The probability of a false
2484 positive (an event we have not seen before but which we fail to count) is
2485
2486 size = limit * 16
2487 numhash = 8
2488 allzero = exp(-numhash * pop / size)
2489 = exp(-0.5 * pop / limit)
2490 fpr = pow(1 - allzero, numhash)
2491
2492 For senders at the limit the fpr is 0.06% or 1 in 1700
2493 and for senders at half the limit it is 0.0006% or 1 in 170000
2494
2495 In strict mode the Bloom filter can fill up beyond the normal limit, in
2496 which case the false positive rate will rise. This means that the
2497 measured rate for very fast senders can bogusly drop off after a while.
2498
2499 At twice the limit, the fpr is 2.5% or 1 in 40
2500 At four times the limit, it is 31% or 1 in 3.2
2501
2502 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2503 decay below the limit, and if this is more than one then the Bloom filter
2504 will be discarded before the decay gets that far. The false positive rate
2505 at this threshold is 9.3% or 1 in 10.7. */
2506
2507 BOOL seen;
2508 unsigned n, hash, hinc;
2509 uschar md5sum[16];
2510 md5 md5info;
2511
2512 /* Instead of using eight independent hash values, we combine two values
2513 using the formula h1 + n * h2. This does not harm the Bloom filter's
2514 performance, and means the amount of hash we need is independent of the
2515 number of bits we set in the filter. */
2516
2517 md5_start(&md5info);
2518 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2519 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2520 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2521
2522 /* Scan the bits corresponding to this event. A zero bit means we have
2523 not seen it before. Ensure all bits are set to record this event. */
2524
2525 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2526
2527 seen = TRUE;
2528 for (n = 0; n < 8; n++, hash += hinc)
2529 {
2530 int bit = 1 << (hash % 8);
2531 int byte = (hash / 8) % dbdb->bloom_size;
2532 if ((dbdb->bloom[byte] & bit) == 0)
2533 {
2534 dbdb->bloom[byte] |= bit;
2535 seen = FALSE;
2536 }
2537 }
2538
2539 /* If this event has occurred before, do not count it. */
2540
2541 if (seen)
2542 {
2543 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2544 count = 0.0;
2545 }
2546 else
2547 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2548 }
2549
2550/* If there was no previous ratelimit data block for this key, initialize
2551the new one, otherwise update the block from the database. The initial rate
2552is what would be computed by the code below for an infinite interval. */
2553
870f6ba8
TF		 2554if (dbd == NULL)
2555 {
c99ce5c9
TF		 2556 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2557 dbd = &dbdb->dbd;
870f6ba8
TF		 2558 dbd->time_stamp = tv.tv_sec;
2559 dbd->time_usec = tv.tv_usec;
c99ce5c9 2560 dbd->rate = count;
870f6ba8
TF		 2561 }
2562else
2563 {
2564 /* The smoothed rate is computed using an exponentially weighted moving
2565 average adjusted for variable sampling intervals. The standard EWMA for
2566 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2567 where f() is the measured value and f'() is the smoothed value.
2568
2569 Old data decays out of the smoothed value exponentially, such that data n
2570 samples old is multiplied by a^n. The exponential decay time constant p
2571 is defined such that data p samples old is multiplied by 1/e, which means
2572 that a = exp(-1/p). We can maintain the same time constant for a variable
2573 sampling interval i by using a = exp(-i/p).
2574
2575 The rate we are measuring is messages per period, suitable for directly
2576 comparing with the limit. The average rate between now and the previous
2577 message is period / interval, which we feed into the EWMA as the sample.
2578
2579 It turns out that the number of messages required for the smoothed rate
2580 to reach the limit when they are sent in a burst is equal to the limit.
2581 This can be seen by analysing the value of the smoothed rate after N
2582 messages sent at even intervals. Let k = (1 - a) * p/i
2583
2584 rate_1 = (1 - a) * p/i + a * rate_0
2585 = k + a * rate_0
2586 rate_2 = k + a * rate_1
2587 = k + a * k + a^2 * rate_0
2588 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2589 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2590 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2591 = rate_0 * a^N + p/i * (1 - a^N)
2592
2593 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2594
2595 rate_N = p/i + (rate_0 - p/i) * a^N
2596 a^N = (rate_N - p/i) / (rate_0 - p/i)
2597 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2598 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2599
2600 Numerical analysis of the above equation, setting the computed rate to
2601 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2602 rates, p/i, the number of messages N = limit. So limit serves as both the
2603 maximum rate measured in messages per period, and the maximum number of
2604 messages that can be sent in a fast burst. */
2605
2606 double this_time = (double)tv.tv_sec
2607 + (double)tv.tv_usec / 1000000.0;
2608 double prev_time = (double)dbd->time_stamp
2609 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2610
2611 /* We must avoid division by zero, and deal gracefully with the clock going
2612 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2613 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2614
e5d5a95f
TF		 2615 double interval = this_time - prev_time <= 0.0 ? 1e-9
2616 : this_time - prev_time;
2617
2618 double i_over_p = interval / period;
2619 double a = exp(-i_over_p);
870f6ba8 2620
c99ce5c9
TF		 2621 /* Combine the instantaneous rate (period / interval) with the previous rate
2622 using the smoothing factor a. In order to measure sized events, multiply the
2623 instantaneous rate by the count of bytes or recipients etc. */
2624
870f6ba8
TF		 2625 dbd->time_stamp = tv.tv_sec;
2626 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2627 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2628
2629 /* When events are very widely spaced the computed rate tends towards zero.
2630 Although this is accurate it turns out not to be useful for our purposes,
2631 especially when the first event after a long silence is the start of a spam
2632 run. A more useful model is that the rate for an isolated event should be the
2633 size of the event per the period size, ignoring the lack of events outside
2634 the current period and regardless of where the event falls in the period. So,
2635 if the interval was so long that the calculated rate is unhelpfully small, we
2636 re-intialize the rate. In the absence of higher-rate bursts, the condition
2637 below is true if the interval is greater than the period. */
2638
2639 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2640 }
2641
c99ce5c9
TF		 2642/* Clients sending at the limit are considered to be over the limit.
2643This matters for edge cases such as a limit of zero, when the client
2644should be completely blocked. */
3348576f 2645
8f240103 2646rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2647
2648/* Update the state if the rate is low or if we are being strict. If we
2649are in leaky mode and the sender's rate is too high, we do not update
2650the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2651rate preventing them from getting any email through. If readonly is set,
2652neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2653
c99ce5c9 2654if ((rc == FAIL && leaky) || strict)
8f240103 2655 {
c99ce5c9 2656 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2657 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2658 }
2659else
2660 {
2661 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2662 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2663 }
2664
870f6ba8
TF		 2665dbfn_close(dbm);
2666
c99ce5c9 2667/* Store the result in the tree for future reference. */
870f6ba8 2668
c99ce5c9
TF		 2669t = store_get(sizeof(tree_node) + Ustrlen(key));
2670t->data.ptr = dbd;
2671Ustrcpy(t->name, key);
2672(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2673
2674/* We create the formatted version of the sender's rate very late in
2675order to ensure that it is done using the correct storage pool. */
2676
2677store_pool = old_pool;
2678sender_rate = string_sprintf("%.1f", dbd->rate);
2679
2680HDEBUG(D_acl)
2681 debug_printf("ratelimit computed rate %s\n", sender_rate);
2682
2683return rc;
2684}
2685
2686
2687
059ec3d9
PH		 2688/*************************************************
2689* Handle conditions/modifiers on an ACL item *
2690*************************************************/
2691
2692/* Called from acl_check() below.
2693
2694Arguments:
2695 verb ACL verb
2696 cb ACL condition block - if NULL, result is OK
2697 where where called from
2698 addr the address being checked for RCPT, or NULL
2699 level the nesting level
2700 epp pointer to pass back TRUE if "endpass" encountered
2701 (applies only to "accept" and "discard")
2702 user_msgptr user message pointer
2703 log_msgptr log message pointer
2704 basic_errno pointer to where to put verify error
2705
2706Returns: OK - all conditions are met
2707 DISCARD - an "acl" condition returned DISCARD - only allowed
2708 for "accept" or "discard" verbs
2709 FAIL - at least one condition fails
2710 FAIL_DROP - an "acl" condition returned FAIL_DROP
2711 DEFER - can't tell at the moment (typically, lookup defer,
2712 but can be temporary callout problem)
2713 ERROR - ERROR from nested ACL or expansion failure or other
2714 error
2715*/
2716
2717static int
2718acl_check_condition(int verb, acl_condition_block *cb, int where,
2719 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2720 uschar **log_msgptr, int *basic_errno)
2721{
2722uschar *user_message = NULL;
2723uschar *log_message = NULL;
ed7f7860
PP		 2724uschar *debug_tag = NULL;
2725uschar *debug_opts = NULL;
91ecef39 2726uschar *p = NULL;
059ec3d9 2727int rc = OK;
8523533c
TK		 2728#ifdef WITH_CONTENT_SCAN
2729int sep = '/';
2730#endif
059ec3d9
PH		 2731
2732for (; cb != NULL; cb = cb->next)
2733 {
2734 uschar *arg;
8e669ac1 2735 int control_type;
059ec3d9
PH		 2736
2737 /* The message and log_message items set up messages to be used in
2738 case of rejection. They are expanded later. */
2739
2740 if (cb->type == ACLC_MESSAGE)
2741 {
2742 user_message = cb->arg;
2743 continue;
2744 }
2745
2746 if (cb->type == ACLC_LOG_MESSAGE)
2747 {
2748 log_message = cb->arg;
2749 continue;
2750 }
2751
2752 /* The endpass "condition" just sets a flag to show it occurred. This is
2753 checked at compile time to be on an "accept" or "discard" item. */
2754
2755 if (cb->type == ACLC_ENDPASS)
2756 {
2757 *epp = TRUE;
2758 continue;
2759 }
2760
2761 /* For other conditions and modifiers, the argument is expanded now for some
2762 of them, but not for all, because expansion happens down in some lower level
2763 checking functions in some cases. */
2764
2765 if (cond_expand_at_top[cb->type])
2766 {
2767 arg = expand_string(cb->arg);
2768 if (arg == NULL)
2769 {
2770 if (expand_string_forcedfail) continue;
2771 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2772 cb->arg, expand_string_message);
2773 return search_find_defer? DEFER : ERROR;
2774 }
2775 }
2776 else arg = cb->arg;
2777
2778 /* Show condition, and expanded condition if it's different */
2779
2780 HDEBUG(D_acl)
2781 {
2782 int lhswidth = 0;
2783 debug_printf("check %s%s %n",
2784 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2785 conditions[cb->type], &lhswidth);
2786
2787 if (cb->type == ACLC_SET)
2788 {
38a0a95f
PH		 2789 debug_printf("acl_%s ", cb->u.varname);
2790 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2791 }
2792
2793 debug_printf("= %s\n", cb->arg);
2794
2795 if (arg != cb->arg)
2796 debug_printf("%.*s= %s\n", lhswidth,
2797 US" ", CS arg);
2798 }
2799
2800 /* Check that this condition makes sense at this time */
2801
2802 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2803 {
2804 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2805 cond_modifiers[cb->type]? "use" : "test",
2806 conditions[cb->type], acl_wherenames[where]);
2807 return ERROR;
2808 }
2809
2810 /* Run the appropriate test for each condition, or take the appropriate
2811 action for the remaining modifiers. */
2812
2813 switch(cb->type)
2814 {
71fafd95
PH		 2815 case ACLC_ADD_HEADER:
2816 setup_header(arg);
2817 break;
2818
059ec3d9
PH		 2819 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2820 "discard" verb. */
71fafd95 2821
059ec3d9 2822 case ACLC_ACL:
f60d98e8 2823 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 2824 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2825 {
2826 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2827 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2828 verbs[verb]);
2829 return ERROR;
2830 }
059ec3d9
PH		 2831 break;
2832
2833 case ACLC_AUTHENTICATED:
2834 rc = (sender_host_authenticated == NULL)? FAIL :
2835 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2836 TRUE, NULL);
2837 break;
2838
71fafd95 2839 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2840 case ACLC_BMI_OPTIN:
2841 {
2842 int old_pool = store_pool;
2843 store_pool = POOL_PERM;
2844 bmi_current_optin = string_copy(arg);
2845 store_pool = old_pool;
2846 }
2847 break;
71fafd95 2848 #endif
8523533c 2849
059ec3d9 2850 case ACLC_CONDITION:
f3766eb5
NM		 2851 /* The true/false parsing here should be kept in sync with that used in
2852 expand.c when dealing with ECOND_BOOL so that we don't have too many
2853 different definitions of what can be a boolean. */
059ec3d9
PH		 2854 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2855 rc = (Uatoi(arg) == 0)? FAIL : OK;
2856 else
2857 rc = (strcmpic(arg, US"no") == 0 ||
2858 strcmpic(arg, US"false") == 0)? FAIL :
2859 (strcmpic(arg, US"yes") == 0 ||
2860 strcmpic(arg, US"true") == 0)? OK : DEFER;
2861 if (rc == DEFER)
2862 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2863 break;
2864
c3611384
PH		 2865 case ACLC_CONTINUE: /* Always succeeds */
2866 break;
2867
059ec3d9 2868 case ACLC_CONTROL:
c5fcb476
PH		 2869 control_type = decode_control(arg, &p, where, log_msgptr);
2870
8523533c 2871 /* Check if this control makes sense at this time */
c5fcb476
PH		 2872
2873 if ((control_forbids[control_type] & (1 << where)) != 0)
2874 {
2875 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2876 controls[control_type], acl_wherenames[where]);
2877 return ERROR;
8e669ac1 2878 }
c5fcb476
PH		 2879
2880 switch(control_type)
059ec3d9 2881 {
c46782ef
PH		 2882 case CONTROL_AUTH_UNADVERTISED:
2883 allow_auth_unadvertised = TRUE;
2884 break;
2885
2886 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2887 case CONTROL_BMI_RUN:
2888 bmi_run = 1;
2889 break;
c46782ef
PH		 2890 #endif
2891
80a47a2c 2892 #ifndef DISABLE_DKIM
f7572e5a 2893 case CONTROL_DKIM_VERIFY:
80a47a2c 2894 dkim_disable_verify = TRUE;
f7572e5a
TK		 2895 break;
2896 #endif
2897
13363eba
PP		 2898 case CONTROL_DSCP:
2899 if (*p == '/')
2900 {
2901 int fd, af, level, optname, value;
2902 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2903 a socket; we can accept that, we'll just debug-log failures anyway. */
2904 fd = fileno(smtp_in);
2905 af = ip_get_address_family(fd);
2906 if (af < 0)
2907 {
2908 HDEBUG(D_acl)
2909 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2910 strerror(errno));
2911 break;
2912 }
2913 if (dscp_lookup(p+1, af, &level, &optname, &value))
2914 {
2915 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2916 {
2917 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2918 p+1, strerror(errno));
2919 }
2920 else
2921 {
2922 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2923 }
2924 }
2925 else
2926 {
2927 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2928 return ERROR;
2929 }
2930 }
2931 else
2932 {
2933 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2934 return ERROR;
2935 }
2936 break;
2937
059ec3d9
PH		 2938 case CONTROL_ERROR:
2939 return ERROR;
2940
2941 case CONTROL_CASEFUL_LOCAL_PART:
2942 deliver_localpart = addr->cc_local_part;
2943 break;
2944
2945 case CONTROL_CASELOWER_LOCAL_PART:
2946 deliver_localpart = addr->lc_local_part;
2947 break;
2948
2949 case CONTROL_ENFORCE_SYNC:
2950 smtp_enforce_sync = TRUE;
2951 break;
2952
2953 case CONTROL_NO_ENFORCE_SYNC:
2954 smtp_enforce_sync = FALSE;
2955 break;
2956
c46782ef 2957 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2958 case CONTROL_NO_MBOX_UNSPOOL:
2959 no_mbox_unspool = TRUE;
2960 break;
c46782ef 2961 #endif
8523533c 2962
059ec3d9
PH		 2963 case CONTROL_NO_MULTILINE:
2964 no_multiline_responses = TRUE;
2965 break;
2966
cf8b11a5
PH		 2967 case CONTROL_NO_PIPELINING:
2968 pipelining_enable = FALSE;
2969 break;
2970
047bdd8c
PH		 2971 case CONTROL_NO_DELAY_FLUSH:
2972 disable_delay_flush = TRUE;
2973 break;
2974
4c590bd1
PH		 2975 case CONTROL_NO_CALLOUT_FLUSH:
2976 disable_callout_flush = TRUE;
2977 break;
2978
29aba418 2979 case CONTROL_FAKEDEFER:
8523533c 2980 case CONTROL_FAKEREJECT:
29aba418 2981 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2982 if (*p == '/')
8e669ac1 2983 {
8523533c 2984 uschar *pp = p + 1;
8e669ac1 2985 while (*pp != 0) pp++;
29aba418 2986 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2987 p = pp;
2988 }
2989 else
2990 {
2991 /* Explicitly reset to default string */
29aba418 2992 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2993 }
2994 break;
8523533c 2995
059ec3d9
PH		 2996 case CONTROL_FREEZE:
2997 deliver_freeze = TRUE;
2998 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2999 freeze_tell = freeze_tell_config; /* Reset to configured value */
3000 if (Ustrncmp(p, "/no_tell", 8) == 0)
3001 {
3002 p += 8;
3003 freeze_tell = NULL;
3004 }
3005 if (*p != 0)
3006 {
3007 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3008 return ERROR;
3009 }
059ec3d9
PH		 3010 break;
3011
3012 case CONTROL_QUEUE_ONLY:
3013 queue_only_policy = TRUE;
3014 break;
3015
3016 case CONTROL_SUBMISSION:
87ba3f5f 3017 originator_name = US"";
059ec3d9 3018 submission_mode = TRUE;
69358f02 3019 while (*p == '/')
8e669ac1 3020 {
69358f02
PH		 3021 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3022 {
3023 p += 14;
3024 active_local_sender_retain = TRUE;
8e669ac1
PH		 3025 active_local_from_check = FALSE;
3026 }
69358f02
PH		 3027 else if (Ustrncmp(p, "/domain=", 8) == 0)
3028 {
3029 uschar *pp = p + 8;
8e669ac1 3030 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 3031 submission_domain = string_copyn(p+8, pp-p-8);
3032 p = pp;
3033 }
8857ccfd
PH		 3034 /* The name= option must be last, because it swallows the rest of
3035 the string. */
87ba3f5f
PH		 3036 else if (Ustrncmp(p, "/name=", 6) == 0)
3037 {
3038 uschar *pp = p + 6;
8857ccfd 3039 while (*pp != 0) pp++;
2fe1a124 3040 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3041 big_buffer, big_buffer_size));
8e669ac1 3042 p = pp;
69358f02 3043 }
8e669ac1
PH		 3044 else break;
3045 }
69358f02 3046 if (*p != 0)
059ec3d9 3047 {
69358f02 3048 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3049 return ERROR;
3050 }
3051 break;
8800895a 3052
ed7f7860
PP		 3053 case CONTROL_DEBUG:
3054 while (*p == '/')
3055 {
3056 if (Ustrncmp(p, "/tag=", 5) == 0)
3057 {
3058 uschar *pp = p + 5;
3059 while (*pp != '\0' && *pp != '/') pp++;
3060 debug_tag = string_copyn(p+5, pp-p-5);
3061 p = pp;
3062 }
3063 else if (Ustrncmp(p, "/opts=", 6) == 0)
3064 {
3065 uschar *pp = p + 6;
3066 while (*pp != '\0' && *pp != '/') pp++;
3067 debug_opts = string_copyn(p+6, pp-p-6);
3068 p = pp;
3069 }
3070 }
3071 debug_logging_activate(debug_tag, debug_opts);
3072 break;
3073
8800895a
PH		 3074 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3075 suppress_local_fixups = TRUE;
3076 break;
e4bdf652
JH		 3077
3078 case CONTROL_CUTTHROUGH_DELIVERY:
3079 if (deliver_freeze)
3080 {
3081 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3082 return ERROR;
3083 }
3084 if (queue_only_policy)
3085 {
3086 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3087 return ERROR;
3088 }
3089 cutthrough_delivery = TRUE;
3090 break;
059ec3d9
PH		 3091 }
3092 break;
3093
6a8f9482
TK		 3094 #ifdef EXPERIMENTAL_DCC
3095 case ACLC_DCC:
3096 {
3097 /* Seperate the regular expression and any optional parameters. */
3098 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3099 /* Run the dcc backend. */
3100 rc = dcc_process(&ss);
3101 /* Modify return code based upon the existance of options. */
3102 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3103 != NULL) {
3104 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3105 {
3106 /* FAIL so that the message is passed to the next ACL */
3107 rc = FAIL;
3108 }
3109 }
3110 }
3111 break;
3112 #endif
3113
71fafd95 3114 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3115 case ACLC_DECODE:
3116 rc = mime_decode(&arg);
3117 break;
71fafd95 3118 #endif
8523533c 3119
059ec3d9
PH		 3120 case ACLC_DELAY:
3121 {
3122 int delay = readconf_readtime(arg, 0, FALSE);
3123 if (delay < 0)
3124 {
3125 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3126 "modifier: \"%s\" is not a time value", arg);
3127 return ERROR;
3128 }
3129 else
3130 {
3131 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3132 delay);
3133 if (host_checking)
3134 {
3135 HDEBUG(D_acl)
3136 debug_printf("delay skipped in -bh checking mode\n");
3137 }
010c2d14
PH		 3138
3139 /* It appears to be impossible to detect that a TCP/IP connection has
3140 gone away without reading from it. This means that we cannot shorten
3141 the delay below if the client goes away, because we cannot discover
3142 that the client has closed its end of the connection. (The connection
3143 is actually in a half-closed state, waiting for the server to close its
3144 end.) It would be nice to be able to detect this state, so that the
3145 Exim process is not held up unnecessarily. However, it seems that we
3146 can't. The poll() function does not do the right thing, and in any case
3147 it is not always available.
3148
047bdd8c 3149 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3150 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3151 Also, delays may be specified for non-SMTP input, where smtp_out and
3152 smtp_in will be NULL. Whatever is done must work in all cases.
3153
3154 NOTE 2: The added feature of flushing the output before a delay must
3155 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3156 */
010c2d14 3157
8e669ac1 3158 else
86b8287f 3159 {
14f4a80d 3160 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3161 while (delay > 0) delay = sleep(delay);
8e669ac1 3162 }
059ec3d9
PH		 3163 }
3164 }
3165 break;
3166
71fafd95 3167 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3168 case ACLC_DEMIME:
3169 rc = demime(&arg);
3170 break;
71fafd95 3171 #endif
8523533c 3172
80a47a2c
TK		 3173 #ifndef DISABLE_DKIM
3174 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3175 if (dkim_cur_signer != NULL)
3176 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3177 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3178 else
80a47a2c 3179 rc = FAIL;
71fafd95
PH		 3180 break;
3181
80a47a2c
TK		 3182 case ACLC_DKIM_STATUS:
3183 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3184 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3185 break;
3186 #endif
fb2274d4 3187
059ec3d9
PH		 3188 case ACLC_DNSLISTS:
3189 rc = verify_check_dnsbl(&arg);
3190 break;
3191
3192 case ACLC_DOMAINS:
3193 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3194 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3195 break;
3196
3197 /* The value in tls_cipher is the full cipher name, for example,
3198 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3199 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3200 what may in practice come out of the SSL library - which at the time of
3201 writing is poorly documented. */
3202
3203 case ACLC_ENCRYPTED:
817d9f57 3204 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3205 {
3206 uschar *endcipher = NULL;
817d9f57
JH		 3207 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3208 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3209 {
3210 endcipher = Ustrchr(++cipher, ':');
3211 if (endcipher != NULL) *endcipher = 0;
3212 }
3213 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3214 if (endcipher != NULL) *endcipher = ':';
3215 }
3216 break;
3217
3218 /* Use verify_check_this_host() instead of verify_check_host() so that
3219 we can pass over &host_data to catch any looked up data. Once it has been
3220 set, it retains its value so that it's still there if another ACL verb
3221 comes through here and uses the cache. However, we must put it into
3222 permanent store in case it is also expected to be used in a subsequent
3223 message in the same SMTP connection. */
3224
3225 case ACLC_HOSTS:
3226 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3227 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3228 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3229 break;
3230
3231 case ACLC_LOCAL_PARTS:
3232 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3233 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3234 &deliver_localpart_data);
3235 break;
3236
6ea85e9a
PH		 3237 case ACLC_LOG_REJECT_TARGET:
3238 {
3239 int logbits = 0;
3240 int sep = 0;
3241 uschar *s = arg;
3242 uschar *ss;
3243 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3244 != NULL)
3245 {
3246 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3247 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3248 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3249 else
3250 {
3251 logbits |= LOG_MAIN|LOG_REJECT;
3252 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3253 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3254 }
3255 }
3256 log_reject_target = logbits;
3257 }
3258 break;
3259
059ec3d9
PH		 3260 case ACLC_LOGWRITE:
3261 {
3262 int logbits = 0;
3263 uschar *s = arg;
3264 if (*s == ':')
3265 {
3266 s++;
3267 while (*s != ':')
3268 {
3269 if (Ustrncmp(s, "main", 4) == 0)
3270 { logbits |= LOG_MAIN; s += 4; }
3271 else if (Ustrncmp(s, "panic", 5) == 0)
3272 { logbits |= LOG_PANIC; s += 5; }
3273 else if (Ustrncmp(s, "reject", 6) == 0)
3274 { logbits |= LOG_REJECT; s += 6; }
3275 else
3276 {
3277 logbits = LOG_MAIN|LOG_PANIC;
3278 s = string_sprintf(":unknown log name in \"%s\" in "
3279 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3280 }
3281 if (*s == ',') s++;
3282 }
3283 s++;
3284 }
3285 while (isspace(*s)) s++;
6ea85e9a
PH		 3286
3287
059ec3d9
PH		 3288 if (logbits == 0) logbits = LOG_MAIN;
3289 log_write(0, logbits, "%s", string_printing(s));
3290 }
3291 break;
8e669ac1 3292
71fafd95 3293 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3294 case ACLC_MALWARE:
3295 {
6ea85e9a 3296 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3297 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3298 /* Run the malware backend. */
3299 rc = malware(&ss);
3300 /* Modify return code based upon the existance of options. */
3301 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3302 != NULL) {
3303 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3304 {
3305 /* FAIL so that the message is passed to the next ACL */
3306 rc = FAIL;
3307 }
3308 }
3309 }
3310 break;
3311
3312 case ACLC_MIME_REGEX:
71fafd95 3313 rc = mime_regex(&arg);
8523533c 3314 break;
71fafd95 3315 #endif
059ec3d9 3316
870f6ba8 3317 case ACLC_RATELIMIT:
90fc3069 3318 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3319 break;
3320
059ec3d9
PH		 3321 case ACLC_RECIPIENTS:
3322 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3323 &recipient_data);
3324 break;
3325
71fafd95
PH		 3326 #ifdef WITH_CONTENT_SCAN
3327 case ACLC_REGEX:
3328 rc = regex(&arg);
8523533c 3329 break;
71fafd95 3330 #endif
8523533c 3331
e7568d51
TL		 3332 case ACLC_REMOVE_HEADER:
3333 setup_remove_header(arg);
3334 break;
3335
059ec3d9
PH		 3336 case ACLC_SENDER_DOMAINS:
3337 {
3338 uschar *sdomain;
3339 sdomain = Ustrrchr(sender_address, '@');
3340 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3341 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3342 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3343 }
3344 break;
3345
3346 case ACLC_SENDERS:
3347 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3348 sender_address_cache, -1, 0, &sender_data);
3349 break;
3350
3351 /* Connection variables must persist forever */
3352
3353 case ACLC_SET:
3354 {
3355 int old_pool = store_pool;
38a0a95f
PH		 3356 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3357 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3358 store_pool = old_pool;
3359 }
3360 break;
3361
71fafd95 3362 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3363 case ACLC_SPAM:
3364 {
3365 /* Seperate the regular expression and any optional parameters. */
3366 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3367 /* Run the spam backend. */
3368 rc = spam(&ss);
3369 /* Modify return code based upon the existance of options. */
3370 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3371 != NULL) {
3372 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3373 {
3374 /* FAIL so that the message is passed to the next ACL */
3375 rc = FAIL;
3376 }
3377 }
3378 }
3379 break;
71fafd95 3380 #endif
8523533c 3381
71fafd95 3382 #ifdef EXPERIMENTAL_SPF
8523533c 3383 case ACLC_SPF:
65a7d8c3
NM		 3384 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3385 break;
3386 case ACLC_SPF_GUESS:
3387 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3388 break;
71fafd95 3389 #endif
8523533c 3390
059ec3d9
PH		 3391 /* If the verb is WARN, discard any user message from verification, because
3392 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3393 only from explicit "message" modifiers. However, put the user message into
3394 $acl_verify_message so it can be used in subsequent conditions or modifiers
3395 (until something changes it). */
059ec3d9
PH		 3396
3397 case ACLC_VERIFY:
3398 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3399 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3400 if (verb == ACL_WARN) *user_msgptr = NULL;
3401 break;
3402
3403 default:
3404 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3405 "condition %d", cb->type);
3406 break;
3407 }
3408
3409 /* If a condition was negated, invert OK/FAIL. */
3410
3411 if (!cond_modifiers[cb->type] && cb->u.negated)
3412 {
3413 if (rc == OK) rc = FAIL;
3414 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3415 }
3416
3417 if (rc != OK) break; /* Conditions loop */
3418 }
3419
3420
3421/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3422handle the values of these modifiers. If there isn't a log message set, we make
3423it the same as the user message.
059ec3d9
PH		 3424
3425"message" is a user message that will be included in an SMTP response. Unless
3426it is empty, it overrides any previously set user message.
3427
3428"log_message" is a non-user message, and it adds to any existing non-user
3429message that is already set.
3430
4e88a19f
PH		 3431Most verbs have but a single return for which the messages are relevant, but
3432for "discard", it's useful to have the log message both when it succeeds and
3433when it fails. For "accept", the message is used in the OK case if there is no
3434"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3435present. */
059ec3d9 3436
4e88a19f
PH		 3437if (*epp && rc == OK) user_message = NULL;
3438
3439if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3440 {
3441 uschar *expmessage;
4e88a19f
PH		 3442 uschar *old_user_msgptr = *user_msgptr;
3443 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3444
3445 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3446 nested ACLs) are always discarded. This also happens for acceptance verbs
3447 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3448 However, the value of an existing message is available in $acl_verify_message
3449 during expansions. */
3450
4e88a19f
PH		 3451 if (verb == ACL_WARN ||
3452 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3453 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3454
3455 if (user_message != NULL)
3456 {
3457 acl_verify_message = old_user_msgptr;
3458 expmessage = expand_string(user_message);
3459 if (expmessage == NULL)
3460 {
3461 if (!expand_string_forcedfail)
3462 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3463 user_message, expand_string_message);
3464 }
3465 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3466 }
3467
3468 if (log_message != NULL)
3469 {
3470 acl_verify_message = old_log_msgptr;
3471 expmessage = expand_string(log_message);
3472 if (expmessage == NULL)
3473 {
3474 if (!expand_string_forcedfail)
3475 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3476 log_message, expand_string_message);
3477 }
3478 else if (expmessage[0] != 0)
3479 {
3480 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3481 string_sprintf("%s: %s", expmessage, *log_msgptr);
3482 }
3483 }
3484
3485 /* If no log message, default it to the user message */
3486
3487 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3488 }
3489
3490acl_verify_message = NULL;
3491return rc;
3492}
3493
3494
3495
3496
3497
3498/*************************************************
3499* Get line from a literal ACL *
3500*************************************************/
3501
3502/* This function is passed to acl_read() in order to extract individual lines
3503of a literal ACL, which we access via static pointers. We can destroy the
3504contents because this is called only once (the compiled ACL is remembered).
3505
3506This code is intended to treat the data in the same way as lines in the main
3507Exim configuration file. That is:
3508
3509 . Leading spaces are ignored.
3510
3511 . A \ at the end of a line is a continuation - trailing spaces after the \
3512 are permitted (this is because I don't believe in making invisible things
3513 significant). Leading spaces on the continued part of a line are ignored.
3514
3515 . Physical lines starting (significantly) with # are totally ignored, and
3516 may appear within a sequence of backslash-continued lines.
3517
3518 . Blank lines are ignored, but will end a sequence of continuations.
3519
3520Arguments: none
3521Returns: a pointer to the next line
3522*/
3523
3524
3525static uschar *acl_text; /* Current pointer in the text */
3526static uschar *acl_text_end; /* Points one past the terminating '0' */
3527
3528
3529static uschar *
3530acl_getline(void)
3531{
3532uschar *yield;
3533
3534/* This loop handles leading blank lines and comments. */
3535
3536for(;;)
3537 {
3538 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3539 if (*acl_text == 0) return NULL; /* No more data */
3540 yield = acl_text; /* Potential data line */
3541
3542 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3543
3544 /* If we hit the end before a newline, we have the whole logical line. If
3545 it's a comment, there's no more data to be given. Otherwise, yield it. */
3546
3547 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3548
3549 /* After reaching a newline, end this loop if the physical line does not
3550 start with '#'. If it does, it's a comment, and the loop continues. */
3551
3552 if (*yield != '#') break;
3553 }
3554
3555/* This loop handles continuations. We know we have some real data, ending in
3556newline. See if there is a continuation marker at the end (ignoring trailing
3557white space). We know that *yield is not white space, so no need to test for
3558cont > yield in the backwards scanning loop. */
3559
3560for(;;)
3561 {
3562 uschar *cont;
3563 for (cont = acl_text - 1; isspace(*cont); cont--);
3564
3565 /* If no continuation follows, we are done. Mark the end of the line and
3566 return it. */
3567
3568 if (*cont != '\\')
3569 {
3570 *acl_text++ = 0;
3571 return yield;
3572 }
3573
3574 /* We have encountered a continuation. Skip over whitespace at the start of
3575 the next line, and indeed the whole of the next line or lines if they are
3576 comment lines. */
3577
3578 for (;;)
3579 {
3580 while (*(++acl_text) == ' ' || *acl_text == '\t');
3581 if (*acl_text != '#') break;
3582 while (*(++acl_text) != 0 && *acl_text != '\n');
3583 }
3584
3585 /* We have the start of a continuation line. Move all the rest of the data
3586 to join onto the previous line, and then find its end. If the end is not a
3587 newline, we are done. Otherwise loop to look for another continuation. */
3588
3589 memmove(cont, acl_text, acl_text_end - acl_text);
3590 acl_text_end -= acl_text - cont;
3591 acl_text = cont;
3592 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3593 if (*acl_text == 0) return yield;
3594 }
3595
3596/* Control does not reach here */
3597}
3598
3599
3600
3601
3602
3603/*************************************************
3604* Check access using an ACL *
3605*************************************************/
3606
3607/* This function is called from address_check. It may recurse via
3608acl_check_condition() - hence the use of a level to stop looping. The ACL is
3609passed as a string which is expanded. A forced failure implies no access check
3610is required. If the result is a single word, it is taken as the name of an ACL
3611which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3612text, complete with newlines, and parsed as such. In both cases, the ACL check
3613is then run. This function uses an auxiliary function for acl_read() to call
3614for reading individual lines of a literal ACL. This is acl_getline(), which
3615appears immediately above.
3616
3617Arguments:
3618 where where called from
3619 addr address item when called from RCPT; otherwise NULL
3620 s the input string; NULL is the same as an empty ACL => DENY
3621 level the nesting level
3622 user_msgptr where to put a user error (for SMTP response)
3623 log_msgptr where to put a logging message (not for SMTP response)
3624
3625Returns: OK access is granted
3626 DISCARD access is apparently granted...
3627 FAIL access is denied
3628 FAIL_DROP access is denied; drop the connection
3629 DEFER can't tell at the moment
3630 ERROR disaster
3631*/
3632
3633static int
3634acl_check_internal(int where, address_item *addr, uschar *s, int level,
3635 uschar **user_msgptr, uschar **log_msgptr)
3636{
3637int fd = -1;
3638acl_block *acl = NULL;
3639uschar *acl_name = US"inline ACL";
3640uschar *ss;
3641
3642/* Catch configuration loops */
3643
3644if (level > 20)
3645 {
3646 *log_msgptr = US"ACL nested too deep: possible loop";
3647 return ERROR;
3648 }
3649
3650if (s == NULL)
3651 {
3652 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3653 return FAIL;
3654 }
3655
3656/* At top level, we expand the incoming string. At lower levels, it has already
3657been expanded as part of condition processing. */
3658
3659if (level == 0)
3660 {
3661 ss = expand_string(s);
3662 if (ss == NULL)
3663 {
3664 if (expand_string_forcedfail) return OK;
3665 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3666 expand_string_message);
3667 return ERROR;
3668 }
3669 }
3670else ss = s;
3671
3672while (isspace(*ss))ss++;
3673
3674/* If we can't find a named ACL, the default is to parse it as an inline one.
3675(Unless it begins with a slash; non-existent files give rise to an error.) */
3676
3677acl_text = ss;
3678
3679/* Handle the case of a string that does not contain any spaces. Look for a
3680named ACL among those read from the configuration, or a previously read file.
3681It is possible that the pointer to the ACL is NULL if the configuration
3682contains a name with no data. If not found, and the text begins with '/',
3683read an ACL from a file, and save it so it can be re-used. */
3684
3685if (Ustrchr(ss, ' ') == NULL)
3686 {
3687 tree_node *t = tree_search(acl_anchor, ss);
3688 if (t != NULL)
3689 {
3690 acl = (acl_block *)(t->data.ptr);
3691 if (acl == NULL)
3692 {
3693 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3694 return FAIL;
3695 }
3696 acl_name = string_sprintf("ACL \"%s\"", ss);
3697 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3698 }
3699
3700 else if (*ss == '/')
3701 {
3702 struct stat statbuf;
3703 fd = Uopen(ss, O_RDONLY, 0);
3704 if (fd < 0)
3705 {
3706 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3707 strerror(errno));
3708 return ERROR;
3709 }
3710
3711 if (fstat(fd, &statbuf) != 0)
3712 {
3713 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3714 strerror(errno));
3715 return ERROR;
3716 }
3717
3718 acl_text = store_get(statbuf.st_size + 1);
3719 acl_text_end = acl_text + statbuf.st_size + 1;
3720
3721 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3722 {
3723 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3724 ss, strerror(errno));
3725 return ERROR;
3726 }
3727 acl_text[statbuf.st_size] = 0;
f1e894f3 3728 (void)close(fd);
059ec3d9
PH		 3729
3730 acl_name = string_sprintf("ACL \"%s\"", ss);
3731 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3732 }
3733 }
3734
3735/* Parse an ACL that is still in text form. If it came from a file, remember it
3736in the ACL tree, having read it into the POOL_PERM store pool so that it
3737persists between multiple messages. */
3738
3739if (acl == NULL)
3740 {
3741 int old_pool = store_pool;
3742 if (fd >= 0) store_pool = POOL_PERM;
3743 acl = acl_read(acl_getline, log_msgptr);
3744 store_pool = old_pool;
3745 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3746 if (fd >= 0)
3747 {
3748 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3749 Ustrcpy(t->name, ss);
3750 t->data.ptr = acl;
3751 (void)tree_insertnode(&acl_anchor, t);
3752 }
3753 }
3754
3755/* Now we have an ACL to use. It's possible it may be NULL. */
3756
3757while (acl != NULL)
3758 {
3759 int cond;
3760 int basic_errno = 0;
3761 BOOL endpass_seen = FALSE;
3762
3763 *log_msgptr = *user_msgptr = NULL;
3764 acl_temp_details = FALSE;
3765
7353285c 3766 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3767 acl->verb != ACL_ACCEPT &&
3768 acl->verb != ACL_WARN)
3769 {
7353285c 3770 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3771 verbs[acl->verb]);
3772 return ERROR;
3773 }
3774
3775 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3776
3777 /* Clear out any search error message from a previous check before testing
3778 this condition. */
3779
3780 search_error_message = NULL;
3781 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3782 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3783
3784 /* Handle special returns: DEFER causes a return except on a WARN verb;
3785 ERROR always causes a return. */
3786
3787 switch (cond)
3788 {
3789 case DEFER:
6968512f 3790 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3791 if (basic_errno != ERRNO_CALLOUTDEFER)
3792 {
3793 if (search_error_message != NULL && *search_error_message != 0)
3794 *log_msgptr = search_error_message;
3795 if (smtp_return_error_details) acl_temp_details = TRUE;
3796 }
3797 else
3798 {
3799 acl_temp_details = TRUE;
3800 }
3801 if (acl->verb != ACL_WARN) return DEFER;
3802 break;
3803
3804 default: /* Paranoia */
3805 case ERROR:
6968512f 3806 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3807 return ERROR;
3808
3809 case OK:
6968512f
JH		 3810 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3811 verbs[acl->verb], acl_name);
059ec3d9
PH		 3812 break;
3813
3814 case FAIL:
6968512f 3815 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3816 break;
3817
3818 /* DISCARD and DROP can happen only from a nested ACL condition, and
3819 DISCARD can happen only for an "accept" or "discard" verb. */
3820
3821 case DISCARD:
6968512f
JH		 3822 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3823 verbs[acl->verb], acl_name);
059ec3d9
PH		 3824 break;
3825
3826 case FAIL_DROP:
6968512f
JH		 3827 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3828 verbs[acl->verb], acl_name);
059ec3d9
PH		 3829 break;
3830 }
3831
3832 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3833 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3834 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3835
3836 switch(acl->verb)
3837 {
3838 case ACL_ACCEPT:
3839 if (cond == OK || cond == DISCARD) return cond;
3840 if (endpass_seen)
3841 {
3842 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3843 return cond;
3844 }
3845 break;
3846
3847 case ACL_DEFER:
3848 if (cond == OK)
3849 {
3850 acl_temp_details = TRUE;
3851 return DEFER;
3852 }
3853 break;
3854
3855 case ACL_DENY:
3856 if (cond == OK) return FAIL;
3857 break;
3858
3859 case ACL_DISCARD:
3860 if (cond == OK || cond == DISCARD) return DISCARD;
3861 if (endpass_seen)
3862 {
3863 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3864 return cond;
3865 }
3866 break;
3867
3868 case ACL_DROP:
3869 if (cond == OK) return FAIL_DROP;
3870 break;
3871
3872 case ACL_REQUIRE:
3873 if (cond != OK) return cond;
3874 break;
3875
3876 case ACL_WARN:
3877 if (cond == OK)
3878 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3879 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3880 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3881 "condition test deferred%s%s", host_and_ident(TRUE),
3882 (*log_msgptr == NULL)? US"" : US": ",
3883 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3884 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3885 break;
3886
3887 default:
3888 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3889 acl->verb);
3890 break;
3891 }
3892
3893 /* Pass to the next ACL item */
3894
3895 acl = acl->next;
3896 }
3897
3898/* We have reached the end of the ACL. This is an implicit DENY. */
3899
3900HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3901return FAIL;
3902}
3903
3904
333eea9c
JH		 3905
3906
3907/* Same args as acl_check_internal() above, but the string s is
3908the name of an ACL followed optionally by up to 9 space-separated arguments.
3909The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8
JH		 3910static int
3911acl_check_wargs(int where, address_item *addr, uschar *s, int level,
333eea9c
JH		 3912 uschar **user_msgptr, uschar **log_msgptr)
3913{
3914uschar * tmp;
bef3ea7f 3915uschar * tmp_arg[9]; /* must match acl_arg[] */
333eea9c 3916uschar * name;
bef3ea7f 3917int i;
333eea9c
JH		 3918
3919if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
3920 goto bad;
3921
bef3ea7f 3922for (i = 0; i < 9; i++)
333eea9c
JH		 3923 {
3924 while (*s && isspace(*s)) s++;
3925 if (!*s) break;
bef3ea7f 3926 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 3927 {
3928 tmp = name;
3929 goto bad;
3930 }
3931 }
bef3ea7f
JH		 3932acl_narg = i;
3933for (i = 0; i < acl_narg; i++) acl_arg[i] = tmp_arg[i];
3934while (i < 9) acl_arg[i++] = NULL;
333eea9c 3935
bef3ea7f 3936return acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c
JH		 3937
3938bad:
3939if (expand_string_forcedfail) return ERROR;
3940*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3941 tmp, expand_string_message);
3942return search_find_defer?DEFER:ERROR;
3943}
3944
3945
3946
059ec3d9
PH		 3947/*************************************************
3948* Check access using an ACL *
3949*************************************************/
3950
3951/* This is the external interface for ACL checks. It sets up an address and the
3952expansions for $domain and $local_part when called after RCPT, then calls
3953acl_check_internal() to do the actual work.
3954
3955Arguments:
3956 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3957 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3958 s the input string; NULL is the same as an empty ACL => DENY
3959 user_msgptr where to put a user error (for SMTP response)
3960 log_msgptr where to put a logging message (not for SMTP response)
3961
3962Returns: OK access is granted by an ACCEPT verb
3963 DISCARD access is granted by a DISCARD verb
3964 FAIL access is denied
3965 FAIL_DROP access is denied; drop the connection
3966 DEFER can't tell at the moment
3967 ERROR disaster
3968*/
3969
3970int
64ffc24f 3971acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3972 uschar **log_msgptr)
3973{
3974int rc;
3975address_item adb;
64ffc24f 3976address_item *addr = NULL;
059ec3d9
PH		 3977
3978*user_msgptr = *log_msgptr = NULL;
3979sender_verified_failed = NULL;
fe0dab11 3980ratelimiters_cmd = NULL;
6ea85e9a 3981log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3982
3983if (where == ACL_WHERE_RCPT)
3984 {
3985 adb = address_defaults;
3986 addr = &adb;
64ffc24f 3987 addr->address = recipient;
059ec3d9
PH		 3988 if (deliver_split_address(addr) == DEFER)
3989 {
3990 *log_msgptr = US"defer in percent_hack_domains check";
3991 return DEFER;
3992 }
3993 deliver_domain = addr->domain;
3994 deliver_localpart = addr->local_part;
3995 }
059ec3d9
PH		 3996
3997rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3998
817d9f57
JH		 3999/* Cutthrough - if requested,
4000and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4001and rcpt acl returned accept,
4002and first recipient (cancel on any subsequents)
e4bdf652 4003open one now and run it up to RCPT acceptance.
e4bdf652 4004A failed verify should cancel cutthrough request.
e4bdf652 4005
817d9f57 4006Initial implementation: dual-write to spool.
e4bdf652
JH		 4007Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4008
4009Cease cutthrough copy on rxd final dot; do not send one.
4010
4011On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4012
4013On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4014perm-rejected, reflect that to the original sender - and dump the spooled copy.
4015If temp-reject, close the conn (and keep the spooled copy).
4016If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4017*/
4018switch (where)
4019{
4020case ACL_WHERE_RCPT:
4021 if( rcpt_count > 1 )
2e5b33cd 4022 cancel_cutthrough_connection("more than one recipient");
e4bdf652
JH		 4023 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4024 open_cutthrough_connection(addr);
4025 break;
4026
4027case ACL_WHERE_PREDATA:
4028 if( rc == OK )
4029 cutthrough_predata();
4030 else
2e5b33cd 4031 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 4032 break;
4033
4034case ACL_WHERE_QUIT:
4035case ACL_WHERE_NOTQUIT:
2e5b33cd 4036 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 4037 break;
4038
4039default:
4040 break;
4041}
4042
64ffc24f
PH		 4043deliver_domain = deliver_localpart = deliver_address_data =
4044 sender_address_data = NULL;
059ec3d9
PH		 4045
4046/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4047ACL, which is really in the middle of an SMTP command. */
4048
4049if (rc == DISCARD)
4050 {
4051 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4052 {
4053 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4054 "ACL", acl_wherenames[where]);
4055 return ERROR;
4056 }
4057 return DISCARD;
4058 }
4059
4060/* A DROP response is not permitted from MAILAUTH */
4061
4062if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4063 {
4064 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4065 "ACL", acl_wherenames[where]);
4066 return ERROR;
4067 }
4068
4e88a19f
PH		 4069/* Before giving a response, take a look at the length of any user message, and
4070split it up into multiple lines if possible. */
059ec3d9 4071
e28326d8
PH		 4072*user_msgptr = string_split_message(*user_msgptr);
4073if (fake_response != OK)
4074 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4075
4076return rc;
4077}
4078
38a0a95f
PH		 4079
4080
4081/*************************************************
4082* Create ACL variable *
4083*************************************************/
4084
4085/* Create an ACL variable or reuse an existing one. ACL variables are in a
4086binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4087
4088Argument:
4089 name pointer to the variable's name, starting with c or m
4090
4091Returns the pointer to variable's tree node
4092*/
4093
4094tree_node *
4095acl_var_create(uschar *name)
4096{
4097tree_node *node, **root;
4098root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4099node = tree_search(*root, name);
4100if (node == NULL)
4101 {
4102 node = store_get(sizeof(tree_node) + Ustrlen(name));
4103 Ustrcpy(node->name, name);
4104 (void)tree_insertnode(root, node);
4105 }
4106node->data.ptr = NULL;
4107return node;
4108}
4109
4110
4111
4112/*************************************************
4113* Write an ACL variable in spool format *
4114*************************************************/
4115
4116/* This function is used as a callback for tree_walk when writing variables to
4117the spool file. To retain spool file compatibility, what is written is -aclc or
4118-aclm followed by the rest of the name and the data length, space separated,
4119then the value itself, starting on a new line, and terminated by an additional
4120newline. When we had only numbered ACL variables, the first line might look
4121like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4122acl_cfoo.
4123
4124Arguments:
4125 name of the variable
4126 value of the variable
4127 ctx FILE pointer (as a void pointer)
4128
4129Returns: nothing
4130*/
4131
4132void
4133acl_var_write(uschar *name, uschar *value, void *ctx)
4134{
4135FILE *f = (FILE *)ctx;
4136fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4137}
4138
059ec3d9 4139/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.