projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix non-check for read() error in sync check before writing banner.
[exim.git] / src / src / acl.c
CommitLineData
2f079f46 1/* $Cambridge: exim/src/src/acl.c,v 1.26 2005/03/29 10:56:48 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK		 37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
fb2274d4
TK		 48#endif
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
8e669ac1 56#endif
8523533c
TK		 57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK		 73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH		 78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK		 83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK		 89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
fb2274d4
TK		 95#endif
96#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
8523533c
TK		 103#endif
104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH		 126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK		 139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH		 142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK		 144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK		 148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
fb2274d4
TK		 150#endif
151#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
e715ad22 155 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
8523533c 158#endif
059ec3d9
PH		 159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK		 167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK		 171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK		 175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH		 178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK		 181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH		 187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK		 195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH		 198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK		 200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK		 204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
fb2274d4
TK		 206#endif
207#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
e715ad22 211 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
8523533c 214#endif
059ec3d9
PH		 215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK		 222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK		 227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK		 231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH		 234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK		 237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH		 243 FALSE /* verify */
244};
245
c5fcb476 246/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 247each condition, there's a bitmap of dis-allowed times. For some, it is easier
248to specify the negation of a small number of allowed times. */
059ec3d9
PH		 249
250static unsigned int cond_forbids[] = {
251 0, /* acl */
8e669ac1 252
059ec3d9
PH		 253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
8e669ac1 255
8523533c 256#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264#endif
8e669ac1 265
059ec3d9 266 0, /* condition */
8e669ac1 267
059ec3d9 268 /* Certain types of control are always allowed, so we let it through
2f079f46 269 always and check in the control processing itself. */
8e669ac1 270
059ec3d9 271 0, /* control */
8e669ac1 272
8523533c 273#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
8523533c
TK		 276#endif
277
059ec3d9 278 0, /* delay */
8e669ac1 279
f7b63901 280#ifdef WITH_OLD_DEMIME
2f079f46
PH		 281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
8523533c 283#endif
8e669ac1 284
fb2274d4 285#ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
84330b7b 293
2f079f46 294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
84330b7b 301
2f079f46 302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
84330b7b 309
2f079f46 310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
84330b7b 317
2f079f46 318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
84330b7b 325
2f079f46 326 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333#endif
334
059ec3d9
PH		 335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
2f079f46
PH		 337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH		 339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
8e669ac1 342
059ec3d9 343 0, /* endpass */
8e669ac1 344
059ec3d9
PH		 345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
2f079f46
PH		 347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 349
350 0, /* log_message */
8e669ac1 351
059ec3d9 352 0, /* logwrite */
8e669ac1 353
8523533c 354#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
8523533c
TK		 357#endif
358
059ec3d9
PH		 359 0, /* message */
360
8523533c 361#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
8523533c
TK		 364#endif
365
2f079f46
PH		 366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 368
8523533c 369#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
8523533c
TK		 373#endif
374
059ec3d9
PH		 375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
8523533c 389#ifdef WITH_CONTENT_SCAN
2f079f46
PH		 390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
8523533c
TK		 392#endif
393
394#ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400#endif
401
059ec3d9
PH		 402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
059ec3d9
PH		 406};
407
408
409/* Return values from decode_control() */
410
8e669ac1 411enum {
8523533c
TK		 412#ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
fb2274d4
TK		 414#endif
415#ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
8e669ac1 417#endif
8523533c 418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK		 420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421#ifdef WITH_CONTENT_SCAN
8e669ac1 422 CONTROL_NO_MBOX_UNSPOOL,
8523533c 423#endif
0f9b0483 424 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 425
c5fcb476
PH		 426/* Bit map vector of which controls are not allowed at certain times. For
427each control, there's a bitmap of dis-allowed times. For some, it is easier to
428specify the negation of a small number of allowed times. */
429
430static unsigned int control_forbids[] = {
8523533c
TK		 431#ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433#endif
fb2274d4 434#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 436#endif
3e11c26b 437
c5fcb476 438 0, /* error */
8e669ac1
PH		 439
440 (unsigned int)
c5fcb476 441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 442
443 (unsigned int)
c5fcb476 444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 445
c5fcb476 446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 447
c5fcb476 448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH		 449
450 (unsigned int)
c5fcb476
PH		 451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 454
455 (unsigned int)
c5fcb476
PH		 456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 459
460 (unsigned int)
c5fcb476 461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 462 (1<<ACL_WHERE_PREDATA)),
8523533c
TK		 463
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 (unsigned int)
14d57970 466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
8523533c 469#endif
a6c4ab60 470
8e669ac1 471 (unsigned int)
a6c4ab60 472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
8523533c 475
c5fcb476
PH		 476 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
477};
478
479/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 480
481typedef struct control_def {
482 uschar *name;
483 int value; /* CONTROL_xxx value */
059ec3d9
PH		 484 BOOL has_option; /* Has /option(s) following */
485} control_def;
486
487static control_def controls_list[] = {
8523533c
TK		 488#ifdef EXPERIMENTAL_BRIGHTMAIL
489 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
fb2274d4
TK		 490#endif
491#ifdef EXPERIMENTAL_DOMAINKEYS
492 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
8523533c 493#endif
c5fcb476
PH		 494 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
495 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
496 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
497 { US"freeze", CONTROL_FREEZE, FALSE},
498 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
499 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
500 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK		 501#ifdef WITH_CONTENT_SCAN
502 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 503#endif
0f9b0483 504 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 505 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 506 };
507
508/* Enable recursion between acl_check_internal() and acl_check_condition() */
509
510static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
511 uschar **);
512
513
514/*************************************************
515* Pick out name from list *
516*************************************************/
517
518/* Use a binary chop method
519
520Arguments:
521 name name to find
522 list list of names
523 end size of list
524
525Returns: offset in list, or -1 if not found
526*/
527
528static int
529acl_checkname(uschar *name, uschar **list, int end)
530{
531int start = 0;
532
533while (start < end)
534 {
535 int mid = (start + end)/2;
536 int c = Ustrcmp(name, list[mid]);
537 if (c == 0) return mid;
538 if (c < 0) end = mid; else start = mid + 1;
539 }
540
541return -1;
542}
543
544
545/*************************************************
546* Read and parse one ACL *
547*************************************************/
548
549/* This function is called both from readconf in order to parse the ACLs in the
550configuration file, and also when an ACL is encountered dynamically (e.g. as
551the result of an expansion). It is given a function to call in order to
552retrieve the lines of the ACL. This function handles skipping comments and
553blank lines (where relevant).
554
555Arguments:
556 func function to get next line of ACL
557 error where to put an error message
558
559Returns: pointer to ACL, or NULL
560 NULL can be legal (empty ACL); in this case error will be NULL
561*/
562
563acl_block *
564acl_read(uschar *(*func)(void), uschar **error)
565{
566acl_block *yield = NULL;
567acl_block **lastp = &yield;
568acl_block *this = NULL;
569acl_condition_block *cond;
570acl_condition_block **condp = NULL;
571uschar *s;
572
573*error = NULL;
574
575while ((s = (*func)()) != NULL)
576 {
577 int v, c;
578 BOOL negated = FALSE;
579 uschar *saveline = s;
580 uschar name[64];
581
582 /* Conditions (but not verbs) are allowed to be negated by an initial
583 exclamation mark. */
584
585 while (isspace(*s)) s++;
586 if (*s == '!')
587 {
588 negated = TRUE;
589 s++;
590 }
591
592 /* Read the name of a verb or a condition, or the start of a new ACL */
593
594 s = readconf_readname(name, sizeof(name), s);
595 if (*s == ':')
596 {
597 if (negated || name[0] == 0)
598 {
599 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
600 return NULL;
601 }
602 break;
603 }
604
605 /* If a verb is unrecognized, it may be another condition or modifier that
606 continues the previous verb. */
607
608 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
609 if (v < 0)
610 {
611 if (this == NULL)
612 {
613 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
614 return NULL;
615 }
616 }
617
618 /* New verb */
619
620 else
621 {
622 if (negated)
623 {
624 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
625 return NULL;
626 }
627 this = store_get(sizeof(acl_block));
628 *lastp = this;
629 lastp = &(this->next);
630 this->next = NULL;
631 this->verb = v;
632 this->condition = NULL;
633 condp = &(this->condition);
634 if (*s == 0) continue; /* No condition on this line */
635 if (*s == '!')
636 {
637 negated = TRUE;
638 s++;
639 }
640 s = readconf_readname(name, sizeof(name), s); /* Condition name */
641 }
642
643 /* Handle a condition or modifier. */
644
645 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
646 if (c < 0)
647 {
648 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
649 saveline);
650 return NULL;
651 }
652
653 /* The modifiers may not be negated */
654
655 if (negated && cond_modifiers[c])
656 {
657 *error = string_sprintf("ACL error: negation is not allowed with "
658 "\"%s\"", conditions[c]);
659 return NULL;
660 }
661
662 /* ENDPASS may occur only with ACCEPT or DISCARD. */
663
664 if (c == ACLC_ENDPASS &&
665 this->verb != ACL_ACCEPT &&
666 this->verb != ACL_DISCARD)
667 {
668 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
669 conditions[c], verbs[this->verb]);
670 return NULL;
671 }
672
673 cond = store_get(sizeof(acl_condition_block));
674 cond->next = NULL;
675 cond->type = c;
676 cond->u.negated = negated;
677
678 *condp = cond;
679 condp = &(cond->next);
680
681 /* The "set" modifier is different in that its argument is "name=value"
682 rather than just a value, and we can check the validity of the name, which
683 gives us a variable number to insert into the data block. */
684
685 if (c == ACLC_SET)
686 {
687 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
688 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
689 {
690 *error = string_sprintf("unrecognized name after \"set\" in ACL "
691 "modifier \"set %s\"", s);
692 return NULL;
693 }
694
695 cond->u.varnumber = s[5] - '0';
696 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
697 s += 6;
698 while (isspace(*s)) s++;
699 }
700
701 /* For "set", we are now positioned for the data. For the others, only
702 "endpass" has no data */
703
704 if (c != ACLC_ENDPASS)
705 {
706 if (*s++ != '=')
707 {
708 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
709 cond_modifiers[c]? US"modifier" : US"condition");
710 return NULL;
711 }
712 while (isspace(*s)) s++;
713 cond->arg = string_copy(s);
714 }
715 }
716
717return yield;
718}
719
720
721
722/*************************************************
723* Handle warnings *
724*************************************************/
725
726/* This function is called when a WARN verb's conditions are true. It adds to
727the message's headers, and/or writes information to the log. In each case, this
728only happens once (per message for headers, per connection for log).
729
730Arguments:
731 where ACL_WHERE_xxxx indicating which ACL this is
732 user_message message for adding to headers
733 log_message message for logging, if different
734
735Returns: nothing
736*/
737
738static void
739acl_warn(int where, uschar *user_message, uschar *log_message)
740{
741int hlen;
742
743if (log_message != NULL && log_message != user_message)
744 {
745 uschar *text;
746 string_item *logged;
747
748 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
749 string_printing(log_message));
750
751 /* If a sender verification has failed, and the log message is "sender verify
752 failed", add the failure message. */
753
754 if (sender_verified_failed != NULL &&
755 sender_verified_failed->message != NULL &&
756 strcmpic(log_message, US"sender verify failed") == 0)
757 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
758
759 /* Search previously logged warnings. They are kept in malloc store so they
760 can be freed at the start of a new message. */
761
762 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
763 if (Ustrcmp(logged->text, text) == 0) break;
764
765 if (logged == NULL)
766 {
767 int length = Ustrlen(text) + 1;
768 log_write(0, LOG_MAIN, "%s", text);
769 logged = store_malloc(sizeof(string_item) + length);
770 logged->text = (uschar *)logged + sizeof(string_item);
771 memcpy(logged->text, text, length);
772 logged->next = acl_warn_logged;
773 acl_warn_logged = logged;
774 }
775 }
776
777/* If there's no user message, we are done. */
778
779if (user_message == NULL) return;
780
781/* If this isn't a message ACL, we can't do anything with a user message.
782Log an error. */
783
784if (where > ACL_WHERE_NOTSMTP)
785 {
786 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
787 "found in a non-message (%s) ACL: cannot specify header lines here: "
788 "message ignored", acl_wherenames[where]);
789 return;
790 }
791
792/* Treat the user message as a sequence of one or more header lines. */
793
794hlen = Ustrlen(user_message);
795if (hlen > 0)
796 {
797 uschar *text, *p, *q;
798
799 /* Add a final newline if not present */
800
801 text = ((user_message)[hlen-1] == '\n')? user_message :
802 string_sprintf("%s\n", user_message);
803
804 /* Loop for multiple header lines, taking care about continuations */
805
806 for (p = q = text; *p != 0; )
807 {
808 uschar *s;
809 int newtype = htype_add_bot;
810 header_line **hptr = &acl_warn_headers;
811
812 /* Find next header line within the string */
813
814 for (;;)
815 {
816 q = Ustrchr(q, '\n');
817 if (*(++q) != ' ' && *q != '\t') break;
818 }
819
820 /* If the line starts with a colon, interpret the instruction for where to
821 add it. This temporarily sets up a new type. */
822
823 if (*p == ':')
824 {
825 if (strncmpic(p, US":after_received:", 16) == 0)
826 {
827 newtype = htype_add_rec;
828 p += 16;
829 }
8523533c
TK		 830 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
831 {
832 newtype = htype_add_rfc;
833 p += 14;
8e669ac1 834 }
059ec3d9
PH		 835 else if (strncmpic(p, US":at_start:", 10) == 0)
836 {
837 newtype = htype_add_top;
838 p += 10;
839 }
840 else if (strncmpic(p, US":at_end:", 8) == 0)
841 {
842 newtype = htype_add_bot;
843 p += 8;
844 }
845 while (*p == ' ' || *p == '\t') p++;
846 }
847
848 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
849 to the front of it. */
850
851 for (s = p; s < q - 1; s++)
852 {
853 if (*s == ':' || !isgraph(*s)) break;
854 }
855
856 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
857 hlen = Ustrlen(s);
858
859 /* See if this line has already been added */
860
861 while (*hptr != NULL)
862 {
863 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
864 hptr = &((*hptr)->next);
865 }
866
867 /* Add if not previously present */
868
869 if (*hptr == NULL)
870 {
871 header_line *h = store_get(sizeof(header_line));
872 h->text = s;
873 h->next = NULL;
874 h->type = newtype;
875 h->slen = hlen;
876 *hptr = h;
877 hptr = &(h->next);
878 }
879
880 /* Advance for next header line within the string */
881
882 p = q;
883 }
884 }
885}
886
887
888
889/*************************************************
890* Verify and check reverse DNS *
891*************************************************/
892
893/* Called from acl_verify() below. We look up the host name(s) of the client IP
894address if this has not yet been done. The host_name_lookup() function checks
895that one of these names resolves to an address list that contains the client IP
896address, so we don't actually have to do the check here.
897
898Arguments:
899 user_msgptr pointer for user message
900 log_msgptr pointer for log message
901
902Returns: OK verification condition succeeded
903 FAIL verification failed
904 DEFER there was a problem verifying
905*/
906
907static int
908acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
909{
910int rc;
911
912user_msgptr = user_msgptr; /* stop compiler warning */
913
914/* Previous success */
915
916if (sender_host_name != NULL) return OK;
917
918/* Previous failure */
919
920if (host_lookup_failed)
921 {
922 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
923 return FAIL;
924 }
925
926/* Need to do a lookup */
927
928HDEBUG(D_acl)
929 debug_printf("looking up host name to force name/address consistency check\n");
930
931if ((rc = host_name_lookup()) != OK)
932 {
933 *log_msgptr = (rc == DEFER)?
934 US"host lookup deferred for reverse lookup check"
935 :
936 string_sprintf("host lookup failed for reverse lookup check%s",
937 host_lookup_msg);
938 return rc; /* DEFER or FAIL */
939 }
940
941host_build_sender_fullhost();
942return OK;
943}
944
945
946
947/*************************************************
948* Handle verification (address & other) *
949*************************************************/
950
951/* This function implements the "verify" condition. It is called when
952encountered in any ACL, because some tests are almost always permitted. Some
953just don't make sense, and always fail (for example, an attempt to test a host
954lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
955
956Arguments:
957 where where called from
958 addr the recipient address that the ACL is handling, or NULL
959 arg the argument of "verify"
960 user_msgptr pointer for user message
961 log_msgptr pointer for log message
962 basic_errno where to put verify errno
963
964Returns: OK verification condition succeeded
965 FAIL verification failed
966 DEFER there was a problem verifying
967 ERROR syntax error
968*/
969
970static int
971acl_verify(int where, address_item *addr, uschar *arg,
972 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
973{
974int sep = '/';
975int callout = -1;
976int callout_overall = -1;
4deaf07d 977int callout_connect = -1;
059ec3d9
PH		 978int verify_options = 0;
979int rc;
980BOOL verify_header_sender = FALSE;
981BOOL defer_ok = FALSE;
982BOOL callout_defer_ok = FALSE;
983BOOL no_details = FALSE;
984address_item *sender_vaddr = NULL;
985uschar *verify_sender_address = NULL;
986uschar *pm_mailfrom = NULL;
987uschar *se_mailfrom = NULL;
596875b3
PH		 988
989/* Some of the verify items have slash-separated options; some do not. Diagnose
990an error if options are given for items that don't expect them. This code has
991now got very message. Refactoring to use a table would be a good idea one day.
992*/
993
994uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 995uschar *list = arg;
996uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
997
998if (ss == NULL) goto BAD_VERIFY;
999
1000/* Handle name/address consistency verification in a separate function. */
1001
1002if (strcmpic(ss, US"reverse_host_lookup") == 0)
1003 {
596875b3 1004 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1005 if (sender_host_address == NULL) return OK;
1006 return acl_verify_reverse(user_msgptr, log_msgptr);
1007 }
1008
1009/* TLS certificate verification is done at STARTTLS time; here we just
1010test whether it was successful or not. (This is for optional verification; for
1011mandatory verification, the connection doesn't last this long.) */
1012
1013if (strcmpic(ss, US"certificate") == 0)
1014 {
596875b3 1015 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1016 if (tls_certificate_verified) return OK;
1017 *user_msgptr = US"no verified certificate";
1018 return FAIL;
1019 }
1020
1021/* We can test the result of optional HELO verification */
1022
596875b3
PH		 1023if (strcmpic(ss, US"helo") == 0)
1024 {
1025 if (slash != NULL) goto NO_OPTIONS;
1026 return helo_verified? OK : FAIL;
1027 }
059ec3d9 1028
596875b3
PH		 1029/* Check that all relevant header lines have the correct syntax. If there is
1030a syntax error, we return details of the error to the sender if configured to
1031send out full details. (But a "message" setting on the ACL can override, as
1032always). */
059ec3d9 1033
596875b3 1034if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1035 {
596875b3 1036 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1037 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1038 {
1039 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1040 "(only possible in ACL for DATA)", acl_wherenames[where]);
1041 return ERROR;
1042 }
596875b3
PH		 1043 rc = verify_check_headers(log_msgptr);
1044 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1045 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1046 return rc;
1047 }
059ec3d9 1048
059ec3d9 1049
596875b3
PH		 1050/* The remaining verification tests check recipient and sender addresses,
1051either from the envelope or from the header. There are a number of
1052slash-separated options that are common to all of them. */
059ec3d9 1053
059ec3d9 1054
596875b3
PH		 1055/* Check that there is at least one verifiable sender address in the relevant
1056header lines. This can be followed by callout and defer options, just like
1057sender and recipient. */
059ec3d9 1058
596875b3
PH		 1059if (strcmpic(ss, US"header_sender") == 0)
1060 {
1061 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1062 {
1063 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1064 "(only possible in ACL for DATA)", acl_wherenames[where]);
1065 return ERROR;
1066 }
1067 verify_header_sender = TRUE;
059ec3d9
PH		 1068 }
1069
1070/* Otherwise, first item in verify argument must be "sender" or "recipient".
1071In the case of a sender, this can optionally be followed by an address to use
1072in place of the actual sender (rare special-case requirement). */
1073
1074else if (strncmpic(ss, US"sender", 6) == 0)
1075 {
1076 uschar *s = ss + 6;
1077 if (where > ACL_WHERE_NOTSMTP)
1078 {
1079 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1080 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1081 acl_wherenames[where]);
1082 return ERROR;
1083 }
1084 if (*s == 0)
1085 verify_sender_address = sender_address;
1086 else
1087 {
1088 while (isspace(*s)) s++;
1089 if (*s++ != '=') goto BAD_VERIFY;
1090 while (isspace(*s)) s++;
1091 verify_sender_address = string_copy(s);
1092 }
1093 }
1094else
1095 {
1096 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1097 if (addr == NULL)
1098 {
1099 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1100 "(only possible for RCPT)", acl_wherenames[where]);
1101 return ERROR;
1102 }
1103 }
1104
596875b3
PH		 1105/* Remaining items are optional; they apply to sender and recipient
1106verification, including "header sender" verification. */
059ec3d9
PH		 1107
1108while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1109 != NULL)
1110 {
1111 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1112 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1113
1114 /* These two old options are left for backwards compatibility */
1115
1116 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1117 {
1118 callout_defer_ok = TRUE;
1119 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1120 }
1121
1122 else if (strcmpic(ss, US"check_postmaster") == 0)
1123 {
1124 pm_mailfrom = US"";
1125 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1126 }
1127
1128 /* The callout option has a number of sub-options, comma separated */
1129
1130 else if (strncmpic(ss, US"callout", 7) == 0)
1131 {
1132 callout = CALLOUT_TIMEOUT_DEFAULT;
1133 ss += 7;
1134 if (*ss != 0)
1135 {
1136 while (isspace(*ss)) ss++;
1137 if (*ss++ == '=')
1138 {
1139 int optsep = ',';
1140 uschar *opt;
1141 uschar buffer[256];
1142 while (isspace(*ss)) ss++;
8e669ac1
PH		 1143
1144 /* This callout option handling code has become a mess as new options
1145 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1146 kind of table-driven thing. */
8e669ac1 1147
059ec3d9
PH		 1148 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1149 != NULL)
1150 {
1151 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1152 else if (strcmpic(opt, US"no_cache") == 0)
1153 verify_options |= vopt_callout_no_cache;
1154 else if (strcmpic(opt, US"random") == 0)
1155 verify_options |= vopt_callout_random;
1156 else if (strcmpic(opt, US"use_sender") == 0)
1157 verify_options |= vopt_callout_recipsender;
1158 else if (strcmpic(opt, US"use_postmaster") == 0)
1159 verify_options |= vopt_callout_recippmaster;
1160 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1161
1162 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1163 {
1164 if (!verify_header_sender)
1165 {
1166 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1167 "callout option only for verify=header_sender (detected in ACL "
1168 "condition \"%s\")", arg);
1169 return ERROR;
1170 }
1171 opt += 8;
1172 while (isspace(*opt)) opt++;
1173 if (*opt++ != '=')
1174 {
1175 *log_msgptr = string_sprintf("'=' expected after "
1176 "\"mailfrom\" in ACL condition \"%s\"", arg);
1177 return ERROR;
1178 }
1179 while (isspace(*opt)) opt++;
1180 se_mailfrom = string_copy(opt);
1181 }
1182
1183 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1184 {
1185 opt += 19;
1186 while (isspace(*opt)) opt++;
1187 if (*opt++ != '=')
1188 {
1189 *log_msgptr = string_sprintf("'=' expected after "
1190 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1191 return ERROR;
1192 }
1193 while (isspace(*opt)) opt++;
1194 pm_mailfrom = string_copy(opt);
1195 }
1196
1197 else if (strncmpic(opt, US"maxwait", 7) == 0)
1198 {
1199 opt += 7;
1200 while (isspace(*opt)) opt++;
1201 if (*opt++ != '=')
1202 {
1203 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1204 "ACL condition \"%s\"", arg);
1205 return ERROR;
1206 }
1207 while (isspace(*opt)) opt++;
1208 callout_overall = readconf_readtime(opt, 0, FALSE);
1209 if (callout_overall < 0)
1210 {
1211 *log_msgptr = string_sprintf("bad time value in ACL condition "
1212 "\"verify %s\"", arg);
1213 return ERROR;
1214 }
1215 }
4deaf07d
PH		 1216 else if (strncmpic(opt, US"connect", 7) == 0)
1217 {
1218 opt += 7;
1219 while (isspace(*opt)) opt++;
1220 if (*opt++ != '=')
1221 {
1222 *log_msgptr = string_sprintf("'=' expected after "
1223 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1224 return ERROR;
1225 }
1226 while (isspace(*opt)) opt++;
1227 callout_connect = readconf_readtime(opt, 0, FALSE);
1228 if (callout_connect < 0)
1229 {
1230 *log_msgptr = string_sprintf("bad time value in ACL condition "
1231 "\"verify %s\"", arg);
1232 return ERROR;
1233 }
1234 }
059ec3d9
PH		 1235 else /* Plain time is callout connect/command timeout */
1236 {
1237 callout = readconf_readtime(opt, 0, FALSE);
1238 if (callout < 0)
1239 {
1240 *log_msgptr = string_sprintf("bad time value in ACL condition "
1241 "\"verify %s\"", arg);
1242 return ERROR;
1243 }
1244 }
1245 }
1246 }
1247 else
1248 {
1249 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1250 "ACL condition \"%s\"", arg);
1251 return ERROR;
1252 }
1253 }
1254 }
1255
1256 /* Option not recognized */
1257
1258 else
1259 {
1260 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1261 "condition \"verify %s\"", ss, arg);
1262 return ERROR;
1263 }
1264 }
1265
1266if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1267 (vopt_callout_recipsender|vopt_callout_recippmaster))
1268 {
1269 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1270 "for a recipient callout";
1271 return ERROR;
1272 }
1273
1274/* Handle sender-in-header verification. Default the user message to the log
1275message if giving out verification details. */
1276
1277if (verify_header_sender)
1278 {
8e669ac1 1279 int verrno;
059ec3d9 1280 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1281 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1282 &verrno);
1283 if (rc != OK)
8e669ac1 1284 {
fe5b5d0b
PH		 1285 *basic_errno = verrno;
1286 if (smtp_return_error_details)
1287 {
1288 if (*user_msgptr == NULL && *log_msgptr != NULL)
1289 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1290 if (rc == DEFER) acl_temp_details = TRUE;
1291 }
8e669ac1 1292 }
059ec3d9
PH		 1293 }
1294
1295/* Handle a sender address. The default is to verify *the* sender address, but
1296optionally a different address can be given, for special requirements. If the
1297address is empty, we are dealing with a bounce message that has no sender, so
1298we cannot do any checking. If the real sender address gets rewritten during
1299verification (e.g. DNS widening), set the flag to stop it being rewritten again
1300during message reception.
1301
1302A list of verified "sender" addresses is kept to try to avoid doing to much
1303work repetitively when there are multiple recipients in a message and they all
1304require sender verification. However, when callouts are involved, it gets too
1305complicated because different recipients may require different callout options.
1306Therefore, we always do a full sender verify when any kind of callout is
1307specified. Caching elsewhere, for instance in the DNS resolver and in the
1308callout handling, should ensure that this is not terribly inefficient. */
1309
1310else if (verify_sender_address != NULL)
1311 {
1312 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1313 != 0)
1314 {
1315 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1316 "sender verify callout";
1317 return ERROR;
1318 }
1319
1320 sender_vaddr = verify_checked_sender(verify_sender_address);
1321 if (sender_vaddr != NULL && /* Previously checked */
1322 callout <= 0) /* No callout needed this time */
1323 {
1324 /* If the "routed" flag is set, it means that routing worked before, so
1325 this check can give OK (the saved return code value, if set, belongs to a
1326 callout that was done previously). If the "routed" flag is not set, routing
1327 must have failed, so we use the saved return code. */
1328
1329 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1330 {
1331 rc = sender_vaddr->special_action;
1332 *basic_errno = sender_vaddr->basic_errno;
1333 }
1334 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1335 }
1336
1337 /* Do a new verification, and cache the result. The cache is used to avoid
1338 verifying the sender multiple times for multiple RCPTs when callouts are not
1339 specified (see comments above).
1340
1341 The cache is also used on failure to give details in response to the first
1342 RCPT that gets bounced for this reason. However, this can be suppressed by
1343 the no_details option, which sets the flag that says "this detail has already
1344 been sent". The cache normally contains just one address, but there may be
1345 more in esoteric circumstances. */
1346
1347 else
1348 {
1349 BOOL routed = TRUE;
2a3eea10 1350 uschar *save_address_data = deliver_address_data;
8e669ac1 1351
059ec3d9
PH		 1352 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1353 if (no_details) setflag(sender_vaddr, af_sverify_told);
1354 if (verify_sender_address[0] != 0)
1355 {
1356 /* If this is the real sender address, save the unrewritten version
1357 for use later in receive. Otherwise, set a flag so that rewriting the
1358 sender in verify_address() does not update sender_address. */
1359
1360 if (verify_sender_address == sender_address)
1361 sender_address_unrewritten = sender_address;
1362 else
1363 verify_options |= vopt_fake_sender;
1364
1365 /* The recipient, qualify, and expn options are never set in
1366 verify_options. */
1367
1368 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1369 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1370
1371 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1372
1373 if (rc == OK)
1374 {
1375 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1376 {
1377 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1378 verify_sender_address, sender_vaddr->address);
1379 }
1380 else
1381 {
1382 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1383 verify_sender_address);
1384 }
1385 }
1386 else *basic_errno = sender_vaddr->basic_errno;
1387 }
1388 else rc = OK; /* Null sender */
1389
1390 /* Cache the result code */
1391
1392 if (routed) setflag(sender_vaddr, af_verify_routed);
1393 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1394 sender_vaddr->special_action = rc;
1395 sender_vaddr->next = sender_verified_list;
1396 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1397
1398 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1399 the sender verification. */
8e669ac1 1400
2a3eea10 1401 deliver_address_data = save_address_data;
059ec3d9 1402 }
8e669ac1 1403
2a3eea10
PH		 1404 /* Put the sender address_data value into $sender_address_data */
1405
8e669ac1 1406 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1407 }
1408
1409/* A recipient address just gets a straightforward verify; again we must handle
1410the DEFER overrides. */
1411
1412else
1413 {
1414 address_item addr2;
1415
1416 /* We must use a copy of the address for verification, because it might
1417 get rewritten. */
1418
1419 addr2 = *addr;
1420 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1421 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1422 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1423
059ec3d9 1424 *log_msgptr = addr2.message;
8e669ac1 1425 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1426 addr2.user_message : addr2.message;
059ec3d9
PH		 1427 *basic_errno = addr2.basic_errno;
1428
1429 /* Make $address_data visible */
1430 deliver_address_data = addr2.p.address_data;
1431 }
1432
1433/* We have a result from the relevant test. Handle defer overrides first. */
1434
1435if (rc == DEFER && (defer_ok ||
1436 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1437 {
1438 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1439 defer_ok? "defer_ok" : "callout_defer_ok");
1440 rc = OK;
1441 }
1442
1443/* If we've failed a sender, set up a recipient message, and point
1444sender_verified_failed to the address item that actually failed. */
1445
1446if (rc != OK && verify_sender_address != NULL)
1447 {
1448 if (rc != DEFER)
1449 {
1450 *log_msgptr = *user_msgptr = US"Sender verify failed";
1451 }
1452 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1453 {
1454 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1455 }
1456 else
1457 {
1458 *log_msgptr = US"Could not complete sender verify callout";
1459 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1460 *log_msgptr;
1461 }
1462
1463 sender_verified_failed = sender_vaddr;
1464 }
1465
1466/* Verifying an address messes up the values of $domain and $local_part,
1467so reset them before returning if this is a RCPT ACL. */
1468
1469if (addr != NULL)
1470 {
1471 deliver_domain = addr->domain;
1472 deliver_localpart = addr->local_part;
1473 }
1474return rc;
1475
1476/* Syntax errors in the verify argument come here. */
1477
1478BAD_VERIFY:
1479*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1480 "\"helo\", \"header_syntax\", \"header_sender\" or "
1481 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1482 "\"verify %s\"", arg);
1483return ERROR;
596875b3
PH		 1484
1485/* Options supplied when not allowed come here */
1486
1487NO_OPTIONS:
1488*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1489 "(this verify item has no options)", arg);
1490return ERROR;
059ec3d9
PH		 1491}
1492
1493
1494
1495
1496/*************************************************
1497* Check argument for control= modifier *
1498*************************************************/
1499
1500/* Called from acl_check_condition() below
1501
1502Arguments:
1503 arg the argument string for control=
1504 pptr set to point to the terminating character
1505 where which ACL we are in
1506 log_msgptr for error messages
1507
1508Returns: CONTROL_xxx value
1509*/
1510
1511static int
1512decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1513{
1514int len;
1515control_def *d;
1516
1517for (d = controls_list;
1518 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1519 d++)
1520 {
1521 len = Ustrlen(d->name);
1522 if (Ustrncmp(d->name, arg, len) == 0) break;
1523 }
1524
1525if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1526 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1527 {
1528 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1529 return CONTROL_ERROR;
1530 }
1531
059ec3d9
PH		 1532*pptr = arg + len;
1533return d->value;
1534}
1535
1536
1537
1538/*************************************************
1539* Handle conditions/modifiers on an ACL item *
1540*************************************************/
1541
1542/* Called from acl_check() below.
1543
1544Arguments:
1545 verb ACL verb
1546 cb ACL condition block - if NULL, result is OK
1547 where where called from
1548 addr the address being checked for RCPT, or NULL
1549 level the nesting level
1550 epp pointer to pass back TRUE if "endpass" encountered
1551 (applies only to "accept" and "discard")
1552 user_msgptr user message pointer
1553 log_msgptr log message pointer
1554 basic_errno pointer to where to put verify error
1555
1556Returns: OK - all conditions are met
1557 DISCARD - an "acl" condition returned DISCARD - only allowed
1558 for "accept" or "discard" verbs
1559 FAIL - at least one condition fails
1560 FAIL_DROP - an "acl" condition returned FAIL_DROP
1561 DEFER - can't tell at the moment (typically, lookup defer,
1562 but can be temporary callout problem)
1563 ERROR - ERROR from nested ACL or expansion failure or other
1564 error
1565*/
1566
1567static int
1568acl_check_condition(int verb, acl_condition_block *cb, int where,
1569 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1570 uschar **log_msgptr, int *basic_errno)
1571{
1572uschar *user_message = NULL;
1573uschar *log_message = NULL;
1574uschar *p;
1575int rc = OK;
8523533c
TK		 1576#ifdef WITH_CONTENT_SCAN
1577int sep = '/';
1578#endif
059ec3d9
PH		 1579
1580for (; cb != NULL; cb = cb->next)
1581 {
1582 uschar *arg;
8e669ac1 1583 int control_type;
059ec3d9
PH		 1584
1585 /* The message and log_message items set up messages to be used in
1586 case of rejection. They are expanded later. */
1587
1588 if (cb->type == ACLC_MESSAGE)
1589 {
1590 user_message = cb->arg;
1591 continue;
1592 }
1593
1594 if (cb->type == ACLC_LOG_MESSAGE)
1595 {
1596 log_message = cb->arg;
1597 continue;
1598 }
1599
1600 /* The endpass "condition" just sets a flag to show it occurred. This is
1601 checked at compile time to be on an "accept" or "discard" item. */
1602
1603 if (cb->type == ACLC_ENDPASS)
1604 {
1605 *epp = TRUE;
1606 continue;
1607 }
1608
1609 /* For other conditions and modifiers, the argument is expanded now for some
1610 of them, but not for all, because expansion happens down in some lower level
1611 checking functions in some cases. */
1612
1613 if (cond_expand_at_top[cb->type])
1614 {
1615 arg = expand_string(cb->arg);
1616 if (arg == NULL)
1617 {
1618 if (expand_string_forcedfail) continue;
1619 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1620 cb->arg, expand_string_message);
1621 return search_find_defer? DEFER : ERROR;
1622 }
1623 }
1624 else arg = cb->arg;
1625
1626 /* Show condition, and expanded condition if it's different */
1627
1628 HDEBUG(D_acl)
1629 {
1630 int lhswidth = 0;
1631 debug_printf("check %s%s %n",
1632 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1633 conditions[cb->type], &lhswidth);
1634
1635 if (cb->type == ACLC_SET)
1636 {
1637 int n = cb->u.varnumber;
1638 int t = (n < ACL_C_MAX)? 'c' : 'm';
1639 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1640 debug_printf("acl_%c%d ", t, n);
1641 lhswidth += 7;
1642 }
1643
1644 debug_printf("= %s\n", cb->arg);
1645
1646 if (arg != cb->arg)
1647 debug_printf("%.*s= %s\n", lhswidth,
1648 US" ", CS arg);
1649 }
1650
1651 /* Check that this condition makes sense at this time */
1652
1653 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1654 {
1655 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1656 cond_modifiers[cb->type]? "use" : "test",
1657 conditions[cb->type], acl_wherenames[where]);
1658 return ERROR;
1659 }
1660
1661 /* Run the appropriate test for each condition, or take the appropriate
1662 action for the remaining modifiers. */
1663
1664 switch(cb->type)
1665 {
1666 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1667 "discard" verb. */
1668
1669 case ACLC_ACL:
1670 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1671 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1672 {
1673 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1674 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1675 verbs[verb]);
1676 return ERROR;
1677 }
1678 break;
1679
1680 case ACLC_AUTHENTICATED:
1681 rc = (sender_host_authenticated == NULL)? FAIL :
1682 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1683 TRUE, NULL);
1684 break;
1685
8523533c
TK		 1686#ifdef EXPERIMENTAL_BRIGHTMAIL
1687 case ACLC_BMI_OPTIN:
1688 {
1689 int old_pool = store_pool;
1690 store_pool = POOL_PERM;
1691 bmi_current_optin = string_copy(arg);
1692 store_pool = old_pool;
1693 }
1694 break;
1695#endif
1696
059ec3d9
PH		 1697 case ACLC_CONDITION:
1698 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1699 rc = (Uatoi(arg) == 0)? FAIL : OK;
1700 else
1701 rc = (strcmpic(arg, US"no") == 0 ||
1702 strcmpic(arg, US"false") == 0)? FAIL :
1703 (strcmpic(arg, US"yes") == 0 ||
1704 strcmpic(arg, US"true") == 0)? OK : DEFER;
1705 if (rc == DEFER)
1706 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1707 break;
1708
1709 case ACLC_CONTROL:
c5fcb476
PH		 1710 control_type = decode_control(arg, &p, where, log_msgptr);
1711
8523533c 1712 /* Check if this control makes sense at this time */
c5fcb476
PH		 1713
1714 if ((control_forbids[control_type] & (1 << where)) != 0)
1715 {
1716 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1717 controls[control_type], acl_wherenames[where]);
1718 return ERROR;
8e669ac1 1719 }
c5fcb476
PH		 1720
1721 switch(control_type)
059ec3d9 1722 {
8523533c
TK		 1723#ifdef EXPERIMENTAL_BRIGHTMAIL
1724 case CONTROL_BMI_RUN:
1725 bmi_run = 1;
1726 break;
1727#endif
fb2274d4
TK		 1728#ifdef EXPERIMENTAL_DOMAINKEYS
1729 case CONTROL_DK_VERIFY:
1730 dk_do_verify = 1;
1731 break;
1732#endif
059ec3d9
PH		 1733 case CONTROL_ERROR:
1734 return ERROR;
1735
1736 case CONTROL_CASEFUL_LOCAL_PART:
1737 deliver_localpart = addr->cc_local_part;
1738 break;
1739
1740 case CONTROL_CASELOWER_LOCAL_PART:
1741 deliver_localpart = addr->lc_local_part;
1742 break;
1743
1744 case CONTROL_ENFORCE_SYNC:
1745 smtp_enforce_sync = TRUE;
1746 break;
1747
1748 case CONTROL_NO_ENFORCE_SYNC:
1749 smtp_enforce_sync = FALSE;
1750 break;
1751
8523533c
TK		 1752#ifdef WITH_CONTENT_SCAN
1753 case CONTROL_NO_MBOX_UNSPOOL:
1754 no_mbox_unspool = TRUE;
1755 break;
1756#endif
1757
059ec3d9
PH		 1758 case CONTROL_NO_MULTILINE:
1759 no_multiline_responses = TRUE;
1760 break;
1761
8523533c
TK		 1762 case CONTROL_FAKEREJECT:
1763 fake_reject = TRUE;
1764 if (*p == '/')
8e669ac1 1765 {
8523533c 1766 uschar *pp = p + 1;
8e669ac1 1767 while (*pp != 0) pp++;
8523533c
TK		 1768 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1769 p = pp;
1770 }
1771 else
1772 {
1773 /* Explicitly reset to default string */
dc082449 1774 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 1775 }
1776 break;
8523533c 1777
059ec3d9
PH		 1778 case CONTROL_FREEZE:
1779 deliver_freeze = TRUE;
1780 deliver_frozen_at = time(NULL);
1781 break;
1782
1783 case CONTROL_QUEUE_ONLY:
1784 queue_only_policy = TRUE;
1785 break;
1786
1787 case CONTROL_SUBMISSION:
1788 submission_mode = TRUE;
69358f02 1789 while (*p == '/')
8e669ac1 1790 {
69358f02
PH		 1791 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1792 {
1793 p += 14;
1794 active_local_sender_retain = TRUE;
8e669ac1
PH		 1795 active_local_from_check = FALSE;
1796 }
69358f02
PH		 1797 else if (Ustrncmp(p, "/domain=", 8) == 0)
1798 {
1799 uschar *pp = p + 8;
8e669ac1 1800 while (*pp != 0 && *pp != '/') pp++;
69358f02 1801 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1802 p = pp;
69358f02 1803 }
8e669ac1
PH		 1804 else break;
1805 }
69358f02 1806 if (*p != 0)
059ec3d9 1807 {
69358f02 1808 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1809 return ERROR;
1810 }
1811 break;
1812 }
1813 break;
1814
8523533c
TK		 1815#ifdef WITH_CONTENT_SCAN
1816 case ACLC_DECODE:
1817 rc = mime_decode(&arg);
1818 break;
1819#endif
1820
059ec3d9
PH		 1821 case ACLC_DELAY:
1822 {
1823 int delay = readconf_readtime(arg, 0, FALSE);
1824 if (delay < 0)
1825 {
1826 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1827 "modifier: \"%s\" is not a time value", arg);
1828 return ERROR;
1829 }
1830 else
1831 {
1832 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1833 delay);
1834 if (host_checking)
1835 {
1836 HDEBUG(D_acl)
1837 debug_printf("delay skipped in -bh checking mode\n");
1838 }
8e669ac1 1839 else
86b8287f
PH		 1840 {
1841 while (delay > 0) delay = sleep(delay);
8e669ac1 1842 }
059ec3d9
PH		 1843 }
1844 }
1845 break;
1846
8523533c
TK		 1847#ifdef WITH_OLD_DEMIME
1848 case ACLC_DEMIME:
1849 rc = demime(&arg);
1850 break;
1851#endif
1852
fb2274d4
TK		 1853#ifdef EXPERIMENTAL_DOMAINKEYS
1854 case ACLC_DK_DOMAIN_SOURCE:
1855 if (dk_verify_block == NULL) { rc = FAIL; break; };
1856 /* check header source of domain against given string */
1857 switch (dk_verify_block->address_source) {
1858 case DK_EXIM_ADDRESS_FROM_FROM:
1859 rc = match_isinlist(US"from", &arg, 0, NULL,
1860 NULL, MCL_STRING, TRUE, NULL);
1861 break;
1862 case DK_EXIM_ADDRESS_FROM_SENDER:
1863 rc = match_isinlist(US"sender", &arg, 0, NULL,
1864 NULL, MCL_STRING, TRUE, NULL);
1865 break;
1866 case DK_EXIM_ADDRESS_NONE:
1867 rc = match_isinlist(US"none", &arg, 0, NULL,
1868 NULL, MCL_STRING, TRUE, NULL);
1869 break;
1870 }
1871 break;
1872 case ACLC_DK_POLICY:
1873 if (dk_verify_block == NULL) { rc = FAIL; break; };
1874 /* check policy against given string, default FAIL */
1875 rc = FAIL;
1876 if (dk_verify_block->signsall)
1877 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1878 NULL, MCL_STRING, TRUE, NULL);
1879 if (dk_verify_block->testing)
1880 rc = match_isinlist(US"testing", &arg, 0, NULL,
1881 NULL, MCL_STRING, TRUE, NULL);
1882 break;
1883 case ACLC_DK_SENDER_DOMAINS:
1884 if (dk_verify_block == NULL) { rc = FAIL; break; };
1885 if (dk_verify_block->domain != NULL)
1886 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1887 NULL, MCL_DOMAIN, TRUE, NULL);
1888 else rc = FAIL;
1889 break;
1890 case ACLC_DK_SENDER_LOCAL_PARTS:
1891 if (dk_verify_block == NULL) { rc = FAIL; break; };
1892 if (dk_verify_block->local_part != NULL)
1893 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1894 NULL, MCL_LOCALPART, TRUE, NULL);
1895 else rc = FAIL;
1896 break;
1897 case ACLC_DK_SENDERS:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 if (dk_verify_block->address != NULL)
1900 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1901 else rc = FAIL;
1902 break;
1903 case ACLC_DK_STATUS:
1904 if (dk_verify_block == NULL) { rc = FAIL; break; };
1905 if (dk_verify_block->result > 0) {
1906 switch(dk_verify_block->result) {
1907 case DK_EXIM_RESULT_BAD_FORMAT:
1908 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1909 NULL, MCL_STRING, TRUE, NULL);
1910 break;
1911 case DK_EXIM_RESULT_NO_KEY:
1912 rc = match_isinlist(US"no key", &arg, 0, NULL,
1913 NULL, MCL_STRING, TRUE, NULL);
1914 break;
1915 case DK_EXIM_RESULT_NO_SIGNATURE:
1916 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1917 NULL, MCL_STRING, TRUE, NULL);
1918 break;
1919 case DK_EXIM_RESULT_REVOKED:
1920 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1922 break;
1923 case DK_EXIM_RESULT_NON_PARTICIPANT:
1924 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1925 NULL, MCL_STRING, TRUE, NULL);
1926 break;
1927 case DK_EXIM_RESULT_GOOD:
1928 rc = match_isinlist(US"good", &arg, 0, NULL,
1929 NULL, MCL_STRING, TRUE, NULL);
1930 break;
1931 case DK_EXIM_RESULT_BAD:
1932 rc = match_isinlist(US"bad", &arg, 0, NULL,
1933 NULL, MCL_STRING, TRUE, NULL);
1934 break;
1935 }
1936 }
1937 break;
1938#endif
1939
059ec3d9
PH		 1940 case ACLC_DNSLISTS:
1941 rc = verify_check_dnsbl(&arg);
1942 break;
1943
1944 case ACLC_DOMAINS:
1945 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1946 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1947 break;
1948
1949 /* The value in tls_cipher is the full cipher name, for example,
1950 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1951 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1952 what may in practice come out of the SSL library - which at the time of
1953 writing is poorly documented. */
1954
1955 case ACLC_ENCRYPTED:
1956 if (tls_cipher == NULL) rc = FAIL; else
1957 {
1958 uschar *endcipher = NULL;
1959 uschar *cipher = Ustrchr(tls_cipher, ':');
1960 if (cipher == NULL) cipher = tls_cipher; else
1961 {
1962 endcipher = Ustrchr(++cipher, ':');
1963 if (endcipher != NULL) *endcipher = 0;
1964 }
1965 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
1966 if (endcipher != NULL) *endcipher = ':';
1967 }
1968 break;
1969
1970 /* Use verify_check_this_host() instead of verify_check_host() so that
1971 we can pass over &host_data to catch any looked up data. Once it has been
1972 set, it retains its value so that it's still there if another ACL verb
1973 comes through here and uses the cache. However, we must put it into
1974 permanent store in case it is also expected to be used in a subsequent
1975 message in the same SMTP connection. */
1976
1977 case ACLC_HOSTS:
1978 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
1979 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
1980 if (host_data != NULL) host_data = string_copy_malloc(host_data);
1981 break;
1982
1983 case ACLC_LOCAL_PARTS:
1984 rc = match_isinlist(addr->cc_local_part, &arg, 0,
1985 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
1986 &deliver_localpart_data);
1987 break;
1988
1989 case ACLC_LOGWRITE:
1990 {
1991 int logbits = 0;
1992 uschar *s = arg;
1993 if (*s == ':')
1994 {
1995 s++;
1996 while (*s != ':')
1997 {
1998 if (Ustrncmp(s, "main", 4) == 0)
1999 { logbits |= LOG_MAIN; s += 4; }
2000 else if (Ustrncmp(s, "panic", 5) == 0)
2001 { logbits |= LOG_PANIC; s += 5; }
2002 else if (Ustrncmp(s, "reject", 6) == 0)
2003 { logbits |= LOG_REJECT; s += 6; }
2004 else
2005 {
2006 logbits = LOG_MAIN|LOG_PANIC;
2007 s = string_sprintf(":unknown log name in \"%s\" in "
2008 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2009 }
2010 if (*s == ',') s++;
2011 }
2012 s++;
2013 }
2014 while (isspace(*s)) s++;
2015 if (logbits == 0) logbits = LOG_MAIN;
2016 log_write(0, logbits, "%s", string_printing(s));
2017 }
2018 break;
8e669ac1 2019
8523533c
TK		 2020#ifdef WITH_CONTENT_SCAN
2021 case ACLC_MALWARE:
2022 {
2023 /* Seperate the regular expression and any optional parameters. */
2024 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2025 /* Run the malware backend. */
2026 rc = malware(&ss);
2027 /* Modify return code based upon the existance of options. */
2028 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2029 != NULL) {
2030 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2031 {
2032 /* FAIL so that the message is passed to the next ACL */
2033 rc = FAIL;
2034 }
2035 }
2036 }
2037 break;
2038
2039 case ACLC_MIME_REGEX:
2040 rc = mime_regex(&arg);
2041 break;
2042#endif
059ec3d9
PH		 2043
2044 case ACLC_RECIPIENTS:
2045 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2046 &recipient_data);
2047 break;
2048
8523533c
TK		 2049#ifdef WITH_CONTENT_SCAN
2050 case ACLC_REGEX:
2051 rc = regex(&arg);
2052 break;
2053#endif
2054
059ec3d9
PH		 2055 case ACLC_SENDER_DOMAINS:
2056 {
2057 uschar *sdomain;
2058 sdomain = Ustrrchr(sender_address, '@');
2059 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2060 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2061 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2062 }
2063 break;
2064
2065 case ACLC_SENDERS:
2066 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2067 sender_address_cache, -1, 0, &sender_data);
2068 break;
2069
2070 /* Connection variables must persist forever */
2071
2072 case ACLC_SET:
2073 {
2074 int old_pool = store_pool;
2075 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2076 acl_var[cb->u.varnumber] = string_copy(arg);
2077 store_pool = old_pool;
2078 }
2079 break;
2080
8523533c
TK		 2081#ifdef WITH_CONTENT_SCAN
2082 case ACLC_SPAM:
2083 {
2084 /* Seperate the regular expression and any optional parameters. */
2085 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2086 /* Run the spam backend. */
2087 rc = spam(&ss);
2088 /* Modify return code based upon the existance of options. */
2089 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2090 != NULL) {
2091 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2092 {
2093 /* FAIL so that the message is passed to the next ACL */
2094 rc = FAIL;
2095 }
2096 }
2097 }
2098 break;
2099#endif
2100
2101#ifdef EXPERIMENTAL_SPF
2102 case ACLC_SPF:
2103 rc = spf_process(&arg, sender_address);
2104 break;
2105#endif
2106
059ec3d9
PH		 2107 /* If the verb is WARN, discard any user message from verification, because
2108 such messages are SMTP responses, not header additions. The latter come
2109 only from explicit "message" modifiers. */
2110
2111 case ACLC_VERIFY:
2112 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2113 if (verb == ACL_WARN) *user_msgptr = NULL;
2114 break;
2115
2116 default:
2117 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2118 "condition %d", cb->type);
2119 break;
2120 }
2121
2122 /* If a condition was negated, invert OK/FAIL. */
2123
2124 if (!cond_modifiers[cb->type] && cb->u.negated)
2125 {
2126 if (rc == OK) rc = FAIL;
2127 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2128 }
2129
2130 if (rc != OK) break; /* Conditions loop */
2131 }
2132
2133
2134/* If the result is the one for which "message" and/or "log_message" are used,
2135handle the values of these options. Most verbs have but a single return for
2136which the messages are relevant, but for "discard", it's useful to have the log
2137message both when it succeeds and when it fails. Also, for an "accept" that
2138appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2139and "warn" are permitted in that ACL, we don't need to test the verb.
2140
2141These modifiers act in different ways:
2142
2143"message" is a user message that will be included in an SMTP response. Unless
2144it is empty, it overrides any previously set user message.
2145
2146"log_message" is a non-user message, and it adds to any existing non-user
2147message that is already set.
2148
2149If there isn't a log message set, we make it the same as the user message. */
2150
2151if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2152 (verb == ACL_DISCARD && rc == OK) ||
2153 (where == ACL_WHERE_QUIT))
2154 {
2155 uschar *expmessage;
2156
2157 /* If the verb is "warn", messages generated by conditions (verification or
2158 nested ACLs) are discarded. Only messages specified at this level are used.
2159 However, the value of an existing message is available in $acl_verify_message
2160 during expansions. */
2161
2162 uschar *old_user_msgptr = *user_msgptr;
2163 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2164
2165 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2166
2167 if (user_message != NULL)
2168 {
2169 acl_verify_message = old_user_msgptr;
2170 expmessage = expand_string(user_message);
2171 if (expmessage == NULL)
2172 {
2173 if (!expand_string_forcedfail)
2174 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2175 user_message, expand_string_message);
2176 }
2177 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2178 }
2179
2180 if (log_message != NULL)
2181 {
2182 acl_verify_message = old_log_msgptr;
2183 expmessage = expand_string(log_message);
2184 if (expmessage == NULL)
2185 {
2186 if (!expand_string_forcedfail)
2187 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2188 log_message, expand_string_message);
2189 }
2190 else if (expmessage[0] != 0)
2191 {
2192 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2193 string_sprintf("%s: %s", expmessage, *log_msgptr);
2194 }
2195 }
2196
2197 /* If no log message, default it to the user message */
2198
2199 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2200 }
2201
2202acl_verify_message = NULL;
2203return rc;
2204}
2205
2206
2207
2208
2209
2210/*************************************************
2211* Get line from a literal ACL *
2212*************************************************/
2213
2214/* This function is passed to acl_read() in order to extract individual lines
2215of a literal ACL, which we access via static pointers. We can destroy the
2216contents because this is called only once (the compiled ACL is remembered).
2217
2218This code is intended to treat the data in the same way as lines in the main
2219Exim configuration file. That is:
2220
2221 . Leading spaces are ignored.
2222
2223 . A \ at the end of a line is a continuation - trailing spaces after the \
2224 are permitted (this is because I don't believe in making invisible things
2225 significant). Leading spaces on the continued part of a line are ignored.
2226
2227 . Physical lines starting (significantly) with # are totally ignored, and
2228 may appear within a sequence of backslash-continued lines.
2229
2230 . Blank lines are ignored, but will end a sequence of continuations.
2231
2232Arguments: none
2233Returns: a pointer to the next line
2234*/
2235
2236
2237static uschar *acl_text; /* Current pointer in the text */
2238static uschar *acl_text_end; /* Points one past the terminating '0' */
2239
2240
2241static uschar *
2242acl_getline(void)
2243{
2244uschar *yield;
2245
2246/* This loop handles leading blank lines and comments. */
2247
2248for(;;)
2249 {
2250 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2251 if (*acl_text == 0) return NULL; /* No more data */
2252 yield = acl_text; /* Potential data line */
2253
2254 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2255
2256 /* If we hit the end before a newline, we have the whole logical line. If
2257 it's a comment, there's no more data to be given. Otherwise, yield it. */
2258
2259 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2260
2261 /* After reaching a newline, end this loop if the physical line does not
2262 start with '#'. If it does, it's a comment, and the loop continues. */
2263
2264 if (*yield != '#') break;
2265 }
2266
2267/* This loop handles continuations. We know we have some real data, ending in
2268newline. See if there is a continuation marker at the end (ignoring trailing
2269white space). We know that *yield is not white space, so no need to test for
2270cont > yield in the backwards scanning loop. */
2271
2272for(;;)
2273 {
2274 uschar *cont;
2275 for (cont = acl_text - 1; isspace(*cont); cont--);
2276
2277 /* If no continuation follows, we are done. Mark the end of the line and
2278 return it. */
2279
2280 if (*cont != '\\')
2281 {
2282 *acl_text++ = 0;
2283 return yield;
2284 }
2285
2286 /* We have encountered a continuation. Skip over whitespace at the start of
2287 the next line, and indeed the whole of the next line or lines if they are
2288 comment lines. */
2289
2290 for (;;)
2291 {
2292 while (*(++acl_text) == ' ' || *acl_text == '\t');
2293 if (*acl_text != '#') break;
2294 while (*(++acl_text) != 0 && *acl_text != '\n');
2295 }
2296
2297 /* We have the start of a continuation line. Move all the rest of the data
2298 to join onto the previous line, and then find its end. If the end is not a
2299 newline, we are done. Otherwise loop to look for another continuation. */
2300
2301 memmove(cont, acl_text, acl_text_end - acl_text);
2302 acl_text_end -= acl_text - cont;
2303 acl_text = cont;
2304 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2305 if (*acl_text == 0) return yield;
2306 }
2307
2308/* Control does not reach here */
2309}
2310
2311
2312
2313
2314
2315/*************************************************
2316* Check access using an ACL *
2317*************************************************/
2318
2319/* This function is called from address_check. It may recurse via
2320acl_check_condition() - hence the use of a level to stop looping. The ACL is
2321passed as a string which is expanded. A forced failure implies no access check
2322is required. If the result is a single word, it is taken as the name of an ACL
2323which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2324text, complete with newlines, and parsed as such. In both cases, the ACL check
2325is then run. This function uses an auxiliary function for acl_read() to call
2326for reading individual lines of a literal ACL. This is acl_getline(), which
2327appears immediately above.
2328
2329Arguments:
2330 where where called from
2331 addr address item when called from RCPT; otherwise NULL
2332 s the input string; NULL is the same as an empty ACL => DENY
2333 level the nesting level
2334 user_msgptr where to put a user error (for SMTP response)
2335 log_msgptr where to put a logging message (not for SMTP response)
2336
2337Returns: OK access is granted
2338 DISCARD access is apparently granted...
2339 FAIL access is denied
2340 FAIL_DROP access is denied; drop the connection
2341 DEFER can't tell at the moment
2342 ERROR disaster
2343*/
2344
2345static int
2346acl_check_internal(int where, address_item *addr, uschar *s, int level,
2347 uschar **user_msgptr, uschar **log_msgptr)
2348{
2349int fd = -1;
2350acl_block *acl = NULL;
2351uschar *acl_name = US"inline ACL";
2352uschar *ss;
2353
2354/* Catch configuration loops */
2355
2356if (level > 20)
2357 {
2358 *log_msgptr = US"ACL nested too deep: possible loop";
2359 return ERROR;
2360 }
2361
2362if (s == NULL)
2363 {
2364 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2365 return FAIL;
2366 }
2367
2368/* At top level, we expand the incoming string. At lower levels, it has already
2369been expanded as part of condition processing. */
2370
2371if (level == 0)
2372 {
2373 ss = expand_string(s);
2374 if (ss == NULL)
2375 {
2376 if (expand_string_forcedfail) return OK;
2377 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2378 expand_string_message);
2379 return ERROR;
2380 }
2381 }
2382else ss = s;
2383
2384while (isspace(*ss))ss++;
2385
2386/* If we can't find a named ACL, the default is to parse it as an inline one.
2387(Unless it begins with a slash; non-existent files give rise to an error.) */
2388
2389acl_text = ss;
2390
2391/* Handle the case of a string that does not contain any spaces. Look for a
2392named ACL among those read from the configuration, or a previously read file.
2393It is possible that the pointer to the ACL is NULL if the configuration
2394contains a name with no data. If not found, and the text begins with '/',
2395read an ACL from a file, and save it so it can be re-used. */
2396
2397if (Ustrchr(ss, ' ') == NULL)
2398 {
2399 tree_node *t = tree_search(acl_anchor, ss);
2400 if (t != NULL)
2401 {
2402 acl = (acl_block *)(t->data.ptr);
2403 if (acl == NULL)
2404 {
2405 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2406 return FAIL;
2407 }
2408 acl_name = string_sprintf("ACL \"%s\"", ss);
2409 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2410 }
2411
2412 else if (*ss == '/')
2413 {
2414 struct stat statbuf;
2415 fd = Uopen(ss, O_RDONLY, 0);
2416 if (fd < 0)
2417 {
2418 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2419 strerror(errno));
2420 return ERROR;
2421 }
2422
2423 if (fstat(fd, &statbuf) != 0)
2424 {
2425 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2426 strerror(errno));
2427 return ERROR;
2428 }
2429
2430 acl_text = store_get(statbuf.st_size + 1);
2431 acl_text_end = acl_text + statbuf.st_size + 1;
2432
2433 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2434 {
2435 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2436 ss, strerror(errno));
2437 return ERROR;
2438 }
2439 acl_text[statbuf.st_size] = 0;
2440 close(fd);
2441
2442 acl_name = string_sprintf("ACL \"%s\"", ss);
2443 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2444 }
2445 }
2446
2447/* Parse an ACL that is still in text form. If it came from a file, remember it
2448in the ACL tree, having read it into the POOL_PERM store pool so that it
2449persists between multiple messages. */
2450
2451if (acl == NULL)
2452 {
2453 int old_pool = store_pool;
2454 if (fd >= 0) store_pool = POOL_PERM;
2455 acl = acl_read(acl_getline, log_msgptr);
2456 store_pool = old_pool;
2457 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2458 if (fd >= 0)
2459 {
2460 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2461 Ustrcpy(t->name, ss);
2462 t->data.ptr = acl;
2463 (void)tree_insertnode(&acl_anchor, t);
2464 }
2465 }
2466
2467/* Now we have an ACL to use. It's possible it may be NULL. */
2468
2469while (acl != NULL)
2470 {
2471 int cond;
2472 int basic_errno = 0;
2473 BOOL endpass_seen = FALSE;
2474
2475 *log_msgptr = *user_msgptr = NULL;
2476 acl_temp_details = FALSE;
2477
2478 if (where == ACL_WHERE_QUIT &&
2479 acl->verb != ACL_ACCEPT &&
2480 acl->verb != ACL_WARN)
2481 {
2482 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2483 verbs[acl->verb]);
2484 return ERROR;
2485 }
2486
2487 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2488
2489 /* Clear out any search error message from a previous check before testing
2490 this condition. */
2491
2492 search_error_message = NULL;
2493 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2494 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2495
2496 /* Handle special returns: DEFER causes a return except on a WARN verb;
2497 ERROR always causes a return. */
2498
2499 switch (cond)
2500 {
2501 case DEFER:
2502 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2503 if (basic_errno != ERRNO_CALLOUTDEFER)
2504 {
2505 if (search_error_message != NULL && *search_error_message != 0)
2506 *log_msgptr = search_error_message;
2507 if (smtp_return_error_details) acl_temp_details = TRUE;
2508 }
2509 else
2510 {
2511 acl_temp_details = TRUE;
2512 }
2513 if (acl->verb != ACL_WARN) return DEFER;
2514 break;
2515
2516 default: /* Paranoia */
2517 case ERROR:
2518 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2519 return ERROR;
2520
2521 case OK:
2522 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2523 verbs[acl->verb]);
2524 break;
2525
2526 case FAIL:
2527 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2528 break;
2529
2530 /* DISCARD and DROP can happen only from a nested ACL condition, and
2531 DISCARD can happen only for an "accept" or "discard" verb. */
2532
2533 case DISCARD:
2534 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2535 verbs[acl->verb]);
2536 break;
2537
2538 case FAIL_DROP:
2539 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2540 verbs[acl->verb]);
2541 break;
2542 }
2543
2544 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2545 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2546 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2547
2548 switch(acl->verb)
2549 {
2550 case ACL_ACCEPT:
2551 if (cond == OK || cond == DISCARD) return cond;
2552 if (endpass_seen)
2553 {
2554 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2555 return cond;
2556 }
2557 break;
2558
2559 case ACL_DEFER:
2560 if (cond == OK)
2561 {
2562 acl_temp_details = TRUE;
2563 return DEFER;
2564 }
2565 break;
2566
2567 case ACL_DENY:
2568 if (cond == OK) return FAIL;
2569 break;
2570
2571 case ACL_DISCARD:
2572 if (cond == OK || cond == DISCARD) return DISCARD;
2573 if (endpass_seen)
2574 {
2575 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2576 return cond;
2577 }
2578 break;
2579
2580 case ACL_DROP:
2581 if (cond == OK) return FAIL_DROP;
2582 break;
2583
2584 case ACL_REQUIRE:
2585 if (cond != OK) return cond;
2586 break;
2587
2588 case ACL_WARN:
2589 if (cond == OK)
2590 acl_warn(where, *user_msgptr, *log_msgptr);
2591 else if (cond == DEFER)
2592 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2593 "condition test deferred: %s",
2594 (*log_msgptr == NULL)? US"" : *log_msgptr));
2595 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2596 break;
2597
2598 default:
2599 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2600 acl->verb);
2601 break;
2602 }
2603
2604 /* Pass to the next ACL item */
2605
2606 acl = acl->next;
2607 }
2608
2609/* We have reached the end of the ACL. This is an implicit DENY. */
2610
2611HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2612return FAIL;
2613}
2614
2615
2616/*************************************************
2617* Check access using an ACL *
2618*************************************************/
2619
2620/* This is the external interface for ACL checks. It sets up an address and the
2621expansions for $domain and $local_part when called after RCPT, then calls
2622acl_check_internal() to do the actual work.
2623
2624Arguments:
2625 where ACL_WHERE_xxxx indicating where called from
2626 data_string RCPT address, or SMTP command argument, or NULL
2627 s the input string; NULL is the same as an empty ACL => DENY
2628 user_msgptr where to put a user error (for SMTP response)
2629 log_msgptr where to put a logging message (not for SMTP response)
2630
2631Returns: OK access is granted by an ACCEPT verb
2632 DISCARD access is granted by a DISCARD verb
2633 FAIL access is denied
2634 FAIL_DROP access is denied; drop the connection
2635 DEFER can't tell at the moment
2636 ERROR disaster
2637*/
2638
2639int
2640acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2641 uschar **log_msgptr)
2642{
2643int rc;
2644address_item adb;
2645address_item *addr;
2646
2647*user_msgptr = *log_msgptr = NULL;
2648sender_verified_failed = NULL;
2649
2650if (where == ACL_WHERE_RCPT)
2651 {
2652 adb = address_defaults;
2653 addr = &adb;
2654 addr->address = data_string;
2655 if (deliver_split_address(addr) == DEFER)
2656 {
2657 *log_msgptr = US"defer in percent_hack_domains check";
2658 return DEFER;
2659 }
2660 deliver_domain = addr->domain;
2661 deliver_localpart = addr->local_part;
2662 }
2663else
2664 {
2665 addr = NULL;
2666 smtp_command_argument = data_string;
2667 }
2668
2669rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2670
2671smtp_command_argument = deliver_domain =
2a3eea10 2672 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2673
2674/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2675ACL, which is really in the middle of an SMTP command. */
2676
2677if (rc == DISCARD)
2678 {
2679 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2680 {
2681 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2682 "ACL", acl_wherenames[where]);
2683 return ERROR;
2684 }
2685 return DISCARD;
2686 }
2687
2688/* A DROP response is not permitted from MAILAUTH */
2689
2690if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2691 {
2692 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2693 "ACL", acl_wherenames[where]);
2694 return ERROR;
2695 }
2696
2697/* Before giving an error response, take a look at the length of any user
2698message, and split it up into multiple lines if possible. */
2699
2700if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2701 {
2702 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2703 uschar *ss = s;
2704
2705 for (;;)
2706 {
2707 int i = 0;
2708 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2709 if (*ss == 0) break;
2710 if (*ss == '\n')
2711 s = ++ss;
2712 else
2713 {
2714 uschar *t = ss + 1;
2715 uschar *tt = NULL;
2716 while (--t > s + 35)
2717 {
2718 if (*t == ' ')
2719 {
2720 if (t[-1] == ':') { tt = t; break; }
2721 if (tt == NULL) tt = t;
2722 }
2723 }
2724
2725 if (tt == NULL) /* Can't split behind - try ahead */
2726 {
2727 t = ss + 1;
2728 while (*t != 0)
2729 {
2730 if (*t == ' ' || *t == '\n')
2731 { tt = t; break; }
2732 t++;
2733 }
2734 }
2735
2736 if (tt == NULL) break; /* Can't find anywhere to split */
2737 *tt = '\n';
2738 s = ss = tt+1;
2739 }
2740 }
2741 }
2742
2743return rc;
2744}
2745
2746/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.