projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
1. Added Tony F's ${dlfunc expansion, slightly modified (see NewStuff).
[exim.git] / src / src / acl.c
CommitLineData
596875b3 1/* $Cambridge: exim/src/src/acl.c,v 1.25 2005/03/15 15:36:41 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK		 37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
fb2274d4
TK		 48#endif
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
8e669ac1 56#endif
8523533c
TK		 57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK		 73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH		 78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK		 83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK		 89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
fb2274d4
TK		 95#endif
96#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
8523533c
TK		 103#endif
104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK		 106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH		 126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH		 131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK		 139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH		 142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK		 144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK		 148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
fb2274d4
TK		 150#endif
151#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
e715ad22 155 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
8523533c 158#endif
059ec3d9
PH		 159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK		 167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK		 171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK		 175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH		 178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK		 181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH		 187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK		 195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH		 198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK		 200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK		 204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
fb2274d4
TK		 206#endif
207#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
e715ad22 211 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
8523533c 214#endif
059ec3d9
PH		 215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK		 222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK		 227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK		 231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH		 234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK		 237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH		 243 FALSE /* verify */
244};
245
c5fcb476
PH		 246/* Bit map vector of which conditions are not allowed at certain times. For
247each condition, there's a bitmap of dis-allowed times. */
059ec3d9
PH		 248
249static unsigned int cond_forbids[] = {
250 0, /* acl */
8e669ac1 251
059ec3d9
PH		 252 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
253 (1<<ACL_WHERE_HELO),
8e669ac1 254
8523533c 255#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 256 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 257 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
258 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 259 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 260 (1<<ACL_WHERE_MAILAUTH)|
261 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
262 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
263#endif
8e669ac1 264
059ec3d9 265 0, /* condition */
8e669ac1 266
059ec3d9
PH		 267 /* Certain types of control are always allowed, so we let it through
268 always and check in the control processing itself */
8e669ac1 269
059ec3d9 270 0, /* control */
8e669ac1 271
8523533c 272#ifdef WITH_CONTENT_SCAN
3864bb8e 273 (1<<ACL_WHERE_AUTH)| /* decode */
8523533c
TK		 274 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
275 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
276 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
277 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
278 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
279 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
280#endif
281
059ec3d9 282 0, /* delay */
8e669ac1 283
f7b63901 284#ifdef WITH_OLD_DEMIME
3864bb8e 285 (1<<ACL_WHERE_AUTH)| /* demime */
8523533c
TK		 286 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
287 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
288 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
289 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
290 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
291 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
292#endif
8e669ac1 293
fb2274d4 294#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 295 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 296 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
297 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
298 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
299 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
300 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
301 (1<<ACL_WHERE_VRFY),
84330b7b 302
e715ad22 303 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 304 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
305 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
306 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
307 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
308 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
309 (1<<ACL_WHERE_VRFY),
84330b7b 310
e715ad22 311 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 312 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
313 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
314 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
315 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
316 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
317 (1<<ACL_WHERE_VRFY),
84330b7b 318
e715ad22 319 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 320 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
321 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
322 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
323 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
324 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
325 (1<<ACL_WHERE_VRFY),
84330b7b 326
e715ad22 327 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 328 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
329 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
330 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
331 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
332 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
333 (1<<ACL_WHERE_VRFY),
84330b7b 334
e715ad22 335 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 336 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
337 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
338 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
339 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
340 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
341 (1<<ACL_WHERE_VRFY),
342#endif
343
059ec3d9
PH		 344 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
345
346 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* domains */
347 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
348 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
349 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
350 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
351 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
352 (1<<ACL_WHERE_VRFY),
353
354 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
355 (1<<ACL_WHERE_HELO),
8e669ac1 356
059ec3d9 357 0, /* endpass */
8e669ac1 358
059ec3d9
PH		 359 (1<<ACL_WHERE_NOTSMTP), /* hosts */
360
361 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* local_parts */
362 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
363 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
364 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
365 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
366 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
367 (1<<ACL_WHERE_VRFY),
368
369 0, /* log_message */
8e669ac1 370
059ec3d9 371 0, /* logwrite */
8e669ac1 372
8523533c 373#ifdef WITH_CONTENT_SCAN
3864bb8e 374 (1<<ACL_WHERE_AUTH)| /* malware */
8523533c
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
378 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
381#endif
382
059ec3d9
PH		 383 0, /* message */
384
8523533c 385#ifdef WITH_CONTENT_SCAN
3864bb8e 386 (1<<ACL_WHERE_AUTH)| /* mime_regex */
8523533c
TK		 387 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
388 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
390 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_RCPT),
393#endif
394
059ec3d9
PH		 395 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_AUTH)| /* recipients */
396 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_PREDATA)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
400 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
401 (1<<ACL_WHERE_VRFY),
402
8523533c 403#ifdef WITH_CONTENT_SCAN
3864bb8e 404 (1<<ACL_WHERE_AUTH)| /* regex */
8523533c
TK		 405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
82c6549e 410 (1<<ACL_WHERE_VRFY),
8523533c
TK		 411#endif
412
059ec3d9
PH		 413 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
414 (1<<ACL_WHERE_HELO)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
417 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
418
419 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
420 (1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
424
425 0, /* set */
426
8523533c 427#ifdef WITH_CONTENT_SCAN
3864bb8e 428 (1<<ACL_WHERE_AUTH)| /* spam */
8523533c
TK		 429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_MIME),
435#endif
436
437#ifdef EXPERIMENTAL_SPF
438 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
439 (1<<ACL_WHERE_HELO)|
440 (1<<ACL_WHERE_MAILAUTH)|
441 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
442 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
443#endif
444
059ec3d9
PH		 445 /* Certain types of verify are always allowed, so we let it through
446 always and check in the verify function itself */
447
448 0 /* verify */
059ec3d9
PH		 449};
450
451
452/* Return values from decode_control() */
453
8e669ac1 454enum {
8523533c
TK		 455#ifdef EXPERIMENTAL_BRIGHTMAIL
456 CONTROL_BMI_RUN,
fb2274d4
TK		 457#endif
458#ifdef EXPERIMENTAL_DOMAINKEYS
459 CONTROL_DK_VERIFY,
8e669ac1 460#endif
8523533c 461 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 462 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK		 463 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 CONTROL_NO_MBOX_UNSPOOL,
8523533c 466#endif
0f9b0483 467 CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 468
c5fcb476
PH		 469/* Bit map vector of which controls are not allowed at certain times. For
470each control, there's a bitmap of dis-allowed times. For some, it is easier to
471specify the negation of a small number of allowed times. */
472
473static unsigned int control_forbids[] = {
8523533c
TK		 474#ifdef EXPERIMENTAL_BRIGHTMAIL
475 0, /* bmi_run */
476#endif
fb2274d4 477#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 478 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 479#endif
3e11c26b 480
c5fcb476 481 0, /* error */
8e669ac1
PH		 482
483 (unsigned int)
c5fcb476 484 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 485
486 (unsigned int)
c5fcb476 487 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 488
c5fcb476 489 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 490
c5fcb476 491 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH		 492
493 (unsigned int)
c5fcb476
PH		 494 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
495 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 496 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 497
498 (unsigned int)
c5fcb476
PH		 499 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
500 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 501 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 502
503 (unsigned int)
c5fcb476 504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 505 (1<<ACL_WHERE_PREDATA)),
8523533c
TK		 506
507#ifdef WITH_CONTENT_SCAN
8e669ac1 508 (unsigned int)
14d57970 509 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 510 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
511 (1<<ACL_WHERE_MIME)),
8523533c 512#endif
a6c4ab60 513
8e669ac1 514 (unsigned int)
a6c4ab60 515 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 516 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
517 (1<<ACL_WHERE_MIME)),
8523533c 518
c5fcb476
PH		 519 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
520};
521
522/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 523
524typedef struct control_def {
525 uschar *name;
526 int value; /* CONTROL_xxx value */
059ec3d9
PH		 527 BOOL has_option; /* Has /option(s) following */
528} control_def;
529
530static control_def controls_list[] = {
8523533c
TK		 531#ifdef EXPERIMENTAL_BRIGHTMAIL
532 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
fb2274d4
TK		 533#endif
534#ifdef EXPERIMENTAL_DOMAINKEYS
535 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
8523533c 536#endif
c5fcb476
PH		 537 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
538 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
539 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
540 { US"freeze", CONTROL_FREEZE, FALSE},
541 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
542 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
543 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK		 544#ifdef WITH_CONTENT_SCAN
545 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 546#endif
0f9b0483 547 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 548 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH		 549 };
550
551/* Enable recursion between acl_check_internal() and acl_check_condition() */
552
553static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
554 uschar **);
555
556
557/*************************************************
558* Pick out name from list *
559*************************************************/
560
561/* Use a binary chop method
562
563Arguments:
564 name name to find
565 list list of names
566 end size of list
567
568Returns: offset in list, or -1 if not found
569*/
570
571static int
572acl_checkname(uschar *name, uschar **list, int end)
573{
574int start = 0;
575
576while (start < end)
577 {
578 int mid = (start + end)/2;
579 int c = Ustrcmp(name, list[mid]);
580 if (c == 0) return mid;
581 if (c < 0) end = mid; else start = mid + 1;
582 }
583
584return -1;
585}
586
587
588/*************************************************
589* Read and parse one ACL *
590*************************************************/
591
592/* This function is called both from readconf in order to parse the ACLs in the
593configuration file, and also when an ACL is encountered dynamically (e.g. as
594the result of an expansion). It is given a function to call in order to
595retrieve the lines of the ACL. This function handles skipping comments and
596blank lines (where relevant).
597
598Arguments:
599 func function to get next line of ACL
600 error where to put an error message
601
602Returns: pointer to ACL, or NULL
603 NULL can be legal (empty ACL); in this case error will be NULL
604*/
605
606acl_block *
607acl_read(uschar *(*func)(void), uschar **error)
608{
609acl_block *yield = NULL;
610acl_block **lastp = &yield;
611acl_block *this = NULL;
612acl_condition_block *cond;
613acl_condition_block **condp = NULL;
614uschar *s;
615
616*error = NULL;
617
618while ((s = (*func)()) != NULL)
619 {
620 int v, c;
621 BOOL negated = FALSE;
622 uschar *saveline = s;
623 uschar name[64];
624
625 /* Conditions (but not verbs) are allowed to be negated by an initial
626 exclamation mark. */
627
628 while (isspace(*s)) s++;
629 if (*s == '!')
630 {
631 negated = TRUE;
632 s++;
633 }
634
635 /* Read the name of a verb or a condition, or the start of a new ACL */
636
637 s = readconf_readname(name, sizeof(name), s);
638 if (*s == ':')
639 {
640 if (negated || name[0] == 0)
641 {
642 *error = string_sprintf("malformed ACL name in \"%s\"", saveline);
643 return NULL;
644 }
645 break;
646 }
647
648 /* If a verb is unrecognized, it may be another condition or modifier that
649 continues the previous verb. */
650
651 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
652 if (v < 0)
653 {
654 if (this == NULL)
655 {
656 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
657 return NULL;
658 }
659 }
660
661 /* New verb */
662
663 else
664 {
665 if (negated)
666 {
667 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
668 return NULL;
669 }
670 this = store_get(sizeof(acl_block));
671 *lastp = this;
672 lastp = &(this->next);
673 this->next = NULL;
674 this->verb = v;
675 this->condition = NULL;
676 condp = &(this->condition);
677 if (*s == 0) continue; /* No condition on this line */
678 if (*s == '!')
679 {
680 negated = TRUE;
681 s++;
682 }
683 s = readconf_readname(name, sizeof(name), s); /* Condition name */
684 }
685
686 /* Handle a condition or modifier. */
687
688 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
689 if (c < 0)
690 {
691 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
692 saveline);
693 return NULL;
694 }
695
696 /* The modifiers may not be negated */
697
698 if (negated && cond_modifiers[c])
699 {
700 *error = string_sprintf("ACL error: negation is not allowed with "
701 "\"%s\"", conditions[c]);
702 return NULL;
703 }
704
705 /* ENDPASS may occur only with ACCEPT or DISCARD. */
706
707 if (c == ACLC_ENDPASS &&
708 this->verb != ACL_ACCEPT &&
709 this->verb != ACL_DISCARD)
710 {
711 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
712 conditions[c], verbs[this->verb]);
713 return NULL;
714 }
715
716 cond = store_get(sizeof(acl_condition_block));
717 cond->next = NULL;
718 cond->type = c;
719 cond->u.negated = negated;
720
721 *condp = cond;
722 condp = &(cond->next);
723
724 /* The "set" modifier is different in that its argument is "name=value"
725 rather than just a value, and we can check the validity of the name, which
726 gives us a variable number to insert into the data block. */
727
728 if (c == ACLC_SET)
729 {
730 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
731 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
732 {
733 *error = string_sprintf("unrecognized name after \"set\" in ACL "
734 "modifier \"set %s\"", s);
735 return NULL;
736 }
737
738 cond->u.varnumber = s[5] - '0';
739 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
740 s += 6;
741 while (isspace(*s)) s++;
742 }
743
744 /* For "set", we are now positioned for the data. For the others, only
745 "endpass" has no data */
746
747 if (c != ACLC_ENDPASS)
748 {
749 if (*s++ != '=')
750 {
751 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
752 cond_modifiers[c]? US"modifier" : US"condition");
753 return NULL;
754 }
755 while (isspace(*s)) s++;
756 cond->arg = string_copy(s);
757 }
758 }
759
760return yield;
761}
762
763
764
765/*************************************************
766* Handle warnings *
767*************************************************/
768
769/* This function is called when a WARN verb's conditions are true. It adds to
770the message's headers, and/or writes information to the log. In each case, this
771only happens once (per message for headers, per connection for log).
772
773Arguments:
774 where ACL_WHERE_xxxx indicating which ACL this is
775 user_message message for adding to headers
776 log_message message for logging, if different
777
778Returns: nothing
779*/
780
781static void
782acl_warn(int where, uschar *user_message, uschar *log_message)
783{
784int hlen;
785
786if (log_message != NULL && log_message != user_message)
787 {
788 uschar *text;
789 string_item *logged;
790
791 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
792 string_printing(log_message));
793
794 /* If a sender verification has failed, and the log message is "sender verify
795 failed", add the failure message. */
796
797 if (sender_verified_failed != NULL &&
798 sender_verified_failed->message != NULL &&
799 strcmpic(log_message, US"sender verify failed") == 0)
800 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
801
802 /* Search previously logged warnings. They are kept in malloc store so they
803 can be freed at the start of a new message. */
804
805 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
806 if (Ustrcmp(logged->text, text) == 0) break;
807
808 if (logged == NULL)
809 {
810 int length = Ustrlen(text) + 1;
811 log_write(0, LOG_MAIN, "%s", text);
812 logged = store_malloc(sizeof(string_item) + length);
813 logged->text = (uschar *)logged + sizeof(string_item);
814 memcpy(logged->text, text, length);
815 logged->next = acl_warn_logged;
816 acl_warn_logged = logged;
817 }
818 }
819
820/* If there's no user message, we are done. */
821
822if (user_message == NULL) return;
823
824/* If this isn't a message ACL, we can't do anything with a user message.
825Log an error. */
826
827if (where > ACL_WHERE_NOTSMTP)
828 {
829 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
830 "found in a non-message (%s) ACL: cannot specify header lines here: "
831 "message ignored", acl_wherenames[where]);
832 return;
833 }
834
835/* Treat the user message as a sequence of one or more header lines. */
836
837hlen = Ustrlen(user_message);
838if (hlen > 0)
839 {
840 uschar *text, *p, *q;
841
842 /* Add a final newline if not present */
843
844 text = ((user_message)[hlen-1] == '\n')? user_message :
845 string_sprintf("%s\n", user_message);
846
847 /* Loop for multiple header lines, taking care about continuations */
848
849 for (p = q = text; *p != 0; )
850 {
851 uschar *s;
852 int newtype = htype_add_bot;
853 header_line **hptr = &acl_warn_headers;
854
855 /* Find next header line within the string */
856
857 for (;;)
858 {
859 q = Ustrchr(q, '\n');
860 if (*(++q) != ' ' && *q != '\t') break;
861 }
862
863 /* If the line starts with a colon, interpret the instruction for where to
864 add it. This temporarily sets up a new type. */
865
866 if (*p == ':')
867 {
868 if (strncmpic(p, US":after_received:", 16) == 0)
869 {
870 newtype = htype_add_rec;
871 p += 16;
872 }
8523533c
TK		 873 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
874 {
875 newtype = htype_add_rfc;
876 p += 14;
8e669ac1 877 }
059ec3d9
PH		 878 else if (strncmpic(p, US":at_start:", 10) == 0)
879 {
880 newtype = htype_add_top;
881 p += 10;
882 }
883 else if (strncmpic(p, US":at_end:", 8) == 0)
884 {
885 newtype = htype_add_bot;
886 p += 8;
887 }
888 while (*p == ' ' || *p == '\t') p++;
889 }
890
891 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
892 to the front of it. */
893
894 for (s = p; s < q - 1; s++)
895 {
896 if (*s == ':' || !isgraph(*s)) break;
897 }
898
899 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
900 hlen = Ustrlen(s);
901
902 /* See if this line has already been added */
903
904 while (*hptr != NULL)
905 {
906 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
907 hptr = &((*hptr)->next);
908 }
909
910 /* Add if not previously present */
911
912 if (*hptr == NULL)
913 {
914 header_line *h = store_get(sizeof(header_line));
915 h->text = s;
916 h->next = NULL;
917 h->type = newtype;
918 h->slen = hlen;
919 *hptr = h;
920 hptr = &(h->next);
921 }
922
923 /* Advance for next header line within the string */
924
925 p = q;
926 }
927 }
928}
929
930
931
932/*************************************************
933* Verify and check reverse DNS *
934*************************************************/
935
936/* Called from acl_verify() below. We look up the host name(s) of the client IP
937address if this has not yet been done. The host_name_lookup() function checks
938that one of these names resolves to an address list that contains the client IP
939address, so we don't actually have to do the check here.
940
941Arguments:
942 user_msgptr pointer for user message
943 log_msgptr pointer for log message
944
945Returns: OK verification condition succeeded
946 FAIL verification failed
947 DEFER there was a problem verifying
948*/
949
950static int
951acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
952{
953int rc;
954
955user_msgptr = user_msgptr; /* stop compiler warning */
956
957/* Previous success */
958
959if (sender_host_name != NULL) return OK;
960
961/* Previous failure */
962
963if (host_lookup_failed)
964 {
965 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
966 return FAIL;
967 }
968
969/* Need to do a lookup */
970
971HDEBUG(D_acl)
972 debug_printf("looking up host name to force name/address consistency check\n");
973
974if ((rc = host_name_lookup()) != OK)
975 {
976 *log_msgptr = (rc == DEFER)?
977 US"host lookup deferred for reverse lookup check"
978 :
979 string_sprintf("host lookup failed for reverse lookup check%s",
980 host_lookup_msg);
981 return rc; /* DEFER or FAIL */
982 }
983
984host_build_sender_fullhost();
985return OK;
986}
987
988
989
990/*************************************************
991* Handle verification (address & other) *
992*************************************************/
993
994/* This function implements the "verify" condition. It is called when
995encountered in any ACL, because some tests are almost always permitted. Some
996just don't make sense, and always fail (for example, an attempt to test a host
997lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
998
999Arguments:
1000 where where called from
1001 addr the recipient address that the ACL is handling, or NULL
1002 arg the argument of "verify"
1003 user_msgptr pointer for user message
1004 log_msgptr pointer for log message
1005 basic_errno where to put verify errno
1006
1007Returns: OK verification condition succeeded
1008 FAIL verification failed
1009 DEFER there was a problem verifying
1010 ERROR syntax error
1011*/
1012
1013static int
1014acl_verify(int where, address_item *addr, uschar *arg,
1015 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1016{
1017int sep = '/';
1018int callout = -1;
1019int callout_overall = -1;
4deaf07d 1020int callout_connect = -1;
059ec3d9
PH		 1021int verify_options = 0;
1022int rc;
1023BOOL verify_header_sender = FALSE;
1024BOOL defer_ok = FALSE;
1025BOOL callout_defer_ok = FALSE;
1026BOOL no_details = FALSE;
1027address_item *sender_vaddr = NULL;
1028uschar *verify_sender_address = NULL;
1029uschar *pm_mailfrom = NULL;
1030uschar *se_mailfrom = NULL;
596875b3
PH		 1031
1032/* Some of the verify items have slash-separated options; some do not. Diagnose
1033an error if options are given for items that don't expect them. This code has
1034now got very message. Refactoring to use a table would be a good idea one day.
1035*/
1036
1037uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1038uschar *list = arg;
1039uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1040
1041if (ss == NULL) goto BAD_VERIFY;
1042
1043/* Handle name/address consistency verification in a separate function. */
1044
1045if (strcmpic(ss, US"reverse_host_lookup") == 0)
1046 {
596875b3 1047 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1048 if (sender_host_address == NULL) return OK;
1049 return acl_verify_reverse(user_msgptr, log_msgptr);
1050 }
1051
1052/* TLS certificate verification is done at STARTTLS time; here we just
1053test whether it was successful or not. (This is for optional verification; for
1054mandatory verification, the connection doesn't last this long.) */
1055
1056if (strcmpic(ss, US"certificate") == 0)
1057 {
596875b3 1058 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1059 if (tls_certificate_verified) return OK;
1060 *user_msgptr = US"no verified certificate";
1061 return FAIL;
1062 }
1063
1064/* We can test the result of optional HELO verification */
1065
596875b3
PH		 1066if (strcmpic(ss, US"helo") == 0)
1067 {
1068 if (slash != NULL) goto NO_OPTIONS;
1069 return helo_verified? OK : FAIL;
1070 }
059ec3d9 1071
596875b3
PH		 1072/* Check that all relevant header lines have the correct syntax. If there is
1073a syntax error, we return details of the error to the sender if configured to
1074send out full details. (But a "message" setting on the ACL can override, as
1075always). */
059ec3d9 1076
596875b3 1077if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1078 {
596875b3 1079 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1080 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1081 {
1082 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1083 "(only possible in ACL for DATA)", acl_wherenames[where]);
1084 return ERROR;
1085 }
596875b3
PH		 1086 rc = verify_check_headers(log_msgptr);
1087 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1088 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1089 return rc;
1090 }
059ec3d9 1091
059ec3d9 1092
596875b3
PH		 1093/* The remaining verification tests check recipient and sender addresses,
1094either from the envelope or from the header. There are a number of
1095slash-separated options that are common to all of them. */
059ec3d9 1096
059ec3d9 1097
596875b3
PH		 1098/* Check that there is at least one verifiable sender address in the relevant
1099header lines. This can be followed by callout and defer options, just like
1100sender and recipient. */
059ec3d9 1101
596875b3
PH		 1102if (strcmpic(ss, US"header_sender") == 0)
1103 {
1104 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1105 {
1106 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1107 "(only possible in ACL for DATA)", acl_wherenames[where]);
1108 return ERROR;
1109 }
1110 verify_header_sender = TRUE;
059ec3d9
PH		 1111 }
1112
1113/* Otherwise, first item in verify argument must be "sender" or "recipient".
1114In the case of a sender, this can optionally be followed by an address to use
1115in place of the actual sender (rare special-case requirement). */
1116
1117else if (strncmpic(ss, US"sender", 6) == 0)
1118 {
1119 uschar *s = ss + 6;
1120 if (where > ACL_WHERE_NOTSMTP)
1121 {
1122 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1123 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1124 acl_wherenames[where]);
1125 return ERROR;
1126 }
1127 if (*s == 0)
1128 verify_sender_address = sender_address;
1129 else
1130 {
1131 while (isspace(*s)) s++;
1132 if (*s++ != '=') goto BAD_VERIFY;
1133 while (isspace(*s)) s++;
1134 verify_sender_address = string_copy(s);
1135 }
1136 }
1137else
1138 {
1139 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1140 if (addr == NULL)
1141 {
1142 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1143 "(only possible for RCPT)", acl_wherenames[where]);
1144 return ERROR;
1145 }
1146 }
1147
596875b3
PH		 1148/* Remaining items are optional; they apply to sender and recipient
1149verification, including "header sender" verification. */
059ec3d9
PH		 1150
1151while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1152 != NULL)
1153 {
1154 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1155 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1156
1157 /* These two old options are left for backwards compatibility */
1158
1159 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1160 {
1161 callout_defer_ok = TRUE;
1162 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1163 }
1164
1165 else if (strcmpic(ss, US"check_postmaster") == 0)
1166 {
1167 pm_mailfrom = US"";
1168 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1169 }
1170
1171 /* The callout option has a number of sub-options, comma separated */
1172
1173 else if (strncmpic(ss, US"callout", 7) == 0)
1174 {
1175 callout = CALLOUT_TIMEOUT_DEFAULT;
1176 ss += 7;
1177 if (*ss != 0)
1178 {
1179 while (isspace(*ss)) ss++;
1180 if (*ss++ == '=')
1181 {
1182 int optsep = ',';
1183 uschar *opt;
1184 uschar buffer[256];
1185 while (isspace(*ss)) ss++;
8e669ac1
PH		 1186
1187 /* This callout option handling code has become a mess as new options
1188 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1189 kind of table-driven thing. */
8e669ac1 1190
059ec3d9
PH		 1191 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1192 != NULL)
1193 {
1194 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1195 else if (strcmpic(opt, US"no_cache") == 0)
1196 verify_options |= vopt_callout_no_cache;
1197 else if (strcmpic(opt, US"random") == 0)
1198 verify_options |= vopt_callout_random;
1199 else if (strcmpic(opt, US"use_sender") == 0)
1200 verify_options |= vopt_callout_recipsender;
1201 else if (strcmpic(opt, US"use_postmaster") == 0)
1202 verify_options |= vopt_callout_recippmaster;
1203 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1204
1205 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1206 {
1207 if (!verify_header_sender)
1208 {
1209 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1210 "callout option only for verify=header_sender (detected in ACL "
1211 "condition \"%s\")", arg);
1212 return ERROR;
1213 }
1214 opt += 8;
1215 while (isspace(*opt)) opt++;
1216 if (*opt++ != '=')
1217 {
1218 *log_msgptr = string_sprintf("'=' expected after "
1219 "\"mailfrom\" in ACL condition \"%s\"", arg);
1220 return ERROR;
1221 }
1222 while (isspace(*opt)) opt++;
1223 se_mailfrom = string_copy(opt);
1224 }
1225
1226 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1227 {
1228 opt += 19;
1229 while (isspace(*opt)) opt++;
1230 if (*opt++ != '=')
1231 {
1232 *log_msgptr = string_sprintf("'=' expected after "
1233 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1234 return ERROR;
1235 }
1236 while (isspace(*opt)) opt++;
1237 pm_mailfrom = string_copy(opt);
1238 }
1239
1240 else if (strncmpic(opt, US"maxwait", 7) == 0)
1241 {
1242 opt += 7;
1243 while (isspace(*opt)) opt++;
1244 if (*opt++ != '=')
1245 {
1246 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1247 "ACL condition \"%s\"", arg);
1248 return ERROR;
1249 }
1250 while (isspace(*opt)) opt++;
1251 callout_overall = readconf_readtime(opt, 0, FALSE);
1252 if (callout_overall < 0)
1253 {
1254 *log_msgptr = string_sprintf("bad time value in ACL condition "
1255 "\"verify %s\"", arg);
1256 return ERROR;
1257 }
1258 }
4deaf07d
PH		 1259 else if (strncmpic(opt, US"connect", 7) == 0)
1260 {
1261 opt += 7;
1262 while (isspace(*opt)) opt++;
1263 if (*opt++ != '=')
1264 {
1265 *log_msgptr = string_sprintf("'=' expected after "
1266 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1267 return ERROR;
1268 }
1269 while (isspace(*opt)) opt++;
1270 callout_connect = readconf_readtime(opt, 0, FALSE);
1271 if (callout_connect < 0)
1272 {
1273 *log_msgptr = string_sprintf("bad time value in ACL condition "
1274 "\"verify %s\"", arg);
1275 return ERROR;
1276 }
1277 }
059ec3d9
PH		 1278 else /* Plain time is callout connect/command timeout */
1279 {
1280 callout = readconf_readtime(opt, 0, FALSE);
1281 if (callout < 0)
1282 {
1283 *log_msgptr = string_sprintf("bad time value in ACL condition "
1284 "\"verify %s\"", arg);
1285 return ERROR;
1286 }
1287 }
1288 }
1289 }
1290 else
1291 {
1292 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1293 "ACL condition \"%s\"", arg);
1294 return ERROR;
1295 }
1296 }
1297 }
1298
1299 /* Option not recognized */
1300
1301 else
1302 {
1303 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1304 "condition \"verify %s\"", ss, arg);
1305 return ERROR;
1306 }
1307 }
1308
1309if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1310 (vopt_callout_recipsender|vopt_callout_recippmaster))
1311 {
1312 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1313 "for a recipient callout";
1314 return ERROR;
1315 }
1316
1317/* Handle sender-in-header verification. Default the user message to the log
1318message if giving out verification details. */
1319
1320if (verify_header_sender)
1321 {
8e669ac1 1322 int verrno;
059ec3d9 1323 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1324 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1325 &verrno);
1326 if (rc != OK)
8e669ac1 1327 {
fe5b5d0b
PH		 1328 *basic_errno = verrno;
1329 if (smtp_return_error_details)
1330 {
1331 if (*user_msgptr == NULL && *log_msgptr != NULL)
1332 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1333 if (rc == DEFER) acl_temp_details = TRUE;
1334 }
8e669ac1 1335 }
059ec3d9
PH		 1336 }
1337
1338/* Handle a sender address. The default is to verify *the* sender address, but
1339optionally a different address can be given, for special requirements. If the
1340address is empty, we are dealing with a bounce message that has no sender, so
1341we cannot do any checking. If the real sender address gets rewritten during
1342verification (e.g. DNS widening), set the flag to stop it being rewritten again
1343during message reception.
1344
1345A list of verified "sender" addresses is kept to try to avoid doing to much
1346work repetitively when there are multiple recipients in a message and they all
1347require sender verification. However, when callouts are involved, it gets too
1348complicated because different recipients may require different callout options.
1349Therefore, we always do a full sender verify when any kind of callout is
1350specified. Caching elsewhere, for instance in the DNS resolver and in the
1351callout handling, should ensure that this is not terribly inefficient. */
1352
1353else if (verify_sender_address != NULL)
1354 {
1355 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1356 != 0)
1357 {
1358 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1359 "sender verify callout";
1360 return ERROR;
1361 }
1362
1363 sender_vaddr = verify_checked_sender(verify_sender_address);
1364 if (sender_vaddr != NULL && /* Previously checked */
1365 callout <= 0) /* No callout needed this time */
1366 {
1367 /* If the "routed" flag is set, it means that routing worked before, so
1368 this check can give OK (the saved return code value, if set, belongs to a
1369 callout that was done previously). If the "routed" flag is not set, routing
1370 must have failed, so we use the saved return code. */
1371
1372 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1373 {
1374 rc = sender_vaddr->special_action;
1375 *basic_errno = sender_vaddr->basic_errno;
1376 }
1377 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1378 }
1379
1380 /* Do a new verification, and cache the result. The cache is used to avoid
1381 verifying the sender multiple times for multiple RCPTs when callouts are not
1382 specified (see comments above).
1383
1384 The cache is also used on failure to give details in response to the first
1385 RCPT that gets bounced for this reason. However, this can be suppressed by
1386 the no_details option, which sets the flag that says "this detail has already
1387 been sent". The cache normally contains just one address, but there may be
1388 more in esoteric circumstances. */
1389
1390 else
1391 {
1392 BOOL routed = TRUE;
2a3eea10 1393 uschar *save_address_data = deliver_address_data;
8e669ac1 1394
059ec3d9
PH		 1395 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1396 if (no_details) setflag(sender_vaddr, af_sverify_told);
1397 if (verify_sender_address[0] != 0)
1398 {
1399 /* If this is the real sender address, save the unrewritten version
1400 for use later in receive. Otherwise, set a flag so that rewriting the
1401 sender in verify_address() does not update sender_address. */
1402
1403 if (verify_sender_address == sender_address)
1404 sender_address_unrewritten = sender_address;
1405 else
1406 verify_options |= vopt_fake_sender;
1407
1408 /* The recipient, qualify, and expn options are never set in
1409 verify_options. */
1410
1411 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1412 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1413
1414 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1415
1416 if (rc == OK)
1417 {
1418 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1419 {
1420 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1421 verify_sender_address, sender_vaddr->address);
1422 }
1423 else
1424 {
1425 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1426 verify_sender_address);
1427 }
1428 }
1429 else *basic_errno = sender_vaddr->basic_errno;
1430 }
1431 else rc = OK; /* Null sender */
1432
1433 /* Cache the result code */
1434
1435 if (routed) setflag(sender_vaddr, af_verify_routed);
1436 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1437 sender_vaddr->special_action = rc;
1438 sender_vaddr->next = sender_verified_list;
1439 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1440
1441 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1442 the sender verification. */
8e669ac1 1443
2a3eea10 1444 deliver_address_data = save_address_data;
059ec3d9 1445 }
8e669ac1 1446
2a3eea10
PH		 1447 /* Put the sender address_data value into $sender_address_data */
1448
8e669ac1 1449 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1450 }
1451
1452/* A recipient address just gets a straightforward verify; again we must handle
1453the DEFER overrides. */
1454
1455else
1456 {
1457 address_item addr2;
1458
1459 /* We must use a copy of the address for verification, because it might
1460 get rewritten. */
1461
1462 addr2 = *addr;
1463 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1464 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1465 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1466
059ec3d9 1467 *log_msgptr = addr2.message;
8e669ac1 1468 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1469 addr2.user_message : addr2.message;
059ec3d9
PH		 1470 *basic_errno = addr2.basic_errno;
1471
1472 /* Make $address_data visible */
1473 deliver_address_data = addr2.p.address_data;
1474 }
1475
1476/* We have a result from the relevant test. Handle defer overrides first. */
1477
1478if (rc == DEFER && (defer_ok ||
1479 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1480 {
1481 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1482 defer_ok? "defer_ok" : "callout_defer_ok");
1483 rc = OK;
1484 }
1485
1486/* If we've failed a sender, set up a recipient message, and point
1487sender_verified_failed to the address item that actually failed. */
1488
1489if (rc != OK && verify_sender_address != NULL)
1490 {
1491 if (rc != DEFER)
1492 {
1493 *log_msgptr = *user_msgptr = US"Sender verify failed";
1494 }
1495 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1496 {
1497 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1498 }
1499 else
1500 {
1501 *log_msgptr = US"Could not complete sender verify callout";
1502 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1503 *log_msgptr;
1504 }
1505
1506 sender_verified_failed = sender_vaddr;
1507 }
1508
1509/* Verifying an address messes up the values of $domain and $local_part,
1510so reset them before returning if this is a RCPT ACL. */
1511
1512if (addr != NULL)
1513 {
1514 deliver_domain = addr->domain;
1515 deliver_localpart = addr->local_part;
1516 }
1517return rc;
1518
1519/* Syntax errors in the verify argument come here. */
1520
1521BAD_VERIFY:
1522*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 1523 "\"helo\", \"header_syntax\", \"header_sender\" or "
1524 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 1525 "\"verify %s\"", arg);
1526return ERROR;
596875b3
PH		 1527
1528/* Options supplied when not allowed come here */
1529
1530NO_OPTIONS:
1531*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1532 "(this verify item has no options)", arg);
1533return ERROR;
059ec3d9
PH		 1534}
1535
1536
1537
1538
1539/*************************************************
1540* Check argument for control= modifier *
1541*************************************************/
1542
1543/* Called from acl_check_condition() below
1544
1545Arguments:
1546 arg the argument string for control=
1547 pptr set to point to the terminating character
1548 where which ACL we are in
1549 log_msgptr for error messages
1550
1551Returns: CONTROL_xxx value
1552*/
1553
1554static int
1555decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1556{
1557int len;
1558control_def *d;
1559
1560for (d = controls_list;
1561 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1562 d++)
1563 {
1564 len = Ustrlen(d->name);
1565 if (Ustrncmp(d->name, arg, len) == 0) break;
1566 }
1567
1568if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1569 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1570 {
1571 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1572 return CONTROL_ERROR;
1573 }
1574
059ec3d9
PH		 1575*pptr = arg + len;
1576return d->value;
1577}
1578
1579
1580
1581/*************************************************
1582* Handle conditions/modifiers on an ACL item *
1583*************************************************/
1584
1585/* Called from acl_check() below.
1586
1587Arguments:
1588 verb ACL verb
1589 cb ACL condition block - if NULL, result is OK
1590 where where called from
1591 addr the address being checked for RCPT, or NULL
1592 level the nesting level
1593 epp pointer to pass back TRUE if "endpass" encountered
1594 (applies only to "accept" and "discard")
1595 user_msgptr user message pointer
1596 log_msgptr log message pointer
1597 basic_errno pointer to where to put verify error
1598
1599Returns: OK - all conditions are met
1600 DISCARD - an "acl" condition returned DISCARD - only allowed
1601 for "accept" or "discard" verbs
1602 FAIL - at least one condition fails
1603 FAIL_DROP - an "acl" condition returned FAIL_DROP
1604 DEFER - can't tell at the moment (typically, lookup defer,
1605 but can be temporary callout problem)
1606 ERROR - ERROR from nested ACL or expansion failure or other
1607 error
1608*/
1609
1610static int
1611acl_check_condition(int verb, acl_condition_block *cb, int where,
1612 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1613 uschar **log_msgptr, int *basic_errno)
1614{
1615uschar *user_message = NULL;
1616uschar *log_message = NULL;
1617uschar *p;
1618int rc = OK;
8523533c
TK		 1619#ifdef WITH_CONTENT_SCAN
1620int sep = '/';
1621#endif
059ec3d9
PH		 1622
1623for (; cb != NULL; cb = cb->next)
1624 {
1625 uschar *arg;
8e669ac1 1626 int control_type;
059ec3d9
PH		 1627
1628 /* The message and log_message items set up messages to be used in
1629 case of rejection. They are expanded later. */
1630
1631 if (cb->type == ACLC_MESSAGE)
1632 {
1633 user_message = cb->arg;
1634 continue;
1635 }
1636
1637 if (cb->type == ACLC_LOG_MESSAGE)
1638 {
1639 log_message = cb->arg;
1640 continue;
1641 }
1642
1643 /* The endpass "condition" just sets a flag to show it occurred. This is
1644 checked at compile time to be on an "accept" or "discard" item. */
1645
1646 if (cb->type == ACLC_ENDPASS)
1647 {
1648 *epp = TRUE;
1649 continue;
1650 }
1651
1652 /* For other conditions and modifiers, the argument is expanded now for some
1653 of them, but not for all, because expansion happens down in some lower level
1654 checking functions in some cases. */
1655
1656 if (cond_expand_at_top[cb->type])
1657 {
1658 arg = expand_string(cb->arg);
1659 if (arg == NULL)
1660 {
1661 if (expand_string_forcedfail) continue;
1662 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1663 cb->arg, expand_string_message);
1664 return search_find_defer? DEFER : ERROR;
1665 }
1666 }
1667 else arg = cb->arg;
1668
1669 /* Show condition, and expanded condition if it's different */
1670
1671 HDEBUG(D_acl)
1672 {
1673 int lhswidth = 0;
1674 debug_printf("check %s%s %n",
1675 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1676 conditions[cb->type], &lhswidth);
1677
1678 if (cb->type == ACLC_SET)
1679 {
1680 int n = cb->u.varnumber;
1681 int t = (n < ACL_C_MAX)? 'c' : 'm';
1682 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1683 debug_printf("acl_%c%d ", t, n);
1684 lhswidth += 7;
1685 }
1686
1687 debug_printf("= %s\n", cb->arg);
1688
1689 if (arg != cb->arg)
1690 debug_printf("%.*s= %s\n", lhswidth,
1691 US" ", CS arg);
1692 }
1693
1694 /* Check that this condition makes sense at this time */
1695
1696 if ((cond_forbids[cb->type] & (1 << where)) != 0)
1697 {
1698 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
1699 cond_modifiers[cb->type]? "use" : "test",
1700 conditions[cb->type], acl_wherenames[where]);
1701 return ERROR;
1702 }
1703
1704 /* Run the appropriate test for each condition, or take the appropriate
1705 action for the remaining modifiers. */
1706
1707 switch(cb->type)
1708 {
1709 /* A nested ACL that returns "discard" makes sense only for an "accept" or
1710 "discard" verb. */
1711
1712 case ACLC_ACL:
1713 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
1714 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
1715 {
1716 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
1717 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
1718 verbs[verb]);
1719 return ERROR;
1720 }
1721 break;
1722
1723 case ACLC_AUTHENTICATED:
1724 rc = (sender_host_authenticated == NULL)? FAIL :
1725 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
1726 TRUE, NULL);
1727 break;
1728
8523533c
TK		 1729#ifdef EXPERIMENTAL_BRIGHTMAIL
1730 case ACLC_BMI_OPTIN:
1731 {
1732 int old_pool = store_pool;
1733 store_pool = POOL_PERM;
1734 bmi_current_optin = string_copy(arg);
1735 store_pool = old_pool;
1736 }
1737 break;
1738#endif
1739
059ec3d9
PH		 1740 case ACLC_CONDITION:
1741 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
1742 rc = (Uatoi(arg) == 0)? FAIL : OK;
1743 else
1744 rc = (strcmpic(arg, US"no") == 0 ||
1745 strcmpic(arg, US"false") == 0)? FAIL :
1746 (strcmpic(arg, US"yes") == 0 ||
1747 strcmpic(arg, US"true") == 0)? OK : DEFER;
1748 if (rc == DEFER)
1749 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
1750 break;
1751
1752 case ACLC_CONTROL:
c5fcb476
PH		 1753 control_type = decode_control(arg, &p, where, log_msgptr);
1754
8523533c 1755 /* Check if this control makes sense at this time */
c5fcb476
PH		 1756
1757 if ((control_forbids[control_type] & (1 << where)) != 0)
1758 {
1759 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
1760 controls[control_type], acl_wherenames[where]);
1761 return ERROR;
8e669ac1 1762 }
c5fcb476
PH		 1763
1764 switch(control_type)
059ec3d9 1765 {
8523533c
TK		 1766#ifdef EXPERIMENTAL_BRIGHTMAIL
1767 case CONTROL_BMI_RUN:
1768 bmi_run = 1;
1769 break;
1770#endif
fb2274d4
TK		 1771#ifdef EXPERIMENTAL_DOMAINKEYS
1772 case CONTROL_DK_VERIFY:
1773 dk_do_verify = 1;
1774 break;
1775#endif
059ec3d9
PH		 1776 case CONTROL_ERROR:
1777 return ERROR;
1778
1779 case CONTROL_CASEFUL_LOCAL_PART:
1780 deliver_localpart = addr->cc_local_part;
1781 break;
1782
1783 case CONTROL_CASELOWER_LOCAL_PART:
1784 deliver_localpart = addr->lc_local_part;
1785 break;
1786
1787 case CONTROL_ENFORCE_SYNC:
1788 smtp_enforce_sync = TRUE;
1789 break;
1790
1791 case CONTROL_NO_ENFORCE_SYNC:
1792 smtp_enforce_sync = FALSE;
1793 break;
1794
8523533c
TK		 1795#ifdef WITH_CONTENT_SCAN
1796 case CONTROL_NO_MBOX_UNSPOOL:
1797 no_mbox_unspool = TRUE;
1798 break;
1799#endif
1800
059ec3d9
PH		 1801 case CONTROL_NO_MULTILINE:
1802 no_multiline_responses = TRUE;
1803 break;
1804
8523533c
TK		 1805 case CONTROL_FAKEREJECT:
1806 fake_reject = TRUE;
1807 if (*p == '/')
8e669ac1 1808 {
8523533c 1809 uschar *pp = p + 1;
8e669ac1 1810 while (*pp != 0) pp++;
8523533c
TK		 1811 fake_reject_text = expand_string(string_copyn(p+1, pp-p));
1812 p = pp;
1813 }
1814 else
1815 {
1816 /* Explicitly reset to default string */
dc082449 1817 fake_reject_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 1818 }
1819 break;
8523533c 1820
059ec3d9
PH		 1821 case CONTROL_FREEZE:
1822 deliver_freeze = TRUE;
1823 deliver_frozen_at = time(NULL);
1824 break;
1825
1826 case CONTROL_QUEUE_ONLY:
1827 queue_only_policy = TRUE;
1828 break;
1829
1830 case CONTROL_SUBMISSION:
1831 submission_mode = TRUE;
69358f02 1832 while (*p == '/')
8e669ac1 1833 {
69358f02
PH		 1834 if (Ustrncmp(p, "/sender_retain", 14) == 0)
1835 {
1836 p += 14;
1837 active_local_sender_retain = TRUE;
8e669ac1
PH		 1838 active_local_from_check = FALSE;
1839 }
69358f02
PH		 1840 else if (Ustrncmp(p, "/domain=", 8) == 0)
1841 {
1842 uschar *pp = p + 8;
8e669ac1 1843 while (*pp != 0 && *pp != '/') pp++;
69358f02 1844 submission_domain = string_copyn(p+8, pp-p);
8e669ac1 1845 p = pp;
69358f02 1846 }
8e669ac1
PH		 1847 else break;
1848 }
69358f02 1849 if (*p != 0)
059ec3d9 1850 {
69358f02 1851 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 1852 return ERROR;
1853 }
1854 break;
1855 }
1856 break;
1857
8523533c
TK		 1858#ifdef WITH_CONTENT_SCAN
1859 case ACLC_DECODE:
1860 rc = mime_decode(&arg);
1861 break;
1862#endif
1863
059ec3d9
PH		 1864 case ACLC_DELAY:
1865 {
1866 int delay = readconf_readtime(arg, 0, FALSE);
1867 if (delay < 0)
1868 {
1869 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
1870 "modifier: \"%s\" is not a time value", arg);
1871 return ERROR;
1872 }
1873 else
1874 {
1875 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
1876 delay);
1877 if (host_checking)
1878 {
1879 HDEBUG(D_acl)
1880 debug_printf("delay skipped in -bh checking mode\n");
1881 }
8e669ac1 1882 else
86b8287f
PH		 1883 {
1884 while (delay > 0) delay = sleep(delay);
8e669ac1 1885 }
059ec3d9
PH		 1886 }
1887 }
1888 break;
1889
8523533c
TK		 1890#ifdef WITH_OLD_DEMIME
1891 case ACLC_DEMIME:
1892 rc = demime(&arg);
1893 break;
1894#endif
1895
fb2274d4
TK		 1896#ifdef EXPERIMENTAL_DOMAINKEYS
1897 case ACLC_DK_DOMAIN_SOURCE:
1898 if (dk_verify_block == NULL) { rc = FAIL; break; };
1899 /* check header source of domain against given string */
1900 switch (dk_verify_block->address_source) {
1901 case DK_EXIM_ADDRESS_FROM_FROM:
1902 rc = match_isinlist(US"from", &arg, 0, NULL,
1903 NULL, MCL_STRING, TRUE, NULL);
1904 break;
1905 case DK_EXIM_ADDRESS_FROM_SENDER:
1906 rc = match_isinlist(US"sender", &arg, 0, NULL,
1907 NULL, MCL_STRING, TRUE, NULL);
1908 break;
1909 case DK_EXIM_ADDRESS_NONE:
1910 rc = match_isinlist(US"none", &arg, 0, NULL,
1911 NULL, MCL_STRING, TRUE, NULL);
1912 break;
1913 }
1914 break;
1915 case ACLC_DK_POLICY:
1916 if (dk_verify_block == NULL) { rc = FAIL; break; };
1917 /* check policy against given string, default FAIL */
1918 rc = FAIL;
1919 if (dk_verify_block->signsall)
1920 rc = match_isinlist(US"signsall", &arg, 0, NULL,
1921 NULL, MCL_STRING, TRUE, NULL);
1922 if (dk_verify_block->testing)
1923 rc = match_isinlist(US"testing", &arg, 0, NULL,
1924 NULL, MCL_STRING, TRUE, NULL);
1925 break;
1926 case ACLC_DK_SENDER_DOMAINS:
1927 if (dk_verify_block == NULL) { rc = FAIL; break; };
1928 if (dk_verify_block->domain != NULL)
1929 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
1930 NULL, MCL_DOMAIN, TRUE, NULL);
1931 else rc = FAIL;
1932 break;
1933 case ACLC_DK_SENDER_LOCAL_PARTS:
1934 if (dk_verify_block == NULL) { rc = FAIL; break; };
1935 if (dk_verify_block->local_part != NULL)
1936 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
1937 NULL, MCL_LOCALPART, TRUE, NULL);
1938 else rc = FAIL;
1939 break;
1940 case ACLC_DK_SENDERS:
1941 if (dk_verify_block == NULL) { rc = FAIL; break; };
1942 if (dk_verify_block->address != NULL)
1943 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
1944 else rc = FAIL;
1945 break;
1946 case ACLC_DK_STATUS:
1947 if (dk_verify_block == NULL) { rc = FAIL; break; };
1948 if (dk_verify_block->result > 0) {
1949 switch(dk_verify_block->result) {
1950 case DK_EXIM_RESULT_BAD_FORMAT:
1951 rc = match_isinlist(US"bad format", &arg, 0, NULL,
1952 NULL, MCL_STRING, TRUE, NULL);
1953 break;
1954 case DK_EXIM_RESULT_NO_KEY:
1955 rc = match_isinlist(US"no key", &arg, 0, NULL,
1956 NULL, MCL_STRING, TRUE, NULL);
1957 break;
1958 case DK_EXIM_RESULT_NO_SIGNATURE:
1959 rc = match_isinlist(US"no signature", &arg, 0, NULL,
1960 NULL, MCL_STRING, TRUE, NULL);
1961 break;
1962 case DK_EXIM_RESULT_REVOKED:
1963 rc = match_isinlist(US"revoked", &arg, 0, NULL,
1964 NULL, MCL_STRING, TRUE, NULL);
1965 break;
1966 case DK_EXIM_RESULT_NON_PARTICIPANT:
1967 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
1968 NULL, MCL_STRING, TRUE, NULL);
1969 break;
1970 case DK_EXIM_RESULT_GOOD:
1971 rc = match_isinlist(US"good", &arg, 0, NULL,
1972 NULL, MCL_STRING, TRUE, NULL);
1973 break;
1974 case DK_EXIM_RESULT_BAD:
1975 rc = match_isinlist(US"bad", &arg, 0, NULL,
1976 NULL, MCL_STRING, TRUE, NULL);
1977 break;
1978 }
1979 }
1980 break;
1981#endif
1982
059ec3d9
PH		 1983 case ACLC_DNSLISTS:
1984 rc = verify_check_dnsbl(&arg);
1985 break;
1986
1987 case ACLC_DOMAINS:
1988 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
1989 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
1990 break;
1991
1992 /* The value in tls_cipher is the full cipher name, for example,
1993 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
1994 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
1995 what may in practice come out of the SSL library - which at the time of
1996 writing is poorly documented. */
1997
1998 case ACLC_ENCRYPTED:
1999 if (tls_cipher == NULL) rc = FAIL; else
2000 {
2001 uschar *endcipher = NULL;
2002 uschar *cipher = Ustrchr(tls_cipher, ':');
2003 if (cipher == NULL) cipher = tls_cipher; else
2004 {
2005 endcipher = Ustrchr(++cipher, ':');
2006 if (endcipher != NULL) *endcipher = 0;
2007 }
2008 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2009 if (endcipher != NULL) *endcipher = ':';
2010 }
2011 break;
2012
2013 /* Use verify_check_this_host() instead of verify_check_host() so that
2014 we can pass over &host_data to catch any looked up data. Once it has been
2015 set, it retains its value so that it's still there if another ACL verb
2016 comes through here and uses the cache. However, we must put it into
2017 permanent store in case it is also expected to be used in a subsequent
2018 message in the same SMTP connection. */
2019
2020 case ACLC_HOSTS:
2021 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2022 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2023 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2024 break;
2025
2026 case ACLC_LOCAL_PARTS:
2027 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2028 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2029 &deliver_localpart_data);
2030 break;
2031
2032 case ACLC_LOGWRITE:
2033 {
2034 int logbits = 0;
2035 uschar *s = arg;
2036 if (*s == ':')
2037 {
2038 s++;
2039 while (*s != ':')
2040 {
2041 if (Ustrncmp(s, "main", 4) == 0)
2042 { logbits |= LOG_MAIN; s += 4; }
2043 else if (Ustrncmp(s, "panic", 5) == 0)
2044 { logbits |= LOG_PANIC; s += 5; }
2045 else if (Ustrncmp(s, "reject", 6) == 0)
2046 { logbits |= LOG_REJECT; s += 6; }
2047 else
2048 {
2049 logbits = LOG_MAIN|LOG_PANIC;
2050 s = string_sprintf(":unknown log name in \"%s\" in "
2051 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2052 }
2053 if (*s == ',') s++;
2054 }
2055 s++;
2056 }
2057 while (isspace(*s)) s++;
2058 if (logbits == 0) logbits = LOG_MAIN;
2059 log_write(0, logbits, "%s", string_printing(s));
2060 }
2061 break;
8e669ac1 2062
8523533c
TK		 2063#ifdef WITH_CONTENT_SCAN
2064 case ACLC_MALWARE:
2065 {
2066 /* Seperate the regular expression and any optional parameters. */
2067 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2068 /* Run the malware backend. */
2069 rc = malware(&ss);
2070 /* Modify return code based upon the existance of options. */
2071 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2072 != NULL) {
2073 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2074 {
2075 /* FAIL so that the message is passed to the next ACL */
2076 rc = FAIL;
2077 }
2078 }
2079 }
2080 break;
2081
2082 case ACLC_MIME_REGEX:
2083 rc = mime_regex(&arg);
2084 break;
2085#endif
059ec3d9
PH		 2086
2087 case ACLC_RECIPIENTS:
2088 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2089 &recipient_data);
2090 break;
2091
8523533c
TK		 2092#ifdef WITH_CONTENT_SCAN
2093 case ACLC_REGEX:
2094 rc = regex(&arg);
2095 break;
2096#endif
2097
059ec3d9
PH		 2098 case ACLC_SENDER_DOMAINS:
2099 {
2100 uschar *sdomain;
2101 sdomain = Ustrrchr(sender_address, '@');
2102 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2103 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2104 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2105 }
2106 break;
2107
2108 case ACLC_SENDERS:
2109 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2110 sender_address_cache, -1, 0, &sender_data);
2111 break;
2112
2113 /* Connection variables must persist forever */
2114
2115 case ACLC_SET:
2116 {
2117 int old_pool = store_pool;
2118 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2119 acl_var[cb->u.varnumber] = string_copy(arg);
2120 store_pool = old_pool;
2121 }
2122 break;
2123
8523533c
TK		 2124#ifdef WITH_CONTENT_SCAN
2125 case ACLC_SPAM:
2126 {
2127 /* Seperate the regular expression and any optional parameters. */
2128 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2129 /* Run the spam backend. */
2130 rc = spam(&ss);
2131 /* Modify return code based upon the existance of options. */
2132 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2133 != NULL) {
2134 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2135 {
2136 /* FAIL so that the message is passed to the next ACL */
2137 rc = FAIL;
2138 }
2139 }
2140 }
2141 break;
2142#endif
2143
2144#ifdef EXPERIMENTAL_SPF
2145 case ACLC_SPF:
2146 rc = spf_process(&arg, sender_address);
2147 break;
2148#endif
2149
059ec3d9
PH		 2150 /* If the verb is WARN, discard any user message from verification, because
2151 such messages are SMTP responses, not header additions. The latter come
2152 only from explicit "message" modifiers. */
2153
2154 case ACLC_VERIFY:
2155 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
2156 if (verb == ACL_WARN) *user_msgptr = NULL;
2157 break;
2158
2159 default:
2160 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2161 "condition %d", cb->type);
2162 break;
2163 }
2164
2165 /* If a condition was negated, invert OK/FAIL. */
2166
2167 if (!cond_modifiers[cb->type] && cb->u.negated)
2168 {
2169 if (rc == OK) rc = FAIL;
2170 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2171 }
2172
2173 if (rc != OK) break; /* Conditions loop */
2174 }
2175
2176
2177/* If the result is the one for which "message" and/or "log_message" are used,
2178handle the values of these options. Most verbs have but a single return for
2179which the messages are relevant, but for "discard", it's useful to have the log
2180message both when it succeeds and when it fails. Also, for an "accept" that
2181appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2182and "warn" are permitted in that ACL, we don't need to test the verb.
2183
2184These modifiers act in different ways:
2185
2186"message" is a user message that will be included in an SMTP response. Unless
2187it is empty, it overrides any previously set user message.
2188
2189"log_message" is a non-user message, and it adds to any existing non-user
2190message that is already set.
2191
2192If there isn't a log message set, we make it the same as the user message. */
2193
2194if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2195 (verb == ACL_DISCARD && rc == OK) ||
2196 (where == ACL_WHERE_QUIT))
2197 {
2198 uschar *expmessage;
2199
2200 /* If the verb is "warn", messages generated by conditions (verification or
2201 nested ACLs) are discarded. Only messages specified at this level are used.
2202 However, the value of an existing message is available in $acl_verify_message
2203 during expansions. */
2204
2205 uschar *old_user_msgptr = *user_msgptr;
2206 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2207
2208 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2209
2210 if (user_message != NULL)
2211 {
2212 acl_verify_message = old_user_msgptr;
2213 expmessage = expand_string(user_message);
2214 if (expmessage == NULL)
2215 {
2216 if (!expand_string_forcedfail)
2217 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2218 user_message, expand_string_message);
2219 }
2220 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2221 }
2222
2223 if (log_message != NULL)
2224 {
2225 acl_verify_message = old_log_msgptr;
2226 expmessage = expand_string(log_message);
2227 if (expmessage == NULL)
2228 {
2229 if (!expand_string_forcedfail)
2230 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2231 log_message, expand_string_message);
2232 }
2233 else if (expmessage[0] != 0)
2234 {
2235 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2236 string_sprintf("%s: %s", expmessage, *log_msgptr);
2237 }
2238 }
2239
2240 /* If no log message, default it to the user message */
2241
2242 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2243 }
2244
2245acl_verify_message = NULL;
2246return rc;
2247}
2248
2249
2250
2251
2252
2253/*************************************************
2254* Get line from a literal ACL *
2255*************************************************/
2256
2257/* This function is passed to acl_read() in order to extract individual lines
2258of a literal ACL, which we access via static pointers. We can destroy the
2259contents because this is called only once (the compiled ACL is remembered).
2260
2261This code is intended to treat the data in the same way as lines in the main
2262Exim configuration file. That is:
2263
2264 . Leading spaces are ignored.
2265
2266 . A \ at the end of a line is a continuation - trailing spaces after the \
2267 are permitted (this is because I don't believe in making invisible things
2268 significant). Leading spaces on the continued part of a line are ignored.
2269
2270 . Physical lines starting (significantly) with # are totally ignored, and
2271 may appear within a sequence of backslash-continued lines.
2272
2273 . Blank lines are ignored, but will end a sequence of continuations.
2274
2275Arguments: none
2276Returns: a pointer to the next line
2277*/
2278
2279
2280static uschar *acl_text; /* Current pointer in the text */
2281static uschar *acl_text_end; /* Points one past the terminating '0' */
2282
2283
2284static uschar *
2285acl_getline(void)
2286{
2287uschar *yield;
2288
2289/* This loop handles leading blank lines and comments. */
2290
2291for(;;)
2292 {
2293 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2294 if (*acl_text == 0) return NULL; /* No more data */
2295 yield = acl_text; /* Potential data line */
2296
2297 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2298
2299 /* If we hit the end before a newline, we have the whole logical line. If
2300 it's a comment, there's no more data to be given. Otherwise, yield it. */
2301
2302 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2303
2304 /* After reaching a newline, end this loop if the physical line does not
2305 start with '#'. If it does, it's a comment, and the loop continues. */
2306
2307 if (*yield != '#') break;
2308 }
2309
2310/* This loop handles continuations. We know we have some real data, ending in
2311newline. See if there is a continuation marker at the end (ignoring trailing
2312white space). We know that *yield is not white space, so no need to test for
2313cont > yield in the backwards scanning loop. */
2314
2315for(;;)
2316 {
2317 uschar *cont;
2318 for (cont = acl_text - 1; isspace(*cont); cont--);
2319
2320 /* If no continuation follows, we are done. Mark the end of the line and
2321 return it. */
2322
2323 if (*cont != '\\')
2324 {
2325 *acl_text++ = 0;
2326 return yield;
2327 }
2328
2329 /* We have encountered a continuation. Skip over whitespace at the start of
2330 the next line, and indeed the whole of the next line or lines if they are
2331 comment lines. */
2332
2333 for (;;)
2334 {
2335 while (*(++acl_text) == ' ' || *acl_text == '\t');
2336 if (*acl_text != '#') break;
2337 while (*(++acl_text) != 0 && *acl_text != '\n');
2338 }
2339
2340 /* We have the start of a continuation line. Move all the rest of the data
2341 to join onto the previous line, and then find its end. If the end is not a
2342 newline, we are done. Otherwise loop to look for another continuation. */
2343
2344 memmove(cont, acl_text, acl_text_end - acl_text);
2345 acl_text_end -= acl_text - cont;
2346 acl_text = cont;
2347 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2348 if (*acl_text == 0) return yield;
2349 }
2350
2351/* Control does not reach here */
2352}
2353
2354
2355
2356
2357
2358/*************************************************
2359* Check access using an ACL *
2360*************************************************/
2361
2362/* This function is called from address_check. It may recurse via
2363acl_check_condition() - hence the use of a level to stop looping. The ACL is
2364passed as a string which is expanded. A forced failure implies no access check
2365is required. If the result is a single word, it is taken as the name of an ACL
2366which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2367text, complete with newlines, and parsed as such. In both cases, the ACL check
2368is then run. This function uses an auxiliary function for acl_read() to call
2369for reading individual lines of a literal ACL. This is acl_getline(), which
2370appears immediately above.
2371
2372Arguments:
2373 where where called from
2374 addr address item when called from RCPT; otherwise NULL
2375 s the input string; NULL is the same as an empty ACL => DENY
2376 level the nesting level
2377 user_msgptr where to put a user error (for SMTP response)
2378 log_msgptr where to put a logging message (not for SMTP response)
2379
2380Returns: OK access is granted
2381 DISCARD access is apparently granted...
2382 FAIL access is denied
2383 FAIL_DROP access is denied; drop the connection
2384 DEFER can't tell at the moment
2385 ERROR disaster
2386*/
2387
2388static int
2389acl_check_internal(int where, address_item *addr, uschar *s, int level,
2390 uschar **user_msgptr, uschar **log_msgptr)
2391{
2392int fd = -1;
2393acl_block *acl = NULL;
2394uschar *acl_name = US"inline ACL";
2395uschar *ss;
2396
2397/* Catch configuration loops */
2398
2399if (level > 20)
2400 {
2401 *log_msgptr = US"ACL nested too deep: possible loop";
2402 return ERROR;
2403 }
2404
2405if (s == NULL)
2406 {
2407 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2408 return FAIL;
2409 }
2410
2411/* At top level, we expand the incoming string. At lower levels, it has already
2412been expanded as part of condition processing. */
2413
2414if (level == 0)
2415 {
2416 ss = expand_string(s);
2417 if (ss == NULL)
2418 {
2419 if (expand_string_forcedfail) return OK;
2420 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2421 expand_string_message);
2422 return ERROR;
2423 }
2424 }
2425else ss = s;
2426
2427while (isspace(*ss))ss++;
2428
2429/* If we can't find a named ACL, the default is to parse it as an inline one.
2430(Unless it begins with a slash; non-existent files give rise to an error.) */
2431
2432acl_text = ss;
2433
2434/* Handle the case of a string that does not contain any spaces. Look for a
2435named ACL among those read from the configuration, or a previously read file.
2436It is possible that the pointer to the ACL is NULL if the configuration
2437contains a name with no data. If not found, and the text begins with '/',
2438read an ACL from a file, and save it so it can be re-used. */
2439
2440if (Ustrchr(ss, ' ') == NULL)
2441 {
2442 tree_node *t = tree_search(acl_anchor, ss);
2443 if (t != NULL)
2444 {
2445 acl = (acl_block *)(t->data.ptr);
2446 if (acl == NULL)
2447 {
2448 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2449 return FAIL;
2450 }
2451 acl_name = string_sprintf("ACL \"%s\"", ss);
2452 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2453 }
2454
2455 else if (*ss == '/')
2456 {
2457 struct stat statbuf;
2458 fd = Uopen(ss, O_RDONLY, 0);
2459 if (fd < 0)
2460 {
2461 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2462 strerror(errno));
2463 return ERROR;
2464 }
2465
2466 if (fstat(fd, &statbuf) != 0)
2467 {
2468 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2469 strerror(errno));
2470 return ERROR;
2471 }
2472
2473 acl_text = store_get(statbuf.st_size + 1);
2474 acl_text_end = acl_text + statbuf.st_size + 1;
2475
2476 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2477 {
2478 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2479 ss, strerror(errno));
2480 return ERROR;
2481 }
2482 acl_text[statbuf.st_size] = 0;
2483 close(fd);
2484
2485 acl_name = string_sprintf("ACL \"%s\"", ss);
2486 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2487 }
2488 }
2489
2490/* Parse an ACL that is still in text form. If it came from a file, remember it
2491in the ACL tree, having read it into the POOL_PERM store pool so that it
2492persists between multiple messages. */
2493
2494if (acl == NULL)
2495 {
2496 int old_pool = store_pool;
2497 if (fd >= 0) store_pool = POOL_PERM;
2498 acl = acl_read(acl_getline, log_msgptr);
2499 store_pool = old_pool;
2500 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2501 if (fd >= 0)
2502 {
2503 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2504 Ustrcpy(t->name, ss);
2505 t->data.ptr = acl;
2506 (void)tree_insertnode(&acl_anchor, t);
2507 }
2508 }
2509
2510/* Now we have an ACL to use. It's possible it may be NULL. */
2511
2512while (acl != NULL)
2513 {
2514 int cond;
2515 int basic_errno = 0;
2516 BOOL endpass_seen = FALSE;
2517
2518 *log_msgptr = *user_msgptr = NULL;
2519 acl_temp_details = FALSE;
2520
2521 if (where == ACL_WHERE_QUIT &&
2522 acl->verb != ACL_ACCEPT &&
2523 acl->verb != ACL_WARN)
2524 {
2525 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2526 verbs[acl->verb]);
2527 return ERROR;
2528 }
2529
2530 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2531
2532 /* Clear out any search error message from a previous check before testing
2533 this condition. */
2534
2535 search_error_message = NULL;
2536 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2537 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2538
2539 /* Handle special returns: DEFER causes a return except on a WARN verb;
2540 ERROR always causes a return. */
2541
2542 switch (cond)
2543 {
2544 case DEFER:
2545 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2546 if (basic_errno != ERRNO_CALLOUTDEFER)
2547 {
2548 if (search_error_message != NULL && *search_error_message != 0)
2549 *log_msgptr = search_error_message;
2550 if (smtp_return_error_details) acl_temp_details = TRUE;
2551 }
2552 else
2553 {
2554 acl_temp_details = TRUE;
2555 }
2556 if (acl->verb != ACL_WARN) return DEFER;
2557 break;
2558
2559 default: /* Paranoia */
2560 case ERROR:
2561 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2562 return ERROR;
2563
2564 case OK:
2565 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2566 verbs[acl->verb]);
2567 break;
2568
2569 case FAIL:
2570 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2571 break;
2572
2573 /* DISCARD and DROP can happen only from a nested ACL condition, and
2574 DISCARD can happen only for an "accept" or "discard" verb. */
2575
2576 case DISCARD:
2577 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2578 verbs[acl->verb]);
2579 break;
2580
2581 case FAIL_DROP:
2582 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2583 verbs[acl->verb]);
2584 break;
2585 }
2586
2587 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2588 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2589 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2590
2591 switch(acl->verb)
2592 {
2593 case ACL_ACCEPT:
2594 if (cond == OK || cond == DISCARD) return cond;
2595 if (endpass_seen)
2596 {
2597 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2598 return cond;
2599 }
2600 break;
2601
2602 case ACL_DEFER:
2603 if (cond == OK)
2604 {
2605 acl_temp_details = TRUE;
2606 return DEFER;
2607 }
2608 break;
2609
2610 case ACL_DENY:
2611 if (cond == OK) return FAIL;
2612 break;
2613
2614 case ACL_DISCARD:
2615 if (cond == OK || cond == DISCARD) return DISCARD;
2616 if (endpass_seen)
2617 {
2618 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2619 return cond;
2620 }
2621 break;
2622
2623 case ACL_DROP:
2624 if (cond == OK) return FAIL_DROP;
2625 break;
2626
2627 case ACL_REQUIRE:
2628 if (cond != OK) return cond;
2629 break;
2630
2631 case ACL_WARN:
2632 if (cond == OK)
2633 acl_warn(where, *user_msgptr, *log_msgptr);
2634 else if (cond == DEFER)
2635 acl_warn(where, NULL, string_sprintf("ACL \"warn\" statement skipped: "
2636 "condition test deferred: %s",
2637 (*log_msgptr == NULL)? US"" : *log_msgptr));
2638 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2639 break;
2640
2641 default:
2642 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2643 acl->verb);
2644 break;
2645 }
2646
2647 /* Pass to the next ACL item */
2648
2649 acl = acl->next;
2650 }
2651
2652/* We have reached the end of the ACL. This is an implicit DENY. */
2653
2654HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2655return FAIL;
2656}
2657
2658
2659/*************************************************
2660* Check access using an ACL *
2661*************************************************/
2662
2663/* This is the external interface for ACL checks. It sets up an address and the
2664expansions for $domain and $local_part when called after RCPT, then calls
2665acl_check_internal() to do the actual work.
2666
2667Arguments:
2668 where ACL_WHERE_xxxx indicating where called from
2669 data_string RCPT address, or SMTP command argument, or NULL
2670 s the input string; NULL is the same as an empty ACL => DENY
2671 user_msgptr where to put a user error (for SMTP response)
2672 log_msgptr where to put a logging message (not for SMTP response)
2673
2674Returns: OK access is granted by an ACCEPT verb
2675 DISCARD access is granted by a DISCARD verb
2676 FAIL access is denied
2677 FAIL_DROP access is denied; drop the connection
2678 DEFER can't tell at the moment
2679 ERROR disaster
2680*/
2681
2682int
2683acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
2684 uschar **log_msgptr)
2685{
2686int rc;
2687address_item adb;
2688address_item *addr;
2689
2690*user_msgptr = *log_msgptr = NULL;
2691sender_verified_failed = NULL;
2692
2693if (where == ACL_WHERE_RCPT)
2694 {
2695 adb = address_defaults;
2696 addr = &adb;
2697 addr->address = data_string;
2698 if (deliver_split_address(addr) == DEFER)
2699 {
2700 *log_msgptr = US"defer in percent_hack_domains check";
2701 return DEFER;
2702 }
2703 deliver_domain = addr->domain;
2704 deliver_localpart = addr->local_part;
2705 }
2706else
2707 {
2708 addr = NULL;
2709 smtp_command_argument = data_string;
2710 }
2711
2712rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
2713
2714smtp_command_argument = deliver_domain =
2a3eea10 2715 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH		 2716
2717/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
2718ACL, which is really in the middle of an SMTP command. */
2719
2720if (rc == DISCARD)
2721 {
2722 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
2723 {
2724 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
2725 "ACL", acl_wherenames[where]);
2726 return ERROR;
2727 }
2728 return DISCARD;
2729 }
2730
2731/* A DROP response is not permitted from MAILAUTH */
2732
2733if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
2734 {
2735 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
2736 "ACL", acl_wherenames[where]);
2737 return ERROR;
2738 }
2739
2740/* Before giving an error response, take a look at the length of any user
2741message, and split it up into multiple lines if possible. */
2742
2743if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
2744 {
2745 uschar *s = *user_msgptr = string_copy(*user_msgptr);
2746 uschar *ss = s;
2747
2748 for (;;)
2749 {
2750 int i = 0;
2751 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
2752 if (*ss == 0) break;
2753 if (*ss == '\n')
2754 s = ++ss;
2755 else
2756 {
2757 uschar *t = ss + 1;
2758 uschar *tt = NULL;
2759 while (--t > s + 35)
2760 {
2761 if (*t == ' ')
2762 {
2763 if (t[-1] == ':') { tt = t; break; }
2764 if (tt == NULL) tt = t;
2765 }
2766 }
2767
2768 if (tt == NULL) /* Can't split behind - try ahead */
2769 {
2770 t = ss + 1;
2771 while (*t != 0)
2772 {
2773 if (*t == ' ' || *t == '\n')
2774 { tt = t; break; }
2775 t++;
2776 }
2777 }
2778
2779 if (tt == NULL) break; /* Can't find anywhere to split */
2780 *tt = '\n';
2781 s = ss = tt+1;
2782 }
2783 }
2784 }
2785
2786return rc;
2787}
2788
2789/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.