projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge native DKIM support (from DEVEL_PDKIM)
[exim.git] / src / src / acl.c
CommitLineData
80a47a2c 1/* $Cambridge: exim/src/src/acl.c,v 1.83 2009/06/10 07:34:04 tom Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95 55 ACLC_CONDITION,
c3611384 56 ACLC_CONTINUE,
71fafd95 57 ACLC_CONTROL,
6a8f9482
TK		 58#ifdef EXPERIMENTAL_DCC
59 ACLC_DCC,
60#endif
8523533c
TK		 61#ifdef WITH_CONTENT_SCAN
62 ACLC_DECODE,
63#endif
64 ACLC_DELAY,
65#ifdef WITH_OLD_DEMIME
66 ACLC_DEMIME,
fb2274d4 67#endif
80a47a2c
TK		 68#ifndef DISABLE_DKIM
69 ACLC_DKIM_SIGNER,
70 ACLC_DKIM_STATUS,
8e669ac1 71#endif
71fafd95
PH		 72 ACLC_DNSLISTS,
73 ACLC_DOMAINS,
74 ACLC_ENCRYPTED,
75 ACLC_ENDPASS,
76 ACLC_HOSTS,
77 ACLC_LOCAL_PARTS,
78 ACLC_LOG_MESSAGE,
6ea85e9a 79 ACLC_LOG_REJECT_TARGET,
71fafd95 80 ACLC_LOGWRITE,
8523533c
TK		 81#ifdef WITH_CONTENT_SCAN
82 ACLC_MALWARE,
83#endif
84 ACLC_MESSAGE,
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MIME_REGEX,
87#endif
870f6ba8 88 ACLC_RATELIMIT,
8523533c
TK		 89 ACLC_RECIPIENTS,
90#ifdef WITH_CONTENT_SCAN
91 ACLC_REGEX,
92#endif
71fafd95
PH		 93 ACLC_SENDER_DOMAINS,
94 ACLC_SENDERS,
95 ACLC_SET,
8523533c 96#ifdef WITH_CONTENT_SCAN
8e669ac1 97 ACLC_SPAM,
8523533c
TK		 98#endif
99#ifdef EXPERIMENTAL_SPF
100 ACLC_SPF,
65a7d8c3 101 ACLC_SPF_GUESS,
8523533c
TK		 102#endif
103 ACLC_VERIFY };
059ec3d9 104
c3611384
PH		 105/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
106"message", "log_message", "log_reject_target", "logwrite", and "set" are
107modifiers that look like conditions but always return TRUE. They are used for
108their side effects. */
059ec3d9 109
9a26b6b2
PH		 110static uschar *conditions[] = {
111 US"acl",
71fafd95 112 US"add_header",
9a26b6b2 113 US"authenticated",
8523533c
TK		 114#ifdef EXPERIMENTAL_BRIGHTMAIL
115 US"bmi_optin",
116#endif
117 US"condition",
c3611384 118 US"continue",
8e669ac1 119 US"control",
6a8f9482
TK		 120#ifdef EXPERIMENTAL_DCC
121 US"dcc",
122#endif
8523533c
TK		 123#ifdef WITH_CONTENT_SCAN
124 US"decode",
125#endif
126 US"delay",
127#ifdef WITH_OLD_DEMIME
128 US"demime",
fb2274d4 129#endif
80a47a2c
TK		 130#ifndef DISABLE_DKIM
131 US"dkim_signers",
132 US"dkim_status",
8523533c 133#endif
6ea85e9a
PH		 134 US"dnslists",
135 US"domains",
136 US"encrypted",
137 US"endpass",
138 US"hosts",
139 US"local_parts",
140 US"log_message",
141 US"log_reject_target",
142 US"logwrite",
8523533c
TK		 143#ifdef WITH_CONTENT_SCAN
144 US"malware",
145#endif
146 US"message",
147#ifdef WITH_CONTENT_SCAN
148 US"mime_regex",
149#endif
870f6ba8 150 US"ratelimit",
8523533c
TK		 151 US"recipients",
152#ifdef WITH_CONTENT_SCAN
153 US"regex",
154#endif
155 US"sender_domains", US"senders", US"set",
156#ifdef WITH_CONTENT_SCAN
157 US"spam",
158#endif
159#ifdef EXPERIMENTAL_SPF
160 US"spf",
65a7d8c3 161 US"spf_guess",
8523533c 162#endif
059ec3d9 163 US"verify" };
8e669ac1 164
c5fcb476 165
9a26b6b2
PH		 166/* Return values from decode_control(); keep in step with the table of names
167that follows! */
168
169enum {
c46782ef
PH		 170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 172 CONTROL_BMI_RUN,
c46782ef 173 #endif
80a47a2c 174 #ifndef DISABLE_DKIM
f7572e5a
TK		 175 CONTROL_DKIM_VERIFY,
176 #endif
c46782ef
PH		 177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
180 CONTROL_ENFORCE_SYNC,
181 CONTROL_NO_ENFORCE_SYNC,
182 CONTROL_FREEZE,
183 CONTROL_QUEUE_ONLY,
184 CONTROL_SUBMISSION,
185 CONTROL_SUPPRESS_LOCAL_FIXUPS,
186 #ifdef WITH_CONTENT_SCAN
9a26b6b2 187 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 188 #endif
189 CONTROL_FAKEDEFER,
190 CONTROL_FAKEREJECT,
cf8b11a5 191 CONTROL_NO_MULTILINE,
047bdd8c 192 CONTROL_NO_PIPELINING,
4c590bd1
PH		 193 CONTROL_NO_DELAY_FLUSH,
194 CONTROL_NO_CALLOUT_FLUSH
c46782ef 195};
9a26b6b2 196
8800895a
PH		 197/* ACL control names; keep in step with the table above! This list is used for
198turning ids into names. The actual list of recognized names is in the variable
199control_def controls_list[] below. The fact that there are two lists is a mess
200and should be tidied up. */
9a26b6b2
PH		 201
202static uschar *controls[] = {
c46782ef 203 US"allow_auth_unadvertised",
9a26b6b2
PH		 204 #ifdef EXPERIMENTAL_BRIGHTMAIL
205 US"bmi_run",
206 #endif
80a47a2c
TK		 207 #ifndef DISABLE_DKIM
208 US"dkim_disable_verify",
f7572e5a 209 #endif
c46782ef
PH		 210 US"error",
211 US"caseful_local_part",
212 US"caselower_local_part",
213 US"enforce_sync",
214 US"no_enforce_sync",
215 US"freeze",
216 US"queue_only",
217 US"submission",
218 US"suppress_local_fixups",
9a26b6b2
PH		 219 #ifdef WITH_CONTENT_SCAN
220 US"no_mbox_unspool",
221 #endif
cf8b11a5
PH		 222 US"fakedefer",
223 US"fakereject",
aa6dc513 224 US"no_multiline_responses",
cf8b11a5 225 US"no_pipelining",
4c590bd1
PH		 226 US"no_delay_flush",
227 US"no_callout_flush"
c46782ef 228};
059ec3d9 229
047bdd8c 230/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 231at the outer level. In the other cases, expansion already occurs in the
232checking functions. */
233
234static uschar cond_expand_at_top[] = {
235 TRUE, /* acl */
3e536984 236 TRUE, /* add_header */
059ec3d9 237 FALSE, /* authenticated */
8523533c
TK		 238#ifdef EXPERIMENTAL_BRIGHTMAIL
239 TRUE, /* bmi_optin */
8e669ac1 240#endif
059ec3d9 241 TRUE, /* condition */
c3611384 242 TRUE, /* continue */
059ec3d9 243 TRUE, /* control */
6a8f9482
TK		 244#ifdef EXPERIMENTAL_DCC
245 TRUE, /* dcc */
246#endif
8523533c
TK		 247#ifdef WITH_CONTENT_SCAN
248 TRUE, /* decode */
249#endif
059ec3d9 250 TRUE, /* delay */
8523533c
TK		 251#ifdef WITH_OLD_DEMIME
252 TRUE, /* demime */
fb2274d4 253#endif
80a47a2c
TK		 254#ifndef DISABLE_DKIM
255 TRUE, /* dkim_signers */
256 TRUE, /* dkim_status */
8523533c 257#endif
059ec3d9
PH		 258 TRUE, /* dnslists */
259 FALSE, /* domains */
260 FALSE, /* encrypted */
261 TRUE, /* endpass */
262 FALSE, /* hosts */
263 FALSE, /* local_parts */
264 TRUE, /* log_message */
6ea85e9a 265 TRUE, /* log_reject_target */
059ec3d9 266 TRUE, /* logwrite */
8523533c
TK		 267#ifdef WITH_CONTENT_SCAN
268 TRUE, /* malware */
269#endif
059ec3d9 270 TRUE, /* message */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 TRUE, /* mime_regex */
273#endif
870f6ba8 274 TRUE, /* ratelimit */
059ec3d9 275 FALSE, /* recipients */
8523533c
TK		 276#ifdef WITH_CONTENT_SCAN
277 TRUE, /* regex */
278#endif
059ec3d9
PH		 279 FALSE, /* sender_domains */
280 FALSE, /* senders */
281 TRUE, /* set */
8523533c
TK		 282#ifdef WITH_CONTENT_SCAN
283 TRUE, /* spam */
284#endif
285#ifdef EXPERIMENTAL_SPF
286 TRUE, /* spf */
65a7d8c3 287 TRUE, /* spf_guess */
8523533c 288#endif
059ec3d9
PH		 289 TRUE /* verify */
290};
291
292/* Flags to identify the modifiers */
293
294static uschar cond_modifiers[] = {
295 FALSE, /* acl */
3e536984 296 TRUE, /* add_header */
059ec3d9 297 FALSE, /* authenticated */
8523533c
TK		 298#ifdef EXPERIMENTAL_BRIGHTMAIL
299 TRUE, /* bmi_optin */
8e669ac1 300#endif
059ec3d9 301 FALSE, /* condition */
c3611384 302 TRUE, /* continue */
059ec3d9 303 TRUE, /* control */
6a8f9482
TK		 304#ifdef EXPERIMENTAL_DCC
305 FALSE, /* dcc */
306#endif
8523533c
TK		 307#ifdef WITH_CONTENT_SCAN
308 FALSE, /* decode */
309#endif
059ec3d9 310 TRUE, /* delay */
8523533c
TK		 311#ifdef WITH_OLD_DEMIME
312 FALSE, /* demime */
fb2274d4 313#endif
80a47a2c
TK		 314#ifndef DISABLE_DKIM
315 FALSE, /* dkim_signers */
316 FALSE, /* dkim_status */
8523533c 317#endif
059ec3d9
PH		 318 FALSE, /* dnslists */
319 FALSE, /* domains */
320 FALSE, /* encrypted */
321 TRUE, /* endpass */
322 FALSE, /* hosts */
323 FALSE, /* local_parts */
324 TRUE, /* log_message */
6ea85e9a 325 TRUE, /* log_reject_target */
8523533c
TK		 326 TRUE, /* logwrite */
327#ifdef WITH_CONTENT_SCAN
328 FALSE, /* malware */
329#endif
059ec3d9 330 TRUE, /* message */
8523533c
TK		 331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* mime_regex */
333#endif
870f6ba8 334 FALSE, /* ratelimit */
059ec3d9 335 FALSE, /* recipients */
8523533c
TK		 336#ifdef WITH_CONTENT_SCAN
337 FALSE, /* regex */
338#endif
059ec3d9
PH		 339 FALSE, /* sender_domains */
340 FALSE, /* senders */
341 TRUE, /* set */
8523533c
TK		 342#ifdef WITH_CONTENT_SCAN
343 FALSE, /* spam */
344#endif
345#ifdef EXPERIMENTAL_SPF
346 FALSE, /* spf */
65a7d8c3 347 FALSE, /* spf_guess */
8523533c 348#endif
059ec3d9
PH		 349 FALSE /* verify */
350};
351
c3611384 352/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 353times. For each condition and modifier, there's a bitmap of dis-allowed times.
354For some, it is easier to specify the negation of a small number of allowed
355times. */
059ec3d9
PH		 356
357static unsigned int cond_forbids[] = {
358 0, /* acl */
8e669ac1 359
71fafd95 360 (unsigned int)
45b91596 361 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 362 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 363 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
364 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 365
45b91596
PH		 366 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
367 (1<<ACL_WHERE_NOTSMTP_START)|
368 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 369
71fafd95 370 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 371 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 372 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
373 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 374 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 375 (1<<ACL_WHERE_MAILAUTH)|
376 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 377 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
378 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 379 #endif
8e669ac1 380
059ec3d9 381 0, /* condition */
8e669ac1 382
c3611384
PH		 383 0, /* continue */
384
059ec3d9 385 /* Certain types of control are always allowed, so we let it through
2f079f46 386 always and check in the control processing itself. */
8e669ac1 387
059ec3d9 388 0, /* control */
8e669ac1 389
6a8f9482
TK		 390 #ifdef EXPERIMENTAL_DCC
391 (unsigned int)
392 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
393 #endif
394
71fafd95 395 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 396 (unsigned int)
397 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 398 #endif
8523533c 399
8f128379 400 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 401
71fafd95 402 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 403 (unsigned int)
404 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 405 #endif
8e669ac1 406
80a47a2c
TK		 407 #ifndef DISABLE_DKIM
408 (unsigned int)
409 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 410
80a47a2c
TK		 411 (unsigned int)
412 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 413 #endif
fb2274d4 414
45b91596
PH		 415 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
416 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 417
2f079f46
PH		 418 (unsigned int)
419 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 420
45b91596
PH		 421 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
422 (1<<ACL_WHERE_CONNECT)|
423 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 424 (1<<ACL_WHERE_HELO),
8e669ac1 425
059ec3d9 426 0, /* endpass */
8e669ac1 427
45b91596
PH		 428 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
429 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 430
2f079f46
PH		 431 (unsigned int)
432 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 433
434 0, /* log_message */
8e669ac1 435
6ea85e9a
PH		 436 0, /* log_reject_target */
437
059ec3d9 438 0, /* logwrite */
8e669ac1 439
71fafd95 440 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 441 (unsigned int)
442 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 443 #endif
8523533c 444
059ec3d9
PH		 445 0, /* message */
446
71fafd95 447 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 448 (unsigned int)
449 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 450 #endif
8523533c 451
870f6ba8
TF		 452 0, /* ratelimit */
453
2f079f46
PH		 454 (unsigned int)
455 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 456
71fafd95 457 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 458 (unsigned int)
459 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
460 (1<<ACL_WHERE_MIME)),
71fafd95 461 #endif
8523533c 462
059ec3d9
PH		 463 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
464 (1<<ACL_WHERE_HELO)|
465 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
466 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
467 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
468
469 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
470 (1<<ACL_WHERE_HELO)|
471 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
472 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
473 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
474
475 0, /* set */
476
71fafd95 477 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 478 (unsigned int)
479 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 480 #endif
8523533c 481
71fafd95 482 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 483 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
484 (1<<ACL_WHERE_HELO)|
485 (1<<ACL_WHERE_MAILAUTH)|
486 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 487 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
488 (1<<ACL_WHERE_NOTSMTP)|
489 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 490
491 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
492 (1<<ACL_WHERE_HELO)|
493 (1<<ACL_WHERE_MAILAUTH)|
494 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
495 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
496 (1<<ACL_WHERE_NOTSMTP)|
497 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 498 #endif
8523533c 499
059ec3d9
PH		 500 /* Certain types of verify are always allowed, so we let it through
501 always and check in the verify function itself */
502
503 0 /* verify */
059ec3d9
PH		 504};
505
506
c5fcb476
PH		 507/* Bit map vector of which controls are not allowed at certain times. For
508each control, there's a bitmap of dis-allowed times. For some, it is easier to
509specify the negation of a small number of allowed times. */
510
511static unsigned int control_forbids[] = {
c46782ef
PH		 512 (unsigned int)
513 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
514
515 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 516 0, /* bmi_run */
c46782ef
PH		 517 #endif
518
80a47a2c
TK		 519 #ifndef DISABLE_DKIM
520 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 521 (1<<ACL_WHERE_NOTSMTP_START),
522 #endif
523
c5fcb476 524 0, /* error */
8e669ac1
PH		 525
526 (unsigned int)
c5fcb476 527 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 528
529 (unsigned int)
c5fcb476 530 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 531
45b91596
PH		 532 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
533 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 534
45b91596
PH		 535 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
536 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 537
538 (unsigned int)
c5fcb476
PH		 539 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
540 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 541 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 542
543 (unsigned int)
c5fcb476
PH		 544 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
545 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 546 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 547
548 (unsigned int)
c5fcb476 549 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 550 (1<<ACL_WHERE_PREDATA)),
8523533c 551
8800895a
PH		 552 (unsigned int)
553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 554 (1<<ACL_WHERE_PREDATA)|
555 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 556
c46782ef 557 #ifdef WITH_CONTENT_SCAN
8e669ac1 558 (unsigned int)
14d57970 559 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 560 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
561 (1<<ACL_WHERE_MIME)),
c46782ef 562 #endif
a6c4ab60 563
29aba418
TF		 564 (unsigned int)
565 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
566 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
567 (1<<ACL_WHERE_MIME)),
568
8e669ac1 569 (unsigned int)
a6c4ab60 570 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 571 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
572 (1<<ACL_WHERE_MIME)),
8523533c 573
45b91596 574 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 575 (1<<ACL_WHERE_NOTSMTP_START),
576
577 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 578 (1<<ACL_WHERE_NOTSMTP_START),
579
580 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 581 (1<<ACL_WHERE_NOTSMTP_START),
582
583 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 584 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 585};
586
587/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 588
589typedef struct control_def {
590 uschar *name;
591 int value; /* CONTROL_xxx value */
059ec3d9
PH		 592 BOOL has_option; /* Has /option(s) following */
593} control_def;
594
595static control_def controls_list[] = {
c46782ef 596 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 597#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 598 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 599#endif
80a47a2c
TK		 600#ifndef DISABLE_DKIM
601 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 602#endif
c46782ef
PH		 603 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
604 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
605 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
606 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 607 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 608 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 609 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
610 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 611 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 612 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 613#ifdef WITH_CONTENT_SCAN
c46782ef 614 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 615#endif
c46782ef
PH		 616 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
617 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
618 { US"submission", CONTROL_SUBMISSION, TRUE },
619 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 620 };
621
e5a9dba6
PH		 622/* Support data structures for Client SMTP Authorization. acl_verify_csa()
623caches its result in a tree to avoid repeated DNS queries. The result is an
624integer code which is used as an index into the following tables of
625explanatory strings and verification return codes. */
626
627static tree_node *csa_cache = NULL;
628
629enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
630 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
631
632/* The acl_verify_csa() return code is translated into an acl_verify() return
633code using the following table. It is OK unless the client is definitely not
634authorized. This is because CSA is supposed to be optional for sending sites,
635so recipients should not be too strict about checking it - especially because
636DNS problems are quite likely to occur. It's possible to use $csa_status in
637further ACL conditions to distinguish ok, unknown, and defer if required, but
638the aim is to make the usual configuration simple. */
639
640static int csa_return_code[] = {
641 OK, OK, OK, OK,
642 FAIL, FAIL, FAIL, FAIL
643};
644
645static uschar *csa_status_string[] = {
646 US"unknown", US"ok", US"defer", US"defer",
647 US"fail", US"fail", US"fail", US"fail"
648};
649
650static uschar *csa_reason_string[] = {
651 US"unknown",
652 US"ok",
653 US"deferred (SRV lookup failed)",
654 US"deferred (target address lookup failed)",
655 US"failed (explicit authorization required)",
656 US"failed (host name not authorized)",
657 US"failed (no authorized addresses)",
658 US"failed (client address mismatch)"
659};
660
059ec3d9
PH		 661/* Enable recursion between acl_check_internal() and acl_check_condition() */
662
663static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
664 uschar **);
665
666
667/*************************************************
668* Pick out name from list *
669*************************************************/
670
671/* Use a binary chop method
672
673Arguments:
674 name name to find
675 list list of names
676 end size of list
677
678Returns: offset in list, or -1 if not found
679*/
680
681static int
682acl_checkname(uschar *name, uschar **list, int end)
683{
684int start = 0;
685
686while (start < end)
687 {
688 int mid = (start + end)/2;
689 int c = Ustrcmp(name, list[mid]);
690 if (c == 0) return mid;
691 if (c < 0) end = mid; else start = mid + 1;
692 }
693
694return -1;
695}
696
697
698/*************************************************
699* Read and parse one ACL *
700*************************************************/
701
702/* This function is called both from readconf in order to parse the ACLs in the
703configuration file, and also when an ACL is encountered dynamically (e.g. as
704the result of an expansion). It is given a function to call in order to
705retrieve the lines of the ACL. This function handles skipping comments and
706blank lines (where relevant).
707
708Arguments:
709 func function to get next line of ACL
710 error where to put an error message
711
712Returns: pointer to ACL, or NULL
713 NULL can be legal (empty ACL); in this case error will be NULL
714*/
715
716acl_block *
717acl_read(uschar *(*func)(void), uschar **error)
718{
719acl_block *yield = NULL;
720acl_block **lastp = &yield;
721acl_block *this = NULL;
722acl_condition_block *cond;
723acl_condition_block **condp = NULL;
724uschar *s;
725
726*error = NULL;
727
728while ((s = (*func)()) != NULL)
729 {
730 int v, c;
731 BOOL negated = FALSE;
732 uschar *saveline = s;
733 uschar name[64];
734
735 /* Conditions (but not verbs) are allowed to be negated by an initial
736 exclamation mark. */
737
738 while (isspace(*s)) s++;
739 if (*s == '!')
740 {
741 negated = TRUE;
742 s++;
743 }
744
cf00dad6
PH		 745 /* Read the name of a verb or a condition, or the start of a new ACL, which
746 can be started by a name, or by a macro definition. */
059ec3d9
PH		 747
748 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 749 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 750
751 /* If a verb is unrecognized, it may be another condition or modifier that
752 continues the previous verb. */
753
754 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
755 if (v < 0)
756 {
757 if (this == NULL)
758 {
4e167a8c
PH		 759 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
760 saveline);
059ec3d9
PH		 761 return NULL;
762 }
763 }
764
765 /* New verb */
766
767 else
768 {
769 if (negated)
770 {
771 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
772 return NULL;
773 }
774 this = store_get(sizeof(acl_block));
775 *lastp = this;
776 lastp = &(this->next);
777 this->next = NULL;
778 this->verb = v;
779 this->condition = NULL;
780 condp = &(this->condition);
781 if (*s == 0) continue; /* No condition on this line */
782 if (*s == '!')
783 {
784 negated = TRUE;
785 s++;
786 }
787 s = readconf_readname(name, sizeof(name), s); /* Condition name */
788 }
789
790 /* Handle a condition or modifier. */
791
792 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
793 if (c < 0)
794 {
795 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
796 saveline);
797 return NULL;
798 }
799
800 /* The modifiers may not be negated */
801
802 if (negated && cond_modifiers[c])
803 {
804 *error = string_sprintf("ACL error: negation is not allowed with "
805 "\"%s\"", conditions[c]);
806 return NULL;
807 }
808
809 /* ENDPASS may occur only with ACCEPT or DISCARD. */
810
811 if (c == ACLC_ENDPASS &&
812 this->verb != ACL_ACCEPT &&
813 this->verb != ACL_DISCARD)
814 {
815 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
816 conditions[c], verbs[this->verb]);
817 return NULL;
818 }
819
820 cond = store_get(sizeof(acl_condition_block));
821 cond->next = NULL;
822 cond->type = c;
823 cond->u.negated = negated;
824
825 *condp = cond;
826 condp = &(cond->next);
827
828 /* The "set" modifier is different in that its argument is "name=value"
829 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 830 gives us a variable name to insert into the data block. The original ACL
831 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
832 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 833 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
834 After that, we allow alphanumerics and underscores, but the first character
835 after c or m must be a digit or an underscore. This retains backwards
836 compatibility. */
059ec3d9
PH		 837
838 if (c == ACLC_SET)
839 {
47ca6d6c
PH		 840 uschar *endptr;
841
38a0a95f
PH		 842 if (Ustrncmp(s, "acl_c", 5) != 0 &&
843 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 844 {
38a0a95f
PH		 845 *error = string_sprintf("invalid variable name after \"set\" in ACL "
846 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
847 return NULL;
47ca6d6c 848 }
38a0a95f
PH		 849
850 endptr = s + 5;
641cb756
PH		 851 if (!isdigit(*endptr) && *endptr != '_')
852 {
853 *error = string_sprintf("invalid variable name after \"set\" in ACL "
854 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
855 s);
856 return NULL;
857 }
858
38a0a95f 859 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 860 {
38a0a95f
PH		 861 if (!isalnum(*endptr) && *endptr != '_')
862 {
863 *error = string_sprintf("invalid character \"%c\" in variable name "
864 "in ACL modifier \"set %s\"", *endptr, s);
865 return NULL;
866 }
867 endptr++;
47ca6d6c 868 }
47ca6d6c 869
38a0a95f 870 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 871 s = endptr;
059ec3d9
PH		 872 while (isspace(*s)) s++;
873 }
874
875 /* For "set", we are now positioned for the data. For the others, only
876 "endpass" has no data */
877
878 if (c != ACLC_ENDPASS)
879 {
880 if (*s++ != '=')
881 {
882 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
883 cond_modifiers[c]? US"modifier" : US"condition");
884 return NULL;
885 }
886 while (isspace(*s)) s++;
887 cond->arg = string_copy(s);
888 }
889 }
890
891return yield;
892}
893
894
895
71fafd95
PH		 896/*************************************************
897* Set up added header line(s) *
898*************************************************/
899
900/* This function is called by the add_header modifier, and also from acl_warn()
901to implement the now-deprecated way of adding header lines using "message" on a
902"warn" verb. The argument is treated as a sequence of header lines which are
903added to a chain, provided there isn't an identical one already there.
904
905Argument: string of header lines
906Returns: nothing
907*/
908
909static void
910setup_header(uschar *hstring)
911{
912uschar *p, *q;
913int hlen = Ustrlen(hstring);
914
915/* An empty string does nothing; otherwise add a final newline if necessary. */
916
917if (hlen <= 0) return;
918if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
919
920/* Loop for multiple header lines, taking care about continuations */
921
922for (p = q = hstring; *p != 0; )
923 {
924 uschar *s;
925 int newtype = htype_add_bot;
926 header_line **hptr = &acl_added_headers;
927
928 /* Find next header line within the string */
929
930 for (;;)
931 {
932 q = Ustrchr(q, '\n');
933 if (*(++q) != ' ' && *q != '\t') break;
934 }
935
936 /* If the line starts with a colon, interpret the instruction for where to
937 add it. This temporarily sets up a new type. */
938
939 if (*p == ':')
940 {
941 if (strncmpic(p, US":after_received:", 16) == 0)
942 {
943 newtype = htype_add_rec;
944 p += 16;
945 }
946 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
947 {
948 newtype = htype_add_rfc;
949 p += 14;
950 }
951 else if (strncmpic(p, US":at_start:", 10) == 0)
952 {
953 newtype = htype_add_top;
954 p += 10;
955 }
956 else if (strncmpic(p, US":at_end:", 8) == 0)
957 {
958 newtype = htype_add_bot;
959 p += 8;
960 }
961 while (*p == ' ' || *p == '\t') p++;
962 }
963
964 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
965 to the front of it. */
966
967 for (s = p; s < q - 1; s++)
968 {
969 if (*s == ':' || !isgraph(*s)) break;
970 }
971
972 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
973 hlen = Ustrlen(s);
974
975 /* See if this line has already been added */
976
977 while (*hptr != NULL)
978 {
979 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
980 hptr = &((*hptr)->next);
981 }
982
983 /* Add if not previously present */
984
985 if (*hptr == NULL)
986 {
987 header_line *h = store_get(sizeof(header_line));
988 h->text = s;
989 h->next = NULL;
990 h->type = newtype;
991 h->slen = hlen;
992 *hptr = h;
993 hptr = &(h->next);
994 }
995
996 /* Advance for next header line within the string */
997
998 p = q;
999 }
1000}
1001
1002
1003
1004
059ec3d9
PH		 1005/*************************************************
1006* Handle warnings *
1007*************************************************/
1008
1009/* This function is called when a WARN verb's conditions are true. It adds to
1010the message's headers, and/or writes information to the log. In each case, this
1011only happens once (per message for headers, per connection for log).
1012
71fafd95
PH		 1013** NOTE: The header adding action using the "message" setting is historic, and
1014its use is now deprecated. The new add_header modifier should be used instead.
1015
059ec3d9
PH		 1016Arguments:
1017 where ACL_WHERE_xxxx indicating which ACL this is
1018 user_message message for adding to headers
1019 log_message message for logging, if different
1020
1021Returns: nothing
1022*/
1023
1024static void
1025acl_warn(int where, uschar *user_message, uschar *log_message)
1026{
059ec3d9
PH		 1027if (log_message != NULL && log_message != user_message)
1028 {
1029 uschar *text;
1030 string_item *logged;
1031
1032 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1033 string_printing(log_message));
1034
1035 /* If a sender verification has failed, and the log message is "sender verify
1036 failed", add the failure message. */
1037
1038 if (sender_verified_failed != NULL &&
1039 sender_verified_failed->message != NULL &&
1040 strcmpic(log_message, US"sender verify failed") == 0)
1041 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1042
9c7a242c
PH		 1043 /* Search previously logged warnings. They are kept in malloc
1044 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1045
1046 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1047 if (Ustrcmp(logged->text, text) == 0) break;
1048
1049 if (logged == NULL)
1050 {
1051 int length = Ustrlen(text) + 1;
1052 log_write(0, LOG_MAIN, "%s", text);
1053 logged = store_malloc(sizeof(string_item) + length);
1054 logged->text = (uschar *)logged + sizeof(string_item);
1055 memcpy(logged->text, text, length);
1056 logged->next = acl_warn_logged;
1057 acl_warn_logged = logged;
1058 }
1059 }
1060
1061/* If there's no user message, we are done. */
1062
1063if (user_message == NULL) return;
1064
1065/* If this isn't a message ACL, we can't do anything with a user message.
1066Log an error. */
1067
1068if (where > ACL_WHERE_NOTSMTP)
1069 {
1070 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1071 "found in a non-message (%s) ACL: cannot specify header lines here: "
1072 "message ignored", acl_wherenames[where]);
1073 return;
1074 }
1075
71fafd95
PH		 1076/* The code for setting up header lines is now abstracted into a separate
1077function so that it can be used for the add_header modifier as well. */
059ec3d9 1078
71fafd95 1079setup_header(user_message);
059ec3d9
PH		 1080}
1081
1082
1083
1084/*************************************************
1085* Verify and check reverse DNS *
1086*************************************************/
1087
1088/* Called from acl_verify() below. We look up the host name(s) of the client IP
1089address if this has not yet been done. The host_name_lookup() function checks
1090that one of these names resolves to an address list that contains the client IP
1091address, so we don't actually have to do the check here.
1092
1093Arguments:
1094 user_msgptr pointer for user message
1095 log_msgptr pointer for log message
1096
1097Returns: OK verification condition succeeded
1098 FAIL verification failed
1099 DEFER there was a problem verifying
1100*/
1101
1102static int
1103acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1104{
1105int rc;
1106
1107user_msgptr = user_msgptr; /* stop compiler warning */
1108
1109/* Previous success */
1110
1111if (sender_host_name != NULL) return OK;
1112
1113/* Previous failure */
1114
1115if (host_lookup_failed)
1116 {
1117 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1118 return FAIL;
1119 }
1120
1121/* Need to do a lookup */
1122
1123HDEBUG(D_acl)
1124 debug_printf("looking up host name to force name/address consistency check\n");
1125
1126if ((rc = host_name_lookup()) != OK)
1127 {
1128 *log_msgptr = (rc == DEFER)?
1129 US"host lookup deferred for reverse lookup check"
1130 :
1131 string_sprintf("host lookup failed for reverse lookup check%s",
1132 host_lookup_msg);
1133 return rc; /* DEFER or FAIL */
1134 }
1135
1136host_build_sender_fullhost();
1137return OK;
1138}
1139
1140
1141
e5a9dba6
PH		 1142/*************************************************
1143* Check client IP address matches CSA target *
1144*************************************************/
1145
1146/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1147response for address records belonging to the CSA target hostname. The section
1148is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1149If one of the addresses matches the client's IP address, then the client is
1150authorized by CSA. If there are target IP addresses but none of them match
1151then the client is using an unauthorized IP address. If there are no target IP
1152addresses then the client cannot be using an authorized IP address. (This is
1153an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1154
1155Arguments:
1156 dnsa the DNS answer block
1157 dnss a DNS scan block for us to use
1158 reset option specifing what portion to scan, as described above
1159 target the target hostname to use for matching RR names
1160
1161Returns: CSA_OK successfully authorized
1162 CSA_FAIL_MISMATCH addresses found but none matched
1163 CSA_FAIL_NOADDR no target addresses found
1164*/
1165
1166static int
1167acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1168 uschar *target)
1169{
1170dns_record *rr;
1171dns_address *da;
1172
1173BOOL target_found = FALSE;
1174
1175for (rr = dns_next_rr(dnsa, dnss, reset);
1176 rr != NULL;
1177 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1178 {
1179 /* Check this is an address RR for the target hostname. */
1180
1181 if (rr->type != T_A
1182 #if HAVE_IPV6
1183 && rr->type != T_AAAA
1184 #ifdef SUPPORT_A6
1185 && rr->type != T_A6
1186 #endif
1187 #endif
1188 ) continue;
1189
1190 if (strcmpic(target, rr->name) != 0) continue;
1191
1192 target_found = TRUE;
1193
1194 /* Turn the target address RR into a list of textual IP addresses and scan
1195 the list. There may be more than one if it is an A6 RR. */
1196
1197 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1198 {
1199 /* If the client IP address matches the target IP address, it's good! */
1200
1201 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1202
1203 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1204 }
1205 }
1206
1207/* If we found some target addresses but none of them matched, the client is
1208using an unauthorized IP address, otherwise the target has no authorized IP
1209addresses. */
1210
1211if (target_found) return CSA_FAIL_MISMATCH;
1212else return CSA_FAIL_NOADDR;
1213}
1214
1215
1216
1217/*************************************************
1218* Verify Client SMTP Authorization *
1219*************************************************/
1220
1221/* Called from acl_verify() below. This routine calls dns_lookup_special()
1222to find the CSA SRV record corresponding to the domain argument, or
1223$sender_helo_name if no argument is provided. It then checks that the
1224client is authorized, and that its IP address corresponds to the SRV
1225target's address by calling acl_verify_csa_address() above. The address
1226should have been returned in the DNS response's ADDITIONAL section, but if
1227not we perform another DNS lookup to get it.
1228
1229Arguments:
1230 domain pointer to optional parameter following verify = csa
1231
1232Returns: CSA_UNKNOWN no valid CSA record found
1233 CSA_OK successfully authorized
1234 CSA_FAIL_* client is definitely not authorized
1235 CSA_DEFER_* there was a DNS problem
1236*/
1237
1238static int
1239acl_verify_csa(uschar *domain)
1240{
1241tree_node *t;
1242uschar *found, *p;
1243int priority, weight, port;
1244dns_answer dnsa;
1245dns_scan dnss;
1246dns_record *rr;
1247int rc, type;
1248uschar target[256];
1249
1250/* Work out the domain we are using for the CSA lookup. The default is the
1251client's HELO domain. If the client has not said HELO, use its IP address
1252instead. If it's a local client (exim -bs), CSA isn't applicable. */
1253
1254while (isspace(*domain) && *domain != '\0') ++domain;
1255if (*domain == '\0') domain = sender_helo_name;
1256if (domain == NULL) domain = sender_host_address;
1257if (sender_host_address == NULL) return CSA_UNKNOWN;
1258
1259/* If we have an address literal, strip off the framing ready for turning it
1260into a domain. The framing consists of matched square brackets possibly
1261containing a keyword and a colon before the actual IP address. */
1262
1263if (domain[0] == '[')
1264 {
1265 uschar *start = Ustrchr(domain, ':');
1266 if (start == NULL) start = domain;
1267 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1268 }
1269
1270/* Turn domains that look like bare IP addresses into domains in the reverse
1271DNS. This code also deals with address literals and $sender_host_address. It's
1272not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1273address literals, but it's probably the most friendly thing to do. This is an
1274extension to CSA, so we allow it to be turned off for proper conformance. */
1275
7e66e54d 1276if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1277 {
1278 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1279 dns_build_reverse(domain, target);
1280 domain = target;
1281 }
1282
1283/* Find out if we've already done the CSA check for this domain. If we have,
1284return the same result again. Otherwise build a new cached result structure
1285for this domain. The name is filled in now, and the value is filled in when
1286we return from this function. */
1287
1288t = tree_search(csa_cache, domain);
1289if (t != NULL) return t->data.val;
1290
1291t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1292Ustrcpy(t->name, domain);
1293(void)tree_insertnode(&csa_cache, t);
1294
1295/* Now we are ready to do the actual DNS lookup(s). */
1296
28e6ef29 1297found = domain;
e5a9dba6
PH		 1298switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1299 {
1300 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1301
1302 default:
1303 return t->data.val = CSA_DEFER_SRV;
1304
1305 /* If we found nothing, the client's authorization is unknown. */
1306
1307 case DNS_NOMATCH:
1308 case DNS_NODATA:
1309 return t->data.val = CSA_UNKNOWN;
1310
1311 /* We got something! Go on to look at the reply in more detail. */
1312
1313 case DNS_SUCCEED:
1314 break;
1315 }
1316
1317/* Scan the reply for well-formed CSA SRV records. */
1318
1319for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1320 rr != NULL;
1321 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1322 {
1323 if (rr->type != T_SRV) continue;
1324
1325 /* Extract the numerical SRV fields (p is incremented) */
1326
1327 p = rr->data;
1328 GETSHORT(priority, p);
1329 GETSHORT(weight, p);
1330 GETSHORT(port, p);
1331
1332 DEBUG(D_acl)
1333 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1334
1335 /* Check the CSA version number */
1336
1337 if (priority != 1) continue;
1338
1339 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1340 found by dns_special_lookup() is a parent of the one we asked for), we check
1341 the subdomain assertions in the port field. At the moment there's only one
1342 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1343 SRV records of their own. */
1344
1345 if (found != domain)
1346 {
1347 if (port & 1)
1348 return t->data.val = CSA_FAIL_EXPLICIT;
1349 else
1350 return t->data.val = CSA_UNKNOWN;
1351 }
1352
1353 /* This CSA SRV record refers directly to our domain, so we check the value
1354 in the weight field to work out the domain's authorization. 0 and 1 are
1355 unauthorized; 3 means the client is authorized but we can't check the IP
1356 address in order to authenticate it, so we treat it as unknown; values
1357 greater than 3 are undefined. */
1358
1359 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1360
1361 if (weight > 2) continue;
1362
1363 /* Weight == 2, which means the domain is authorized. We must check that the
1364 client's IP address is listed as one of the SRV target addresses. Save the
1365 target hostname then break to scan the additional data for its addresses. */
1366
1367 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1368 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1369
1370 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1371
1372 break;
1373 }
1374
1375/* If we didn't break the loop then no appropriate records were found. */
1376
1377if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1378
1379/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1380A target of "." indicates there are no valid addresses, so the client cannot
1381be authorized. (This is an odd configuration because weight=2 target=. is
1382equivalent to weight=1, but we check for it in order to keep load off the
1383root name servers.) Note that dn_expand() turns "." into "". */
1384
1385if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1386
1387/* Scan the additional section of the CSA SRV reply for addresses belonging
1388to the target. If the name server didn't return any additional data (e.g.
1389because it does not fully support SRV records), we need to do another lookup
1390to obtain the target addresses; otherwise we have a definitive result. */
1391
1392rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1393if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1394
1395/* The DNS lookup type corresponds to the IP version used by the client. */
1396
1397#if HAVE_IPV6
1398if (Ustrchr(sender_host_address, ':') != NULL)
1399 type = T_AAAA;
1400else
1401#endif /* HAVE_IPV6 */
1402 type = T_A;
1403
1404
1405#if HAVE_IPV6 && defined(SUPPORT_A6)
1406DNS_LOOKUP_AGAIN:
1407#endif
1408
1409switch (dns_lookup(&dnsa, target, type, NULL))
1410 {
1411 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1412
1413 default:
1414 return t->data.val = CSA_DEFER_ADDR;
1415
1416 /* If the query succeeded, scan the addresses and return the result. */
1417
1418 case DNS_SUCCEED:
1419 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1420 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1421 /* else fall through */
1422
1423 /* If the target has no IP addresses, the client cannot have an authorized
1424 IP address. However, if the target site uses A6 records (not AAAA records)
1425 we have to do yet another lookup in order to check them. */
1426
1427 case DNS_NOMATCH:
1428 case DNS_NODATA:
1429
1430 #if HAVE_IPV6 && defined(SUPPORT_A6)
1431 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1432 #endif
1433
1434 return t->data.val = CSA_FAIL_NOADDR;
1435 }
1436}
1437
1438
1439
059ec3d9
PH		 1440/*************************************************
1441* Handle verification (address & other) *
1442*************************************************/
1443
1444/* This function implements the "verify" condition. It is called when
1445encountered in any ACL, because some tests are almost always permitted. Some
1446just don't make sense, and always fail (for example, an attempt to test a host
1447lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1448
1449Arguments:
1450 where where called from
1451 addr the recipient address that the ACL is handling, or NULL
1452 arg the argument of "verify"
1453 user_msgptr pointer for user message
1454 log_msgptr pointer for log message
1455 basic_errno where to put verify errno
1456
1457Returns: OK verification condition succeeded
1458 FAIL verification failed
1459 DEFER there was a problem verifying
1460 ERROR syntax error
1461*/
1462
1463static int
1464acl_verify(int where, address_item *addr, uschar *arg,
1465 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1466{
1467int sep = '/';
1468int callout = -1;
1469int callout_overall = -1;
4deaf07d 1470int callout_connect = -1;
059ec3d9
PH		 1471int verify_options = 0;
1472int rc;
1473BOOL verify_header_sender = FALSE;
1474BOOL defer_ok = FALSE;
1475BOOL callout_defer_ok = FALSE;
1476BOOL no_details = FALSE;
eafd343b 1477BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1478address_item *sender_vaddr = NULL;
1479uschar *verify_sender_address = NULL;
1480uschar *pm_mailfrom = NULL;
1481uschar *se_mailfrom = NULL;
596875b3
PH		 1482
1483/* Some of the verify items have slash-separated options; some do not. Diagnose
1484an error if options are given for items that don't expect them. This code has
1485now got very message. Refactoring to use a table would be a good idea one day.
1486*/
1487
1488uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1489uschar *list = arg;
1490uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1491
1492if (ss == NULL) goto BAD_VERIFY;
1493
1494/* Handle name/address consistency verification in a separate function. */
1495
1496if (strcmpic(ss, US"reverse_host_lookup") == 0)
1497 {
596875b3 1498 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1499 if (sender_host_address == NULL) return OK;
1500 return acl_verify_reverse(user_msgptr, log_msgptr);
1501 }
1502
1503/* TLS certificate verification is done at STARTTLS time; here we just
1504test whether it was successful or not. (This is for optional verification; for
1505mandatory verification, the connection doesn't last this long.) */
1506
1507if (strcmpic(ss, US"certificate") == 0)
1508 {
596875b3 1509 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1510 if (tls_certificate_verified) return OK;
1511 *user_msgptr = US"no verified certificate";
1512 return FAIL;
1513 }
1514
d7b47fd0
PH		 1515/* We can test the result of optional HELO verification that might have
1516occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1517
596875b3
PH		 1518if (strcmpic(ss, US"helo") == 0)
1519 {
1520 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1521 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1522 return helo_verified? OK : FAIL;
596875b3 1523 }
059ec3d9 1524
e5a9dba6
PH		 1525/* Do Client SMTP Authorization checks in a separate function, and turn the
1526result code into user-friendly strings. */
1527
1528if (strcmpic(ss, US"csa") == 0)
1529 {
1530 rc = acl_verify_csa(list);
1531 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1532 csa_reason_string[rc]);
1533 csa_status = csa_status_string[rc];
1534 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1535 return csa_return_code[rc];
1536 }
1537
596875b3
PH		 1538/* Check that all relevant header lines have the correct syntax. If there is
1539a syntax error, we return details of the error to the sender if configured to
1540send out full details. (But a "message" setting on the ACL can override, as
1541always). */
059ec3d9 1542
596875b3 1543if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1544 {
596875b3 1545 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1546 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1547 rc = verify_check_headers(log_msgptr);
1548 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1549 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1550 return rc;
1551 }
059ec3d9 1552
1c41c9cc
PH		 1553/* Check that no recipient of this message is "blind", that is, every envelope
1554recipient must be mentioned in either To: or Cc:. */
1555
1556if (strcmpic(ss, US"not_blind") == 0)
1557 {
1558 if (slash != NULL) goto NO_OPTIONS;
1559 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1560 rc = verify_check_notblind();
1561 if (rc != OK)
1562 {
1563 *log_msgptr = string_sprintf("bcc recipient detected");
1564 if (smtp_return_error_details)
1565 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1566 }
1567 return rc;
1568 }
059ec3d9 1569
596875b3
PH		 1570/* The remaining verification tests check recipient and sender addresses,
1571either from the envelope or from the header. There are a number of
1572slash-separated options that are common to all of them. */
059ec3d9 1573
059ec3d9 1574
596875b3
PH		 1575/* Check that there is at least one verifiable sender address in the relevant
1576header lines. This can be followed by callout and defer options, just like
1577sender and recipient. */
059ec3d9 1578
596875b3
PH		 1579if (strcmpic(ss, US"header_sender") == 0)
1580 {
1c41c9cc 1581 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1582 verify_header_sender = TRUE;
059ec3d9
PH		 1583 }
1584
1585/* Otherwise, first item in verify argument must be "sender" or "recipient".
1586In the case of a sender, this can optionally be followed by an address to use
1587in place of the actual sender (rare special-case requirement). */
1588
1589else if (strncmpic(ss, US"sender", 6) == 0)
1590 {
1591 uschar *s = ss + 6;
1592 if (where > ACL_WHERE_NOTSMTP)
1593 {
1594 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1595 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1596 acl_wherenames[where]);
1597 return ERROR;
1598 }
1599 if (*s == 0)
1600 verify_sender_address = sender_address;
1601 else
1602 {
1603 while (isspace(*s)) s++;
1604 if (*s++ != '=') goto BAD_VERIFY;
1605 while (isspace(*s)) s++;
1606 verify_sender_address = string_copy(s);
1607 }
1608 }
1609else
1610 {
1611 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1612 if (addr == NULL)
1613 {
1614 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1615 "(only possible for RCPT)", acl_wherenames[where]);
1616 return ERROR;
1617 }
1618 }
1619
596875b3
PH		 1620/* Remaining items are optional; they apply to sender and recipient
1621verification, including "header sender" verification. */
059ec3d9
PH		 1622
1623while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1624 != NULL)
1625 {
1626 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1627 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1628 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1629
1630 /* These two old options are left for backwards compatibility */
1631
1632 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1633 {
1634 callout_defer_ok = TRUE;
1635 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1636 }
1637
1638 else if (strcmpic(ss, US"check_postmaster") == 0)
1639 {
1640 pm_mailfrom = US"";
1641 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1642 }
1643
1644 /* The callout option has a number of sub-options, comma separated */
1645
1646 else if (strncmpic(ss, US"callout", 7) == 0)
1647 {
1648 callout = CALLOUT_TIMEOUT_DEFAULT;
1649 ss += 7;
1650 if (*ss != 0)
1651 {
1652 while (isspace(*ss)) ss++;
1653 if (*ss++ == '=')
1654 {
1655 int optsep = ',';
1656 uschar *opt;
1657 uschar buffer[256];
1658 while (isspace(*ss)) ss++;
8e669ac1
PH		 1659
1660 /* This callout option handling code has become a mess as new options
1661 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1662 kind of table-driven thing. */
8e669ac1 1663
059ec3d9
PH		 1664 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1665 != NULL)
1666 {
1667 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1668 else if (strcmpic(opt, US"no_cache") == 0)
1669 verify_options |= vopt_callout_no_cache;
1670 else if (strcmpic(opt, US"random") == 0)
1671 verify_options |= vopt_callout_random;
1672 else if (strcmpic(opt, US"use_sender") == 0)
1673 verify_options |= vopt_callout_recipsender;
1674 else if (strcmpic(opt, US"use_postmaster") == 0)
1675 verify_options |= vopt_callout_recippmaster;
1676 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1677 else if (strcmpic(opt, US"fullpostmaster") == 0)
1678 {
1679 pm_mailfrom = US"";
1680 verify_options |= vopt_callout_fullpm;
1681 }
059ec3d9
PH		 1682
1683 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1684 {
1685 if (!verify_header_sender)
1686 {
1687 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1688 "callout option only for verify=header_sender (detected in ACL "
1689 "condition \"%s\")", arg);
1690 return ERROR;
1691 }
1692 opt += 8;
1693 while (isspace(*opt)) opt++;
1694 if (*opt++ != '=')
1695 {
1696 *log_msgptr = string_sprintf("'=' expected after "
1697 "\"mailfrom\" in ACL condition \"%s\"", arg);
1698 return ERROR;
1699 }
1700 while (isspace(*opt)) opt++;
1701 se_mailfrom = string_copy(opt);
1702 }
1703
1704 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1705 {
1706 opt += 19;
1707 while (isspace(*opt)) opt++;
1708 if (*opt++ != '=')
1709 {
1710 *log_msgptr = string_sprintf("'=' expected after "
1711 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1712 return ERROR;
1713 }
1714 while (isspace(*opt)) opt++;
1715 pm_mailfrom = string_copy(opt);
1716 }
1717
1718 else if (strncmpic(opt, US"maxwait", 7) == 0)
1719 {
1720 opt += 7;
1721 while (isspace(*opt)) opt++;
1722 if (*opt++ != '=')
1723 {
1724 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1725 "ACL condition \"%s\"", arg);
1726 return ERROR;
1727 }
1728 while (isspace(*opt)) opt++;
1729 callout_overall = readconf_readtime(opt, 0, FALSE);
1730 if (callout_overall < 0)
1731 {
1732 *log_msgptr = string_sprintf("bad time value in ACL condition "
1733 "\"verify %s\"", arg);
1734 return ERROR;
1735 }
1736 }
4deaf07d
PH		 1737 else if (strncmpic(opt, US"connect", 7) == 0)
1738 {
1739 opt += 7;
1740 while (isspace(*opt)) opt++;
1741 if (*opt++ != '=')
1742 {
1743 *log_msgptr = string_sprintf("'=' expected after "
1744 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1745 return ERROR;
1746 }
1747 while (isspace(*opt)) opt++;
1748 callout_connect = readconf_readtime(opt, 0, FALSE);
1749 if (callout_connect < 0)
1750 {
1751 *log_msgptr = string_sprintf("bad time value in ACL condition "
1752 "\"verify %s\"", arg);
1753 return ERROR;
1754 }
1755 }
059ec3d9
PH		 1756 else /* Plain time is callout connect/command timeout */
1757 {
1758 callout = readconf_readtime(opt, 0, FALSE);
1759 if (callout < 0)
1760 {
1761 *log_msgptr = string_sprintf("bad time value in ACL condition "
1762 "\"verify %s\"", arg);
1763 return ERROR;
1764 }
1765 }
1766 }
1767 }
1768 else
1769 {
1770 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1771 "ACL condition \"%s\"", arg);
1772 return ERROR;
1773 }
1774 }
1775 }
1776
1777 /* Option not recognized */
1778
1779 else
1780 {
1781 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1782 "condition \"verify %s\"", ss, arg);
1783 return ERROR;
1784 }
1785 }
1786
1787if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1788 (vopt_callout_recipsender|vopt_callout_recippmaster))
1789 {
1790 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1791 "for a recipient callout";
1792 return ERROR;
1793 }
1794
1795/* Handle sender-in-header verification. Default the user message to the log
1796message if giving out verification details. */
1797
1798if (verify_header_sender)
1799 {
8e669ac1 1800 int verrno;
059ec3d9 1801 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1802 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1803 &verrno);
1804 if (rc != OK)
8e669ac1 1805 {
fe5b5d0b
PH		 1806 *basic_errno = verrno;
1807 if (smtp_return_error_details)
1808 {
1809 if (*user_msgptr == NULL && *log_msgptr != NULL)
1810 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1811 if (rc == DEFER) acl_temp_details = TRUE;
1812 }
8e669ac1 1813 }
059ec3d9
PH		 1814 }
1815
1816/* Handle a sender address. The default is to verify *the* sender address, but
1817optionally a different address can be given, for special requirements. If the
1818address is empty, we are dealing with a bounce message that has no sender, so
1819we cannot do any checking. If the real sender address gets rewritten during
1820verification (e.g. DNS widening), set the flag to stop it being rewritten again
1821during message reception.
1822
1823A list of verified "sender" addresses is kept to try to avoid doing to much
1824work repetitively when there are multiple recipients in a message and they all
1825require sender verification. However, when callouts are involved, it gets too
1826complicated because different recipients may require different callout options.
1827Therefore, we always do a full sender verify when any kind of callout is
1828specified. Caching elsewhere, for instance in the DNS resolver and in the
1829callout handling, should ensure that this is not terribly inefficient. */
1830
1831else if (verify_sender_address != NULL)
1832 {
1833 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1834 != 0)
1835 {
1836 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1837 "sender verify callout";
1838 return ERROR;
1839 }
1840
1841 sender_vaddr = verify_checked_sender(verify_sender_address);
1842 if (sender_vaddr != NULL && /* Previously checked */
1843 callout <= 0) /* No callout needed this time */
1844 {
1845 /* If the "routed" flag is set, it means that routing worked before, so
1846 this check can give OK (the saved return code value, if set, belongs to a
1847 callout that was done previously). If the "routed" flag is not set, routing
1848 must have failed, so we use the saved return code. */
1849
1850 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1851 {
1852 rc = sender_vaddr->special_action;
1853 *basic_errno = sender_vaddr->basic_errno;
1854 }
1855 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1856 }
1857
1858 /* Do a new verification, and cache the result. The cache is used to avoid
1859 verifying the sender multiple times for multiple RCPTs when callouts are not
1860 specified (see comments above).
1861
1862 The cache is also used on failure to give details in response to the first
1863 RCPT that gets bounced for this reason. However, this can be suppressed by
1864 the no_details option, which sets the flag that says "this detail has already
1865 been sent". The cache normally contains just one address, but there may be
1866 more in esoteric circumstances. */
1867
1868 else
1869 {
1870 BOOL routed = TRUE;
2a3eea10 1871 uschar *save_address_data = deliver_address_data;
8e669ac1 1872
059ec3d9
PH		 1873 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1874 if (no_details) setflag(sender_vaddr, af_sverify_told);
1875 if (verify_sender_address[0] != 0)
1876 {
1877 /* If this is the real sender address, save the unrewritten version
1878 for use later in receive. Otherwise, set a flag so that rewriting the
1879 sender in verify_address() does not update sender_address. */
1880
1881 if (verify_sender_address == sender_address)
1882 sender_address_unrewritten = sender_address;
1883 else
1884 verify_options |= vopt_fake_sender;
1885
eafd343b
TK		 1886 if (success_on_redirect)
1887 verify_options |= vopt_success_on_redirect;
1888
059ec3d9
PH		 1889 /* The recipient, qualify, and expn options are never set in
1890 verify_options. */
1891
1892 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1893 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1894
1895 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1896
1897 if (rc == OK)
1898 {
1899 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1900 {
1901 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1902 verify_sender_address, sender_vaddr->address);
1903 }
1904 else
1905 {
1906 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1907 verify_sender_address);
1908 }
1909 }
1910 else *basic_errno = sender_vaddr->basic_errno;
1911 }
1912 else rc = OK; /* Null sender */
1913
1914 /* Cache the result code */
1915
1916 if (routed) setflag(sender_vaddr, af_verify_routed);
1917 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1918 sender_vaddr->special_action = rc;
1919 sender_vaddr->next = sender_verified_list;
1920 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1921
1922 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1923 the sender verification. */
8e669ac1 1924
2a3eea10 1925 deliver_address_data = save_address_data;
059ec3d9 1926 }
8e669ac1 1927
2a3eea10
PH		 1928 /* Put the sender address_data value into $sender_address_data */
1929
8e669ac1 1930 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1931 }
1932
1933/* A recipient address just gets a straightforward verify; again we must handle
1934the DEFER overrides. */
1935
1936else
1937 {
1938 address_item addr2;
1939
eafd343b
TK		 1940 if (success_on_redirect)
1941 verify_options |= vopt_success_on_redirect;
1942
059ec3d9
PH		 1943 /* We must use a copy of the address for verification, because it might
1944 get rewritten. */
1945
1946 addr2 = *addr;
1947 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1948 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1949 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1950
42855d71 1951 *basic_errno = addr2.basic_errno;
059ec3d9 1952 *log_msgptr = addr2.message;
8e669ac1 1953 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1954 addr2.user_message : addr2.message;
42855d71
PH		 1955
1956 /* Allow details for temporary error if the address is so flagged. */
1957 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1958
1959 /* Make $address_data visible */
1960 deliver_address_data = addr2.p.address_data;
1961 }
1962
1963/* We have a result from the relevant test. Handle defer overrides first. */
1964
1965if (rc == DEFER && (defer_ok ||
1966 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1967 {
1968 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1969 defer_ok? "defer_ok" : "callout_defer_ok");
1970 rc = OK;
1971 }
1972
1973/* If we've failed a sender, set up a recipient message, and point
1974sender_verified_failed to the address item that actually failed. */
1975
1976if (rc != OK && verify_sender_address != NULL)
1977 {
1978 if (rc != DEFER)
1979 {
1980 *log_msgptr = *user_msgptr = US"Sender verify failed";
1981 }
1982 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1983 {
1984 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1985 }
1986 else
1987 {
1988 *log_msgptr = US"Could not complete sender verify callout";
1989 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1990 *log_msgptr;
1991 }
1992
1993 sender_verified_failed = sender_vaddr;
1994 }
1995
1996/* Verifying an address messes up the values of $domain and $local_part,
1997so reset them before returning if this is a RCPT ACL. */
1998
1999if (addr != NULL)
2000 {
2001 deliver_domain = addr->domain;
2002 deliver_localpart = addr->local_part;
2003 }
2004return rc;
2005
2006/* Syntax errors in the verify argument come here. */
2007
2008BAD_VERIFY:
2009*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2010 "\"helo\", \"header_syntax\", \"header_sender\" or "
2011 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2012 "\"verify %s\"", arg);
2013return ERROR;
596875b3
PH		 2014
2015/* Options supplied when not allowed come here */
2016
2017NO_OPTIONS:
2018*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2019 "(this verify item has no options)", arg);
2020return ERROR;
1c41c9cc
PH		 2021
2022/* Calls in the wrong ACL come here */
2023
2024WRONG_ACL:
2025*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2026 "(only possible in ACL for DATA)", acl_wherenames[where]);
2027return ERROR;
059ec3d9
PH		 2028}
2029
2030
2031
2032
2033/*************************************************
2034* Check argument for control= modifier *
2035*************************************************/
2036
2037/* Called from acl_check_condition() below
2038
2039Arguments:
2040 arg the argument string for control=
2041 pptr set to point to the terminating character
2042 where which ACL we are in
2043 log_msgptr for error messages
2044
2045Returns: CONTROL_xxx value
2046*/
2047
2048static int
2049decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2050{
2051int len;
2052control_def *d;
2053
2054for (d = controls_list;
2055 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2056 d++)
2057 {
2058 len = Ustrlen(d->name);
2059 if (Ustrncmp(d->name, arg, len) == 0) break;
2060 }
2061
2062if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2063 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2064 {
2065 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2066 return CONTROL_ERROR;
2067 }
2068
059ec3d9
PH		 2069*pptr = arg + len;
2070return d->value;
2071}
2072
2073
2074
870f6ba8
TF		 2075/*************************************************
2076* Handle rate limiting *
2077*************************************************/
2078
2079/* Called by acl_check_condition() below to calculate the result
2080of the ACL ratelimit condition.
2081
2082Note that the return value might be slightly unexpected: if the
2083sender's rate is above the limit then the result is OK. This is
2084similar to the dnslists condition, and is so that you can write
2085ACL clauses like: defer ratelimit = 15 / 1h
2086
2087Arguments:
2088 arg the option string for ratelimit=
90fc3069 2089 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2090 log_msgptr for error messages
2091
2092Returns: OK - Sender's rate is above limit
2093 FAIL - Sender's rate is below limit
2094 DEFER - Problem opening ratelimit database
2095 ERROR - Syntax error in options.
2096*/
2097
2098static int
90fc3069 2099acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2100{
2101double limit, period;
8f240103
PH		 2102uschar *ss;
2103uschar *key = NULL;
870f6ba8 2104int sep = '/';
8f240103 2105BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
870f6ba8
TF		 2106BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2107int old_pool, rc;
2108tree_node **anchor, *t;
2109open_db dbblock, *dbm;
2110dbdata_ratelimit *dbd;
2111struct timeval tv;
2112
2113/* Parse the first two options and record their values in expansion
2114variables. These variables allow the configuration to have informative
2115error messages based on rate limits obtained from a table lookup. */
2116
2117/* First is the maximum number of messages per period and maximum burst
2118size, which must be greater than or equal to zero. Zero is useful for
2119rate measurement as opposed to rate limiting. */
2120
2121sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2122if (sender_rate_limit == NULL)
2123 limit = -1.0;
2124else
2125 {
2126 limit = Ustrtod(sender_rate_limit, &ss);
2127 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2128 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2129 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2130 }
2131if (limit < 0.0 || *ss != 0)
2132 {
2133 *log_msgptr = string_sprintf("syntax error in argument for "
2134 "\"ratelimit\" condition: \"%s\" is not a positive number",
2135 sender_rate_limit);
2136 return ERROR;
2137 }
2138
2139/* Second is the rate measurement period and exponential smoothing time
2140constant. This must be strictly greater than zero, because zero leads to
2141run-time division errors. */
2142
2143sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2144if (sender_rate_period == NULL) period = -1.0;
2145else period = readconf_readtime(sender_rate_period, 0, FALSE);
2146if (period <= 0.0)
2147 {
2148 *log_msgptr = string_sprintf("syntax error in argument for "
2149 "\"ratelimit\" condition: \"%s\" is not a time value",
2150 sender_rate_period);
2151 return ERROR;
2152 }
2153
2154/* Parse the other options. Should we check if the per_* options are being
2155used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2156
2157while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2158 != NULL)
2159 {
2160 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2161 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2162 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
870f6ba8 2163 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
8f240103
PH		 2164 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2165 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
870f6ba8
TF		 2166 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2167 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
8f240103 2168 else key = string_sprintf("%s", ss);
870f6ba8 2169 }
8f240103 2170
870f6ba8
TF		 2171if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2172 {
2173 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2174 return ERROR;
2175 }
2176
2177/* Default option values */
8f240103 2178
870f6ba8
TF		 2179if (!strict) leaky = TRUE;
2180if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2181
8f240103
PH		 2182/* Create the lookup key. If there is no explicit key, use sender_host_address.
2183If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2184omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2185are added to the key because they alter the meaning of the stored data. */
2186
2187if (key == NULL)
2188 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2189
8f240103
PH		 2190key = string_sprintf("%s/%s/%s/%s",
2191 sender_rate_period,
2192 per_byte? US"per_byte" :
2193 per_cmd? US"per_cmd" :
2194 per_mail? US"per_mail" : US"per_conn",
2195 strict? US"strict" : US"leaky",
2196 key);
870f6ba8
TF		 2197
2198HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2199 limit, period, key);
2200
8f240103
PH		 2201/* See if we have already computed the rate by looking in the relevant tree.
2202For per-connection rate limiting, store tree nodes and dbdata in the permanent
2203pool so that they survive across resets. */
870f6ba8
TF		 2204
2205anchor = NULL;
2206old_pool = store_pool;
2207
2208if (per_conn)
2209 {
2210 anchor = &ratelimiters_conn;
2211 store_pool = POOL_PERM;
2212 }
fe0dab11 2213else if (per_mail || per_byte)
870f6ba8 2214 anchor = &ratelimiters_mail;
fe0dab11
TF		 2215else if (per_cmd)
2216 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2217
2218if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2219 {
2220 dbd = t->data.ptr;
2221 /* The following few lines duplicate some of the code below. */
8f240103 2222 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2223 store_pool = old_pool;
2224 sender_rate = string_sprintf("%.1f", dbd->rate);
2225 HDEBUG(D_acl)
2226 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2227 return rc;
2228 }
2229
2230/* We aren't using a pre-computed rate, so get a previously recorded
8f240103
PH		 2231rate from the database, update it, and write it back when required. If there's
2232no previous rate for this key, create one. */
870f6ba8
TF		 2233
2234dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2235if (dbm == NULL)
2236 {
2237 store_pool = old_pool;
2238 sender_rate = NULL;
2239 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2240 *log_msgptr = US"ratelimit database not available";
2241 return DEFER;
2242 }
2243dbd = dbfn_read(dbm, key);
2244
2245gettimeofday(&tv, NULL);
2246
2247if (dbd == NULL)
2248 {
2249 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2250 dbd = store_get(sizeof(dbdata_ratelimit));
2251 dbd->time_stamp = tv.tv_sec;
2252 dbd->time_usec = tv.tv_usec;
2253 dbd->rate = 0.0;
2254 }
2255else
2256 {
2257 /* The smoothed rate is computed using an exponentially weighted moving
2258 average adjusted for variable sampling intervals. The standard EWMA for
2259 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2260 where f() is the measured value and f'() is the smoothed value.
2261
2262 Old data decays out of the smoothed value exponentially, such that data n
2263 samples old is multiplied by a^n. The exponential decay time constant p
2264 is defined such that data p samples old is multiplied by 1/e, which means
2265 that a = exp(-1/p). We can maintain the same time constant for a variable
2266 sampling interval i by using a = exp(-i/p).
2267
2268 The rate we are measuring is messages per period, suitable for directly
2269 comparing with the limit. The average rate between now and the previous
2270 message is period / interval, which we feed into the EWMA as the sample.
2271
2272 It turns out that the number of messages required for the smoothed rate
2273 to reach the limit when they are sent in a burst is equal to the limit.
2274 This can be seen by analysing the value of the smoothed rate after N
2275 messages sent at even intervals. Let k = (1 - a) * p/i
2276
2277 rate_1 = (1 - a) * p/i + a * rate_0
2278 = k + a * rate_0
2279 rate_2 = k + a * rate_1
2280 = k + a * k + a^2 * rate_0
2281 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2282 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2283 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2284 = rate_0 * a^N + p/i * (1 - a^N)
2285
2286 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2287
2288 rate_N = p/i + (rate_0 - p/i) * a^N
2289 a^N = (rate_N - p/i) / (rate_0 - p/i)
2290 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2291 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2292
2293 Numerical analysis of the above equation, setting the computed rate to
2294 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2295 rates, p/i, the number of messages N = limit. So limit serves as both the
2296 maximum rate measured in messages per period, and the maximum number of
2297 messages that can be sent in a fast burst. */
2298
2299 double this_time = (double)tv.tv_sec
2300 + (double)tv.tv_usec / 1000000.0;
2301 double prev_time = (double)dbd->time_stamp
2302 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2303
2304 /* We must avoid division by zero, and deal gracefully with the clock going
2305 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2306 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2307
e5d5a95f
TF		 2308 double interval = this_time - prev_time <= 0.0 ? 1e-9
2309 : this_time - prev_time;
2310
2311 double i_over_p = interval / period;
2312 double a = exp(-i_over_p);
870f6ba8
TF		 2313
2314 dbd->time_stamp = tv.tv_sec;
2315 dbd->time_usec = tv.tv_usec;
2316
2317 /* If we are measuring the rate in bytes per period, multiply the
2318 measured rate by the message size. If we don't know the message size
2319 then it's safe to just use a value of zero and let the recorded rate
2320 decay as if nothing happened. */
2321
2322 if (per_byte)
2323 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2324 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2325 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2326 dbd->rate = (double)recipients_count
2327 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2328 else
2329 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2330 }
2331
3348576f
TF		 2332/* Clients sending at the limit are considered to be over the limit. This
2333matters for edge cases such the first message sent by a client (which gets
2334the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2335be completely blocked). */
2336
8f240103 2337rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2338
2339/* Update the state if the rate is low or if we are being strict. If we
2340are in leaky mode and the sender's rate is too high, we do not update
2341the recorded rate in order to avoid an over-aggressive sender's retry
8f240103
PH		 2342rate preventing them from getting any email through. If noupdate is set,
2343do not do any updates. */
870f6ba8 2344
8f240103
PH		 2345if ((rc == FAIL || !leaky) && !noupdate)
2346 {
870f6ba8 2347 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
8f240103
PH		 2348 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2349 }
2350else
2351 {
2352 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2353 noupdate? "noupdate set" : "over the limit, but leaky");
2354 }
2355
870f6ba8
TF		 2356dbfn_close(dbm);
2357
2358/* Store the result in the tree for future reference, if necessary. */
2359
8f240103 2360if (anchor != NULL && !noupdate)
870f6ba8
TF		 2361 {
2362 t = store_get(sizeof(tree_node) + Ustrlen(key));
2363 t->data.ptr = dbd;
2364 Ustrcpy(t->name, key);
2365 (void)tree_insertnode(anchor, t);
2366 }
2367
2368/* We create the formatted version of the sender's rate very late in
2369order to ensure that it is done using the correct storage pool. */
2370
2371store_pool = old_pool;
2372sender_rate = string_sprintf("%.1f", dbd->rate);
2373
2374HDEBUG(D_acl)
2375 debug_printf("ratelimit computed rate %s\n", sender_rate);
2376
2377return rc;
2378}
2379
2380
2381
059ec3d9
PH		 2382/*************************************************
2383* Handle conditions/modifiers on an ACL item *
2384*************************************************/
2385
2386/* Called from acl_check() below.
2387
2388Arguments:
2389 verb ACL verb
2390 cb ACL condition block - if NULL, result is OK
2391 where where called from
2392 addr the address being checked for RCPT, or NULL
2393 level the nesting level
2394 epp pointer to pass back TRUE if "endpass" encountered
2395 (applies only to "accept" and "discard")
2396 user_msgptr user message pointer
2397 log_msgptr log message pointer
2398 basic_errno pointer to where to put verify error
2399
2400Returns: OK - all conditions are met
2401 DISCARD - an "acl" condition returned DISCARD - only allowed
2402 for "accept" or "discard" verbs
2403 FAIL - at least one condition fails
2404 FAIL_DROP - an "acl" condition returned FAIL_DROP
2405 DEFER - can't tell at the moment (typically, lookup defer,
2406 but can be temporary callout problem)
2407 ERROR - ERROR from nested ACL or expansion failure or other
2408 error
2409*/
2410
2411static int
2412acl_check_condition(int verb, acl_condition_block *cb, int where,
2413 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2414 uschar **log_msgptr, int *basic_errno)
2415{
2416uschar *user_message = NULL;
2417uschar *log_message = NULL;
91ecef39 2418uschar *p = NULL;
059ec3d9 2419int rc = OK;
8523533c
TK		 2420#ifdef WITH_CONTENT_SCAN
2421int sep = '/';
2422#endif
059ec3d9
PH		 2423
2424for (; cb != NULL; cb = cb->next)
2425 {
2426 uschar *arg;
8e669ac1 2427 int control_type;
059ec3d9
PH		 2428
2429 /* The message and log_message items set up messages to be used in
2430 case of rejection. They are expanded later. */
2431
2432 if (cb->type == ACLC_MESSAGE)
2433 {
2434 user_message = cb->arg;
2435 continue;
2436 }
2437
2438 if (cb->type == ACLC_LOG_MESSAGE)
2439 {
2440 log_message = cb->arg;
2441 continue;
2442 }
2443
2444 /* The endpass "condition" just sets a flag to show it occurred. This is
2445 checked at compile time to be on an "accept" or "discard" item. */
2446
2447 if (cb->type == ACLC_ENDPASS)
2448 {
2449 *epp = TRUE;
2450 continue;
2451 }
2452
2453 /* For other conditions and modifiers, the argument is expanded now for some
2454 of them, but not for all, because expansion happens down in some lower level
2455 checking functions in some cases. */
2456
2457 if (cond_expand_at_top[cb->type])
2458 {
2459 arg = expand_string(cb->arg);
2460 if (arg == NULL)
2461 {
2462 if (expand_string_forcedfail) continue;
2463 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2464 cb->arg, expand_string_message);
2465 return search_find_defer? DEFER : ERROR;
2466 }
2467 }
2468 else arg = cb->arg;
2469
2470 /* Show condition, and expanded condition if it's different */
2471
2472 HDEBUG(D_acl)
2473 {
2474 int lhswidth = 0;
2475 debug_printf("check %s%s %n",
2476 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2477 conditions[cb->type], &lhswidth);
2478
2479 if (cb->type == ACLC_SET)
2480 {
38a0a95f
PH		 2481 debug_printf("acl_%s ", cb->u.varname);
2482 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2483 }
2484
2485 debug_printf("= %s\n", cb->arg);
2486
2487 if (arg != cb->arg)
2488 debug_printf("%.*s= %s\n", lhswidth,
2489 US" ", CS arg);
2490 }
2491
2492 /* Check that this condition makes sense at this time */
2493
2494 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2495 {
2496 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2497 cond_modifiers[cb->type]? "use" : "test",
2498 conditions[cb->type], acl_wherenames[where]);
2499 return ERROR;
2500 }
2501
2502 /* Run the appropriate test for each condition, or take the appropriate
2503 action for the remaining modifiers. */
2504
2505 switch(cb->type)
2506 {
71fafd95
PH		 2507 case ACLC_ADD_HEADER:
2508 setup_header(arg);
2509 break;
2510
059ec3d9
PH		 2511 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2512 "discard" verb. */
71fafd95 2513
059ec3d9
PH		 2514 case ACLC_ACL:
2515 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2516 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2517 {
2518 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2519 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2520 verbs[verb]);
2521 return ERROR;
2522 }
2523 break;
2524
2525 case ACLC_AUTHENTICATED:
2526 rc = (sender_host_authenticated == NULL)? FAIL :
2527 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2528 TRUE, NULL);
2529 break;
2530
71fafd95 2531 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2532 case ACLC_BMI_OPTIN:
2533 {
2534 int old_pool = store_pool;
2535 store_pool = POOL_PERM;
2536 bmi_current_optin = string_copy(arg);
2537 store_pool = old_pool;
2538 }
2539 break;
71fafd95 2540 #endif
8523533c 2541
059ec3d9
PH		 2542 case ACLC_CONDITION:
2543 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2544 rc = (Uatoi(arg) == 0)? FAIL : OK;
2545 else
2546 rc = (strcmpic(arg, US"no") == 0 ||
2547 strcmpic(arg, US"false") == 0)? FAIL :
2548 (strcmpic(arg, US"yes") == 0 ||
2549 strcmpic(arg, US"true") == 0)? OK : DEFER;
2550 if (rc == DEFER)
2551 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2552 break;
2553
c3611384
PH		 2554 case ACLC_CONTINUE: /* Always succeeds */
2555 break;
2556
059ec3d9 2557 case ACLC_CONTROL:
c5fcb476
PH		 2558 control_type = decode_control(arg, &p, where, log_msgptr);
2559
8523533c 2560 /* Check if this control makes sense at this time */
c5fcb476
PH		 2561
2562 if ((control_forbids[control_type] & (1 << where)) != 0)
2563 {
2564 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2565 controls[control_type], acl_wherenames[where]);
2566 return ERROR;
8e669ac1 2567 }
c5fcb476
PH		 2568
2569 switch(control_type)
059ec3d9 2570 {
c46782ef
PH		 2571 case CONTROL_AUTH_UNADVERTISED:
2572 allow_auth_unadvertised = TRUE;
2573 break;
2574
2575 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2576 case CONTROL_BMI_RUN:
2577 bmi_run = 1;
2578 break;
c46782ef
PH		 2579 #endif
2580
80a47a2c 2581 #ifndef DISABLE_DKIM
f7572e5a 2582 case CONTROL_DKIM_VERIFY:
80a47a2c 2583 dkim_disable_verify = TRUE;
f7572e5a
TK		 2584 break;
2585 #endif
2586
059ec3d9
PH		 2587 case CONTROL_ERROR:
2588 return ERROR;
2589
2590 case CONTROL_CASEFUL_LOCAL_PART:
2591 deliver_localpart = addr->cc_local_part;
2592 break;
2593
2594 case CONTROL_CASELOWER_LOCAL_PART:
2595 deliver_localpart = addr->lc_local_part;
2596 break;
2597
2598 case CONTROL_ENFORCE_SYNC:
2599 smtp_enforce_sync = TRUE;
2600 break;
2601
2602 case CONTROL_NO_ENFORCE_SYNC:
2603 smtp_enforce_sync = FALSE;
2604 break;
2605
c46782ef 2606 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2607 case CONTROL_NO_MBOX_UNSPOOL:
2608 no_mbox_unspool = TRUE;
2609 break;
c46782ef 2610 #endif
8523533c 2611
059ec3d9
PH		 2612 case CONTROL_NO_MULTILINE:
2613 no_multiline_responses = TRUE;
2614 break;
2615
cf8b11a5
PH		 2616 case CONTROL_NO_PIPELINING:
2617 pipelining_enable = FALSE;
2618 break;
2619
047bdd8c
PH		 2620 case CONTROL_NO_DELAY_FLUSH:
2621 disable_delay_flush = TRUE;
2622 break;
2623
4c590bd1
PH		 2624 case CONTROL_NO_CALLOUT_FLUSH:
2625 disable_callout_flush = TRUE;
2626 break;
2627
29aba418 2628 case CONTROL_FAKEDEFER:
8523533c 2629 case CONTROL_FAKEREJECT:
29aba418 2630 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2631 if (*p == '/')
8e669ac1 2632 {
8523533c 2633 uschar *pp = p + 1;
8e669ac1 2634 while (*pp != 0) pp++;
29aba418 2635 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2636 p = pp;
2637 }
2638 else
2639 {
2640 /* Explicitly reset to default string */
29aba418 2641 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2642 }
2643 break;
8523533c 2644
059ec3d9
PH		 2645 case CONTROL_FREEZE:
2646 deliver_freeze = TRUE;
2647 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2648 freeze_tell = freeze_tell_config; /* Reset to configured value */
2649 if (Ustrncmp(p, "/no_tell", 8) == 0)
2650 {
2651 p += 8;
2652 freeze_tell = NULL;
2653 }
2654 if (*p != 0)
2655 {
2656 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2657 return ERROR;
2658 }
059ec3d9
PH		 2659 break;
2660
2661 case CONTROL_QUEUE_ONLY:
2662 queue_only_policy = TRUE;
2663 break;
2664
2665 case CONTROL_SUBMISSION:
87ba3f5f 2666 originator_name = US"";
059ec3d9 2667 submission_mode = TRUE;
69358f02 2668 while (*p == '/')
8e669ac1 2669 {
69358f02
PH		 2670 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2671 {
2672 p += 14;
2673 active_local_sender_retain = TRUE;
8e669ac1
PH		 2674 active_local_from_check = FALSE;
2675 }
69358f02
PH		 2676 else if (Ustrncmp(p, "/domain=", 8) == 0)
2677 {
2678 uschar *pp = p + 8;
8e669ac1 2679 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2680 submission_domain = string_copyn(p+8, pp-p-8);
2681 p = pp;
2682 }
8857ccfd
PH		 2683 /* The name= option must be last, because it swallows the rest of
2684 the string. */
87ba3f5f
PH		 2685 else if (Ustrncmp(p, "/name=", 6) == 0)
2686 {
2687 uschar *pp = p + 6;
8857ccfd 2688 while (*pp != 0) pp++;
2fe1a124 2689 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2690 big_buffer, big_buffer_size));
8e669ac1 2691 p = pp;
69358f02 2692 }
8e669ac1
PH		 2693 else break;
2694 }
69358f02 2695 if (*p != 0)
059ec3d9 2696 {
69358f02 2697 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2698 return ERROR;
2699 }
2700 break;
8800895a
PH		 2701
2702 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2703 suppress_local_fixups = TRUE;
2704 break;
059ec3d9
PH		 2705 }
2706 break;
2707
6a8f9482
TK		 2708 #ifdef EXPERIMENTAL_DCC
2709 case ACLC_DCC:
2710 {
2711 /* Seperate the regular expression and any optional parameters. */
2712 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2713 /* Run the dcc backend. */
2714 rc = dcc_process(&ss);
2715 /* Modify return code based upon the existance of options. */
2716 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2717 != NULL) {
2718 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2719 {
2720 /* FAIL so that the message is passed to the next ACL */
2721 rc = FAIL;
2722 }
2723 }
2724 }
2725 break;
2726 #endif
2727
71fafd95 2728 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2729 case ACLC_DECODE:
2730 rc = mime_decode(&arg);
2731 break;
71fafd95 2732 #endif
8523533c 2733
059ec3d9
PH		 2734 case ACLC_DELAY:
2735 {
2736 int delay = readconf_readtime(arg, 0, FALSE);
2737 if (delay < 0)
2738 {
2739 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2740 "modifier: \"%s\" is not a time value", arg);
2741 return ERROR;
2742 }
2743 else
2744 {
2745 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2746 delay);
2747 if (host_checking)
2748 {
2749 HDEBUG(D_acl)
2750 debug_printf("delay skipped in -bh checking mode\n");
2751 }
010c2d14
PH		 2752
2753 /* It appears to be impossible to detect that a TCP/IP connection has
2754 gone away without reading from it. This means that we cannot shorten
2755 the delay below if the client goes away, because we cannot discover
2756 that the client has closed its end of the connection. (The connection
2757 is actually in a half-closed state, waiting for the server to close its
2758 end.) It would be nice to be able to detect this state, so that the
2759 Exim process is not held up unnecessarily. However, it seems that we
2760 can't. The poll() function does not do the right thing, and in any case
2761 it is not always available.
2762
047bdd8c 2763 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 2764 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 2765 Also, delays may be specified for non-SMTP input, where smtp_out and
2766 smtp_in will be NULL. Whatever is done must work in all cases.
2767
2768 NOTE 2: The added feature of flushing the output before a delay must
2769 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2770 */
010c2d14 2771
8e669ac1 2772 else
86b8287f 2773 {
14f4a80d 2774 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 2775 while (delay > 0) delay = sleep(delay);
8e669ac1 2776 }
059ec3d9
PH		 2777 }
2778 }
2779 break;
2780
71fafd95 2781 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2782 case ACLC_DEMIME:
2783 rc = demime(&arg);
2784 break;
71fafd95 2785 #endif
8523533c 2786
80a47a2c
TK		 2787 #ifndef DISABLE_DKIM
2788 case ACLC_DKIM_SIGNER:
2789 if (dkim_signing_domain != NULL)
2790 {
2791 rc = match_isinlist(dkim_signing_domain,
2792 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
2793 if (rc == FAIL)
2794 {
2795 rc = match_isinlist(dkim_exim_expand_query(DKIM_IDENTITY),
2796 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
2797 }
2798 }
2799 else
2800 {
2801 rc = FAIL;
71fafd95
PH		 2802 }
2803 break;
2804
80a47a2c
TK		 2805 case ACLC_DKIM_STATUS:
2806 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
2807 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 2808 break;
2809 #endif
fb2274d4 2810
059ec3d9
PH		 2811 case ACLC_DNSLISTS:
2812 rc = verify_check_dnsbl(&arg);
2813 break;
2814
2815 case ACLC_DOMAINS:
2816 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2817 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2818 break;
2819
2820 /* The value in tls_cipher is the full cipher name, for example,
2821 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2822 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2823 what may in practice come out of the SSL library - which at the time of
2824 writing is poorly documented. */
2825
2826 case ACLC_ENCRYPTED:
2827 if (tls_cipher == NULL) rc = FAIL; else
2828 {
2829 uschar *endcipher = NULL;
2830 uschar *cipher = Ustrchr(tls_cipher, ':');
2831 if (cipher == NULL) cipher = tls_cipher; else
2832 {
2833 endcipher = Ustrchr(++cipher, ':');
2834 if (endcipher != NULL) *endcipher = 0;
2835 }
2836 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2837 if (endcipher != NULL) *endcipher = ':';
2838 }
2839 break;
2840
2841 /* Use verify_check_this_host() instead of verify_check_host() so that
2842 we can pass over &host_data to catch any looked up data. Once it has been
2843 set, it retains its value so that it's still there if another ACL verb
2844 comes through here and uses the cache. However, we must put it into
2845 permanent store in case it is also expected to be used in a subsequent
2846 message in the same SMTP connection. */
2847
2848 case ACLC_HOSTS:
2849 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2850 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2851 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2852 break;
2853
2854 case ACLC_LOCAL_PARTS:
2855 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2856 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2857 &deliver_localpart_data);
2858 break;
2859
6ea85e9a
PH		 2860 case ACLC_LOG_REJECT_TARGET:
2861 {
2862 int logbits = 0;
2863 int sep = 0;
2864 uschar *s = arg;
2865 uschar *ss;
2866 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2867 != NULL)
2868 {
2869 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2870 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2871 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2872 else
2873 {
2874 logbits |= LOG_MAIN|LOG_REJECT;
2875 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2876 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2877 }
2878 }
2879 log_reject_target = logbits;
2880 }
2881 break;
2882
059ec3d9
PH		 2883 case ACLC_LOGWRITE:
2884 {
2885 int logbits = 0;
2886 uschar *s = arg;
2887 if (*s == ':')
2888 {
2889 s++;
2890 while (*s != ':')
2891 {
2892 if (Ustrncmp(s, "main", 4) == 0)
2893 { logbits |= LOG_MAIN; s += 4; }
2894 else if (Ustrncmp(s, "panic", 5) == 0)
2895 { logbits |= LOG_PANIC; s += 5; }
2896 else if (Ustrncmp(s, "reject", 6) == 0)
2897 { logbits |= LOG_REJECT; s += 6; }
2898 else
2899 {
2900 logbits = LOG_MAIN|LOG_PANIC;
2901 s = string_sprintf(":unknown log name in \"%s\" in "
2902 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2903 }
2904 if (*s == ',') s++;
2905 }
2906 s++;
2907 }
2908 while (isspace(*s)) s++;
6ea85e9a
PH		 2909
2910
059ec3d9
PH		 2911 if (logbits == 0) logbits = LOG_MAIN;
2912 log_write(0, logbits, "%s", string_printing(s));
2913 }
2914 break;
8e669ac1 2915
71fafd95 2916 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2917 case ACLC_MALWARE:
2918 {
6ea85e9a 2919 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2920 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2921 /* Run the malware backend. */
2922 rc = malware(&ss);
2923 /* Modify return code based upon the existance of options. */
2924 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2925 != NULL) {
2926 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2927 {
2928 /* FAIL so that the message is passed to the next ACL */
2929 rc = FAIL;
2930 }
2931 }
2932 }
2933 break;
2934
2935 case ACLC_MIME_REGEX:
71fafd95 2936 rc = mime_regex(&arg);
8523533c 2937 break;
71fafd95 2938 #endif
059ec3d9 2939
870f6ba8 2940 case ACLC_RATELIMIT:
90fc3069 2941 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2942 break;
2943
059ec3d9
PH		 2944 case ACLC_RECIPIENTS:
2945 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2946 &recipient_data);
2947 break;
2948
71fafd95
PH		 2949 #ifdef WITH_CONTENT_SCAN
2950 case ACLC_REGEX:
2951 rc = regex(&arg);
8523533c 2952 break;
71fafd95 2953 #endif
8523533c 2954
059ec3d9
PH		 2955 case ACLC_SENDER_DOMAINS:
2956 {
2957 uschar *sdomain;
2958 sdomain = Ustrrchr(sender_address, '@');
2959 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2960 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2961 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2962 }
2963 break;
2964
2965 case ACLC_SENDERS:
2966 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2967 sender_address_cache, -1, 0, &sender_data);
2968 break;
2969
2970 /* Connection variables must persist forever */
2971
2972 case ACLC_SET:
2973 {
2974 int old_pool = store_pool;
38a0a95f
PH		 2975 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2976 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 2977 store_pool = old_pool;
2978 }
2979 break;
2980
71fafd95 2981 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2982 case ACLC_SPAM:
2983 {
2984 /* Seperate the regular expression and any optional parameters. */
2985 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2986 /* Run the spam backend. */
2987 rc = spam(&ss);
2988 /* Modify return code based upon the existance of options. */
2989 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2990 != NULL) {
2991 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2992 {
2993 /* FAIL so that the message is passed to the next ACL */
2994 rc = FAIL;
2995 }
2996 }
2997 }
2998 break;
71fafd95 2999 #endif
8523533c 3000
71fafd95 3001 #ifdef EXPERIMENTAL_SPF
8523533c 3002 case ACLC_SPF:
65a7d8c3
NM		 3003 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3004 break;
3005 case ACLC_SPF_GUESS:
3006 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3007 break;
71fafd95 3008 #endif
8523533c 3009
059ec3d9
PH		 3010 /* If the verb is WARN, discard any user message from verification, because
3011 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3012 only from explicit "message" modifiers. However, put the user message into
3013 $acl_verify_message so it can be used in subsequent conditions or modifiers
3014 (until something changes it). */
059ec3d9
PH		 3015
3016 case ACLC_VERIFY:
3017 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3018 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3019 if (verb == ACL_WARN) *user_msgptr = NULL;
3020 break;
3021
3022 default:
3023 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3024 "condition %d", cb->type);
3025 break;
3026 }
3027
3028 /* If a condition was negated, invert OK/FAIL. */
3029
3030 if (!cond_modifiers[cb->type] && cb->u.negated)
3031 {
3032 if (rc == OK) rc = FAIL;
3033 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3034 }
3035
3036 if (rc != OK) break; /* Conditions loop */
3037 }
3038
3039
3040/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3041handle the values of these modifiers. If there isn't a log message set, we make
3042it the same as the user message.
059ec3d9
PH		 3043
3044"message" is a user message that will be included in an SMTP response. Unless
3045it is empty, it overrides any previously set user message.
3046
3047"log_message" is a non-user message, and it adds to any existing non-user
3048message that is already set.
3049
4e88a19f
PH		 3050Most verbs have but a single return for which the messages are relevant, but
3051for "discard", it's useful to have the log message both when it succeeds and
3052when it fails. For "accept", the message is used in the OK case if there is no
3053"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3054present. */
059ec3d9 3055
4e88a19f
PH		 3056if (*epp && rc == OK) user_message = NULL;
3057
3058if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3059 {
3060 uschar *expmessage;
4e88a19f
PH		 3061 uschar *old_user_msgptr = *user_msgptr;
3062 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3063
3064 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3065 nested ACLs) are always discarded. This also happens for acceptance verbs
3066 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3067 However, the value of an existing message is available in $acl_verify_message
3068 during expansions. */
3069
4e88a19f
PH		 3070 if (verb == ACL_WARN ||
3071 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3072 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3073
3074 if (user_message != NULL)
3075 {
3076 acl_verify_message = old_user_msgptr;
3077 expmessage = expand_string(user_message);
3078 if (expmessage == NULL)
3079 {
3080 if (!expand_string_forcedfail)
3081 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3082 user_message, expand_string_message);
3083 }
3084 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3085 }
3086
3087 if (log_message != NULL)
3088 {
3089 acl_verify_message = old_log_msgptr;
3090 expmessage = expand_string(log_message);
3091 if (expmessage == NULL)
3092 {
3093 if (!expand_string_forcedfail)
3094 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3095 log_message, expand_string_message);
3096 }
3097 else if (expmessage[0] != 0)
3098 {
3099 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3100 string_sprintf("%s: %s", expmessage, *log_msgptr);
3101 }
3102 }
3103
3104 /* If no log message, default it to the user message */
3105
3106 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3107 }
3108
3109acl_verify_message = NULL;
3110return rc;
3111}
3112
3113
3114
3115
3116
3117/*************************************************
3118* Get line from a literal ACL *
3119*************************************************/
3120
3121/* This function is passed to acl_read() in order to extract individual lines
3122of a literal ACL, which we access via static pointers. We can destroy the
3123contents because this is called only once (the compiled ACL is remembered).
3124
3125This code is intended to treat the data in the same way as lines in the main
3126Exim configuration file. That is:
3127
3128 . Leading spaces are ignored.
3129
3130 . A \ at the end of a line is a continuation - trailing spaces after the \
3131 are permitted (this is because I don't believe in making invisible things
3132 significant). Leading spaces on the continued part of a line are ignored.
3133
3134 . Physical lines starting (significantly) with # are totally ignored, and
3135 may appear within a sequence of backslash-continued lines.
3136
3137 . Blank lines are ignored, but will end a sequence of continuations.
3138
3139Arguments: none
3140Returns: a pointer to the next line
3141*/
3142
3143
3144static uschar *acl_text; /* Current pointer in the text */
3145static uschar *acl_text_end; /* Points one past the terminating '0' */
3146
3147
3148static uschar *
3149acl_getline(void)
3150{
3151uschar *yield;
3152
3153/* This loop handles leading blank lines and comments. */
3154
3155for(;;)
3156 {
3157 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3158 if (*acl_text == 0) return NULL; /* No more data */
3159 yield = acl_text; /* Potential data line */
3160
3161 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3162
3163 /* If we hit the end before a newline, we have the whole logical line. If
3164 it's a comment, there's no more data to be given. Otherwise, yield it. */
3165
3166 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3167
3168 /* After reaching a newline, end this loop if the physical line does not
3169 start with '#'. If it does, it's a comment, and the loop continues. */
3170
3171 if (*yield != '#') break;
3172 }
3173
3174/* This loop handles continuations. We know we have some real data, ending in
3175newline. See if there is a continuation marker at the end (ignoring trailing
3176white space). We know that *yield is not white space, so no need to test for
3177cont > yield in the backwards scanning loop. */
3178
3179for(;;)
3180 {
3181 uschar *cont;
3182 for (cont = acl_text - 1; isspace(*cont); cont--);
3183
3184 /* If no continuation follows, we are done. Mark the end of the line and
3185 return it. */
3186
3187 if (*cont != '\\')
3188 {
3189 *acl_text++ = 0;
3190 return yield;
3191 }
3192
3193 /* We have encountered a continuation. Skip over whitespace at the start of
3194 the next line, and indeed the whole of the next line or lines if they are
3195 comment lines. */
3196
3197 for (;;)
3198 {
3199 while (*(++acl_text) == ' ' || *acl_text == '\t');
3200 if (*acl_text != '#') break;
3201 while (*(++acl_text) != 0 && *acl_text != '\n');
3202 }
3203
3204 /* We have the start of a continuation line. Move all the rest of the data
3205 to join onto the previous line, and then find its end. If the end is not a
3206 newline, we are done. Otherwise loop to look for another continuation. */
3207
3208 memmove(cont, acl_text, acl_text_end - acl_text);
3209 acl_text_end -= acl_text - cont;
3210 acl_text = cont;
3211 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3212 if (*acl_text == 0) return yield;
3213 }
3214
3215/* Control does not reach here */
3216}
3217
3218
3219
3220
3221
3222/*************************************************
3223* Check access using an ACL *
3224*************************************************/
3225
3226/* This function is called from address_check. It may recurse via
3227acl_check_condition() - hence the use of a level to stop looping. The ACL is
3228passed as a string which is expanded. A forced failure implies no access check
3229is required. If the result is a single word, it is taken as the name of an ACL
3230which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3231text, complete with newlines, and parsed as such. In both cases, the ACL check
3232is then run. This function uses an auxiliary function for acl_read() to call
3233for reading individual lines of a literal ACL. This is acl_getline(), which
3234appears immediately above.
3235
3236Arguments:
3237 where where called from
3238 addr address item when called from RCPT; otherwise NULL
3239 s the input string; NULL is the same as an empty ACL => DENY
3240 level the nesting level
3241 user_msgptr where to put a user error (for SMTP response)
3242 log_msgptr where to put a logging message (not for SMTP response)
3243
3244Returns: OK access is granted
3245 DISCARD access is apparently granted...
3246 FAIL access is denied
3247 FAIL_DROP access is denied; drop the connection
3248 DEFER can't tell at the moment
3249 ERROR disaster
3250*/
3251
3252static int
3253acl_check_internal(int where, address_item *addr, uschar *s, int level,
3254 uschar **user_msgptr, uschar **log_msgptr)
3255{
3256int fd = -1;
3257acl_block *acl = NULL;
3258uschar *acl_name = US"inline ACL";
3259uschar *ss;
3260
3261/* Catch configuration loops */
3262
3263if (level > 20)
3264 {
3265 *log_msgptr = US"ACL nested too deep: possible loop";
3266 return ERROR;
3267 }
3268
3269if (s == NULL)
3270 {
3271 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3272 return FAIL;
3273 }
3274
3275/* At top level, we expand the incoming string. At lower levels, it has already
3276been expanded as part of condition processing. */
3277
3278if (level == 0)
3279 {
3280 ss = expand_string(s);
3281 if (ss == NULL)
3282 {
3283 if (expand_string_forcedfail) return OK;
3284 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3285 expand_string_message);
3286 return ERROR;
3287 }
3288 }
3289else ss = s;
3290
3291while (isspace(*ss))ss++;
3292
3293/* If we can't find a named ACL, the default is to parse it as an inline one.
3294(Unless it begins with a slash; non-existent files give rise to an error.) */
3295
3296acl_text = ss;
3297
3298/* Handle the case of a string that does not contain any spaces. Look for a
3299named ACL among those read from the configuration, or a previously read file.
3300It is possible that the pointer to the ACL is NULL if the configuration
3301contains a name with no data. If not found, and the text begins with '/',
3302read an ACL from a file, and save it so it can be re-used. */
3303
3304if (Ustrchr(ss, ' ') == NULL)
3305 {
3306 tree_node *t = tree_search(acl_anchor, ss);
3307 if (t != NULL)
3308 {
3309 acl = (acl_block *)(t->data.ptr);
3310 if (acl == NULL)
3311 {
3312 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3313 return FAIL;
3314 }
3315 acl_name = string_sprintf("ACL \"%s\"", ss);
3316 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3317 }
3318
3319 else if (*ss == '/')
3320 {
3321 struct stat statbuf;
3322 fd = Uopen(ss, O_RDONLY, 0);
3323 if (fd < 0)
3324 {
3325 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3326 strerror(errno));
3327 return ERROR;
3328 }
3329
3330 if (fstat(fd, &statbuf) != 0)
3331 {
3332 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3333 strerror(errno));
3334 return ERROR;
3335 }
3336
3337 acl_text = store_get(statbuf.st_size + 1);
3338 acl_text_end = acl_text + statbuf.st_size + 1;
3339
3340 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3341 {
3342 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3343 ss, strerror(errno));
3344 return ERROR;
3345 }
3346 acl_text[statbuf.st_size] = 0;
f1e894f3 3347 (void)close(fd);
059ec3d9
PH		 3348
3349 acl_name = string_sprintf("ACL \"%s\"", ss);
3350 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3351 }
3352 }
3353
3354/* Parse an ACL that is still in text form. If it came from a file, remember it
3355in the ACL tree, having read it into the POOL_PERM store pool so that it
3356persists between multiple messages. */
3357
3358if (acl == NULL)
3359 {
3360 int old_pool = store_pool;
3361 if (fd >= 0) store_pool = POOL_PERM;
3362 acl = acl_read(acl_getline, log_msgptr);
3363 store_pool = old_pool;
3364 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3365 if (fd >= 0)
3366 {
3367 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3368 Ustrcpy(t->name, ss);
3369 t->data.ptr = acl;
3370 (void)tree_insertnode(&acl_anchor, t);
3371 }
3372 }
3373
3374/* Now we have an ACL to use. It's possible it may be NULL. */
3375
3376while (acl != NULL)
3377 {
3378 int cond;
3379 int basic_errno = 0;
3380 BOOL endpass_seen = FALSE;
3381
3382 *log_msgptr = *user_msgptr = NULL;
3383 acl_temp_details = FALSE;
3384
7353285c 3385 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3386 acl->verb != ACL_ACCEPT &&
3387 acl->verb != ACL_WARN)
3388 {
7353285c 3389 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3390 verbs[acl->verb]);
3391 return ERROR;
3392 }
3393
3394 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3395
3396 /* Clear out any search error message from a previous check before testing
3397 this condition. */
3398
3399 search_error_message = NULL;
3400 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3401 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3402
3403 /* Handle special returns: DEFER causes a return except on a WARN verb;
3404 ERROR always causes a return. */
3405
3406 switch (cond)
3407 {
3408 case DEFER:
3409 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3410 if (basic_errno != ERRNO_CALLOUTDEFER)
3411 {
3412 if (search_error_message != NULL && *search_error_message != 0)
3413 *log_msgptr = search_error_message;
3414 if (smtp_return_error_details) acl_temp_details = TRUE;
3415 }
3416 else
3417 {
3418 acl_temp_details = TRUE;
3419 }
3420 if (acl->verb != ACL_WARN) return DEFER;
3421 break;
3422
3423 default: /* Paranoia */
3424 case ERROR:
3425 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3426 return ERROR;
3427
3428 case OK:
3429 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3430 verbs[acl->verb]);
3431 break;
3432
3433 case FAIL:
3434 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3435 break;
3436
3437 /* DISCARD and DROP can happen only from a nested ACL condition, and
3438 DISCARD can happen only for an "accept" or "discard" verb. */
3439
3440 case DISCARD:
3441 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3442 verbs[acl->verb]);
3443 break;
3444
3445 case FAIL_DROP:
3446 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3447 verbs[acl->verb]);
3448 break;
3449 }
3450
3451 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3452 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3453 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3454
3455 switch(acl->verb)
3456 {
3457 case ACL_ACCEPT:
3458 if (cond == OK || cond == DISCARD) return cond;
3459 if (endpass_seen)
3460 {
3461 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3462 return cond;
3463 }
3464 break;
3465
3466 case ACL_DEFER:
3467 if (cond == OK)
3468 {
3469 acl_temp_details = TRUE;
3470 return DEFER;
3471 }
3472 break;
3473
3474 case ACL_DENY:
3475 if (cond == OK) return FAIL;
3476 break;
3477
3478 case ACL_DISCARD:
3479 if (cond == OK || cond == DISCARD) return DISCARD;
3480 if (endpass_seen)
3481 {
3482 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3483 return cond;
3484 }
3485 break;
3486
3487 case ACL_DROP:
3488 if (cond == OK) return FAIL_DROP;
3489 break;
3490
3491 case ACL_REQUIRE:
3492 if (cond != OK) return cond;
3493 break;
3494
3495 case ACL_WARN:
3496 if (cond == OK)
3497 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3498 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3499 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3500 "condition test deferred%s%s", host_and_ident(TRUE),
3501 (*log_msgptr == NULL)? US"" : US": ",
3502 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3503 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3504 break;
3505
3506 default:
3507 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3508 acl->verb);
3509 break;
3510 }
3511
3512 /* Pass to the next ACL item */
3513
3514 acl = acl->next;
3515 }
3516
3517/* We have reached the end of the ACL. This is an implicit DENY. */
3518
3519HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3520return FAIL;
3521}
3522
3523
3524/*************************************************
3525* Check access using an ACL *
3526*************************************************/
3527
3528/* This is the external interface for ACL checks. It sets up an address and the
3529expansions for $domain and $local_part when called after RCPT, then calls
3530acl_check_internal() to do the actual work.
3531
3532Arguments:
3533 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3534 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3535 s the input string; NULL is the same as an empty ACL => DENY
3536 user_msgptr where to put a user error (for SMTP response)
3537 log_msgptr where to put a logging message (not for SMTP response)
3538
3539Returns: OK access is granted by an ACCEPT verb
3540 DISCARD access is granted by a DISCARD verb
3541 FAIL access is denied
3542 FAIL_DROP access is denied; drop the connection
3543 DEFER can't tell at the moment
3544 ERROR disaster
3545*/
3546
3547int
64ffc24f 3548acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3549 uschar **log_msgptr)
3550{
3551int rc;
3552address_item adb;
64ffc24f 3553address_item *addr = NULL;
059ec3d9
PH		 3554
3555*user_msgptr = *log_msgptr = NULL;
3556sender_verified_failed = NULL;
fe0dab11 3557ratelimiters_cmd = NULL;
6ea85e9a 3558log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3559
3560if (where == ACL_WHERE_RCPT)
3561 {
3562 adb = address_defaults;
3563 addr = &adb;
64ffc24f 3564 addr->address = recipient;
059ec3d9
PH		 3565 if (deliver_split_address(addr) == DEFER)
3566 {
3567 *log_msgptr = US"defer in percent_hack_domains check";
3568 return DEFER;
3569 }
3570 deliver_domain = addr->domain;
3571 deliver_localpart = addr->local_part;
3572 }
059ec3d9
PH		 3573
3574rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3575
64ffc24f
PH		 3576deliver_domain = deliver_localpart = deliver_address_data =
3577 sender_address_data = NULL;
059ec3d9
PH		 3578
3579/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3580ACL, which is really in the middle of an SMTP command. */
3581
3582if (rc == DISCARD)
3583 {
3584 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3585 {
3586 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3587 "ACL", acl_wherenames[where]);
3588 return ERROR;
3589 }
3590 return DISCARD;
3591 }
3592
3593/* A DROP response is not permitted from MAILAUTH */
3594
3595if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3596 {
3597 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3598 "ACL", acl_wherenames[where]);
3599 return ERROR;
3600 }
3601
4e88a19f
PH		 3602/* Before giving a response, take a look at the length of any user message, and
3603split it up into multiple lines if possible. */
059ec3d9 3604
e28326d8
PH		 3605*user_msgptr = string_split_message(*user_msgptr);
3606if (fake_response != OK)
3607 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3608
3609return rc;
3610}
3611
38a0a95f
PH		 3612
3613
3614/*************************************************
3615* Create ACL variable *
3616*************************************************/
3617
3618/* Create an ACL variable or reuse an existing one. ACL variables are in a
3619binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3620
3621Argument:
3622 name pointer to the variable's name, starting with c or m
3623
3624Returns the pointer to variable's tree node
3625*/
3626
3627tree_node *
3628acl_var_create(uschar *name)
3629{
3630tree_node *node, **root;
3631root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3632node = tree_search(*root, name);
3633if (node == NULL)
3634 {
3635 node = store_get(sizeof(tree_node) + Ustrlen(name));
3636 Ustrcpy(node->name, name);
3637 (void)tree_insertnode(root, node);
3638 }
3639node->data.ptr = NULL;
3640return node;
3641}
3642
3643
3644
3645/*************************************************
3646* Write an ACL variable in spool format *
3647*************************************************/
3648
3649/* This function is used as a callback for tree_walk when writing variables to
3650the spool file. To retain spool file compatibility, what is written is -aclc or
3651-aclm followed by the rest of the name and the data length, space separated,
3652then the value itself, starting on a new line, and terminated by an additional
3653newline. When we had only numbered ACL variables, the first line might look
3654like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3655acl_cfoo.
3656
3657Arguments:
3658 name of the variable
3659 value of the variable
3660 ctx FILE pointer (as a void pointer)
3661
3662Returns: nothing
3663*/
3664
3665void
3666acl_var_write(uschar *name, uschar *value, void *ctx)
3667{
3668FILE *f = (FILE *)ctx;
3669fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3670}
3671
059ec3d9 3672/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.