projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tidying
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
e7568d51 91 ACLC_REMOVE_HEADER,
71fafd95
PH		 92 ACLC_SENDER_DOMAINS,
93 ACLC_SENDERS,
94 ACLC_SET,
8523533c 95#ifdef WITH_CONTENT_SCAN
8e669ac1 96 ACLC_SPAM,
8523533c
TK		 97#endif
98#ifdef EXPERIMENTAL_SPF
99 ACLC_SPF,
65a7d8c3 100 ACLC_SPF_GUESS,
8523533c
TK		 101#endif
102 ACLC_VERIFY };
059ec3d9 103
c3611384
PH		 104/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
105"message", "log_message", "log_reject_target", "logwrite", and "set" are
106modifiers that look like conditions but always return TRUE. They are used for
107their side effects. */
059ec3d9 108
9a26b6b2
PH		 109static uschar *conditions[] = {
110 US"acl",
71fafd95 111 US"add_header",
9a26b6b2 112 US"authenticated",
8523533c
TK		 113#ifdef EXPERIMENTAL_BRIGHTMAIL
114 US"bmi_optin",
115#endif
116 US"condition",
c3611384 117 US"continue",
8e669ac1 118 US"control",
6a8f9482
TK		 119#ifdef EXPERIMENTAL_DCC
120 US"dcc",
121#endif
8523533c
TK		 122#ifdef WITH_CONTENT_SCAN
123 US"decode",
124#endif
125 US"delay",
126#ifdef WITH_OLD_DEMIME
127 US"demime",
fb2274d4 128#endif
80a47a2c
TK		 129#ifndef DISABLE_DKIM
130 US"dkim_signers",
131 US"dkim_status",
8523533c 132#endif
6ea85e9a
PH		 133 US"dnslists",
134 US"domains",
135 US"encrypted",
136 US"endpass",
137 US"hosts",
138 US"local_parts",
139 US"log_message",
140 US"log_reject_target",
141 US"logwrite",
8523533c
TK		 142#ifdef WITH_CONTENT_SCAN
143 US"malware",
144#endif
145 US"message",
146#ifdef WITH_CONTENT_SCAN
147 US"mime_regex",
148#endif
870f6ba8 149 US"ratelimit",
8523533c
TK		 150 US"recipients",
151#ifdef WITH_CONTENT_SCAN
152 US"regex",
153#endif
e7568d51 154 US"remove_header",
8523533c
TK		 155 US"sender_domains", US"senders", US"set",
156#ifdef WITH_CONTENT_SCAN
157 US"spam",
158#endif
159#ifdef EXPERIMENTAL_SPF
160 US"spf",
65a7d8c3 161 US"spf_guess",
8523533c 162#endif
059ec3d9 163 US"verify" };
8e669ac1 164
c5fcb476 165
9a26b6b2
PH		 166/* Return values from decode_control(); keep in step with the table of names
167that follows! */
168
169enum {
c46782ef
PH		 170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 172 CONTROL_BMI_RUN,
c46782ef 173 #endif
ed7f7860 174 CONTROL_DEBUG,
80a47a2c 175 #ifndef DISABLE_DKIM
f7572e5a
TK		 176 CONTROL_DKIM_VERIFY,
177 #endif
13363eba 178 CONTROL_DSCP,
c46782ef
PH		 179 CONTROL_ERROR,
180 CONTROL_CASEFUL_LOCAL_PART,
181 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 182 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 183 CONTROL_ENFORCE_SYNC,
184 CONTROL_NO_ENFORCE_SYNC,
185 CONTROL_FREEZE,
186 CONTROL_QUEUE_ONLY,
187 CONTROL_SUBMISSION,
188 CONTROL_SUPPRESS_LOCAL_FIXUPS,
189 #ifdef WITH_CONTENT_SCAN
9a26b6b2 190 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 191 #endif
192 CONTROL_FAKEDEFER,
193 CONTROL_FAKEREJECT,
cf8b11a5 194 CONTROL_NO_MULTILINE,
047bdd8c 195 CONTROL_NO_PIPELINING,
4c590bd1
PH		 196 CONTROL_NO_DELAY_FLUSH,
197 CONTROL_NO_CALLOUT_FLUSH
c46782ef 198};
9a26b6b2 199
8800895a
PH		 200/* ACL control names; keep in step with the table above! This list is used for
201turning ids into names. The actual list of recognized names is in the variable
202control_def controls_list[] below. The fact that there are two lists is a mess
203and should be tidied up. */
9a26b6b2
PH		 204
205static uschar *controls[] = {
c46782ef 206 US"allow_auth_unadvertised",
9a26b6b2
PH		 207 #ifdef EXPERIMENTAL_BRIGHTMAIL
208 US"bmi_run",
209 #endif
ed7f7860 210 US"debug",
80a47a2c
TK		 211 #ifndef DISABLE_DKIM
212 US"dkim_disable_verify",
f7572e5a 213 #endif
13363eba 214 US"dscp",
c46782ef
PH		 215 US"error",
216 US"caseful_local_part",
217 US"caselower_local_part",
e4bdf652 218 US"cutthrough_delivery",
c46782ef
PH		 219 US"enforce_sync",
220 US"no_enforce_sync",
221 US"freeze",
222 US"queue_only",
223 US"submission",
224 US"suppress_local_fixups",
9a26b6b2
PH		 225 #ifdef WITH_CONTENT_SCAN
226 US"no_mbox_unspool",
227 #endif
cf8b11a5
PH		 228 US"fakedefer",
229 US"fakereject",
aa6dc513 230 US"no_multiline_responses",
cf8b11a5 231 US"no_pipelining",
4c590bd1
PH		 232 US"no_delay_flush",
233 US"no_callout_flush"
c46782ef 234};
059ec3d9 235
047bdd8c 236/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 237at the outer level. In the other cases, expansion already occurs in the
238checking functions. */
239
240static uschar cond_expand_at_top[] = {
7421ecab 241 FALSE, /* acl */
3e536984 242 TRUE, /* add_header */
059ec3d9 243 FALSE, /* authenticated */
8523533c
TK		 244#ifdef EXPERIMENTAL_BRIGHTMAIL
245 TRUE, /* bmi_optin */
8e669ac1 246#endif
059ec3d9 247 TRUE, /* condition */
c3611384 248 TRUE, /* continue */
059ec3d9 249 TRUE, /* control */
6a8f9482
TK		 250#ifdef EXPERIMENTAL_DCC
251 TRUE, /* dcc */
252#endif
8523533c
TK		 253#ifdef WITH_CONTENT_SCAN
254 TRUE, /* decode */
255#endif
059ec3d9 256 TRUE, /* delay */
8523533c
TK		 257#ifdef WITH_OLD_DEMIME
258 TRUE, /* demime */
fb2274d4 259#endif
80a47a2c
TK		 260#ifndef DISABLE_DKIM
261 TRUE, /* dkim_signers */
262 TRUE, /* dkim_status */
8523533c 263#endif
059ec3d9
PH		 264 TRUE, /* dnslists */
265 FALSE, /* domains */
266 FALSE, /* encrypted */
267 TRUE, /* endpass */
268 FALSE, /* hosts */
269 FALSE, /* local_parts */
270 TRUE, /* log_message */
6ea85e9a 271 TRUE, /* log_reject_target */
059ec3d9 272 TRUE, /* logwrite */
8523533c
TK		 273#ifdef WITH_CONTENT_SCAN
274 TRUE, /* malware */
275#endif
059ec3d9 276 TRUE, /* message */
8523533c
TK		 277#ifdef WITH_CONTENT_SCAN
278 TRUE, /* mime_regex */
279#endif
870f6ba8 280 TRUE, /* ratelimit */
059ec3d9 281 FALSE, /* recipients */
8523533c
TK		 282#ifdef WITH_CONTENT_SCAN
283 TRUE, /* regex */
284#endif
e7568d51 285 TRUE, /* remove_header */
059ec3d9
PH		 286 FALSE, /* sender_domains */
287 FALSE, /* senders */
288 TRUE, /* set */
8523533c
TK		 289#ifdef WITH_CONTENT_SCAN
290 TRUE, /* spam */
291#endif
292#ifdef EXPERIMENTAL_SPF
293 TRUE, /* spf */
65a7d8c3 294 TRUE, /* spf_guess */
8523533c 295#endif
059ec3d9
PH		 296 TRUE /* verify */
297};
298
299/* Flags to identify the modifiers */
300
301static uschar cond_modifiers[] = {
302 FALSE, /* acl */
3e536984 303 TRUE, /* add_header */
059ec3d9 304 FALSE, /* authenticated */
8523533c
TK		 305#ifdef EXPERIMENTAL_BRIGHTMAIL
306 TRUE, /* bmi_optin */
8e669ac1 307#endif
059ec3d9 308 FALSE, /* condition */
c3611384 309 TRUE, /* continue */
059ec3d9 310 TRUE, /* control */
6a8f9482
TK		 311#ifdef EXPERIMENTAL_DCC
312 FALSE, /* dcc */
313#endif
8523533c
TK		 314#ifdef WITH_CONTENT_SCAN
315 FALSE, /* decode */
316#endif
059ec3d9 317 TRUE, /* delay */
8523533c
TK		 318#ifdef WITH_OLD_DEMIME
319 FALSE, /* demime */
fb2274d4 320#endif
80a47a2c
TK		 321#ifndef DISABLE_DKIM
322 FALSE, /* dkim_signers */
323 FALSE, /* dkim_status */
8523533c 324#endif
059ec3d9
PH		 325 FALSE, /* dnslists */
326 FALSE, /* domains */
327 FALSE, /* encrypted */
328 TRUE, /* endpass */
329 FALSE, /* hosts */
330 FALSE, /* local_parts */
331 TRUE, /* log_message */
6ea85e9a 332 TRUE, /* log_reject_target */
8523533c
TK		 333 TRUE, /* logwrite */
334#ifdef WITH_CONTENT_SCAN
335 FALSE, /* malware */
336#endif
059ec3d9 337 TRUE, /* message */
8523533c
TK		 338#ifdef WITH_CONTENT_SCAN
339 FALSE, /* mime_regex */
340#endif
870f6ba8 341 FALSE, /* ratelimit */
059ec3d9 342 FALSE, /* recipients */
8523533c
TK		 343#ifdef WITH_CONTENT_SCAN
344 FALSE, /* regex */
345#endif
e7568d51 346 TRUE, /* remove_header */
059ec3d9
PH		 347 FALSE, /* sender_domains */
348 FALSE, /* senders */
349 TRUE, /* set */
8523533c
TK		 350#ifdef WITH_CONTENT_SCAN
351 FALSE, /* spam */
352#endif
353#ifdef EXPERIMENTAL_SPF
354 FALSE, /* spf */
65a7d8c3 355 FALSE, /* spf_guess */
8523533c 356#endif
059ec3d9
PH		 357 FALSE /* verify */
358};
359
c3611384 360/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 361times. For each condition and modifier, there's a bitmap of dis-allowed times.
362For some, it is easier to specify the negation of a small number of allowed
363times. */
059ec3d9
PH		 364
365static unsigned int cond_forbids[] = {
366 0, /* acl */
8e669ac1 367
71fafd95 368 (unsigned int)
45b91596 369 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 370 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 371 #ifdef EXPERIMENTAL_PRDR
372 (1<<ACL_WHERE_PRDR)|
373 #endif
45b91596 374 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 375 (1<<ACL_WHERE_DKIM)|
45b91596 376 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 377
45b91596
PH		 378 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
379 (1<<ACL_WHERE_NOTSMTP_START)|
380 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 381
71fafd95 382 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 383 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 384 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
385 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
fd98a5c6
JH		 386 #ifdef EXPERIMENTAL_PRDR
387 (1<<ACL_WHERE_PRDR)|
388 #endif
8e669ac1 389 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 390 (1<<ACL_WHERE_MAILAUTH)|
391 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 392 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
393 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 394 #endif
8e669ac1 395
059ec3d9 396 0, /* condition */
8e669ac1 397
c3611384
PH		 398 0, /* continue */
399
059ec3d9 400 /* Certain types of control are always allowed, so we let it through
2f079f46 401 always and check in the control processing itself. */
8e669ac1 402
059ec3d9 403 0, /* control */
8e669ac1 404
6a8f9482
TK		 405 #ifdef EXPERIMENTAL_DCC
406 (unsigned int)
fd98a5c6
JH		 407 ~((1<<ACL_WHERE_DATA)| /* dcc */
408 #ifdef EXPERIMENTAL_PRDR
409 (1<<ACL_WHERE_PRDR)|
410 #endif /* EXPERIMENTAL_PRDR */
411 (1<<ACL_WHERE_NOTSMTP)),
6a8f9482
TK		 412 #endif
413
71fafd95 414 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 415 (unsigned int)
416 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 417 #endif
8523533c 418
8f128379 419 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 420
71fafd95 421 #ifdef WITH_OLD_DEMIME
2f079f46 422 (unsigned int)
fd98a5c6
JH		 423 ~((1<<ACL_WHERE_DATA)| /* demime */
424 #ifdef EXPERIMENTAL_PRDR
425 (1<<ACL_WHERE_PRDR)|
426 #endif /* EXPERIMENTAL_PRDR */
427 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 428 #endif
8e669ac1 429
80a47a2c
TK		 430 #ifndef DISABLE_DKIM
431 (unsigned int)
432 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 433
80a47a2c
TK		 434 (unsigned int)
435 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 436 #endif
fb2274d4 437
45b91596
PH		 438 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
439 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 440
2f079f46 441 (unsigned int)
fd98a5c6
JH		 442 ~((1<<ACL_WHERE_RCPT) /* domains */
443 #ifdef EXPERIMENTAL_PRDR
444 |(1<<ACL_WHERE_PRDR)
445 #endif
446 ),
059ec3d9 447
45b91596
PH		 448 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
449 (1<<ACL_WHERE_CONNECT)|
450 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 451 (1<<ACL_WHERE_HELO),
8e669ac1 452
059ec3d9 453 0, /* endpass */
8e669ac1 454
45b91596
PH		 455 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
456 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 457
2f079f46 458 (unsigned int)
fd98a5c6
JH		 459 ~((1<<ACL_WHERE_RCPT) /* local_parts */
460 #ifdef EXPERIMENTAL_PRDR
461 |(1<<ACL_WHERE_PRDR)
462 #endif
463 ),
059ec3d9
PH		 464
465 0, /* log_message */
8e669ac1 466
6ea85e9a
PH		 467 0, /* log_reject_target */
468
059ec3d9 469 0, /* logwrite */
8e669ac1 470
71fafd95 471 #ifdef WITH_CONTENT_SCAN
2f079f46 472 (unsigned int)
fd98a5c6
JH		 473 ~((1<<ACL_WHERE_DATA)| /* malware */
474 #ifdef EXPERIMENTAL_PRDR
475 (1<<ACL_WHERE_PRDR)|
476 #endif /* EXPERIMENTAL_PRDR */
477 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 478 #endif
8523533c 479
059ec3d9
PH		 480 0, /* message */
481
71fafd95 482 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 483 (unsigned int)
484 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 485 #endif
8523533c 486
870f6ba8
TF		 487 0, /* ratelimit */
488
2f079f46
PH		 489 (unsigned int)
490 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 491
71fafd95 492 #ifdef WITH_CONTENT_SCAN
2f079f46 493 (unsigned int)
fd98a5c6
JH		 494 ~((1<<ACL_WHERE_DATA)| /* regex */
495 #ifdef EXPERIMENTAL_PRDR
496 (1<<ACL_WHERE_PRDR)|
497 #endif /* EXPERIMENTAL_PRDR */
498 (1<<ACL_WHERE_NOTSMTP)|
2f079f46 499 (1<<ACL_WHERE_MIME)),
71fafd95 500 #endif
8523533c 501
e7568d51
TL		 502 (unsigned int)
503 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* remove_header */
504 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 505 #ifdef EXPERIMENTAL_PRDR
506 (1<<ACL_WHERE_PRDR)|
507 #endif
e7568d51
TL		 508 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
509 (1<<ACL_WHERE_NOTSMTP_START)),
510
059ec3d9
PH		 511 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
512 (1<<ACL_WHERE_HELO)|
513 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
514 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
515 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
516
517 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
518 (1<<ACL_WHERE_HELO)|
519 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
520 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
521 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
522
523 0, /* set */
524
71fafd95 525 #ifdef WITH_CONTENT_SCAN
2f079f46 526 (unsigned int)
fd98a5c6
JH		 527 ~((1<<ACL_WHERE_DATA)| /* spam */
528 #ifdef EXPERIMENTAL_PRDR
529 (1<<ACL_WHERE_PRDR)|
530 #endif /* EXPERIMENTAL_PRDR */
531 (1<<ACL_WHERE_NOTSMTP)),
71fafd95 532 #endif
8523533c 533
71fafd95 534 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 535 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
536 (1<<ACL_WHERE_HELO)|
537 (1<<ACL_WHERE_MAILAUTH)|
538 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 539 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
540 (1<<ACL_WHERE_NOTSMTP)|
541 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 542
543 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
544 (1<<ACL_WHERE_HELO)|
545 (1<<ACL_WHERE_MAILAUTH)|
546 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
547 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
548 (1<<ACL_WHERE_NOTSMTP)|
549 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 550 #endif
8523533c 551
059ec3d9
PH		 552 /* Certain types of verify are always allowed, so we let it through
553 always and check in the verify function itself */
554
555 0 /* verify */
059ec3d9
PH		 556};
557
558
c5fcb476
PH		 559/* Bit map vector of which controls are not allowed at certain times. For
560each control, there's a bitmap of dis-allowed times. For some, it is easier to
561specify the negation of a small number of allowed times. */
562
563static unsigned int control_forbids[] = {
c46782ef
PH		 564 (unsigned int)
565 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
566
567 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 568 0, /* bmi_run */
c46782ef
PH		 569 #endif
570
ed7f7860
PP		 571 0, /* debug */
572
80a47a2c
TK		 573 #ifndef DISABLE_DKIM
574 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
fd98a5c6
JH		 575 #ifdef EXPERIMENTAL_PRDR
576 (1<<ACL_WHERE_PRDR)|
577 #endif /* EXPERIMENTAL_PRDR */
f7572e5a
TK		 578 (1<<ACL_WHERE_NOTSMTP_START),
579 #endif
580
13363eba
PP		 581 (1<<ACL_WHERE_NOTSMTP)|
582 (1<<ACL_WHERE_NOTSMTP_START)|
583 (1<<ACL_WHERE_NOTQUIT), /* dscp */
584
c5fcb476 585 0, /* error */
8e669ac1
PH		 586
587 (unsigned int)
c5fcb476 588 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 589
590 (unsigned int)
c5fcb476 591 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 592
e4bdf652
JH		 593 (unsigned int)
594 0, /* cutthrough_delivery */
595
45b91596
PH		 596 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
597 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 598
45b91596
PH		 599 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
600 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 601
602 (unsigned int)
c5fcb476
PH		 603 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
604 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 605 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 606 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 607
608 (unsigned int)
c5fcb476
PH		 609 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
610 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 611 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 612 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 613
614 (unsigned int)
c5fcb476 615 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 616 (1<<ACL_WHERE_PREDATA)),
8523533c 617
8800895a
PH		 618 (unsigned int)
619 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 620 (1<<ACL_WHERE_PREDATA)|
621 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 622
c46782ef 623 #ifdef WITH_CONTENT_SCAN
8e669ac1 624 (unsigned int)
14d57970 625 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22 626 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6 627 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
e715ad22 628 (1<<ACL_WHERE_MIME)),
c46782ef 629 #endif
a6c4ab60 630
29aba418
TF		 631 (unsigned int)
632 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
633 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 634 #ifdef EXPERIMENTAL_PRDR
635 (1<<ACL_WHERE_PRDR)|
636 #endif /* EXPERIMENTAL_PRDR */
29aba418
TF		 637 (1<<ACL_WHERE_MIME)),
638
8e669ac1 639 (unsigned int)
a6c4ab60 640 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22 641 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
fd98a5c6
JH		 642 #ifdef EXPERIMENTAL_PRDR
643 (1<<ACL_WHERE_PRDR)|
644 #endif /* EXPERIMENTAL_PRDR */
e715ad22 645 (1<<ACL_WHERE_MIME)),
8523533c 646
45b91596 647 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 648 (1<<ACL_WHERE_NOTSMTP_START),
649
650 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 651 (1<<ACL_WHERE_NOTSMTP_START),
652
653 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 654 (1<<ACL_WHERE_NOTSMTP_START),
655
656 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 657 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 658};
659
660/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 661
662typedef struct control_def {
663 uschar *name;
664 int value; /* CONTROL_xxx value */
059ec3d9
PH		 665 BOOL has_option; /* Has /option(s) following */
666} control_def;
667
668static control_def controls_list[] = {
c46782ef 669 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 670#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 671 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 672#endif
ed7f7860 673 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 674#ifndef DISABLE_DKIM
675 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 676#endif
13363eba 677 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 678 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
679 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
680 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
681 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 682 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 683 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 684 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
685 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 686 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 687 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 688#ifdef WITH_CONTENT_SCAN
c46782ef 689 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 690#endif
c46782ef
PH		 691 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
692 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
693 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH		 694 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
695 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH		 696 };
697
e5a9dba6
PH		 698/* Support data structures for Client SMTP Authorization. acl_verify_csa()
699caches its result in a tree to avoid repeated DNS queries. The result is an
700integer code which is used as an index into the following tables of
701explanatory strings and verification return codes. */
702
703static tree_node *csa_cache = NULL;
704
705enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
706 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
707
708/* The acl_verify_csa() return code is translated into an acl_verify() return
709code using the following table. It is OK unless the client is definitely not
710authorized. This is because CSA is supposed to be optional for sending sites,
711so recipients should not be too strict about checking it - especially because
712DNS problems are quite likely to occur. It's possible to use $csa_status in
713further ACL conditions to distinguish ok, unknown, and defer if required, but
714the aim is to make the usual configuration simple. */
715
716static int csa_return_code[] = {
717 OK, OK, OK, OK,
718 FAIL, FAIL, FAIL, FAIL
719};
720
721static uschar *csa_status_string[] = {
722 US"unknown", US"ok", US"defer", US"defer",
723 US"fail", US"fail", US"fail", US"fail"
724};
725
726static uschar *csa_reason_string[] = {
727 US"unknown",
728 US"ok",
729 US"deferred (SRV lookup failed)",
730 US"deferred (target address lookup failed)",
731 US"failed (explicit authorization required)",
732 US"failed (host name not authorized)",
733 US"failed (no authorized addresses)",
734 US"failed (client address mismatch)"
735};
736
c99ce5c9
TF		 737/* Options for the ratelimit condition. Note that there are two variants of
738the per_rcpt option, depending on the ACL that is used to measure the rate.
739However any ACL must be able to look up per_rcpt rates in /noupdate mode,
740so the two variants must have the same internal representation as well as
741the same configuration string. */
742
743enum {
744 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
745 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
746};
747
748#define RATE_SET(var,new) \
749 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
750
751static uschar *ratelimit_option_string[] = {
752 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
753 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
754};
755
059ec3d9
PH		 756/* Enable recursion between acl_check_internal() and acl_check_condition() */
757
f60d98e8
JH		 758static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
759 uschar **);
059ec3d9
PH		 760
761
762/*************************************************
763* Pick out name from list *
764*************************************************/
765
766/* Use a binary chop method
767
768Arguments:
769 name name to find
770 list list of names
771 end size of list
772
773Returns: offset in list, or -1 if not found
774*/
775
776static int
777acl_checkname(uschar *name, uschar **list, int end)
778{
779int start = 0;
780
781while (start < end)
782 {
783 int mid = (start + end)/2;
784 int c = Ustrcmp(name, list[mid]);
785 if (c == 0) return mid;
786 if (c < 0) end = mid; else start = mid + 1;
787 }
788
789return -1;
790}
791
792
793/*************************************************
794* Read and parse one ACL *
795*************************************************/
796
797/* This function is called both from readconf in order to parse the ACLs in the
798configuration file, and also when an ACL is encountered dynamically (e.g. as
799the result of an expansion). It is given a function to call in order to
800retrieve the lines of the ACL. This function handles skipping comments and
801blank lines (where relevant).
802
803Arguments:
804 func function to get next line of ACL
805 error where to put an error message
806
807Returns: pointer to ACL, or NULL
808 NULL can be legal (empty ACL); in this case error will be NULL
809*/
810
811acl_block *
812acl_read(uschar *(*func)(void), uschar **error)
813{
814acl_block *yield = NULL;
815acl_block **lastp = &yield;
816acl_block *this = NULL;
817acl_condition_block *cond;
818acl_condition_block **condp = NULL;
819uschar *s;
820
821*error = NULL;
822
823while ((s = (*func)()) != NULL)
824 {
825 int v, c;
826 BOOL negated = FALSE;
827 uschar *saveline = s;
828 uschar name[64];
829
830 /* Conditions (but not verbs) are allowed to be negated by an initial
831 exclamation mark. */
832
833 while (isspace(*s)) s++;
834 if (*s == '!')
835 {
836 negated = TRUE;
837 s++;
838 }
839
cf00dad6
PH		 840 /* Read the name of a verb or a condition, or the start of a new ACL, which
841 can be started by a name, or by a macro definition. */
059ec3d9
PH		 842
843 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 844 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 845
846 /* If a verb is unrecognized, it may be another condition or modifier that
847 continues the previous verb. */
848
849 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
850 if (v < 0)
851 {
852 if (this == NULL)
853 {
4e167a8c
PH		 854 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
855 saveline);
059ec3d9
PH		 856 return NULL;
857 }
858 }
859
860 /* New verb */
861
862 else
863 {
864 if (negated)
865 {
866 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
867 return NULL;
868 }
869 this = store_get(sizeof(acl_block));
870 *lastp = this;
871 lastp = &(this->next);
872 this->next = NULL;
873 this->verb = v;
874 this->condition = NULL;
875 condp = &(this->condition);
876 if (*s == 0) continue; /* No condition on this line */
877 if (*s == '!')
878 {
879 negated = TRUE;
880 s++;
881 }
882 s = readconf_readname(name, sizeof(name), s); /* Condition name */
883 }
884
885 /* Handle a condition or modifier. */
886
887 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
888 if (c < 0)
889 {
890 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
891 saveline);
892 return NULL;
893 }
894
895 /* The modifiers may not be negated */
896
897 if (negated && cond_modifiers[c])
898 {
899 *error = string_sprintf("ACL error: negation is not allowed with "
900 "\"%s\"", conditions[c]);
901 return NULL;
902 }
903
904 /* ENDPASS may occur only with ACCEPT or DISCARD. */
905
906 if (c == ACLC_ENDPASS &&
907 this->verb != ACL_ACCEPT &&
908 this->verb != ACL_DISCARD)
909 {
910 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
911 conditions[c], verbs[this->verb]);
912 return NULL;
913 }
914
915 cond = store_get(sizeof(acl_condition_block));
916 cond->next = NULL;
917 cond->type = c;
918 cond->u.negated = negated;
919
920 *condp = cond;
921 condp = &(cond->next);
922
923 /* The "set" modifier is different in that its argument is "name=value"
924 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 925 gives us a variable name to insert into the data block. The original ACL
926 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
927 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 928 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
929 After that, we allow alphanumerics and underscores, but the first character
930 after c or m must be a digit or an underscore. This retains backwards
931 compatibility. */
059ec3d9
PH		 932
933 if (c == ACLC_SET)
934 {
47ca6d6c
PH		 935 uschar *endptr;
936
38a0a95f
PH		 937 if (Ustrncmp(s, "acl_c", 5) != 0 &&
938 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 939 {
38a0a95f
PH		 940 *error = string_sprintf("invalid variable name after \"set\" in ACL "
941 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
942 return NULL;
47ca6d6c 943 }
38a0a95f
PH		 944
945 endptr = s + 5;
641cb756
PH		 946 if (!isdigit(*endptr) && *endptr != '_')
947 {
948 *error = string_sprintf("invalid variable name after \"set\" in ACL "
949 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
950 s);
951 return NULL;
952 }
953
38a0a95f 954 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 955 {
38a0a95f
PH		 956 if (!isalnum(*endptr) && *endptr != '_')
957 {
958 *error = string_sprintf("invalid character \"%c\" in variable name "
959 "in ACL modifier \"set %s\"", *endptr, s);
960 return NULL;
961 }
962 endptr++;
47ca6d6c 963 }
47ca6d6c 964
38a0a95f 965 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 966 s = endptr;
059ec3d9
PH		 967 while (isspace(*s)) s++;
968 }
969
970 /* For "set", we are now positioned for the data. For the others, only
971 "endpass" has no data */
972
973 if (c != ACLC_ENDPASS)
974 {
975 if (*s++ != '=')
976 {
977 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
978 cond_modifiers[c]? US"modifier" : US"condition");
979 return NULL;
980 }
981 while (isspace(*s)) s++;
982 cond->arg = string_copy(s);
983 }
984 }
985
986return yield;
987}
988
989
990
71fafd95
PH		 991/*************************************************
992* Set up added header line(s) *
993*************************************************/
994
995/* This function is called by the add_header modifier, and also from acl_warn()
996to implement the now-deprecated way of adding header lines using "message" on a
997"warn" verb. The argument is treated as a sequence of header lines which are
998added to a chain, provided there isn't an identical one already there.
999
1000Argument: string of header lines
1001Returns: nothing
1002*/
1003
1004static void
1005setup_header(uschar *hstring)
1006{
1007uschar *p, *q;
1008int hlen = Ustrlen(hstring);
1009
b1b05573
JH		 1010/* Ignore any leading newlines */
1011while (*hstring == '\n') hstring++, hlen--;
71fafd95 1012
b1b05573 1013/* An empty string does nothing; ensure exactly one final newline. */
71fafd95 1014if (hlen <= 0) return;
b1b05573
JH		 1015if (hstring[--hlen] != '\n') hstring = string_sprintf("%s\n", hstring);
1016else while(hstring[--hlen] == '\n') hstring[hlen+1] = '\0';
71fafd95
PH		 1017
1018/* Loop for multiple header lines, taking care about continuations */
1019
1020for (p = q = hstring; *p != 0; )
1021 {
1022 uschar *s;
1023 int newtype = htype_add_bot;
1024 header_line **hptr = &acl_added_headers;
1025
1026 /* Find next header line within the string */
1027
1028 for (;;)
1029 {
1030 q = Ustrchr(q, '\n');
1031 if (*(++q) != ' ' && *q != '\t') break;
1032 }
1033
1034 /* If the line starts with a colon, interpret the instruction for where to
1035 add it. This temporarily sets up a new type. */
1036
1037 if (*p == ':')
1038 {
1039 if (strncmpic(p, US":after_received:", 16) == 0)
1040 {
1041 newtype = htype_add_rec;
1042 p += 16;
1043 }
1044 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
1045 {
1046 newtype = htype_add_rfc;
1047 p += 14;
1048 }
1049 else if (strncmpic(p, US":at_start:", 10) == 0)
1050 {
1051 newtype = htype_add_top;
1052 p += 10;
1053 }
1054 else if (strncmpic(p, US":at_end:", 8) == 0)
1055 {
1056 newtype = htype_add_bot;
1057 p += 8;
1058 }
1059 while (*p == ' ' || *p == '\t') p++;
1060 }
1061
1062 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1063 to the front of it. */
1064
1065 for (s = p; s < q - 1; s++)
1066 {
1067 if (*s == ':' || !isgraph(*s)) break;
1068 }
1069
438257ba 1070 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1071 hlen = Ustrlen(s);
1072
1073 /* See if this line has already been added */
1074
1075 while (*hptr != NULL)
1076 {
1077 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1078 hptr = &((*hptr)->next);
1079 }
1080
1081 /* Add if not previously present */
1082
1083 if (*hptr == NULL)
1084 {
1085 header_line *h = store_get(sizeof(header_line));
1086 h->text = s;
1087 h->next = NULL;
1088 h->type = newtype;
1089 h->slen = hlen;
1090 *hptr = h;
1091 hptr = &(h->next);
1092 }
1093
1094 /* Advance for next header line within the string */
1095
1096 p = q;
1097 }
1098}
1099
1100
1101
362145b5
JH		 1102/*************************************************
1103* List the added header lines *
1104*************************************************/
1105uschar *
1106fn_hdrs_added(void)
1107{
1108uschar * ret = NULL;
1109header_line * h = acl_added_headers;
1110uschar * s;
1111uschar * cp;
1112int size = 0;
1113int ptr = 0;
1114
1115if (!h) return NULL;
1116
1117do
1118 {
1119 s = h->text;
1120 while ((cp = Ustrchr(s, '\n')) != NULL)
1121 {
1122 if (cp[1] == '\0') break;
1123
1124 /* contains embedded newline; needs doubling */
1125 ret = string_cat(ret, &size, &ptr, s, cp-s+1);
6d9cfc47 1126 ret = string_cat(ret, &size, &ptr, US"\n", 1);
362145b5
JH		 1127 s = cp+1;
1128 }
1129 /* last bit of header */
1130
1131 ret = string_cat(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
1132 }
6d9cfc47 1133while((h = h->next));
362145b5
JH		 1134
1135ret[ptr-1] = '\0'; /* overwrite last newline */
1136return ret;
1137}
1138
1139
e7568d51
TL		 1140/*************************************************
1141* Set up removed header line(s) *
1142*************************************************/
1143
1144/* This function is called by the remove_header modifier. The argument is
1145treated as a sequence of header names which are added to a colon separated
1146list, provided there isn't an identical one already there.
1147
1148Argument: string of header names
1149Returns: nothing
1150*/
1151
1152static void
1153setup_remove_header(uschar *hnames)
1154{
1155if (*hnames != 0)
1156 {
1157 if (acl_removed_headers == NULL)
1158 acl_removed_headers = hnames;
1159 else
1160 acl_removed_headers = string_sprintf("%s : %s", acl_removed_headers, hnames);
1161 }
1162}
1163
1164
71fafd95 1165
059ec3d9
PH		 1166/*************************************************
1167* Handle warnings *
1168*************************************************/
1169
1170/* This function is called when a WARN verb's conditions are true. It adds to
1171the message's headers, and/or writes information to the log. In each case, this
1172only happens once (per message for headers, per connection for log).
1173
71fafd95
PH		 1174** NOTE: The header adding action using the "message" setting is historic, and
1175its use is now deprecated. The new add_header modifier should be used instead.
1176
059ec3d9
PH		 1177Arguments:
1178 where ACL_WHERE_xxxx indicating which ACL this is
1179 user_message message for adding to headers
1180 log_message message for logging, if different
1181
1182Returns: nothing
1183*/
1184
1185static void
1186acl_warn(int where, uschar *user_message, uschar *log_message)
1187{
059ec3d9
PH		 1188if (log_message != NULL && log_message != user_message)
1189 {
1190 uschar *text;
1191 string_item *logged;
1192
1193 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1194 string_printing(log_message));
1195
1196 /* If a sender verification has failed, and the log message is "sender verify
1197 failed", add the failure message. */
1198
1199 if (sender_verified_failed != NULL &&
1200 sender_verified_failed->message != NULL &&
1201 strcmpic(log_message, US"sender verify failed") == 0)
1202 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1203
9c7a242c
PH		 1204 /* Search previously logged warnings. They are kept in malloc
1205 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1206
1207 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1208 if (Ustrcmp(logged->text, text) == 0) break;
1209
1210 if (logged == NULL)
1211 {
1212 int length = Ustrlen(text) + 1;
1213 log_write(0, LOG_MAIN, "%s", text);
1214 logged = store_malloc(sizeof(string_item) + length);
1215 logged->text = (uschar *)logged + sizeof(string_item);
1216 memcpy(logged->text, text, length);
1217 logged->next = acl_warn_logged;
1218 acl_warn_logged = logged;
1219 }
1220 }
1221
1222/* If there's no user message, we are done. */
1223
1224if (user_message == NULL) return;
1225
1226/* If this isn't a message ACL, we can't do anything with a user message.
1227Log an error. */
1228
1229if (where > ACL_WHERE_NOTSMTP)
1230 {
1231 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1232 "found in a non-message (%s) ACL: cannot specify header lines here: "
1233 "message ignored", acl_wherenames[where]);
1234 return;
1235 }
1236
71fafd95
PH		 1237/* The code for setting up header lines is now abstracted into a separate
1238function so that it can be used for the add_header modifier as well. */
059ec3d9 1239
71fafd95 1240setup_header(user_message);
059ec3d9
PH		 1241}
1242
1243
1244
1245/*************************************************
1246* Verify and check reverse DNS *
1247*************************************************/
1248
1249/* Called from acl_verify() below. We look up the host name(s) of the client IP
1250address if this has not yet been done. The host_name_lookup() function checks
1251that one of these names resolves to an address list that contains the client IP
1252address, so we don't actually have to do the check here.
1253
1254Arguments:
1255 user_msgptr pointer for user message
1256 log_msgptr pointer for log message
1257
1258Returns: OK verification condition succeeded
1259 FAIL verification failed
1260 DEFER there was a problem verifying
1261*/
1262
1263static int
1264acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1265{
1266int rc;
1267
1268user_msgptr = user_msgptr; /* stop compiler warning */
1269
1270/* Previous success */
1271
1272if (sender_host_name != NULL) return OK;
1273
1274/* Previous failure */
1275
1276if (host_lookup_failed)
1277 {
1278 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1279 return FAIL;
1280 }
1281
1282/* Need to do a lookup */
1283
1284HDEBUG(D_acl)
1285 debug_printf("looking up host name to force name/address consistency check\n");
1286
1287if ((rc = host_name_lookup()) != OK)
1288 {
1289 *log_msgptr = (rc == DEFER)?
1290 US"host lookup deferred for reverse lookup check"
1291 :
1292 string_sprintf("host lookup failed for reverse lookup check%s",
1293 host_lookup_msg);
1294 return rc; /* DEFER or FAIL */
1295 }
1296
1297host_build_sender_fullhost();
1298return OK;
1299}
1300
1301
1302
e5a9dba6
PH		 1303/*************************************************
1304* Check client IP address matches CSA target *
1305*************************************************/
1306
1307/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1308response for address records belonging to the CSA target hostname. The section
1309is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1310If one of the addresses matches the client's IP address, then the client is
1311authorized by CSA. If there are target IP addresses but none of them match
1312then the client is using an unauthorized IP address. If there are no target IP
1313addresses then the client cannot be using an authorized IP address. (This is
1314an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1315
1316Arguments:
1317 dnsa the DNS answer block
1318 dnss a DNS scan block for us to use
1319 reset option specifing what portion to scan, as described above
1320 target the target hostname to use for matching RR names
1321
1322Returns: CSA_OK successfully authorized
1323 CSA_FAIL_MISMATCH addresses found but none matched
1324 CSA_FAIL_NOADDR no target addresses found
1325*/
1326
1327static int
1328acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1329 uschar *target)
1330{
1331dns_record *rr;
1332dns_address *da;
1333
1334BOOL target_found = FALSE;
1335
1336for (rr = dns_next_rr(dnsa, dnss, reset);
1337 rr != NULL;
1338 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1339 {
1340 /* Check this is an address RR for the target hostname. */
1341
1342 if (rr->type != T_A
1343 #if HAVE_IPV6
1344 && rr->type != T_AAAA
1345 #ifdef SUPPORT_A6
1346 && rr->type != T_A6
1347 #endif
1348 #endif
1349 ) continue;
1350
1351 if (strcmpic(target, rr->name) != 0) continue;
1352
1353 target_found = TRUE;
1354
1355 /* Turn the target address RR into a list of textual IP addresses and scan
1356 the list. There may be more than one if it is an A6 RR. */
1357
1358 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1359 {
1360 /* If the client IP address matches the target IP address, it's good! */
1361
1362 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1363
1364 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1365 }
1366 }
1367
1368/* If we found some target addresses but none of them matched, the client is
1369using an unauthorized IP address, otherwise the target has no authorized IP
1370addresses. */
1371
1372if (target_found) return CSA_FAIL_MISMATCH;
1373else return CSA_FAIL_NOADDR;
1374}
1375
1376
1377
1378/*************************************************
1379* Verify Client SMTP Authorization *
1380*************************************************/
1381
1382/* Called from acl_verify() below. This routine calls dns_lookup_special()
1383to find the CSA SRV record corresponding to the domain argument, or
1384$sender_helo_name if no argument is provided. It then checks that the
1385client is authorized, and that its IP address corresponds to the SRV
1386target's address by calling acl_verify_csa_address() above. The address
1387should have been returned in the DNS response's ADDITIONAL section, but if
1388not we perform another DNS lookup to get it.
1389
1390Arguments:
1391 domain pointer to optional parameter following verify = csa
1392
1393Returns: CSA_UNKNOWN no valid CSA record found
1394 CSA_OK successfully authorized
1395 CSA_FAIL_* client is definitely not authorized
1396 CSA_DEFER_* there was a DNS problem
1397*/
1398
1399static int
1400acl_verify_csa(uschar *domain)
1401{
1402tree_node *t;
1403uschar *found, *p;
1404int priority, weight, port;
1405dns_answer dnsa;
1406dns_scan dnss;
1407dns_record *rr;
1408int rc, type;
1409uschar target[256];
1410
1411/* Work out the domain we are using for the CSA lookup. The default is the
1412client's HELO domain. If the client has not said HELO, use its IP address
1413instead. If it's a local client (exim -bs), CSA isn't applicable. */
1414
1415while (isspace(*domain) && *domain != '\0') ++domain;
1416if (*domain == '\0') domain = sender_helo_name;
1417if (domain == NULL) domain = sender_host_address;
1418if (sender_host_address == NULL) return CSA_UNKNOWN;
1419
1420/* If we have an address literal, strip off the framing ready for turning it
1421into a domain. The framing consists of matched square brackets possibly
1422containing a keyword and a colon before the actual IP address. */
1423
1424if (domain[0] == '[')
1425 {
1426 uschar *start = Ustrchr(domain, ':');
1427 if (start == NULL) start = domain;
1428 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1429 }
1430
1431/* Turn domains that look like bare IP addresses into domains in the reverse
1432DNS. This code also deals with address literals and $sender_host_address. It's
1433not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1434address literals, but it's probably the most friendly thing to do. This is an
1435extension to CSA, so we allow it to be turned off for proper conformance. */
1436
7e66e54d 1437if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1438 {
1439 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1440 dns_build_reverse(domain, target);
1441 domain = target;
1442 }
1443
1444/* Find out if we've already done the CSA check for this domain. If we have,
1445return the same result again. Otherwise build a new cached result structure
1446for this domain. The name is filled in now, and the value is filled in when
1447we return from this function. */
1448
1449t = tree_search(csa_cache, domain);
1450if (t != NULL) return t->data.val;
1451
1452t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1453Ustrcpy(t->name, domain);
1454(void)tree_insertnode(&csa_cache, t);
1455
1456/* Now we are ready to do the actual DNS lookup(s). */
1457
28e6ef29 1458found = domain;
e5a9dba6
PH		 1459switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1460 {
1461 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1462
1463 default:
1464 return t->data.val = CSA_DEFER_SRV;
1465
1466 /* If we found nothing, the client's authorization is unknown. */
1467
1468 case DNS_NOMATCH:
1469 case DNS_NODATA:
1470 return t->data.val = CSA_UNKNOWN;
1471
1472 /* We got something! Go on to look at the reply in more detail. */
1473
1474 case DNS_SUCCEED:
1475 break;
1476 }
1477
1478/* Scan the reply for well-formed CSA SRV records. */
1479
1480for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1481 rr != NULL;
1482 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1483 {
1484 if (rr->type != T_SRV) continue;
1485
1486 /* Extract the numerical SRV fields (p is incremented) */
1487
1488 p = rr->data;
1489 GETSHORT(priority, p);
1490 GETSHORT(weight, p);
1491 GETSHORT(port, p);
1492
1493 DEBUG(D_acl)
1494 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1495
1496 /* Check the CSA version number */
1497
1498 if (priority != 1) continue;
1499
1500 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1501 found by dns_special_lookup() is a parent of the one we asked for), we check
1502 the subdomain assertions in the port field. At the moment there's only one
1503 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1504 SRV records of their own. */
1505
1506 if (found != domain)
1507 {
1508 if (port & 1)
1509 return t->data.val = CSA_FAIL_EXPLICIT;
1510 else
1511 return t->data.val = CSA_UNKNOWN;
1512 }
1513
1514 /* This CSA SRV record refers directly to our domain, so we check the value
1515 in the weight field to work out the domain's authorization. 0 and 1 are
1516 unauthorized; 3 means the client is authorized but we can't check the IP
1517 address in order to authenticate it, so we treat it as unknown; values
1518 greater than 3 are undefined. */
1519
1520 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1521
1522 if (weight > 2) continue;
1523
1524 /* Weight == 2, which means the domain is authorized. We must check that the
1525 client's IP address is listed as one of the SRV target addresses. Save the
1526 target hostname then break to scan the additional data for its addresses. */
1527
1528 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1529 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1530
1531 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1532
1533 break;
1534 }
1535
1536/* If we didn't break the loop then no appropriate records were found. */
1537
1538if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1539
1540/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1541A target of "." indicates there are no valid addresses, so the client cannot
1542be authorized. (This is an odd configuration because weight=2 target=. is
1543equivalent to weight=1, but we check for it in order to keep load off the
1544root name servers.) Note that dn_expand() turns "." into "". */
1545
1546if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1547
1548/* Scan the additional section of the CSA SRV reply for addresses belonging
1549to the target. If the name server didn't return any additional data (e.g.
1550because it does not fully support SRV records), we need to do another lookup
1551to obtain the target addresses; otherwise we have a definitive result. */
1552
1553rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1554if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1555
1556/* The DNS lookup type corresponds to the IP version used by the client. */
1557
1558#if HAVE_IPV6
1559if (Ustrchr(sender_host_address, ':') != NULL)
1560 type = T_AAAA;
1561else
1562#endif /* HAVE_IPV6 */
1563 type = T_A;
1564
1565
1566#if HAVE_IPV6 && defined(SUPPORT_A6)
1567DNS_LOOKUP_AGAIN:
1568#endif
1569
1570switch (dns_lookup(&dnsa, target, type, NULL))
1571 {
1572 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1573
1574 default:
1575 return t->data.val = CSA_DEFER_ADDR;
1576
1577 /* If the query succeeded, scan the addresses and return the result. */
1578
1579 case DNS_SUCCEED:
1580 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1581 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1582 /* else fall through */
1583
1584 /* If the target has no IP addresses, the client cannot have an authorized
1585 IP address. However, if the target site uses A6 records (not AAAA records)
1586 we have to do yet another lookup in order to check them. */
1587
1588 case DNS_NOMATCH:
1589 case DNS_NODATA:
1590
1591 #if HAVE_IPV6 && defined(SUPPORT_A6)
1592 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1593 #endif
1594
1595 return t->data.val = CSA_FAIL_NOADDR;
1596 }
1597}
1598
1599
1600
059ec3d9
PH		 1601/*************************************************
1602* Handle verification (address & other) *
1603*************************************************/
1604
89583014
JH		 1605enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1606 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1607 };
1608typedef struct {
1609 uschar * name;
1610 int value;
1611 unsigned where_allowed; /* bitmap */
1612 BOOL no_options; /* Never has /option(s) following */
1613 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1614 } verify_type_t;
1615static verify_type_t verify_type_list[] = {
1616 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1617 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1618 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1619 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1620 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1621 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1622 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1623 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1624 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1625 FALSE, 6 },
1626 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1627 };
1628
1629
1630enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1631 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1632 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1633 CALLOUT_TIME
1634 };
1635typedef struct {
1636 uschar * name;
1637 int value;
1638 int flag;
1639 BOOL has_option; /* Has =option(s) following */
1640 BOOL timeval; /* Has a time value */
1641 } callout_opt_t;
1642static callout_opt_t callout_opt_list[] = {
1643 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1644 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1645 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1646 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1647 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1648 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1649 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1650 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1651 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1652 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1653 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1654 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1655 };
1656
1657
1658
059ec3d9
PH		 1659/* This function implements the "verify" condition. It is called when
1660encountered in any ACL, because some tests are almost always permitted. Some
1661just don't make sense, and always fail (for example, an attempt to test a host
1662lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1663
1664Arguments:
1665 where where called from
1666 addr the recipient address that the ACL is handling, or NULL
1667 arg the argument of "verify"
1668 user_msgptr pointer for user message
1669 log_msgptr pointer for log message
1670 basic_errno where to put verify errno
1671
1672Returns: OK verification condition succeeded
1673 FAIL verification failed
1674 DEFER there was a problem verifying
1675 ERROR syntax error
1676*/
1677
1678static int
1679acl_verify(int where, address_item *addr, uschar *arg,
1680 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1681{
1682int sep = '/';
1683int callout = -1;
1684int callout_overall = -1;
4deaf07d 1685int callout_connect = -1;
059ec3d9
PH		 1686int verify_options = 0;
1687int rc;
1688BOOL verify_header_sender = FALSE;
1689BOOL defer_ok = FALSE;
1690BOOL callout_defer_ok = FALSE;
1691BOOL no_details = FALSE;
eafd343b 1692BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1693address_item *sender_vaddr = NULL;
1694uschar *verify_sender_address = NULL;
1695uschar *pm_mailfrom = NULL;
1696uschar *se_mailfrom = NULL;
596875b3
PH		 1697
1698/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1699an error if options are given for items that don't expect them.
596875b3
PH		 1700*/
1701
1702uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1703uschar *list = arg;
1704uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1705verify_type_t * vp;
059ec3d9
PH		 1706
1707if (ss == NULL) goto BAD_VERIFY;
1708
1709/* Handle name/address consistency verification in a separate function. */
1710
89583014
JH		 1711for (vp= verify_type_list;
1712 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1713 vp++
1714 )
1715 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1716 : strcmpic (ss, vp->name) == 0)
1717 break;
1718if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1719 goto BAD_VERIFY;
1720
1721if (vp->no_options && slash != NULL)
059ec3d9 1722 {
89583014
JH		 1723 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1724 "(this verify item has no options)", arg);
1725 return ERROR;
059ec3d9 1726 }
89583014 1727if (!(vp->where_allowed & (1<<where)))
059ec3d9 1728 {
89583014
JH		 1729 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1730 return ERROR;
059ec3d9 1731 }
89583014 1732switch(vp->value)
596875b3 1733 {
89583014
JH		 1734 case VERIFY_REV_HOST_LKUP:
1735 if (sender_host_address == NULL) return OK;
1736 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1737
89583014
JH		 1738 case VERIFY_CERT:
1739 /* TLS certificate verification is done at STARTTLS time; here we just
1740 test whether it was successful or not. (This is for optional verification; for
1741 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1742
817d9f57 1743 if (tls_in.certificate_verified) return OK;
89583014
JH		 1744 *user_msgptr = US"no verified certificate";
1745 return FAIL;
e5a9dba6 1746
89583014
JH		 1747 case VERIFY_HELO:
1748 /* We can test the result of optional HELO verification that might have
1749 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1750
89583014
JH		 1751 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1752 return helo_verified? OK : FAIL;
059ec3d9 1753
89583014
JH		 1754 case VERIFY_CSA:
1755 /* Do Client SMTP Authorization checks in a separate function, and turn the
1756 result code into user-friendly strings. */
1c41c9cc 1757
89583014
JH		 1758 rc = acl_verify_csa(list);
1759 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1760 csa_reason_string[rc]);
1761 csa_status = csa_status_string[rc];
1762 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1763 return csa_return_code[rc];
1764
1765 case VERIFY_HDR_SYNTAX:
1766 /* Check that all relevant header lines have the correct syntax. If there is
1767 a syntax error, we return details of the error to the sender if configured to
1768 send out full details. (But a "message" setting on the ACL can override, as
1769 always). */
1770
1771 rc = verify_check_headers(log_msgptr);
1772 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1773 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1774 return rc;
059ec3d9 1775
89583014
JH		 1776 case VERIFY_NOT_BLIND:
1777 /* Check that no recipient of this message is "blind", that is, every envelope
1778 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1779
89583014
JH		 1780 rc = verify_check_notblind();
1781 if (rc != OK)
1782 {
1783 *log_msgptr = string_sprintf("bcc recipient detected");
1784 if (smtp_return_error_details)
1785 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1786 }
1787 return rc;
059ec3d9 1788
89583014
JH		 1789 /* The remaining verification tests check recipient and sender addresses,
1790 either from the envelope or from the header. There are a number of
1791 slash-separated options that are common to all of them. */
059ec3d9 1792
89583014
JH		 1793 case VERIFY_HDR_SNDR:
1794 verify_header_sender = TRUE;
1795 break;
059ec3d9 1796
89583014
JH		 1797 case VERIFY_SNDR:
1798 /* In the case of a sender, this can optionally be followed by an address to use
1799 in place of the actual sender (rare special-case requirement). */
059ec3d9 1800 {
89583014
JH		 1801 uschar *s = ss + 6;
1802 if (*s == 0)
1803 verify_sender_address = sender_address;
1804 else
1805 {
1806 while (isspace(*s)) s++;
1807 if (*s++ != '=') goto BAD_VERIFY;
1808 while (isspace(*s)) s++;
1809 verify_sender_address = string_copy(s);
1810 }
059ec3d9 1811 }
89583014
JH		 1812 break;
1813
1814 case VERIFY_RCPT:
1815 break;
059ec3d9
PH		 1816 }
1817
89583014
JH		 1818
1819
596875b3
PH		 1820/* Remaining items are optional; they apply to sender and recipient
1821verification, including "header sender" verification. */
059ec3d9
PH		 1822
1823while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1824 != NULL)
1825 {
1826 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1827 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1828 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1829
1830 /* These two old options are left for backwards compatibility */
1831
1832 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1833 {
1834 callout_defer_ok = TRUE;
1835 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1836 }
1837
1838 else if (strcmpic(ss, US"check_postmaster") == 0)
1839 {
1840 pm_mailfrom = US"";
1841 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1842 }
1843
1844 /* The callout option has a number of sub-options, comma separated */
1845
1846 else if (strncmpic(ss, US"callout", 7) == 0)
1847 {
1848 callout = CALLOUT_TIMEOUT_DEFAULT;
1849 ss += 7;
1850 if (*ss != 0)
1851 {
1852 while (isspace(*ss)) ss++;
1853 if (*ss++ == '=')
1854 {
1855 int optsep = ',';
1856 uschar *opt;
1857 uschar buffer[256];
1858 while (isspace(*ss)) ss++;
8e669ac1 1859
059ec3d9
PH		 1860 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1861 != NULL)
1862 {
89583014 1863 callout_opt_t * op;
438257ba 1864 double period = 1.0F;
059ec3d9 1865
89583014 1866 for (op= callout_opt_list; op->name; op++)
438257ba 1867 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1868 break;
059ec3d9 1869
89583014
JH		 1870 verify_options |= op->flag;
1871 if (op->has_option)
1872 {
438257ba 1873 opt += Ustrlen(op->name);
4deaf07d
PH		 1874 while (isspace(*opt)) opt++;
1875 if (*opt++ != '=')
1876 {
1877 *log_msgptr = string_sprintf("'=' expected after "
89583014 1878 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1879 return ERROR;
1880 }
1881 while (isspace(*opt)) opt++;
89583014
JH		 1882 }
1883 if (op->timeval)
1884 {
1885 period = readconf_readtime(opt, 0, FALSE);
1886 if (period < 0)
4deaf07d
PH		 1887 {
1888 *log_msgptr = string_sprintf("bad time value in ACL condition "
1889 "\"verify %s\"", arg);
1890 return ERROR;
1891 }
89583014
JH		 1892 }
1893
1894 switch(op->value)
1895 {
1896 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1897 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1898 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1899 case CALLOUT_MAILFROM:
1900 if (!verify_header_sender)
1901 {
1902 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1903 "callout option only for verify=header_sender (detected in ACL "
1904 "condition \"%s\")", arg);
1905 return ERROR;
1906 }
1907 se_mailfrom = string_copy(opt);
1908 break;
1909 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1910 case CALLOUT_MAXWAIT: callout_overall = period; break;
1911 case CALLOUT_CONNECT: callout_connect = period; break;
1912 case CALLOUT_TIME: callout = period; break;
1913 }
059ec3d9
PH		 1914 }
1915 }
1916 else
1917 {
1918 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1919 "ACL condition \"%s\"", arg);
1920 return ERROR;
1921 }
1922 }
1923 }
1924
1925 /* Option not recognized */
1926
1927 else
1928 {
1929 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1930 "condition \"verify %s\"", ss, arg);
1931 return ERROR;
1932 }
1933 }
1934
1935if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1936 (vopt_callout_recipsender|vopt_callout_recippmaster))
1937 {
1938 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1939 "for a recipient callout";
1940 return ERROR;
1941 }
1942
1943/* Handle sender-in-header verification. Default the user message to the log
1944message if giving out verification details. */
1945
1946if (verify_header_sender)
1947 {
8e669ac1 1948 int verrno;
059ec3d9 1949 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1950 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1951 &verrno);
1952 if (rc != OK)
8e669ac1 1953 {
fe5b5d0b
PH		 1954 *basic_errno = verrno;
1955 if (smtp_return_error_details)
1956 {
1957 if (*user_msgptr == NULL && *log_msgptr != NULL)
1958 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1959 if (rc == DEFER) acl_temp_details = TRUE;
1960 }
8e669ac1 1961 }
059ec3d9
PH		 1962 }
1963
1964/* Handle a sender address. The default is to verify *the* sender address, but
1965optionally a different address can be given, for special requirements. If the
1966address is empty, we are dealing with a bounce message that has no sender, so
1967we cannot do any checking. If the real sender address gets rewritten during
1968verification (e.g. DNS widening), set the flag to stop it being rewritten again
1969during message reception.
1970
1971A list of verified "sender" addresses is kept to try to avoid doing to much
1972work repetitively when there are multiple recipients in a message and they all
1973require sender verification. However, when callouts are involved, it gets too
1974complicated because different recipients may require different callout options.
1975Therefore, we always do a full sender verify when any kind of callout is
1976specified. Caching elsewhere, for instance in the DNS resolver and in the
1977callout handling, should ensure that this is not terribly inefficient. */
1978
1979else if (verify_sender_address != NULL)
1980 {
1981 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1982 != 0)
1983 {
1984 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1985 "sender verify callout";
1986 return ERROR;
1987 }
1988
1989 sender_vaddr = verify_checked_sender(verify_sender_address);
1990 if (sender_vaddr != NULL && /* Previously checked */
1991 callout <= 0) /* No callout needed this time */
1992 {
1993 /* If the "routed" flag is set, it means that routing worked before, so
1994 this check can give OK (the saved return code value, if set, belongs to a
1995 callout that was done previously). If the "routed" flag is not set, routing
1996 must have failed, so we use the saved return code. */
1997
1998 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1999 {
2000 rc = sender_vaddr->special_action;
2001 *basic_errno = sender_vaddr->basic_errno;
2002 }
2003 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
2004 }
2005
2006 /* Do a new verification, and cache the result. The cache is used to avoid
2007 verifying the sender multiple times for multiple RCPTs when callouts are not
2008 specified (see comments above).
2009
2010 The cache is also used on failure to give details in response to the first
2011 RCPT that gets bounced for this reason. However, this can be suppressed by
2012 the no_details option, which sets the flag that says "this detail has already
2013 been sent". The cache normally contains just one address, but there may be
2014 more in esoteric circumstances. */
2015
2016 else
2017 {
2018 BOOL routed = TRUE;
2a3eea10 2019 uschar *save_address_data = deliver_address_data;
8e669ac1 2020
059ec3d9
PH		 2021 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
2022 if (no_details) setflag(sender_vaddr, af_sverify_told);
2023 if (verify_sender_address[0] != 0)
2024 {
2025 /* If this is the real sender address, save the unrewritten version
2026 for use later in receive. Otherwise, set a flag so that rewriting the
2027 sender in verify_address() does not update sender_address. */
2028
2029 if (verify_sender_address == sender_address)
2030 sender_address_unrewritten = sender_address;
2031 else
2032 verify_options |= vopt_fake_sender;
2033
eafd343b
TK		 2034 if (success_on_redirect)
2035 verify_options |= vopt_success_on_redirect;
2036
059ec3d9
PH		 2037 /* The recipient, qualify, and expn options are never set in
2038 verify_options. */
2039
2040 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 2041 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 2042
2043 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
2044
2045 if (rc == OK)
2046 {
2047 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
2048 {
2049 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
2050 verify_sender_address, sender_vaddr->address);
2051 }
2052 else
2053 {
2054 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
2055 verify_sender_address);
2056 }
2057 }
2058 else *basic_errno = sender_vaddr->basic_errno;
2059 }
2060 else rc = OK; /* Null sender */
2061
2062 /* Cache the result code */
2063
2064 if (routed) setflag(sender_vaddr, af_verify_routed);
2065 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
2066 sender_vaddr->special_action = rc;
2067 sender_vaddr->next = sender_verified_list;
2068 sender_verified_list = sender_vaddr;
8e669ac1
PH		 2069
2070 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 2071 the sender verification. */
8e669ac1 2072
2a3eea10 2073 deliver_address_data = save_address_data;
059ec3d9 2074 }
8e669ac1 2075
2a3eea10
PH		 2076 /* Put the sender address_data value into $sender_address_data */
2077
8e669ac1 2078 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 2079 }
2080
2081/* A recipient address just gets a straightforward verify; again we must handle
2082the DEFER overrides. */
2083
2084else
2085 {
2086 address_item addr2;
2087
eafd343b
TK		 2088 if (success_on_redirect)
2089 verify_options |= vopt_success_on_redirect;
2090
059ec3d9
PH		 2091 /* We must use a copy of the address for verification, because it might
2092 get rewritten. */
2093
2094 addr2 = *addr;
2095 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 2096 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 2097 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 2098
42855d71 2099 *basic_errno = addr2.basic_errno;
059ec3d9 2100 *log_msgptr = addr2.message;
8e669ac1 2101 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2102 addr2.user_message : addr2.message;
42855d71
PH		 2103
2104 /* Allow details for temporary error if the address is so flagged. */
2105 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 2106
2107 /* Make $address_data visible */
2108 deliver_address_data = addr2.p.address_data;
2109 }
2110
2111/* We have a result from the relevant test. Handle defer overrides first. */
2112
2113if (rc == DEFER && (defer_ok ||
2114 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2115 {
2116 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2117 defer_ok? "defer_ok" : "callout_defer_ok");
2118 rc = OK;
2119 }
2120
2121/* If we've failed a sender, set up a recipient message, and point
2122sender_verified_failed to the address item that actually failed. */
2123
2124if (rc != OK && verify_sender_address != NULL)
2125 {
2126 if (rc != DEFER)
2127 {
2128 *log_msgptr = *user_msgptr = US"Sender verify failed";
2129 }
2130 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2131 {
2132 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2133 }
2134 else
2135 {
2136 *log_msgptr = US"Could not complete sender verify callout";
2137 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2138 *log_msgptr;
2139 }
2140
2141 sender_verified_failed = sender_vaddr;
2142 }
2143
2144/* Verifying an address messes up the values of $domain and $local_part,
2145so reset them before returning if this is a RCPT ACL. */
2146
2147if (addr != NULL)
2148 {
2149 deliver_domain = addr->domain;
2150 deliver_localpart = addr->local_part;
2151 }
2152return rc;
2153
2154/* Syntax errors in the verify argument come here. */
2155
2156BAD_VERIFY:
2157*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2158 "\"helo\", \"header_syntax\", \"header_sender\" or "
2159 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2160 "\"verify %s\"", arg);
2161return ERROR;
2162}
2163
2164
2165
2166
2167/*************************************************
2168* Check argument for control= modifier *
2169*************************************************/
2170
2171/* Called from acl_check_condition() below
2172
2173Arguments:
2174 arg the argument string for control=
2175 pptr set to point to the terminating character
2176 where which ACL we are in
2177 log_msgptr for error messages
2178
2179Returns: CONTROL_xxx value
2180*/
2181
2182static int
2183decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2184{
2185int len;
2186control_def *d;
2187
2188for (d = controls_list;
2189 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2190 d++)
2191 {
2192 len = Ustrlen(d->name);
2193 if (Ustrncmp(d->name, arg, len) == 0) break;
2194 }
2195
2196if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2197 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2198 {
2199 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2200 return CONTROL_ERROR;
2201 }
2202
059ec3d9
PH		 2203*pptr = arg + len;
2204return d->value;
2205}
2206
2207
2208
c99ce5c9
TF		 2209
2210/*************************************************
2211* Return a ratelimit error *
2212*************************************************/
2213
2214/* Called from acl_ratelimit() below
2215
2216Arguments:
2217 log_msgptr for error messages
2218 format format string
2219 ... supplementary arguments
2220 ss ratelimit option name
2221 where ACL_WHERE_xxxx indicating which ACL this is
2222
2223Returns: ERROR
2224*/
2225
2226static int
2227ratelimit_error(uschar **log_msgptr, const char *format, ...)
2228{
2229va_list ap;
2230uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2231va_start(ap, format);
2232if (!string_vformat(buffer, sizeof(buffer), format, ap))
2233 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2234 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2235va_end(ap);
2236*log_msgptr = string_sprintf(
2237 "error in arguments to \"ratelimit\" condition: %s", buffer);
2238return ERROR;
2239}
2240
2241
2242
2243
870f6ba8
TF		 2244/*************************************************
2245* Handle rate limiting *
2246*************************************************/
2247
2248/* Called by acl_check_condition() below to calculate the result
2249of the ACL ratelimit condition.
2250
2251Note that the return value might be slightly unexpected: if the
2252sender's rate is above the limit then the result is OK. This is
2253similar to the dnslists condition, and is so that you can write
2254ACL clauses like: defer ratelimit = 15 / 1h
2255
2256Arguments:
2257 arg the option string for ratelimit=
90fc3069 2258 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2259 log_msgptr for error messages
2260
2261Returns: OK - Sender's rate is above limit
2262 FAIL - Sender's rate is below limit
2263 DEFER - Problem opening ratelimit database
2264 ERROR - Syntax error in options.
2265*/
2266
2267static int
90fc3069 2268acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2269{
c99ce5c9 2270double limit, period, count;
8f240103
PH		 2271uschar *ss;
2272uschar *key = NULL;
c99ce5c9 2273uschar *unique = NULL;
870f6ba8 2274int sep = '/';
c99ce5c9
TF		 2275BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2276BOOL noupdate = FALSE, badacl = FALSE;
2277int mode = RATE_PER_WHAT;
870f6ba8
TF		 2278int old_pool, rc;
2279tree_node **anchor, *t;
2280open_db dbblock, *dbm;
c99ce5c9 2281int dbdb_size;
870f6ba8 2282dbdata_ratelimit *dbd;
c99ce5c9 2283dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2284struct timeval tv;
2285
2286/* Parse the first two options and record their values in expansion
2287variables. These variables allow the configuration to have informative
2288error messages based on rate limits obtained from a table lookup. */
2289
c99ce5c9 2290/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2291size, which must be greater than or equal to zero. Zero is useful for
2292rate measurement as opposed to rate limiting. */
2293
2294sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2295if (sender_rate_limit == NULL)
2296 limit = -1.0;
2297else
2298 {
2299 limit = Ustrtod(sender_rate_limit, &ss);
2300 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2301 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2302 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2303 }
c99ce5c9
TF		 2304if (limit < 0.0 || *ss != '\0')
2305 return ratelimit_error(log_msgptr,
2306 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2307
c99ce5c9 2308/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2309constant. This must be strictly greater than zero, because zero leads to
2310run-time division errors. */
2311
2312sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2313if (sender_rate_period == NULL) period = -1.0;
2314else period = readconf_readtime(sender_rate_period, 0, FALSE);
2315if (period <= 0.0)
c99ce5c9
TF		 2316 return ratelimit_error(log_msgptr,
2317 "\"%s\" is not a time value", sender_rate_period);
2318
2319/* By default we are counting one of something, but the per_rcpt,
2320per_byte, and count options can change this. */
2321
2322count = 1.0;
870f6ba8 2323
c99ce5c9 2324/* Parse the other options. */
870f6ba8
TF		 2325
2326while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2327 != NULL)
2328 {
2329 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2330 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2331 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2332 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2333 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2334 else if (strcmpic(ss, US"per_conn") == 0)
2335 {
2336 RATE_SET(mode, PER_CONN);
2337 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2338 badacl = TRUE;
2339 }
2340 else if (strcmpic(ss, US"per_mail") == 0)
2341 {
2342 RATE_SET(mode, PER_MAIL);
2343 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2344 }
2345 else if (strcmpic(ss, US"per_rcpt") == 0)
2346 {
2347 /* If we are running in the RCPT ACL, then we'll count the recipients
2348 one by one, but if we are running when we have accumulated the whole
2349 list then we'll add them all in one batch. */
2350 if (where == ACL_WHERE_RCPT)
2351 RATE_SET(mode, PER_RCPT);
2352 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2353 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2354 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2355 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2356 }
2357 else if (strcmpic(ss, US"per_byte") == 0)
2358 {
2359 /* If we have not yet received the message data and there was no SIZE
2360 declaration on the MAIL comand, then it's safe to just use a value of
2361 zero and let the recorded rate decay as if nothing happened. */
2362 RATE_SET(mode, PER_MAIL);
2363 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2364 else count = message_size < 0 ? 0.0 : (double)message_size;
2365 }
2366 else if (strcmpic(ss, US"per_addr") == 0)
2367 {
2368 RATE_SET(mode, PER_RCPT);
438257ba 2369 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2370 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2371 }
2372 else if (strncmpic(ss, US"count=", 6) == 0)
2373 {
2374 uschar *e;
2375 count = Ustrtod(ss+6, &e);
2376 if (count < 0.0 || *e != '\0')
2377 return ratelimit_error(log_msgptr,
2378 "\"%s\" is not a positive number", ss);
2379 }
2380 else if (strncmpic(ss, US"unique=", 7) == 0)
2381 unique = string_copy(ss + 7);
2382 else if (key == NULL)
2383 key = string_copy(ss);
2384 else
2385 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2386 }
2387
c99ce5c9
TF		 2388/* Sanity check. When the badacl flag is set the update mode must either
2389be readonly (which is the default if it is omitted) or, for backwards
2390compatibility, a combination of noupdate and strict or leaky. */
2391
2392if (mode == RATE_PER_CLASH)
2393 return ratelimit_error(log_msgptr, "conflicting per_* options");
2394if (leaky + strict + readonly > 1)
2395 return ratelimit_error(log_msgptr, "conflicting update modes");
2396if (badacl && (leaky || strict) && !noupdate)
2397 return ratelimit_error(log_msgptr,
2398 "\"%s\" must not have /leaky or /strict option in %s ACL",
2399 ratelimit_option_string[mode], acl_wherenames[where]);
2400
2401/* Set the default values of any unset options. In readonly mode we
2402perform the rate computation without any increment so that its value
2403decays to eventually allow over-limit senders through. */
2404
2405if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2406if (badacl) readonly = TRUE;
2407if (readonly) count = 0.0;
2408if (!strict && !readonly) leaky = TRUE;
2409if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2410
8f240103
PH		 2411/* Create the lookup key. If there is no explicit key, use sender_host_address.
2412If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2413omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2414are added to the key because they alter the meaning of the stored data. */
2415
2416if (key == NULL)
2417 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2418
c99ce5c9 2419key = string_sprintf("%s/%s/%s%s",
8f240103 2420 sender_rate_period,
c99ce5c9
TF		 2421 ratelimit_option_string[mode],
2422 unique == NULL ? "" : "unique/",
8f240103 2423 key);
870f6ba8 2424
c99ce5c9
TF		 2425HDEBUG(D_acl)
2426 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2427
8f240103
PH		 2428/* See if we have already computed the rate by looking in the relevant tree.
2429For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2430pool so that they survive across resets. In readonly mode we only remember the
2431result for the rest of this command in case a later command changes it. After
2432this bit of logic the code is independent of the per_* mode. */
870f6ba8 2433
870f6ba8
TF		 2434old_pool = store_pool;
2435
c99ce5c9
TF		 2436if (readonly)
2437 anchor = &ratelimiters_cmd;
2438else switch(mode) {
2439case RATE_PER_CONN:
870f6ba8
TF		 2440 anchor = &ratelimiters_conn;
2441 store_pool = POOL_PERM;
c99ce5c9
TF		 2442 break;
2443case RATE_PER_BYTE:
2444case RATE_PER_MAIL:
2445case RATE_PER_ALLRCPTS:
870f6ba8 2446 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2447 break;
2448case RATE_PER_ADDR:
2449case RATE_PER_CMD:
2450case RATE_PER_RCPT:
fe0dab11 2451 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2452 break;
2453default:
3399bb60 2454 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2455 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2456 "internal ACL error: unknown ratelimit mode %d", mode);
2457 break;
2458}
870f6ba8 2459
c99ce5c9
TF		 2460t = tree_search(*anchor, key);
2461if (t != NULL)
870f6ba8
TF		 2462 {
2463 dbd = t->data.ptr;
2464 /* The following few lines duplicate some of the code below. */
8f240103 2465 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2466 store_pool = old_pool;
2467 sender_rate = string_sprintf("%.1f", dbd->rate);
2468 HDEBUG(D_acl)
2469 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2470 return rc;
2471 }
2472
c99ce5c9
TF		 2473/* We aren't using a pre-computed rate, so get a previously recorded rate
2474from the database, which will be updated and written back if required. */
870f6ba8
TF		 2475
2476dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2477if (dbm == NULL)
2478 {
2479 store_pool = old_pool;
2480 sender_rate = NULL;
2481 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2482 *log_msgptr = US"ratelimit database not available";
2483 return DEFER;
2484 }
c99ce5c9
TF		 2485dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2486dbd = NULL;
870f6ba8
TF		 2487
2488gettimeofday(&tv, NULL);
2489
c99ce5c9
TF		 2490if (dbdb != NULL)
2491 {
2492 /* Locate the basic ratelimit block inside the DB data. */
2493 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2494 dbd = &dbdb->dbd;
2495
2496 /* Forget the old Bloom filter if it is too old, so that we count each
2497 repeating event once per period. We don't simply clear and re-use the old
2498 filter because we want its size to change if the limit changes. Note that
2499 we keep the dbd pointer for copying the rate into the new data block. */
2500
2501 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2502 {
2503 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2504 dbdb = NULL;
2505 }
2506
2507 /* Sanity check. */
2508
2509 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2510 {
2511 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2512 dbdb = NULL;
2513 }
2514 }
2515
2516/* Allocate a new data block if the database lookup failed
2517or the Bloom filter passed its age limit. */
2518
2519if (dbdb == NULL)
2520 {
2521 if (unique == NULL)
2522 {
2523 /* No Bloom filter. This basic ratelimit block is initialized below. */
2524 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2525 dbdb_size = sizeof(*dbd);
2526 dbdb = store_get(dbdb_size);
2527 }
2528 else
2529 {
2530 int extra;
2531 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2532
2533 /* See the long comment below for an explanation of the magic number 2.
2534 The filter has a minimum size in case the rate limit is very small;
2535 this is determined by the definition of dbdata_ratelimit_unique. */
2536
2537 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2538 if (extra < 0) extra = 0;
2539 dbdb_size = sizeof(*dbdb) + extra;
2540 dbdb = store_get(dbdb_size);
2541 dbdb->bloom_epoch = tv.tv_sec;
2542 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2543 memset(dbdb->bloom, 0, dbdb->bloom_size);
2544
2545 /* Preserve any basic ratelimit data (which is our longer-term memory)
2546 by copying it from the discarded block. */
2547
2548 if (dbd != NULL)
2549 {
2550 dbdb->dbd = *dbd;
2551 dbd = &dbdb->dbd;
2552 }
2553 }
2554 }
2555
2556/* If we are counting unique events, find out if this event is new or not.
2557If the client repeats the event during the current period then it should be
2558counted. We skip this code in readonly mode for efficiency, because any
2559changes to the filter will be discarded and because count is already set to
2560zero. */
2561
2562if (unique != NULL && !readonly)
2563 {
2564 /* We identify unique events using a Bloom filter. (You can find my
2565 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2566 With the per_addr option, an "event" is a recipient address, though the
2567 user can use the unique option to define their own events. We only count
2568 an event if we have not seen it before.
2569
2570 We size the filter according to the rate limit, which (in leaky mode)
2571 is the limit on the population of the filter. We allow 16 bits of space
2572 per entry (see the construction code above) and we set (up to) 8 of them
2573 when inserting an element (see the loop below). The probability of a false
2574 positive (an event we have not seen before but which we fail to count) is
2575
2576 size = limit * 16
2577 numhash = 8
2578 allzero = exp(-numhash * pop / size)
2579 = exp(-0.5 * pop / limit)
2580 fpr = pow(1 - allzero, numhash)
2581
2582 For senders at the limit the fpr is 0.06% or 1 in 1700
2583 and for senders at half the limit it is 0.0006% or 1 in 170000
2584
2585 In strict mode the Bloom filter can fill up beyond the normal limit, in
2586 which case the false positive rate will rise. This means that the
2587 measured rate for very fast senders can bogusly drop off after a while.
2588
2589 At twice the limit, the fpr is 2.5% or 1 in 40
2590 At four times the limit, it is 31% or 1 in 3.2
2591
2592 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2593 decay below the limit, and if this is more than one then the Bloom filter
2594 will be discarded before the decay gets that far. The false positive rate
2595 at this threshold is 9.3% or 1 in 10.7. */
2596
2597 BOOL seen;
2598 unsigned n, hash, hinc;
2599 uschar md5sum[16];
2600 md5 md5info;
2601
2602 /* Instead of using eight independent hash values, we combine two values
2603 using the formula h1 + n * h2. This does not harm the Bloom filter's
2604 performance, and means the amount of hash we need is independent of the
2605 number of bits we set in the filter. */
2606
2607 md5_start(&md5info);
2608 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2609 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2610 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2611
2612 /* Scan the bits corresponding to this event. A zero bit means we have
2613 not seen it before. Ensure all bits are set to record this event. */
2614
2615 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2616
2617 seen = TRUE;
2618 for (n = 0; n < 8; n++, hash += hinc)
2619 {
2620 int bit = 1 << (hash % 8);
2621 int byte = (hash / 8) % dbdb->bloom_size;
2622 if ((dbdb->bloom[byte] & bit) == 0)
2623 {
2624 dbdb->bloom[byte] |= bit;
2625 seen = FALSE;
2626 }
2627 }
2628
2629 /* If this event has occurred before, do not count it. */
2630
2631 if (seen)
2632 {
2633 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2634 count = 0.0;
2635 }
2636 else
2637 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2638 }
2639
2640/* If there was no previous ratelimit data block for this key, initialize
2641the new one, otherwise update the block from the database. The initial rate
2642is what would be computed by the code below for an infinite interval. */
2643
870f6ba8
TF		 2644if (dbd == NULL)
2645 {
c99ce5c9
TF		 2646 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2647 dbd = &dbdb->dbd;
870f6ba8
TF		 2648 dbd->time_stamp = tv.tv_sec;
2649 dbd->time_usec = tv.tv_usec;
c99ce5c9 2650 dbd->rate = count;
870f6ba8
TF		 2651 }
2652else
2653 {
2654 /* The smoothed rate is computed using an exponentially weighted moving
2655 average adjusted for variable sampling intervals. The standard EWMA for
2656 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2657 where f() is the measured value and f'() is the smoothed value.
2658
2659 Old data decays out of the smoothed value exponentially, such that data n
2660 samples old is multiplied by a^n. The exponential decay time constant p
2661 is defined such that data p samples old is multiplied by 1/e, which means
2662 that a = exp(-1/p). We can maintain the same time constant for a variable
2663 sampling interval i by using a = exp(-i/p).
2664
2665 The rate we are measuring is messages per period, suitable for directly
2666 comparing with the limit. The average rate between now and the previous
2667 message is period / interval, which we feed into the EWMA as the sample.
2668
2669 It turns out that the number of messages required for the smoothed rate
2670 to reach the limit when they are sent in a burst is equal to the limit.
2671 This can be seen by analysing the value of the smoothed rate after N
2672 messages sent at even intervals. Let k = (1 - a) * p/i
2673
2674 rate_1 = (1 - a) * p/i + a * rate_0
2675 = k + a * rate_0
2676 rate_2 = k + a * rate_1
2677 = k + a * k + a^2 * rate_0
2678 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2679 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2680 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2681 = rate_0 * a^N + p/i * (1 - a^N)
2682
2683 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2684
2685 rate_N = p/i + (rate_0 - p/i) * a^N
2686 a^N = (rate_N - p/i) / (rate_0 - p/i)
2687 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2688 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2689
2690 Numerical analysis of the above equation, setting the computed rate to
2691 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2692 rates, p/i, the number of messages N = limit. So limit serves as both the
2693 maximum rate measured in messages per period, and the maximum number of
2694 messages that can be sent in a fast burst. */
2695
2696 double this_time = (double)tv.tv_sec
2697 + (double)tv.tv_usec / 1000000.0;
2698 double prev_time = (double)dbd->time_stamp
2699 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2700
2701 /* We must avoid division by zero, and deal gracefully with the clock going
2702 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2703 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2704
e5d5a95f
TF		 2705 double interval = this_time - prev_time <= 0.0 ? 1e-9
2706 : this_time - prev_time;
2707
2708 double i_over_p = interval / period;
2709 double a = exp(-i_over_p);
870f6ba8 2710
c99ce5c9
TF		 2711 /* Combine the instantaneous rate (period / interval) with the previous rate
2712 using the smoothing factor a. In order to measure sized events, multiply the
2713 instantaneous rate by the count of bytes or recipients etc. */
2714
870f6ba8
TF		 2715 dbd->time_stamp = tv.tv_sec;
2716 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2717 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2718
2719 /* When events are very widely spaced the computed rate tends towards zero.
2720 Although this is accurate it turns out not to be useful for our purposes,
2721 especially when the first event after a long silence is the start of a spam
2722 run. A more useful model is that the rate for an isolated event should be the
2723 size of the event per the period size, ignoring the lack of events outside
2724 the current period and regardless of where the event falls in the period. So,
2725 if the interval was so long that the calculated rate is unhelpfully small, we
2726 re-intialize the rate. In the absence of higher-rate bursts, the condition
2727 below is true if the interval is greater than the period. */
2728
2729 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2730 }
2731
c99ce5c9
TF		 2732/* Clients sending at the limit are considered to be over the limit.
2733This matters for edge cases such as a limit of zero, when the client
2734should be completely blocked. */
3348576f 2735
8f240103 2736rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2737
2738/* Update the state if the rate is low or if we are being strict. If we
2739are in leaky mode and the sender's rate is too high, we do not update
2740the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2741rate preventing them from getting any email through. If readonly is set,
2742neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2743
c99ce5c9 2744if ((rc == FAIL && leaky) || strict)
8f240103 2745 {
c99ce5c9 2746 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2747 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2748 }
2749else
2750 {
2751 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2752 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2753 }
2754
870f6ba8
TF		 2755dbfn_close(dbm);
2756
c99ce5c9 2757/* Store the result in the tree for future reference. */
870f6ba8 2758
c99ce5c9
TF		 2759t = store_get(sizeof(tree_node) + Ustrlen(key));
2760t->data.ptr = dbd;
2761Ustrcpy(t->name, key);
2762(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2763
2764/* We create the formatted version of the sender's rate very late in
2765order to ensure that it is done using the correct storage pool. */
2766
2767store_pool = old_pool;
2768sender_rate = string_sprintf("%.1f", dbd->rate);
2769
2770HDEBUG(D_acl)
2771 debug_printf("ratelimit computed rate %s\n", sender_rate);
2772
2773return rc;
2774}
2775
2776
2777
059ec3d9
PH		 2778/*************************************************
2779* Handle conditions/modifiers on an ACL item *
2780*************************************************/
2781
2782/* Called from acl_check() below.
2783
2784Arguments:
2785 verb ACL verb
2786 cb ACL condition block - if NULL, result is OK
2787 where where called from
2788 addr the address being checked for RCPT, or NULL
2789 level the nesting level
2790 epp pointer to pass back TRUE if "endpass" encountered
2791 (applies only to "accept" and "discard")
2792 user_msgptr user message pointer
2793 log_msgptr log message pointer
2794 basic_errno pointer to where to put verify error
2795
2796Returns: OK - all conditions are met
2797 DISCARD - an "acl" condition returned DISCARD - only allowed
2798 for "accept" or "discard" verbs
2799 FAIL - at least one condition fails
2800 FAIL_DROP - an "acl" condition returned FAIL_DROP
2801 DEFER - can't tell at the moment (typically, lookup defer,
2802 but can be temporary callout problem)
2803 ERROR - ERROR from nested ACL or expansion failure or other
2804 error
2805*/
2806
2807static int
2808acl_check_condition(int verb, acl_condition_block *cb, int where,
2809 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2810 uschar **log_msgptr, int *basic_errno)
2811{
2812uschar *user_message = NULL;
2813uschar *log_message = NULL;
ed7f7860
PP		 2814uschar *debug_tag = NULL;
2815uschar *debug_opts = NULL;
91ecef39 2816uschar *p = NULL;
059ec3d9 2817int rc = OK;
8523533c
TK		 2818#ifdef WITH_CONTENT_SCAN
2819int sep = '/';
2820#endif
059ec3d9
PH		 2821
2822for (; cb != NULL; cb = cb->next)
2823 {
2824 uschar *arg;
8e669ac1 2825 int control_type;
059ec3d9
PH		 2826
2827 /* The message and log_message items set up messages to be used in
2828 case of rejection. They are expanded later. */
2829
2830 if (cb->type == ACLC_MESSAGE)
2831 {
2832 user_message = cb->arg;
2833 continue;
2834 }
2835
2836 if (cb->type == ACLC_LOG_MESSAGE)
2837 {
2838 log_message = cb->arg;
2839 continue;
2840 }
2841
2842 /* The endpass "condition" just sets a flag to show it occurred. This is
2843 checked at compile time to be on an "accept" or "discard" item. */
2844
2845 if (cb->type == ACLC_ENDPASS)
2846 {
2847 *epp = TRUE;
2848 continue;
2849 }
2850
2851 /* For other conditions and modifiers, the argument is expanded now for some
2852 of them, but not for all, because expansion happens down in some lower level
2853 checking functions in some cases. */
2854
2855 if (cond_expand_at_top[cb->type])
2856 {
2857 arg = expand_string(cb->arg);
2858 if (arg == NULL)
2859 {
2860 if (expand_string_forcedfail) continue;
2861 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2862 cb->arg, expand_string_message);
2863 return search_find_defer? DEFER : ERROR;
2864 }
2865 }
2866 else arg = cb->arg;
2867
2868 /* Show condition, and expanded condition if it's different */
2869
2870 HDEBUG(D_acl)
2871 {
2872 int lhswidth = 0;
2873 debug_printf("check %s%s %n",
2874 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2875 conditions[cb->type], &lhswidth);
2876
2877 if (cb->type == ACLC_SET)
2878 {
38a0a95f
PH		 2879 debug_printf("acl_%s ", cb->u.varname);
2880 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2881 }
2882
2883 debug_printf("= %s\n", cb->arg);
2884
2885 if (arg != cb->arg)
2886 debug_printf("%.*s= %s\n", lhswidth,
2887 US" ", CS arg);
2888 }
2889
2890 /* Check that this condition makes sense at this time */
2891
2892 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2893 {
2894 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2895 cond_modifiers[cb->type]? "use" : "test",
2896 conditions[cb->type], acl_wherenames[where]);
2897 return ERROR;
2898 }
2899
2900 /* Run the appropriate test for each condition, or take the appropriate
2901 action for the remaining modifiers. */
2902
2903 switch(cb->type)
2904 {
71fafd95
PH		 2905 case ACLC_ADD_HEADER:
2906 setup_header(arg);
2907 break;
2908
059ec3d9
PH		 2909 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2910 "discard" verb. */
71fafd95 2911
059ec3d9 2912 case ACLC_ACL:
f60d98e8 2913 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 2914 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2915 {
2916 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2917 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2918 verbs[verb]);
2919 return ERROR;
2920 }
059ec3d9
PH		 2921 break;
2922
2923 case ACLC_AUTHENTICATED:
2924 rc = (sender_host_authenticated == NULL)? FAIL :
2925 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2926 TRUE, NULL);
2927 break;
2928
71fafd95 2929 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2930 case ACLC_BMI_OPTIN:
2931 {
2932 int old_pool = store_pool;
2933 store_pool = POOL_PERM;
2934 bmi_current_optin = string_copy(arg);
2935 store_pool = old_pool;
2936 }
2937 break;
71fafd95 2938 #endif
8523533c 2939
059ec3d9 2940 case ACLC_CONDITION:
f3766eb5
NM		 2941 /* The true/false parsing here should be kept in sync with that used in
2942 expand.c when dealing with ECOND_BOOL so that we don't have too many
2943 different definitions of what can be a boolean. */
059ec3d9
PH		 2944 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2945 rc = (Uatoi(arg) == 0)? FAIL : OK;
2946 else
2947 rc = (strcmpic(arg, US"no") == 0 ||
2948 strcmpic(arg, US"false") == 0)? FAIL :
2949 (strcmpic(arg, US"yes") == 0 ||
2950 strcmpic(arg, US"true") == 0)? OK : DEFER;
2951 if (rc == DEFER)
2952 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2953 break;
2954
c3611384
PH		 2955 case ACLC_CONTINUE: /* Always succeeds */
2956 break;
2957
059ec3d9 2958 case ACLC_CONTROL:
c5fcb476
PH		 2959 control_type = decode_control(arg, &p, where, log_msgptr);
2960
8523533c 2961 /* Check if this control makes sense at this time */
c5fcb476
PH		 2962
2963 if ((control_forbids[control_type] & (1 << where)) != 0)
2964 {
2965 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2966 controls[control_type], acl_wherenames[where]);
2967 return ERROR;
8e669ac1 2968 }
c5fcb476
PH		 2969
2970 switch(control_type)
059ec3d9 2971 {
c46782ef
PH		 2972 case CONTROL_AUTH_UNADVERTISED:
2973 allow_auth_unadvertised = TRUE;
2974 break;
2975
2976 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2977 case CONTROL_BMI_RUN:
2978 bmi_run = 1;
2979 break;
c46782ef
PH		 2980 #endif
2981
80a47a2c 2982 #ifndef DISABLE_DKIM
f7572e5a 2983 case CONTROL_DKIM_VERIFY:
80a47a2c 2984 dkim_disable_verify = TRUE;
f7572e5a
TK		 2985 break;
2986 #endif
2987
13363eba
PP		 2988 case CONTROL_DSCP:
2989 if (*p == '/')
2990 {
2991 int fd, af, level, optname, value;
2992 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2993 a socket; we can accept that, we'll just debug-log failures anyway. */
2994 fd = fileno(smtp_in);
2995 af = ip_get_address_family(fd);
2996 if (af < 0)
2997 {
2998 HDEBUG(D_acl)
2999 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3000 strerror(errno));
3001 break;
3002 }
3003 if (dscp_lookup(p+1, af, &level, &optname, &value))
3004 {
3005 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3006 {
3007 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3008 p+1, strerror(errno));
3009 }
3010 else
3011 {
3012 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3013 }
3014 }
3015 else
3016 {
3017 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3018 return ERROR;
3019 }
3020 }
3021 else
3022 {
3023 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3024 return ERROR;
3025 }
3026 break;
3027
059ec3d9
PH		 3028 case CONTROL_ERROR:
3029 return ERROR;
3030
3031 case CONTROL_CASEFUL_LOCAL_PART:
3032 deliver_localpart = addr->cc_local_part;
3033 break;
3034
3035 case CONTROL_CASELOWER_LOCAL_PART:
3036 deliver_localpart = addr->lc_local_part;
3037 break;
3038
3039 case CONTROL_ENFORCE_SYNC:
3040 smtp_enforce_sync = TRUE;
3041 break;
3042
3043 case CONTROL_NO_ENFORCE_SYNC:
3044 smtp_enforce_sync = FALSE;
3045 break;
3046
c46782ef 3047 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3048 case CONTROL_NO_MBOX_UNSPOOL:
3049 no_mbox_unspool = TRUE;
3050 break;
c46782ef 3051 #endif
8523533c 3052
059ec3d9
PH		 3053 case CONTROL_NO_MULTILINE:
3054 no_multiline_responses = TRUE;
3055 break;
3056
cf8b11a5
PH		 3057 case CONTROL_NO_PIPELINING:
3058 pipelining_enable = FALSE;
3059 break;
3060
047bdd8c
PH		 3061 case CONTROL_NO_DELAY_FLUSH:
3062 disable_delay_flush = TRUE;
3063 break;
3064
4c590bd1
PH		 3065 case CONTROL_NO_CALLOUT_FLUSH:
3066 disable_callout_flush = TRUE;
3067 break;
3068
29aba418 3069 case CONTROL_FAKEDEFER:
8523533c 3070 case CONTROL_FAKEREJECT:
29aba418 3071 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 3072 if (*p == '/')
8e669ac1 3073 {
8523533c 3074 uschar *pp = p + 1;
8e669ac1 3075 while (*pp != 0) pp++;
29aba418 3076 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 3077 p = pp;
3078 }
3079 else
3080 {
3081 /* Explicitly reset to default string */
29aba418 3082 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 3083 }
3084 break;
8523533c 3085
059ec3d9
PH		 3086 case CONTROL_FREEZE:
3087 deliver_freeze = TRUE;
3088 deliver_frozen_at = time(NULL);
6a3f1455
PH		 3089 freeze_tell = freeze_tell_config; /* Reset to configured value */
3090 if (Ustrncmp(p, "/no_tell", 8) == 0)
3091 {
3092 p += 8;
3093 freeze_tell = NULL;
3094 }
3095 if (*p != 0)
3096 {
3097 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3098 return ERROR;
3099 }
059ec3d9
PH		 3100 break;
3101
3102 case CONTROL_QUEUE_ONLY:
3103 queue_only_policy = TRUE;
3104 break;
3105
3106 case CONTROL_SUBMISSION:
87ba3f5f 3107 originator_name = US"";
059ec3d9 3108 submission_mode = TRUE;
69358f02 3109 while (*p == '/')
8e669ac1 3110 {
69358f02
PH		 3111 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3112 {
3113 p += 14;
3114 active_local_sender_retain = TRUE;
8e669ac1
PH		 3115 active_local_from_check = FALSE;
3116 }
69358f02
PH		 3117 else if (Ustrncmp(p, "/domain=", 8) == 0)
3118 {
3119 uschar *pp = p + 8;
8e669ac1 3120 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 3121 submission_domain = string_copyn(p+8, pp-p-8);
3122 p = pp;
3123 }
8857ccfd
PH		 3124 /* The name= option must be last, because it swallows the rest of
3125 the string. */
87ba3f5f
PH		 3126 else if (Ustrncmp(p, "/name=", 6) == 0)
3127 {
3128 uschar *pp = p + 6;
8857ccfd 3129 while (*pp != 0) pp++;
2fe1a124 3130 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3131 big_buffer, big_buffer_size));
8e669ac1 3132 p = pp;
69358f02 3133 }
8e669ac1
PH		 3134 else break;
3135 }
69358f02 3136 if (*p != 0)
059ec3d9 3137 {
69358f02 3138 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3139 return ERROR;
3140 }
3141 break;
8800895a 3142
ed7f7860
PP		 3143 case CONTROL_DEBUG:
3144 while (*p == '/')
3145 {
3146 if (Ustrncmp(p, "/tag=", 5) == 0)
3147 {
3148 uschar *pp = p + 5;
3149 while (*pp != '\0' && *pp != '/') pp++;
3150 debug_tag = string_copyn(p+5, pp-p-5);
3151 p = pp;
3152 }
3153 else if (Ustrncmp(p, "/opts=", 6) == 0)
3154 {
3155 uschar *pp = p + 6;
3156 while (*pp != '\0' && *pp != '/') pp++;
3157 debug_opts = string_copyn(p+6, pp-p-6);
3158 p = pp;
3159 }
3160 }
3161 debug_logging_activate(debug_tag, debug_opts);
3162 break;
3163
8800895a
PH		 3164 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3165 suppress_local_fixups = TRUE;
3166 break;
e4bdf652
JH		 3167
3168 case CONTROL_CUTTHROUGH_DELIVERY:
3169 if (deliver_freeze)
3170 {
3171 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3172 return ERROR;
3173 }
3174 if (queue_only_policy)
3175 {
3176 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3177 return ERROR;
3178 }
3179 cutthrough_delivery = TRUE;
3180 break;
059ec3d9
PH		 3181 }
3182 break;
3183
6a8f9482
TK		 3184 #ifdef EXPERIMENTAL_DCC
3185 case ACLC_DCC:
3186 {
3187 /* Seperate the regular expression and any optional parameters. */
3188 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3189 /* Run the dcc backend. */
3190 rc = dcc_process(&ss);
3191 /* Modify return code based upon the existance of options. */
3192 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3193 != NULL) {
3194 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3195 {
3196 /* FAIL so that the message is passed to the next ACL */
3197 rc = FAIL;
3198 }
3199 }
3200 }
3201 break;
3202 #endif
3203
71fafd95 3204 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3205 case ACLC_DECODE:
3206 rc = mime_decode(&arg);
3207 break;
71fafd95 3208 #endif
8523533c 3209
059ec3d9
PH		 3210 case ACLC_DELAY:
3211 {
3212 int delay = readconf_readtime(arg, 0, FALSE);
3213 if (delay < 0)
3214 {
3215 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3216 "modifier: \"%s\" is not a time value", arg);
3217 return ERROR;
3218 }
3219 else
3220 {
3221 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3222 delay);
3223 if (host_checking)
3224 {
3225 HDEBUG(D_acl)
3226 debug_printf("delay skipped in -bh checking mode\n");
3227 }
010c2d14
PH		 3228
3229 /* It appears to be impossible to detect that a TCP/IP connection has
3230 gone away without reading from it. This means that we cannot shorten
3231 the delay below if the client goes away, because we cannot discover
3232 that the client has closed its end of the connection. (The connection
3233 is actually in a half-closed state, waiting for the server to close its
3234 end.) It would be nice to be able to detect this state, so that the
3235 Exim process is not held up unnecessarily. However, it seems that we
3236 can't. The poll() function does not do the right thing, and in any case
3237 it is not always available.
3238
047bdd8c 3239 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3240 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3241 Also, delays may be specified for non-SMTP input, where smtp_out and
3242 smtp_in will be NULL. Whatever is done must work in all cases.
3243
3244 NOTE 2: The added feature of flushing the output before a delay must
3245 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3246 */
010c2d14 3247
8e669ac1 3248 else
86b8287f 3249 {
14f4a80d 3250 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3251 while (delay > 0) delay = sleep(delay);
8e669ac1 3252 }
059ec3d9
PH		 3253 }
3254 }
3255 break;
3256
71fafd95 3257 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3258 case ACLC_DEMIME:
3259 rc = demime(&arg);
3260 break;
71fafd95 3261 #endif
8523533c 3262
80a47a2c
TK		 3263 #ifndef DISABLE_DKIM
3264 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3265 if (dkim_cur_signer != NULL)
3266 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3267 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3268 else
80a47a2c 3269 rc = FAIL;
71fafd95
PH		 3270 break;
3271
80a47a2c
TK		 3272 case ACLC_DKIM_STATUS:
3273 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3274 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3275 break;
3276 #endif
fb2274d4 3277
059ec3d9
PH		 3278 case ACLC_DNSLISTS:
3279 rc = verify_check_dnsbl(&arg);
3280 break;
3281
3282 case ACLC_DOMAINS:
3283 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3284 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3285 break;
3286
3287 /* The value in tls_cipher is the full cipher name, for example,
3288 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3289 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3290 what may in practice come out of the SSL library - which at the time of
3291 writing is poorly documented. */
3292
3293 case ACLC_ENCRYPTED:
817d9f57 3294 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3295 {
3296 uschar *endcipher = NULL;
817d9f57
JH		 3297 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3298 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3299 {
3300 endcipher = Ustrchr(++cipher, ':');
3301 if (endcipher != NULL) *endcipher = 0;
3302 }
3303 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3304 if (endcipher != NULL) *endcipher = ':';
3305 }
3306 break;
3307
3308 /* Use verify_check_this_host() instead of verify_check_host() so that
3309 we can pass over &host_data to catch any looked up data. Once it has been
3310 set, it retains its value so that it's still there if another ACL verb
3311 comes through here and uses the cache. However, we must put it into
3312 permanent store in case it is also expected to be used in a subsequent
3313 message in the same SMTP connection. */
3314
3315 case ACLC_HOSTS:
3316 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3317 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3318 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3319 break;
3320
3321 case ACLC_LOCAL_PARTS:
3322 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3323 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3324 &deliver_localpart_data);
3325 break;
3326
6ea85e9a
PH		 3327 case ACLC_LOG_REJECT_TARGET:
3328 {
3329 int logbits = 0;
3330 int sep = 0;
3331 uschar *s = arg;
3332 uschar *ss;
3333 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3334 != NULL)
3335 {
3336 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3337 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3338 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3339 else
3340 {
3341 logbits |= LOG_MAIN|LOG_REJECT;
3342 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3343 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3344 }
3345 }
3346 log_reject_target = logbits;
3347 }
3348 break;
3349
059ec3d9
PH		 3350 case ACLC_LOGWRITE:
3351 {
3352 int logbits = 0;
3353 uschar *s = arg;
3354 if (*s == ':')
3355 {
3356 s++;
3357 while (*s != ':')
3358 {
3359 if (Ustrncmp(s, "main", 4) == 0)
3360 { logbits |= LOG_MAIN; s += 4; }
3361 else if (Ustrncmp(s, "panic", 5) == 0)
3362 { logbits |= LOG_PANIC; s += 5; }
3363 else if (Ustrncmp(s, "reject", 6) == 0)
3364 { logbits |= LOG_REJECT; s += 6; }
3365 else
3366 {
3367 logbits = LOG_MAIN|LOG_PANIC;
3368 s = string_sprintf(":unknown log name in \"%s\" in "
3369 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3370 }
3371 if (*s == ',') s++;
3372 }
3373 s++;
3374 }
3375 while (isspace(*s)) s++;
6ea85e9a
PH		 3376
3377
059ec3d9
PH		 3378 if (logbits == 0) logbits = LOG_MAIN;
3379 log_write(0, logbits, "%s", string_printing(s));
3380 }
3381 break;
8e669ac1 3382
71fafd95 3383 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3384 case ACLC_MALWARE:
3385 {
6ea85e9a 3386 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3387 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3388 /* Run the malware backend. */
3389 rc = malware(&ss);
3390 /* Modify return code based upon the existance of options. */
3391 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3392 != NULL) {
3393 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3394 {
3395 /* FAIL so that the message is passed to the next ACL */
3396 rc = FAIL;
3397 }
3398 }
3399 }
3400 break;
3401
3402 case ACLC_MIME_REGEX:
71fafd95 3403 rc = mime_regex(&arg);
8523533c 3404 break;
71fafd95 3405 #endif
059ec3d9 3406
870f6ba8 3407 case ACLC_RATELIMIT:
90fc3069 3408 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3409 break;
3410
059ec3d9
PH		 3411 case ACLC_RECIPIENTS:
3412 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3413 &recipient_data);
3414 break;
3415
71fafd95
PH		 3416 #ifdef WITH_CONTENT_SCAN
3417 case ACLC_REGEX:
3418 rc = regex(&arg);
8523533c 3419 break;
71fafd95 3420 #endif
8523533c 3421
e7568d51
TL		 3422 case ACLC_REMOVE_HEADER:
3423 setup_remove_header(arg);
3424 break;
3425
059ec3d9
PH		 3426 case ACLC_SENDER_DOMAINS:
3427 {
3428 uschar *sdomain;
3429 sdomain = Ustrrchr(sender_address, '@');
3430 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3431 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3432 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3433 }
3434 break;
3435
3436 case ACLC_SENDERS:
3437 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3438 sender_address_cache, -1, 0, &sender_data);
3439 break;
3440
3441 /* Connection variables must persist forever */
3442
3443 case ACLC_SET:
3444 {
3445 int old_pool = store_pool;
38a0a95f
PH		 3446 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3447 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3448 store_pool = old_pool;
3449 }
3450 break;
3451
71fafd95 3452 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3453 case ACLC_SPAM:
3454 {
3455 /* Seperate the regular expression and any optional parameters. */
3456 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3457 /* Run the spam backend. */
3458 rc = spam(&ss);
3459 /* Modify return code based upon the existance of options. */
3460 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3461 != NULL) {
3462 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3463 {
3464 /* FAIL so that the message is passed to the next ACL */
3465 rc = FAIL;
3466 }
3467 }
3468 }
3469 break;
71fafd95 3470 #endif
8523533c 3471
71fafd95 3472 #ifdef EXPERIMENTAL_SPF
8523533c 3473 case ACLC_SPF:
65a7d8c3
NM		 3474 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3475 break;
3476 case ACLC_SPF_GUESS:
3477 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3478 break;
71fafd95 3479 #endif
8523533c 3480
059ec3d9
PH		 3481 /* If the verb is WARN, discard any user message from verification, because
3482 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3483 only from explicit "message" modifiers. However, put the user message into
3484 $acl_verify_message so it can be used in subsequent conditions or modifiers
3485 (until something changes it). */
059ec3d9
PH		 3486
3487 case ACLC_VERIFY:
3488 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3489 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3490 if (verb == ACL_WARN) *user_msgptr = NULL;
3491 break;
3492
3493 default:
3494 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3495 "condition %d", cb->type);
3496 break;
3497 }
3498
3499 /* If a condition was negated, invert OK/FAIL. */
3500
3501 if (!cond_modifiers[cb->type] && cb->u.negated)
3502 {
3503 if (rc == OK) rc = FAIL;
3504 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3505 }
3506
3507 if (rc != OK) break; /* Conditions loop */
3508 }
3509
3510
3511/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3512handle the values of these modifiers. If there isn't a log message set, we make
3513it the same as the user message.
059ec3d9
PH		 3514
3515"message" is a user message that will be included in an SMTP response. Unless
3516it is empty, it overrides any previously set user message.
3517
3518"log_message" is a non-user message, and it adds to any existing non-user
3519message that is already set.
3520
4e88a19f
PH		 3521Most verbs have but a single return for which the messages are relevant, but
3522for "discard", it's useful to have the log message both when it succeeds and
3523when it fails. For "accept", the message is used in the OK case if there is no
3524"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3525present. */
059ec3d9 3526
4e88a19f
PH		 3527if (*epp && rc == OK) user_message = NULL;
3528
3529if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3530 {
3531 uschar *expmessage;
4e88a19f
PH		 3532 uschar *old_user_msgptr = *user_msgptr;
3533 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3534
3535 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3536 nested ACLs) are always discarded. This also happens for acceptance verbs
3537 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3538 However, the value of an existing message is available in $acl_verify_message
3539 during expansions. */
3540
4e88a19f
PH		 3541 if (verb == ACL_WARN ||
3542 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3543 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3544
3545 if (user_message != NULL)
3546 {
3547 acl_verify_message = old_user_msgptr;
3548 expmessage = expand_string(user_message);
3549 if (expmessage == NULL)
3550 {
3551 if (!expand_string_forcedfail)
3552 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3553 user_message, expand_string_message);
3554 }
3555 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3556 }
3557
3558 if (log_message != NULL)
3559 {
3560 acl_verify_message = old_log_msgptr;
3561 expmessage = expand_string(log_message);
3562 if (expmessage == NULL)
3563 {
3564 if (!expand_string_forcedfail)
3565 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3566 log_message, expand_string_message);
3567 }
3568 else if (expmessage[0] != 0)
3569 {
3570 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3571 string_sprintf("%s: %s", expmessage, *log_msgptr);
3572 }
3573 }
3574
3575 /* If no log message, default it to the user message */
3576
3577 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3578 }
3579
3580acl_verify_message = NULL;
3581return rc;
3582}
3583
3584
3585
3586
3587
3588/*************************************************
3589* Get line from a literal ACL *
3590*************************************************/
3591
3592/* This function is passed to acl_read() in order to extract individual lines
3593of a literal ACL, which we access via static pointers. We can destroy the
3594contents because this is called only once (the compiled ACL is remembered).
3595
3596This code is intended to treat the data in the same way as lines in the main
3597Exim configuration file. That is:
3598
3599 . Leading spaces are ignored.
3600
3601 . A \ at the end of a line is a continuation - trailing spaces after the \
3602 are permitted (this is because I don't believe in making invisible things
3603 significant). Leading spaces on the continued part of a line are ignored.
3604
3605 . Physical lines starting (significantly) with # are totally ignored, and
3606 may appear within a sequence of backslash-continued lines.
3607
3608 . Blank lines are ignored, but will end a sequence of continuations.
3609
3610Arguments: none
3611Returns: a pointer to the next line
3612*/
3613
3614
3615static uschar *acl_text; /* Current pointer in the text */
3616static uschar *acl_text_end; /* Points one past the terminating '0' */
3617
3618
3619static uschar *
3620acl_getline(void)
3621{
3622uschar *yield;
3623
3624/* This loop handles leading blank lines and comments. */
3625
3626for(;;)
3627 {
3628 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3629 if (*acl_text == 0) return NULL; /* No more data */
3630 yield = acl_text; /* Potential data line */
3631
3632 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3633
3634 /* If we hit the end before a newline, we have the whole logical line. If
3635 it's a comment, there's no more data to be given. Otherwise, yield it. */
3636
3637 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3638
3639 /* After reaching a newline, end this loop if the physical line does not
3640 start with '#'. If it does, it's a comment, and the loop continues. */
3641
3642 if (*yield != '#') break;
3643 }
3644
3645/* This loop handles continuations. We know we have some real data, ending in
3646newline. See if there is a continuation marker at the end (ignoring trailing
3647white space). We know that *yield is not white space, so no need to test for
3648cont > yield in the backwards scanning loop. */
3649
3650for(;;)
3651 {
3652 uschar *cont;
3653 for (cont = acl_text - 1; isspace(*cont); cont--);
3654
3655 /* If no continuation follows, we are done. Mark the end of the line and
3656 return it. */
3657
3658 if (*cont != '\\')
3659 {
3660 *acl_text++ = 0;
3661 return yield;
3662 }
3663
3664 /* We have encountered a continuation. Skip over whitespace at the start of
3665 the next line, and indeed the whole of the next line or lines if they are
3666 comment lines. */
3667
3668 for (;;)
3669 {
3670 while (*(++acl_text) == ' ' || *acl_text == '\t');
3671 if (*acl_text != '#') break;
3672 while (*(++acl_text) != 0 && *acl_text != '\n');
3673 }
3674
3675 /* We have the start of a continuation line. Move all the rest of the data
3676 to join onto the previous line, and then find its end. If the end is not a
3677 newline, we are done. Otherwise loop to look for another continuation. */
3678
3679 memmove(cont, acl_text, acl_text_end - acl_text);
3680 acl_text_end -= acl_text - cont;
3681 acl_text = cont;
3682 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3683 if (*acl_text == 0) return yield;
3684 }
3685
3686/* Control does not reach here */
3687}
3688
3689
3690
3691
3692
3693/*************************************************
3694* Check access using an ACL *
3695*************************************************/
3696
3697/* This function is called from address_check. It may recurse via
3698acl_check_condition() - hence the use of a level to stop looping. The ACL is
3699passed as a string which is expanded. A forced failure implies no access check
3700is required. If the result is a single word, it is taken as the name of an ACL
3701which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3702text, complete with newlines, and parsed as such. In both cases, the ACL check
3703is then run. This function uses an auxiliary function for acl_read() to call
3704for reading individual lines of a literal ACL. This is acl_getline(), which
3705appears immediately above.
3706
3707Arguments:
3708 where where called from
3709 addr address item when called from RCPT; otherwise NULL
3710 s the input string; NULL is the same as an empty ACL => DENY
3711 level the nesting level
3712 user_msgptr where to put a user error (for SMTP response)
3713 log_msgptr where to put a logging message (not for SMTP response)
3714
3715Returns: OK access is granted
3716 DISCARD access is apparently granted...
3717 FAIL access is denied
3718 FAIL_DROP access is denied; drop the connection
3719 DEFER can't tell at the moment
3720 ERROR disaster
3721*/
3722
3723static int
3724acl_check_internal(int where, address_item *addr, uschar *s, int level,
3725 uschar **user_msgptr, uschar **log_msgptr)
3726{
3727int fd = -1;
3728acl_block *acl = NULL;
3729uschar *acl_name = US"inline ACL";
3730uschar *ss;
3731
3732/* Catch configuration loops */
3733
3734if (level > 20)
3735 {
3736 *log_msgptr = US"ACL nested too deep: possible loop";
3737 return ERROR;
3738 }
3739
3740if (s == NULL)
3741 {
3742 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3743 return FAIL;
3744 }
3745
3746/* At top level, we expand the incoming string. At lower levels, it has already
3747been expanded as part of condition processing. */
3748
3749if (level == 0)
3750 {
3751 ss = expand_string(s);
3752 if (ss == NULL)
3753 {
3754 if (expand_string_forcedfail) return OK;
3755 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3756 expand_string_message);
3757 return ERROR;
3758 }
3759 }
3760else ss = s;
3761
3762while (isspace(*ss))ss++;
3763
3764/* If we can't find a named ACL, the default is to parse it as an inline one.
3765(Unless it begins with a slash; non-existent files give rise to an error.) */
3766
3767acl_text = ss;
3768
3769/* Handle the case of a string that does not contain any spaces. Look for a
3770named ACL among those read from the configuration, or a previously read file.
3771It is possible that the pointer to the ACL is NULL if the configuration
3772contains a name with no data. If not found, and the text begins with '/',
3773read an ACL from a file, and save it so it can be re-used. */
3774
3775if (Ustrchr(ss, ' ') == NULL)
3776 {
3777 tree_node *t = tree_search(acl_anchor, ss);
3778 if (t != NULL)
3779 {
3780 acl = (acl_block *)(t->data.ptr);
3781 if (acl == NULL)
3782 {
3783 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3784 return FAIL;
3785 }
3786 acl_name = string_sprintf("ACL \"%s\"", ss);
3787 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3788 }
3789
3790 else if (*ss == '/')
3791 {
3792 struct stat statbuf;
3793 fd = Uopen(ss, O_RDONLY, 0);
3794 if (fd < 0)
3795 {
3796 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3797 strerror(errno));
3798 return ERROR;
3799 }
3800
3801 if (fstat(fd, &statbuf) != 0)
3802 {
3803 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3804 strerror(errno));
3805 return ERROR;
3806 }
3807
3808 acl_text = store_get(statbuf.st_size + 1);
3809 acl_text_end = acl_text + statbuf.st_size + 1;
3810
3811 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3812 {
3813 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3814 ss, strerror(errno));
3815 return ERROR;
3816 }
3817 acl_text[statbuf.st_size] = 0;
f1e894f3 3818 (void)close(fd);
059ec3d9
PH		 3819
3820 acl_name = string_sprintf("ACL \"%s\"", ss);
3821 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3822 }
3823 }
3824
3825/* Parse an ACL that is still in text form. If it came from a file, remember it
3826in the ACL tree, having read it into the POOL_PERM store pool so that it
3827persists between multiple messages. */
3828
3829if (acl == NULL)
3830 {
3831 int old_pool = store_pool;
3832 if (fd >= 0) store_pool = POOL_PERM;
3833 acl = acl_read(acl_getline, log_msgptr);
3834 store_pool = old_pool;
3835 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3836 if (fd >= 0)
3837 {
3838 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3839 Ustrcpy(t->name, ss);
3840 t->data.ptr = acl;
3841 (void)tree_insertnode(&acl_anchor, t);
3842 }
3843 }
3844
3845/* Now we have an ACL to use. It's possible it may be NULL. */
3846
3847while (acl != NULL)
3848 {
3849 int cond;
3850 int basic_errno = 0;
3851 BOOL endpass_seen = FALSE;
3852
3853 *log_msgptr = *user_msgptr = NULL;
3854 acl_temp_details = FALSE;
3855
7353285c 3856 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3857 acl->verb != ACL_ACCEPT &&
3858 acl->verb != ACL_WARN)
3859 {
7353285c 3860 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3861 verbs[acl->verb]);
3862 return ERROR;
3863 }
3864
3865 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3866
3867 /* Clear out any search error message from a previous check before testing
3868 this condition. */
3869
3870 search_error_message = NULL;
3871 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3872 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3873
3874 /* Handle special returns: DEFER causes a return except on a WARN verb;
3875 ERROR always causes a return. */
3876
3877 switch (cond)
3878 {
3879 case DEFER:
6968512f 3880 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3881 if (basic_errno != ERRNO_CALLOUTDEFER)
3882 {
3883 if (search_error_message != NULL && *search_error_message != 0)
3884 *log_msgptr = search_error_message;
3885 if (smtp_return_error_details) acl_temp_details = TRUE;
3886 }
3887 else
3888 {
3889 acl_temp_details = TRUE;
3890 }
3891 if (acl->verb != ACL_WARN) return DEFER;
3892 break;
3893
3894 default: /* Paranoia */
3895 case ERROR:
6968512f 3896 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3897 return ERROR;
3898
3899 case OK:
6968512f
JH		 3900 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3901 verbs[acl->verb], acl_name);
059ec3d9
PH		 3902 break;
3903
3904 case FAIL:
6968512f 3905 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3906 break;
3907
3908 /* DISCARD and DROP can happen only from a nested ACL condition, and
3909 DISCARD can happen only for an "accept" or "discard" verb. */
3910
3911 case DISCARD:
6968512f
JH		 3912 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3913 verbs[acl->verb], acl_name);
059ec3d9
PH		 3914 break;
3915
3916 case FAIL_DROP:
6968512f
JH		 3917 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3918 verbs[acl->verb], acl_name);
059ec3d9
PH		 3919 break;
3920 }
3921
3922 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3923 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3924 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3925
3926 switch(acl->verb)
3927 {
3928 case ACL_ACCEPT:
3929 if (cond == OK || cond == DISCARD) return cond;
3930 if (endpass_seen)
3931 {
3932 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3933 return cond;
3934 }
3935 break;
3936
3937 case ACL_DEFER:
3938 if (cond == OK)
3939 {
3940 acl_temp_details = TRUE;
3941 return DEFER;
3942 }
3943 break;
3944
3945 case ACL_DENY:
3946 if (cond == OK) return FAIL;
3947 break;
3948
3949 case ACL_DISCARD:
3950 if (cond == OK || cond == DISCARD) return DISCARD;
3951 if (endpass_seen)
3952 {
3953 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3954 return cond;
3955 }
3956 break;
3957
3958 case ACL_DROP:
3959 if (cond == OK) return FAIL_DROP;
3960 break;
3961
3962 case ACL_REQUIRE:
3963 if (cond != OK) return cond;
3964 break;
3965
3966 case ACL_WARN:
3967 if (cond == OK)
3968 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3969 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3970 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3971 "condition test deferred%s%s", host_and_ident(TRUE),
3972 (*log_msgptr == NULL)? US"" : US": ",
3973 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3974 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3975 break;
3976
3977 default:
3978 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3979 acl->verb);
3980 break;
3981 }
3982
3983 /* Pass to the next ACL item */
3984
3985 acl = acl->next;
3986 }
3987
3988/* We have reached the end of the ACL. This is an implicit DENY. */
3989
3990HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3991return FAIL;
3992}
3993
3994
333eea9c
JH		 3995
3996
3997/* Same args as acl_check_internal() above, but the string s is
3998the name of an ACL followed optionally by up to 9 space-separated arguments.
3999The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8
JH		 4000static int
4001acl_check_wargs(int where, address_item *addr, uschar *s, int level,
333eea9c
JH		 4002 uschar **user_msgptr, uschar **log_msgptr)
4003{
4004uschar * tmp;
bef3ea7f 4005uschar * tmp_arg[9]; /* must match acl_arg[] */
ef21c07d
JH		 4006uschar * sav_arg[9]; /* must match acl_arg[] */
4007int sav_narg;
333eea9c 4008uschar * name;
bef3ea7f 4009int i;
ef21c07d 4010int ret;
333eea9c
JH		 4011
4012if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4013 goto bad;
4014
bef3ea7f 4015for (i = 0; i < 9; i++)
333eea9c
JH		 4016 {
4017 while (*s && isspace(*s)) s++;
4018 if (!*s) break;
bef3ea7f 4019 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 4020 {
4021 tmp = name;
4022 goto bad;
4023 }
4024 }
ef21c07d
JH		 4025
4026sav_narg = acl_narg;
bef3ea7f 4027acl_narg = i;
ef21c07d
JH		 4028for (i = 0; i < acl_narg; i++)
4029 {
4030 sav_arg[i] = acl_arg[i];
4031 acl_arg[i] = tmp_arg[i];
4032 }
4033while (i < 9)
4034 {
4035 sav_arg[i] = acl_arg[i];
4036 acl_arg[i++] = NULL;
4037 }
4038
4039ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c 4040
ef21c07d
JH		 4041acl_narg = sav_narg;
4042for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4043return ret;
333eea9c
JH		 4044
4045bad:
4046if (expand_string_forcedfail) return ERROR;
4047*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4048 tmp, expand_string_message);
4049return search_find_defer?DEFER:ERROR;
4050}
4051
4052
4053
059ec3d9
PH		 4054/*************************************************
4055* Check access using an ACL *
4056*************************************************/
4057
faa05a93
JH		 4058/* Alternate interface for ACL, used by expansions */
4059int
05caaeaa 4060acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
faa05a93 4061{
faa05a93
JH		 4062address_item adb;
4063address_item *addr = NULL;
4064
4065*user_msgptr = *log_msgptr = NULL;
4066sender_verified_failed = NULL;
4067ratelimiters_cmd = NULL;
4068log_reject_target = LOG_MAIN|LOG_REJECT;
4069
4070if (where == ACL_WHERE_RCPT)
4071 {
4072 adb = address_defaults;
4073 addr = &adb;
05caaeaa
JH		 4074 addr->address = expand_string(US"$local_part@$domain");
4075 addr->domain = deliver_domain;
4076 addr->local_part = deliver_localpart;
4077 addr->cc_local_part = deliver_localpart;
4078 addr->lc_local_part = deliver_localpart;
faa05a93
JH		 4079 }
4080
4081return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4082}
4083
4084
4085
059ec3d9
PH		 4086/* This is the external interface for ACL checks. It sets up an address and the
4087expansions for $domain and $local_part when called after RCPT, then calls
4088acl_check_internal() to do the actual work.
4089
4090Arguments:
4091 where ACL_WHERE_xxxx indicating where called from
64ffc24f 4092 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 4093 s the input string; NULL is the same as an empty ACL => DENY
4094 user_msgptr where to put a user error (for SMTP response)
4095 log_msgptr where to put a logging message (not for SMTP response)
4096
4097Returns: OK access is granted by an ACCEPT verb
4098 DISCARD access is granted by a DISCARD verb
4099 FAIL access is denied
4100 FAIL_DROP access is denied; drop the connection
4101 DEFER can't tell at the moment
4102 ERROR disaster
4103*/
faa05a93 4104int acl_where = ACL_WHERE_UNKNOWN;
059ec3d9
PH		 4105
4106int
64ffc24f 4107acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 4108 uschar **log_msgptr)
4109{
4110int rc;
4111address_item adb;
64ffc24f 4112address_item *addr = NULL;
059ec3d9
PH		 4113
4114*user_msgptr = *log_msgptr = NULL;
4115sender_verified_failed = NULL;
fe0dab11 4116ratelimiters_cmd = NULL;
6ea85e9a 4117log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9 4118
fd98a5c6
JH		 4119#ifdef EXPERIMENTAL_PRDR
4120if (where == ACL_WHERE_RCPT || where == ACL_WHERE_PRDR )
4121#else
4122if (where == ACL_WHERE_RCPT )
4123#endif
059ec3d9
PH		 4124 {
4125 adb = address_defaults;
4126 addr = &adb;
64ffc24f 4127 addr->address = recipient;
059ec3d9
PH		 4128 if (deliver_split_address(addr) == DEFER)
4129 {
4130 *log_msgptr = US"defer in percent_hack_domains check";
4131 return DEFER;
4132 }
4133 deliver_domain = addr->domain;
4134 deliver_localpart = addr->local_part;
4135 }
059ec3d9 4136
faa05a93 4137acl_where = where;
059ec3d9 4138rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
faa05a93 4139acl_where = ACL_WHERE_UNKNOWN;
059ec3d9 4140
817d9f57
JH		 4141/* Cutthrough - if requested,
4142and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4143and rcpt acl returned accept,
4144and first recipient (cancel on any subsequents)
e4bdf652 4145open one now and run it up to RCPT acceptance.
e4bdf652 4146A failed verify should cancel cutthrough request.
e4bdf652 4147
817d9f57 4148Initial implementation: dual-write to spool.
e4bdf652
JH		 4149Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4150
4151Cease cutthrough copy on rxd final dot; do not send one.
4152
4153On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4154
4155On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4156perm-rejected, reflect that to the original sender - and dump the spooled copy.
4157If temp-reject, close the conn (and keep the spooled copy).
4158If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4159*/
4160switch (where)
4161{
4162case ACL_WHERE_RCPT:
fd98a5c6
JH		 4163#ifdef EXPERIMENTAL_PRDR
4164case ACL_WHERE_PRDR:
4165#endif
e4bdf652 4166 if( rcpt_count > 1 )
2e5b33cd 4167 cancel_cutthrough_connection("more than one recipient");
e4bdf652
JH		 4168 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
4169 open_cutthrough_connection(addr);
4170 break;
4171
4172case ACL_WHERE_PREDATA:
4173 if( rc == OK )
4174 cutthrough_predata();
4175 else
2e5b33cd 4176 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 4177 break;
4178
4179case ACL_WHERE_QUIT:
4180case ACL_WHERE_NOTQUIT:
2e5b33cd 4181 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 4182 break;
4183
4184default:
4185 break;
4186}
4187
64ffc24f
PH		 4188deliver_domain = deliver_localpart = deliver_address_data =
4189 sender_address_data = NULL;
059ec3d9
PH		 4190
4191/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4192ACL, which is really in the middle of an SMTP command. */
4193
4194if (rc == DISCARD)
4195 {
4196 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4197 {
4198 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4199 "ACL", acl_wherenames[where]);
4200 return ERROR;
4201 }
4202 return DISCARD;
4203 }
4204
4205/* A DROP response is not permitted from MAILAUTH */
4206
4207if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4208 {
4209 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4210 "ACL", acl_wherenames[where]);
4211 return ERROR;
4212 }
4213
4e88a19f
PH		 4214/* Before giving a response, take a look at the length of any user message, and
4215split it up into multiple lines if possible. */
059ec3d9 4216
e28326d8
PH		 4217*user_msgptr = string_split_message(*user_msgptr);
4218if (fake_response != OK)
4219 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4220
4221return rc;
4222}
4223
38a0a95f 4224
38a0a95f
PH		 4225/*************************************************
4226* Create ACL variable *
4227*************************************************/
4228
4229/* Create an ACL variable or reuse an existing one. ACL variables are in a
4230binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4231
4232Argument:
4233 name pointer to the variable's name, starting with c or m
4234
4235Returns the pointer to variable's tree node
4236*/
4237
4238tree_node *
4239acl_var_create(uschar *name)
4240{
4241tree_node *node, **root;
4242root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4243node = tree_search(*root, name);
4244if (node == NULL)
4245 {
4246 node = store_get(sizeof(tree_node) + Ustrlen(name));
4247 Ustrcpy(node->name, name);
4248 (void)tree_insertnode(root, node);
4249 }
4250node->data.ptr = NULL;
4251return node;
4252}
4253
4254
4255
4256/*************************************************
4257* Write an ACL variable in spool format *
4258*************************************************/
4259
4260/* This function is used as a callback for tree_walk when writing variables to
4261the spool file. To retain spool file compatibility, what is written is -aclc or
4262-aclm followed by the rest of the name and the data length, space separated,
4263then the value itself, starting on a new line, and terminated by an additional
4264newline. When we had only numbered ACL variables, the first line might look
4265like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4266acl_cfoo.
4267
4268Arguments:
4269 name of the variable
4270 value of the variable
4271 ctx FILE pointer (as a void pointer)
4272
4273Returns: nothing
4274*/
4275
4276void
4277acl_var_write(uschar *name, uschar *value, void *ctx)
4278{
4279FILE *f = (FILE *)ctx;
4280fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4281}
4282
059ec3d9 4283/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.