projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ACL: merge the tables used for codition/modifier decode
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
f9d04f08
JH		 24static uschar *verbs[] = {
25 US"accept",
26 US"defer",
27 US"deny",
28 US"discard",
29 US"drop",
30 US"require",
059ec3d9
PH		 31 US"warn" };
32
4e88a19f
PH		 33/* For each verb, the conditions for which "message" or "log_message" are used
34are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
35"accept", the FAIL case is used only after "endpass", but that is selected in
36the code. */
37
38static int msgcond[] = {
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
40 (1<<OK), /* defer */
41 (1<<OK), /* deny */
42 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
43 (1<<OK), /* drop */
44 (1<<FAIL) | (1<<FAIL_DROP), /* require */
45 (1<<OK) /* warn */
46 };
059ec3d9
PH		 47
48/* ACL condition and modifier codes - keep in step with the table that
2d009132 49follows.
71fafd95 50down. */
059ec3d9 51
71fafd95
PH		 52enum { ACLC_ACL,
53 ACLC_ADD_HEADER,
54 ACLC_AUTHENTICATED,
8523533c
TK		 55#ifdef EXPERIMENTAL_BRIGHTMAIL
56 ACLC_BMI_OPTIN,
57#endif
71fafd95 58 ACLC_CONDITION,
c3611384 59 ACLC_CONTINUE,
71fafd95 60 ACLC_CONTROL,
6a8f9482
TK		 61#ifdef EXPERIMENTAL_DCC
62 ACLC_DCC,
63#endif
8523533c
TK		 64#ifdef WITH_CONTENT_SCAN
65 ACLC_DECODE,
66#endif
67 ACLC_DELAY,
80a47a2c
TK		 68#ifndef DISABLE_DKIM
69 ACLC_DKIM_SIGNER,
70 ACLC_DKIM_STATUS,
4840604e
TL		 71#endif
72#ifdef EXPERIMENTAL_DMARC
73 ACLC_DMARC_STATUS,
8e669ac1 74#endif
71fafd95
PH		 75 ACLC_DNSLISTS,
76 ACLC_DOMAINS,
77 ACLC_ENCRYPTED,
78 ACLC_ENDPASS,
79 ACLC_HOSTS,
80 ACLC_LOCAL_PARTS,
81 ACLC_LOG_MESSAGE,
6ea85e9a 82 ACLC_LOG_REJECT_TARGET,
71fafd95 83 ACLC_LOGWRITE,
8523533c
TK		 84#ifdef WITH_CONTENT_SCAN
85 ACLC_MALWARE,
86#endif
87 ACLC_MESSAGE,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_MIME_REGEX,
90#endif
b0b9dbb1 91 ACLC_QUEUE,
870f6ba8 92 ACLC_RATELIMIT,
8523533c
TK		 93 ACLC_RECIPIENTS,
94#ifdef WITH_CONTENT_SCAN
95 ACLC_REGEX,
96#endif
e7568d51 97 ACLC_REMOVE_HEADER,
71fafd95
PH		 98 ACLC_SENDER_DOMAINS,
99 ACLC_SENDERS,
100 ACLC_SET,
8523533c 101#ifdef WITH_CONTENT_SCAN
8e669ac1 102 ACLC_SPAM,
8523533c
TK		 103#endif
104#ifdef EXPERIMENTAL_SPF
105 ACLC_SPF,
65a7d8c3 106 ACLC_SPF_GUESS,
8523533c 107#endif
b0019c78 108 ACLC_UDPSEND,
8523533c 109 ACLC_VERIFY };
059ec3d9 110
c3611384 111/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
b0b9dbb1 112"message", "log_message", "log_reject_target", "logwrite", "queue" and "set" are
c3611384
PH		 113modifiers that look like conditions but always return TRUE. They are used for
114their side effects. */
059ec3d9 115
2d009132
JH		 116typedef struct condition_def {
117 uschar *name;
c5fcb476 118
2d009132 119/* Flag to indicate the condition/modifier has a string expansion done
059ec3d9
PH		 120at the outer level. In the other cases, expansion already occurs in the
121checking functions. */
2d009132 122 BOOL expand_at_top:1;
059ec3d9 123
2d009132 124 BOOL is_modifier:1;
059ec3d9 125
2d009132
JH		 126/* Bit map vector of which conditions and modifiers are not allowed at certain
127times. For each condition and modifier, there's a bitmap of dis-allowed times.
128For some, it is easier to specify the negation of a small number of allowed
129times. */
130 unsigned forbids;
131
132} condition_def;
133
134static condition_def conditions[] = {
135 { US"acl", FALSE, FALSE, 0 },
136
137 { US"add_header", TRUE, TRUE,
138 (unsigned int)
139 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
140 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
141#ifndef DISABLE_PRDR
142 (1<<ACL_WHERE_PRDR)|
143#endif
144 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
145 (1<<ACL_WHERE_DKIM)|
146 (1<<ACL_WHERE_NOTSMTP_START)),
147 },
059ec3d9 148
2d009132
JH		 149 { US"authenticated", FALSE, FALSE,
150 (1<<ACL_WHERE_NOTSMTP)|
151 (1<<ACL_WHERE_NOTSMTP_START)|
152 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
153 },
8523533c 154#ifdef EXPERIMENTAL_BRIGHTMAIL
2d009132
JH		 155 { US"bmi_optin", TRUE, TRUE,
156 (1<<ACL_WHERE_AUTH)|
157 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
158 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
159# ifndef DISABLE_PRDR
160 (1<<ACL_WHERE_PRDR)|
161# endif
162 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
163 (1<<ACL_WHERE_MAILAUTH)|
164 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
165 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
166 (1<<ACL_WHERE_NOTSMTP_START),
167 },
8e669ac1 168#endif
2d009132
JH		 169 { US"condition", TRUE, FALSE, 0 },
170 { US"continue", TRUE, TRUE, 0 },
171
172 /* Certain types of control are always allowed, so we let it through
173 always and check in the control processing itself. */
174 { US"control", TRUE, TRUE, 0 },
175
6a8f9482 176#ifdef EXPERIMENTAL_DCC
2d009132
JH		 177 { US"dcc", TRUE, FALSE,
178 (unsigned int)
179 ~((1<<ACL_WHERE_DATA)|
180# ifndef DISABLE_PRDR
181 (1<<ACL_WHERE_PRDR)|
182# endif
183 (1<<ACL_WHERE_NOTSMTP)),
184 },
6a8f9482 185#endif
8523533c 186#ifdef WITH_CONTENT_SCAN
2d009132
JH		 187 { US"decode", TRUE, FALSE, (unsigned int) ~(1<<ACL_WHERE_MIME) },
188
8523533c 189#endif
2d009132 190 { US"delay", TRUE, TRUE, (1<<ACL_WHERE_NOTQUIT) },
80a47a2c 191#ifndef DISABLE_DKIM
2d009132
JH		 192 { US"dkim_signers", TRUE, FALSE, (unsigned int) ~(1<<ACL_WHERE_DKIM) },
193 { US"dkim_status", TRUE, FALSE, (unsigned int) ~(1<<ACL_WHERE_DKIM) },
4840604e
TL		 194#endif
195#ifdef EXPERIMENTAL_DMARC
2d009132 196 { US"dmarc_status", TRUE, FALSE, (unsigned int) ~(1<<ACL_WHERE_DATA) },
8523533c 197#endif
059ec3d9 198
2d009132
JH		 199 /* Explicit key lookups can be made in non-smtp ACLs so pass
200 always and check in the verify processing itself. */
201 { US"dnslists", TRUE, FALSE, 0 },
c3611384 202
2d009132
JH		 203 { US"domains", FALSE, FALSE,
204 (unsigned int)
205 ~((1<<ACL_WHERE_RCPT)
206 |(1<<ACL_WHERE_VRFY)
207#ifndef DISABLE_PRDR
208 |(1<<ACL_WHERE_PRDR)
209#endif
210 ),
211 },
212 { US"encrypted", FALSE, FALSE,
213 (1<<ACL_WHERE_NOTSMTP)|
214 (1<<ACL_WHERE_CONNECT)|
215 (1<<ACL_WHERE_NOTSMTP_START)|
216 (1<<ACL_WHERE_HELO),
217 },
8e669ac1 218
2d009132 219 { US"endpass", TRUE, TRUE, 0 },
8e669ac1 220
2d009132
JH		 221 { US"hosts", FALSE, FALSE,
222 (1<<ACL_WHERE_NOTSMTP)|
223 (1<<ACL_WHERE_NOTSMTP_START),
224 },
225 { US"local_parts", FALSE, FALSE,
226 (unsigned int)
227 ~((1<<ACL_WHERE_RCPT)
228 |(1<<ACL_WHERE_VRFY)
229 #ifndef DISABLE_PRDR
230 |(1<<ACL_WHERE_PRDR)
231 #endif
232 ),
233 },
6a8f9482 234
2d009132
JH		 235 { US"log_message", TRUE, TRUE, 0 },
236 { US"log_reject_target", TRUE, TRUE, 0 },
237 { US"logwrite", TRUE, TRUE, 0 },
8523533c 238
2d009132
JH		 239#ifdef WITH_CONTENT_SCAN
240 { US"malware", TRUE, FALSE,
241 (unsigned int)
242 ~((1<<ACL_WHERE_DATA)|
243# ifndef DISABLE_PRDR
244 (1<<ACL_WHERE_PRDR)|
245# endif
246 (1<<ACL_WHERE_NOTSMTP)),
247 },
248#endif
8e669ac1 249
2d009132
JH		 250 { US"message", TRUE, TRUE, 0 },
251#ifdef WITH_CONTENT_SCAN
252 { US"mime_regex", TRUE, FALSE, (unsigned int) ~(1<<ACL_WHERE_MIME) },
253#endif
84330b7b 254
2d009132
JH		 255 { US"queue", TRUE, TRUE,
256 (1<<ACL_WHERE_NOTSMTP)|
257#ifndef DISABLE_PRDR
258 (1<<ACL_WHERE_PRDR)|
259#endif
260 (1<<ACL_WHERE_DATA),
261 },
fb2274d4 262
2d009132
JH		 263 { US"ratelimit", TRUE, FALSE, 0 },
264 { US"recipients", FALSE, FALSE, (unsigned int) ~(1<<ACL_WHERE_RCPT) },
4840604e 265
2d009132
JH		 266#ifdef WITH_CONTENT_SCAN
267 { US"regex", TRUE, FALSE,
268 (unsigned int)
269 ~((1<<ACL_WHERE_DATA)|
270# ifndef DISABLE_PRDR
271 (1<<ACL_WHERE_PRDR)|
272# endif
273 (1<<ACL_WHERE_NOTSMTP)|
274 (1<<ACL_WHERE_MIME)),
275 },
379ba7d0 276
2d009132
JH		 277#endif
278 { US"remove_header", TRUE, TRUE,
279 (unsigned int)
280 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
281 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
282#ifndef DISABLE_PRDR
283 (1<<ACL_WHERE_PRDR)|
284#endif
285 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
286 (1<<ACL_WHERE_NOTSMTP_START)),
287 },
288 { US"sender_domains", FALSE, FALSE,
289 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
290 (1<<ACL_WHERE_HELO)|
291 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
292 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
293 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
294 },
295 { US"senders", FALSE, FALSE,
296 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
297 (1<<ACL_WHERE_HELO)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
300 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
301 },
65a7d8c3 302
2d009132 303 { US"set", TRUE, TRUE, 0 },
8523533c 304
2d009132
JH		 305#ifdef WITH_CONTENT_SCAN
306 { US"spam", TRUE, FALSE,
307 (unsigned int)
308 ~((1<<ACL_WHERE_DATA)|
309# ifndef DISABLE_PRDR
310 (1<<ACL_WHERE_PRDR)|
311# endif
312 (1<<ACL_WHERE_NOTSMTP)),
313 },
314#endif
315#ifdef EXPERIMENTAL_SPF
316 { US"spf", TRUE, FALSE,
317 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
318 (1<<ACL_WHERE_HELO)|
319 (1<<ACL_WHERE_MAILAUTH)|
320 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
321 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
322 (1<<ACL_WHERE_NOTSMTP)|
323 (1<<ACL_WHERE_NOTSMTP_START),
324 },
325 { US"spf_guess", TRUE, FALSE,
326 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
327 (1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_MAILAUTH)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
331 (1<<ACL_WHERE_NOTSMTP)|
332 (1<<ACL_WHERE_NOTSMTP_START),
333 },
334#endif
335 { US"udpsend", TRUE, TRUE, 0 },
b0019c78 336
059ec3d9
PH		 337 /* Certain types of verify are always allowed, so we let it through
338 always and check in the verify function itself */
2d009132
JH		 339 { US"verify", TRUE, FALSE,
340 0
341 },
059ec3d9
PH		 342};
343
344
2d009132 345
d7bed771
JH		 346/* Return values from decode_control(); used as index so keep in step
347with the controls_list table that follows! */
c46782ef 348
d7bed771
JH		 349enum {
350 CONTROL_AUTH_UNADVERTISED,
3c8b3577 351#ifdef EXPERIMENTAL_BRIGHTMAIL
d7bed771 352 CONTROL_BMI_RUN,
3c8b3577 353#endif
d7bed771
JH		 354 CONTROL_CASEFUL_LOCAL_PART,
355 CONTROL_CASELOWER_LOCAL_PART,
356 CONTROL_CUTTHROUGH_DELIVERY,
357 CONTROL_DEBUG,
3c8b3577 358#ifndef DISABLE_DKIM
d7bed771 359 CONTROL_DKIM_VERIFY,
3c8b3577 360#endif
3c8b3577 361#ifdef EXPERIMENTAL_DMARC
d7bed771
JH		 362 CONTROL_DMARC_VERIFY,
363 CONTROL_DMARC_FORENSIC,
3c8b3577 364#endif
d7bed771
JH		 365 CONTROL_DSCP,
366 CONTROL_ENFORCE_SYNC,
367 CONTROL_ERROR, /* pseudo-value for decode errors */
368 CONTROL_FAKEDEFER,
369 CONTROL_FAKEREJECT,
370 CONTROL_FREEZE,
4840604e 371
d7bed771
JH		 372 CONTROL_NO_CALLOUT_FLUSH,
373 CONTROL_NO_DELAY_FLUSH,
374 CONTROL_NO_ENFORCE_SYNC,
3c8b3577 375#ifdef WITH_CONTENT_SCAN
d7bed771 376 CONTROL_NO_MBOX_UNSPOOL,
3c8b3577 377#endif
d7bed771
JH		 378 CONTROL_NO_MULTILINE,
379 CONTROL_NO_PIPELINING,
8523533c 380
d7bed771
JH		 381 CONTROL_QUEUE_ONLY,
382 CONTROL_SUBMISSION,
383 CONTROL_SUPPRESS_LOCAL_FIXUPS,
8c5d388a 384#ifdef SUPPORT_I18N
d7bed771 385 CONTROL_UTF8_DOWNCONVERT,
3c8b3577 386#endif
d7bed771 387};
3c8b3577 388
4c590bd1 389
c5fcb476 390
d7bed771
JH		 391/* Structure listing various control arguments, with their characteristics.
392For each control, there's a bitmap of dis-allowed times. For some, it is easier
393to specify the negation of a small number of allowed times. */
059ec3d9
PH		 394
395typedef struct control_def {
d7bed771
JH		 396 uschar *name;
397 BOOL has_option; /* Has /option(s) following */
398 unsigned forbids; /* bitmap of dis-allowed times */
059ec3d9
PH		 399} control_def;
400
401static control_def controls_list[] = {
d7bed771
JH		 402 { US"allow_auth_unadvertised", FALSE,
403 (unsigned)
404 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO))
405 },
8523533c 406#ifdef EXPERIMENTAL_BRIGHTMAIL
d7bed771 407 { US"bmi_run", FALSE, 0 },
fb2274d4 408#endif
d7bed771
JH		 409 { US"caseful_local_part", FALSE, (unsigned) ~(1<<ACL_WHERE_RCPT) },
410 { US"caselower_local_part", FALSE, (unsigned) ~(1<<ACL_WHERE_RCPT) },
411 { US"cutthrough_delivery", TRUE, 0 },
412 { US"debug", TRUE, 0 },
413
80a47a2c 414#ifndef DISABLE_DKIM
d7bed771
JH		 415 { US"dkim_disable_verify", FALSE,
416 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|
417# ifndef DISABLE_PRDR
418 (1<<ACL_WHERE_PRDR)|
419# endif
420 (1<<ACL_WHERE_NOTSMTP_START)
421 },
4840604e 422#endif
d7bed771 423
4840604e 424#ifdef EXPERIMENTAL_DMARC
d7bed771
JH		 425 { US"dmarc_disable_verify", FALSE,
426 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
427 },
428 { US"dmarc_enable_forensic", FALSE,
429 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
430 },
431#endif
432
433 { US"dscp", TRUE,
434 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)|(1<<ACL_WHERE_NOTQUIT)
435 },
436 { US"enforce_sync", FALSE,
437 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
438 },
439
440 /* Pseudo-value for decode errors */
441 { US"error", FALSE, 0 },
442
443 { US"fakedefer", TRUE,
444 (unsigned)
445 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
446 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
447#ifndef DISABLE_PRDR
448 (1<<ACL_WHERE_PRDR)|
449#endif
450 (1<<ACL_WHERE_MIME))
451 },
452 { US"fakereject", TRUE,
453 (unsigned)
454 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
455 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
456#ifndef DISABLE_PRDR
457 (1<<ACL_WHERE_PRDR)|
458#endif
459 (1<<ACL_WHERE_MIME))
460 },
461 { US"freeze", TRUE,
462 (unsigned)
463 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
464 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
465 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
466 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME))
467 },
468
469 { US"no_callout_flush", FALSE,
470 (1<<ACL_WHERE_NOTSMTP)| (1<<ACL_WHERE_NOTSMTP_START)
471 },
472 { US"no_delay_flush", FALSE,
473 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
474 },
475
476 { US"no_enforce_sync", FALSE,
477 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
478 },
8523533c 479#ifdef WITH_CONTENT_SCAN
d7bed771
JH		 480 { US"no_mbox_unspool", FALSE,
481 (unsigned)
482 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
483 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
484 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
485 (1<<ACL_WHERE_MIME))
486 },
487#endif
488 { US"no_multiline_responses", FALSE,
489 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
490 },
491 { US"no_pipelining", FALSE,
492 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_NOTSMTP_START)
493 },
494
495 { US"queue_only", FALSE,
496 (unsigned)
497 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|
498 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
499 // (1<<ACL_WHERE_PRDR)| /* Not allow one user to freeze for all */
500 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME))
501 },
502 { US"submission", TRUE,
503 (unsigned)
504 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA))
505 },
506 { US"suppress_local_fixups", FALSE,
507 (unsigned)
508 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
509 (1<<ACL_WHERE_NOTSMTP_START))
510 },
8c5d388a 511#ifdef SUPPORT_I18N
d7bed771 512 { US"utf8_downconvert", TRUE, 0 }
3c8b3577 513#endif
d7bed771 514};
059ec3d9 515
e5a9dba6
PH		 516/* Support data structures for Client SMTP Authorization. acl_verify_csa()
517caches its result in a tree to avoid repeated DNS queries. The result is an
518integer code which is used as an index into the following tables of
519explanatory strings and verification return codes. */
520
521static tree_node *csa_cache = NULL;
522
523enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
524 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
525
526/* The acl_verify_csa() return code is translated into an acl_verify() return
527code using the following table. It is OK unless the client is definitely not
528authorized. This is because CSA is supposed to be optional for sending sites,
529so recipients should not be too strict about checking it - especially because
530DNS problems are quite likely to occur. It's possible to use $csa_status in
531further ACL conditions to distinguish ok, unknown, and defer if required, but
532the aim is to make the usual configuration simple. */
533
534static int csa_return_code[] = {
535 OK, OK, OK, OK,
536 FAIL, FAIL, FAIL, FAIL
537};
538
539static uschar *csa_status_string[] = {
540 US"unknown", US"ok", US"defer", US"defer",
541 US"fail", US"fail", US"fail", US"fail"
542};
543
544static uschar *csa_reason_string[] = {
545 US"unknown",
546 US"ok",
547 US"deferred (SRV lookup failed)",
548 US"deferred (target address lookup failed)",
549 US"failed (explicit authorization required)",
550 US"failed (host name not authorized)",
551 US"failed (no authorized addresses)",
552 US"failed (client address mismatch)"
553};
554
c99ce5c9
TF		 555/* Options for the ratelimit condition. Note that there are two variants of
556the per_rcpt option, depending on the ACL that is used to measure the rate.
557However any ACL must be able to look up per_rcpt rates in /noupdate mode,
558so the two variants must have the same internal representation as well as
559the same configuration string. */
560
561enum {
562 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
563 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
564};
565
566#define RATE_SET(var,new) \
567 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
568
569static uschar *ratelimit_option_string[] = {
570 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
571 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
572};
573
059ec3d9
PH		 574/* Enable recursion between acl_check_internal() and acl_check_condition() */
575
55414b25 576static int acl_check_wargs(int, address_item *, const uschar *, int, uschar **,
f60d98e8 577 uschar **);
059ec3d9
PH		 578
579
d7bed771
JH		 580/*************************************************
581* Find control in list *
582*************************************************/
583
584/* The lists are always in order, so binary chop can be used.
585
586Arguments:
587 name the control name to search for
588 ol the first entry in the control list
589 last one more than the offset of the last entry in the control list
590
591Returns: index of a control entry, or -1 if not found
592*/
593
594static int
595find_control(const uschar * name, control_def * ol, int last)
596{
597int first = 0;
598while (last > first)
599 {
600 int middle = (first + last)/2;
601 uschar * s = ol[middle].name;
602 int c = Ustrncmp(name, s, Ustrlen(s));
603 if (c == 0) return middle;
604 else if (c > 0) first = middle + 1;
605 else last = middle;
606 }
607return -1;
608}
609
610
611
2d009132
JH		 612/*************************************************
613* Pick out condition from list *
614*************************************************/
615
616/* Use a binary chop method
617
618Arguments:
619 name name to find
620 list list of conditions
621 end size of list
622
623Returns: offset in list, or -1 if not found
624*/
625
626static int
627acl_checkcondition(uschar * name, condition_def * list, int end)
628{
629int start = 0;
630while (start < end)
631 {
632 int mid = (start + end)/2;
633 int c = Ustrcmp(name, list[mid].name);
634 if (c == 0) return mid;
635 if (c < 0) end = mid;
636 else start = mid + 1;
637 }
638return -1;
639}
640
641
059ec3d9
PH		 642/*************************************************
643* Pick out name from list *
644*************************************************/
645
646/* Use a binary chop method
647
648Arguments:
649 name name to find
650 list list of names
651 end size of list
652
653Returns: offset in list, or -1 if not found
654*/
655
656static int
657acl_checkname(uschar *name, uschar **list, int end)
658{
659int start = 0;
660
661while (start < end)
662 {
663 int mid = (start + end)/2;
664 int c = Ustrcmp(name, list[mid]);
665 if (c == 0) return mid;
666 if (c < 0) end = mid; else start = mid + 1;
667 }
668
669return -1;
670}
671
672
673/*************************************************
674* Read and parse one ACL *
675*************************************************/
676
677/* This function is called both from readconf in order to parse the ACLs in the
678configuration file, and also when an ACL is encountered dynamically (e.g. as
679the result of an expansion). It is given a function to call in order to
680retrieve the lines of the ACL. This function handles skipping comments and
681blank lines (where relevant).
682
683Arguments:
684 func function to get next line of ACL
685 error where to put an error message
686
687Returns: pointer to ACL, or NULL
688 NULL can be legal (empty ACL); in this case error will be NULL
689*/
690
691acl_block *
692acl_read(uschar *(*func)(void), uschar **error)
693{
694acl_block *yield = NULL;
695acl_block **lastp = &yield;
696acl_block *this = NULL;
697acl_condition_block *cond;
698acl_condition_block **condp = NULL;
699uschar *s;
700
701*error = NULL;
702
703while ((s = (*func)()) != NULL)
704 {
705 int v, c;
706 BOOL negated = FALSE;
707 uschar *saveline = s;
708 uschar name[64];
709
710 /* Conditions (but not verbs) are allowed to be negated by an initial
711 exclamation mark. */
712
713 while (isspace(*s)) s++;
714 if (*s == '!')
715 {
716 negated = TRUE;
717 s++;
718 }
719
cf00dad6
PH		 720 /* Read the name of a verb or a condition, or the start of a new ACL, which
721 can be started by a name, or by a macro definition. */
059ec3d9
PH		 722
723 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 724 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 725
726 /* If a verb is unrecognized, it may be another condition or modifier that
727 continues the previous verb. */
728
2d009132 729 if ((v = acl_checkname(name, verbs, nelem(verbs))) < 0)
059ec3d9
PH		 730 {
731 if (this == NULL)
732 {
4e167a8c
PH		 733 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
734 saveline);
059ec3d9
PH		 735 return NULL;
736 }
737 }
738
739 /* New verb */
740
741 else
742 {
743 if (negated)
744 {
745 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
746 return NULL;
747 }
748 this = store_get(sizeof(acl_block));
749 *lastp = this;
750 lastp = &(this->next);
751 this->next = NULL;
752 this->verb = v;
753 this->condition = NULL;
754 condp = &(this->condition);
755 if (*s == 0) continue; /* No condition on this line */
756 if (*s == '!')
757 {
758 negated = TRUE;
759 s++;
760 }
761 s = readconf_readname(name, sizeof(name), s); /* Condition name */
762 }
763
764 /* Handle a condition or modifier. */
765
2d009132 766 if ((c = acl_checkcondition(name, conditions, nelem(conditions))) < 0)
059ec3d9
PH		 767 {
768 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
769 saveline);
770 return NULL;
771 }
772
773 /* The modifiers may not be negated */
774
2d009132 775 if (negated && conditions[c].is_modifier)
059ec3d9
PH		 776 {
777 *error = string_sprintf("ACL error: negation is not allowed with "
2d009132 778 "\"%s\"", conditions[c].name);
059ec3d9
PH		 779 return NULL;
780 }
781
782 /* ENDPASS may occur only with ACCEPT or DISCARD. */
783
784 if (c == ACLC_ENDPASS &&
785 this->verb != ACL_ACCEPT &&
786 this->verb != ACL_DISCARD)
787 {
788 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
2d009132 789 conditions[c].name, verbs[this->verb]);
059ec3d9
PH		 790 return NULL;
791 }
792
793 cond = store_get(sizeof(acl_condition_block));
794 cond->next = NULL;
795 cond->type = c;
796 cond->u.negated = negated;
797
798 *condp = cond;
799 condp = &(cond->next);
800
801 /* The "set" modifier is different in that its argument is "name=value"
802 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 803 gives us a variable name to insert into the data block. The original ACL
804 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
805 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 806 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
807 After that, we allow alphanumerics and underscores, but the first character
808 after c or m must be a digit or an underscore. This retains backwards
809 compatibility. */
059ec3d9
PH		 810
811 if (c == ACLC_SET)
812 {
47ca6d6c
PH		 813 uschar *endptr;
814
38a0a95f
PH		 815 if (Ustrncmp(s, "acl_c", 5) != 0 &&
816 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 817 {
38a0a95f
PH		 818 *error = string_sprintf("invalid variable name after \"set\" in ACL "
819 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
820 return NULL;
47ca6d6c 821 }
38a0a95f
PH		 822
823 endptr = s + 5;
641cb756
PH		 824 if (!isdigit(*endptr) && *endptr != '_')
825 {
826 *error = string_sprintf("invalid variable name after \"set\" in ACL "
827 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
828 s);
829 return NULL;
830 }
831
38a0a95f 832 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 833 {
38a0a95f
PH		 834 if (!isalnum(*endptr) && *endptr != '_')
835 {
836 *error = string_sprintf("invalid character \"%c\" in variable name "
837 "in ACL modifier \"set %s\"", *endptr, s);
838 return NULL;
839 }
840 endptr++;
47ca6d6c 841 }
47ca6d6c 842
38a0a95f 843 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 844 s = endptr;
059ec3d9
PH		 845 while (isspace(*s)) s++;
846 }
847
848 /* For "set", we are now positioned for the data. For the others, only
849 "endpass" has no data */
850
851 if (c != ACLC_ENDPASS)
852 {
853 if (*s++ != '=')
854 {
855 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
2d009132 856 conditions[c].is_modifier ? US"modifier" : US"condition");
059ec3d9
PH		 857 return NULL;
858 }
859 while (isspace(*s)) s++;
860 cond->arg = string_copy(s);
861 }
862 }
863
864return yield;
865}
866
867
868
71fafd95
PH		 869/*************************************************
870* Set up added header line(s) *
871*************************************************/
872
873/* This function is called by the add_header modifier, and also from acl_warn()
874to implement the now-deprecated way of adding header lines using "message" on a
875"warn" verb. The argument is treated as a sequence of header lines which are
876added to a chain, provided there isn't an identical one already there.
877
878Argument: string of header lines
879Returns: nothing
880*/
881
882static void
55414b25 883setup_header(const uschar *hstring)
71fafd95 884{
55414b25 885const uschar *p, *q;
71fafd95
PH		 886int hlen = Ustrlen(hstring);
887
b1b05573
JH		 888/* Ignore any leading newlines */
889while (*hstring == '\n') hstring++, hlen--;
71fafd95 890
b1b05573 891/* An empty string does nothing; ensure exactly one final newline. */
71fafd95 892if (hlen <= 0) return;
96f5fe4c 893if (hstring[--hlen] != '\n') /* no newline */
55414b25 894 q = string_sprintf("%s\n", hstring);
96f5fe4c 895else if (hstring[hlen-1] == '\n') /* double newline */
55414b25
JH		 896 {
897 uschar * s = string_copy(hstring);
898 while(s[--hlen] == '\n')
899 s[hlen+1] = '\0';
900 q = s;
901 }
902else
903 q = hstring;
71fafd95
PH		 904
905/* Loop for multiple header lines, taking care about continuations */
906
55414b25 907for (p = q; *p != 0; )
71fafd95 908 {
55414b25
JH		 909 const uschar *s;
910 uschar * hdr;
71fafd95
PH		 911 int newtype = htype_add_bot;
912 header_line **hptr = &acl_added_headers;
913
914 /* Find next header line within the string */
915
916 for (;;)
917 {
96f5fe4c 918 q = Ustrchr(q, '\n'); /* we know there was a newline */
71fafd95
PH		 919 if (*(++q) != ' ' && *q != '\t') break;
920 }
921
922 /* If the line starts with a colon, interpret the instruction for where to
923 add it. This temporarily sets up a new type. */
924
925 if (*p == ':')
926 {
927 if (strncmpic(p, US":after_received:", 16) == 0)
928 {
929 newtype = htype_add_rec;
930 p += 16;
931 }
932 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
933 {
934 newtype = htype_add_rfc;
935 p += 14;
936 }
937 else if (strncmpic(p, US":at_start:", 10) == 0)
938 {
939 newtype = htype_add_top;
940 p += 10;
941 }
942 else if (strncmpic(p, US":at_end:", 8) == 0)
943 {
944 newtype = htype_add_bot;
945 p += 8;
946 }
947 while (*p == ' ' || *p == '\t') p++;
948 }
949
950 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
951 to the front of it. */
952
953 for (s = p; s < q - 1; s++)
954 {
955 if (*s == ':' || !isgraph(*s)) break;
956 }
957
55414b25
JH		 958 hdr = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
959 hlen = Ustrlen(hdr);
71fafd95
PH		 960
961 /* See if this line has already been added */
962
963 while (*hptr != NULL)
964 {
55414b25 965 if (Ustrncmp((*hptr)->text, hdr, hlen) == 0) break;
71fafd95
PH		 966 hptr = &((*hptr)->next);
967 }
968
969 /* Add if not previously present */
970
971 if (*hptr == NULL)
972 {
973 header_line *h = store_get(sizeof(header_line));
55414b25 974 h->text = hdr;
71fafd95
PH		 975 h->next = NULL;
976 h->type = newtype;
977 h->slen = hlen;
978 *hptr = h;
979 hptr = &(h->next);
980 }
981
982 /* Advance for next header line within the string */
983
984 p = q;
985 }
986}
987
988
989
362145b5
JH		 990/*************************************************
991* List the added header lines *
992*************************************************/
993uschar *
994fn_hdrs_added(void)
995{
996uschar * ret = NULL;
5f5be492
JH		 997int size = 0;
998int ptr = 0;
362145b5
JH		 999header_line * h = acl_added_headers;
1000uschar * s;
1001uschar * cp;
362145b5
JH		 1002
1003if (!h) return NULL;
1004
1005do
1006 {
1007 s = h->text;
1008 while ((cp = Ustrchr(s, '\n')) != NULL)
1009 {
1010 if (cp[1] == '\0') break;
1011
1012 /* contains embedded newline; needs doubling */
c2f669a4
JH		 1013 ret = string_catn(ret, &size, &ptr, s, cp-s+1);
1014 ret = string_catn(ret, &size, &ptr, US"\n", 1);
362145b5
JH		 1015 s = cp+1;
1016 }
1017 /* last bit of header */
1018
c2f669a4 1019 ret = string_catn(ret, &size, &ptr, s, cp-s+1); /* newline-sep list */
362145b5 1020 }
6d9cfc47 1021while((h = h->next));
362145b5
JH		 1022
1023ret[ptr-1] = '\0'; /* overwrite last newline */
1024return ret;
1025}
1026
1027
e7568d51
TL		 1028/*************************************************
1029* Set up removed header line(s) *
1030*************************************************/
1031
1032/* This function is called by the remove_header modifier. The argument is
1033treated as a sequence of header names which are added to a colon separated
1034list, provided there isn't an identical one already there.
1035
1036Argument: string of header names
1037Returns: nothing
1038*/
1039
1040static void
55414b25 1041setup_remove_header(const uschar *hnames)
e7568d51
TL		 1042{
1043if (*hnames != 0)
55414b25
JH		 1044 acl_removed_headers = acl_removed_headers
1045 ? string_sprintf("%s : %s", acl_removed_headers, hnames)
1046 : string_copy(hnames);
e7568d51
TL		 1047}
1048
1049
71fafd95 1050
059ec3d9
PH		 1051/*************************************************
1052* Handle warnings *
1053*************************************************/
1054
1055/* This function is called when a WARN verb's conditions are true. It adds to
1056the message's headers, and/or writes information to the log. In each case, this
1057only happens once (per message for headers, per connection for log).
1058
71fafd95
PH		 1059** NOTE: The header adding action using the "message" setting is historic, and
1060its use is now deprecated. The new add_header modifier should be used instead.
1061
059ec3d9
PH		 1062Arguments:
1063 where ACL_WHERE_xxxx indicating which ACL this is
1064 user_message message for adding to headers
1065 log_message message for logging, if different
1066
1067Returns: nothing
1068*/
1069
1070static void
1071acl_warn(int where, uschar *user_message, uschar *log_message)
1072{
059ec3d9
PH		 1073if (log_message != NULL && log_message != user_message)
1074 {
1075 uschar *text;
1076 string_item *logged;
1077
1078 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1079 string_printing(log_message));
1080
1081 /* If a sender verification has failed, and the log message is "sender verify
1082 failed", add the failure message. */
1083
1084 if (sender_verified_failed != NULL &&
1085 sender_verified_failed->message != NULL &&
1086 strcmpic(log_message, US"sender verify failed") == 0)
1087 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1088
9c7a242c
PH		 1089 /* Search previously logged warnings. They are kept in malloc
1090 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1091
1092 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1093 if (Ustrcmp(logged->text, text) == 0) break;
1094
1095 if (logged == NULL)
1096 {
1097 int length = Ustrlen(text) + 1;
1098 log_write(0, LOG_MAIN, "%s", text);
1099 logged = store_malloc(sizeof(string_item) + length);
1100 logged->text = (uschar *)logged + sizeof(string_item);
1101 memcpy(logged->text, text, length);
1102 logged->next = acl_warn_logged;
1103 acl_warn_logged = logged;
1104 }
1105 }
1106
1107/* If there's no user message, we are done. */
1108
1109if (user_message == NULL) return;
1110
1111/* If this isn't a message ACL, we can't do anything with a user message.
1112Log an error. */
1113
1114if (where > ACL_WHERE_NOTSMTP)
1115 {
1116 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1117 "found in a non-message (%s) ACL: cannot specify header lines here: "
1118 "message ignored", acl_wherenames[where]);
1119 return;
1120 }
1121
71fafd95
PH		 1122/* The code for setting up header lines is now abstracted into a separate
1123function so that it can be used for the add_header modifier as well. */
059ec3d9 1124
71fafd95 1125setup_header(user_message);
059ec3d9
PH		 1126}
1127
1128
1129
1130/*************************************************
1131* Verify and check reverse DNS *
1132*************************************************/
1133
1134/* Called from acl_verify() below. We look up the host name(s) of the client IP
1135address if this has not yet been done. The host_name_lookup() function checks
1136that one of these names resolves to an address list that contains the client IP
1137address, so we don't actually have to do the check here.
1138
1139Arguments:
1140 user_msgptr pointer for user message
1141 log_msgptr pointer for log message
1142
1143Returns: OK verification condition succeeded
1144 FAIL verification failed
1145 DEFER there was a problem verifying
1146*/
1147
1148static int
1149acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1150{
1151int rc;
1152
1153user_msgptr = user_msgptr; /* stop compiler warning */
1154
1155/* Previous success */
1156
1157if (sender_host_name != NULL) return OK;
1158
1159/* Previous failure */
1160
1161if (host_lookup_failed)
1162 {
1163 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1164 return FAIL;
1165 }
1166
1167/* Need to do a lookup */
1168
1169HDEBUG(D_acl)
1170 debug_printf("looking up host name to force name/address consistency check\n");
1171
1172if ((rc = host_name_lookup()) != OK)
1173 {
1174 *log_msgptr = (rc == DEFER)?
1175 US"host lookup deferred for reverse lookup check"
1176 :
1177 string_sprintf("host lookup failed for reverse lookup check%s",
1178 host_lookup_msg);
1179 return rc; /* DEFER or FAIL */
1180 }
1181
1182host_build_sender_fullhost();
1183return OK;
1184}
1185
1186
1187
e5a9dba6
PH		 1188/*************************************************
1189* Check client IP address matches CSA target *
1190*************************************************/
1191
1192/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1193response for address records belonging to the CSA target hostname. The section
1194is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1195If one of the addresses matches the client's IP address, then the client is
1196authorized by CSA. If there are target IP addresses but none of them match
1197then the client is using an unauthorized IP address. If there are no target IP
1198addresses then the client cannot be using an authorized IP address. (This is
1199an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1200
1201Arguments:
1202 dnsa the DNS answer block
1203 dnss a DNS scan block for us to use
1204 reset option specifing what portion to scan, as described above
1205 target the target hostname to use for matching RR names
1206
1207Returns: CSA_OK successfully authorized
1208 CSA_FAIL_MISMATCH addresses found but none matched
1209 CSA_FAIL_NOADDR no target addresses found
1210*/
1211
1212static int
1213acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1214 uschar *target)
1215{
1216dns_record *rr;
1217dns_address *da;
1218
1219BOOL target_found = FALSE;
1220
1221for (rr = dns_next_rr(dnsa, dnss, reset);
1222 rr != NULL;
1223 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1224 {
1225 /* Check this is an address RR for the target hostname. */
1226
1227 if (rr->type != T_A
1228 #if HAVE_IPV6
1229 && rr->type != T_AAAA
e5a9dba6
PH		 1230 #endif
1231 ) continue;
1232
1233 if (strcmpic(target, rr->name) != 0) continue;
1234
1235 target_found = TRUE;
1236
1237 /* Turn the target address RR into a list of textual IP addresses and scan
1238 the list. There may be more than one if it is an A6 RR. */
1239
1240 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1241 {
1242 /* If the client IP address matches the target IP address, it's good! */
1243
1244 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1245
1246 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1247 }
1248 }
1249
1250/* If we found some target addresses but none of them matched, the client is
1251using an unauthorized IP address, otherwise the target has no authorized IP
1252addresses. */
1253
1254if (target_found) return CSA_FAIL_MISMATCH;
1255else return CSA_FAIL_NOADDR;
1256}
1257
1258
1259
1260/*************************************************
1261* Verify Client SMTP Authorization *
1262*************************************************/
1263
1264/* Called from acl_verify() below. This routine calls dns_lookup_special()
1265to find the CSA SRV record corresponding to the domain argument, or
1266$sender_helo_name if no argument is provided. It then checks that the
1267client is authorized, and that its IP address corresponds to the SRV
1268target's address by calling acl_verify_csa_address() above. The address
1269should have been returned in the DNS response's ADDITIONAL section, but if
1270not we perform another DNS lookup to get it.
1271
1272Arguments:
1273 domain pointer to optional parameter following verify = csa
1274
1275Returns: CSA_UNKNOWN no valid CSA record found
1276 CSA_OK successfully authorized
1277 CSA_FAIL_* client is definitely not authorized
1278 CSA_DEFER_* there was a DNS problem
1279*/
1280
1281static int
55414b25 1282acl_verify_csa(const uschar *domain)
e5a9dba6
PH		 1283{
1284tree_node *t;
55414b25
JH		 1285const uschar *found;
1286uschar *p;
e5a9dba6
PH		 1287int priority, weight, port;
1288dns_answer dnsa;
1289dns_scan dnss;
1290dns_record *rr;
1291int rc, type;
1292uschar target[256];
1293
1294/* Work out the domain we are using for the CSA lookup. The default is the
1295client's HELO domain. If the client has not said HELO, use its IP address
1296instead. If it's a local client (exim -bs), CSA isn't applicable. */
1297
1298while (isspace(*domain) && *domain != '\0') ++domain;
1299if (*domain == '\0') domain = sender_helo_name;
1300if (domain == NULL) domain = sender_host_address;
1301if (sender_host_address == NULL) return CSA_UNKNOWN;
1302
1303/* If we have an address literal, strip off the framing ready for turning it
1304into a domain. The framing consists of matched square brackets possibly
1305containing a keyword and a colon before the actual IP address. */
1306
1307if (domain[0] == '[')
1308 {
55414b25 1309 const uschar *start = Ustrchr(domain, ':');
e5a9dba6
PH		 1310 if (start == NULL) start = domain;
1311 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1312 }
1313
1314/* Turn domains that look like bare IP addresses into domains in the reverse
1315DNS. This code also deals with address literals and $sender_host_address. It's
1316not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1317address literals, but it's probably the most friendly thing to do. This is an
1318extension to CSA, so we allow it to be turned off for proper conformance. */
1319
7e66e54d 1320if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1321 {
1322 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1323 dns_build_reverse(domain, target);
1324 domain = target;
1325 }
1326
1327/* Find out if we've already done the CSA check for this domain. If we have,
1328return the same result again. Otherwise build a new cached result structure
1329for this domain. The name is filled in now, and the value is filled in when
1330we return from this function. */
1331
1332t = tree_search(csa_cache, domain);
1333if (t != NULL) return t->data.val;
1334
1335t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1336Ustrcpy(t->name, domain);
1337(void)tree_insertnode(&csa_cache, t);
1338
1339/* Now we are ready to do the actual DNS lookup(s). */
1340
28e6ef29 1341found = domain;
e5a9dba6
PH		 1342switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1343 {
1344 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1345
1346 default:
1347 return t->data.val = CSA_DEFER_SRV;
1348
1349 /* If we found nothing, the client's authorization is unknown. */
1350
1351 case DNS_NOMATCH:
1352 case DNS_NODATA:
1353 return t->data.val = CSA_UNKNOWN;
1354
1355 /* We got something! Go on to look at the reply in more detail. */
1356
1357 case DNS_SUCCEED:
1358 break;
1359 }
1360
1361/* Scan the reply for well-formed CSA SRV records. */
1362
1363for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1364 rr != NULL;
1365 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1366 {
1367 if (rr->type != T_SRV) continue;
1368
1369 /* Extract the numerical SRV fields (p is incremented) */
1370
1371 p = rr->data;
1372 GETSHORT(priority, p);
1373 GETSHORT(weight, p);
1374 GETSHORT(port, p);
1375
1376 DEBUG(D_acl)
1377 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1378
1379 /* Check the CSA version number */
1380
1381 if (priority != 1) continue;
1382
1383 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1384 found by dns_special_lookup() is a parent of the one we asked for), we check
1385 the subdomain assertions in the port field. At the moment there's only one
1386 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1387 SRV records of their own. */
1388
1dc92d5a 1389 if (Ustrcmp(found, domain) != 0)
e5a9dba6
PH		 1390 {
1391 if (port & 1)
1392 return t->data.val = CSA_FAIL_EXPLICIT;
1393 else
1394 return t->data.val = CSA_UNKNOWN;
1395 }
1396
1397 /* This CSA SRV record refers directly to our domain, so we check the value
1398 in the weight field to work out the domain's authorization. 0 and 1 are
1399 unauthorized; 3 means the client is authorized but we can't check the IP
1400 address in order to authenticate it, so we treat it as unknown; values
1401 greater than 3 are undefined. */
1402
1403 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1404
1405 if (weight > 2) continue;
1406
1407 /* Weight == 2, which means the domain is authorized. We must check that the
1408 client's IP address is listed as one of the SRV target addresses. Save the
1409 target hostname then break to scan the additional data for its addresses. */
1410
1411 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1412 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1413
1414 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1415
1416 break;
1417 }
1418
1419/* If we didn't break the loop then no appropriate records were found. */
1420
1421if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1422
1423/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1424A target of "." indicates there are no valid addresses, so the client cannot
1425be authorized. (This is an odd configuration because weight=2 target=. is
1426equivalent to weight=1, but we check for it in order to keep load off the
1427root name servers.) Note that dn_expand() turns "." into "". */
1428
1429if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1430
1431/* Scan the additional section of the CSA SRV reply for addresses belonging
1432to the target. If the name server didn't return any additional data (e.g.
1433because it does not fully support SRV records), we need to do another lookup
1434to obtain the target addresses; otherwise we have a definitive result. */
1435
1436rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1437if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1438
1439/* The DNS lookup type corresponds to the IP version used by the client. */
1440
1441#if HAVE_IPV6
1442if (Ustrchr(sender_host_address, ':') != NULL)
1443 type = T_AAAA;
1444else
1445#endif /* HAVE_IPV6 */
1446 type = T_A;
1447
1448
4e0983dc 1449lookup_dnssec_authenticated = NULL;
e5a9dba6
PH		 1450switch (dns_lookup(&dnsa, target, type, NULL))
1451 {
1452 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1453
1454 default:
cc00f4af 1455 return t->data.val = CSA_DEFER_ADDR;
e5a9dba6
PH		 1456
1457 /* If the query succeeded, scan the addresses and return the result. */
1458
1459 case DNS_SUCCEED:
cc00f4af
JH		 1460 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1461 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1462 /* else fall through */
e5a9dba6
PH		 1463
1464 /* If the target has no IP addresses, the client cannot have an authorized
1465 IP address. However, if the target site uses A6 records (not AAAA records)
1466 we have to do yet another lookup in order to check them. */
1467
1468 case DNS_NOMATCH:
1469 case DNS_NODATA:
cc00f4af 1470 return t->data.val = CSA_FAIL_NOADDR;
e5a9dba6
PH		 1471 }
1472}
1473
1474
1475
059ec3d9
PH		 1476/*************************************************
1477* Handle verification (address & other) *
1478*************************************************/
1479
89583014 1480enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
770747fd
MFM		 1481 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT,
1482 VERIFY_HDR_NAMES_ASCII
89583014
JH		 1483 };
1484typedef struct {
1485 uschar * name;
1486 int value;
1487 unsigned where_allowed; /* bitmap */
1488 BOOL no_options; /* Never has /option(s) following */
1489 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1490 } verify_type_t;
1491static verify_type_t verify_type_list[] = {
7e8360e6 1492 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, FALSE, 0 },
89583014
JH		 1493 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1494 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1495 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1496 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1497 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1498 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1499 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1500 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1501 FALSE, 6 },
770747fd
MFM		 1502 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 },
1503 { US"header_names_ascii", VERIFY_HDR_NAMES_ASCII, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 }
89583014
JH		 1504 };
1505
1506
1507enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1508 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1509 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1510 CALLOUT_TIME
1511 };
1512typedef struct {
1513 uschar * name;
1514 int value;
1515 int flag;
1516 BOOL has_option; /* Has =option(s) following */
1517 BOOL timeval; /* Has a time value */
1518 } callout_opt_t;
1519static callout_opt_t callout_opt_list[] = {
1520 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1521 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1522 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1523 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1524 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1525 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1526 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1527 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1528 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1529 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1530 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1531 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1532 };
1533
1534
1535
059ec3d9
PH		 1536/* This function implements the "verify" condition. It is called when
1537encountered in any ACL, because some tests are almost always permitted. Some
1538just don't make sense, and always fail (for example, an attempt to test a host
1539lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1540
1541Arguments:
1542 where where called from
1543 addr the recipient address that the ACL is handling, or NULL
1544 arg the argument of "verify"
1545 user_msgptr pointer for user message
1546 log_msgptr pointer for log message
1547 basic_errno where to put verify errno
1548
1549Returns: OK verification condition succeeded
1550 FAIL verification failed
1551 DEFER there was a problem verifying
1552 ERROR syntax error
1553*/
1554
1555static int
55414b25 1556acl_verify(int where, address_item *addr, const uschar *arg,
059ec3d9
PH		 1557 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1558{
1559int sep = '/';
1560int callout = -1;
1561int callout_overall = -1;
4deaf07d 1562int callout_connect = -1;
059ec3d9
PH		 1563int verify_options = 0;
1564int rc;
1565BOOL verify_header_sender = FALSE;
1566BOOL defer_ok = FALSE;
1567BOOL callout_defer_ok = FALSE;
1568BOOL no_details = FALSE;
eafd343b 1569BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1570address_item *sender_vaddr = NULL;
1571uschar *verify_sender_address = NULL;
1572uschar *pm_mailfrom = NULL;
1573uschar *se_mailfrom = NULL;
596875b3
PH		 1574
1575/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1576an error if options are given for items that don't expect them.
596875b3
PH		 1577*/
1578
1579uschar *slash = Ustrchr(arg, '/');
55414b25 1580const uschar *list = arg;
059ec3d9 1581uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1582verify_type_t * vp;
059ec3d9
PH		 1583
1584if (ss == NULL) goto BAD_VERIFY;
1585
1586/* Handle name/address consistency verification in a separate function. */
1587
89583014
JH		 1588for (vp= verify_type_list;
1589 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1590 vp++
1591 )
1592 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1593 : strcmpic (ss, vp->name) == 0)
1594 break;
1595if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1596 goto BAD_VERIFY;
1597
1598if (vp->no_options && slash != NULL)
059ec3d9 1599 {
89583014
JH		 1600 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1601 "(this verify item has no options)", arg);
1602 return ERROR;
059ec3d9 1603 }
89583014 1604if (!(vp->where_allowed & (1<<where)))
059ec3d9 1605 {
89583014
JH		 1606 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1607 return ERROR;
059ec3d9 1608 }
89583014 1609switch(vp->value)
596875b3 1610 {
89583014
JH		 1611 case VERIFY_REV_HOST_LKUP:
1612 if (sender_host_address == NULL) return OK;
7e8360e6
JH		 1613 if ((rc = acl_verify_reverse(user_msgptr, log_msgptr)) == DEFER)
1614 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1615 if (strcmpic(ss, US"defer_ok") == 0)
1616 return OK;
1617 return rc;
059ec3d9 1618
89583014
JH		 1619 case VERIFY_CERT:
1620 /* TLS certificate verification is done at STARTTLS time; here we just
1621 test whether it was successful or not. (This is for optional verification; for
1622 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1623
3703d818
JH		 1624 if (tls_in.certificate_verified) return OK;
1625 *user_msgptr = US"no verified certificate";
1626 return FAIL;
e5a9dba6 1627
89583014
JH		 1628 case VERIFY_HELO:
1629 /* We can test the result of optional HELO verification that might have
1630 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1631
3703d818
JH		 1632 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1633 return helo_verified? OK : FAIL;
059ec3d9 1634
89583014
JH		 1635 case VERIFY_CSA:
1636 /* Do Client SMTP Authorization checks in a separate function, and turn the
1637 result code into user-friendly strings. */
1c41c9cc 1638
3703d818
JH		 1639 rc = acl_verify_csa(list);
1640 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
89583014 1641 csa_reason_string[rc]);
3703d818
JH		 1642 csa_status = csa_status_string[rc];
1643 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1644 return csa_return_code[rc];
89583014
JH		 1645
1646 case VERIFY_HDR_SYNTAX:
1647 /* Check that all relevant header lines have the correct syntax. If there is
1648 a syntax error, we return details of the error to the sender if configured to
1649 send out full details. (But a "message" setting on the ACL can override, as
1650 always). */
1651
1652 rc = verify_check_headers(log_msgptr);
3703d818
JH		 1653 if (rc != OK && *log_msgptr)
1654 if (smtp_return_error_details)
1655 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1656 else
1657 acl_verify_message = *log_msgptr;
89583014 1658 return rc;
059ec3d9 1659
770747fd
MFM		 1660 case VERIFY_HDR_NAMES_ASCII:
1661 /* Check that all header names are true 7 bit strings
1662 See RFC 5322, 2.2. and RFC 6532, 3. */
1663
1664 rc = verify_check_header_names_ascii(log_msgptr);
1665 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1666 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1667 return rc;
1668
89583014
JH		 1669 case VERIFY_NOT_BLIND:
1670 /* Check that no recipient of this message is "blind", that is, every envelope
1671 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1672
89583014
JH		 1673 rc = verify_check_notblind();
1674 if (rc != OK)
1675 {
1676 *log_msgptr = string_sprintf("bcc recipient detected");
1677 if (smtp_return_error_details)
1678 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1679 }
1680 return rc;
059ec3d9 1681
89583014
JH		 1682 /* The remaining verification tests check recipient and sender addresses,
1683 either from the envelope or from the header. There are a number of
1684 slash-separated options that are common to all of them. */
059ec3d9 1685
89583014
JH		 1686 case VERIFY_HDR_SNDR:
1687 verify_header_sender = TRUE;
1688 break;
059ec3d9 1689
89583014
JH		 1690 case VERIFY_SNDR:
1691 /* In the case of a sender, this can optionally be followed by an address to use
1692 in place of the actual sender (rare special-case requirement). */
059ec3d9 1693 {
89583014
JH		 1694 uschar *s = ss + 6;
1695 if (*s == 0)
1696 verify_sender_address = sender_address;
1697 else
1698 {
1699 while (isspace(*s)) s++;
1700 if (*s++ != '=') goto BAD_VERIFY;
1701 while (isspace(*s)) s++;
1702 verify_sender_address = string_copy(s);
1703 }
059ec3d9 1704 }
89583014
JH		 1705 break;
1706
1707 case VERIFY_RCPT:
1708 break;
059ec3d9
PH		 1709 }
1710
89583014
JH		 1711
1712
596875b3
PH		 1713/* Remaining items are optional; they apply to sender and recipient
1714verification, including "header sender" verification. */
059ec3d9
PH		 1715
1716while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1717 != NULL)
1718 {
1719 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1720 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1721 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1722
1723 /* These two old options are left for backwards compatibility */
1724
1725 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1726 {
1727 callout_defer_ok = TRUE;
1728 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1729 }
1730
1731 else if (strcmpic(ss, US"check_postmaster") == 0)
1732 {
1733 pm_mailfrom = US"";
1734 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1735 }
1736
1737 /* The callout option has a number of sub-options, comma separated */
1738
1739 else if (strncmpic(ss, US"callout", 7) == 0)
1740 {
1741 callout = CALLOUT_TIMEOUT_DEFAULT;
1742 ss += 7;
1743 if (*ss != 0)
1744 {
1745 while (isspace(*ss)) ss++;
1746 if (*ss++ == '=')
1747 {
55414b25 1748 const uschar * sublist = ss;
059ec3d9
PH		 1749 int optsep = ',';
1750 uschar *opt;
1751 uschar buffer[256];
55414b25 1752 while (isspace(*sublist)) sublist++;
8e669ac1 1753
55414b25 1754 while ((opt = string_nextinlist(&sublist, &optsep, buffer, sizeof(buffer)))
059ec3d9
PH		 1755 != NULL)
1756 {
89583014 1757 callout_opt_t * op;
438257ba 1758 double period = 1.0F;
059ec3d9 1759
89583014 1760 for (op= callout_opt_list; op->name; op++)
438257ba 1761 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1762 break;
059ec3d9 1763
89583014
JH		 1764 verify_options |= op->flag;
1765 if (op->has_option)
1766 {
438257ba 1767 opt += Ustrlen(op->name);
4deaf07d
PH		 1768 while (isspace(*opt)) opt++;
1769 if (*opt++ != '=')
1770 {
1771 *log_msgptr = string_sprintf("'=' expected after "
89583014 1772 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1773 return ERROR;
1774 }
1775 while (isspace(*opt)) opt++;
89583014
JH		 1776 }
1777 if (op->timeval)
1778 {
1779 period = readconf_readtime(opt, 0, FALSE);
1780 if (period < 0)
4deaf07d
PH		 1781 {
1782 *log_msgptr = string_sprintf("bad time value in ACL condition "
1783 "\"verify %s\"", arg);
1784 return ERROR;
1785 }
89583014
JH		 1786 }
1787
1788 switch(op->value)
1789 {
1790 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1791 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1792 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1793 case CALLOUT_MAILFROM:
1794 if (!verify_header_sender)
1795 {
1796 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1797 "callout option only for verify=header_sender (detected in ACL "
1798 "condition \"%s\")", arg);
1799 return ERROR;
1800 }
1801 se_mailfrom = string_copy(opt);
1802 break;
1803 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1804 case CALLOUT_MAXWAIT: callout_overall = period; break;
1805 case CALLOUT_CONNECT: callout_connect = period; break;
1806 case CALLOUT_TIME: callout = period; break;
1807 }
059ec3d9
PH		 1808 }
1809 }
1810 else
1811 {
1812 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1813 "ACL condition \"%s\"", arg);
1814 return ERROR;
1815 }
1816 }
1817 }
1818
1819 /* Option not recognized */
1820
1821 else
1822 {
1823 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1824 "condition \"verify %s\"", ss, arg);
1825 return ERROR;
1826 }
1827 }
1828
1829if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1830 (vopt_callout_recipsender|vopt_callout_recippmaster))
1831 {
1832 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1833 "for a recipient callout";
1834 return ERROR;
1835 }
1836
1837/* Handle sender-in-header verification. Default the user message to the log
1838message if giving out verification details. */
1839
1840if (verify_header_sender)
1841 {
8e669ac1 1842 int verrno;
2f682e45
JH		 1843
1844 if ((rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b 1845 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
2f682e45 1846 &verrno)) != OK)
8e669ac1 1847 {
fe5b5d0b
PH		 1848 *basic_errno = verrno;
1849 if (smtp_return_error_details)
1850 {
2f682e45 1851 if (!*user_msgptr && *log_msgptr)
fe5b5d0b
PH		 1852 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1853 if (rc == DEFER) acl_temp_details = TRUE;
1854 }
8e669ac1 1855 }
059ec3d9
PH		 1856 }
1857
1858/* Handle a sender address. The default is to verify *the* sender address, but
1859optionally a different address can be given, for special requirements. If the
1860address is empty, we are dealing with a bounce message that has no sender, so
1861we cannot do any checking. If the real sender address gets rewritten during
1862verification (e.g. DNS widening), set the flag to stop it being rewritten again
1863during message reception.
1864
1865A list of verified "sender" addresses is kept to try to avoid doing to much
1866work repetitively when there are multiple recipients in a message and they all
1867require sender verification. However, when callouts are involved, it gets too
1868complicated because different recipients may require different callout options.
1869Therefore, we always do a full sender verify when any kind of callout is
1870specified. Caching elsewhere, for instance in the DNS resolver and in the
1871callout handling, should ensure that this is not terribly inefficient. */
1872
2f682e45 1873else if (verify_sender_address)
059ec3d9 1874 {
2f682e45 1875 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)))
059ec3d9
PH		 1876 {
1877 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1878 "sender verify callout";
1879 return ERROR;
1880 }
1881
1882 sender_vaddr = verify_checked_sender(verify_sender_address);
1883 if (sender_vaddr != NULL && /* Previously checked */
1884 callout <= 0) /* No callout needed this time */
1885 {
1886 /* If the "routed" flag is set, it means that routing worked before, so
1887 this check can give OK (the saved return code value, if set, belongs to a
1888 callout that was done previously). If the "routed" flag is not set, routing
1889 must have failed, so we use the saved return code. */
1890
2f682e45
JH		 1891 if (testflag(sender_vaddr, af_verify_routed))
1892 rc = OK;
1893 else
059ec3d9
PH		 1894 {
1895 rc = sender_vaddr->special_action;
1896 *basic_errno = sender_vaddr->basic_errno;
1897 }
1898 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1899 }
1900
1901 /* Do a new verification, and cache the result. The cache is used to avoid
1902 verifying the sender multiple times for multiple RCPTs when callouts are not
1903 specified (see comments above).
1904
1905 The cache is also used on failure to give details in response to the first
1906 RCPT that gets bounced for this reason. However, this can be suppressed by
1907 the no_details option, which sets the flag that says "this detail has already
1908 been sent". The cache normally contains just one address, but there may be
1909 more in esoteric circumstances. */
1910
1911 else
1912 {
1913 BOOL routed = TRUE;
2a3eea10 1914 uschar *save_address_data = deliver_address_data;
8e669ac1 1915
059ec3d9 1916 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
8c5d388a 1917#ifdef SUPPORT_I18N
3c8b3577
JH		 1918 if ((sender_vaddr->prop.utf8_msg = message_smtputf8))
1919 {
1920 sender_vaddr->prop.utf8_downcvt = message_utf8_downconvert == 1;
1921 sender_vaddr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
1922 }
f358d5e0 1923#endif
059ec3d9
PH		 1924 if (no_details) setflag(sender_vaddr, af_sverify_told);
1925 if (verify_sender_address[0] != 0)
1926 {
1927 /* If this is the real sender address, save the unrewritten version
1928 for use later in receive. Otherwise, set a flag so that rewriting the
1929 sender in verify_address() does not update sender_address. */
1930
1931 if (verify_sender_address == sender_address)
1932 sender_address_unrewritten = sender_address;
1933 else
1934 verify_options |= vopt_fake_sender;
1935
eafd343b
TK		 1936 if (success_on_redirect)
1937 verify_options |= vopt_success_on_redirect;
1938
059ec3d9
PH		 1939 /* The recipient, qualify, and expn options are never set in
1940 verify_options. */
1941
1942 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1943 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1944
1945 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1946
2f682e45
JH		 1947 if (rc != OK)
1948 *basic_errno = sender_vaddr->basic_errno;
1949 else
1950 DEBUG(D_acl)
1951 {
1952 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1953 debug_printf("sender %s verified ok as %s\n",
1954 verify_sender_address, sender_vaddr->address);
1955 else
1956 debug_printf("sender %s verified ok\n",
1957 verify_sender_address);
1958 }
059ec3d9 1959 }
2f682e45
JH		 1960 else
1961 rc = OK; /* Null sender */
059ec3d9
PH		 1962
1963 /* Cache the result code */
1964
1965 if (routed) setflag(sender_vaddr, af_verify_routed);
1966 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1967 sender_vaddr->special_action = rc;
1968 sender_vaddr->next = sender_verified_list;
1969 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1970
1971 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1972 the sender verification. */
8e669ac1 1973
2a3eea10 1974 deliver_address_data = save_address_data;
059ec3d9 1975 }
8e669ac1 1976
2a3eea10
PH		 1977 /* Put the sender address_data value into $sender_address_data */
1978
d43cbe25 1979 sender_address_data = sender_vaddr->prop.address_data;
059ec3d9
PH		 1980 }
1981
1982/* A recipient address just gets a straightforward verify; again we must handle
1983the DEFER overrides. */
1984
1985else
1986 {
1987 address_item addr2;
1988
eafd343b
TK		 1989 if (success_on_redirect)
1990 verify_options |= vopt_success_on_redirect;
1991
059ec3d9
PH		 1992 /* We must use a copy of the address for verification, because it might
1993 get rewritten. */
1994
1995 addr2 = *addr;
1996 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1997 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1998 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1999
42855d71 2000 *basic_errno = addr2.basic_errno;
059ec3d9 2001 *log_msgptr = addr2.message;
8e669ac1 2002 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 2003 addr2.user_message : addr2.message;
42855d71
PH		 2004
2005 /* Allow details for temporary error if the address is so flagged. */
2006 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 2007
2008 /* Make $address_data visible */
d43cbe25 2009 deliver_address_data = addr2.prop.address_data;
059ec3d9
PH		 2010 }
2011
2012/* We have a result from the relevant test. Handle defer overrides first. */
2013
2014if (rc == DEFER && (defer_ok ||
2015 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
2016 {
2017 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
2018 defer_ok? "defer_ok" : "callout_defer_ok");
2019 rc = OK;
2020 }
2021
2022/* If we've failed a sender, set up a recipient message, and point
2023sender_verified_failed to the address item that actually failed. */
2024
2025if (rc != OK && verify_sender_address != NULL)
2026 {
2027 if (rc != DEFER)
059ec3d9 2028 *log_msgptr = *user_msgptr = US"Sender verify failed";
059ec3d9 2029 else if (*basic_errno != ERRNO_CALLOUTDEFER)
059ec3d9 2030 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
059ec3d9
PH		 2031 else
2032 {
2033 *log_msgptr = US"Could not complete sender verify callout";
2034 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2035 *log_msgptr;
2036 }
2037
2038 sender_verified_failed = sender_vaddr;
2039 }
2040
2041/* Verifying an address messes up the values of $domain and $local_part,
2042so reset them before returning if this is a RCPT ACL. */
2043
2044if (addr != NULL)
2045 {
2046 deliver_domain = addr->domain;
2047 deliver_localpart = addr->local_part;
2048 }
2049return rc;
2050
2051/* Syntax errors in the verify argument come here. */
2052
2053BAD_VERIFY:
2054*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
770747fd
MFM		 2055 "\"helo\", \"header_syntax\", \"header_sender\", \"header_names_ascii\" "
2056 "or \"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2057 "\"verify %s\"", arg);
2058return ERROR;
2059}
2060
2061
2062
2063
2064/*************************************************
2065* Check argument for control= modifier *
2066*************************************************/
2067
2068/* Called from acl_check_condition() below
2069
2070Arguments:
2071 arg the argument string for control=
2072 pptr set to point to the terminating character
2073 where which ACL we are in
2074 log_msgptr for error messages
2075
2076Returns: CONTROL_xxx value
2077*/
2078
2079static int
55414b25 2080decode_control(const uschar *arg, const uschar **pptr, int where, uschar **log_msgptr)
059ec3d9 2081{
d7bed771
JH		 2082int idx, len;
2083control_def * d;
059ec3d9 2084
d7bed771
JH		 2085if ( (idx = find_control(arg, controls_list, nelem(controls_list))) < 0
2086 || ( arg[len = Ustrlen((d = controls_list+idx)->name)] != 0
2087 && (!d->has_option || arg[len] != '/')
2088 ) )
059ec3d9
PH		 2089 {
2090 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2091 return CONTROL_ERROR;
2092 }
2093
059ec3d9 2094*pptr = arg + len;
d7bed771 2095return idx;
059ec3d9
PH		 2096}
2097
2098
2099
c99ce5c9
TF		 2100
2101/*************************************************
2102* Return a ratelimit error *
2103*************************************************/
2104
2105/* Called from acl_ratelimit() below
2106
2107Arguments:
2108 log_msgptr for error messages
2109 format format string
2110 ... supplementary arguments
2111 ss ratelimit option name
2112 where ACL_WHERE_xxxx indicating which ACL this is
2113
2114Returns: ERROR
2115*/
2116
2117static int
2118ratelimit_error(uschar **log_msgptr, const char *format, ...)
2119{
2120va_list ap;
2121uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2122va_start(ap, format);
2123if (!string_vformat(buffer, sizeof(buffer), format, ap))
2124 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2125 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2126va_end(ap);
2127*log_msgptr = string_sprintf(
2128 "error in arguments to \"ratelimit\" condition: %s", buffer);
2129return ERROR;
2130}
2131
2132
2133
2134
870f6ba8
TF		 2135/*************************************************
2136* Handle rate limiting *
2137*************************************************/
2138
2139/* Called by acl_check_condition() below to calculate the result
2140of the ACL ratelimit condition.
2141
2142Note that the return value might be slightly unexpected: if the
2143sender's rate is above the limit then the result is OK. This is
2144similar to the dnslists condition, and is so that you can write
2145ACL clauses like: defer ratelimit = 15 / 1h
2146
2147Arguments:
2148 arg the option string for ratelimit=
90fc3069 2149 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2150 log_msgptr for error messages
2151
2152Returns: OK - Sender's rate is above limit
2153 FAIL - Sender's rate is below limit
2154 DEFER - Problem opening ratelimit database
2155 ERROR - Syntax error in options.
2156*/
2157
2158static int
55414b25 2159acl_ratelimit(const uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2160{
c99ce5c9 2161double limit, period, count;
8f240103
PH		 2162uschar *ss;
2163uschar *key = NULL;
c99ce5c9 2164uschar *unique = NULL;
870f6ba8 2165int sep = '/';
c99ce5c9
TF		 2166BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2167BOOL noupdate = FALSE, badacl = FALSE;
2168int mode = RATE_PER_WHAT;
870f6ba8
TF		 2169int old_pool, rc;
2170tree_node **anchor, *t;
2171open_db dbblock, *dbm;
c99ce5c9 2172int dbdb_size;
870f6ba8 2173dbdata_ratelimit *dbd;
c99ce5c9 2174dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2175struct timeval tv;
2176
2177/* Parse the first two options and record their values in expansion
2178variables. These variables allow the configuration to have informative
2179error messages based on rate limits obtained from a table lookup. */
2180
c99ce5c9 2181/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2182size, which must be greater than or equal to zero. Zero is useful for
2183rate measurement as opposed to rate limiting. */
2184
2185sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2186if (sender_rate_limit == NULL)
96f5fe4c
JH		 2187 return ratelimit_error(log_msgptr, "sender rate limit not set");
2188
2189limit = Ustrtod(sender_rate_limit, &ss);
2190if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2191else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2192else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2193
c99ce5c9
TF		 2194if (limit < 0.0 || *ss != '\0')
2195 return ratelimit_error(log_msgptr,
2196 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2197
c99ce5c9 2198/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2199constant. This must be strictly greater than zero, because zero leads to
2200run-time division errors. */
2201
2202sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2203if (sender_rate_period == NULL) period = -1.0;
2204else period = readconf_readtime(sender_rate_period, 0, FALSE);
2205if (period <= 0.0)
c99ce5c9
TF		 2206 return ratelimit_error(log_msgptr,
2207 "\"%s\" is not a time value", sender_rate_period);
2208
2209/* By default we are counting one of something, but the per_rcpt,
2210per_byte, and count options can change this. */
2211
2212count = 1.0;
870f6ba8 2213
c99ce5c9 2214/* Parse the other options. */
870f6ba8
TF		 2215
2216while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2217 != NULL)
2218 {
2219 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2220 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2221 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2222 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2223 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2224 else if (strcmpic(ss, US"per_conn") == 0)
2225 {
2226 RATE_SET(mode, PER_CONN);
2227 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2228 badacl = TRUE;
2229 }
2230 else if (strcmpic(ss, US"per_mail") == 0)
2231 {
2232 RATE_SET(mode, PER_MAIL);
2233 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2234 }
2235 else if (strcmpic(ss, US"per_rcpt") == 0)
2236 {
2237 /* If we are running in the RCPT ACL, then we'll count the recipients
2238 one by one, but if we are running when we have accumulated the whole
2239 list then we'll add them all in one batch. */
2240 if (where == ACL_WHERE_RCPT)
2241 RATE_SET(mode, PER_RCPT);
2242 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2243 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2244 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2245 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2246 }
2247 else if (strcmpic(ss, US"per_byte") == 0)
2248 {
2249 /* If we have not yet received the message data and there was no SIZE
2250 declaration on the MAIL comand, then it's safe to just use a value of
2251 zero and let the recorded rate decay as if nothing happened. */
2252 RATE_SET(mode, PER_MAIL);
2253 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2254 else count = message_size < 0 ? 0.0 : (double)message_size;
2255 }
2256 else if (strcmpic(ss, US"per_addr") == 0)
2257 {
2258 RATE_SET(mode, PER_RCPT);
438257ba 2259 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2260 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2261 }
2262 else if (strncmpic(ss, US"count=", 6) == 0)
2263 {
2264 uschar *e;
2265 count = Ustrtod(ss+6, &e);
2266 if (count < 0.0 || *e != '\0')
2267 return ratelimit_error(log_msgptr,
2268 "\"%s\" is not a positive number", ss);
2269 }
2270 else if (strncmpic(ss, US"unique=", 7) == 0)
2271 unique = string_copy(ss + 7);
2272 else if (key == NULL)
2273 key = string_copy(ss);
2274 else
2275 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2276 }
2277
c99ce5c9
TF		 2278/* Sanity check. When the badacl flag is set the update mode must either
2279be readonly (which is the default if it is omitted) or, for backwards
2280compatibility, a combination of noupdate and strict or leaky. */
2281
2282if (mode == RATE_PER_CLASH)
2283 return ratelimit_error(log_msgptr, "conflicting per_* options");
2284if (leaky + strict + readonly > 1)
2285 return ratelimit_error(log_msgptr, "conflicting update modes");
2286if (badacl && (leaky || strict) && !noupdate)
2287 return ratelimit_error(log_msgptr,
2288 "\"%s\" must not have /leaky or /strict option in %s ACL",
2289 ratelimit_option_string[mode], acl_wherenames[where]);
2290
2291/* Set the default values of any unset options. In readonly mode we
2292perform the rate computation without any increment so that its value
2293decays to eventually allow over-limit senders through. */
2294
2295if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2296if (badacl) readonly = TRUE;
2297if (readonly) count = 0.0;
2298if (!strict && !readonly) leaky = TRUE;
2299if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2300
8f240103
PH		 2301/* Create the lookup key. If there is no explicit key, use sender_host_address.
2302If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2303omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2304are added to the key because they alter the meaning of the stored data. */
2305
2306if (key == NULL)
2307 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2308
c99ce5c9 2309key = string_sprintf("%s/%s/%s%s",
8f240103 2310 sender_rate_period,
c99ce5c9
TF		 2311 ratelimit_option_string[mode],
2312 unique == NULL ? "" : "unique/",
8f240103 2313 key);
870f6ba8 2314
c99ce5c9
TF		 2315HDEBUG(D_acl)
2316 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2317
8f240103
PH		 2318/* See if we have already computed the rate by looking in the relevant tree.
2319For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2320pool so that they survive across resets. In readonly mode we only remember the
2321result for the rest of this command in case a later command changes it. After
2322this bit of logic the code is independent of the per_* mode. */
870f6ba8 2323
870f6ba8
TF		 2324old_pool = store_pool;
2325
c99ce5c9
TF		 2326if (readonly)
2327 anchor = &ratelimiters_cmd;
2328else switch(mode) {
2329case RATE_PER_CONN:
870f6ba8
TF		 2330 anchor = &ratelimiters_conn;
2331 store_pool = POOL_PERM;
c99ce5c9
TF		 2332 break;
2333case RATE_PER_BYTE:
2334case RATE_PER_MAIL:
2335case RATE_PER_ALLRCPTS:
870f6ba8 2336 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2337 break;
2338case RATE_PER_ADDR:
2339case RATE_PER_CMD:
2340case RATE_PER_RCPT:
fe0dab11 2341 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2342 break;
2343default:
3399bb60 2344 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2345 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2346 "internal ACL error: unknown ratelimit mode %d", mode);
2347 break;
2348}
870f6ba8 2349
c99ce5c9
TF		 2350t = tree_search(*anchor, key);
2351if (t != NULL)
870f6ba8
TF		 2352 {
2353 dbd = t->data.ptr;
2354 /* The following few lines duplicate some of the code below. */
8f240103 2355 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2356 store_pool = old_pool;
2357 sender_rate = string_sprintf("%.1f", dbd->rate);
2358 HDEBUG(D_acl)
2359 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2360 return rc;
2361 }
2362
c99ce5c9
TF		 2363/* We aren't using a pre-computed rate, so get a previously recorded rate
2364from the database, which will be updated and written back if required. */
870f6ba8
TF		 2365
2366dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2367if (dbm == NULL)
2368 {
2369 store_pool = old_pool;
2370 sender_rate = NULL;
2371 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2372 *log_msgptr = US"ratelimit database not available";
2373 return DEFER;
2374 }
c99ce5c9
TF		 2375dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2376dbd = NULL;
870f6ba8
TF		 2377
2378gettimeofday(&tv, NULL);
2379
c99ce5c9
TF		 2380if (dbdb != NULL)
2381 {
2382 /* Locate the basic ratelimit block inside the DB data. */
2383 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2384 dbd = &dbdb->dbd;
2385
2386 /* Forget the old Bloom filter if it is too old, so that we count each
2387 repeating event once per period. We don't simply clear and re-use the old
2388 filter because we want its size to change if the limit changes. Note that
2389 we keep the dbd pointer for copying the rate into the new data block. */
2390
2391 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2392 {
2393 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2394 dbdb = NULL;
2395 }
2396
2397 /* Sanity check. */
2398
2399 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2400 {
2401 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2402 dbdb = NULL;
2403 }
2404 }
2405
2406/* Allocate a new data block if the database lookup failed
2407or the Bloom filter passed its age limit. */
2408
2409if (dbdb == NULL)
2410 {
2411 if (unique == NULL)
2412 {
2413 /* No Bloom filter. This basic ratelimit block is initialized below. */
2414 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2415 dbdb_size = sizeof(*dbd);
2416 dbdb = store_get(dbdb_size);
2417 }
2418 else
2419 {
2420 int extra;
2421 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2422
2423 /* See the long comment below for an explanation of the magic number 2.
2424 The filter has a minimum size in case the rate limit is very small;
2425 this is determined by the definition of dbdata_ratelimit_unique. */
2426
2427 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2428 if (extra < 0) extra = 0;
2429 dbdb_size = sizeof(*dbdb) + extra;
2430 dbdb = store_get(dbdb_size);
2431 dbdb->bloom_epoch = tv.tv_sec;
2432 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2433 memset(dbdb->bloom, 0, dbdb->bloom_size);
2434
2435 /* Preserve any basic ratelimit data (which is our longer-term memory)
2436 by copying it from the discarded block. */
2437
2438 if (dbd != NULL)
2439 {
2440 dbdb->dbd = *dbd;
2441 dbd = &dbdb->dbd;
2442 }
2443 }
2444 }
2445
2446/* If we are counting unique events, find out if this event is new or not.
2447If the client repeats the event during the current period then it should be
2448counted. We skip this code in readonly mode for efficiency, because any
2449changes to the filter will be discarded and because count is already set to
2450zero. */
2451
2452if (unique != NULL && !readonly)
2453 {
2454 /* We identify unique events using a Bloom filter. (You can find my
2455 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2456 With the per_addr option, an "event" is a recipient address, though the
2457 user can use the unique option to define their own events. We only count
2458 an event if we have not seen it before.
2459
2460 We size the filter according to the rate limit, which (in leaky mode)
2461 is the limit on the population of the filter. We allow 16 bits of space
2462 per entry (see the construction code above) and we set (up to) 8 of them
2463 when inserting an element (see the loop below). The probability of a false
2464 positive (an event we have not seen before but which we fail to count) is
2465
2466 size = limit * 16
2467 numhash = 8
2468 allzero = exp(-numhash * pop / size)
2469 = exp(-0.5 * pop / limit)
2470 fpr = pow(1 - allzero, numhash)
2471
2472 For senders at the limit the fpr is 0.06% or 1 in 1700
2473 and for senders at half the limit it is 0.0006% or 1 in 170000
2474
2475 In strict mode the Bloom filter can fill up beyond the normal limit, in
2476 which case the false positive rate will rise. This means that the
2477 measured rate for very fast senders can bogusly drop off after a while.
2478
2479 At twice the limit, the fpr is 2.5% or 1 in 40
2480 At four times the limit, it is 31% or 1 in 3.2
2481
2482 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2483 decay below the limit, and if this is more than one then the Bloom filter
2484 will be discarded before the decay gets that far. The false positive rate
2485 at this threshold is 9.3% or 1 in 10.7. */
2486
2487 BOOL seen;
2488 unsigned n, hash, hinc;
2489 uschar md5sum[16];
2490 md5 md5info;
2491
2492 /* Instead of using eight independent hash values, we combine two values
2493 using the formula h1 + n * h2. This does not harm the Bloom filter's
2494 performance, and means the amount of hash we need is independent of the
2495 number of bits we set in the filter. */
2496
2497 md5_start(&md5info);
2498 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2499 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2500 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2501
2502 /* Scan the bits corresponding to this event. A zero bit means we have
2503 not seen it before. Ensure all bits are set to record this event. */
2504
2505 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2506
2507 seen = TRUE;
2508 for (n = 0; n < 8; n++, hash += hinc)
2509 {
2510 int bit = 1 << (hash % 8);
2511 int byte = (hash / 8) % dbdb->bloom_size;
2512 if ((dbdb->bloom[byte] & bit) == 0)
2513 {
2514 dbdb->bloom[byte] |= bit;
2515 seen = FALSE;
2516 }
2517 }
2518
2519 /* If this event has occurred before, do not count it. */
2520
2521 if (seen)
2522 {
2523 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2524 count = 0.0;
2525 }
2526 else
2527 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2528 }
2529
2530/* If there was no previous ratelimit data block for this key, initialize
2531the new one, otherwise update the block from the database. The initial rate
2532is what would be computed by the code below for an infinite interval. */
2533
870f6ba8
TF		 2534if (dbd == NULL)
2535 {
c99ce5c9
TF		 2536 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2537 dbd = &dbdb->dbd;
870f6ba8
TF		 2538 dbd->time_stamp = tv.tv_sec;
2539 dbd->time_usec = tv.tv_usec;
c99ce5c9 2540 dbd->rate = count;
870f6ba8
TF		 2541 }
2542else
2543 {
2544 /* The smoothed rate is computed using an exponentially weighted moving
2545 average adjusted for variable sampling intervals. The standard EWMA for
2546 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2547 where f() is the measured value and f'() is the smoothed value.
2548
2549 Old data decays out of the smoothed value exponentially, such that data n
2550 samples old is multiplied by a^n. The exponential decay time constant p
2551 is defined such that data p samples old is multiplied by 1/e, which means
2552 that a = exp(-1/p). We can maintain the same time constant for a variable
2553 sampling interval i by using a = exp(-i/p).
2554
2555 The rate we are measuring is messages per period, suitable for directly
2556 comparing with the limit. The average rate between now and the previous
2557 message is period / interval, which we feed into the EWMA as the sample.
2558
2559 It turns out that the number of messages required for the smoothed rate
2560 to reach the limit when they are sent in a burst is equal to the limit.
2561 This can be seen by analysing the value of the smoothed rate after N
2562 messages sent at even intervals. Let k = (1 - a) * p/i
2563
2564 rate_1 = (1 - a) * p/i + a * rate_0
2565 = k + a * rate_0
2566 rate_2 = k + a * rate_1
2567 = k + a * k + a^2 * rate_0
2568 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2569 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2570 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2571 = rate_0 * a^N + p/i * (1 - a^N)
2572
2573 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2574
2575 rate_N = p/i + (rate_0 - p/i) * a^N
2576 a^N = (rate_N - p/i) / (rate_0 - p/i)
2577 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2578 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2579
2580 Numerical analysis of the above equation, setting the computed rate to
2581 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2582 rates, p/i, the number of messages N = limit. So limit serves as both the
2583 maximum rate measured in messages per period, and the maximum number of
2584 messages that can be sent in a fast burst. */
2585
2586 double this_time = (double)tv.tv_sec
2587 + (double)tv.tv_usec / 1000000.0;
2588 double prev_time = (double)dbd->time_stamp
2589 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2590
2591 /* We must avoid division by zero, and deal gracefully with the clock going
2592 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2593 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2594
e5d5a95f
TF		 2595 double interval = this_time - prev_time <= 0.0 ? 1e-9
2596 : this_time - prev_time;
2597
2598 double i_over_p = interval / period;
2599 double a = exp(-i_over_p);
870f6ba8 2600
c99ce5c9
TF		 2601 /* Combine the instantaneous rate (period / interval) with the previous rate
2602 using the smoothing factor a. In order to measure sized events, multiply the
2603 instantaneous rate by the count of bytes or recipients etc. */
2604
870f6ba8
TF		 2605 dbd->time_stamp = tv.tv_sec;
2606 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2607 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2608
2609 /* When events are very widely spaced the computed rate tends towards zero.
2610 Although this is accurate it turns out not to be useful for our purposes,
2611 especially when the first event after a long silence is the start of a spam
2612 run. A more useful model is that the rate for an isolated event should be the
2613 size of the event per the period size, ignoring the lack of events outside
2614 the current period and regardless of where the event falls in the period. So,
2615 if the interval was so long that the calculated rate is unhelpfully small, we
2616 re-intialize the rate. In the absence of higher-rate bursts, the condition
2617 below is true if the interval is greater than the period. */
2618
2619 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2620 }
2621
c99ce5c9
TF		 2622/* Clients sending at the limit are considered to be over the limit.
2623This matters for edge cases such as a limit of zero, when the client
2624should be completely blocked. */
3348576f 2625
8f240103 2626rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2627
2628/* Update the state if the rate is low or if we are being strict. If we
2629are in leaky mode and the sender's rate is too high, we do not update
2630the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2631rate preventing them from getting any email through. If readonly is set,
2632neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2633
c99ce5c9 2634if ((rc == FAIL && leaky) || strict)
8f240103 2635 {
c99ce5c9 2636 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2637 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2638 }
2639else
2640 {
2641 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2642 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2643 }
2644
870f6ba8
TF		 2645dbfn_close(dbm);
2646
c99ce5c9 2647/* Store the result in the tree for future reference. */
870f6ba8 2648
c99ce5c9
TF		 2649t = store_get(sizeof(tree_node) + Ustrlen(key));
2650t->data.ptr = dbd;
2651Ustrcpy(t->name, key);
2652(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2653
2654/* We create the formatted version of the sender's rate very late in
2655order to ensure that it is done using the correct storage pool. */
2656
2657store_pool = old_pool;
2658sender_rate = string_sprintf("%.1f", dbd->rate);
2659
2660HDEBUG(D_acl)
2661 debug_printf("ratelimit computed rate %s\n", sender_rate);
2662
2663return rc;
2664}
2665
2666
2667
b0019c78
TF		 2668/*************************************************
2669* The udpsend ACL modifier *
2670*************************************************/
2671
2672/* Called by acl_check_condition() below.
2673
2674Arguments:
2675 arg the option string for udpsend=
2676 log_msgptr for error messages
2677
2678Returns: OK - Completed.
2679 DEFER - Problem with DNS lookup.
2680 ERROR - Syntax error in options.
2681*/
2682
2683static int
55414b25 2684acl_udpsend(const uschar *arg, uschar **log_msgptr)
b0019c78
TF		 2685{
2686int sep = 0;
2687uschar *hostname;
2688uschar *portstr;
2689uschar *portend;
2690host_item *h;
2691int portnum;
b0019c78
TF		 2692int len;
2693int r, s;
b1f8e4f8 2694uschar * errstr;
b0019c78
TF		 2695
2696hostname = string_nextinlist(&arg, &sep, NULL, 0);
2697portstr = string_nextinlist(&arg, &sep, NULL, 0);
2698
2699if (hostname == NULL)
2700 {
217b0e56 2701 *log_msgptr = US"missing destination host in \"udpsend\" modifier";
b0019c78
TF		 2702 return ERROR;
2703 }
2704if (portstr == NULL)
2705 {
217b0e56 2706 *log_msgptr = US"missing destination port in \"udpsend\" modifier";
b0019c78
TF		 2707 return ERROR;
2708 }
2709if (arg == NULL)
2710 {
217b0e56 2711 *log_msgptr = US"missing datagram payload in \"udpsend\" modifier";
b0019c78
TF		 2712 return ERROR;
2713 }
2714portnum = Ustrtol(portstr, &portend, 10);
2715if (*portend != '\0')
2716 {
217b0e56 2717 *log_msgptr = US"bad destination port in \"udpsend\" modifier";
b0019c78
TF		 2718 return ERROR;
2719 }
2720
2721/* Make a single-item host list. */
2722h = store_get(sizeof(host_item));
2723memset(h, 0, sizeof(host_item));
2724h->name = hostname;
2725h->port = portnum;
2726h->mx = MX_NONE;
2727
2728if (string_is_ip_address(hostname, NULL))
2729 h->address = hostname, r = HOST_FOUND;
2730else
2731 r = host_find_byname(h, NULL, 0, NULL, FALSE);
2732if (r == HOST_FIND_FAILED || r == HOST_FIND_AGAIN)
2733 {
217b0e56 2734 *log_msgptr = US"DNS lookup failed in \"udpsend\" modifier";
b0019c78
TF		 2735 return DEFER;
2736 }
2737
2738HDEBUG(D_acl)
2739 debug_printf("udpsend [%s]:%d %s\n", h->address, portnum, arg);
2740
b1f8e4f8
JH		 2741r = s = ip_connectedsocket(SOCK_DGRAM, h->address, portnum, portnum,
2742 1, NULL, &errstr);
b0019c78 2743if (r < 0) goto defer;
27f9999e 2744len = Ustrlen(arg);
9cb1785a 2745r = send(s, arg, len, 0);
b1f8e4f8
JH		 2746if (r < 0)
2747 {
2748 errstr = US strerror(errno);
2749 close(s);
2750 goto defer;
2751 }
2752close(s);
b0019c78
TF		 2753if (r < len)
2754 {
2755 *log_msgptr =
2756 string_sprintf("\"udpsend\" truncated from %d to %d octets", len, r);
2757 return DEFER;
2758 }
2759
2760HDEBUG(D_acl)
2761 debug_printf("udpsend %d bytes\n", r);
2762
2763return OK;
2764
2765defer:
b1f8e4f8 2766*log_msgptr = string_sprintf("\"udpsend\" failed: %s", errstr);
b0019c78
TF		 2767return DEFER;
2768}
2769
2770
2771
059ec3d9
PH		 2772/*************************************************
2773* Handle conditions/modifiers on an ACL item *
2774*************************************************/
2775
2776/* Called from acl_check() below.
2777
2778Arguments:
2779 verb ACL verb
2780 cb ACL condition block - if NULL, result is OK
2781 where where called from
2782 addr the address being checked for RCPT, or NULL
2783 level the nesting level
2784 epp pointer to pass back TRUE if "endpass" encountered
2785 (applies only to "accept" and "discard")
2786 user_msgptr user message pointer
2787 log_msgptr log message pointer
2788 basic_errno pointer to where to put verify error
2789
2790Returns: OK - all conditions are met
2791 DISCARD - an "acl" condition returned DISCARD - only allowed
2792 for "accept" or "discard" verbs
2793 FAIL - at least one condition fails
2794 FAIL_DROP - an "acl" condition returned FAIL_DROP
2795 DEFER - can't tell at the moment (typically, lookup defer,
2796 but can be temporary callout problem)
2797 ERROR - ERROR from nested ACL or expansion failure or other
2798 error
2799*/
2800
2801static int
2802acl_check_condition(int verb, acl_condition_block *cb, int where,
2803 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2804 uschar **log_msgptr, int *basic_errno)
2805{
2806uschar *user_message = NULL;
2807uschar *log_message = NULL;
059ec3d9 2808int rc = OK;
8523533c 2809#ifdef WITH_CONTENT_SCAN
0f0c8159 2810int sep = -'/';
8523533c 2811#endif
059ec3d9
PH		 2812
2813for (; cb != NULL; cb = cb->next)
2814 {
55414b25 2815 const uschar *arg;
8e669ac1 2816 int control_type;
059ec3d9
PH		 2817
2818 /* The message and log_message items set up messages to be used in
2819 case of rejection. They are expanded later. */
2820
2821 if (cb->type == ACLC_MESSAGE)
2822 {
187bc588 2823 HDEBUG(D_acl) debug_printf(" message: %s\n", cb->arg);
059ec3d9
PH		 2824 user_message = cb->arg;
2825 continue;
2826 }
2827
2828 if (cb->type == ACLC_LOG_MESSAGE)
2829 {
187bc588 2830 HDEBUG(D_acl) debug_printf("l_message: %s\n", cb->arg);
059ec3d9
PH		 2831 log_message = cb->arg;
2832 continue;
2833 }
2834
2835 /* The endpass "condition" just sets a flag to show it occurred. This is
2836 checked at compile time to be on an "accept" or "discard" item. */
2837
2838 if (cb->type == ACLC_ENDPASS)
2839 {
2840 *epp = TRUE;
2841 continue;
2842 }
2843
2844 /* For other conditions and modifiers, the argument is expanded now for some
2845 of them, but not for all, because expansion happens down in some lower level
2846 checking functions in some cases. */
2847
2d009132 2848 if (conditions[cb->type].expand_at_top)
059ec3d9
PH		 2849 {
2850 arg = expand_string(cb->arg);
2851 if (arg == NULL)
2852 {
2853 if (expand_string_forcedfail) continue;
2854 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2855 cb->arg, expand_string_message);
2856 return search_find_defer? DEFER : ERROR;
2857 }
2858 }
2859 else arg = cb->arg;
2860
2861 /* Show condition, and expanded condition if it's different */
2862
2863 HDEBUG(D_acl)
2864 {
2865 int lhswidth = 0;
2866 debug_printf("check %s%s %n",
2d009132
JH		 2867 (!conditions[cb->type].is_modifier && cb->u.negated)? "!":"",
2868 conditions[cb->type].name, &lhswidth);
059ec3d9
PH		 2869
2870 if (cb->type == ACLC_SET)
2871 {
38a0a95f
PH		 2872 debug_printf("acl_%s ", cb->u.varname);
2873 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2874 }
2875
2876 debug_printf("= %s\n", cb->arg);
2877
2878 if (arg != cb->arg)
2879 debug_printf("%.*s= %s\n", lhswidth,
2880 US" ", CS arg);
2881 }
2882
2883 /* Check that this condition makes sense at this time */
2884
2d009132 2885 if ((conditions[cb->type].forbids & (1 << where)) != 0)
059ec3d9
PH		 2886 {
2887 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2d009132
JH		 2888 conditions[cb->type].is_modifier ? "use" : "test",
2889 conditions[cb->type].name, acl_wherenames[where]);
059ec3d9
PH		 2890 return ERROR;
2891 }
2892
2893 /* Run the appropriate test for each condition, or take the appropriate
2894 action for the remaining modifiers. */
2895
2896 switch(cb->type)
2897 {
71fafd95
PH		 2898 case ACLC_ADD_HEADER:
2899 setup_header(arg);
2900 break;
2901
059ec3d9
PH		 2902 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2903 "discard" verb. */
71fafd95 2904
059ec3d9 2905 case ACLC_ACL:
f60d98e8 2906 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 2907 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2908 {
2909 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2910 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2911 verbs[verb]);
2912 return ERROR;
2913 }
059ec3d9
PH		 2914 break;
2915
2916 case ACLC_AUTHENTICATED:
2917 rc = (sender_host_authenticated == NULL)? FAIL :
2918 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2919 TRUE, NULL);
2920 break;
2921
71fafd95 2922 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2923 case ACLC_BMI_OPTIN:
2924 {
2925 int old_pool = store_pool;
2926 store_pool = POOL_PERM;
2927 bmi_current_optin = string_copy(arg);
2928 store_pool = old_pool;
2929 }
2930 break;
71fafd95 2931 #endif
8523533c 2932
059ec3d9 2933 case ACLC_CONDITION:
f3766eb5
NM		 2934 /* The true/false parsing here should be kept in sync with that used in
2935 expand.c when dealing with ECOND_BOOL so that we don't have too many
2936 different definitions of what can be a boolean. */
51c7471d
JH		 2937 if (*arg == '-'
2938 ? Ustrspn(arg+1, "0123456789") == Ustrlen(arg+1) /* Negative number */
2939 : Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
059ec3d9
PH		 2940 rc = (Uatoi(arg) == 0)? FAIL : OK;
2941 else
2942 rc = (strcmpic(arg, US"no") == 0 ||
2943 strcmpic(arg, US"false") == 0)? FAIL :
2944 (strcmpic(arg, US"yes") == 0 ||
2945 strcmpic(arg, US"true") == 0)? OK : DEFER;
2946 if (rc == DEFER)
2947 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2948 break;
2949
c3611384
PH		 2950 case ACLC_CONTINUE: /* Always succeeds */
2951 break;
2952
059ec3d9 2953 case ACLC_CONTROL:
c5fcb476 2954 {
55414b25
JH		 2955 const uschar *p = NULL;
2956 control_type = decode_control(arg, &p, where, log_msgptr);
4840604e 2957
55414b25 2958 /* Check if this control makes sense at this time */
f7572e5a 2959
d7bed771 2960 if (controls_list[control_type].forbids & (1 << where))
55414b25
JH		 2961 {
2962 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
d7bed771 2963 controls_list[control_type].name, acl_wherenames[where]);
55414b25
JH		 2964 return ERROR;
2965 }
8800895a 2966
55414b25
JH		 2967 switch(control_type)
2968 {
2969 case CONTROL_AUTH_UNADVERTISED:
2970 allow_auth_unadvertised = TRUE;
2971 break;
2972
2973 #ifdef EXPERIMENTAL_BRIGHTMAIL
2974 case CONTROL_BMI_RUN:
2975 bmi_run = 1;
2976 break;
2977 #endif
2978
2979 #ifndef DISABLE_DKIM
2980 case CONTROL_DKIM_VERIFY:
2981 dkim_disable_verify = TRUE;
2982 #ifdef EXPERIMENTAL_DMARC
2983 /* Since DKIM was blocked, skip DMARC too */
2984 dmarc_disable_verify = TRUE;
2985 dmarc_enable_forensic = FALSE;
2986 #endif
2987 break;
2988 #endif
2989
2990 #ifdef EXPERIMENTAL_DMARC
2991 case CONTROL_DMARC_VERIFY:
2992 dmarc_disable_verify = TRUE;
2993 break;
2994
2995 case CONTROL_DMARC_FORENSIC:
2996 dmarc_enable_forensic = TRUE;
2997 break;
2998 #endif
2999
3000 case CONTROL_DSCP:
3001 if (*p == '/')
3002 {
3003 int fd, af, level, optname, value;
3004 /* If we are acting on stdin, the setsockopt may fail if stdin is not
3005 a socket; we can accept that, we'll just debug-log failures anyway. */
3006 fd = fileno(smtp_in);
3007 af = ip_get_address_family(fd);
3008 if (af < 0)
3009 {
3010 HDEBUG(D_acl)
3011 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
3012 strerror(errno));
3013 break;
3014 }
3015 if (dscp_lookup(p+1, af, &level, &optname, &value))
3016 {
3017 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
3018 {
3019 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
3020 p+1, strerror(errno));
3021 }
3022 else
3023 {
3024 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
3025 }
3026 }
3027 else
3028 {
3029 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
3030 return ERROR;
3031 }
3032 }
3033 else
3034 {
3035 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3036 return ERROR;
3037 }
3038 break;
3039
3040 case CONTROL_ERROR:
3041 return ERROR;
3042
3043 case CONTROL_CASEFUL_LOCAL_PART:
3044 deliver_localpart = addr->cc_local_part;
3045 break;
3046
3047 case CONTROL_CASELOWER_LOCAL_PART:
3048 deliver_localpart = addr->lc_local_part;
3049 break;
3050
3051 case CONTROL_ENFORCE_SYNC:
3052 smtp_enforce_sync = TRUE;
3053 break;
3054
3055 case CONTROL_NO_ENFORCE_SYNC:
3056 smtp_enforce_sync = FALSE;
3057 break;
3058
3059 #ifdef WITH_CONTENT_SCAN
3060 case CONTROL_NO_MBOX_UNSPOOL:
3061 no_mbox_unspool = TRUE;
3062 break;
3063 #endif
3064
3065 case CONTROL_NO_MULTILINE:
3066 no_multiline_responses = TRUE;
3067 break;
3068
3069 case CONTROL_NO_PIPELINING:
3070 pipelining_enable = FALSE;
3071 break;
3072
3073 case CONTROL_NO_DELAY_FLUSH:
3074 disable_delay_flush = TRUE;
3075 break;
3076
3077 case CONTROL_NO_CALLOUT_FLUSH:
3078 disable_callout_flush = TRUE;
3079 break;
3080
3081 case CONTROL_FAKEREJECT:
3082 cancel_cutthrough_connection("fakereject");
3083 case CONTROL_FAKEDEFER:
3084 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
3085 if (*p == '/')
3086 {
3087 const uschar *pp = p + 1;
3088 while (*pp != 0) pp++;
3089 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
3090 p = pp;
3091 }
3092 else
3093 {
3094 /* Explicitly reset to default string */
3095 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
3096 }
3097 break;
ed7f7860 3098
55414b25
JH		 3099 case CONTROL_FREEZE:
3100 deliver_freeze = TRUE;
3101 deliver_frozen_at = time(NULL);
3102 freeze_tell = freeze_tell_config; /* Reset to configured value */
3103 if (Ustrncmp(p, "/no_tell", 8) == 0)
3104 {
3105 p += 8;
3106 freeze_tell = NULL;
3107 }
3108 if (*p != 0)
3109 {
3110 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3111 return ERROR;
3112 }
3113 cancel_cutthrough_connection("item frozen");
3114 break;
3115
3116 case CONTROL_QUEUE_ONLY:
3117 queue_only_policy = TRUE;
3118 cancel_cutthrough_connection("queueing forced");
3119 break;
3120
3121 case CONTROL_SUBMISSION:
3122 originator_name = US"";
3123 submission_mode = TRUE;
3124 while (*p == '/')
3125 {
3126 if (Ustrncmp(p, "/sender_retain", 14) == 0)
3127 {
3128 p += 14;
3129 active_local_sender_retain = TRUE;
3130 active_local_from_check = FALSE;
3131 }
3132 else if (Ustrncmp(p, "/domain=", 8) == 0)
3133 {
3134 const uschar *pp = p + 8;
3135 while (*pp != 0 && *pp != '/') pp++;
3136 submission_domain = string_copyn(p+8, pp-p-8);
3137 p = pp;
3138 }
3139 /* The name= option must be last, because it swallows the rest of
3140 the string. */
3141 else if (Ustrncmp(p, "/name=", 6) == 0)
3142 {
3143 const uschar *pp = p + 6;
3144 while (*pp != 0) pp++;
3145 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
3146 big_buffer, big_buffer_size));
3147 p = pp;
3148 }
3149 else break;
3150 }
3151 if (*p != 0)
3152 {
3153 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
3154 return ERROR;
3155 }
3156 break;
e4bdf652 3157
55414b25 3158 case CONTROL_DEBUG:
55414b25 3159 {
b0d68adc
JH		 3160 uschar * debug_tag = NULL;
3161 uschar * debug_opts = NULL;
3162 BOOL kill = FALSE;
3163
3164 while (*p == '/')
55414b25 3165 {
b0d68adc
JH		 3166 const uschar * pp = p+1;
3167 if (Ustrncmp(pp, "tag=", 4) == 0)
3168 {
3169 for (pp += 4; *pp && *pp != '/';) pp++;
3170 debug_tag = string_copyn(p+5, pp-p-5);
3171 }
3172 else if (Ustrncmp(pp, "opts=", 5) == 0)
3173 {
3174 for (pp += 5; *pp && *pp != '/';) pp++;
3175 debug_opts = string_copyn(p+6, pp-p-6);
3176 }
3177 else if (Ustrncmp(pp, "kill", 4) == 0)
3178 {
3179 for (pp += 4; *pp && *pp != '/';) pp++;
3180 kill = TRUE;
3181 }
3182 else
3183 while (*pp && *pp != '/') pp++;
55414b25
JH		 3184 p = pp;
3185 }
b0d68adc
JH		 3186
3187 if (kill)
3188 debug_logging_stop();
3189 else
3190 debug_logging_activate(debug_tag, debug_opts);
55414b25 3191 }
55414b25
JH		 3192 break;
3193
3194 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3195 suppress_local_fixups = TRUE;
3196 break;
3197
3198 case CONTROL_CUTTHROUGH_DELIVERY:
a2b89db1 3199#ifndef DISABLE_PRDR
55414b25 3200 if (prdr_requested)
a2b89db1
PP		 3201#else
3202 if (0)
3203#endif
55414b25
JH		 3204 /* Too hard to think about for now. We might in future cutthrough
3205 the case where both sides handle prdr and this-node prdr acl
3206 is "accept" */
93a6fce2 3207 *log_msgptr = string_sprintf("PRDR on %s reception\n", arg);
5032d1cf
JH		 3208 else
3209 {
55414b25
JH		 3210 if (deliver_freeze)
3211 *log_msgptr = US"frozen";
3212 else if (queue_only_policy)
3213 *log_msgptr = US"queue-only";
3214 else if (fake_response == FAIL)
3215 *log_msgptr = US"fakereject";
3216 else
3217 {
ff5929e3
JH		 3218 if (rcpt_count == 1)
3219 {
3220 cutthrough.delivery = TRUE;
3221 while (*p == '/')
3222 {
3223 const uschar * pp = p+1;
3224 if (Ustrncmp(pp, "defer=", 6) == 0)
3225 {
3226 pp += 6;
3227 if (Ustrncmp(pp, "pass", 4) == 0) cutthrough.defer_pass = TRUE;
3228 /* else if (Ustrncmp(pp, "spool") == 0) ; default */
3229 }
3230 else
3231 while (*pp && *pp != '/') pp++;
3232 p = pp;
3233 }
3234 }
55414b25
JH		 3235 break;
3236 }
3237 *log_msgptr = string_sprintf("\"control=%s\" on %s item",
3238 arg, *log_msgptr);
5032d1cf 3239 }
55414b25 3240 return ERROR;
3c8b3577 3241
8c5d388a 3242#ifdef SUPPORT_I18N
3c8b3577
JH		 3243 case CONTROL_UTF8_DOWNCONVERT:
3244 if (*p == '/')
3245 {
921dfc11
JH		 3246 if (p[1] == '1')
3247 {
3248 message_utf8_downconvert = 1;
3249 addr->prop.utf8_downcvt = TRUE;
3250 addr->prop.utf8_downcvt_maybe = FALSE;
3251 p += 2;
3252 break;
3253 }
3254 if (p[1] == '0')
3255 {
3256 message_utf8_downconvert = 0;
3257 addr->prop.utf8_downcvt = FALSE;
3258 addr->prop.utf8_downcvt_maybe = FALSE;
3259 p += 2;
3260 break;
3261 }
3c8b3577 3262 if (p[1] == '-' && p[2] == '1')
921dfc11
JH		 3263 {
3264 message_utf8_downconvert = -1;
3265 addr->prop.utf8_downcvt = FALSE;
3266 addr->prop.utf8_downcvt_maybe = TRUE;
3267 p += 3;
3268 break;
3269 }
3c8b3577
JH		 3270 *log_msgptr = US"bad option value for control=utf8_downconvert";
3271 }
3272 else
3273 {
921dfc11
JH		 3274 message_utf8_downconvert = 1;
3275 addr->prop.utf8_downcvt = TRUE;
3276 addr->prop.utf8_downcvt_maybe = FALSE;
3277 break;
3c8b3577
JH		 3278 }
3279 return ERROR;
8c5d388a 3280#endif
3c8b3577 3281
9171d434 3282 }
55414b25 3283 break;
059ec3d9 3284 }
059ec3d9 3285
6a8f9482
TK		 3286 #ifdef EXPERIMENTAL_DCC
3287 case ACLC_DCC:
3288 {
3289 /* Seperate the regular expression and any optional parameters. */
55414b25
JH		 3290 const uschar * list = arg;
3291 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
6a8f9482
TK		 3292 /* Run the dcc backend. */
3293 rc = dcc_process(&ss);
3294 /* Modify return code based upon the existance of options. */
3c8b3577 3295 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
6a8f9482 3296 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3c8b3577 3297 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
6a8f9482
TK		 3298 }
3299 break;
3300 #endif
3301
71fafd95 3302 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3303 case ACLC_DECODE:
3304 rc = mime_decode(&arg);
3305 break;
71fafd95 3306 #endif
8523533c 3307
059ec3d9
PH		 3308 case ACLC_DELAY:
3309 {
3310 int delay = readconf_readtime(arg, 0, FALSE);
3311 if (delay < 0)
3312 {
3313 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3314 "modifier: \"%s\" is not a time value", arg);
3315 return ERROR;
3316 }
3317 else
3318 {
3319 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3320 delay);
3321 if (host_checking)
3322 {
3323 HDEBUG(D_acl)
3324 debug_printf("delay skipped in -bh checking mode\n");
3325 }
010c2d14 3326
ae9d18bc
JH		 3327 /* NOTE 1: Remember that we may be
3328 dealing with stdin/stdout here, in addition to TCP/IP connections.
3329 Also, delays may be specified for non-SMTP input, where smtp_out and
3330 smtp_in will be NULL. Whatever is done must work in all cases.
3331
3332 NOTE 2: The added feature of flushing the output before a delay must
3333 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3334 */
3335
3336 else
3337 {
3338 if (smtp_out != NULL && !disable_delay_flush)
3339 mac_smtp_fflush();
3340
861a7c51 3341#if !defined(NO_POLL_H) && defined (POLLRDHUP)
ae9d18bc
JH		 3342 {
3343 struct pollfd p;
3344 nfds_t n = 0;
3345 if (smtp_out)
3346 {
3347 p.fd = fileno(smtp_out);
3348 p.events = POLLRDHUP;
3349 n = 1;
3350 }
3351 if (poll(&p, n, delay*1000) > 0)
3352 HDEBUG(D_acl) debug_printf("delay cancelled by peer close\n");
3353 }
3354#else
010c2d14
PH		 3355 /* It appears to be impossible to detect that a TCP/IP connection has
3356 gone away without reading from it. This means that we cannot shorten
3357 the delay below if the client goes away, because we cannot discover
3358 that the client has closed its end of the connection. (The connection
3359 is actually in a half-closed state, waiting for the server to close its
3360 end.) It would be nice to be able to detect this state, so that the
3361 Exim process is not held up unnecessarily. However, it seems that we
3362 can't. The poll() function does not do the right thing, and in any case
3363 it is not always available.
047bdd8c 3364 */
010c2d14 3365
86b8287f 3366 while (delay > 0) delay = sleep(delay);
ae9d18bc 3367#endif
8e669ac1 3368 }
059ec3d9
PH		 3369 }
3370 }
3371 break;
3372
80a47a2c
TK		 3373 #ifndef DISABLE_DKIM
3374 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3375 if (dkim_cur_signer != NULL)
3376 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3377 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3378 else
b0b9dbb1 3379 rc = FAIL;
71fafd95
PH		 3380 break;
3381
80a47a2c
TK		 3382 case ACLC_DKIM_STATUS:
3383 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3384 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3385 break;
3386 #endif
fb2274d4 3387
4840604e
TL		 3388 #ifdef EXPERIMENTAL_DMARC
3389 case ACLC_DMARC_STATUS:
4a8ce2d8 3390 if (!dmarc_has_been_checked)
4840604e 3391 dmarc_process();
4a8ce2d8 3392 dmarc_has_been_checked = TRUE;
4840604e
TL		 3393 /* used long way of dmarc_exim_expand_query() in case we need more
3394 * view into the process in the future. */
3395 rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
3396 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
3397 break;
3398 #endif
3399
059ec3d9 3400 case ACLC_DNSLISTS:
379ba7d0 3401 rc = verify_check_dnsbl(where, &arg, log_msgptr);
059ec3d9
PH		 3402 break;
3403
3404 case ACLC_DOMAINS:
3405 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
55414b25 3406 addr->domain_cache, MCL_DOMAIN, TRUE, CUSS &deliver_domain_data);
059ec3d9
PH		 3407 break;
3408
3409 /* The value in tls_cipher is the full cipher name, for example,
3410 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3411 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3412 what may in practice come out of the SSL library - which at the time of
3413 writing is poorly documented. */
3414
3415 case ACLC_ENCRYPTED:
817d9f57 3416 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3417 {
3418 uschar *endcipher = NULL;
817d9f57
JH		 3419 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3420 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3421 {
3422 endcipher = Ustrchr(++cipher, ':');
3423 if (endcipher != NULL) *endcipher = 0;
3424 }
3425 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3426 if (endcipher != NULL) *endcipher = ':';
3427 }
3428 break;
3429
3430 /* Use verify_check_this_host() instead of verify_check_host() so that
3431 we can pass over &host_data to catch any looked up data. Once it has been
3432 set, it retains its value so that it's still there if another ACL verb
3433 comes through here and uses the cache. However, we must put it into
3434 permanent store in case it is also expected to be used in a subsequent
3435 message in the same SMTP connection. */
3436
3437 case ACLC_HOSTS:
3438 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
55414b25
JH		 3439 (sender_host_address == NULL)? US"" : sender_host_address,
3440 CUSS &host_data);
4a452c43
JH		 3441 if (rc == DEFER) *log_msgptr = search_error_message;
3442 if (host_data) host_data = string_copy_malloc(host_data);
059ec3d9
PH		 3443 break;
3444
3445 case ACLC_LOCAL_PARTS:
3446 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3447 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
55414b25 3448 CUSS &deliver_localpart_data);
059ec3d9
PH		 3449 break;
3450
6ea85e9a
PH		 3451 case ACLC_LOG_REJECT_TARGET:
3452 {
3453 int logbits = 0;
3454 int sep = 0;
55414b25 3455 const uschar *s = arg;
6ea85e9a 3456 uschar *ss;
4a452c43 3457 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size)))
6ea85e9a
PH		 3458 {
3459 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3460 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3461 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3462 else
3463 {
3464 logbits |= LOG_MAIN|LOG_REJECT;
3465 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3466 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3467 }
3468 }
3469 log_reject_target = logbits;
3470 }
3471 break;
3472
059ec3d9
PH		 3473 case ACLC_LOGWRITE:
3474 {
3475 int logbits = 0;
55414b25 3476 const uschar *s = arg;
059ec3d9
PH		 3477 if (*s == ':')
3478 {
3479 s++;
3480 while (*s != ':')
3481 {
3482 if (Ustrncmp(s, "main", 4) == 0)
3483 { logbits |= LOG_MAIN; s += 4; }
3484 else if (Ustrncmp(s, "panic", 5) == 0)
3485 { logbits |= LOG_PANIC; s += 5; }
3486 else if (Ustrncmp(s, "reject", 6) == 0)
3487 { logbits |= LOG_REJECT; s += 6; }
3488 else
3489 {
3490 logbits = LOG_MAIN|LOG_PANIC;
3491 s = string_sprintf(":unknown log name in \"%s\" in "
3492 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3493 }
3494 if (*s == ',') s++;
3495 }
3496 s++;
3497 }
3498 while (isspace(*s)) s++;
6ea85e9a
PH		 3499
3500
059ec3d9
PH		 3501 if (logbits == 0) logbits = LOG_MAIN;
3502 log_write(0, logbits, "%s", string_printing(s));
3503 }
3504 break;
8e669ac1 3505
71fafd95 3506 #ifdef WITH_CONTENT_SCAN
0f0c8159 3507 case ACLC_MALWARE: /* Run the malware backend. */
8523533c 3508 {
6ea85e9a 3509 /* Separate the regular expression and any optional parameters. */
55414b25
JH		 3510 const uschar * list = arg;
3511 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
0f0c8159
JH		 3512 uschar *opt;
3513 BOOL defer_ok = FALSE;
3514 int timeout = 0;
3515
55414b25 3516 while ((opt = string_nextinlist(&list, &sep, NULL, 0)))
0f0c8159
JH		 3517 if (strcmpic(opt, US"defer_ok") == 0)
3518 defer_ok = TRUE;
3519 else if ( strncmpic(opt, US"tmo=", 4) == 0
3520 && (timeout = readconf_readtime(opt+4, '\0', FALSE)) < 0
3521 )
3522 {
3523 *log_msgptr = string_sprintf("bad timeout value in '%s'", opt);
3524 return ERROR;
3525 }
3526
3527 rc = malware(ss, timeout);
3528 if (rc == DEFER && defer_ok)
3529 rc = FAIL; /* FAIL so that the message is passed to the next ACL */
8523533c
TK		 3530 }
3531 break;
3532
3533 case ACLC_MIME_REGEX:
71fafd95 3534 rc = mime_regex(&arg);
8523533c 3535 break;
71fafd95 3536 #endif
059ec3d9 3537
b0b9dbb1
JH		 3538 case ACLC_QUEUE:
3539 queue_name = string_copy_malloc(arg);
3540 break;
3541
870f6ba8 3542 case ACLC_RATELIMIT:
90fc3069 3543 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3544 break;
3545
059ec3d9 3546 case ACLC_RECIPIENTS:
55414b25
JH		 3547 rc = match_address_list((const uschar *)addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3548 CUSS &recipient_data);
059ec3d9
PH		 3549 break;
3550
71fafd95
PH		 3551 #ifdef WITH_CONTENT_SCAN
3552 case ACLC_REGEX:
3553 rc = regex(&arg);
8523533c 3554 break;
71fafd95 3555 #endif
8523533c 3556
e7568d51
TL		 3557 case ACLC_REMOVE_HEADER:
3558 setup_remove_header(arg);
3559 break;
3560
059ec3d9
PH		 3561 case ACLC_SENDER_DOMAINS:
3562 {
3563 uschar *sdomain;
3564 sdomain = Ustrrchr(sender_address, '@');
3565 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3566 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3567 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3568 }
3569 break;
3570
3571 case ACLC_SENDERS:
55414b25
JH		 3572 rc = match_address_list((const uschar *)sender_address, TRUE, TRUE, &arg,
3573 sender_address_cache, -1, 0, CUSS &sender_data);
059ec3d9
PH		 3574 break;
3575
3576 /* Connection variables must persist forever */
3577
3578 case ACLC_SET:
3579 {
3580 int old_pool = store_pool;
5ef5dd52 3581 if ( cb->u.varname[0] == 'c'
0cbf2b82 3582#ifndef DISABLE_EVENT
5ef5dd52
JB		 3583 || event_name /* An event is being delivered */
3584#endif
3585 )
3586 store_pool = POOL_PERM;
38a0a95f 3587 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3588 store_pool = old_pool;
3589 }
3590 break;
3591
71fafd95 3592 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3593 case ACLC_SPAM:
3594 {
3595 /* Seperate the regular expression and any optional parameters. */
55414b25
JH		 3596 const uschar * list = arg;
3597 uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
8523533c 3598 /* Run the spam backend. */
55414b25 3599 rc = spam(CUSS &ss);
8523533c 3600 /* Modify return code based upon the existance of options. */
55414b25 3601 while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
8523533c
TK		 3602 != NULL) {
3603 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3604 {
3605 /* FAIL so that the message is passed to the next ACL */
3606 rc = FAIL;
3607 }
3608 }
3609 }
3610 break;
71fafd95 3611 #endif
8523533c 3612
71fafd95 3613 #ifdef EXPERIMENTAL_SPF
8523533c 3614 case ACLC_SPF:
65a7d8c3
NM		 3615 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3616 break;
3617 case ACLC_SPF_GUESS:
3618 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3619 break;
71fafd95 3620 #endif
8523533c 3621
b0019c78
TF		 3622 case ACLC_UDPSEND:
3623 rc = acl_udpsend(arg, log_msgptr);
3624 break;
3625
059ec3d9
PH		 3626 /* If the verb is WARN, discard any user message from verification, because
3627 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3628 only from explicit "message" modifiers. However, put the user message into
3629 $acl_verify_message so it can be used in subsequent conditions or modifiers
3630 (until something changes it). */
059ec3d9
PH		 3631
3632 case ACLC_VERIFY:
3633 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
3703d818
JH		 3634 if (*user_msgptr)
3635 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3636 if (verb == ACL_WARN) *user_msgptr = NULL;
3637 break;
3638
3639 default:
3640 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3641 "condition %d", cb->type);
3642 break;
3643 }
3644
3645 /* If a condition was negated, invert OK/FAIL. */
3646
2d009132 3647 if (!conditions[cb->type].is_modifier && cb->u.negated)
059ec3d9 3648 if (rc == OK) rc = FAIL;
2d009132 3649 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
059ec3d9
PH		 3650
3651 if (rc != OK) break; /* Conditions loop */
3652 }
3653
3654
3655/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3656handle the values of these modifiers. If there isn't a log message set, we make
3657it the same as the user message.
059ec3d9
PH		 3658
3659"message" is a user message that will be included in an SMTP response. Unless
3660it is empty, it overrides any previously set user message.
3661
3662"log_message" is a non-user message, and it adds to any existing non-user
3663message that is already set.
3664
4e88a19f
PH		 3665Most verbs have but a single return for which the messages are relevant, but
3666for "discard", it's useful to have the log message both when it succeeds and
3667when it fails. For "accept", the message is used in the OK case if there is no
3668"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3669present. */
059ec3d9 3670
4e88a19f
PH		 3671if (*epp && rc == OK) user_message = NULL;
3672
3673if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3674 {
3675 uschar *expmessage;
4e88a19f
PH		 3676 uschar *old_user_msgptr = *user_msgptr;
3677 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3678
3679 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3680 nested ACLs) are always discarded. This also happens for acceptance verbs
3681 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3682 However, the value of an existing message is available in $acl_verify_message
3683 during expansions. */
3684
4e88a19f
PH		 3685 if (verb == ACL_WARN ||
3686 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3687 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3688
3689 if (user_message != NULL)
3690 {
3691 acl_verify_message = old_user_msgptr;
3692 expmessage = expand_string(user_message);
3693 if (expmessage == NULL)
3694 {
3695 if (!expand_string_forcedfail)
3696 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3697 user_message, expand_string_message);
3698 }
3699 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3700 }
3701
3702 if (log_message != NULL)
3703 {
3704 acl_verify_message = old_log_msgptr;
3705 expmessage = expand_string(log_message);
3706 if (expmessage == NULL)
3707 {
3708 if (!expand_string_forcedfail)
3709 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3710 log_message, expand_string_message);
3711 }
3712 else if (expmessage[0] != 0)
3713 {
3714 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3715 string_sprintf("%s: %s", expmessage, *log_msgptr);
3716 }
3717 }
3718
3719 /* If no log message, default it to the user message */
3720
3721 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3722 }
3723
3724acl_verify_message = NULL;
3725return rc;
3726}
3727
3728
3729
3730
3731
3732/*************************************************
3733* Get line from a literal ACL *
3734*************************************************/
3735
3736/* This function is passed to acl_read() in order to extract individual lines
3737of a literal ACL, which we access via static pointers. We can destroy the
3738contents because this is called only once (the compiled ACL is remembered).
3739
3740This code is intended to treat the data in the same way as lines in the main
3741Exim configuration file. That is:
3742
3743 . Leading spaces are ignored.
3744
3745 . A \ at the end of a line is a continuation - trailing spaces after the \
3746 are permitted (this is because I don't believe in making invisible things
3747 significant). Leading spaces on the continued part of a line are ignored.
3748
3749 . Physical lines starting (significantly) with # are totally ignored, and
3750 may appear within a sequence of backslash-continued lines.
3751
3752 . Blank lines are ignored, but will end a sequence of continuations.
3753
3754Arguments: none
3755Returns: a pointer to the next line
3756*/
3757
3758
3759static uschar *acl_text; /* Current pointer in the text */
3760static uschar *acl_text_end; /* Points one past the terminating '0' */
3761
3762
3763static uschar *
3764acl_getline(void)
3765{
3766uschar *yield;
3767
3768/* This loop handles leading blank lines and comments. */
3769
3770for(;;)
3771 {
3772 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3773 if (*acl_text == 0) return NULL; /* No more data */
3774 yield = acl_text; /* Potential data line */
3775
3776 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3777
3778 /* If we hit the end before a newline, we have the whole logical line. If
3779 it's a comment, there's no more data to be given. Otherwise, yield it. */
3780
3781 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3782
3783 /* After reaching a newline, end this loop if the physical line does not
3784 start with '#'. If it does, it's a comment, and the loop continues. */
3785
3786 if (*yield != '#') break;
3787 }
3788
3789/* This loop handles continuations. We know we have some real data, ending in
3790newline. See if there is a continuation marker at the end (ignoring trailing
3791white space). We know that *yield is not white space, so no need to test for
3792cont > yield in the backwards scanning loop. */
3793
3794for(;;)
3795 {
3796 uschar *cont;
3797 for (cont = acl_text - 1; isspace(*cont); cont--);
3798
3799 /* If no continuation follows, we are done. Mark the end of the line and
3800 return it. */
3801
3802 if (*cont != '\\')
3803 {
3804 *acl_text++ = 0;
3805 return yield;
3806 }
3807
3808 /* We have encountered a continuation. Skip over whitespace at the start of
3809 the next line, and indeed the whole of the next line or lines if they are
3810 comment lines. */
3811
3812 for (;;)
3813 {
3814 while (*(++acl_text) == ' ' || *acl_text == '\t');
3815 if (*acl_text != '#') break;
3816 while (*(++acl_text) != 0 && *acl_text != '\n');
3817 }
3818
3819 /* We have the start of a continuation line. Move all the rest of the data
3820 to join onto the previous line, and then find its end. If the end is not a
3821 newline, we are done. Otherwise loop to look for another continuation. */
3822
3823 memmove(cont, acl_text, acl_text_end - acl_text);
3824 acl_text_end -= acl_text - cont;
3825 acl_text = cont;
3826 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3827 if (*acl_text == 0) return yield;
3828 }
3829
3830/* Control does not reach here */
3831}
3832
3833
3834
3835
3836
3837/*************************************************
3838* Check access using an ACL *
3839*************************************************/
3840
3841/* This function is called from address_check. It may recurse via
3842acl_check_condition() - hence the use of a level to stop looping. The ACL is
3843passed as a string which is expanded. A forced failure implies no access check
3844is required. If the result is a single word, it is taken as the name of an ACL
3845which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3846text, complete with newlines, and parsed as such. In both cases, the ACL check
3847is then run. This function uses an auxiliary function for acl_read() to call
3848for reading individual lines of a literal ACL. This is acl_getline(), which
3849appears immediately above.
3850
3851Arguments:
3852 where where called from
3853 addr address item when called from RCPT; otherwise NULL
3854 s the input string; NULL is the same as an empty ACL => DENY
3855 level the nesting level
3856 user_msgptr where to put a user error (for SMTP response)
3857 log_msgptr where to put a logging message (not for SMTP response)
3858
3859Returns: OK access is granted
3860 DISCARD access is apparently granted...
3861 FAIL access is denied
3862 FAIL_DROP access is denied; drop the connection
3863 DEFER can't tell at the moment
3864 ERROR disaster
3865*/
3866
3867static int
3868acl_check_internal(int where, address_item *addr, uschar *s, int level,
3869 uschar **user_msgptr, uschar **log_msgptr)
3870{
3871int fd = -1;
3872acl_block *acl = NULL;
3873uschar *acl_name = US"inline ACL";
3874uschar *ss;
3875
3876/* Catch configuration loops */
3877
3878if (level > 20)
3879 {
3880 *log_msgptr = US"ACL nested too deep: possible loop";
3881 return ERROR;
3882 }
3883
3884if (s == NULL)
3885 {
3886 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3887 return FAIL;
3888 }
3889
3890/* At top level, we expand the incoming string. At lower levels, it has already
3891been expanded as part of condition processing. */
3892
3893if (level == 0)
3894 {
3895 ss = expand_string(s);
3896 if (ss == NULL)
3897 {
3898 if (expand_string_forcedfail) return OK;
3899 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3900 expand_string_message);
3901 return ERROR;
3902 }
3903 }
3904else ss = s;
3905
3906while (isspace(*ss))ss++;
3907
3908/* If we can't find a named ACL, the default is to parse it as an inline one.
3909(Unless it begins with a slash; non-existent files give rise to an error.) */
3910
3911acl_text = ss;
3912
3913/* Handle the case of a string that does not contain any spaces. Look for a
3914named ACL among those read from the configuration, or a previously read file.
3915It is possible that the pointer to the ACL is NULL if the configuration
3916contains a name with no data. If not found, and the text begins with '/',
3917read an ACL from a file, and save it so it can be re-used. */
3918
3919if (Ustrchr(ss, ' ') == NULL)
3920 {
3921 tree_node *t = tree_search(acl_anchor, ss);
3922 if (t != NULL)
3923 {
3924 acl = (acl_block *)(t->data.ptr);
3925 if (acl == NULL)
3926 {
3927 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3928 return FAIL;
3929 }
3930 acl_name = string_sprintf("ACL \"%s\"", ss);
3931 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3932 }
3933
3934 else if (*ss == '/')
3935 {
3936 struct stat statbuf;
3937 fd = Uopen(ss, O_RDONLY, 0);
3938 if (fd < 0)
3939 {
3940 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3941 strerror(errno));
3942 return ERROR;
3943 }
3944
3945 if (fstat(fd, &statbuf) != 0)
3946 {
3947 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3948 strerror(errno));
3949 return ERROR;
3950 }
3951
3952 acl_text = store_get(statbuf.st_size + 1);
3953 acl_text_end = acl_text + statbuf.st_size + 1;
3954
3955 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3956 {
3957 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3958 ss, strerror(errno));
3959 return ERROR;
3960 }
3961 acl_text[statbuf.st_size] = 0;
f1e894f3 3962 (void)close(fd);
059ec3d9
PH		 3963
3964 acl_name = string_sprintf("ACL \"%s\"", ss);
3965 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3966 }
3967 }
3968
3969/* Parse an ACL that is still in text form. If it came from a file, remember it
3970in the ACL tree, having read it into the POOL_PERM store pool so that it
3971persists between multiple messages. */
3972
3973if (acl == NULL)
3974 {
3975 int old_pool = store_pool;
3976 if (fd >= 0) store_pool = POOL_PERM;
3977 acl = acl_read(acl_getline, log_msgptr);
3978 store_pool = old_pool;
3979 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3980 if (fd >= 0)
3981 {
3982 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3983 Ustrcpy(t->name, ss);
3984 t->data.ptr = acl;
3985 (void)tree_insertnode(&acl_anchor, t);
3986 }
3987 }
3988
3989/* Now we have an ACL to use. It's possible it may be NULL. */
3990
3991while (acl != NULL)
3992 {
3993 int cond;
3994 int basic_errno = 0;
3995 BOOL endpass_seen = FALSE;
82c0c8ea
JH		 3996 BOOL acl_quit_check = level == 0
3997 && (where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT);
059ec3d9
PH		 3998
3999 *log_msgptr = *user_msgptr = NULL;
4000 acl_temp_details = FALSE;
4001
059ec3d9
PH		 4002 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
4003
4004 /* Clear out any search error message from a previous check before testing
4005 this condition. */
4006
4007 search_error_message = NULL;
4008 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
4009 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
4010
4011 /* Handle special returns: DEFER causes a return except on a WARN verb;
4012 ERROR always causes a return. */
4013
4014 switch (cond)
4015 {
4016 case DEFER:
6968512f 4017 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4018 if (basic_errno != ERRNO_CALLOUTDEFER)
4019 {
4020 if (search_error_message != NULL && *search_error_message != 0)
4021 *log_msgptr = search_error_message;
4022 if (smtp_return_error_details) acl_temp_details = TRUE;
4023 }
4024 else
4025 {
4026 acl_temp_details = TRUE;
4027 }
4028 if (acl->verb != ACL_WARN) return DEFER;
4029 break;
4030
4031 default: /* Paranoia */
4032 case ERROR:
6968512f 4033 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4034 return ERROR;
4035
4036 case OK:
6968512f
JH		 4037 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
4038 verbs[acl->verb], acl_name);
059ec3d9
PH		 4039 break;
4040
4041 case FAIL:
6968512f 4042 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 4043 break;
4044
4045 /* DISCARD and DROP can happen only from a nested ACL condition, and
4046 DISCARD can happen only for an "accept" or "discard" verb. */
4047
4048 case DISCARD:
6968512f
JH		 4049 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
4050 verbs[acl->verb], acl_name);
059ec3d9
PH		 4051 break;
4052
4053 case FAIL_DROP:
6968512f
JH		 4054 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
4055 verbs[acl->verb], acl_name);
059ec3d9
PH		 4056 break;
4057 }
4058
4059 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
4060 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
4061 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
4062
4063 switch(acl->verb)
4064 {
4065 case ACL_ACCEPT:
a7538db1
JH		 4066 if (cond == OK || cond == DISCARD)
4067 {
4068 HDEBUG(D_acl) debug_printf("end of %s: ACCEPT\n", acl_name);
4069 return cond;
4070 }
059ec3d9
PH		 4071 if (endpass_seen)
4072 {
4073 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
4074 return cond;
4075 }
4076 break;
4077
4078 case ACL_DEFER:
4079 if (cond == OK)
4080 {
a7538db1 4081 HDEBUG(D_acl) debug_printf("end of %s: DEFER\n", acl_name);
82c0c8ea 4082 if (acl_quit_check) goto badquit;
059ec3d9
PH		 4083 acl_temp_details = TRUE;
4084 return DEFER;
4085 }
4086 break;
4087
4088 case ACL_DENY:
a7538db1
JH		 4089 if (cond == OK)
4090 {
4091 HDEBUG(D_acl) debug_printf("end of %s: DENY\n", acl_name);
82c0c8ea 4092 if (acl_quit_check) goto badquit;
a7538db1
JH		 4093 return FAIL;
4094 }
059ec3d9
PH		 4095 break;
4096
4097 case ACL_DISCARD:
a7538db1
JH		 4098 if (cond == OK || cond == DISCARD)
4099 {
4100 HDEBUG(D_acl) debug_printf("end of %s: DISCARD\n", acl_name);
82c0c8ea 4101 if (acl_quit_check) goto badquit;
a7538db1
JH		 4102 return DISCARD;
4103 }
059ec3d9
PH		 4104 if (endpass_seen)
4105 {
4106 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
4107 return cond;
4108 }
4109 break;
4110
4111 case ACL_DROP:
a7538db1
JH		 4112 if (cond == OK)
4113 {
4114 HDEBUG(D_acl) debug_printf("end of %s: DROP\n", acl_name);
82c0c8ea 4115 if (acl_quit_check) goto badquit;
a7538db1
JH		 4116 return FAIL_DROP;
4117 }
059ec3d9
PH		 4118 break;
4119
4120 case ACL_REQUIRE:
a7538db1
JH		 4121 if (cond != OK)
4122 {
4123 HDEBUG(D_acl) debug_printf("end of %s: not OK\n", acl_name);
82c0c8ea 4124 if (acl_quit_check) goto badquit;
a7538db1
JH		 4125 return cond;
4126 }
059ec3d9
PH		 4127 break;
4128
4129 case ACL_WARN:
4130 if (cond == OK)
4131 acl_warn(where, *user_msgptr, *log_msgptr);
6c6d6e48 4132 else if (cond == DEFER && LOGGING(acl_warn_skipped))
9c7a242c
PH		 4133 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
4134 "condition test deferred%s%s", host_and_ident(TRUE),
4135 (*log_msgptr == NULL)? US"" : US": ",
4136 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 4137 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
4138 break;
4139
4140 default:
4141 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
4142 acl->verb);
4143 break;
4144 }
4145
4146 /* Pass to the next ACL item */
4147
4148 acl = acl->next;
4149 }
4150
4151/* We have reached the end of the ACL. This is an implicit DENY. */
4152
4153HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
4154return FAIL;
82c0c8ea
JH		 4155
4156badquit:
4157 *log_msgptr = string_sprintf("QUIT or not-QUIT teplevel ACL may not fail "
4158 "('%s' verb used incorrectly)", verbs[acl->verb]);
4159 return ERROR;
059ec3d9
PH		 4160}
4161
4162
333eea9c
JH		 4163
4164
4165/* Same args as acl_check_internal() above, but the string s is
4166the name of an ACL followed optionally by up to 9 space-separated arguments.
4167The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8 4168static int
55414b25 4169acl_check_wargs(int where, address_item *addr, const uschar *s, int level,
333eea9c
JH		 4170 uschar **user_msgptr, uschar **log_msgptr)
4171{
4172uschar * tmp;
bef3ea7f 4173uschar * tmp_arg[9]; /* must match acl_arg[] */
ef21c07d
JH		 4174uschar * sav_arg[9]; /* must match acl_arg[] */
4175int sav_narg;
333eea9c 4176uschar * name;
bef3ea7f 4177int i;
ef21c07d 4178int ret;
333eea9c
JH		 4179
4180if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
4181 goto bad;
4182
bef3ea7f 4183for (i = 0; i < 9; i++)
333eea9c
JH		 4184 {
4185 while (*s && isspace(*s)) s++;
4186 if (!*s) break;
bef3ea7f 4187 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 4188 {
4189 tmp = name;
4190 goto bad;
4191 }
4192 }
ef21c07d
JH		 4193
4194sav_narg = acl_narg;
bef3ea7f 4195acl_narg = i;
ef21c07d
JH		 4196for (i = 0; i < acl_narg; i++)
4197 {
4198 sav_arg[i] = acl_arg[i];
4199 acl_arg[i] = tmp_arg[i];
4200 }
4201while (i < 9)
4202 {
4203 sav_arg[i] = acl_arg[i];
4204 acl_arg[i++] = NULL;
4205 }
4206
4207ret = acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c 4208
ef21c07d
JH		 4209acl_narg = sav_narg;
4210for (i = 0; i < 9; i++) acl_arg[i] = sav_arg[i];
4211return ret;
333eea9c
JH		 4212
4213bad:
4214if (expand_string_forcedfail) return ERROR;
4215*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
4216 tmp, expand_string_message);
4217return search_find_defer?DEFER:ERROR;
4218}
4219
4220
4221
059ec3d9
PH		 4222/*************************************************
4223* Check access using an ACL *
4224*************************************************/
4225
faa05a93
JH		 4226/* Alternate interface for ACL, used by expansions */
4227int
05caaeaa 4228acl_eval(int where, uschar *s, uschar **user_msgptr, uschar **log_msgptr)
faa05a93 4229{
faa05a93
JH		 4230address_item adb;
4231address_item *addr = NULL;
4232
4233*user_msgptr = *log_msgptr = NULL;
4234sender_verified_failed = NULL;
4235ratelimiters_cmd = NULL;
4236log_reject_target = LOG_MAIN|LOG_REJECT;
4237
4238if (where == ACL_WHERE_RCPT)
4239 {
4240 adb = address_defaults;
4241 addr = &adb;
05caaeaa
JH		 4242 addr->address = expand_string(US"$local_part@$domain");
4243 addr->domain = deliver_domain;
4244 addr->local_part = deliver_localpart;
4245 addr->cc_local_part = deliver_localpart;
4246 addr->lc_local_part = deliver_localpart;
faa05a93
JH		 4247 }
4248
4249return acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
4250}
4251
4252
4253
059ec3d9
PH		 4254/* This is the external interface for ACL checks. It sets up an address and the
4255expansions for $domain and $local_part when called after RCPT, then calls
4256acl_check_internal() to do the actual work.
4257
4258Arguments:
4259 where ACL_WHERE_xxxx indicating where called from
64ffc24f 4260 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 4261 s the input string; NULL is the same as an empty ACL => DENY
4262 user_msgptr where to put a user error (for SMTP response)
4263 log_msgptr where to put a logging message (not for SMTP response)
4264
4265Returns: OK access is granted by an ACCEPT verb
4266 DISCARD access is granted by a DISCARD verb
4267 FAIL access is denied
4268 FAIL_DROP access is denied; drop the connection
4269 DEFER can't tell at the moment
4270 ERROR disaster
4271*/
faa05a93 4272int acl_where = ACL_WHERE_UNKNOWN;
059ec3d9
PH		 4273
4274int
64ffc24f 4275acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 4276 uschar **log_msgptr)
4277{
4278int rc;
4279address_item adb;
64ffc24f 4280address_item *addr = NULL;
059ec3d9
PH		 4281
4282*user_msgptr = *log_msgptr = NULL;
4283sender_verified_failed = NULL;
fe0dab11 4284ratelimiters_cmd = NULL;
6ea85e9a 4285log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9 4286
8ccd00b1 4287#ifndef DISABLE_PRDR
4f6ae5c3 4288if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY || where==ACL_WHERE_PRDR)
fd98a5c6 4289#else
4f6ae5c3 4290if (where==ACL_WHERE_RCPT || where==ACL_WHERE_VRFY)
fd98a5c6 4291#endif
059ec3d9
PH		 4292 {
4293 adb = address_defaults;
4294 addr = &adb;
64ffc24f 4295 addr->address = recipient;
059ec3d9
PH		 4296 if (deliver_split_address(addr) == DEFER)
4297 {
4298 *log_msgptr = US"defer in percent_hack_domains check";
4299 return DEFER;
4300 }
8c5d388a 4301#ifdef SUPPORT_I18N
3c8b3577
JH		 4302 if ((addr->prop.utf8_msg = message_smtputf8))
4303 {
4304 addr->prop.utf8_downcvt = message_utf8_downconvert == 1;
4305 addr->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
4306 }
9bfc60eb 4307#endif
059ec3d9
PH		 4308 deliver_domain = addr->domain;
4309 deliver_localpart = addr->local_part;
4310 }
059ec3d9 4311
faa05a93 4312acl_where = where;
059ec3d9 4313rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
faa05a93 4314acl_where = ACL_WHERE_UNKNOWN;
059ec3d9 4315
817d9f57
JH		 4316/* Cutthrough - if requested,
4317and WHERE_RCPT and not yet opened conn as result of recipient-verify,
4318and rcpt acl returned accept,
4319and first recipient (cancel on any subsequents)
e4bdf652 4320open one now and run it up to RCPT acceptance.
f9334a28
JH		 4321A failed verify should cancel cutthrough request,
4322and will pass the fail to the originator.
817d9f57 4323Initial implementation: dual-write to spool.
e4bdf652
JH		 4324Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
4325
4326Cease cutthrough copy on rxd final dot; do not send one.
4327
4328On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
4329
4330On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
4331perm-rejected, reflect that to the original sender - and dump the spooled copy.
4332If temp-reject, close the conn (and keep the spooled copy).
4333If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 4334*/
4335switch (where)
ff5929e3
JH		 4336 {
4337 case ACL_WHERE_RCPT:
8ccd00b1 4338#ifndef DISABLE_PRDR
ff5929e3 4339 case ACL_WHERE_PRDR:
fd98a5c6 4340#endif
ff5929e3
JH		 4341 if (host_checking_callout) /* -bhc mode */
4342 cancel_cutthrough_connection("host-checking mode");
4343
4344 else if ( rc == OK
4345 && cutthrough.delivery
4346 && rcpt_count > cutthrough.nrcpt
4347 && (rc = open_cutthrough_connection(addr)) == DEFER
4348 )
4349 if (cutthrough.defer_pass)
4350 {
4351 uschar * s = addr->message;
4352 /* Horrid kludge to recover target's SMTP message */
4353 while (*s) s++;
4354 do --s; while (!isdigit(*s));
4355 if (*--s && isdigit(*s) && *--s && isdigit(*s)) *user_msgptr = s;
4356 acl_temp_details = TRUE;
4357 }
4358 else
4359 {
4360 HDEBUG(D_acl) debug_printf("cutthrough defer; will spool\n");
4361 rc = OK;
4362 }
4363 break;
e4bdf652 4364
ff5929e3
JH		 4365 case ACL_WHERE_PREDATA:
4366 if (rc == OK)
4367 cutthrough_predata();
4368 else
4369 cancel_cutthrough_connection("predata acl not ok");
4370 break;
e4bdf652 4371
ff5929e3
JH		 4372 case ACL_WHERE_QUIT:
4373 case ACL_WHERE_NOTQUIT:
4374 cancel_cutthrough_connection("quit or notquit");
4375 break;
e4bdf652 4376
ff5929e3
JH		 4377 default:
4378 break;
4379 }
e4bdf652 4380
64ffc24f
PH		 4381deliver_domain = deliver_localpart = deliver_address_data =
4382 sender_address_data = NULL;
059ec3d9
PH		 4383
4384/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4385ACL, which is really in the middle of an SMTP command. */
4386
4387if (rc == DISCARD)
4388 {
4389 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4390 {
4391 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4392 "ACL", acl_wherenames[where]);
4393 return ERROR;
4394 }
4395 return DISCARD;
4396 }
4397
4398/* A DROP response is not permitted from MAILAUTH */
4399
4400if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4401 {
4402 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4403 "ACL", acl_wherenames[where]);
4404 return ERROR;
4405 }
4406
4e88a19f
PH		 4407/* Before giving a response, take a look at the length of any user message, and
4408split it up into multiple lines if possible. */
059ec3d9 4409
e28326d8
PH		 4410*user_msgptr = string_split_message(*user_msgptr);
4411if (fake_response != OK)
4412 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4413
4414return rc;
4415}
4416
38a0a95f 4417
38a0a95f
PH		 4418/*************************************************
4419* Create ACL variable *
4420*************************************************/
4421
4422/* Create an ACL variable or reuse an existing one. ACL variables are in a
4423binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4424
4425Argument:
4426 name pointer to the variable's name, starting with c or m
4427
4428Returns the pointer to variable's tree node
4429*/
4430
4431tree_node *
4432acl_var_create(uschar *name)
4433{
4434tree_node *node, **root;
4435root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4436node = tree_search(*root, name);
4437if (node == NULL)
4438 {
4439 node = store_get(sizeof(tree_node) + Ustrlen(name));
4440 Ustrcpy(node->name, name);
4441 (void)tree_insertnode(root, node);
4442 }
4443node->data.ptr = NULL;
4444return node;
4445}
4446
4447
4448
4449/*************************************************
4450* Write an ACL variable in spool format *
4451*************************************************/
4452
4453/* This function is used as a callback for tree_walk when writing variables to
4454the spool file. To retain spool file compatibility, what is written is -aclc or
4455-aclm followed by the rest of the name and the data length, space separated,
4456then the value itself, starting on a new line, and terminated by an additional
4457newline. When we had only numbered ACL variables, the first line might look
4458like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4459acl_cfoo.
4460
4461Arguments:
4462 name of the variable
4463 value of the variable
4464 ctx FILE pointer (as a void pointer)
4465
4466Returns: nothing
4467*/
4468
4469void
4470acl_var_write(uschar *name, uschar *value, void *ctx)
4471{
4472FILE *f = (FILE *)ctx;
4473fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4474}
4475
9171d434
JH		 4476/* vi: aw ai sw=2
4477*/
059ec3d9 4478/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.