projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Turn MH's patch into my standard style. (Explicit != NULL in test).
[exim.git] / src / src / acl.c
CommitLineData
184e8823 1/* $Cambridge: exim/src/src/acl.c,v 1.68 2007/01/08 10:50:17 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95
PH		 55 ACLC_CONDITION,
56 ACLC_CONTROL,
8523533c
TK		 57#ifdef WITH_CONTENT_SCAN
58 ACLC_DECODE,
59#endif
60 ACLC_DELAY,
61#ifdef WITH_OLD_DEMIME
62 ACLC_DEMIME,
fb2274d4
TK		 63#endif
64#ifdef EXPERIMENTAL_DOMAINKEYS
65 ACLC_DK_DOMAIN_SOURCE,
66 ACLC_DK_POLICY,
67 ACLC_DK_SENDER_DOMAINS,
68 ACLC_DK_SENDER_LOCAL_PARTS,
69 ACLC_DK_SENDERS,
70 ACLC_DK_STATUS,
8e669ac1 71#endif
71fafd95
PH		 72 ACLC_DNSLISTS,
73 ACLC_DOMAINS,
74 ACLC_ENCRYPTED,
75 ACLC_ENDPASS,
76 ACLC_HOSTS,
77 ACLC_LOCAL_PARTS,
78 ACLC_LOG_MESSAGE,
6ea85e9a 79 ACLC_LOG_REJECT_TARGET,
71fafd95 80 ACLC_LOGWRITE,
8523533c
TK		 81#ifdef WITH_CONTENT_SCAN
82 ACLC_MALWARE,
83#endif
84 ACLC_MESSAGE,
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MIME_REGEX,
87#endif
870f6ba8 88 ACLC_RATELIMIT,
8523533c
TK		 89 ACLC_RECIPIENTS,
90#ifdef WITH_CONTENT_SCAN
91 ACLC_REGEX,
92#endif
71fafd95
PH		 93 ACLC_SENDER_DOMAINS,
94 ACLC_SENDERS,
95 ACLC_SET,
8523533c 96#ifdef WITH_CONTENT_SCAN
8e669ac1 97 ACLC_SPAM,
8523533c
TK		 98#endif
99#ifdef EXPERIMENTAL_SPF
100 ACLC_SPF,
101#endif
102 ACLC_VERIFY };
059ec3d9
PH		 103
104/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
6ea85e9a
PH		 105"log_message", "log_reject_target", "logwrite", and "set" are modifiers that
106look like conditions but always return TRUE. They are used for their side
107effects. */
059ec3d9 108
9a26b6b2
PH		 109static uschar *conditions[] = {
110 US"acl",
71fafd95 111 US"add_header",
9a26b6b2 112 US"authenticated",
8523533c
TK		 113#ifdef EXPERIMENTAL_BRIGHTMAIL
114 US"bmi_optin",
115#endif
116 US"condition",
8e669ac1 117 US"control",
8523533c
TK		 118#ifdef WITH_CONTENT_SCAN
119 US"decode",
120#endif
121 US"delay",
122#ifdef WITH_OLD_DEMIME
123 US"demime",
fb2274d4
TK		 124#endif
125#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 126 US"dk_domain_source",
127 US"dk_policy",
128 US"dk_sender_domains",
129 US"dk_sender_local_parts",
130 US"dk_senders",
131 US"dk_status",
8523533c 132#endif
6ea85e9a
PH		 133 US"dnslists",
134 US"domains",
135 US"encrypted",
136 US"endpass",
137 US"hosts",
138 US"local_parts",
139 US"log_message",
140 US"log_reject_target",
141 US"logwrite",
8523533c
TK		 142#ifdef WITH_CONTENT_SCAN
143 US"malware",
144#endif
145 US"message",
146#ifdef WITH_CONTENT_SCAN
147 US"mime_regex",
148#endif
870f6ba8 149 US"ratelimit",
8523533c
TK		 150 US"recipients",
151#ifdef WITH_CONTENT_SCAN
152 US"regex",
153#endif
154 US"sender_domains", US"senders", US"set",
155#ifdef WITH_CONTENT_SCAN
156 US"spam",
157#endif
158#ifdef EXPERIMENTAL_SPF
159 US"spf",
160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef
PH		 171 #endif
172 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 173 CONTROL_DK_VERIFY,
c46782ef
PH		 174 #endif
175 CONTROL_ERROR,
176 CONTROL_CASEFUL_LOCAL_PART,
177 CONTROL_CASELOWER_LOCAL_PART,
178 CONTROL_ENFORCE_SYNC,
179 CONTROL_NO_ENFORCE_SYNC,
180 CONTROL_FREEZE,
181 CONTROL_QUEUE_ONLY,
182 CONTROL_SUBMISSION,
183 CONTROL_SUPPRESS_LOCAL_FIXUPS,
184 #ifdef WITH_CONTENT_SCAN
9a26b6b2 185 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 186 #endif
187 CONTROL_FAKEDEFER,
188 CONTROL_FAKEREJECT,
189 CONTROL_NO_MULTILINE
190};
9a26b6b2 191
8800895a
PH		 192/* ACL control names; keep in step with the table above! This list is used for
193turning ids into names. The actual list of recognized names is in the variable
194control_def controls_list[] below. The fact that there are two lists is a mess
195and should be tidied up. */
9a26b6b2
PH		 196
197static uschar *controls[] = {
c46782ef 198 US"allow_auth_unadvertised",
9a26b6b2
PH		 199 #ifdef EXPERIMENTAL_BRIGHTMAIL
200 US"bmi_run",
201 #endif
202 #ifdef EXPERIMENTAL_DOMAINKEYS
203 US"dk_verify",
204 #endif
c46782ef
PH		 205 US"error",
206 US"caseful_local_part",
207 US"caselower_local_part",
208 US"enforce_sync",
209 US"no_enforce_sync",
210 US"freeze",
211 US"queue_only",
212 US"submission",
213 US"suppress_local_fixups",
9a26b6b2
PH		 214 #ifdef WITH_CONTENT_SCAN
215 US"no_mbox_unspool",
216 #endif
c46782ef
PH		 217 US"no_multiline"
218};
059ec3d9
PH		 219
220/* Flags to indicate for which conditions /modifiers a string expansion is done
221at the outer level. In the other cases, expansion already occurs in the
222checking functions. */
223
224static uschar cond_expand_at_top[] = {
225 TRUE, /* acl */
3e536984 226 TRUE, /* add_header */
059ec3d9 227 FALSE, /* authenticated */
8523533c
TK		 228#ifdef EXPERIMENTAL_BRIGHTMAIL
229 TRUE, /* bmi_optin */
8e669ac1 230#endif
059ec3d9
PH		 231 TRUE, /* condition */
232 TRUE, /* control */
8523533c
TK		 233#ifdef WITH_CONTENT_SCAN
234 TRUE, /* decode */
235#endif
059ec3d9 236 TRUE, /* delay */
8523533c
TK		 237#ifdef WITH_OLD_DEMIME
238 TRUE, /* demime */
fb2274d4
TK		 239#endif
240#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 241 TRUE, /* dk_domain_source */
242 TRUE, /* dk_policy */
243 TRUE, /* dk_sender_domains */
e715ad22 244 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 245 TRUE, /* dk_senders */
246 TRUE, /* dk_status */
8523533c 247#endif
059ec3d9
PH		 248 TRUE, /* dnslists */
249 FALSE, /* domains */
250 FALSE, /* encrypted */
251 TRUE, /* endpass */
252 FALSE, /* hosts */
253 FALSE, /* local_parts */
254 TRUE, /* log_message */
6ea85e9a 255 TRUE, /* log_reject_target */
059ec3d9 256 TRUE, /* logwrite */
8523533c
TK		 257#ifdef WITH_CONTENT_SCAN
258 TRUE, /* malware */
259#endif
059ec3d9 260 TRUE, /* message */
8523533c
TK		 261#ifdef WITH_CONTENT_SCAN
262 TRUE, /* mime_regex */
263#endif
870f6ba8 264 TRUE, /* ratelimit */
059ec3d9 265 FALSE, /* recipients */
8523533c
TK		 266#ifdef WITH_CONTENT_SCAN
267 TRUE, /* regex */
268#endif
059ec3d9
PH		 269 FALSE, /* sender_domains */
270 FALSE, /* senders */
271 TRUE, /* set */
8523533c
TK		 272#ifdef WITH_CONTENT_SCAN
273 TRUE, /* spam */
274#endif
275#ifdef EXPERIMENTAL_SPF
276 TRUE, /* spf */
277#endif
059ec3d9
PH		 278 TRUE /* verify */
279};
280
281/* Flags to identify the modifiers */
282
283static uschar cond_modifiers[] = {
284 FALSE, /* acl */
3e536984 285 TRUE, /* add_header */
059ec3d9 286 FALSE, /* authenticated */
8523533c
TK		 287#ifdef EXPERIMENTAL_BRIGHTMAIL
288 TRUE, /* bmi_optin */
8e669ac1 289#endif
059ec3d9
PH		 290 FALSE, /* condition */
291 TRUE, /* control */
8523533c
TK		 292#ifdef WITH_CONTENT_SCAN
293 FALSE, /* decode */
294#endif
059ec3d9 295 TRUE, /* delay */
8523533c
TK		 296#ifdef WITH_OLD_DEMIME
297 FALSE, /* demime */
fb2274d4
TK		 298#endif
299#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 300 FALSE, /* dk_domain_source */
301 FALSE, /* dk_policy */
302 FALSE, /* dk_sender_domains */
e715ad22 303 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 304 FALSE, /* dk_senders */
305 FALSE, /* dk_status */
8523533c 306#endif
059ec3d9
PH		 307 FALSE, /* dnslists */
308 FALSE, /* domains */
309 FALSE, /* encrypted */
310 TRUE, /* endpass */
311 FALSE, /* hosts */
312 FALSE, /* local_parts */
313 TRUE, /* log_message */
6ea85e9a 314 TRUE, /* log_reject_target */
8523533c
TK		 315 TRUE, /* logwrite */
316#ifdef WITH_CONTENT_SCAN
317 FALSE, /* malware */
318#endif
059ec3d9 319 TRUE, /* message */
8523533c
TK		 320#ifdef WITH_CONTENT_SCAN
321 FALSE, /* mime_regex */
322#endif
870f6ba8 323 FALSE, /* ratelimit */
059ec3d9 324 FALSE, /* recipients */
8523533c
TK		 325#ifdef WITH_CONTENT_SCAN
326 FALSE, /* regex */
327#endif
059ec3d9
PH		 328 FALSE, /* sender_domains */
329 FALSE, /* senders */
330 TRUE, /* set */
8523533c
TK		 331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* spam */
333#endif
334#ifdef EXPERIMENTAL_SPF
335 FALSE, /* spf */
336#endif
059ec3d9
PH		 337 FALSE /* verify */
338};
339
c5fcb476 340/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 341each condition, there's a bitmap of dis-allowed times. For some, it is easier
342to specify the negation of a small number of allowed times. */
059ec3d9
PH		 343
344static unsigned int cond_forbids[] = {
345 0, /* acl */
8e669ac1 346
71fafd95 347 (unsigned int)
45b91596 348 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 349 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 350 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
351 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 352
45b91596
PH		 353 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
354 (1<<ACL_WHERE_NOTSMTP_START)|
355 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 356
71fafd95 357 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 358 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 359 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
360 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 361 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 362 (1<<ACL_WHERE_MAILAUTH)|
363 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 364 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
365 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 366 #endif
8e669ac1 367
059ec3d9 368 0, /* condition */
8e669ac1 369
059ec3d9 370 /* Certain types of control are always allowed, so we let it through
2f079f46 371 always and check in the control processing itself. */
8e669ac1 372
059ec3d9 373 0, /* control */
8e669ac1 374
71fafd95 375 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 376 (unsigned int)
377 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 378 #endif
8523533c 379
059ec3d9 380 0, /* delay */
8e669ac1 381
71fafd95 382 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 383 (unsigned int)
384 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 385 #endif
8e669ac1 386
71fafd95 387 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 388 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 389 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
390 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
391 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
392 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
393 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 394 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 395
2f079f46 396 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 397 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
398 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
399 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
400 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
401 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 402 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 403
2f079f46 404 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 410 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 411
2f079f46 412 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 413 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
414 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
415 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
416 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
417 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 418 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 419
2f079f46 420 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 421 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
422 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
423 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
424 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
425 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 426 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 427
2f079f46 428 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 435 #endif
fb2274d4 436
45b91596
PH		 437 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
438 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 439
2f079f46
PH		 440 (unsigned int)
441 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 442
45b91596
PH		 443 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
444 (1<<ACL_WHERE_CONNECT)|
445 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 446 (1<<ACL_WHERE_HELO),
8e669ac1 447
059ec3d9 448 0, /* endpass */
8e669ac1 449
45b91596
PH		 450 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
451 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 452
2f079f46
PH		 453 (unsigned int)
454 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 455
456 0, /* log_message */
8e669ac1 457
6ea85e9a
PH		 458 0, /* log_reject_target */
459
059ec3d9 460 0, /* logwrite */
8e669ac1 461
71fafd95 462 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 463 (unsigned int)
464 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 465 #endif
8523533c 466
059ec3d9
PH		 467 0, /* message */
468
71fafd95 469 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 470 (unsigned int)
471 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 472 #endif
8523533c 473
870f6ba8
TF		 474 0, /* ratelimit */
475
2f079f46
PH		 476 (unsigned int)
477 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 478
71fafd95 479 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 480 (unsigned int)
481 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
482 (1<<ACL_WHERE_MIME)),
71fafd95 483 #endif
8523533c 484
059ec3d9
PH		 485 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
486 (1<<ACL_WHERE_HELO)|
487 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
488 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
489 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
490
491 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
492 (1<<ACL_WHERE_HELO)|
493 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
494 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
495 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
496
497 0, /* set */
498
71fafd95 499 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 500 (unsigned int)
501 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 502 #endif
8523533c 503
71fafd95 504 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 505 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
506 (1<<ACL_WHERE_HELO)|
507 (1<<ACL_WHERE_MAILAUTH)|
508 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 509 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
510 (1<<ACL_WHERE_NOTSMTP)|
511 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 512 #endif
8523533c 513
059ec3d9
PH		 514 /* Certain types of verify are always allowed, so we let it through
515 always and check in the verify function itself */
516
517 0 /* verify */
059ec3d9
PH		 518};
519
520
c5fcb476
PH		 521/* Bit map vector of which controls are not allowed at certain times. For
522each control, there's a bitmap of dis-allowed times. For some, it is easier to
523specify the negation of a small number of allowed times. */
524
525static unsigned int control_forbids[] = {
c46782ef
PH		 526 (unsigned int)
527 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
528
529 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 530 0, /* bmi_run */
c46782ef
PH		 531 #endif
532
533 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 534 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
535 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 536 #endif
3e11c26b 537
c5fcb476 538 0, /* error */
8e669ac1
PH		 539
540 (unsigned int)
c5fcb476 541 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 542
543 (unsigned int)
c5fcb476 544 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 545
45b91596
PH		 546 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
547 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 548
45b91596
PH		 549 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
550 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 551
552 (unsigned int)
c5fcb476
PH		 553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 556
557 (unsigned int)
c5fcb476
PH		 558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
559 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 560 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 561
562 (unsigned int)
c5fcb476 563 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 564 (1<<ACL_WHERE_PREDATA)),
8523533c 565
8800895a
PH		 566 (unsigned int)
567 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 568 (1<<ACL_WHERE_PREDATA)|
569 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 570
c46782ef 571 #ifdef WITH_CONTENT_SCAN
8e669ac1 572 (unsigned int)
14d57970 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
c46782ef 576 #endif
a6c4ab60 577
29aba418
TF		 578 (unsigned int)
579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
582
8e669ac1 583 (unsigned int)
a6c4ab60 584 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 585 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
586 (1<<ACL_WHERE_MIME)),
8523533c 587
45b91596
PH		 588 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
589 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 590};
591
592/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 593
594typedef struct control_def {
595 uschar *name;
596 int value; /* CONTROL_xxx value */
059ec3d9
PH		 597 BOOL has_option; /* Has /option(s) following */
598} control_def;
599
600static control_def controls_list[] = {
c46782ef 601 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 602#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 603 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 604#endif
605#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 606 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 607#endif
c46782ef
PH		 608 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
609 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
610 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
611 { US"freeze", CONTROL_FREEZE, TRUE },
612 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
613 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
614 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 615#ifdef WITH_CONTENT_SCAN
c46782ef 616 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 617#endif
c46782ef
PH		 618 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
619 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
620 { US"submission", CONTROL_SUBMISSION, TRUE },
621 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 622 };
623
e5a9dba6
PH		 624/* Support data structures for Client SMTP Authorization. acl_verify_csa()
625caches its result in a tree to avoid repeated DNS queries. The result is an
626integer code which is used as an index into the following tables of
627explanatory strings and verification return codes. */
628
629static tree_node *csa_cache = NULL;
630
631enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
632 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
633
634/* The acl_verify_csa() return code is translated into an acl_verify() return
635code using the following table. It is OK unless the client is definitely not
636authorized. This is because CSA is supposed to be optional for sending sites,
637so recipients should not be too strict about checking it - especially because
638DNS problems are quite likely to occur. It's possible to use $csa_status in
639further ACL conditions to distinguish ok, unknown, and defer if required, but
640the aim is to make the usual configuration simple. */
641
642static int csa_return_code[] = {
643 OK, OK, OK, OK,
644 FAIL, FAIL, FAIL, FAIL
645};
646
647static uschar *csa_status_string[] = {
648 US"unknown", US"ok", US"defer", US"defer",
649 US"fail", US"fail", US"fail", US"fail"
650};
651
652static uschar *csa_reason_string[] = {
653 US"unknown",
654 US"ok",
655 US"deferred (SRV lookup failed)",
656 US"deferred (target address lookup failed)",
657 US"failed (explicit authorization required)",
658 US"failed (host name not authorized)",
659 US"failed (no authorized addresses)",
660 US"failed (client address mismatch)"
661};
662
059ec3d9
PH		 663/* Enable recursion between acl_check_internal() and acl_check_condition() */
664
665static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
666 uschar **);
667
668
669/*************************************************
670* Pick out name from list *
671*************************************************/
672
673/* Use a binary chop method
674
675Arguments:
676 name name to find
677 list list of names
678 end size of list
679
680Returns: offset in list, or -1 if not found
681*/
682
683static int
684acl_checkname(uschar *name, uschar **list, int end)
685{
686int start = 0;
687
688while (start < end)
689 {
690 int mid = (start + end)/2;
691 int c = Ustrcmp(name, list[mid]);
692 if (c == 0) return mid;
693 if (c < 0) end = mid; else start = mid + 1;
694 }
695
696return -1;
697}
698
699
700/*************************************************
701* Read and parse one ACL *
702*************************************************/
703
704/* This function is called both from readconf in order to parse the ACLs in the
705configuration file, and also when an ACL is encountered dynamically (e.g. as
706the result of an expansion). It is given a function to call in order to
707retrieve the lines of the ACL. This function handles skipping comments and
708blank lines (where relevant).
709
710Arguments:
711 func function to get next line of ACL
712 error where to put an error message
713
714Returns: pointer to ACL, or NULL
715 NULL can be legal (empty ACL); in this case error will be NULL
716*/
717
718acl_block *
719acl_read(uschar *(*func)(void), uschar **error)
720{
721acl_block *yield = NULL;
722acl_block **lastp = &yield;
723acl_block *this = NULL;
724acl_condition_block *cond;
725acl_condition_block **condp = NULL;
726uschar *s;
727
728*error = NULL;
729
730while ((s = (*func)()) != NULL)
731 {
732 int v, c;
733 BOOL negated = FALSE;
734 uschar *saveline = s;
735 uschar name[64];
736
737 /* Conditions (but not verbs) are allowed to be negated by an initial
738 exclamation mark. */
739
740 while (isspace(*s)) s++;
741 if (*s == '!')
742 {
743 negated = TRUE;
744 s++;
745 }
746
cf00dad6
PH		 747 /* Read the name of a verb or a condition, or the start of a new ACL, which
748 can be started by a name, or by a macro definition. */
059ec3d9
PH		 749
750 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 751 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 752
753 /* If a verb is unrecognized, it may be another condition or modifier that
754 continues the previous verb. */
755
756 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
757 if (v < 0)
758 {
759 if (this == NULL)
760 {
4e167a8c
PH		 761 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
762 saveline);
059ec3d9
PH		 763 return NULL;
764 }
765 }
766
767 /* New verb */
768
769 else
770 {
771 if (negated)
772 {
773 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
774 return NULL;
775 }
776 this = store_get(sizeof(acl_block));
777 *lastp = this;
778 lastp = &(this->next);
779 this->next = NULL;
780 this->verb = v;
781 this->condition = NULL;
782 condp = &(this->condition);
783 if (*s == 0) continue; /* No condition on this line */
784 if (*s == '!')
785 {
786 negated = TRUE;
787 s++;
788 }
789 s = readconf_readname(name, sizeof(name), s); /* Condition name */
790 }
791
792 /* Handle a condition or modifier. */
793
794 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
795 if (c < 0)
796 {
797 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
798 saveline);
799 return NULL;
800 }
801
802 /* The modifiers may not be negated */
803
804 if (negated && cond_modifiers[c])
805 {
806 *error = string_sprintf("ACL error: negation is not allowed with "
807 "\"%s\"", conditions[c]);
808 return NULL;
809 }
810
811 /* ENDPASS may occur only with ACCEPT or DISCARD. */
812
813 if (c == ACLC_ENDPASS &&
814 this->verb != ACL_ACCEPT &&
815 this->verb != ACL_DISCARD)
816 {
817 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
818 conditions[c], verbs[this->verb]);
819 return NULL;
820 }
821
822 cond = store_get(sizeof(acl_condition_block));
823 cond->next = NULL;
824 cond->type = c;
825 cond->u.negated = negated;
826
827 *condp = cond;
828 condp = &(cond->next);
829
830 /* The "set" modifier is different in that its argument is "name=value"
831 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 832 gives us a variable name to insert into the data block. The original ACL
833 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
834 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 835 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
836 After that, we allow alphanumerics and underscores, but the first character
837 after c or m must be a digit or an underscore. This retains backwards
838 compatibility. */
059ec3d9
PH		 839
840 if (c == ACLC_SET)
841 {
47ca6d6c
PH		 842 uschar *endptr;
843
38a0a95f
PH		 844 if (Ustrncmp(s, "acl_c", 5) != 0 &&
845 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 846 {
38a0a95f
PH		 847 *error = string_sprintf("invalid variable name after \"set\" in ACL "
848 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
849 return NULL;
47ca6d6c 850 }
38a0a95f
PH		 851
852 endptr = s + 5;
641cb756
PH		 853 if (!isdigit(*endptr) && *endptr != '_')
854 {
855 *error = string_sprintf("invalid variable name after \"set\" in ACL "
856 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
857 s);
858 return NULL;
859 }
860
38a0a95f 861 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 862 {
38a0a95f
PH		 863 if (!isalnum(*endptr) && *endptr != '_')
864 {
865 *error = string_sprintf("invalid character \"%c\" in variable name "
866 "in ACL modifier \"set %s\"", *endptr, s);
867 return NULL;
868 }
869 endptr++;
47ca6d6c 870 }
47ca6d6c 871
38a0a95f 872 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 873 s = endptr;
059ec3d9
PH		 874 while (isspace(*s)) s++;
875 }
876
877 /* For "set", we are now positioned for the data. For the others, only
878 "endpass" has no data */
879
880 if (c != ACLC_ENDPASS)
881 {
882 if (*s++ != '=')
883 {
884 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
885 cond_modifiers[c]? US"modifier" : US"condition");
886 return NULL;
887 }
888 while (isspace(*s)) s++;
889 cond->arg = string_copy(s);
890 }
891 }
892
893return yield;
894}
895
896
897
71fafd95
PH		 898/*************************************************
899* Set up added header line(s) *
900*************************************************/
901
902/* This function is called by the add_header modifier, and also from acl_warn()
903to implement the now-deprecated way of adding header lines using "message" on a
904"warn" verb. The argument is treated as a sequence of header lines which are
905added to a chain, provided there isn't an identical one already there.
906
907Argument: string of header lines
908Returns: nothing
909*/
910
911static void
912setup_header(uschar *hstring)
913{
914uschar *p, *q;
915int hlen = Ustrlen(hstring);
916
917/* An empty string does nothing; otherwise add a final newline if necessary. */
918
919if (hlen <= 0) return;
920if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
921
922/* Loop for multiple header lines, taking care about continuations */
923
924for (p = q = hstring; *p != 0; )
925 {
926 uschar *s;
927 int newtype = htype_add_bot;
928 header_line **hptr = &acl_added_headers;
929
930 /* Find next header line within the string */
931
932 for (;;)
933 {
934 q = Ustrchr(q, '\n');
935 if (*(++q) != ' ' && *q != '\t') break;
936 }
937
938 /* If the line starts with a colon, interpret the instruction for where to
939 add it. This temporarily sets up a new type. */
940
941 if (*p == ':')
942 {
943 if (strncmpic(p, US":after_received:", 16) == 0)
944 {
945 newtype = htype_add_rec;
946 p += 16;
947 }
948 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
949 {
950 newtype = htype_add_rfc;
951 p += 14;
952 }
953 else if (strncmpic(p, US":at_start:", 10) == 0)
954 {
955 newtype = htype_add_top;
956 p += 10;
957 }
958 else if (strncmpic(p, US":at_end:", 8) == 0)
959 {
960 newtype = htype_add_bot;
961 p += 8;
962 }
963 while (*p == ' ' || *p == '\t') p++;
964 }
965
966 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
967 to the front of it. */
968
969 for (s = p; s < q - 1; s++)
970 {
971 if (*s == ':' || !isgraph(*s)) break;
972 }
973
974 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
975 hlen = Ustrlen(s);
976
977 /* See if this line has already been added */
978
979 while (*hptr != NULL)
980 {
981 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
982 hptr = &((*hptr)->next);
983 }
984
985 /* Add if not previously present */
986
987 if (*hptr == NULL)
988 {
989 header_line *h = store_get(sizeof(header_line));
990 h->text = s;
991 h->next = NULL;
992 h->type = newtype;
993 h->slen = hlen;
994 *hptr = h;
995 hptr = &(h->next);
996 }
997
998 /* Advance for next header line within the string */
999
1000 p = q;
1001 }
1002}
1003
1004
1005
1006
059ec3d9
PH		 1007/*************************************************
1008* Handle warnings *
1009*************************************************/
1010
1011/* This function is called when a WARN verb's conditions are true. It adds to
1012the message's headers, and/or writes information to the log. In each case, this
1013only happens once (per message for headers, per connection for log).
1014
71fafd95
PH		 1015** NOTE: The header adding action using the "message" setting is historic, and
1016its use is now deprecated. The new add_header modifier should be used instead.
1017
059ec3d9
PH		 1018Arguments:
1019 where ACL_WHERE_xxxx indicating which ACL this is
1020 user_message message for adding to headers
1021 log_message message for logging, if different
1022
1023Returns: nothing
1024*/
1025
1026static void
1027acl_warn(int where, uschar *user_message, uschar *log_message)
1028{
059ec3d9
PH		 1029if (log_message != NULL && log_message != user_message)
1030 {
1031 uschar *text;
1032 string_item *logged;
1033
1034 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1035 string_printing(log_message));
1036
1037 /* If a sender verification has failed, and the log message is "sender verify
1038 failed", add the failure message. */
1039
1040 if (sender_verified_failed != NULL &&
1041 sender_verified_failed->message != NULL &&
1042 strcmpic(log_message, US"sender verify failed") == 0)
1043 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1044
9c7a242c
PH		 1045 /* Search previously logged warnings. They are kept in malloc
1046 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1047
1048 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1049 if (Ustrcmp(logged->text, text) == 0) break;
1050
1051 if (logged == NULL)
1052 {
1053 int length = Ustrlen(text) + 1;
1054 log_write(0, LOG_MAIN, "%s", text);
1055 logged = store_malloc(sizeof(string_item) + length);
1056 logged->text = (uschar *)logged + sizeof(string_item);
1057 memcpy(logged->text, text, length);
1058 logged->next = acl_warn_logged;
1059 acl_warn_logged = logged;
1060 }
1061 }
1062
1063/* If there's no user message, we are done. */
1064
1065if (user_message == NULL) return;
1066
1067/* If this isn't a message ACL, we can't do anything with a user message.
1068Log an error. */
1069
1070if (where > ACL_WHERE_NOTSMTP)
1071 {
1072 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1073 "found in a non-message (%s) ACL: cannot specify header lines here: "
1074 "message ignored", acl_wherenames[where]);
1075 return;
1076 }
1077
71fafd95
PH		 1078/* The code for setting up header lines is now abstracted into a separate
1079function so that it can be used for the add_header modifier as well. */
059ec3d9 1080
71fafd95 1081setup_header(user_message);
059ec3d9
PH		 1082}
1083
1084
1085
1086/*************************************************
1087* Verify and check reverse DNS *
1088*************************************************/
1089
1090/* Called from acl_verify() below. We look up the host name(s) of the client IP
1091address if this has not yet been done. The host_name_lookup() function checks
1092that one of these names resolves to an address list that contains the client IP
1093address, so we don't actually have to do the check here.
1094
1095Arguments:
1096 user_msgptr pointer for user message
1097 log_msgptr pointer for log message
1098
1099Returns: OK verification condition succeeded
1100 FAIL verification failed
1101 DEFER there was a problem verifying
1102*/
1103
1104static int
1105acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1106{
1107int rc;
1108
1109user_msgptr = user_msgptr; /* stop compiler warning */
1110
1111/* Previous success */
1112
1113if (sender_host_name != NULL) return OK;
1114
1115/* Previous failure */
1116
1117if (host_lookup_failed)
1118 {
1119 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1120 return FAIL;
1121 }
1122
1123/* Need to do a lookup */
1124
1125HDEBUG(D_acl)
1126 debug_printf("looking up host name to force name/address consistency check\n");
1127
1128if ((rc = host_name_lookup()) != OK)
1129 {
1130 *log_msgptr = (rc == DEFER)?
1131 US"host lookup deferred for reverse lookup check"
1132 :
1133 string_sprintf("host lookup failed for reverse lookup check%s",
1134 host_lookup_msg);
1135 return rc; /* DEFER or FAIL */
1136 }
1137
1138host_build_sender_fullhost();
1139return OK;
1140}
1141
1142
1143
e5a9dba6
PH		 1144/*************************************************
1145* Check client IP address matches CSA target *
1146*************************************************/
1147
1148/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1149response for address records belonging to the CSA target hostname. The section
1150is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1151If one of the addresses matches the client's IP address, then the client is
1152authorized by CSA. If there are target IP addresses but none of them match
1153then the client is using an unauthorized IP address. If there are no target IP
1154addresses then the client cannot be using an authorized IP address. (This is
1155an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1156
1157Arguments:
1158 dnsa the DNS answer block
1159 dnss a DNS scan block for us to use
1160 reset option specifing what portion to scan, as described above
1161 target the target hostname to use for matching RR names
1162
1163Returns: CSA_OK successfully authorized
1164 CSA_FAIL_MISMATCH addresses found but none matched
1165 CSA_FAIL_NOADDR no target addresses found
1166*/
1167
1168static int
1169acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1170 uschar *target)
1171{
1172dns_record *rr;
1173dns_address *da;
1174
1175BOOL target_found = FALSE;
1176
1177for (rr = dns_next_rr(dnsa, dnss, reset);
1178 rr != NULL;
1179 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1180 {
1181 /* Check this is an address RR for the target hostname. */
1182
1183 if (rr->type != T_A
1184 #if HAVE_IPV6
1185 && rr->type != T_AAAA
1186 #ifdef SUPPORT_A6
1187 && rr->type != T_A6
1188 #endif
1189 #endif
1190 ) continue;
1191
1192 if (strcmpic(target, rr->name) != 0) continue;
1193
1194 target_found = TRUE;
1195
1196 /* Turn the target address RR into a list of textual IP addresses and scan
1197 the list. There may be more than one if it is an A6 RR. */
1198
1199 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1200 {
1201 /* If the client IP address matches the target IP address, it's good! */
1202
1203 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1204
1205 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1206 }
1207 }
1208
1209/* If we found some target addresses but none of them matched, the client is
1210using an unauthorized IP address, otherwise the target has no authorized IP
1211addresses. */
1212
1213if (target_found) return CSA_FAIL_MISMATCH;
1214else return CSA_FAIL_NOADDR;
1215}
1216
1217
1218
1219/*************************************************
1220* Verify Client SMTP Authorization *
1221*************************************************/
1222
1223/* Called from acl_verify() below. This routine calls dns_lookup_special()
1224to find the CSA SRV record corresponding to the domain argument, or
1225$sender_helo_name if no argument is provided. It then checks that the
1226client is authorized, and that its IP address corresponds to the SRV
1227target's address by calling acl_verify_csa_address() above. The address
1228should have been returned in the DNS response's ADDITIONAL section, but if
1229not we perform another DNS lookup to get it.
1230
1231Arguments:
1232 domain pointer to optional parameter following verify = csa
1233
1234Returns: CSA_UNKNOWN no valid CSA record found
1235 CSA_OK successfully authorized
1236 CSA_FAIL_* client is definitely not authorized
1237 CSA_DEFER_* there was a DNS problem
1238*/
1239
1240static int
1241acl_verify_csa(uschar *domain)
1242{
1243tree_node *t;
1244uschar *found, *p;
1245int priority, weight, port;
1246dns_answer dnsa;
1247dns_scan dnss;
1248dns_record *rr;
1249int rc, type;
1250uschar target[256];
1251
1252/* Work out the domain we are using for the CSA lookup. The default is the
1253client's HELO domain. If the client has not said HELO, use its IP address
1254instead. If it's a local client (exim -bs), CSA isn't applicable. */
1255
1256while (isspace(*domain) && *domain != '\0') ++domain;
1257if (*domain == '\0') domain = sender_helo_name;
1258if (domain == NULL) domain = sender_host_address;
1259if (sender_host_address == NULL) return CSA_UNKNOWN;
1260
1261/* If we have an address literal, strip off the framing ready for turning it
1262into a domain. The framing consists of matched square brackets possibly
1263containing a keyword and a colon before the actual IP address. */
1264
1265if (domain[0] == '[')
1266 {
1267 uschar *start = Ustrchr(domain, ':');
1268 if (start == NULL) start = domain;
1269 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1270 }
1271
1272/* Turn domains that look like bare IP addresses into domains in the reverse
1273DNS. This code also deals with address literals and $sender_host_address. It's
1274not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1275address literals, but it's probably the most friendly thing to do. This is an
1276extension to CSA, so we allow it to be turned off for proper conformance. */
1277
7e66e54d 1278if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1279 {
1280 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1281 dns_build_reverse(domain, target);
1282 domain = target;
1283 }
1284
1285/* Find out if we've already done the CSA check for this domain. If we have,
1286return the same result again. Otherwise build a new cached result structure
1287for this domain. The name is filled in now, and the value is filled in when
1288we return from this function. */
1289
1290t = tree_search(csa_cache, domain);
1291if (t != NULL) return t->data.val;
1292
1293t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1294Ustrcpy(t->name, domain);
1295(void)tree_insertnode(&csa_cache, t);
1296
1297/* Now we are ready to do the actual DNS lookup(s). */
1298
28e6ef29 1299found = domain;
e5a9dba6
PH		 1300switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1301 {
1302 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1303
1304 default:
1305 return t->data.val = CSA_DEFER_SRV;
1306
1307 /* If we found nothing, the client's authorization is unknown. */
1308
1309 case DNS_NOMATCH:
1310 case DNS_NODATA:
1311 return t->data.val = CSA_UNKNOWN;
1312
1313 /* We got something! Go on to look at the reply in more detail. */
1314
1315 case DNS_SUCCEED:
1316 break;
1317 }
1318
1319/* Scan the reply for well-formed CSA SRV records. */
1320
1321for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1322 rr != NULL;
1323 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1324 {
1325 if (rr->type != T_SRV) continue;
1326
1327 /* Extract the numerical SRV fields (p is incremented) */
1328
1329 p = rr->data;
1330 GETSHORT(priority, p);
1331 GETSHORT(weight, p);
1332 GETSHORT(port, p);
1333
1334 DEBUG(D_acl)
1335 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1336
1337 /* Check the CSA version number */
1338
1339 if (priority != 1) continue;
1340
1341 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1342 found by dns_special_lookup() is a parent of the one we asked for), we check
1343 the subdomain assertions in the port field. At the moment there's only one
1344 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1345 SRV records of their own. */
1346
1347 if (found != domain)
1348 {
1349 if (port & 1)
1350 return t->data.val = CSA_FAIL_EXPLICIT;
1351 else
1352 return t->data.val = CSA_UNKNOWN;
1353 }
1354
1355 /* This CSA SRV record refers directly to our domain, so we check the value
1356 in the weight field to work out the domain's authorization. 0 and 1 are
1357 unauthorized; 3 means the client is authorized but we can't check the IP
1358 address in order to authenticate it, so we treat it as unknown; values
1359 greater than 3 are undefined. */
1360
1361 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1362
1363 if (weight > 2) continue;
1364
1365 /* Weight == 2, which means the domain is authorized. We must check that the
1366 client's IP address is listed as one of the SRV target addresses. Save the
1367 target hostname then break to scan the additional data for its addresses. */
1368
1369 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1370 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1371
1372 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1373
1374 break;
1375 }
1376
1377/* If we didn't break the loop then no appropriate records were found. */
1378
1379if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1380
1381/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1382A target of "." indicates there are no valid addresses, so the client cannot
1383be authorized. (This is an odd configuration because weight=2 target=. is
1384equivalent to weight=1, but we check for it in order to keep load off the
1385root name servers.) Note that dn_expand() turns "." into "". */
1386
1387if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1388
1389/* Scan the additional section of the CSA SRV reply for addresses belonging
1390to the target. If the name server didn't return any additional data (e.g.
1391because it does not fully support SRV records), we need to do another lookup
1392to obtain the target addresses; otherwise we have a definitive result. */
1393
1394rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1395if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1396
1397/* The DNS lookup type corresponds to the IP version used by the client. */
1398
1399#if HAVE_IPV6
1400if (Ustrchr(sender_host_address, ':') != NULL)
1401 type = T_AAAA;
1402else
1403#endif /* HAVE_IPV6 */
1404 type = T_A;
1405
1406
1407#if HAVE_IPV6 && defined(SUPPORT_A6)
1408DNS_LOOKUP_AGAIN:
1409#endif
1410
1411switch (dns_lookup(&dnsa, target, type, NULL))
1412 {
1413 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1414
1415 default:
1416 return t->data.val = CSA_DEFER_ADDR;
1417
1418 /* If the query succeeded, scan the addresses and return the result. */
1419
1420 case DNS_SUCCEED:
1421 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1422 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1423 /* else fall through */
1424
1425 /* If the target has no IP addresses, the client cannot have an authorized
1426 IP address. However, if the target site uses A6 records (not AAAA records)
1427 we have to do yet another lookup in order to check them. */
1428
1429 case DNS_NOMATCH:
1430 case DNS_NODATA:
1431
1432 #if HAVE_IPV6 && defined(SUPPORT_A6)
1433 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1434 #endif
1435
1436 return t->data.val = CSA_FAIL_NOADDR;
1437 }
1438}
1439
1440
1441
059ec3d9
PH		 1442/*************************************************
1443* Handle verification (address & other) *
1444*************************************************/
1445
1446/* This function implements the "verify" condition. It is called when
1447encountered in any ACL, because some tests are almost always permitted. Some
1448just don't make sense, and always fail (for example, an attempt to test a host
1449lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1450
1451Arguments:
1452 where where called from
1453 addr the recipient address that the ACL is handling, or NULL
1454 arg the argument of "verify"
1455 user_msgptr pointer for user message
1456 log_msgptr pointer for log message
1457 basic_errno where to put verify errno
1458
1459Returns: OK verification condition succeeded
1460 FAIL verification failed
1461 DEFER there was a problem verifying
1462 ERROR syntax error
1463*/
1464
1465static int
1466acl_verify(int where, address_item *addr, uschar *arg,
1467 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1468{
1469int sep = '/';
1470int callout = -1;
1471int callout_overall = -1;
4deaf07d 1472int callout_connect = -1;
059ec3d9
PH		 1473int verify_options = 0;
1474int rc;
1475BOOL verify_header_sender = FALSE;
1476BOOL defer_ok = FALSE;
1477BOOL callout_defer_ok = FALSE;
1478BOOL no_details = FALSE;
eafd343b 1479BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1480address_item *sender_vaddr = NULL;
1481uschar *verify_sender_address = NULL;
1482uschar *pm_mailfrom = NULL;
1483uschar *se_mailfrom = NULL;
596875b3
PH		 1484
1485/* Some of the verify items have slash-separated options; some do not. Diagnose
1486an error if options are given for items that don't expect them. This code has
1487now got very message. Refactoring to use a table would be a good idea one day.
1488*/
1489
1490uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1491uschar *list = arg;
1492uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1493
1494if (ss == NULL) goto BAD_VERIFY;
1495
1496/* Handle name/address consistency verification in a separate function. */
1497
1498if (strcmpic(ss, US"reverse_host_lookup") == 0)
1499 {
596875b3 1500 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1501 if (sender_host_address == NULL) return OK;
1502 return acl_verify_reverse(user_msgptr, log_msgptr);
1503 }
1504
1505/* TLS certificate verification is done at STARTTLS time; here we just
1506test whether it was successful or not. (This is for optional verification; for
1507mandatory verification, the connection doesn't last this long.) */
1508
1509if (strcmpic(ss, US"certificate") == 0)
1510 {
596875b3 1511 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1512 if (tls_certificate_verified) return OK;
1513 *user_msgptr = US"no verified certificate";
1514 return FAIL;
1515 }
1516
d7b47fd0
PH		 1517/* We can test the result of optional HELO verification that might have
1518occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1519
596875b3
PH		 1520if (strcmpic(ss, US"helo") == 0)
1521 {
1522 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1523 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1524 return helo_verified? OK : FAIL;
596875b3 1525 }
059ec3d9 1526
e5a9dba6
PH		 1527/* Do Client SMTP Authorization checks in a separate function, and turn the
1528result code into user-friendly strings. */
1529
1530if (strcmpic(ss, US"csa") == 0)
1531 {
1532 rc = acl_verify_csa(list);
1533 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1534 csa_reason_string[rc]);
1535 csa_status = csa_status_string[rc];
1536 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1537 return csa_return_code[rc];
1538 }
1539
596875b3
PH		 1540/* Check that all relevant header lines have the correct syntax. If there is
1541a syntax error, we return details of the error to the sender if configured to
1542send out full details. (But a "message" setting on the ACL can override, as
1543always). */
059ec3d9 1544
596875b3 1545if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1546 {
596875b3 1547 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1548 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1549 rc = verify_check_headers(log_msgptr);
1550 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1551 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1552 return rc;
1553 }
059ec3d9 1554
1c41c9cc
PH		 1555/* Check that no recipient of this message is "blind", that is, every envelope
1556recipient must be mentioned in either To: or Cc:. */
1557
1558if (strcmpic(ss, US"not_blind") == 0)
1559 {
1560 if (slash != NULL) goto NO_OPTIONS;
1561 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1562 rc = verify_check_notblind();
1563 if (rc != OK)
1564 {
1565 *log_msgptr = string_sprintf("bcc recipient detected");
1566 if (smtp_return_error_details)
1567 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1568 }
1569 return rc;
1570 }
059ec3d9 1571
596875b3
PH		 1572/* The remaining verification tests check recipient and sender addresses,
1573either from the envelope or from the header. There are a number of
1574slash-separated options that are common to all of them. */
059ec3d9 1575
059ec3d9 1576
596875b3
PH		 1577/* Check that there is at least one verifiable sender address in the relevant
1578header lines. This can be followed by callout and defer options, just like
1579sender and recipient. */
059ec3d9 1580
596875b3
PH		 1581if (strcmpic(ss, US"header_sender") == 0)
1582 {
1c41c9cc 1583 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1584 verify_header_sender = TRUE;
059ec3d9
PH		 1585 }
1586
1587/* Otherwise, first item in verify argument must be "sender" or "recipient".
1588In the case of a sender, this can optionally be followed by an address to use
1589in place of the actual sender (rare special-case requirement). */
1590
1591else if (strncmpic(ss, US"sender", 6) == 0)
1592 {
1593 uschar *s = ss + 6;
1594 if (where > ACL_WHERE_NOTSMTP)
1595 {
1596 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1597 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1598 acl_wherenames[where]);
1599 return ERROR;
1600 }
1601 if (*s == 0)
1602 verify_sender_address = sender_address;
1603 else
1604 {
1605 while (isspace(*s)) s++;
1606 if (*s++ != '=') goto BAD_VERIFY;
1607 while (isspace(*s)) s++;
1608 verify_sender_address = string_copy(s);
1609 }
1610 }
1611else
1612 {
1613 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1614 if (addr == NULL)
1615 {
1616 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1617 "(only possible for RCPT)", acl_wherenames[where]);
1618 return ERROR;
1619 }
1620 }
1621
596875b3
PH		 1622/* Remaining items are optional; they apply to sender and recipient
1623verification, including "header sender" verification. */
059ec3d9
PH		 1624
1625while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1626 != NULL)
1627 {
1628 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1629 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1630 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1631
1632 /* These two old options are left for backwards compatibility */
1633
1634 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1635 {
1636 callout_defer_ok = TRUE;
1637 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1638 }
1639
1640 else if (strcmpic(ss, US"check_postmaster") == 0)
1641 {
1642 pm_mailfrom = US"";
1643 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1644 }
1645
1646 /* The callout option has a number of sub-options, comma separated */
1647
1648 else if (strncmpic(ss, US"callout", 7) == 0)
1649 {
1650 callout = CALLOUT_TIMEOUT_DEFAULT;
1651 ss += 7;
1652 if (*ss != 0)
1653 {
1654 while (isspace(*ss)) ss++;
1655 if (*ss++ == '=')
1656 {
1657 int optsep = ',';
1658 uschar *opt;
1659 uschar buffer[256];
1660 while (isspace(*ss)) ss++;
8e669ac1
PH		 1661
1662 /* This callout option handling code has become a mess as new options
1663 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1664 kind of table-driven thing. */
8e669ac1 1665
059ec3d9
PH		 1666 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1667 != NULL)
1668 {
1669 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1670 else if (strcmpic(opt, US"no_cache") == 0)
1671 verify_options |= vopt_callout_no_cache;
1672 else if (strcmpic(opt, US"random") == 0)
1673 verify_options |= vopt_callout_random;
1674 else if (strcmpic(opt, US"use_sender") == 0)
1675 verify_options |= vopt_callout_recipsender;
1676 else if (strcmpic(opt, US"use_postmaster") == 0)
1677 verify_options |= vopt_callout_recippmaster;
1678 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1679 else if (strcmpic(opt, US"fullpostmaster") == 0)
1680 {
1681 pm_mailfrom = US"";
1682 verify_options |= vopt_callout_fullpm;
1683 }
059ec3d9
PH		 1684
1685 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1686 {
1687 if (!verify_header_sender)
1688 {
1689 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1690 "callout option only for verify=header_sender (detected in ACL "
1691 "condition \"%s\")", arg);
1692 return ERROR;
1693 }
1694 opt += 8;
1695 while (isspace(*opt)) opt++;
1696 if (*opt++ != '=')
1697 {
1698 *log_msgptr = string_sprintf("'=' expected after "
1699 "\"mailfrom\" in ACL condition \"%s\"", arg);
1700 return ERROR;
1701 }
1702 while (isspace(*opt)) opt++;
1703 se_mailfrom = string_copy(opt);
1704 }
1705
1706 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1707 {
1708 opt += 19;
1709 while (isspace(*opt)) opt++;
1710 if (*opt++ != '=')
1711 {
1712 *log_msgptr = string_sprintf("'=' expected after "
1713 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1714 return ERROR;
1715 }
1716 while (isspace(*opt)) opt++;
1717 pm_mailfrom = string_copy(opt);
1718 }
1719
1720 else if (strncmpic(opt, US"maxwait", 7) == 0)
1721 {
1722 opt += 7;
1723 while (isspace(*opt)) opt++;
1724 if (*opt++ != '=')
1725 {
1726 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1727 "ACL condition \"%s\"", arg);
1728 return ERROR;
1729 }
1730 while (isspace(*opt)) opt++;
1731 callout_overall = readconf_readtime(opt, 0, FALSE);
1732 if (callout_overall < 0)
1733 {
1734 *log_msgptr = string_sprintf("bad time value in ACL condition "
1735 "\"verify %s\"", arg);
1736 return ERROR;
1737 }
1738 }
4deaf07d
PH		 1739 else if (strncmpic(opt, US"connect", 7) == 0)
1740 {
1741 opt += 7;
1742 while (isspace(*opt)) opt++;
1743 if (*opt++ != '=')
1744 {
1745 *log_msgptr = string_sprintf("'=' expected after "
1746 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1747 return ERROR;
1748 }
1749 while (isspace(*opt)) opt++;
1750 callout_connect = readconf_readtime(opt, 0, FALSE);
1751 if (callout_connect < 0)
1752 {
1753 *log_msgptr = string_sprintf("bad time value in ACL condition "
1754 "\"verify %s\"", arg);
1755 return ERROR;
1756 }
1757 }
059ec3d9
PH		 1758 else /* Plain time is callout connect/command timeout */
1759 {
1760 callout = readconf_readtime(opt, 0, FALSE);
1761 if (callout < 0)
1762 {
1763 *log_msgptr = string_sprintf("bad time value in ACL condition "
1764 "\"verify %s\"", arg);
1765 return ERROR;
1766 }
1767 }
1768 }
1769 }
1770 else
1771 {
1772 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1773 "ACL condition \"%s\"", arg);
1774 return ERROR;
1775 }
1776 }
1777 }
1778
1779 /* Option not recognized */
1780
1781 else
1782 {
1783 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1784 "condition \"verify %s\"", ss, arg);
1785 return ERROR;
1786 }
1787 }
1788
1789if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1790 (vopt_callout_recipsender|vopt_callout_recippmaster))
1791 {
1792 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1793 "for a recipient callout";
1794 return ERROR;
1795 }
1796
1797/* Handle sender-in-header verification. Default the user message to the log
1798message if giving out verification details. */
1799
1800if (verify_header_sender)
1801 {
8e669ac1 1802 int verrno;
059ec3d9 1803 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1804 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1805 &verrno);
1806 if (rc != OK)
8e669ac1 1807 {
fe5b5d0b
PH		 1808 *basic_errno = verrno;
1809 if (smtp_return_error_details)
1810 {
1811 if (*user_msgptr == NULL && *log_msgptr != NULL)
1812 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1813 if (rc == DEFER) acl_temp_details = TRUE;
1814 }
8e669ac1 1815 }
059ec3d9
PH		 1816 }
1817
1818/* Handle a sender address. The default is to verify *the* sender address, but
1819optionally a different address can be given, for special requirements. If the
1820address is empty, we are dealing with a bounce message that has no sender, so
1821we cannot do any checking. If the real sender address gets rewritten during
1822verification (e.g. DNS widening), set the flag to stop it being rewritten again
1823during message reception.
1824
1825A list of verified "sender" addresses is kept to try to avoid doing to much
1826work repetitively when there are multiple recipients in a message and they all
1827require sender verification. However, when callouts are involved, it gets too
1828complicated because different recipients may require different callout options.
1829Therefore, we always do a full sender verify when any kind of callout is
1830specified. Caching elsewhere, for instance in the DNS resolver and in the
1831callout handling, should ensure that this is not terribly inefficient. */
1832
1833else if (verify_sender_address != NULL)
1834 {
1835 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1836 != 0)
1837 {
1838 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1839 "sender verify callout";
1840 return ERROR;
1841 }
1842
1843 sender_vaddr = verify_checked_sender(verify_sender_address);
1844 if (sender_vaddr != NULL && /* Previously checked */
1845 callout <= 0) /* No callout needed this time */
1846 {
1847 /* If the "routed" flag is set, it means that routing worked before, so
1848 this check can give OK (the saved return code value, if set, belongs to a
1849 callout that was done previously). If the "routed" flag is not set, routing
1850 must have failed, so we use the saved return code. */
1851
1852 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1853 {
1854 rc = sender_vaddr->special_action;
1855 *basic_errno = sender_vaddr->basic_errno;
1856 }
1857 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1858 }
1859
1860 /* Do a new verification, and cache the result. The cache is used to avoid
1861 verifying the sender multiple times for multiple RCPTs when callouts are not
1862 specified (see comments above).
1863
1864 The cache is also used on failure to give details in response to the first
1865 RCPT that gets bounced for this reason. However, this can be suppressed by
1866 the no_details option, which sets the flag that says "this detail has already
1867 been sent". The cache normally contains just one address, but there may be
1868 more in esoteric circumstances. */
1869
1870 else
1871 {
1872 BOOL routed = TRUE;
2a3eea10 1873 uschar *save_address_data = deliver_address_data;
8e669ac1 1874
059ec3d9
PH		 1875 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1876 if (no_details) setflag(sender_vaddr, af_sverify_told);
1877 if (verify_sender_address[0] != 0)
1878 {
1879 /* If this is the real sender address, save the unrewritten version
1880 for use later in receive. Otherwise, set a flag so that rewriting the
1881 sender in verify_address() does not update sender_address. */
1882
1883 if (verify_sender_address == sender_address)
1884 sender_address_unrewritten = sender_address;
1885 else
1886 verify_options |= vopt_fake_sender;
1887
eafd343b
TK		 1888 if (success_on_redirect)
1889 verify_options |= vopt_success_on_redirect;
1890
059ec3d9
PH		 1891 /* The recipient, qualify, and expn options are never set in
1892 verify_options. */
1893
1894 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1895 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1896
1897 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1898
1899 if (rc == OK)
1900 {
1901 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1902 {
1903 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1904 verify_sender_address, sender_vaddr->address);
1905 }
1906 else
1907 {
1908 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1909 verify_sender_address);
1910 }
1911 }
1912 else *basic_errno = sender_vaddr->basic_errno;
1913 }
1914 else rc = OK; /* Null sender */
1915
1916 /* Cache the result code */
1917
1918 if (routed) setflag(sender_vaddr, af_verify_routed);
1919 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1920 sender_vaddr->special_action = rc;
1921 sender_vaddr->next = sender_verified_list;
1922 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1923
1924 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1925 the sender verification. */
8e669ac1 1926
2a3eea10 1927 deliver_address_data = save_address_data;
059ec3d9 1928 }
8e669ac1 1929
2a3eea10
PH		 1930 /* Put the sender address_data value into $sender_address_data */
1931
8e669ac1 1932 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1933 }
1934
1935/* A recipient address just gets a straightforward verify; again we must handle
1936the DEFER overrides. */
1937
1938else
1939 {
1940 address_item addr2;
1941
eafd343b
TK		 1942 if (success_on_redirect)
1943 verify_options |= vopt_success_on_redirect;
1944
059ec3d9
PH		 1945 /* We must use a copy of the address for verification, because it might
1946 get rewritten. */
1947
1948 addr2 = *addr;
1949 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1950 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1951 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1952
059ec3d9 1953 *log_msgptr = addr2.message;
8e669ac1 1954 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1955 addr2.user_message : addr2.message;
059ec3d9
PH		 1956 *basic_errno = addr2.basic_errno;
1957
1958 /* Make $address_data visible */
1959 deliver_address_data = addr2.p.address_data;
1960 }
1961
1962/* We have a result from the relevant test. Handle defer overrides first. */
1963
1964if (rc == DEFER && (defer_ok ||
1965 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1966 {
1967 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1968 defer_ok? "defer_ok" : "callout_defer_ok");
1969 rc = OK;
1970 }
1971
1972/* If we've failed a sender, set up a recipient message, and point
1973sender_verified_failed to the address item that actually failed. */
1974
1975if (rc != OK && verify_sender_address != NULL)
1976 {
1977 if (rc != DEFER)
1978 {
1979 *log_msgptr = *user_msgptr = US"Sender verify failed";
1980 }
1981 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1982 {
1983 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1984 }
1985 else
1986 {
1987 *log_msgptr = US"Could not complete sender verify callout";
1988 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1989 *log_msgptr;
1990 }
1991
1992 sender_verified_failed = sender_vaddr;
1993 }
1994
1995/* Verifying an address messes up the values of $domain and $local_part,
1996so reset them before returning if this is a RCPT ACL. */
1997
1998if (addr != NULL)
1999 {
2000 deliver_domain = addr->domain;
2001 deliver_localpart = addr->local_part;
2002 }
2003return rc;
2004
2005/* Syntax errors in the verify argument come here. */
2006
2007BAD_VERIFY:
2008*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2009 "\"helo\", \"header_syntax\", \"header_sender\" or "
2010 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2011 "\"verify %s\"", arg);
2012return ERROR;
596875b3
PH		 2013
2014/* Options supplied when not allowed come here */
2015
2016NO_OPTIONS:
2017*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2018 "(this verify item has no options)", arg);
2019return ERROR;
1c41c9cc
PH		 2020
2021/* Calls in the wrong ACL come here */
2022
2023WRONG_ACL:
2024*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2025 "(only possible in ACL for DATA)", acl_wherenames[where]);
2026return ERROR;
059ec3d9
PH		 2027}
2028
2029
2030
2031
2032/*************************************************
2033* Check argument for control= modifier *
2034*************************************************/
2035
2036/* Called from acl_check_condition() below
2037
2038Arguments:
2039 arg the argument string for control=
2040 pptr set to point to the terminating character
2041 where which ACL we are in
2042 log_msgptr for error messages
2043
2044Returns: CONTROL_xxx value
2045*/
2046
2047static int
2048decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2049{
2050int len;
2051control_def *d;
2052
2053for (d = controls_list;
2054 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2055 d++)
2056 {
2057 len = Ustrlen(d->name);
2058 if (Ustrncmp(d->name, arg, len) == 0) break;
2059 }
2060
2061if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2062 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2063 {
2064 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2065 return CONTROL_ERROR;
2066 }
2067
059ec3d9
PH		 2068*pptr = arg + len;
2069return d->value;
2070}
2071
2072
2073
870f6ba8
TF		 2074/*************************************************
2075* Handle rate limiting *
2076*************************************************/
2077
2078/* Called by acl_check_condition() below to calculate the result
2079of the ACL ratelimit condition.
2080
2081Note that the return value might be slightly unexpected: if the
2082sender's rate is above the limit then the result is OK. This is
2083similar to the dnslists condition, and is so that you can write
2084ACL clauses like: defer ratelimit = 15 / 1h
2085
2086Arguments:
2087 arg the option string for ratelimit=
90fc3069 2088 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2089 log_msgptr for error messages
2090
2091Returns: OK - Sender's rate is above limit
2092 FAIL - Sender's rate is below limit
2093 DEFER - Problem opening ratelimit database
2094 ERROR - Syntax error in options.
2095*/
2096
2097static int
90fc3069 2098acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2099{
2100double limit, period;
f3dcf4a2 2101uschar *ss, *key;
870f6ba8
TF		 2102int sep = '/';
2103BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2104BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2105int old_pool, rc;
2106tree_node **anchor, *t;
2107open_db dbblock, *dbm;
2108dbdata_ratelimit *dbd;
2109struct timeval tv;
2110
2111/* Parse the first two options and record their values in expansion
2112variables. These variables allow the configuration to have informative
2113error messages based on rate limits obtained from a table lookup. */
2114
2115/* First is the maximum number of messages per period and maximum burst
2116size, which must be greater than or equal to zero. Zero is useful for
2117rate measurement as opposed to rate limiting. */
2118
2119sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2120if (sender_rate_limit == NULL)
2121 limit = -1.0;
2122else
2123 {
2124 limit = Ustrtod(sender_rate_limit, &ss);
2125 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2126 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2127 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2128 }
2129if (limit < 0.0 || *ss != 0)
2130 {
2131 *log_msgptr = string_sprintf("syntax error in argument for "
2132 "\"ratelimit\" condition: \"%s\" is not a positive number",
2133 sender_rate_limit);
2134 return ERROR;
2135 }
2136
f3dcf4a2
TF		 2137/* We use the rest of the argument list following the limit as the
2138lookup key, because it doesn't make sense to use the same stored data
2139if the period or options are different. */
2140
2141key = arg;
2142
870f6ba8
TF		 2143/* Second is the rate measurement period and exponential smoothing time
2144constant. This must be strictly greater than zero, because zero leads to
2145run-time division errors. */
2146
2147sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2148if (sender_rate_period == NULL) period = -1.0;
2149else period = readconf_readtime(sender_rate_period, 0, FALSE);
2150if (period <= 0.0)
2151 {
2152 *log_msgptr = string_sprintf("syntax error in argument for "
2153 "\"ratelimit\" condition: \"%s\" is not a time value",
2154 sender_rate_period);
2155 return ERROR;
2156 }
2157
2158/* Parse the other options. Should we check if the per_* options are being
2159used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2160
2161while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2162 != NULL)
2163 {
2164 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2165 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2166 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2167 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2168 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2169 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2170 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2171 else have_key = TRUE;
2172 }
2173if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2174 {
2175 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2176 return ERROR;
2177 }
2178
2179/* Default option values */
2180if (!strict) leaky = TRUE;
2181if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2182
f3dcf4a2 2183/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2184sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2185
2186if (!have_key && sender_host_address != NULL)
2187 key = string_sprintf("%s / %s", key, sender_host_address);
2188
2189HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2190 limit, period, key);
2191
fe0dab11 2192/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2193per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2194so that they survive across resets. */
2195
2196anchor = NULL;
2197old_pool = store_pool;
2198
2199if (per_conn)
2200 {
2201 anchor = &ratelimiters_conn;
2202 store_pool = POOL_PERM;
2203 }
fe0dab11 2204else if (per_mail || per_byte)
870f6ba8 2205 anchor = &ratelimiters_mail;
fe0dab11
TF		 2206else if (per_cmd)
2207 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2208
2209if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2210 {
2211 dbd = t->data.ptr;
2212 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2213 if (dbd->rate < limit) rc = FAIL;
2214 else rc = OK;
870f6ba8
TF		 2215 store_pool = old_pool;
2216 sender_rate = string_sprintf("%.1f", dbd->rate);
2217 HDEBUG(D_acl)
2218 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2219 return rc;
2220 }
2221
2222/* We aren't using a pre-computed rate, so get a previously recorded
2223rate from the database, update it, and write it back. If there's no
2224previous rate for this key, create one. */
2225
2226dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2227if (dbm == NULL)
2228 {
2229 store_pool = old_pool;
2230 sender_rate = NULL;
2231 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2232 *log_msgptr = US"ratelimit database not available";
2233 return DEFER;
2234 }
2235dbd = dbfn_read(dbm, key);
2236
2237gettimeofday(&tv, NULL);
2238
2239if (dbd == NULL)
2240 {
2241 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2242 dbd = store_get(sizeof(dbdata_ratelimit));
2243 dbd->time_stamp = tv.tv_sec;
2244 dbd->time_usec = tv.tv_usec;
2245 dbd->rate = 0.0;
2246 }
2247else
2248 {
2249 /* The smoothed rate is computed using an exponentially weighted moving
2250 average adjusted for variable sampling intervals. The standard EWMA for
2251 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2252 where f() is the measured value and f'() is the smoothed value.
2253
2254 Old data decays out of the smoothed value exponentially, such that data n
2255 samples old is multiplied by a^n. The exponential decay time constant p
2256 is defined such that data p samples old is multiplied by 1/e, which means
2257 that a = exp(-1/p). We can maintain the same time constant for a variable
2258 sampling interval i by using a = exp(-i/p).
2259
2260 The rate we are measuring is messages per period, suitable for directly
2261 comparing with the limit. The average rate between now and the previous
2262 message is period / interval, which we feed into the EWMA as the sample.
2263
2264 It turns out that the number of messages required for the smoothed rate
2265 to reach the limit when they are sent in a burst is equal to the limit.
2266 This can be seen by analysing the value of the smoothed rate after N
2267 messages sent at even intervals. Let k = (1 - a) * p/i
2268
2269 rate_1 = (1 - a) * p/i + a * rate_0
2270 = k + a * rate_0
2271 rate_2 = k + a * rate_1
2272 = k + a * k + a^2 * rate_0
2273 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2274 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2275 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2276 = rate_0 * a^N + p/i * (1 - a^N)
2277
2278 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2279
2280 rate_N = p/i + (rate_0 - p/i) * a^N
2281 a^N = (rate_N - p/i) / (rate_0 - p/i)
2282 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2283 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2284
2285 Numerical analysis of the above equation, setting the computed rate to
2286 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2287 rates, p/i, the number of messages N = limit. So limit serves as both the
2288 maximum rate measured in messages per period, and the maximum number of
2289 messages that can be sent in a fast burst. */
2290
2291 double this_time = (double)tv.tv_sec
2292 + (double)tv.tv_usec / 1000000.0;
2293 double prev_time = (double)dbd->time_stamp
2294 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2295
2296 /* We must avoid division by zero, and deal gracefully with the clock going
2297 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2298 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2299
e5d5a95f
TF		 2300 double interval = this_time - prev_time <= 0.0 ? 1e-9
2301 : this_time - prev_time;
2302
2303 double i_over_p = interval / period;
2304 double a = exp(-i_over_p);
870f6ba8
TF		 2305
2306 dbd->time_stamp = tv.tv_sec;
2307 dbd->time_usec = tv.tv_usec;
2308
2309 /* If we are measuring the rate in bytes per period, multiply the
2310 measured rate by the message size. If we don't know the message size
2311 then it's safe to just use a value of zero and let the recorded rate
2312 decay as if nothing happened. */
2313
2314 if (per_byte)
2315 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2316 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2317 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2318 dbd->rate = (double)recipients_count
2319 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2320 else
2321 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2322 }
2323
3348576f
TF		 2324/* Clients sending at the limit are considered to be over the limit. This
2325matters for edge cases such the first message sent by a client (which gets
2326the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2327be completely blocked). */
2328
2329if (dbd->rate < limit) rc = FAIL;
2330 else rc = OK;
870f6ba8
TF		 2331
2332/* Update the state if the rate is low or if we are being strict. If we
2333are in leaky mode and the sender's rate is too high, we do not update
2334the recorded rate in order to avoid an over-aggressive sender's retry
2335rate preventing them from getting any email through. */
2336
2337if (rc == FAIL || !leaky)
2338 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2339dbfn_close(dbm);
2340
2341/* Store the result in the tree for future reference, if necessary. */
2342
2343if (anchor != NULL)
2344 {
2345 t = store_get(sizeof(tree_node) + Ustrlen(key));
2346 t->data.ptr = dbd;
2347 Ustrcpy(t->name, key);
2348 (void)tree_insertnode(anchor, t);
2349 }
2350
2351/* We create the formatted version of the sender's rate very late in
2352order to ensure that it is done using the correct storage pool. */
2353
2354store_pool = old_pool;
2355sender_rate = string_sprintf("%.1f", dbd->rate);
2356
2357HDEBUG(D_acl)
2358 debug_printf("ratelimit computed rate %s\n", sender_rate);
2359
2360return rc;
2361}
2362
2363
2364
059ec3d9
PH		 2365/*************************************************
2366* Handle conditions/modifiers on an ACL item *
2367*************************************************/
2368
2369/* Called from acl_check() below.
2370
2371Arguments:
2372 verb ACL verb
2373 cb ACL condition block - if NULL, result is OK
2374 where where called from
2375 addr the address being checked for RCPT, or NULL
2376 level the nesting level
2377 epp pointer to pass back TRUE if "endpass" encountered
2378 (applies only to "accept" and "discard")
2379 user_msgptr user message pointer
2380 log_msgptr log message pointer
2381 basic_errno pointer to where to put verify error
2382
2383Returns: OK - all conditions are met
2384 DISCARD - an "acl" condition returned DISCARD - only allowed
2385 for "accept" or "discard" verbs
2386 FAIL - at least one condition fails
2387 FAIL_DROP - an "acl" condition returned FAIL_DROP
2388 DEFER - can't tell at the moment (typically, lookup defer,
2389 but can be temporary callout problem)
2390 ERROR - ERROR from nested ACL or expansion failure or other
2391 error
2392*/
2393
2394static int
2395acl_check_condition(int verb, acl_condition_block *cb, int where,
2396 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2397 uschar **log_msgptr, int *basic_errno)
2398{
2399uschar *user_message = NULL;
2400uschar *log_message = NULL;
91ecef39 2401uschar *p = NULL;
059ec3d9 2402int rc = OK;
8523533c
TK		 2403#ifdef WITH_CONTENT_SCAN
2404int sep = '/';
2405#endif
059ec3d9
PH		 2406
2407for (; cb != NULL; cb = cb->next)
2408 {
2409 uschar *arg;
8e669ac1 2410 int control_type;
059ec3d9
PH		 2411
2412 /* The message and log_message items set up messages to be used in
2413 case of rejection. They are expanded later. */
2414
2415 if (cb->type == ACLC_MESSAGE)
2416 {
2417 user_message = cb->arg;
2418 continue;
2419 }
2420
2421 if (cb->type == ACLC_LOG_MESSAGE)
2422 {
2423 log_message = cb->arg;
2424 continue;
2425 }
2426
2427 /* The endpass "condition" just sets a flag to show it occurred. This is
2428 checked at compile time to be on an "accept" or "discard" item. */
2429
2430 if (cb->type == ACLC_ENDPASS)
2431 {
2432 *epp = TRUE;
2433 continue;
2434 }
2435
2436 /* For other conditions and modifiers, the argument is expanded now for some
2437 of them, but not for all, because expansion happens down in some lower level
2438 checking functions in some cases. */
2439
2440 if (cond_expand_at_top[cb->type])
2441 {
2442 arg = expand_string(cb->arg);
2443 if (arg == NULL)
2444 {
2445 if (expand_string_forcedfail) continue;
2446 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2447 cb->arg, expand_string_message);
2448 return search_find_defer? DEFER : ERROR;
2449 }
2450 }
2451 else arg = cb->arg;
2452
2453 /* Show condition, and expanded condition if it's different */
2454
2455 HDEBUG(D_acl)
2456 {
2457 int lhswidth = 0;
2458 debug_printf("check %s%s %n",
2459 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2460 conditions[cb->type], &lhswidth);
2461
2462 if (cb->type == ACLC_SET)
2463 {
38a0a95f
PH		 2464 debug_printf("acl_%s ", cb->u.varname);
2465 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2466 }
2467
2468 debug_printf("= %s\n", cb->arg);
2469
2470 if (arg != cb->arg)
2471 debug_printf("%.*s= %s\n", lhswidth,
2472 US" ", CS arg);
2473 }
2474
2475 /* Check that this condition makes sense at this time */
2476
2477 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2478 {
2479 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2480 cond_modifiers[cb->type]? "use" : "test",
2481 conditions[cb->type], acl_wherenames[where]);
2482 return ERROR;
2483 }
2484
2485 /* Run the appropriate test for each condition, or take the appropriate
2486 action for the remaining modifiers. */
2487
2488 switch(cb->type)
2489 {
71fafd95
PH		 2490 case ACLC_ADD_HEADER:
2491 setup_header(arg);
2492 break;
2493
059ec3d9
PH		 2494 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2495 "discard" verb. */
71fafd95 2496
059ec3d9
PH		 2497 case ACLC_ACL:
2498 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2499 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2500 {
2501 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2502 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2503 verbs[verb]);
2504 return ERROR;
2505 }
2506 break;
2507
2508 case ACLC_AUTHENTICATED:
2509 rc = (sender_host_authenticated == NULL)? FAIL :
2510 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2511 TRUE, NULL);
2512 break;
2513
71fafd95 2514 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2515 case ACLC_BMI_OPTIN:
2516 {
2517 int old_pool = store_pool;
2518 store_pool = POOL_PERM;
2519 bmi_current_optin = string_copy(arg);
2520 store_pool = old_pool;
2521 }
2522 break;
71fafd95 2523 #endif
8523533c 2524
059ec3d9
PH		 2525 case ACLC_CONDITION:
2526 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2527 rc = (Uatoi(arg) == 0)? FAIL : OK;
2528 else
2529 rc = (strcmpic(arg, US"no") == 0 ||
2530 strcmpic(arg, US"false") == 0)? FAIL :
2531 (strcmpic(arg, US"yes") == 0 ||
2532 strcmpic(arg, US"true") == 0)? OK : DEFER;
2533 if (rc == DEFER)
2534 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2535 break;
2536
2537 case ACLC_CONTROL:
c5fcb476
PH		 2538 control_type = decode_control(arg, &p, where, log_msgptr);
2539
8523533c 2540 /* Check if this control makes sense at this time */
c5fcb476
PH		 2541
2542 if ((control_forbids[control_type] & (1 << where)) != 0)
2543 {
2544 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2545 controls[control_type], acl_wherenames[where]);
2546 return ERROR;
8e669ac1 2547 }
c5fcb476
PH		 2548
2549 switch(control_type)
059ec3d9 2550 {
c46782ef
PH		 2551 case CONTROL_AUTH_UNADVERTISED:
2552 allow_auth_unadvertised = TRUE;
2553 break;
2554
2555 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2556 case CONTROL_BMI_RUN:
2557 bmi_run = 1;
2558 break;
c46782ef
PH		 2559 #endif
2560
2561 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2562 case CONTROL_DK_VERIFY:
2563 dk_do_verify = 1;
2564 break;
c46782ef
PH		 2565 #endif
2566
059ec3d9
PH		 2567 case CONTROL_ERROR:
2568 return ERROR;
2569
2570 case CONTROL_CASEFUL_LOCAL_PART:
2571 deliver_localpart = addr->cc_local_part;
2572 break;
2573
2574 case CONTROL_CASELOWER_LOCAL_PART:
2575 deliver_localpart = addr->lc_local_part;
2576 break;
2577
2578 case CONTROL_ENFORCE_SYNC:
2579 smtp_enforce_sync = TRUE;
2580 break;
2581
2582 case CONTROL_NO_ENFORCE_SYNC:
2583 smtp_enforce_sync = FALSE;
2584 break;
2585
c46782ef 2586 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2587 case CONTROL_NO_MBOX_UNSPOOL:
2588 no_mbox_unspool = TRUE;
2589 break;
c46782ef 2590 #endif
8523533c 2591
059ec3d9
PH		 2592 case CONTROL_NO_MULTILINE:
2593 no_multiline_responses = TRUE;
2594 break;
2595
29aba418 2596 case CONTROL_FAKEDEFER:
8523533c 2597 case CONTROL_FAKEREJECT:
29aba418 2598 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2599 if (*p == '/')
8e669ac1 2600 {
8523533c 2601 uschar *pp = p + 1;
8e669ac1 2602 while (*pp != 0) pp++;
29aba418 2603 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2604 p = pp;
2605 }
2606 else
2607 {
2608 /* Explicitly reset to default string */
29aba418 2609 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2610 }
2611 break;
8523533c 2612
059ec3d9
PH		 2613 case CONTROL_FREEZE:
2614 deliver_freeze = TRUE;
2615 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2616 freeze_tell = freeze_tell_config; /* Reset to configured value */
2617 if (Ustrncmp(p, "/no_tell", 8) == 0)
2618 {
2619 p += 8;
2620 freeze_tell = NULL;
2621 }
2622 if (*p != 0)
2623 {
2624 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2625 return ERROR;
2626 }
059ec3d9
PH		 2627 break;
2628
2629 case CONTROL_QUEUE_ONLY:
2630 queue_only_policy = TRUE;
2631 break;
2632
2633 case CONTROL_SUBMISSION:
87ba3f5f 2634 originator_name = US"";
059ec3d9 2635 submission_mode = TRUE;
69358f02 2636 while (*p == '/')
8e669ac1 2637 {
69358f02
PH		 2638 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2639 {
2640 p += 14;
2641 active_local_sender_retain = TRUE;
8e669ac1
PH		 2642 active_local_from_check = FALSE;
2643 }
69358f02
PH		 2644 else if (Ustrncmp(p, "/domain=", 8) == 0)
2645 {
2646 uschar *pp = p + 8;
8e669ac1 2647 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2648 submission_domain = string_copyn(p+8, pp-p-8);
2649 p = pp;
2650 }
8857ccfd
PH		 2651 /* The name= option must be last, because it swallows the rest of
2652 the string. */
87ba3f5f
PH		 2653 else if (Ustrncmp(p, "/name=", 6) == 0)
2654 {
2655 uschar *pp = p + 6;
8857ccfd 2656 while (*pp != 0) pp++;
2fe1a124 2657 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2658 big_buffer, big_buffer_size));
8e669ac1 2659 p = pp;
69358f02 2660 }
8e669ac1
PH		 2661 else break;
2662 }
69358f02 2663 if (*p != 0)
059ec3d9 2664 {
69358f02 2665 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2666 return ERROR;
2667 }
2668 break;
8800895a
PH		 2669
2670 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2671 suppress_local_fixups = TRUE;
2672 break;
059ec3d9
PH		 2673 }
2674 break;
2675
71fafd95 2676 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2677 case ACLC_DECODE:
2678 rc = mime_decode(&arg);
2679 break;
71fafd95 2680 #endif
8523533c 2681
059ec3d9
PH		 2682 case ACLC_DELAY:
2683 {
2684 int delay = readconf_readtime(arg, 0, FALSE);
2685 if (delay < 0)
2686 {
2687 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2688 "modifier: \"%s\" is not a time value", arg);
2689 return ERROR;
2690 }
2691 else
2692 {
2693 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2694 delay);
2695 if (host_checking)
2696 {
2697 HDEBUG(D_acl)
2698 debug_printf("delay skipped in -bh checking mode\n");
2699 }
010c2d14
PH		 2700
2701 /* It appears to be impossible to detect that a TCP/IP connection has
2702 gone away without reading from it. This means that we cannot shorten
2703 the delay below if the client goes away, because we cannot discover
2704 that the client has closed its end of the connection. (The connection
2705 is actually in a half-closed state, waiting for the server to close its
2706 end.) It would be nice to be able to detect this state, so that the
2707 Exim process is not held up unnecessarily. However, it seems that we
2708 can't. The poll() function does not do the right thing, and in any case
2709 it is not always available.
2710
2711 NOTE: If ever this state of affairs changes, remember that we may be
2712 dealing with stdin/stdout here, in addition to TCP/IP connections.
2713 Whatever is done must work in both cases. To detected the stdin/stdout
2714 case, check for smtp_in or smtp_out being NULL. */
2715
8e669ac1 2716 else
86b8287f
PH		 2717 {
2718 while (delay > 0) delay = sleep(delay);
8e669ac1 2719 }
059ec3d9
PH		 2720 }
2721 }
2722 break;
2723
71fafd95 2724 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2725 case ACLC_DEMIME:
2726 rc = demime(&arg);
2727 break;
71fafd95 2728 #endif
8523533c 2729
71fafd95
PH		 2730 #ifdef EXPERIMENTAL_DOMAINKEYS
2731 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2732 if (dk_verify_block == NULL) { rc = FAIL; break; };
2733 /* check header source of domain against given string */
2734 switch (dk_verify_block->address_source) {
2735 case DK_EXIM_ADDRESS_FROM_FROM:
2736 rc = match_isinlist(US"from", &arg, 0, NULL,
2737 NULL, MCL_STRING, TRUE, NULL);
2738 break;
2739 case DK_EXIM_ADDRESS_FROM_SENDER:
2740 rc = match_isinlist(US"sender", &arg, 0, NULL,
2741 NULL, MCL_STRING, TRUE, NULL);
2742 break;
2743 case DK_EXIM_ADDRESS_NONE:
2744 rc = match_isinlist(US"none", &arg, 0, NULL,
2745 NULL, MCL_STRING, TRUE, NULL);
2746 break;
71fafd95
PH		 2747 }
2748 break;
2749
2750 case ACLC_DK_POLICY:
fb2274d4
TK		 2751 if (dk_verify_block == NULL) { rc = FAIL; break; };
2752 /* check policy against given string, default FAIL */
2753 rc = FAIL;
2754 if (dk_verify_block->signsall)
2755 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2756 NULL, MCL_STRING, TRUE, NULL);
2757 if (dk_verify_block->testing)
2758 rc = match_isinlist(US"testing", &arg, 0, NULL,
2759 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2760 break;
2761
2762 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2763 if (dk_verify_block == NULL) { rc = FAIL; break; };
2764 if (dk_verify_block->domain != NULL)
2765 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2766 NULL, MCL_DOMAIN, TRUE, NULL);
2767 else rc = FAIL;
71fafd95
PH		 2768 break;
2769
2770 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2771 if (dk_verify_block == NULL) { rc = FAIL; break; };
2772 if (dk_verify_block->local_part != NULL)
2773 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2774 NULL, MCL_LOCALPART, TRUE, NULL);
2775 else rc = FAIL;
71fafd95
PH		 2776 break;
2777
2778 case ACLC_DK_SENDERS:
fb2274d4
TK		 2779 if (dk_verify_block == NULL) { rc = FAIL; break; };
2780 if (dk_verify_block->address != NULL)
2781 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2782 else rc = FAIL;
71fafd95
PH		 2783 break;
2784
2785 case ACLC_DK_STATUS:
fb2274d4
TK		 2786 if (dk_verify_block == NULL) { rc = FAIL; break; };
2787 if (dk_verify_block->result > 0) {
2788 switch(dk_verify_block->result) {
2789 case DK_EXIM_RESULT_BAD_FORMAT:
2790 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2791 NULL, MCL_STRING, TRUE, NULL);
2792 break;
2793 case DK_EXIM_RESULT_NO_KEY:
2794 rc = match_isinlist(US"no key", &arg, 0, NULL,
2795 NULL, MCL_STRING, TRUE, NULL);
2796 break;
2797 case DK_EXIM_RESULT_NO_SIGNATURE:
2798 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2799 NULL, MCL_STRING, TRUE, NULL);
2800 break;
2801 case DK_EXIM_RESULT_REVOKED:
2802 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2803 NULL, MCL_STRING, TRUE, NULL);
2804 break;
2805 case DK_EXIM_RESULT_NON_PARTICIPANT:
2806 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2807 NULL, MCL_STRING, TRUE, NULL);
2808 break;
2809 case DK_EXIM_RESULT_GOOD:
2810 rc = match_isinlist(US"good", &arg, 0, NULL,
2811 NULL, MCL_STRING, TRUE, NULL);
2812 break;
2813 case DK_EXIM_RESULT_BAD:
2814 rc = match_isinlist(US"bad", &arg, 0, NULL,
2815 NULL, MCL_STRING, TRUE, NULL);
2816 break;
71fafd95 2817 }
fb2274d4 2818 }
71fafd95
PH		 2819 break;
2820 #endif
fb2274d4 2821
059ec3d9
PH		 2822 case ACLC_DNSLISTS:
2823 rc = verify_check_dnsbl(&arg);
2824 break;
2825
2826 case ACLC_DOMAINS:
2827 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2828 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2829 break;
2830
2831 /* The value in tls_cipher is the full cipher name, for example,
2832 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2833 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2834 what may in practice come out of the SSL library - which at the time of
2835 writing is poorly documented. */
2836
2837 case ACLC_ENCRYPTED:
2838 if (tls_cipher == NULL) rc = FAIL; else
2839 {
2840 uschar *endcipher = NULL;
2841 uschar *cipher = Ustrchr(tls_cipher, ':');
2842 if (cipher == NULL) cipher = tls_cipher; else
2843 {
2844 endcipher = Ustrchr(++cipher, ':');
2845 if (endcipher != NULL) *endcipher = 0;
2846 }
2847 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2848 if (endcipher != NULL) *endcipher = ':';
2849 }
2850 break;
2851
2852 /* Use verify_check_this_host() instead of verify_check_host() so that
2853 we can pass over &host_data to catch any looked up data. Once it has been
2854 set, it retains its value so that it's still there if another ACL verb
2855 comes through here and uses the cache. However, we must put it into
2856 permanent store in case it is also expected to be used in a subsequent
2857 message in the same SMTP connection. */
2858
2859 case ACLC_HOSTS:
2860 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2861 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2862 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2863 break;
2864
2865 case ACLC_LOCAL_PARTS:
2866 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2867 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2868 &deliver_localpart_data);
2869 break;
2870
6ea85e9a
PH		 2871 case ACLC_LOG_REJECT_TARGET:
2872 {
2873 int logbits = 0;
2874 int sep = 0;
2875 uschar *s = arg;
2876 uschar *ss;
2877 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2878 != NULL)
2879 {
2880 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2881 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2882 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2883 else
2884 {
2885 logbits |= LOG_MAIN|LOG_REJECT;
2886 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2887 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2888 }
2889 }
2890 log_reject_target = logbits;
2891 }
2892 break;
2893
059ec3d9
PH		 2894 case ACLC_LOGWRITE:
2895 {
2896 int logbits = 0;
2897 uschar *s = arg;
2898 if (*s == ':')
2899 {
2900 s++;
2901 while (*s != ':')
2902 {
2903 if (Ustrncmp(s, "main", 4) == 0)
2904 { logbits |= LOG_MAIN; s += 4; }
2905 else if (Ustrncmp(s, "panic", 5) == 0)
2906 { logbits |= LOG_PANIC; s += 5; }
2907 else if (Ustrncmp(s, "reject", 6) == 0)
2908 { logbits |= LOG_REJECT; s += 6; }
2909 else
2910 {
2911 logbits = LOG_MAIN|LOG_PANIC;
2912 s = string_sprintf(":unknown log name in \"%s\" in "
2913 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2914 }
2915 if (*s == ',') s++;
2916 }
2917 s++;
2918 }
2919 while (isspace(*s)) s++;
6ea85e9a
PH		 2920
2921
059ec3d9
PH		 2922 if (logbits == 0) logbits = LOG_MAIN;
2923 log_write(0, logbits, "%s", string_printing(s));
2924 }
2925 break;
8e669ac1 2926
71fafd95 2927 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2928 case ACLC_MALWARE:
2929 {
6ea85e9a 2930 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2931 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2932 /* Run the malware backend. */
2933 rc = malware(&ss);
2934 /* Modify return code based upon the existance of options. */
2935 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2936 != NULL) {
2937 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2938 {
2939 /* FAIL so that the message is passed to the next ACL */
2940 rc = FAIL;
2941 }
2942 }
2943 }
2944 break;
2945
2946 case ACLC_MIME_REGEX:
71fafd95 2947 rc = mime_regex(&arg);
8523533c 2948 break;
71fafd95 2949 #endif
059ec3d9 2950
870f6ba8 2951 case ACLC_RATELIMIT:
90fc3069 2952 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2953 break;
2954
059ec3d9
PH		 2955 case ACLC_RECIPIENTS:
2956 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2957 &recipient_data);
2958 break;
2959
71fafd95
PH		 2960 #ifdef WITH_CONTENT_SCAN
2961 case ACLC_REGEX:
2962 rc = regex(&arg);
8523533c 2963 break;
71fafd95 2964 #endif
8523533c 2965
059ec3d9
PH		 2966 case ACLC_SENDER_DOMAINS:
2967 {
2968 uschar *sdomain;
2969 sdomain = Ustrrchr(sender_address, '@');
2970 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2971 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2972 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2973 }
2974 break;
2975
2976 case ACLC_SENDERS:
2977 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2978 sender_address_cache, -1, 0, &sender_data);
2979 break;
2980
2981 /* Connection variables must persist forever */
2982
2983 case ACLC_SET:
2984 {
2985 int old_pool = store_pool;
38a0a95f
PH		 2986 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
2987 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 2988 store_pool = old_pool;
2989 }
2990 break;
2991
71fafd95 2992 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2993 case ACLC_SPAM:
2994 {
2995 /* Seperate the regular expression and any optional parameters. */
2996 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2997 /* Run the spam backend. */
2998 rc = spam(&ss);
2999 /* Modify return code based upon the existance of options. */
3000 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3001 != NULL) {
3002 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3003 {
3004 /* FAIL so that the message is passed to the next ACL */
3005 rc = FAIL;
3006 }
3007 }
3008 }
3009 break;
71fafd95 3010 #endif
8523533c 3011
71fafd95 3012 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 3013 case ACLC_SPF:
3014 rc = spf_process(&arg, sender_address);
3015 break;
71fafd95 3016 #endif
8523533c 3017
059ec3d9
PH		 3018 /* If the verb is WARN, discard any user message from verification, because
3019 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3020 only from explicit "message" modifiers. However, put the user message into
3021 $acl_verify_message so it can be used in subsequent conditions or modifiers
3022 (until something changes it). */
059ec3d9
PH		 3023
3024 case ACLC_VERIFY:
3025 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3026 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3027 if (verb == ACL_WARN) *user_msgptr = NULL;
3028 break;
3029
3030 default:
3031 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3032 "condition %d", cb->type);
3033 break;
3034 }
3035
3036 /* If a condition was negated, invert OK/FAIL. */
3037
3038 if (!cond_modifiers[cb->type] && cb->u.negated)
3039 {
3040 if (rc == OK) rc = FAIL;
3041 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3042 }
3043
3044 if (rc != OK) break; /* Conditions loop */
3045 }
3046
3047
3048/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3049handle the values of these modifiers. If there isn't a log message set, we make
3050it the same as the user message.
059ec3d9
PH		 3051
3052"message" is a user message that will be included in an SMTP response. Unless
3053it is empty, it overrides any previously set user message.
3054
3055"log_message" is a non-user message, and it adds to any existing non-user
3056message that is already set.
3057
4e88a19f
PH		 3058Most verbs have but a single return for which the messages are relevant, but
3059for "discard", it's useful to have the log message both when it succeeds and
3060when it fails. For "accept", the message is used in the OK case if there is no
3061"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3062present. */
059ec3d9 3063
4e88a19f
PH		 3064if (*epp && rc == OK) user_message = NULL;
3065
3066if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3067 {
3068 uschar *expmessage;
4e88a19f
PH		 3069 uschar *old_user_msgptr = *user_msgptr;
3070 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3071
3072 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3073 nested ACLs) are always discarded. This also happens for acceptance verbs
3074 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3075 However, the value of an existing message is available in $acl_verify_message
3076 during expansions. */
3077
4e88a19f
PH		 3078 if (verb == ACL_WARN ||
3079 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3080 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3081
3082 if (user_message != NULL)
3083 {
3084 acl_verify_message = old_user_msgptr;
3085 expmessage = expand_string(user_message);
3086 if (expmessage == NULL)
3087 {
3088 if (!expand_string_forcedfail)
3089 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3090 user_message, expand_string_message);
3091 }
3092 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3093 }
3094
3095 if (log_message != NULL)
3096 {
3097 acl_verify_message = old_log_msgptr;
3098 expmessage = expand_string(log_message);
3099 if (expmessage == NULL)
3100 {
3101 if (!expand_string_forcedfail)
3102 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3103 log_message, expand_string_message);
3104 }
3105 else if (expmessage[0] != 0)
3106 {
3107 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3108 string_sprintf("%s: %s", expmessage, *log_msgptr);
3109 }
3110 }
3111
3112 /* If no log message, default it to the user message */
3113
3114 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3115 }
3116
3117acl_verify_message = NULL;
3118return rc;
3119}
3120
3121
3122
3123
3124
3125/*************************************************
3126* Get line from a literal ACL *
3127*************************************************/
3128
3129/* This function is passed to acl_read() in order to extract individual lines
3130of a literal ACL, which we access via static pointers. We can destroy the
3131contents because this is called only once (the compiled ACL is remembered).
3132
3133This code is intended to treat the data in the same way as lines in the main
3134Exim configuration file. That is:
3135
3136 . Leading spaces are ignored.
3137
3138 . A \ at the end of a line is a continuation - trailing spaces after the \
3139 are permitted (this is because I don't believe in making invisible things
3140 significant). Leading spaces on the continued part of a line are ignored.
3141
3142 . Physical lines starting (significantly) with # are totally ignored, and
3143 may appear within a sequence of backslash-continued lines.
3144
3145 . Blank lines are ignored, but will end a sequence of continuations.
3146
3147Arguments: none
3148Returns: a pointer to the next line
3149*/
3150
3151
3152static uschar *acl_text; /* Current pointer in the text */
3153static uschar *acl_text_end; /* Points one past the terminating '0' */
3154
3155
3156static uschar *
3157acl_getline(void)
3158{
3159uschar *yield;
3160
3161/* This loop handles leading blank lines and comments. */
3162
3163for(;;)
3164 {
3165 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3166 if (*acl_text == 0) return NULL; /* No more data */
3167 yield = acl_text; /* Potential data line */
3168
3169 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3170
3171 /* If we hit the end before a newline, we have the whole logical line. If
3172 it's a comment, there's no more data to be given. Otherwise, yield it. */
3173
3174 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3175
3176 /* After reaching a newline, end this loop if the physical line does not
3177 start with '#'. If it does, it's a comment, and the loop continues. */
3178
3179 if (*yield != '#') break;
3180 }
3181
3182/* This loop handles continuations. We know we have some real data, ending in
3183newline. See if there is a continuation marker at the end (ignoring trailing
3184white space). We know that *yield is not white space, so no need to test for
3185cont > yield in the backwards scanning loop. */
3186
3187for(;;)
3188 {
3189 uschar *cont;
3190 for (cont = acl_text - 1; isspace(*cont); cont--);
3191
3192 /* If no continuation follows, we are done. Mark the end of the line and
3193 return it. */
3194
3195 if (*cont != '\\')
3196 {
3197 *acl_text++ = 0;
3198 return yield;
3199 }
3200
3201 /* We have encountered a continuation. Skip over whitespace at the start of
3202 the next line, and indeed the whole of the next line or lines if they are
3203 comment lines. */
3204
3205 for (;;)
3206 {
3207 while (*(++acl_text) == ' ' || *acl_text == '\t');
3208 if (*acl_text != '#') break;
3209 while (*(++acl_text) != 0 && *acl_text != '\n');
3210 }
3211
3212 /* We have the start of a continuation line. Move all the rest of the data
3213 to join onto the previous line, and then find its end. If the end is not a
3214 newline, we are done. Otherwise loop to look for another continuation. */
3215
3216 memmove(cont, acl_text, acl_text_end - acl_text);
3217 acl_text_end -= acl_text - cont;
3218 acl_text = cont;
3219 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3220 if (*acl_text == 0) return yield;
3221 }
3222
3223/* Control does not reach here */
3224}
3225
3226
3227
3228
3229
3230/*************************************************
3231* Check access using an ACL *
3232*************************************************/
3233
3234/* This function is called from address_check. It may recurse via
3235acl_check_condition() - hence the use of a level to stop looping. The ACL is
3236passed as a string which is expanded. A forced failure implies no access check
3237is required. If the result is a single word, it is taken as the name of an ACL
3238which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3239text, complete with newlines, and parsed as such. In both cases, the ACL check
3240is then run. This function uses an auxiliary function for acl_read() to call
3241for reading individual lines of a literal ACL. This is acl_getline(), which
3242appears immediately above.
3243
3244Arguments:
3245 where where called from
3246 addr address item when called from RCPT; otherwise NULL
3247 s the input string; NULL is the same as an empty ACL => DENY
3248 level the nesting level
3249 user_msgptr where to put a user error (for SMTP response)
3250 log_msgptr where to put a logging message (not for SMTP response)
3251
3252Returns: OK access is granted
3253 DISCARD access is apparently granted...
3254 FAIL access is denied
3255 FAIL_DROP access is denied; drop the connection
3256 DEFER can't tell at the moment
3257 ERROR disaster
3258*/
3259
3260static int
3261acl_check_internal(int where, address_item *addr, uschar *s, int level,
3262 uschar **user_msgptr, uschar **log_msgptr)
3263{
3264int fd = -1;
3265acl_block *acl = NULL;
3266uschar *acl_name = US"inline ACL";
3267uschar *ss;
3268
3269/* Catch configuration loops */
3270
3271if (level > 20)
3272 {
3273 *log_msgptr = US"ACL nested too deep: possible loop";
3274 return ERROR;
3275 }
3276
3277if (s == NULL)
3278 {
3279 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3280 return FAIL;
3281 }
3282
3283/* At top level, we expand the incoming string. At lower levels, it has already
3284been expanded as part of condition processing. */
3285
3286if (level == 0)
3287 {
3288 ss = expand_string(s);
3289 if (ss == NULL)
3290 {
3291 if (expand_string_forcedfail) return OK;
3292 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3293 expand_string_message);
3294 return ERROR;
3295 }
3296 }
3297else ss = s;
3298
3299while (isspace(*ss))ss++;
3300
3301/* If we can't find a named ACL, the default is to parse it as an inline one.
3302(Unless it begins with a slash; non-existent files give rise to an error.) */
3303
3304acl_text = ss;
3305
3306/* Handle the case of a string that does not contain any spaces. Look for a
3307named ACL among those read from the configuration, or a previously read file.
3308It is possible that the pointer to the ACL is NULL if the configuration
3309contains a name with no data. If not found, and the text begins with '/',
3310read an ACL from a file, and save it so it can be re-used. */
3311
3312if (Ustrchr(ss, ' ') == NULL)
3313 {
3314 tree_node *t = tree_search(acl_anchor, ss);
3315 if (t != NULL)
3316 {
3317 acl = (acl_block *)(t->data.ptr);
3318 if (acl == NULL)
3319 {
3320 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3321 return FAIL;
3322 }
3323 acl_name = string_sprintf("ACL \"%s\"", ss);
3324 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3325 }
3326
3327 else if (*ss == '/')
3328 {
3329 struct stat statbuf;
3330 fd = Uopen(ss, O_RDONLY, 0);
3331 if (fd < 0)
3332 {
3333 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3334 strerror(errno));
3335 return ERROR;
3336 }
3337
3338 if (fstat(fd, &statbuf) != 0)
3339 {
3340 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3341 strerror(errno));
3342 return ERROR;
3343 }
3344
3345 acl_text = store_get(statbuf.st_size + 1);
3346 acl_text_end = acl_text + statbuf.st_size + 1;
3347
3348 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3349 {
3350 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3351 ss, strerror(errno));
3352 return ERROR;
3353 }
3354 acl_text[statbuf.st_size] = 0;
f1e894f3 3355 (void)close(fd);
059ec3d9
PH		 3356
3357 acl_name = string_sprintf("ACL \"%s\"", ss);
3358 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3359 }
3360 }
3361
3362/* Parse an ACL that is still in text form. If it came from a file, remember it
3363in the ACL tree, having read it into the POOL_PERM store pool so that it
3364persists between multiple messages. */
3365
3366if (acl == NULL)
3367 {
3368 int old_pool = store_pool;
3369 if (fd >= 0) store_pool = POOL_PERM;
3370 acl = acl_read(acl_getline, log_msgptr);
3371 store_pool = old_pool;
3372 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3373 if (fd >= 0)
3374 {
3375 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3376 Ustrcpy(t->name, ss);
3377 t->data.ptr = acl;
3378 (void)tree_insertnode(&acl_anchor, t);
3379 }
3380 }
3381
3382/* Now we have an ACL to use. It's possible it may be NULL. */
3383
3384while (acl != NULL)
3385 {
3386 int cond;
3387 int basic_errno = 0;
3388 BOOL endpass_seen = FALSE;
3389
3390 *log_msgptr = *user_msgptr = NULL;
3391 acl_temp_details = FALSE;
3392
3393 if (where == ACL_WHERE_QUIT &&
3394 acl->verb != ACL_ACCEPT &&
3395 acl->verb != ACL_WARN)
3396 {
3397 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3398 verbs[acl->verb]);
3399 return ERROR;
3400 }
3401
3402 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3403
3404 /* Clear out any search error message from a previous check before testing
3405 this condition. */
3406
3407 search_error_message = NULL;
3408 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3409 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3410
3411 /* Handle special returns: DEFER causes a return except on a WARN verb;
3412 ERROR always causes a return. */
3413
3414 switch (cond)
3415 {
3416 case DEFER:
3417 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3418 if (basic_errno != ERRNO_CALLOUTDEFER)
3419 {
3420 if (search_error_message != NULL && *search_error_message != 0)
3421 *log_msgptr = search_error_message;
3422 if (smtp_return_error_details) acl_temp_details = TRUE;
3423 }
3424 else
3425 {
3426 acl_temp_details = TRUE;
3427 }
3428 if (acl->verb != ACL_WARN) return DEFER;
3429 break;
3430
3431 default: /* Paranoia */
3432 case ERROR:
3433 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3434 return ERROR;
3435
3436 case OK:
3437 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3438 verbs[acl->verb]);
3439 break;
3440
3441 case FAIL:
3442 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3443 break;
3444
3445 /* DISCARD and DROP can happen only from a nested ACL condition, and
3446 DISCARD can happen only for an "accept" or "discard" verb. */
3447
3448 case DISCARD:
3449 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3450 verbs[acl->verb]);
3451 break;
3452
3453 case FAIL_DROP:
3454 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3455 verbs[acl->verb]);
3456 break;
3457 }
3458
3459 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3460 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3461 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3462
3463 switch(acl->verb)
3464 {
3465 case ACL_ACCEPT:
3466 if (cond == OK || cond == DISCARD) return cond;
3467 if (endpass_seen)
3468 {
3469 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3470 return cond;
3471 }
3472 break;
3473
3474 case ACL_DEFER:
3475 if (cond == OK)
3476 {
3477 acl_temp_details = TRUE;
3478 return DEFER;
3479 }
3480 break;
3481
3482 case ACL_DENY:
3483 if (cond == OK) return FAIL;
3484 break;
3485
3486 case ACL_DISCARD:
3487 if (cond == OK || cond == DISCARD) return DISCARD;
3488 if (endpass_seen)
3489 {
3490 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3491 return cond;
3492 }
3493 break;
3494
3495 case ACL_DROP:
3496 if (cond == OK) return FAIL_DROP;
3497 break;
3498
3499 case ACL_REQUIRE:
3500 if (cond != OK) return cond;
3501 break;
3502
3503 case ACL_WARN:
3504 if (cond == OK)
3505 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3506 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3507 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3508 "condition test deferred%s%s", host_and_ident(TRUE),
3509 (*log_msgptr == NULL)? US"" : US": ",
3510 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3511 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3512 break;
3513
3514 default:
3515 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3516 acl->verb);
3517 break;
3518 }
3519
3520 /* Pass to the next ACL item */
3521
3522 acl = acl->next;
3523 }
3524
3525/* We have reached the end of the ACL. This is an implicit DENY. */
3526
3527HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3528return FAIL;
3529}
3530
3531
3532/*************************************************
3533* Check access using an ACL *
3534*************************************************/
3535
3536/* This is the external interface for ACL checks. It sets up an address and the
3537expansions for $domain and $local_part when called after RCPT, then calls
3538acl_check_internal() to do the actual work.
3539
3540Arguments:
3541 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3542 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3543 s the input string; NULL is the same as an empty ACL => DENY
3544 user_msgptr where to put a user error (for SMTP response)
3545 log_msgptr where to put a logging message (not for SMTP response)
3546
3547Returns: OK access is granted by an ACCEPT verb
3548 DISCARD access is granted by a DISCARD verb
3549 FAIL access is denied
3550 FAIL_DROP access is denied; drop the connection
3551 DEFER can't tell at the moment
3552 ERROR disaster
3553*/
3554
3555int
64ffc24f 3556acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3557 uschar **log_msgptr)
3558{
3559int rc;
3560address_item adb;
64ffc24f 3561address_item *addr = NULL;
059ec3d9
PH		 3562
3563*user_msgptr = *log_msgptr = NULL;
3564sender_verified_failed = NULL;
fe0dab11 3565ratelimiters_cmd = NULL;
6ea85e9a 3566log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3567
3568if (where == ACL_WHERE_RCPT)
3569 {
3570 adb = address_defaults;
3571 addr = &adb;
64ffc24f 3572 addr->address = recipient;
059ec3d9
PH		 3573 if (deliver_split_address(addr) == DEFER)
3574 {
3575 *log_msgptr = US"defer in percent_hack_domains check";
3576 return DEFER;
3577 }
3578 deliver_domain = addr->domain;
3579 deliver_localpart = addr->local_part;
3580 }
059ec3d9
PH		 3581
3582rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3583
64ffc24f
PH		 3584deliver_domain = deliver_localpart = deliver_address_data =
3585 sender_address_data = NULL;
059ec3d9
PH		 3586
3587/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3588ACL, which is really in the middle of an SMTP command. */
3589
3590if (rc == DISCARD)
3591 {
3592 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3593 {
3594 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3595 "ACL", acl_wherenames[where]);
3596 return ERROR;
3597 }
3598 return DISCARD;
3599 }
3600
3601/* A DROP response is not permitted from MAILAUTH */
3602
3603if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3604 {
3605 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3606 "ACL", acl_wherenames[where]);
3607 return ERROR;
3608 }
3609
4e88a19f
PH		 3610/* Before giving a response, take a look at the length of any user message, and
3611split it up into multiple lines if possible. */
059ec3d9 3612
4e88a19f 3613if (*user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
059ec3d9
PH		 3614 {
3615 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3616 uschar *ss = s;
3617
3618 for (;;)
3619 {
3620 int i = 0;
3621 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3622 if (*ss == 0) break;
3623 if (*ss == '\n')
3624 s = ++ss;
3625 else
3626 {
3627 uschar *t = ss + 1;
3628 uschar *tt = NULL;
3629 while (--t > s + 35)
3630 {
3631 if (*t == ' ')
3632 {
3633 if (t[-1] == ':') { tt = t; break; }
3634 if (tt == NULL) tt = t;
3635 }
3636 }
3637
3638 if (tt == NULL) /* Can't split behind - try ahead */
3639 {
3640 t = ss + 1;
3641 while (*t != 0)
3642 {
3643 if (*t == ' ' || *t == '\n')
3644 { tt = t; break; }
3645 t++;
3646 }
3647 }
3648
3649 if (tt == NULL) break; /* Can't find anywhere to split */
3650 *tt = '\n';
3651 s = ss = tt+1;
3652 }
3653 }
3654 }
3655
3656return rc;
3657}
3658
38a0a95f
PH		 3659
3660
3661/*************************************************
3662* Create ACL variable *
3663*************************************************/
3664
3665/* Create an ACL variable or reuse an existing one. ACL variables are in a
3666binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3667
3668Argument:
3669 name pointer to the variable's name, starting with c or m
3670
3671Returns the pointer to variable's tree node
3672*/
3673
3674tree_node *
3675acl_var_create(uschar *name)
3676{
3677tree_node *node, **root;
3678root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3679node = tree_search(*root, name);
3680if (node == NULL)
3681 {
3682 node = store_get(sizeof(tree_node) + Ustrlen(name));
3683 Ustrcpy(node->name, name);
3684 (void)tree_insertnode(root, node);
3685 }
3686node->data.ptr = NULL;
3687return node;
3688}
3689
3690
3691
3692/*************************************************
3693* Write an ACL variable in spool format *
3694*************************************************/
3695
3696/* This function is used as a callback for tree_walk when writing variables to
3697the spool file. To retain spool file compatibility, what is written is -aclc or
3698-aclm followed by the rest of the name and the data length, space separated,
3699then the value itself, starting on a new line, and terminated by an additional
3700newline. When we had only numbered ACL variables, the first line might look
3701like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3702acl_cfoo.
3703
3704Arguments:
3705 name of the variable
3706 value of the variable
3707 ctx FILE pointer (as a void pointer)
3708
3709Returns: nothing
3710*/
3711
3712void
3713acl_var_write(uschar *name, uschar *value, void *ctx)
3714{
3715FILE *f = (FILE *)ctx;
3716fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3717}
3718
059ec3d9 3719/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.