projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
DSCP: inbound via control = dscp/<value>
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
71fafd95
PH		 91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
8523533c 94#ifdef WITH_CONTENT_SCAN
8e669ac1 95 ACLC_SPAM,
8523533c
TK		 96#endif
97#ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
65a7d8c3 99 ACLC_SPF_GUESS,
8523533c
TK		 100#endif
101 ACLC_VERIFY };
059ec3d9 102
c3611384
PH		 103/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104"message", "log_message", "log_reject_target", "logwrite", and "set" are
105modifiers that look like conditions but always return TRUE. They are used for
106their side effects. */
059ec3d9 107
9a26b6b2
PH		 108static uschar *conditions[] = {
109 US"acl",
71fafd95 110 US"add_header",
9a26b6b2 111 US"authenticated",
8523533c
TK		 112#ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114#endif
115 US"condition",
c3611384 116 US"continue",
8e669ac1 117 US"control",
6a8f9482
TK		 118#ifdef EXPERIMENTAL_DCC
119 US"dcc",
120#endif
8523533c
TK		 121#ifdef WITH_CONTENT_SCAN
122 US"decode",
123#endif
124 US"delay",
125#ifdef WITH_OLD_DEMIME
126 US"demime",
fb2274d4 127#endif
80a47a2c
TK		 128#ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
8523533c 131#endif
6ea85e9a
PH		 132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
8523533c
TK		 141#ifdef WITH_CONTENT_SCAN
142 US"malware",
143#endif
144 US"message",
145#ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147#endif
870f6ba8 148 US"ratelimit",
8523533c
TK		 149 US"recipients",
150#ifdef WITH_CONTENT_SCAN
151 US"regex",
152#endif
153 US"sender_domains", US"senders", US"set",
154#ifdef WITH_CONTENT_SCAN
155 US"spam",
156#endif
157#ifdef EXPERIMENTAL_SPF
158 US"spf",
65a7d8c3 159 US"spf_guess",
8523533c 160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef 171 #endif
ed7f7860 172 CONTROL_DEBUG,
80a47a2c 173 #ifndef DISABLE_DKIM
f7572e5a
TK		 174 CONTROL_DKIM_VERIFY,
175 #endif
13363eba 176 CONTROL_DSCP,
c46782ef
PH		 177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
180 CONTROL_ENFORCE_SYNC,
181 CONTROL_NO_ENFORCE_SYNC,
182 CONTROL_FREEZE,
183 CONTROL_QUEUE_ONLY,
184 CONTROL_SUBMISSION,
185 CONTROL_SUPPRESS_LOCAL_FIXUPS,
186 #ifdef WITH_CONTENT_SCAN
9a26b6b2 187 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 188 #endif
189 CONTROL_FAKEDEFER,
190 CONTROL_FAKEREJECT,
cf8b11a5 191 CONTROL_NO_MULTILINE,
047bdd8c 192 CONTROL_NO_PIPELINING,
4c590bd1
PH		 193 CONTROL_NO_DELAY_FLUSH,
194 CONTROL_NO_CALLOUT_FLUSH
c46782ef 195};
9a26b6b2 196
8800895a
PH		 197/* ACL control names; keep in step with the table above! This list is used for
198turning ids into names. The actual list of recognized names is in the variable
199control_def controls_list[] below. The fact that there are two lists is a mess
200and should be tidied up. */
9a26b6b2
PH		 201
202static uschar *controls[] = {
c46782ef 203 US"allow_auth_unadvertised",
9a26b6b2
PH		 204 #ifdef EXPERIMENTAL_BRIGHTMAIL
205 US"bmi_run",
206 #endif
ed7f7860 207 US"debug",
80a47a2c
TK		 208 #ifndef DISABLE_DKIM
209 US"dkim_disable_verify",
f7572e5a 210 #endif
13363eba 211 US"dscp",
c46782ef
PH		 212 US"error",
213 US"caseful_local_part",
214 US"caselower_local_part",
215 US"enforce_sync",
216 US"no_enforce_sync",
217 US"freeze",
218 US"queue_only",
219 US"submission",
220 US"suppress_local_fixups",
9a26b6b2
PH		 221 #ifdef WITH_CONTENT_SCAN
222 US"no_mbox_unspool",
223 #endif
cf8b11a5
PH		 224 US"fakedefer",
225 US"fakereject",
aa6dc513 226 US"no_multiline_responses",
cf8b11a5 227 US"no_pipelining",
4c590bd1
PH		 228 US"no_delay_flush",
229 US"no_callout_flush"
c46782ef 230};
059ec3d9 231
047bdd8c 232/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 233at the outer level. In the other cases, expansion already occurs in the
234checking functions. */
235
236static uschar cond_expand_at_top[] = {
237 TRUE, /* acl */
3e536984 238 TRUE, /* add_header */
059ec3d9 239 FALSE, /* authenticated */
8523533c
TK		 240#ifdef EXPERIMENTAL_BRIGHTMAIL
241 TRUE, /* bmi_optin */
8e669ac1 242#endif
059ec3d9 243 TRUE, /* condition */
c3611384 244 TRUE, /* continue */
059ec3d9 245 TRUE, /* control */
6a8f9482
TK		 246#ifdef EXPERIMENTAL_DCC
247 TRUE, /* dcc */
248#endif
8523533c
TK		 249#ifdef WITH_CONTENT_SCAN
250 TRUE, /* decode */
251#endif
059ec3d9 252 TRUE, /* delay */
8523533c
TK		 253#ifdef WITH_OLD_DEMIME
254 TRUE, /* demime */
fb2274d4 255#endif
80a47a2c
TK		 256#ifndef DISABLE_DKIM
257 TRUE, /* dkim_signers */
258 TRUE, /* dkim_status */
8523533c 259#endif
059ec3d9
PH		 260 TRUE, /* dnslists */
261 FALSE, /* domains */
262 FALSE, /* encrypted */
263 TRUE, /* endpass */
264 FALSE, /* hosts */
265 FALSE, /* local_parts */
266 TRUE, /* log_message */
6ea85e9a 267 TRUE, /* log_reject_target */
059ec3d9 268 TRUE, /* logwrite */
8523533c
TK		 269#ifdef WITH_CONTENT_SCAN
270 TRUE, /* malware */
271#endif
059ec3d9 272 TRUE, /* message */
8523533c
TK		 273#ifdef WITH_CONTENT_SCAN
274 TRUE, /* mime_regex */
275#endif
870f6ba8 276 TRUE, /* ratelimit */
059ec3d9 277 FALSE, /* recipients */
8523533c
TK		 278#ifdef WITH_CONTENT_SCAN
279 TRUE, /* regex */
280#endif
059ec3d9
PH		 281 FALSE, /* sender_domains */
282 FALSE, /* senders */
283 TRUE, /* set */
8523533c
TK		 284#ifdef WITH_CONTENT_SCAN
285 TRUE, /* spam */
286#endif
287#ifdef EXPERIMENTAL_SPF
288 TRUE, /* spf */
65a7d8c3 289 TRUE, /* spf_guess */
8523533c 290#endif
059ec3d9
PH		 291 TRUE /* verify */
292};
293
294/* Flags to identify the modifiers */
295
296static uschar cond_modifiers[] = {
297 FALSE, /* acl */
3e536984 298 TRUE, /* add_header */
059ec3d9 299 FALSE, /* authenticated */
8523533c
TK		 300#ifdef EXPERIMENTAL_BRIGHTMAIL
301 TRUE, /* bmi_optin */
8e669ac1 302#endif
059ec3d9 303 FALSE, /* condition */
c3611384 304 TRUE, /* continue */
059ec3d9 305 TRUE, /* control */
6a8f9482
TK		 306#ifdef EXPERIMENTAL_DCC
307 FALSE, /* dcc */
308#endif
8523533c
TK		 309#ifdef WITH_CONTENT_SCAN
310 FALSE, /* decode */
311#endif
059ec3d9 312 TRUE, /* delay */
8523533c
TK		 313#ifdef WITH_OLD_DEMIME
314 FALSE, /* demime */
fb2274d4 315#endif
80a47a2c
TK		 316#ifndef DISABLE_DKIM
317 FALSE, /* dkim_signers */
318 FALSE, /* dkim_status */
8523533c 319#endif
059ec3d9
PH		 320 FALSE, /* dnslists */
321 FALSE, /* domains */
322 FALSE, /* encrypted */
323 TRUE, /* endpass */
324 FALSE, /* hosts */
325 FALSE, /* local_parts */
326 TRUE, /* log_message */
6ea85e9a 327 TRUE, /* log_reject_target */
8523533c
TK		 328 TRUE, /* logwrite */
329#ifdef WITH_CONTENT_SCAN
330 FALSE, /* malware */
331#endif
059ec3d9 332 TRUE, /* message */
8523533c
TK		 333#ifdef WITH_CONTENT_SCAN
334 FALSE, /* mime_regex */
335#endif
870f6ba8 336 FALSE, /* ratelimit */
059ec3d9 337 FALSE, /* recipients */
8523533c
TK		 338#ifdef WITH_CONTENT_SCAN
339 FALSE, /* regex */
340#endif
059ec3d9
PH		 341 FALSE, /* sender_domains */
342 FALSE, /* senders */
343 TRUE, /* set */
8523533c
TK		 344#ifdef WITH_CONTENT_SCAN
345 FALSE, /* spam */
346#endif
347#ifdef EXPERIMENTAL_SPF
348 FALSE, /* spf */
65a7d8c3 349 FALSE, /* spf_guess */
8523533c 350#endif
059ec3d9
PH		 351 FALSE /* verify */
352};
353
c3611384 354/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 355times. For each condition and modifier, there's a bitmap of dis-allowed times.
356For some, it is easier to specify the negation of a small number of allowed
357times. */
059ec3d9
PH		 358
359static unsigned int cond_forbids[] = {
360 0, /* acl */
8e669ac1 361
71fafd95 362 (unsigned int)
45b91596 363 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 364 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 365 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 366 (1<<ACL_WHERE_DKIM)|
45b91596 367 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 368
45b91596
PH		 369 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
370 (1<<ACL_WHERE_NOTSMTP_START)|
371 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 372
71fafd95 373 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 374 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 375 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
376 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 377 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 378 (1<<ACL_WHERE_MAILAUTH)|
379 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 380 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
381 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 382 #endif
8e669ac1 383
059ec3d9 384 0, /* condition */
8e669ac1 385
c3611384
PH		 386 0, /* continue */
387
059ec3d9 388 /* Certain types of control are always allowed, so we let it through
2f079f46 389 always and check in the control processing itself. */
8e669ac1 390
059ec3d9 391 0, /* control */
8e669ac1 392
6a8f9482
TK		 393 #ifdef EXPERIMENTAL_DCC
394 (unsigned int)
395 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
396 #endif
397
71fafd95 398 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 399 (unsigned int)
400 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 401 #endif
8523533c 402
8f128379 403 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 404
71fafd95 405 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 406 (unsigned int)
407 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 408 #endif
8e669ac1 409
80a47a2c
TK		 410 #ifndef DISABLE_DKIM
411 (unsigned int)
412 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 413
80a47a2c
TK		 414 (unsigned int)
415 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 416 #endif
fb2274d4 417
45b91596
PH		 418 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
419 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 420
2f079f46
PH		 421 (unsigned int)
422 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 423
45b91596
PH		 424 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
425 (1<<ACL_WHERE_CONNECT)|
426 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 427 (1<<ACL_WHERE_HELO),
8e669ac1 428
059ec3d9 429 0, /* endpass */
8e669ac1 430
45b91596
PH		 431 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
432 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 433
2f079f46
PH		 434 (unsigned int)
435 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 436
437 0, /* log_message */
8e669ac1 438
6ea85e9a
PH		 439 0, /* log_reject_target */
440
059ec3d9 441 0, /* logwrite */
8e669ac1 442
71fafd95 443 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 444 (unsigned int)
445 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 446 #endif
8523533c 447
059ec3d9
PH		 448 0, /* message */
449
71fafd95 450 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 451 (unsigned int)
452 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 453 #endif
8523533c 454
870f6ba8
TF		 455 0, /* ratelimit */
456
2f079f46
PH		 457 (unsigned int)
458 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 459
71fafd95 460 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 461 (unsigned int)
462 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
463 (1<<ACL_WHERE_MIME)),
71fafd95 464 #endif
8523533c 465
059ec3d9
PH		 466 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
467 (1<<ACL_WHERE_HELO)|
468 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
469 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
470 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
471
472 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
473 (1<<ACL_WHERE_HELO)|
474 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
475 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
476 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
477
478 0, /* set */
479
71fafd95 480 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 481 (unsigned int)
482 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 483 #endif
8523533c 484
71fafd95 485 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 486 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
487 (1<<ACL_WHERE_HELO)|
488 (1<<ACL_WHERE_MAILAUTH)|
489 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 490 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
491 (1<<ACL_WHERE_NOTSMTP)|
492 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 493
494 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
495 (1<<ACL_WHERE_HELO)|
496 (1<<ACL_WHERE_MAILAUTH)|
497 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
498 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
499 (1<<ACL_WHERE_NOTSMTP)|
500 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 501 #endif
8523533c 502
059ec3d9
PH		 503 /* Certain types of verify are always allowed, so we let it through
504 always and check in the verify function itself */
505
506 0 /* verify */
059ec3d9
PH		 507};
508
509
c5fcb476
PH		 510/* Bit map vector of which controls are not allowed at certain times. For
511each control, there's a bitmap of dis-allowed times. For some, it is easier to
512specify the negation of a small number of allowed times. */
513
514static unsigned int control_forbids[] = {
c46782ef
PH		 515 (unsigned int)
516 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
517
518 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 519 0, /* bmi_run */
c46782ef
PH		 520 #endif
521
ed7f7860
PP		 522 0, /* debug */
523
80a47a2c
TK		 524 #ifndef DISABLE_DKIM
525 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 526 (1<<ACL_WHERE_NOTSMTP_START),
527 #endif
528
13363eba
PP		 529 (1<<ACL_WHERE_NOTSMTP)|
530 (1<<ACL_WHERE_NOTSMTP_START)|
531 (1<<ACL_WHERE_NOTQUIT), /* dscp */
532
c5fcb476 533 0, /* error */
8e669ac1
PH		 534
535 (unsigned int)
c5fcb476 536 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 537
538 (unsigned int)
c5fcb476 539 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 540
45b91596
PH		 541 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
542 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 543
45b91596
PH		 544 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
545 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 546
547 (unsigned int)
c5fcb476
PH		 548 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
549 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 550 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 551
552 (unsigned int)
c5fcb476
PH		 553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 556
557 (unsigned int)
c5fcb476 558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 559 (1<<ACL_WHERE_PREDATA)),
8523533c 560
8800895a
PH		 561 (unsigned int)
562 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 563 (1<<ACL_WHERE_PREDATA)|
564 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 565
c46782ef 566 #ifdef WITH_CONTENT_SCAN
8e669ac1 567 (unsigned int)
14d57970 568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
570 (1<<ACL_WHERE_MIME)),
c46782ef 571 #endif
a6c4ab60 572
29aba418
TF		 573 (unsigned int)
574 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
575 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
576 (1<<ACL_WHERE_MIME)),
577
8e669ac1 578 (unsigned int)
a6c4ab60 579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
8523533c 582
45b91596 583 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 584 (1<<ACL_WHERE_NOTSMTP_START),
585
586 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 587 (1<<ACL_WHERE_NOTSMTP_START),
588
589 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 590 (1<<ACL_WHERE_NOTSMTP_START),
591
592 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 593 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 594};
595
596/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 597
598typedef struct control_def {
599 uschar *name;
600 int value; /* CONTROL_xxx value */
059ec3d9
PH		 601 BOOL has_option; /* Has /option(s) following */
602} control_def;
603
604static control_def controls_list[] = {
c46782ef 605 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 606#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 607 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 608#endif
ed7f7860 609 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 610#ifndef DISABLE_DKIM
611 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 612#endif
13363eba 613 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 614 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
615 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
616 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
617 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 618 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 619 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 620 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
621 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 622 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 623 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 624#ifdef WITH_CONTENT_SCAN
c46782ef 625 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 626#endif
c46782ef
PH		 627 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
628 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
629 { US"submission", CONTROL_SUBMISSION, TRUE },
630 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 631 };
632
e5a9dba6
PH		 633/* Support data structures for Client SMTP Authorization. acl_verify_csa()
634caches its result in a tree to avoid repeated DNS queries. The result is an
635integer code which is used as an index into the following tables of
636explanatory strings and verification return codes. */
637
638static tree_node *csa_cache = NULL;
639
640enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
641 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
642
643/* The acl_verify_csa() return code is translated into an acl_verify() return
644code using the following table. It is OK unless the client is definitely not
645authorized. This is because CSA is supposed to be optional for sending sites,
646so recipients should not be too strict about checking it - especially because
647DNS problems are quite likely to occur. It's possible to use $csa_status in
648further ACL conditions to distinguish ok, unknown, and defer if required, but
649the aim is to make the usual configuration simple. */
650
651static int csa_return_code[] = {
652 OK, OK, OK, OK,
653 FAIL, FAIL, FAIL, FAIL
654};
655
656static uschar *csa_status_string[] = {
657 US"unknown", US"ok", US"defer", US"defer",
658 US"fail", US"fail", US"fail", US"fail"
659};
660
661static uschar *csa_reason_string[] = {
662 US"unknown",
663 US"ok",
664 US"deferred (SRV lookup failed)",
665 US"deferred (target address lookup failed)",
666 US"failed (explicit authorization required)",
667 US"failed (host name not authorized)",
668 US"failed (no authorized addresses)",
669 US"failed (client address mismatch)"
670};
671
c99ce5c9
TF		 672/* Options for the ratelimit condition. Note that there are two variants of
673the per_rcpt option, depending on the ACL that is used to measure the rate.
674However any ACL must be able to look up per_rcpt rates in /noupdate mode,
675so the two variants must have the same internal representation as well as
676the same configuration string. */
677
678enum {
679 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
680 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
681};
682
683#define RATE_SET(var,new) \
684 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
685
686static uschar *ratelimit_option_string[] = {
687 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
688 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
689};
690
059ec3d9
PH		 691/* Enable recursion between acl_check_internal() and acl_check_condition() */
692
693static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
694 uschar **);
695
696
697/*************************************************
698* Pick out name from list *
699*************************************************/
700
701/* Use a binary chop method
702
703Arguments:
704 name name to find
705 list list of names
706 end size of list
707
708Returns: offset in list, or -1 if not found
709*/
710
711static int
712acl_checkname(uschar *name, uschar **list, int end)
713{
714int start = 0;
715
716while (start < end)
717 {
718 int mid = (start + end)/2;
719 int c = Ustrcmp(name, list[mid]);
720 if (c == 0) return mid;
721 if (c < 0) end = mid; else start = mid + 1;
722 }
723
724return -1;
725}
726
727
728/*************************************************
729* Read and parse one ACL *
730*************************************************/
731
732/* This function is called both from readconf in order to parse the ACLs in the
733configuration file, and also when an ACL is encountered dynamically (e.g. as
734the result of an expansion). It is given a function to call in order to
735retrieve the lines of the ACL. This function handles skipping comments and
736blank lines (where relevant).
737
738Arguments:
739 func function to get next line of ACL
740 error where to put an error message
741
742Returns: pointer to ACL, or NULL
743 NULL can be legal (empty ACL); in this case error will be NULL
744*/
745
746acl_block *
747acl_read(uschar *(*func)(void), uschar **error)
748{
749acl_block *yield = NULL;
750acl_block **lastp = &yield;
751acl_block *this = NULL;
752acl_condition_block *cond;
753acl_condition_block **condp = NULL;
754uschar *s;
755
756*error = NULL;
757
758while ((s = (*func)()) != NULL)
759 {
760 int v, c;
761 BOOL negated = FALSE;
762 uschar *saveline = s;
763 uschar name[64];
764
765 /* Conditions (but not verbs) are allowed to be negated by an initial
766 exclamation mark. */
767
768 while (isspace(*s)) s++;
769 if (*s == '!')
770 {
771 negated = TRUE;
772 s++;
773 }
774
cf00dad6
PH		 775 /* Read the name of a verb or a condition, or the start of a new ACL, which
776 can be started by a name, or by a macro definition. */
059ec3d9
PH		 777
778 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 779 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 780
781 /* If a verb is unrecognized, it may be another condition or modifier that
782 continues the previous verb. */
783
784 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
785 if (v < 0)
786 {
787 if (this == NULL)
788 {
4e167a8c
PH		 789 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
790 saveline);
059ec3d9
PH		 791 return NULL;
792 }
793 }
794
795 /* New verb */
796
797 else
798 {
799 if (negated)
800 {
801 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
802 return NULL;
803 }
804 this = store_get(sizeof(acl_block));
805 *lastp = this;
806 lastp = &(this->next);
807 this->next = NULL;
808 this->verb = v;
809 this->condition = NULL;
810 condp = &(this->condition);
811 if (*s == 0) continue; /* No condition on this line */
812 if (*s == '!')
813 {
814 negated = TRUE;
815 s++;
816 }
817 s = readconf_readname(name, sizeof(name), s); /* Condition name */
818 }
819
820 /* Handle a condition or modifier. */
821
822 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
823 if (c < 0)
824 {
825 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
826 saveline);
827 return NULL;
828 }
829
830 /* The modifiers may not be negated */
831
832 if (negated && cond_modifiers[c])
833 {
834 *error = string_sprintf("ACL error: negation is not allowed with "
835 "\"%s\"", conditions[c]);
836 return NULL;
837 }
838
839 /* ENDPASS may occur only with ACCEPT or DISCARD. */
840
841 if (c == ACLC_ENDPASS &&
842 this->verb != ACL_ACCEPT &&
843 this->verb != ACL_DISCARD)
844 {
845 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
846 conditions[c], verbs[this->verb]);
847 return NULL;
848 }
849
850 cond = store_get(sizeof(acl_condition_block));
851 cond->next = NULL;
852 cond->type = c;
853 cond->u.negated = negated;
854
855 *condp = cond;
856 condp = &(cond->next);
857
858 /* The "set" modifier is different in that its argument is "name=value"
859 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 860 gives us a variable name to insert into the data block. The original ACL
861 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
862 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 863 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
864 After that, we allow alphanumerics and underscores, but the first character
865 after c or m must be a digit or an underscore. This retains backwards
866 compatibility. */
059ec3d9
PH		 867
868 if (c == ACLC_SET)
869 {
47ca6d6c
PH		 870 uschar *endptr;
871
38a0a95f
PH		 872 if (Ustrncmp(s, "acl_c", 5) != 0 &&
873 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 874 {
38a0a95f
PH		 875 *error = string_sprintf("invalid variable name after \"set\" in ACL "
876 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
877 return NULL;
47ca6d6c 878 }
38a0a95f
PH		 879
880 endptr = s + 5;
641cb756
PH		 881 if (!isdigit(*endptr) && *endptr != '_')
882 {
883 *error = string_sprintf("invalid variable name after \"set\" in ACL "
884 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
885 s);
886 return NULL;
887 }
888
38a0a95f 889 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 890 {
38a0a95f
PH		 891 if (!isalnum(*endptr) && *endptr != '_')
892 {
893 *error = string_sprintf("invalid character \"%c\" in variable name "
894 "in ACL modifier \"set %s\"", *endptr, s);
895 return NULL;
896 }
897 endptr++;
47ca6d6c 898 }
47ca6d6c 899
38a0a95f 900 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 901 s = endptr;
059ec3d9
PH		 902 while (isspace(*s)) s++;
903 }
904
905 /* For "set", we are now positioned for the data. For the others, only
906 "endpass" has no data */
907
908 if (c != ACLC_ENDPASS)
909 {
910 if (*s++ != '=')
911 {
912 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
913 cond_modifiers[c]? US"modifier" : US"condition");
914 return NULL;
915 }
916 while (isspace(*s)) s++;
917 cond->arg = string_copy(s);
918 }
919 }
920
921return yield;
922}
923
924
925
71fafd95
PH		 926/*************************************************
927* Set up added header line(s) *
928*************************************************/
929
930/* This function is called by the add_header modifier, and also from acl_warn()
931to implement the now-deprecated way of adding header lines using "message" on a
932"warn" verb. The argument is treated as a sequence of header lines which are
933added to a chain, provided there isn't an identical one already there.
934
935Argument: string of header lines
936Returns: nothing
937*/
938
939static void
940setup_header(uschar *hstring)
941{
942uschar *p, *q;
943int hlen = Ustrlen(hstring);
944
945/* An empty string does nothing; otherwise add a final newline if necessary. */
946
947if (hlen <= 0) return;
948if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
949
950/* Loop for multiple header lines, taking care about continuations */
951
952for (p = q = hstring; *p != 0; )
953 {
954 uschar *s;
955 int newtype = htype_add_bot;
956 header_line **hptr = &acl_added_headers;
957
958 /* Find next header line within the string */
959
960 for (;;)
961 {
962 q = Ustrchr(q, '\n');
963 if (*(++q) != ' ' && *q != '\t') break;
964 }
965
966 /* If the line starts with a colon, interpret the instruction for where to
967 add it. This temporarily sets up a new type. */
968
969 if (*p == ':')
970 {
971 if (strncmpic(p, US":after_received:", 16) == 0)
972 {
973 newtype = htype_add_rec;
974 p += 16;
975 }
976 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
977 {
978 newtype = htype_add_rfc;
979 p += 14;
980 }
981 else if (strncmpic(p, US":at_start:", 10) == 0)
982 {
983 newtype = htype_add_top;
984 p += 10;
985 }
986 else if (strncmpic(p, US":at_end:", 8) == 0)
987 {
988 newtype = htype_add_bot;
989 p += 8;
990 }
991 while (*p == ' ' || *p == '\t') p++;
992 }
993
994 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
995 to the front of it. */
996
997 for (s = p; s < q - 1; s++)
998 {
999 if (*s == ':' || !isgraph(*s)) break;
1000 }
1001
438257ba 1002 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1003 hlen = Ustrlen(s);
1004
1005 /* See if this line has already been added */
1006
1007 while (*hptr != NULL)
1008 {
1009 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1010 hptr = &((*hptr)->next);
1011 }
1012
1013 /* Add if not previously present */
1014
1015 if (*hptr == NULL)
1016 {
1017 header_line *h = store_get(sizeof(header_line));
1018 h->text = s;
1019 h->next = NULL;
1020 h->type = newtype;
1021 h->slen = hlen;
1022 *hptr = h;
1023 hptr = &(h->next);
1024 }
1025
1026 /* Advance for next header line within the string */
1027
1028 p = q;
1029 }
1030}
1031
1032
1033
1034
059ec3d9
PH		 1035/*************************************************
1036* Handle warnings *
1037*************************************************/
1038
1039/* This function is called when a WARN verb's conditions are true. It adds to
1040the message's headers, and/or writes information to the log. In each case, this
1041only happens once (per message for headers, per connection for log).
1042
71fafd95
PH		 1043** NOTE: The header adding action using the "message" setting is historic, and
1044its use is now deprecated. The new add_header modifier should be used instead.
1045
059ec3d9
PH		 1046Arguments:
1047 where ACL_WHERE_xxxx indicating which ACL this is
1048 user_message message for adding to headers
1049 log_message message for logging, if different
1050
1051Returns: nothing
1052*/
1053
1054static void
1055acl_warn(int where, uschar *user_message, uschar *log_message)
1056{
059ec3d9
PH		 1057if (log_message != NULL && log_message != user_message)
1058 {
1059 uschar *text;
1060 string_item *logged;
1061
1062 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1063 string_printing(log_message));
1064
1065 /* If a sender verification has failed, and the log message is "sender verify
1066 failed", add the failure message. */
1067
1068 if (sender_verified_failed != NULL &&
1069 sender_verified_failed->message != NULL &&
1070 strcmpic(log_message, US"sender verify failed") == 0)
1071 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1072
9c7a242c
PH		 1073 /* Search previously logged warnings. They are kept in malloc
1074 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1075
1076 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1077 if (Ustrcmp(logged->text, text) == 0) break;
1078
1079 if (logged == NULL)
1080 {
1081 int length = Ustrlen(text) + 1;
1082 log_write(0, LOG_MAIN, "%s", text);
1083 logged = store_malloc(sizeof(string_item) + length);
1084 logged->text = (uschar *)logged + sizeof(string_item);
1085 memcpy(logged->text, text, length);
1086 logged->next = acl_warn_logged;
1087 acl_warn_logged = logged;
1088 }
1089 }
1090
1091/* If there's no user message, we are done. */
1092
1093if (user_message == NULL) return;
1094
1095/* If this isn't a message ACL, we can't do anything with a user message.
1096Log an error. */
1097
1098if (where > ACL_WHERE_NOTSMTP)
1099 {
1100 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1101 "found in a non-message (%s) ACL: cannot specify header lines here: "
1102 "message ignored", acl_wherenames[where]);
1103 return;
1104 }
1105
71fafd95
PH		 1106/* The code for setting up header lines is now abstracted into a separate
1107function so that it can be used for the add_header modifier as well. */
059ec3d9 1108
71fafd95 1109setup_header(user_message);
059ec3d9
PH		 1110}
1111
1112
1113
1114/*************************************************
1115* Verify and check reverse DNS *
1116*************************************************/
1117
1118/* Called from acl_verify() below. We look up the host name(s) of the client IP
1119address if this has not yet been done. The host_name_lookup() function checks
1120that one of these names resolves to an address list that contains the client IP
1121address, so we don't actually have to do the check here.
1122
1123Arguments:
1124 user_msgptr pointer for user message
1125 log_msgptr pointer for log message
1126
1127Returns: OK verification condition succeeded
1128 FAIL verification failed
1129 DEFER there was a problem verifying
1130*/
1131
1132static int
1133acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1134{
1135int rc;
1136
1137user_msgptr = user_msgptr; /* stop compiler warning */
1138
1139/* Previous success */
1140
1141if (sender_host_name != NULL) return OK;
1142
1143/* Previous failure */
1144
1145if (host_lookup_failed)
1146 {
1147 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1148 return FAIL;
1149 }
1150
1151/* Need to do a lookup */
1152
1153HDEBUG(D_acl)
1154 debug_printf("looking up host name to force name/address consistency check\n");
1155
1156if ((rc = host_name_lookup()) != OK)
1157 {
1158 *log_msgptr = (rc == DEFER)?
1159 US"host lookup deferred for reverse lookup check"
1160 :
1161 string_sprintf("host lookup failed for reverse lookup check%s",
1162 host_lookup_msg);
1163 return rc; /* DEFER or FAIL */
1164 }
1165
1166host_build_sender_fullhost();
1167return OK;
1168}
1169
1170
1171
e5a9dba6
PH		 1172/*************************************************
1173* Check client IP address matches CSA target *
1174*************************************************/
1175
1176/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1177response for address records belonging to the CSA target hostname. The section
1178is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1179If one of the addresses matches the client's IP address, then the client is
1180authorized by CSA. If there are target IP addresses but none of them match
1181then the client is using an unauthorized IP address. If there are no target IP
1182addresses then the client cannot be using an authorized IP address. (This is
1183an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1184
1185Arguments:
1186 dnsa the DNS answer block
1187 dnss a DNS scan block for us to use
1188 reset option specifing what portion to scan, as described above
1189 target the target hostname to use for matching RR names
1190
1191Returns: CSA_OK successfully authorized
1192 CSA_FAIL_MISMATCH addresses found but none matched
1193 CSA_FAIL_NOADDR no target addresses found
1194*/
1195
1196static int
1197acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1198 uschar *target)
1199{
1200dns_record *rr;
1201dns_address *da;
1202
1203BOOL target_found = FALSE;
1204
1205for (rr = dns_next_rr(dnsa, dnss, reset);
1206 rr != NULL;
1207 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1208 {
1209 /* Check this is an address RR for the target hostname. */
1210
1211 if (rr->type != T_A
1212 #if HAVE_IPV6
1213 && rr->type != T_AAAA
1214 #ifdef SUPPORT_A6
1215 && rr->type != T_A6
1216 #endif
1217 #endif
1218 ) continue;
1219
1220 if (strcmpic(target, rr->name) != 0) continue;
1221
1222 target_found = TRUE;
1223
1224 /* Turn the target address RR into a list of textual IP addresses and scan
1225 the list. There may be more than one if it is an A6 RR. */
1226
1227 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1228 {
1229 /* If the client IP address matches the target IP address, it's good! */
1230
1231 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1232
1233 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1234 }
1235 }
1236
1237/* If we found some target addresses but none of them matched, the client is
1238using an unauthorized IP address, otherwise the target has no authorized IP
1239addresses. */
1240
1241if (target_found) return CSA_FAIL_MISMATCH;
1242else return CSA_FAIL_NOADDR;
1243}
1244
1245
1246
1247/*************************************************
1248* Verify Client SMTP Authorization *
1249*************************************************/
1250
1251/* Called from acl_verify() below. This routine calls dns_lookup_special()
1252to find the CSA SRV record corresponding to the domain argument, or
1253$sender_helo_name if no argument is provided. It then checks that the
1254client is authorized, and that its IP address corresponds to the SRV
1255target's address by calling acl_verify_csa_address() above. The address
1256should have been returned in the DNS response's ADDITIONAL section, but if
1257not we perform another DNS lookup to get it.
1258
1259Arguments:
1260 domain pointer to optional parameter following verify = csa
1261
1262Returns: CSA_UNKNOWN no valid CSA record found
1263 CSA_OK successfully authorized
1264 CSA_FAIL_* client is definitely not authorized
1265 CSA_DEFER_* there was a DNS problem
1266*/
1267
1268static int
1269acl_verify_csa(uschar *domain)
1270{
1271tree_node *t;
1272uschar *found, *p;
1273int priority, weight, port;
1274dns_answer dnsa;
1275dns_scan dnss;
1276dns_record *rr;
1277int rc, type;
1278uschar target[256];
1279
1280/* Work out the domain we are using for the CSA lookup. The default is the
1281client's HELO domain. If the client has not said HELO, use its IP address
1282instead. If it's a local client (exim -bs), CSA isn't applicable. */
1283
1284while (isspace(*domain) && *domain != '\0') ++domain;
1285if (*domain == '\0') domain = sender_helo_name;
1286if (domain == NULL) domain = sender_host_address;
1287if (sender_host_address == NULL) return CSA_UNKNOWN;
1288
1289/* If we have an address literal, strip off the framing ready for turning it
1290into a domain. The framing consists of matched square brackets possibly
1291containing a keyword and a colon before the actual IP address. */
1292
1293if (domain[0] == '[')
1294 {
1295 uschar *start = Ustrchr(domain, ':');
1296 if (start == NULL) start = domain;
1297 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1298 }
1299
1300/* Turn domains that look like bare IP addresses into domains in the reverse
1301DNS. This code also deals with address literals and $sender_host_address. It's
1302not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1303address literals, but it's probably the most friendly thing to do. This is an
1304extension to CSA, so we allow it to be turned off for proper conformance. */
1305
7e66e54d 1306if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1307 {
1308 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1309 dns_build_reverse(domain, target);
1310 domain = target;
1311 }
1312
1313/* Find out if we've already done the CSA check for this domain. If we have,
1314return the same result again. Otherwise build a new cached result structure
1315for this domain. The name is filled in now, and the value is filled in when
1316we return from this function. */
1317
1318t = tree_search(csa_cache, domain);
1319if (t != NULL) return t->data.val;
1320
1321t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1322Ustrcpy(t->name, domain);
1323(void)tree_insertnode(&csa_cache, t);
1324
1325/* Now we are ready to do the actual DNS lookup(s). */
1326
28e6ef29 1327found = domain;
e5a9dba6
PH		 1328switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1329 {
1330 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1331
1332 default:
1333 return t->data.val = CSA_DEFER_SRV;
1334
1335 /* If we found nothing, the client's authorization is unknown. */
1336
1337 case DNS_NOMATCH:
1338 case DNS_NODATA:
1339 return t->data.val = CSA_UNKNOWN;
1340
1341 /* We got something! Go on to look at the reply in more detail. */
1342
1343 case DNS_SUCCEED:
1344 break;
1345 }
1346
1347/* Scan the reply for well-formed CSA SRV records. */
1348
1349for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1350 rr != NULL;
1351 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1352 {
1353 if (rr->type != T_SRV) continue;
1354
1355 /* Extract the numerical SRV fields (p is incremented) */
1356
1357 p = rr->data;
1358 GETSHORT(priority, p);
1359 GETSHORT(weight, p);
1360 GETSHORT(port, p);
1361
1362 DEBUG(D_acl)
1363 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1364
1365 /* Check the CSA version number */
1366
1367 if (priority != 1) continue;
1368
1369 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1370 found by dns_special_lookup() is a parent of the one we asked for), we check
1371 the subdomain assertions in the port field. At the moment there's only one
1372 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1373 SRV records of their own. */
1374
1375 if (found != domain)
1376 {
1377 if (port & 1)
1378 return t->data.val = CSA_FAIL_EXPLICIT;
1379 else
1380 return t->data.val = CSA_UNKNOWN;
1381 }
1382
1383 /* This CSA SRV record refers directly to our domain, so we check the value
1384 in the weight field to work out the domain's authorization. 0 and 1 are
1385 unauthorized; 3 means the client is authorized but we can't check the IP
1386 address in order to authenticate it, so we treat it as unknown; values
1387 greater than 3 are undefined. */
1388
1389 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1390
1391 if (weight > 2) continue;
1392
1393 /* Weight == 2, which means the domain is authorized. We must check that the
1394 client's IP address is listed as one of the SRV target addresses. Save the
1395 target hostname then break to scan the additional data for its addresses. */
1396
1397 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1398 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1399
1400 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1401
1402 break;
1403 }
1404
1405/* If we didn't break the loop then no appropriate records were found. */
1406
1407if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1408
1409/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1410A target of "." indicates there are no valid addresses, so the client cannot
1411be authorized. (This is an odd configuration because weight=2 target=. is
1412equivalent to weight=1, but we check for it in order to keep load off the
1413root name servers.) Note that dn_expand() turns "." into "". */
1414
1415if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1416
1417/* Scan the additional section of the CSA SRV reply for addresses belonging
1418to the target. If the name server didn't return any additional data (e.g.
1419because it does not fully support SRV records), we need to do another lookup
1420to obtain the target addresses; otherwise we have a definitive result. */
1421
1422rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1423if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1424
1425/* The DNS lookup type corresponds to the IP version used by the client. */
1426
1427#if HAVE_IPV6
1428if (Ustrchr(sender_host_address, ':') != NULL)
1429 type = T_AAAA;
1430else
1431#endif /* HAVE_IPV6 */
1432 type = T_A;
1433
1434
1435#if HAVE_IPV6 && defined(SUPPORT_A6)
1436DNS_LOOKUP_AGAIN:
1437#endif
1438
1439switch (dns_lookup(&dnsa, target, type, NULL))
1440 {
1441 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1442
1443 default:
1444 return t->data.val = CSA_DEFER_ADDR;
1445
1446 /* If the query succeeded, scan the addresses and return the result. */
1447
1448 case DNS_SUCCEED:
1449 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1450 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1451 /* else fall through */
1452
1453 /* If the target has no IP addresses, the client cannot have an authorized
1454 IP address. However, if the target site uses A6 records (not AAAA records)
1455 we have to do yet another lookup in order to check them. */
1456
1457 case DNS_NOMATCH:
1458 case DNS_NODATA:
1459
1460 #if HAVE_IPV6 && defined(SUPPORT_A6)
1461 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1462 #endif
1463
1464 return t->data.val = CSA_FAIL_NOADDR;
1465 }
1466}
1467
1468
1469
059ec3d9
PH		 1470/*************************************************
1471* Handle verification (address & other) *
1472*************************************************/
1473
89583014
JH		 1474enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1475 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1476 };
1477typedef struct {
1478 uschar * name;
1479 int value;
1480 unsigned where_allowed; /* bitmap */
1481 BOOL no_options; /* Never has /option(s) following */
1482 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1483 } verify_type_t;
1484static verify_type_t verify_type_list[] = {
1485 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1486 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1487 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1488 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1489 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1490 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1491 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1492 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1493 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1494 FALSE, 6 },
1495 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1496 };
1497
1498
1499enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1500 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1501 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1502 CALLOUT_TIME
1503 };
1504typedef struct {
1505 uschar * name;
1506 int value;
1507 int flag;
1508 BOOL has_option; /* Has =option(s) following */
1509 BOOL timeval; /* Has a time value */
1510 } callout_opt_t;
1511static callout_opt_t callout_opt_list[] = {
1512 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1513 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1514 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1515 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1516 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1517 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1518 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1519 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1520 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1521 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1522 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1523 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1524 };
1525
1526
1527
059ec3d9
PH		 1528/* This function implements the "verify" condition. It is called when
1529encountered in any ACL, because some tests are almost always permitted. Some
1530just don't make sense, and always fail (for example, an attempt to test a host
1531lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1532
1533Arguments:
1534 where where called from
1535 addr the recipient address that the ACL is handling, or NULL
1536 arg the argument of "verify"
1537 user_msgptr pointer for user message
1538 log_msgptr pointer for log message
1539 basic_errno where to put verify errno
1540
1541Returns: OK verification condition succeeded
1542 FAIL verification failed
1543 DEFER there was a problem verifying
1544 ERROR syntax error
1545*/
1546
1547static int
1548acl_verify(int where, address_item *addr, uschar *arg,
1549 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1550{
1551int sep = '/';
1552int callout = -1;
1553int callout_overall = -1;
4deaf07d 1554int callout_connect = -1;
059ec3d9
PH		 1555int verify_options = 0;
1556int rc;
1557BOOL verify_header_sender = FALSE;
1558BOOL defer_ok = FALSE;
1559BOOL callout_defer_ok = FALSE;
1560BOOL no_details = FALSE;
eafd343b 1561BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1562address_item *sender_vaddr = NULL;
1563uschar *verify_sender_address = NULL;
1564uschar *pm_mailfrom = NULL;
1565uschar *se_mailfrom = NULL;
596875b3
PH		 1566
1567/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1568an error if options are given for items that don't expect them.
596875b3
PH		 1569*/
1570
1571uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1572uschar *list = arg;
1573uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1574verify_type_t * vp;
059ec3d9
PH		 1575
1576if (ss == NULL) goto BAD_VERIFY;
1577
1578/* Handle name/address consistency verification in a separate function. */
1579
89583014
JH		 1580for (vp= verify_type_list;
1581 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1582 vp++
1583 )
1584 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1585 : strcmpic (ss, vp->name) == 0)
1586 break;
1587if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1588 goto BAD_VERIFY;
1589
1590if (vp->no_options && slash != NULL)
059ec3d9 1591 {
89583014
JH		 1592 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1593 "(this verify item has no options)", arg);
1594 return ERROR;
059ec3d9 1595 }
89583014 1596if (!(vp->where_allowed & (1<<where)))
059ec3d9 1597 {
89583014
JH		 1598 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1599 return ERROR;
059ec3d9 1600 }
89583014 1601switch(vp->value)
596875b3 1602 {
89583014
JH		 1603 case VERIFY_REV_HOST_LKUP:
1604 if (sender_host_address == NULL) return OK;
1605 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1606
89583014
JH		 1607 case VERIFY_CERT:
1608 /* TLS certificate verification is done at STARTTLS time; here we just
1609 test whether it was successful or not. (This is for optional verification; for
1610 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1611
89583014
JH		 1612 if (tls_certificate_verified) return OK;
1613 *user_msgptr = US"no verified certificate";
1614 return FAIL;
e5a9dba6 1615
89583014
JH		 1616 case VERIFY_HELO:
1617 /* We can test the result of optional HELO verification that might have
1618 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1619
89583014
JH		 1620 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1621 return helo_verified? OK : FAIL;
059ec3d9 1622
89583014
JH		 1623 case VERIFY_CSA:
1624 /* Do Client SMTP Authorization checks in a separate function, and turn the
1625 result code into user-friendly strings. */
1c41c9cc 1626
89583014
JH		 1627 rc = acl_verify_csa(list);
1628 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1629 csa_reason_string[rc]);
1630 csa_status = csa_status_string[rc];
1631 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1632 return csa_return_code[rc];
1633
1634 case VERIFY_HDR_SYNTAX:
1635 /* Check that all relevant header lines have the correct syntax. If there is
1636 a syntax error, we return details of the error to the sender if configured to
1637 send out full details. (But a "message" setting on the ACL can override, as
1638 always). */
1639
1640 rc = verify_check_headers(log_msgptr);
1641 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1642 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1643 return rc;
059ec3d9 1644
89583014
JH		 1645 case VERIFY_NOT_BLIND:
1646 /* Check that no recipient of this message is "blind", that is, every envelope
1647 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1648
89583014
JH		 1649 rc = verify_check_notblind();
1650 if (rc != OK)
1651 {
1652 *log_msgptr = string_sprintf("bcc recipient detected");
1653 if (smtp_return_error_details)
1654 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1655 }
1656 return rc;
059ec3d9 1657
89583014
JH		 1658 /* The remaining verification tests check recipient and sender addresses,
1659 either from the envelope or from the header. There are a number of
1660 slash-separated options that are common to all of them. */
059ec3d9 1661
89583014
JH		 1662 case VERIFY_HDR_SNDR:
1663 verify_header_sender = TRUE;
1664 break;
059ec3d9 1665
89583014
JH		 1666 case VERIFY_SNDR:
1667 /* In the case of a sender, this can optionally be followed by an address to use
1668 in place of the actual sender (rare special-case requirement). */
059ec3d9 1669 {
89583014
JH		 1670 uschar *s = ss + 6;
1671 if (*s == 0)
1672 verify_sender_address = sender_address;
1673 else
1674 {
1675 while (isspace(*s)) s++;
1676 if (*s++ != '=') goto BAD_VERIFY;
1677 while (isspace(*s)) s++;
1678 verify_sender_address = string_copy(s);
1679 }
059ec3d9 1680 }
89583014
JH		 1681 break;
1682
1683 case VERIFY_RCPT:
1684 break;
059ec3d9
PH		 1685 }
1686
89583014
JH		 1687
1688
596875b3
PH		 1689/* Remaining items are optional; they apply to sender and recipient
1690verification, including "header sender" verification. */
059ec3d9
PH		 1691
1692while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1693 != NULL)
1694 {
1695 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1696 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1697 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1698
1699 /* These two old options are left for backwards compatibility */
1700
1701 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1702 {
1703 callout_defer_ok = TRUE;
1704 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1705 }
1706
1707 else if (strcmpic(ss, US"check_postmaster") == 0)
1708 {
1709 pm_mailfrom = US"";
1710 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1711 }
1712
1713 /* The callout option has a number of sub-options, comma separated */
1714
1715 else if (strncmpic(ss, US"callout", 7) == 0)
1716 {
1717 callout = CALLOUT_TIMEOUT_DEFAULT;
1718 ss += 7;
1719 if (*ss != 0)
1720 {
1721 while (isspace(*ss)) ss++;
1722 if (*ss++ == '=')
1723 {
1724 int optsep = ',';
1725 uschar *opt;
1726 uschar buffer[256];
1727 while (isspace(*ss)) ss++;
8e669ac1 1728
059ec3d9
PH		 1729 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1730 != NULL)
1731 {
89583014 1732 callout_opt_t * op;
438257ba 1733 double period = 1.0F;
059ec3d9 1734
89583014 1735 for (op= callout_opt_list; op->name; op++)
438257ba 1736 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1737 break;
059ec3d9 1738
89583014
JH		 1739 verify_options |= op->flag;
1740 if (op->has_option)
1741 {
438257ba 1742 opt += Ustrlen(op->name);
4deaf07d
PH		 1743 while (isspace(*opt)) opt++;
1744 if (*opt++ != '=')
1745 {
1746 *log_msgptr = string_sprintf("'=' expected after "
89583014 1747 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1748 return ERROR;
1749 }
1750 while (isspace(*opt)) opt++;
89583014
JH		 1751 }
1752 if (op->timeval)
1753 {
1754 period = readconf_readtime(opt, 0, FALSE);
1755 if (period < 0)
4deaf07d
PH		 1756 {
1757 *log_msgptr = string_sprintf("bad time value in ACL condition "
1758 "\"verify %s\"", arg);
1759 return ERROR;
1760 }
89583014
JH		 1761 }
1762
1763 switch(op->value)
1764 {
1765 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1766 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1767 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1768 case CALLOUT_MAILFROM:
1769 if (!verify_header_sender)
1770 {
1771 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1772 "callout option only for verify=header_sender (detected in ACL "
1773 "condition \"%s\")", arg);
1774 return ERROR;
1775 }
1776 se_mailfrom = string_copy(opt);
1777 break;
1778 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1779 case CALLOUT_MAXWAIT: callout_overall = period; break;
1780 case CALLOUT_CONNECT: callout_connect = period; break;
1781 case CALLOUT_TIME: callout = period; break;
1782 }
059ec3d9
PH		 1783 }
1784 }
1785 else
1786 {
1787 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1788 "ACL condition \"%s\"", arg);
1789 return ERROR;
1790 }
1791 }
1792 }
1793
1794 /* Option not recognized */
1795
1796 else
1797 {
1798 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1799 "condition \"verify %s\"", ss, arg);
1800 return ERROR;
1801 }
1802 }
1803
1804if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1805 (vopt_callout_recipsender|vopt_callout_recippmaster))
1806 {
1807 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1808 "for a recipient callout";
1809 return ERROR;
1810 }
1811
1812/* Handle sender-in-header verification. Default the user message to the log
1813message if giving out verification details. */
1814
1815if (verify_header_sender)
1816 {
8e669ac1 1817 int verrno;
059ec3d9 1818 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1819 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1820 &verrno);
1821 if (rc != OK)
8e669ac1 1822 {
fe5b5d0b
PH		 1823 *basic_errno = verrno;
1824 if (smtp_return_error_details)
1825 {
1826 if (*user_msgptr == NULL && *log_msgptr != NULL)
1827 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1828 if (rc == DEFER) acl_temp_details = TRUE;
1829 }
8e669ac1 1830 }
059ec3d9
PH		 1831 }
1832
1833/* Handle a sender address. The default is to verify *the* sender address, but
1834optionally a different address can be given, for special requirements. If the
1835address is empty, we are dealing with a bounce message that has no sender, so
1836we cannot do any checking. If the real sender address gets rewritten during
1837verification (e.g. DNS widening), set the flag to stop it being rewritten again
1838during message reception.
1839
1840A list of verified "sender" addresses is kept to try to avoid doing to much
1841work repetitively when there are multiple recipients in a message and they all
1842require sender verification. However, when callouts are involved, it gets too
1843complicated because different recipients may require different callout options.
1844Therefore, we always do a full sender verify when any kind of callout is
1845specified. Caching elsewhere, for instance in the DNS resolver and in the
1846callout handling, should ensure that this is not terribly inefficient. */
1847
1848else if (verify_sender_address != NULL)
1849 {
1850 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1851 != 0)
1852 {
1853 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1854 "sender verify callout";
1855 return ERROR;
1856 }
1857
1858 sender_vaddr = verify_checked_sender(verify_sender_address);
1859 if (sender_vaddr != NULL && /* Previously checked */
1860 callout <= 0) /* No callout needed this time */
1861 {
1862 /* If the "routed" flag is set, it means that routing worked before, so
1863 this check can give OK (the saved return code value, if set, belongs to a
1864 callout that was done previously). If the "routed" flag is not set, routing
1865 must have failed, so we use the saved return code. */
1866
1867 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1868 {
1869 rc = sender_vaddr->special_action;
1870 *basic_errno = sender_vaddr->basic_errno;
1871 }
1872 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1873 }
1874
1875 /* Do a new verification, and cache the result. The cache is used to avoid
1876 verifying the sender multiple times for multiple RCPTs when callouts are not
1877 specified (see comments above).
1878
1879 The cache is also used on failure to give details in response to the first
1880 RCPT that gets bounced for this reason. However, this can be suppressed by
1881 the no_details option, which sets the flag that says "this detail has already
1882 been sent". The cache normally contains just one address, but there may be
1883 more in esoteric circumstances. */
1884
1885 else
1886 {
1887 BOOL routed = TRUE;
2a3eea10 1888 uschar *save_address_data = deliver_address_data;
8e669ac1 1889
059ec3d9
PH		 1890 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1891 if (no_details) setflag(sender_vaddr, af_sverify_told);
1892 if (verify_sender_address[0] != 0)
1893 {
1894 /* If this is the real sender address, save the unrewritten version
1895 for use later in receive. Otherwise, set a flag so that rewriting the
1896 sender in verify_address() does not update sender_address. */
1897
1898 if (verify_sender_address == sender_address)
1899 sender_address_unrewritten = sender_address;
1900 else
1901 verify_options |= vopt_fake_sender;
1902
eafd343b
TK		 1903 if (success_on_redirect)
1904 verify_options |= vopt_success_on_redirect;
1905
059ec3d9
PH		 1906 /* The recipient, qualify, and expn options are never set in
1907 verify_options. */
1908
1909 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1910 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1911
1912 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1913
1914 if (rc == OK)
1915 {
1916 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1917 {
1918 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1919 verify_sender_address, sender_vaddr->address);
1920 }
1921 else
1922 {
1923 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1924 verify_sender_address);
1925 }
1926 }
1927 else *basic_errno = sender_vaddr->basic_errno;
1928 }
1929 else rc = OK; /* Null sender */
1930
1931 /* Cache the result code */
1932
1933 if (routed) setflag(sender_vaddr, af_verify_routed);
1934 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1935 sender_vaddr->special_action = rc;
1936 sender_vaddr->next = sender_verified_list;
1937 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1938
1939 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1940 the sender verification. */
8e669ac1 1941
2a3eea10 1942 deliver_address_data = save_address_data;
059ec3d9 1943 }
8e669ac1 1944
2a3eea10
PH		 1945 /* Put the sender address_data value into $sender_address_data */
1946
8e669ac1 1947 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1948 }
1949
1950/* A recipient address just gets a straightforward verify; again we must handle
1951the DEFER overrides. */
1952
1953else
1954 {
1955 address_item addr2;
1956
eafd343b
TK		 1957 if (success_on_redirect)
1958 verify_options |= vopt_success_on_redirect;
1959
059ec3d9
PH		 1960 /* We must use a copy of the address for verification, because it might
1961 get rewritten. */
1962
1963 addr2 = *addr;
1964 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1965 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1966 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1967
42855d71 1968 *basic_errno = addr2.basic_errno;
059ec3d9 1969 *log_msgptr = addr2.message;
8e669ac1 1970 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1971 addr2.user_message : addr2.message;
42855d71
PH		 1972
1973 /* Allow details for temporary error if the address is so flagged. */
1974 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1975
1976 /* Make $address_data visible */
1977 deliver_address_data = addr2.p.address_data;
1978 }
1979
1980/* We have a result from the relevant test. Handle defer overrides first. */
1981
1982if (rc == DEFER && (defer_ok ||
1983 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1984 {
1985 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1986 defer_ok? "defer_ok" : "callout_defer_ok");
1987 rc = OK;
1988 }
1989
1990/* If we've failed a sender, set up a recipient message, and point
1991sender_verified_failed to the address item that actually failed. */
1992
1993if (rc != OK && verify_sender_address != NULL)
1994 {
1995 if (rc != DEFER)
1996 {
1997 *log_msgptr = *user_msgptr = US"Sender verify failed";
1998 }
1999 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2000 {
2001 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2002 }
2003 else
2004 {
2005 *log_msgptr = US"Could not complete sender verify callout";
2006 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2007 *log_msgptr;
2008 }
2009
2010 sender_verified_failed = sender_vaddr;
2011 }
2012
2013/* Verifying an address messes up the values of $domain and $local_part,
2014so reset them before returning if this is a RCPT ACL. */
2015
2016if (addr != NULL)
2017 {
2018 deliver_domain = addr->domain;
2019 deliver_localpart = addr->local_part;
2020 }
2021return rc;
2022
2023/* Syntax errors in the verify argument come here. */
2024
2025BAD_VERIFY:
2026*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2027 "\"helo\", \"header_syntax\", \"header_sender\" or "
2028 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2029 "\"verify %s\"", arg);
2030return ERROR;
2031}
2032
2033
2034
2035
2036/*************************************************
2037* Check argument for control= modifier *
2038*************************************************/
2039
2040/* Called from acl_check_condition() below
2041
2042Arguments:
2043 arg the argument string for control=
2044 pptr set to point to the terminating character
2045 where which ACL we are in
2046 log_msgptr for error messages
2047
2048Returns: CONTROL_xxx value
2049*/
2050
2051static int
2052decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2053{
2054int len;
2055control_def *d;
2056
2057for (d = controls_list;
2058 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2059 d++)
2060 {
2061 len = Ustrlen(d->name);
2062 if (Ustrncmp(d->name, arg, len) == 0) break;
2063 }
2064
2065if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2066 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2067 {
2068 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2069 return CONTROL_ERROR;
2070 }
2071
059ec3d9
PH		 2072*pptr = arg + len;
2073return d->value;
2074}
2075
2076
2077
c99ce5c9
TF		 2078
2079/*************************************************
2080* Return a ratelimit error *
2081*************************************************/
2082
2083/* Called from acl_ratelimit() below
2084
2085Arguments:
2086 log_msgptr for error messages
2087 format format string
2088 ... supplementary arguments
2089 ss ratelimit option name
2090 where ACL_WHERE_xxxx indicating which ACL this is
2091
2092Returns: ERROR
2093*/
2094
2095static int
2096ratelimit_error(uschar **log_msgptr, const char *format, ...)
2097{
2098va_list ap;
2099uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2100va_start(ap, format);
2101if (!string_vformat(buffer, sizeof(buffer), format, ap))
2102 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2103 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2104va_end(ap);
2105*log_msgptr = string_sprintf(
2106 "error in arguments to \"ratelimit\" condition: %s", buffer);
2107return ERROR;
2108}
2109
2110
2111
2112
870f6ba8
TF		 2113/*************************************************
2114* Handle rate limiting *
2115*************************************************/
2116
2117/* Called by acl_check_condition() below to calculate the result
2118of the ACL ratelimit condition.
2119
2120Note that the return value might be slightly unexpected: if the
2121sender's rate is above the limit then the result is OK. This is
2122similar to the dnslists condition, and is so that you can write
2123ACL clauses like: defer ratelimit = 15 / 1h
2124
2125Arguments:
2126 arg the option string for ratelimit=
90fc3069 2127 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2128 log_msgptr for error messages
2129
2130Returns: OK - Sender's rate is above limit
2131 FAIL - Sender's rate is below limit
2132 DEFER - Problem opening ratelimit database
2133 ERROR - Syntax error in options.
2134*/
2135
2136static int
90fc3069 2137acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2138{
c99ce5c9 2139double limit, period, count;
8f240103
PH		 2140uschar *ss;
2141uschar *key = NULL;
c99ce5c9 2142uschar *unique = NULL;
870f6ba8 2143int sep = '/';
c99ce5c9
TF		 2144BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2145BOOL noupdate = FALSE, badacl = FALSE;
2146int mode = RATE_PER_WHAT;
870f6ba8
TF		 2147int old_pool, rc;
2148tree_node **anchor, *t;
2149open_db dbblock, *dbm;
c99ce5c9 2150int dbdb_size;
870f6ba8 2151dbdata_ratelimit *dbd;
c99ce5c9 2152dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2153struct timeval tv;
2154
2155/* Parse the first two options and record their values in expansion
2156variables. These variables allow the configuration to have informative
2157error messages based on rate limits obtained from a table lookup. */
2158
c99ce5c9 2159/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2160size, which must be greater than or equal to zero. Zero is useful for
2161rate measurement as opposed to rate limiting. */
2162
2163sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2164if (sender_rate_limit == NULL)
2165 limit = -1.0;
2166else
2167 {
2168 limit = Ustrtod(sender_rate_limit, &ss);
2169 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2170 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2171 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2172 }
c99ce5c9
TF		 2173if (limit < 0.0 || *ss != '\0')
2174 return ratelimit_error(log_msgptr,
2175 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2176
c99ce5c9 2177/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2178constant. This must be strictly greater than zero, because zero leads to
2179run-time division errors. */
2180
2181sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2182if (sender_rate_period == NULL) period = -1.0;
2183else period = readconf_readtime(sender_rate_period, 0, FALSE);
2184if (period <= 0.0)
c99ce5c9
TF		 2185 return ratelimit_error(log_msgptr,
2186 "\"%s\" is not a time value", sender_rate_period);
2187
2188/* By default we are counting one of something, but the per_rcpt,
2189per_byte, and count options can change this. */
2190
2191count = 1.0;
870f6ba8 2192
c99ce5c9 2193/* Parse the other options. */
870f6ba8
TF		 2194
2195while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2196 != NULL)
2197 {
2198 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2199 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2200 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2201 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2202 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2203 else if (strcmpic(ss, US"per_conn") == 0)
2204 {
2205 RATE_SET(mode, PER_CONN);
2206 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2207 badacl = TRUE;
2208 }
2209 else if (strcmpic(ss, US"per_mail") == 0)
2210 {
2211 RATE_SET(mode, PER_MAIL);
2212 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2213 }
2214 else if (strcmpic(ss, US"per_rcpt") == 0)
2215 {
2216 /* If we are running in the RCPT ACL, then we'll count the recipients
2217 one by one, but if we are running when we have accumulated the whole
2218 list then we'll add them all in one batch. */
2219 if (where == ACL_WHERE_RCPT)
2220 RATE_SET(mode, PER_RCPT);
2221 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2222 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2223 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2224 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2225 }
2226 else if (strcmpic(ss, US"per_byte") == 0)
2227 {
2228 /* If we have not yet received the message data and there was no SIZE
2229 declaration on the MAIL comand, then it's safe to just use a value of
2230 zero and let the recorded rate decay as if nothing happened. */
2231 RATE_SET(mode, PER_MAIL);
2232 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2233 else count = message_size < 0 ? 0.0 : (double)message_size;
2234 }
2235 else if (strcmpic(ss, US"per_addr") == 0)
2236 {
2237 RATE_SET(mode, PER_RCPT);
438257ba 2238 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2239 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2240 }
2241 else if (strncmpic(ss, US"count=", 6) == 0)
2242 {
2243 uschar *e;
2244 count = Ustrtod(ss+6, &e);
2245 if (count < 0.0 || *e != '\0')
2246 return ratelimit_error(log_msgptr,
2247 "\"%s\" is not a positive number", ss);
2248 }
2249 else if (strncmpic(ss, US"unique=", 7) == 0)
2250 unique = string_copy(ss + 7);
2251 else if (key == NULL)
2252 key = string_copy(ss);
2253 else
2254 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2255 }
2256
c99ce5c9
TF		 2257/* Sanity check. When the badacl flag is set the update mode must either
2258be readonly (which is the default if it is omitted) or, for backwards
2259compatibility, a combination of noupdate and strict or leaky. */
2260
2261if (mode == RATE_PER_CLASH)
2262 return ratelimit_error(log_msgptr, "conflicting per_* options");
2263if (leaky + strict + readonly > 1)
2264 return ratelimit_error(log_msgptr, "conflicting update modes");
2265if (badacl && (leaky || strict) && !noupdate)
2266 return ratelimit_error(log_msgptr,
2267 "\"%s\" must not have /leaky or /strict option in %s ACL",
2268 ratelimit_option_string[mode], acl_wherenames[where]);
2269
2270/* Set the default values of any unset options. In readonly mode we
2271perform the rate computation without any increment so that its value
2272decays to eventually allow over-limit senders through. */
2273
2274if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2275if (badacl) readonly = TRUE;
2276if (readonly) count = 0.0;
2277if (!strict && !readonly) leaky = TRUE;
2278if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2279
8f240103
PH		 2280/* Create the lookup key. If there is no explicit key, use sender_host_address.
2281If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2282omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2283are added to the key because they alter the meaning of the stored data. */
2284
2285if (key == NULL)
2286 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2287
c99ce5c9 2288key = string_sprintf("%s/%s/%s%s",
8f240103 2289 sender_rate_period,
c99ce5c9
TF		 2290 ratelimit_option_string[mode],
2291 unique == NULL ? "" : "unique/",
8f240103 2292 key);
870f6ba8 2293
c99ce5c9
TF		 2294HDEBUG(D_acl)
2295 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2296
8f240103
PH		 2297/* See if we have already computed the rate by looking in the relevant tree.
2298For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2299pool so that they survive across resets. In readonly mode we only remember the
2300result for the rest of this command in case a later command changes it. After
2301this bit of logic the code is independent of the per_* mode. */
870f6ba8 2302
870f6ba8
TF		 2303old_pool = store_pool;
2304
c99ce5c9
TF		 2305if (readonly)
2306 anchor = &ratelimiters_cmd;
2307else switch(mode) {
2308case RATE_PER_CONN:
870f6ba8
TF		 2309 anchor = &ratelimiters_conn;
2310 store_pool = POOL_PERM;
c99ce5c9
TF		 2311 break;
2312case RATE_PER_BYTE:
2313case RATE_PER_MAIL:
2314case RATE_PER_ALLRCPTS:
870f6ba8 2315 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2316 break;
2317case RATE_PER_ADDR:
2318case RATE_PER_CMD:
2319case RATE_PER_RCPT:
fe0dab11 2320 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2321 break;
2322default:
3399bb60 2323 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2324 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2325 "internal ACL error: unknown ratelimit mode %d", mode);
2326 break;
2327}
870f6ba8 2328
c99ce5c9
TF		 2329t = tree_search(*anchor, key);
2330if (t != NULL)
870f6ba8
TF		 2331 {
2332 dbd = t->data.ptr;
2333 /* The following few lines duplicate some of the code below. */
8f240103 2334 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2335 store_pool = old_pool;
2336 sender_rate = string_sprintf("%.1f", dbd->rate);
2337 HDEBUG(D_acl)
2338 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2339 return rc;
2340 }
2341
c99ce5c9
TF		 2342/* We aren't using a pre-computed rate, so get a previously recorded rate
2343from the database, which will be updated and written back if required. */
870f6ba8
TF		 2344
2345dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2346if (dbm == NULL)
2347 {
2348 store_pool = old_pool;
2349 sender_rate = NULL;
2350 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2351 *log_msgptr = US"ratelimit database not available";
2352 return DEFER;
2353 }
c99ce5c9
TF		 2354dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2355dbd = NULL;
870f6ba8
TF		 2356
2357gettimeofday(&tv, NULL);
2358
c99ce5c9
TF		 2359if (dbdb != NULL)
2360 {
2361 /* Locate the basic ratelimit block inside the DB data. */
2362 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2363 dbd = &dbdb->dbd;
2364
2365 /* Forget the old Bloom filter if it is too old, so that we count each
2366 repeating event once per period. We don't simply clear and re-use the old
2367 filter because we want its size to change if the limit changes. Note that
2368 we keep the dbd pointer for copying the rate into the new data block. */
2369
2370 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2371 {
2372 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2373 dbdb = NULL;
2374 }
2375
2376 /* Sanity check. */
2377
2378 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2379 {
2380 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2381 dbdb = NULL;
2382 }
2383 }
2384
2385/* Allocate a new data block if the database lookup failed
2386or the Bloom filter passed its age limit. */
2387
2388if (dbdb == NULL)
2389 {
2390 if (unique == NULL)
2391 {
2392 /* No Bloom filter. This basic ratelimit block is initialized below. */
2393 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2394 dbdb_size = sizeof(*dbd);
2395 dbdb = store_get(dbdb_size);
2396 }
2397 else
2398 {
2399 int extra;
2400 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2401
2402 /* See the long comment below for an explanation of the magic number 2.
2403 The filter has a minimum size in case the rate limit is very small;
2404 this is determined by the definition of dbdata_ratelimit_unique. */
2405
2406 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2407 if (extra < 0) extra = 0;
2408 dbdb_size = sizeof(*dbdb) + extra;
2409 dbdb = store_get(dbdb_size);
2410 dbdb->bloom_epoch = tv.tv_sec;
2411 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2412 memset(dbdb->bloom, 0, dbdb->bloom_size);
2413
2414 /* Preserve any basic ratelimit data (which is our longer-term memory)
2415 by copying it from the discarded block. */
2416
2417 if (dbd != NULL)
2418 {
2419 dbdb->dbd = *dbd;
2420 dbd = &dbdb->dbd;
2421 }
2422 }
2423 }
2424
2425/* If we are counting unique events, find out if this event is new or not.
2426If the client repeats the event during the current period then it should be
2427counted. We skip this code in readonly mode for efficiency, because any
2428changes to the filter will be discarded and because count is already set to
2429zero. */
2430
2431if (unique != NULL && !readonly)
2432 {
2433 /* We identify unique events using a Bloom filter. (You can find my
2434 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2435 With the per_addr option, an "event" is a recipient address, though the
2436 user can use the unique option to define their own events. We only count
2437 an event if we have not seen it before.
2438
2439 We size the filter according to the rate limit, which (in leaky mode)
2440 is the limit on the population of the filter. We allow 16 bits of space
2441 per entry (see the construction code above) and we set (up to) 8 of them
2442 when inserting an element (see the loop below). The probability of a false
2443 positive (an event we have not seen before but which we fail to count) is
2444
2445 size = limit * 16
2446 numhash = 8
2447 allzero = exp(-numhash * pop / size)
2448 = exp(-0.5 * pop / limit)
2449 fpr = pow(1 - allzero, numhash)
2450
2451 For senders at the limit the fpr is 0.06% or 1 in 1700
2452 and for senders at half the limit it is 0.0006% or 1 in 170000
2453
2454 In strict mode the Bloom filter can fill up beyond the normal limit, in
2455 which case the false positive rate will rise. This means that the
2456 measured rate for very fast senders can bogusly drop off after a while.
2457
2458 At twice the limit, the fpr is 2.5% or 1 in 40
2459 At four times the limit, it is 31% or 1 in 3.2
2460
2461 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2462 decay below the limit, and if this is more than one then the Bloom filter
2463 will be discarded before the decay gets that far. The false positive rate
2464 at this threshold is 9.3% or 1 in 10.7. */
2465
2466 BOOL seen;
2467 unsigned n, hash, hinc;
2468 uschar md5sum[16];
2469 md5 md5info;
2470
2471 /* Instead of using eight independent hash values, we combine two values
2472 using the formula h1 + n * h2. This does not harm the Bloom filter's
2473 performance, and means the amount of hash we need is independent of the
2474 number of bits we set in the filter. */
2475
2476 md5_start(&md5info);
2477 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2478 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2479 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2480
2481 /* Scan the bits corresponding to this event. A zero bit means we have
2482 not seen it before. Ensure all bits are set to record this event. */
2483
2484 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2485
2486 seen = TRUE;
2487 for (n = 0; n < 8; n++, hash += hinc)
2488 {
2489 int bit = 1 << (hash % 8);
2490 int byte = (hash / 8) % dbdb->bloom_size;
2491 if ((dbdb->bloom[byte] & bit) == 0)
2492 {
2493 dbdb->bloom[byte] |= bit;
2494 seen = FALSE;
2495 }
2496 }
2497
2498 /* If this event has occurred before, do not count it. */
2499
2500 if (seen)
2501 {
2502 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2503 count = 0.0;
2504 }
2505 else
2506 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2507 }
2508
2509/* If there was no previous ratelimit data block for this key, initialize
2510the new one, otherwise update the block from the database. The initial rate
2511is what would be computed by the code below for an infinite interval. */
2512
870f6ba8
TF		 2513if (dbd == NULL)
2514 {
c99ce5c9
TF		 2515 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2516 dbd = &dbdb->dbd;
870f6ba8
TF		 2517 dbd->time_stamp = tv.tv_sec;
2518 dbd->time_usec = tv.tv_usec;
c99ce5c9 2519 dbd->rate = count;
870f6ba8
TF		 2520 }
2521else
2522 {
2523 /* The smoothed rate is computed using an exponentially weighted moving
2524 average adjusted for variable sampling intervals. The standard EWMA for
2525 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2526 where f() is the measured value and f'() is the smoothed value.
2527
2528 Old data decays out of the smoothed value exponentially, such that data n
2529 samples old is multiplied by a^n. The exponential decay time constant p
2530 is defined such that data p samples old is multiplied by 1/e, which means
2531 that a = exp(-1/p). We can maintain the same time constant for a variable
2532 sampling interval i by using a = exp(-i/p).
2533
2534 The rate we are measuring is messages per period, suitable for directly
2535 comparing with the limit. The average rate between now and the previous
2536 message is period / interval, which we feed into the EWMA as the sample.
2537
2538 It turns out that the number of messages required for the smoothed rate
2539 to reach the limit when they are sent in a burst is equal to the limit.
2540 This can be seen by analysing the value of the smoothed rate after N
2541 messages sent at even intervals. Let k = (1 - a) * p/i
2542
2543 rate_1 = (1 - a) * p/i + a * rate_0
2544 = k + a * rate_0
2545 rate_2 = k + a * rate_1
2546 = k + a * k + a^2 * rate_0
2547 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2548 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2549 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2550 = rate_0 * a^N + p/i * (1 - a^N)
2551
2552 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2553
2554 rate_N = p/i + (rate_0 - p/i) * a^N
2555 a^N = (rate_N - p/i) / (rate_0 - p/i)
2556 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2557 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2558
2559 Numerical analysis of the above equation, setting the computed rate to
2560 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2561 rates, p/i, the number of messages N = limit. So limit serves as both the
2562 maximum rate measured in messages per period, and the maximum number of
2563 messages that can be sent in a fast burst. */
2564
2565 double this_time = (double)tv.tv_sec
2566 + (double)tv.tv_usec / 1000000.0;
2567 double prev_time = (double)dbd->time_stamp
2568 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2569
2570 /* We must avoid division by zero, and deal gracefully with the clock going
2571 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2572 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2573
e5d5a95f
TF		 2574 double interval = this_time - prev_time <= 0.0 ? 1e-9
2575 : this_time - prev_time;
2576
2577 double i_over_p = interval / period;
2578 double a = exp(-i_over_p);
870f6ba8 2579
c99ce5c9
TF		 2580 /* Combine the instantaneous rate (period / interval) with the previous rate
2581 using the smoothing factor a. In order to measure sized events, multiply the
2582 instantaneous rate by the count of bytes or recipients etc. */
2583
870f6ba8
TF		 2584 dbd->time_stamp = tv.tv_sec;
2585 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2586 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2587
2588 /* When events are very widely spaced the computed rate tends towards zero.
2589 Although this is accurate it turns out not to be useful for our purposes,
2590 especially when the first event after a long silence is the start of a spam
2591 run. A more useful model is that the rate for an isolated event should be the
2592 size of the event per the period size, ignoring the lack of events outside
2593 the current period and regardless of where the event falls in the period. So,
2594 if the interval was so long that the calculated rate is unhelpfully small, we
2595 re-intialize the rate. In the absence of higher-rate bursts, the condition
2596 below is true if the interval is greater than the period. */
2597
2598 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2599 }
2600
c99ce5c9
TF		 2601/* Clients sending at the limit are considered to be over the limit.
2602This matters for edge cases such as a limit of zero, when the client
2603should be completely blocked. */
3348576f 2604
8f240103 2605rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2606
2607/* Update the state if the rate is low or if we are being strict. If we
2608are in leaky mode and the sender's rate is too high, we do not update
2609the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2610rate preventing them from getting any email through. If readonly is set,
2611neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2612
c99ce5c9 2613if ((rc == FAIL && leaky) || strict)
8f240103 2614 {
c99ce5c9 2615 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2616 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2617 }
2618else
2619 {
2620 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2621 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2622 }
2623
870f6ba8
TF		 2624dbfn_close(dbm);
2625
c99ce5c9 2626/* Store the result in the tree for future reference. */
870f6ba8 2627
c99ce5c9
TF		 2628t = store_get(sizeof(tree_node) + Ustrlen(key));
2629t->data.ptr = dbd;
2630Ustrcpy(t->name, key);
2631(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2632
2633/* We create the formatted version of the sender's rate very late in
2634order to ensure that it is done using the correct storage pool. */
2635
2636store_pool = old_pool;
2637sender_rate = string_sprintf("%.1f", dbd->rate);
2638
2639HDEBUG(D_acl)
2640 debug_printf("ratelimit computed rate %s\n", sender_rate);
2641
2642return rc;
2643}
2644
2645
2646
059ec3d9
PH		 2647/*************************************************
2648* Handle conditions/modifiers on an ACL item *
2649*************************************************/
2650
2651/* Called from acl_check() below.
2652
2653Arguments:
2654 verb ACL verb
2655 cb ACL condition block - if NULL, result is OK
2656 where where called from
2657 addr the address being checked for RCPT, or NULL
2658 level the nesting level
2659 epp pointer to pass back TRUE if "endpass" encountered
2660 (applies only to "accept" and "discard")
2661 user_msgptr user message pointer
2662 log_msgptr log message pointer
2663 basic_errno pointer to where to put verify error
2664
2665Returns: OK - all conditions are met
2666 DISCARD - an "acl" condition returned DISCARD - only allowed
2667 for "accept" or "discard" verbs
2668 FAIL - at least one condition fails
2669 FAIL_DROP - an "acl" condition returned FAIL_DROP
2670 DEFER - can't tell at the moment (typically, lookup defer,
2671 but can be temporary callout problem)
2672 ERROR - ERROR from nested ACL or expansion failure or other
2673 error
2674*/
2675
2676static int
2677acl_check_condition(int verb, acl_condition_block *cb, int where,
2678 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2679 uschar **log_msgptr, int *basic_errno)
2680{
2681uschar *user_message = NULL;
2682uschar *log_message = NULL;
ed7f7860
PP		 2683uschar *debug_tag = NULL;
2684uschar *debug_opts = NULL;
91ecef39 2685uschar *p = NULL;
059ec3d9 2686int rc = OK;
8523533c
TK		 2687#ifdef WITH_CONTENT_SCAN
2688int sep = '/';
2689#endif
059ec3d9
PH		 2690
2691for (; cb != NULL; cb = cb->next)
2692 {
2693 uschar *arg;
8e669ac1 2694 int control_type;
059ec3d9
PH		 2695
2696 /* The message and log_message items set up messages to be used in
2697 case of rejection. They are expanded later. */
2698
2699 if (cb->type == ACLC_MESSAGE)
2700 {
2701 user_message = cb->arg;
2702 continue;
2703 }
2704
2705 if (cb->type == ACLC_LOG_MESSAGE)
2706 {
2707 log_message = cb->arg;
2708 continue;
2709 }
2710
2711 /* The endpass "condition" just sets a flag to show it occurred. This is
2712 checked at compile time to be on an "accept" or "discard" item. */
2713
2714 if (cb->type == ACLC_ENDPASS)
2715 {
2716 *epp = TRUE;
2717 continue;
2718 }
2719
2720 /* For other conditions and modifiers, the argument is expanded now for some
2721 of them, but not for all, because expansion happens down in some lower level
2722 checking functions in some cases. */
2723
2724 if (cond_expand_at_top[cb->type])
2725 {
2726 arg = expand_string(cb->arg);
2727 if (arg == NULL)
2728 {
2729 if (expand_string_forcedfail) continue;
2730 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2731 cb->arg, expand_string_message);
2732 return search_find_defer? DEFER : ERROR;
2733 }
2734 }
2735 else arg = cb->arg;
2736
2737 /* Show condition, and expanded condition if it's different */
2738
2739 HDEBUG(D_acl)
2740 {
2741 int lhswidth = 0;
2742 debug_printf("check %s%s %n",
2743 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2744 conditions[cb->type], &lhswidth);
2745
2746 if (cb->type == ACLC_SET)
2747 {
38a0a95f
PH		 2748 debug_printf("acl_%s ", cb->u.varname);
2749 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2750 }
2751
2752 debug_printf("= %s\n", cb->arg);
2753
2754 if (arg != cb->arg)
2755 debug_printf("%.*s= %s\n", lhswidth,
2756 US" ", CS arg);
2757 }
2758
2759 /* Check that this condition makes sense at this time */
2760
2761 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2762 {
2763 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2764 cond_modifiers[cb->type]? "use" : "test",
2765 conditions[cb->type], acl_wherenames[where]);
2766 return ERROR;
2767 }
2768
2769 /* Run the appropriate test for each condition, or take the appropriate
2770 action for the remaining modifiers. */
2771
2772 switch(cb->type)
2773 {
71fafd95
PH		 2774 case ACLC_ADD_HEADER:
2775 setup_header(arg);
2776 break;
2777
059ec3d9
PH		 2778 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2779 "discard" verb. */
71fafd95 2780
059ec3d9
PH		 2781 case ACLC_ACL:
2782 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2783 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2784 {
2785 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2786 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2787 verbs[verb]);
2788 return ERROR;
2789 }
2790 break;
2791
2792 case ACLC_AUTHENTICATED:
2793 rc = (sender_host_authenticated == NULL)? FAIL :
2794 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2795 TRUE, NULL);
2796 break;
2797
71fafd95 2798 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2799 case ACLC_BMI_OPTIN:
2800 {
2801 int old_pool = store_pool;
2802 store_pool = POOL_PERM;
2803 bmi_current_optin = string_copy(arg);
2804 store_pool = old_pool;
2805 }
2806 break;
71fafd95 2807 #endif
8523533c 2808
059ec3d9 2809 case ACLC_CONDITION:
f3766eb5
NM		 2810 /* The true/false parsing here should be kept in sync with that used in
2811 expand.c when dealing with ECOND_BOOL so that we don't have too many
2812 different definitions of what can be a boolean. */
059ec3d9
PH		 2813 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2814 rc = (Uatoi(arg) == 0)? FAIL : OK;
2815 else
2816 rc = (strcmpic(arg, US"no") == 0 ||
2817 strcmpic(arg, US"false") == 0)? FAIL :
2818 (strcmpic(arg, US"yes") == 0 ||
2819 strcmpic(arg, US"true") == 0)? OK : DEFER;
2820 if (rc == DEFER)
2821 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2822 break;
2823
c3611384
PH		 2824 case ACLC_CONTINUE: /* Always succeeds */
2825 break;
2826
059ec3d9 2827 case ACLC_CONTROL:
c5fcb476
PH		 2828 control_type = decode_control(arg, &p, where, log_msgptr);
2829
8523533c 2830 /* Check if this control makes sense at this time */
c5fcb476
PH		 2831
2832 if ((control_forbids[control_type] & (1 << where)) != 0)
2833 {
2834 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2835 controls[control_type], acl_wherenames[where]);
2836 return ERROR;
8e669ac1 2837 }
c5fcb476
PH		 2838
2839 switch(control_type)
059ec3d9 2840 {
c46782ef
PH		 2841 case CONTROL_AUTH_UNADVERTISED:
2842 allow_auth_unadvertised = TRUE;
2843 break;
2844
2845 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2846 case CONTROL_BMI_RUN:
2847 bmi_run = 1;
2848 break;
c46782ef
PH		 2849 #endif
2850
80a47a2c 2851 #ifndef DISABLE_DKIM
f7572e5a 2852 case CONTROL_DKIM_VERIFY:
80a47a2c 2853 dkim_disable_verify = TRUE;
f7572e5a
TK		 2854 break;
2855 #endif
2856
13363eba
PP		 2857 case CONTROL_DSCP:
2858 if (*p == '/')
2859 {
2860 int fd, af, level, optname, value;
2861 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2862 a socket; we can accept that, we'll just debug-log failures anyway. */
2863 fd = fileno(smtp_in);
2864 af = ip_get_address_family(fd);
2865 if (af < 0)
2866 {
2867 HDEBUG(D_acl)
2868 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2869 strerror(errno));
2870 break;
2871 }
2872 if (dscp_lookup(p+1, af, &level, &optname, &value))
2873 {
2874 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2875 {
2876 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2877 p+1, strerror(errno));
2878 }
2879 else
2880 {
2881 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2882 }
2883 }
2884 else
2885 {
2886 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2887 return ERROR;
2888 }
2889 }
2890 else
2891 {
2892 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2893 return ERROR;
2894 }
2895 break;
2896
059ec3d9
PH		 2897 case CONTROL_ERROR:
2898 return ERROR;
2899
2900 case CONTROL_CASEFUL_LOCAL_PART:
2901 deliver_localpart = addr->cc_local_part;
2902 break;
2903
2904 case CONTROL_CASELOWER_LOCAL_PART:
2905 deliver_localpart = addr->lc_local_part;
2906 break;
2907
2908 case CONTROL_ENFORCE_SYNC:
2909 smtp_enforce_sync = TRUE;
2910 break;
2911
2912 case CONTROL_NO_ENFORCE_SYNC:
2913 smtp_enforce_sync = FALSE;
2914 break;
2915
c46782ef 2916 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2917 case CONTROL_NO_MBOX_UNSPOOL:
2918 no_mbox_unspool = TRUE;
2919 break;
c46782ef 2920 #endif
8523533c 2921
059ec3d9
PH		 2922 case CONTROL_NO_MULTILINE:
2923 no_multiline_responses = TRUE;
2924 break;
2925
cf8b11a5
PH		 2926 case CONTROL_NO_PIPELINING:
2927 pipelining_enable = FALSE;
2928 break;
2929
047bdd8c
PH		 2930 case CONTROL_NO_DELAY_FLUSH:
2931 disable_delay_flush = TRUE;
2932 break;
2933
4c590bd1
PH		 2934 case CONTROL_NO_CALLOUT_FLUSH:
2935 disable_callout_flush = TRUE;
2936 break;
2937
29aba418 2938 case CONTROL_FAKEDEFER:
8523533c 2939 case CONTROL_FAKEREJECT:
29aba418 2940 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2941 if (*p == '/')
8e669ac1 2942 {
8523533c 2943 uschar *pp = p + 1;
8e669ac1 2944 while (*pp != 0) pp++;
29aba418 2945 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2946 p = pp;
2947 }
2948 else
2949 {
2950 /* Explicitly reset to default string */
29aba418 2951 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2952 }
2953 break;
8523533c 2954
059ec3d9
PH		 2955 case CONTROL_FREEZE:
2956 deliver_freeze = TRUE;
2957 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2958 freeze_tell = freeze_tell_config; /* Reset to configured value */
2959 if (Ustrncmp(p, "/no_tell", 8) == 0)
2960 {
2961 p += 8;
2962 freeze_tell = NULL;
2963 }
2964 if (*p != 0)
2965 {
2966 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2967 return ERROR;
2968 }
059ec3d9
PH		 2969 break;
2970
2971 case CONTROL_QUEUE_ONLY:
2972 queue_only_policy = TRUE;
2973 break;
2974
2975 case CONTROL_SUBMISSION:
87ba3f5f 2976 originator_name = US"";
059ec3d9 2977 submission_mode = TRUE;
69358f02 2978 while (*p == '/')
8e669ac1 2979 {
69358f02
PH		 2980 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2981 {
2982 p += 14;
2983 active_local_sender_retain = TRUE;
8e669ac1
PH		 2984 active_local_from_check = FALSE;
2985 }
69358f02
PH		 2986 else if (Ustrncmp(p, "/domain=", 8) == 0)
2987 {
2988 uschar *pp = p + 8;
8e669ac1 2989 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2990 submission_domain = string_copyn(p+8, pp-p-8);
2991 p = pp;
2992 }
8857ccfd
PH		 2993 /* The name= option must be last, because it swallows the rest of
2994 the string. */
87ba3f5f
PH		 2995 else if (Ustrncmp(p, "/name=", 6) == 0)
2996 {
2997 uschar *pp = p + 6;
8857ccfd 2998 while (*pp != 0) pp++;
2fe1a124 2999 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3000 big_buffer, big_buffer_size));
8e669ac1 3001 p = pp;
69358f02 3002 }
8e669ac1
PH		 3003 else break;
3004 }
69358f02 3005 if (*p != 0)
059ec3d9 3006 {
69358f02 3007 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3008 return ERROR;
3009 }
3010 break;
8800895a 3011
ed7f7860
PP		 3012 case CONTROL_DEBUG:
3013 while (*p == '/')
3014 {
3015 if (Ustrncmp(p, "/tag=", 5) == 0)
3016 {
3017 uschar *pp = p + 5;
3018 while (*pp != '\0' && *pp != '/') pp++;
3019 debug_tag = string_copyn(p+5, pp-p-5);
3020 p = pp;
3021 }
3022 else if (Ustrncmp(p, "/opts=", 6) == 0)
3023 {
3024 uschar *pp = p + 6;
3025 while (*pp != '\0' && *pp != '/') pp++;
3026 debug_opts = string_copyn(p+6, pp-p-6);
3027 p = pp;
3028 }
3029 }
3030 debug_logging_activate(debug_tag, debug_opts);
3031 break;
3032
8800895a
PH		 3033 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3034 suppress_local_fixups = TRUE;
3035 break;
059ec3d9
PH		 3036 }
3037 break;
3038
6a8f9482
TK		 3039 #ifdef EXPERIMENTAL_DCC
3040 case ACLC_DCC:
3041 {
3042 /* Seperate the regular expression and any optional parameters. */
3043 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3044 /* Run the dcc backend. */
3045 rc = dcc_process(&ss);
3046 /* Modify return code based upon the existance of options. */
3047 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3048 != NULL) {
3049 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3050 {
3051 /* FAIL so that the message is passed to the next ACL */
3052 rc = FAIL;
3053 }
3054 }
3055 }
3056 break;
3057 #endif
3058
71fafd95 3059 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3060 case ACLC_DECODE:
3061 rc = mime_decode(&arg);
3062 break;
71fafd95 3063 #endif
8523533c 3064
059ec3d9
PH		 3065 case ACLC_DELAY:
3066 {
3067 int delay = readconf_readtime(arg, 0, FALSE);
3068 if (delay < 0)
3069 {
3070 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3071 "modifier: \"%s\" is not a time value", arg);
3072 return ERROR;
3073 }
3074 else
3075 {
3076 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3077 delay);
3078 if (host_checking)
3079 {
3080 HDEBUG(D_acl)
3081 debug_printf("delay skipped in -bh checking mode\n");
3082 }
010c2d14
PH		 3083
3084 /* It appears to be impossible to detect that a TCP/IP connection has
3085 gone away without reading from it. This means that we cannot shorten
3086 the delay below if the client goes away, because we cannot discover
3087 that the client has closed its end of the connection. (The connection
3088 is actually in a half-closed state, waiting for the server to close its
3089 end.) It would be nice to be able to detect this state, so that the
3090 Exim process is not held up unnecessarily. However, it seems that we
3091 can't. The poll() function does not do the right thing, and in any case
3092 it is not always available.
3093
047bdd8c 3094 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3095 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3096 Also, delays may be specified for non-SMTP input, where smtp_out and
3097 smtp_in will be NULL. Whatever is done must work in all cases.
3098
3099 NOTE 2: The added feature of flushing the output before a delay must
3100 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3101 */
010c2d14 3102
8e669ac1 3103 else
86b8287f 3104 {
14f4a80d 3105 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3106 while (delay > 0) delay = sleep(delay);
8e669ac1 3107 }
059ec3d9
PH		 3108 }
3109 }
3110 break;
3111
71fafd95 3112 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3113 case ACLC_DEMIME:
3114 rc = demime(&arg);
3115 break;
71fafd95 3116 #endif
8523533c 3117
80a47a2c
TK		 3118 #ifndef DISABLE_DKIM
3119 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3120 if (dkim_cur_signer != NULL)
3121 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3122 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3123 else
80a47a2c 3124 rc = FAIL;
71fafd95
PH		 3125 break;
3126
80a47a2c
TK		 3127 case ACLC_DKIM_STATUS:
3128 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3129 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3130 break;
3131 #endif
fb2274d4 3132
059ec3d9
PH		 3133 case ACLC_DNSLISTS:
3134 rc = verify_check_dnsbl(&arg);
3135 break;
3136
3137 case ACLC_DOMAINS:
3138 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3139 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3140 break;
3141
3142 /* The value in tls_cipher is the full cipher name, for example,
3143 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3144 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3145 what may in practice come out of the SSL library - which at the time of
3146 writing is poorly documented. */
3147
3148 case ACLC_ENCRYPTED:
3149 if (tls_cipher == NULL) rc = FAIL; else
3150 {
3151 uschar *endcipher = NULL;
3152 uschar *cipher = Ustrchr(tls_cipher, ':');
3153 if (cipher == NULL) cipher = tls_cipher; else
3154 {
3155 endcipher = Ustrchr(++cipher, ':');
3156 if (endcipher != NULL) *endcipher = 0;
3157 }
3158 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3159 if (endcipher != NULL) *endcipher = ':';
3160 }
3161 break;
3162
3163 /* Use verify_check_this_host() instead of verify_check_host() so that
3164 we can pass over &host_data to catch any looked up data. Once it has been
3165 set, it retains its value so that it's still there if another ACL verb
3166 comes through here and uses the cache. However, we must put it into
3167 permanent store in case it is also expected to be used in a subsequent
3168 message in the same SMTP connection. */
3169
3170 case ACLC_HOSTS:
3171 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3172 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3173 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3174 break;
3175
3176 case ACLC_LOCAL_PARTS:
3177 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3178 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3179 &deliver_localpart_data);
3180 break;
3181
6ea85e9a
PH		 3182 case ACLC_LOG_REJECT_TARGET:
3183 {
3184 int logbits = 0;
3185 int sep = 0;
3186 uschar *s = arg;
3187 uschar *ss;
3188 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3189 != NULL)
3190 {
3191 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3192 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3193 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3194 else
3195 {
3196 logbits |= LOG_MAIN|LOG_REJECT;
3197 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3198 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3199 }
3200 }
3201 log_reject_target = logbits;
3202 }
3203 break;
3204
059ec3d9
PH		 3205 case ACLC_LOGWRITE:
3206 {
3207 int logbits = 0;
3208 uschar *s = arg;
3209 if (*s == ':')
3210 {
3211 s++;
3212 while (*s != ':')
3213 {
3214 if (Ustrncmp(s, "main", 4) == 0)
3215 { logbits |= LOG_MAIN; s += 4; }
3216 else if (Ustrncmp(s, "panic", 5) == 0)
3217 { logbits |= LOG_PANIC; s += 5; }
3218 else if (Ustrncmp(s, "reject", 6) == 0)
3219 { logbits |= LOG_REJECT; s += 6; }
3220 else
3221 {
3222 logbits = LOG_MAIN|LOG_PANIC;
3223 s = string_sprintf(":unknown log name in \"%s\" in "
3224 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3225 }
3226 if (*s == ',') s++;
3227 }
3228 s++;
3229 }
3230 while (isspace(*s)) s++;
6ea85e9a
PH		 3231
3232
059ec3d9
PH		 3233 if (logbits == 0) logbits = LOG_MAIN;
3234 log_write(0, logbits, "%s", string_printing(s));
3235 }
3236 break;
8e669ac1 3237
71fafd95 3238 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3239 case ACLC_MALWARE:
3240 {
6ea85e9a 3241 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3242 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3243 /* Run the malware backend. */
3244 rc = malware(&ss);
3245 /* Modify return code based upon the existance of options. */
3246 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3247 != NULL) {
3248 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3249 {
3250 /* FAIL so that the message is passed to the next ACL */
3251 rc = FAIL;
3252 }
3253 }
3254 }
3255 break;
3256
3257 case ACLC_MIME_REGEX:
71fafd95 3258 rc = mime_regex(&arg);
8523533c 3259 break;
71fafd95 3260 #endif
059ec3d9 3261
870f6ba8 3262 case ACLC_RATELIMIT:
90fc3069 3263 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3264 break;
3265
059ec3d9
PH		 3266 case ACLC_RECIPIENTS:
3267 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3268 &recipient_data);
3269 break;
3270
71fafd95
PH		 3271 #ifdef WITH_CONTENT_SCAN
3272 case ACLC_REGEX:
3273 rc = regex(&arg);
8523533c 3274 break;
71fafd95 3275 #endif
8523533c 3276
059ec3d9
PH		 3277 case ACLC_SENDER_DOMAINS:
3278 {
3279 uschar *sdomain;
3280 sdomain = Ustrrchr(sender_address, '@');
3281 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3282 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3283 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3284 }
3285 break;
3286
3287 case ACLC_SENDERS:
3288 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3289 sender_address_cache, -1, 0, &sender_data);
3290 break;
3291
3292 /* Connection variables must persist forever */
3293
3294 case ACLC_SET:
3295 {
3296 int old_pool = store_pool;
38a0a95f
PH		 3297 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3298 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3299 store_pool = old_pool;
3300 }
3301 break;
3302
71fafd95 3303 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3304 case ACLC_SPAM:
3305 {
3306 /* Seperate the regular expression and any optional parameters. */
3307 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3308 /* Run the spam backend. */
3309 rc = spam(&ss);
3310 /* Modify return code based upon the existance of options. */
3311 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3312 != NULL) {
3313 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3314 {
3315 /* FAIL so that the message is passed to the next ACL */
3316 rc = FAIL;
3317 }
3318 }
3319 }
3320 break;
71fafd95 3321 #endif
8523533c 3322
71fafd95 3323 #ifdef EXPERIMENTAL_SPF
8523533c 3324 case ACLC_SPF:
65a7d8c3
NM		 3325 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3326 break;
3327 case ACLC_SPF_GUESS:
3328 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3329 break;
71fafd95 3330 #endif
8523533c 3331
059ec3d9
PH		 3332 /* If the verb is WARN, discard any user message from verification, because
3333 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3334 only from explicit "message" modifiers. However, put the user message into
3335 $acl_verify_message so it can be used in subsequent conditions or modifiers
3336 (until something changes it). */
059ec3d9
PH		 3337
3338 case ACLC_VERIFY:
3339 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3340 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3341 if (verb == ACL_WARN) *user_msgptr = NULL;
3342 break;
3343
3344 default:
3345 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3346 "condition %d", cb->type);
3347 break;
3348 }
3349
3350 /* If a condition was negated, invert OK/FAIL. */
3351
3352 if (!cond_modifiers[cb->type] && cb->u.negated)
3353 {
3354 if (rc == OK) rc = FAIL;
3355 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3356 }
3357
3358 if (rc != OK) break; /* Conditions loop */
3359 }
3360
3361
3362/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3363handle the values of these modifiers. If there isn't a log message set, we make
3364it the same as the user message.
059ec3d9
PH		 3365
3366"message" is a user message that will be included in an SMTP response. Unless
3367it is empty, it overrides any previously set user message.
3368
3369"log_message" is a non-user message, and it adds to any existing non-user
3370message that is already set.
3371
4e88a19f
PH		 3372Most verbs have but a single return for which the messages are relevant, but
3373for "discard", it's useful to have the log message both when it succeeds and
3374when it fails. For "accept", the message is used in the OK case if there is no
3375"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3376present. */
059ec3d9 3377
4e88a19f
PH		 3378if (*epp && rc == OK) user_message = NULL;
3379
3380if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3381 {
3382 uschar *expmessage;
4e88a19f
PH		 3383 uschar *old_user_msgptr = *user_msgptr;
3384 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3385
3386 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3387 nested ACLs) are always discarded. This also happens for acceptance verbs
3388 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3389 However, the value of an existing message is available in $acl_verify_message
3390 during expansions. */
3391
4e88a19f
PH		 3392 if (verb == ACL_WARN ||
3393 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3394 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3395
3396 if (user_message != NULL)
3397 {
3398 acl_verify_message = old_user_msgptr;
3399 expmessage = expand_string(user_message);
3400 if (expmessage == NULL)
3401 {
3402 if (!expand_string_forcedfail)
3403 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3404 user_message, expand_string_message);
3405 }
3406 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3407 }
3408
3409 if (log_message != NULL)
3410 {
3411 acl_verify_message = old_log_msgptr;
3412 expmessage = expand_string(log_message);
3413 if (expmessage == NULL)
3414 {
3415 if (!expand_string_forcedfail)
3416 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3417 log_message, expand_string_message);
3418 }
3419 else if (expmessage[0] != 0)
3420 {
3421 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3422 string_sprintf("%s: %s", expmessage, *log_msgptr);
3423 }
3424 }
3425
3426 /* If no log message, default it to the user message */
3427
3428 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3429 }
3430
3431acl_verify_message = NULL;
3432return rc;
3433}
3434
3435
3436
3437
3438
3439/*************************************************
3440* Get line from a literal ACL *
3441*************************************************/
3442
3443/* This function is passed to acl_read() in order to extract individual lines
3444of a literal ACL, which we access via static pointers. We can destroy the
3445contents because this is called only once (the compiled ACL is remembered).
3446
3447This code is intended to treat the data in the same way as lines in the main
3448Exim configuration file. That is:
3449
3450 . Leading spaces are ignored.
3451
3452 . A \ at the end of a line is a continuation - trailing spaces after the \
3453 are permitted (this is because I don't believe in making invisible things
3454 significant). Leading spaces on the continued part of a line are ignored.
3455
3456 . Physical lines starting (significantly) with # are totally ignored, and
3457 may appear within a sequence of backslash-continued lines.
3458
3459 . Blank lines are ignored, but will end a sequence of continuations.
3460
3461Arguments: none
3462Returns: a pointer to the next line
3463*/
3464
3465
3466static uschar *acl_text; /* Current pointer in the text */
3467static uschar *acl_text_end; /* Points one past the terminating '0' */
3468
3469
3470static uschar *
3471acl_getline(void)
3472{
3473uschar *yield;
3474
3475/* This loop handles leading blank lines and comments. */
3476
3477for(;;)
3478 {
3479 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3480 if (*acl_text == 0) return NULL; /* No more data */
3481 yield = acl_text; /* Potential data line */
3482
3483 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3484
3485 /* If we hit the end before a newline, we have the whole logical line. If
3486 it's a comment, there's no more data to be given. Otherwise, yield it. */
3487
3488 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3489
3490 /* After reaching a newline, end this loop if the physical line does not
3491 start with '#'. If it does, it's a comment, and the loop continues. */
3492
3493 if (*yield != '#') break;
3494 }
3495
3496/* This loop handles continuations. We know we have some real data, ending in
3497newline. See if there is a continuation marker at the end (ignoring trailing
3498white space). We know that *yield is not white space, so no need to test for
3499cont > yield in the backwards scanning loop. */
3500
3501for(;;)
3502 {
3503 uschar *cont;
3504 for (cont = acl_text - 1; isspace(*cont); cont--);
3505
3506 /* If no continuation follows, we are done. Mark the end of the line and
3507 return it. */
3508
3509 if (*cont != '\\')
3510 {
3511 *acl_text++ = 0;
3512 return yield;
3513 }
3514
3515 /* We have encountered a continuation. Skip over whitespace at the start of
3516 the next line, and indeed the whole of the next line or lines if they are
3517 comment lines. */
3518
3519 for (;;)
3520 {
3521 while (*(++acl_text) == ' ' || *acl_text == '\t');
3522 if (*acl_text != '#') break;
3523 while (*(++acl_text) != 0 && *acl_text != '\n');
3524 }
3525
3526 /* We have the start of a continuation line. Move all the rest of the data
3527 to join onto the previous line, and then find its end. If the end is not a
3528 newline, we are done. Otherwise loop to look for another continuation. */
3529
3530 memmove(cont, acl_text, acl_text_end - acl_text);
3531 acl_text_end -= acl_text - cont;
3532 acl_text = cont;
3533 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3534 if (*acl_text == 0) return yield;
3535 }
3536
3537/* Control does not reach here */
3538}
3539
3540
3541
3542
3543
3544/*************************************************
3545* Check access using an ACL *
3546*************************************************/
3547
3548/* This function is called from address_check. It may recurse via
3549acl_check_condition() - hence the use of a level to stop looping. The ACL is
3550passed as a string which is expanded. A forced failure implies no access check
3551is required. If the result is a single word, it is taken as the name of an ACL
3552which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3553text, complete with newlines, and parsed as such. In both cases, the ACL check
3554is then run. This function uses an auxiliary function for acl_read() to call
3555for reading individual lines of a literal ACL. This is acl_getline(), which
3556appears immediately above.
3557
3558Arguments:
3559 where where called from
3560 addr address item when called from RCPT; otherwise NULL
3561 s the input string; NULL is the same as an empty ACL => DENY
3562 level the nesting level
3563 user_msgptr where to put a user error (for SMTP response)
3564 log_msgptr where to put a logging message (not for SMTP response)
3565
3566Returns: OK access is granted
3567 DISCARD access is apparently granted...
3568 FAIL access is denied
3569 FAIL_DROP access is denied; drop the connection
3570 DEFER can't tell at the moment
3571 ERROR disaster
3572*/
3573
3574static int
3575acl_check_internal(int where, address_item *addr, uschar *s, int level,
3576 uschar **user_msgptr, uschar **log_msgptr)
3577{
3578int fd = -1;
3579acl_block *acl = NULL;
3580uschar *acl_name = US"inline ACL";
3581uschar *ss;
3582
3583/* Catch configuration loops */
3584
3585if (level > 20)
3586 {
3587 *log_msgptr = US"ACL nested too deep: possible loop";
3588 return ERROR;
3589 }
3590
3591if (s == NULL)
3592 {
3593 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3594 return FAIL;
3595 }
3596
3597/* At top level, we expand the incoming string. At lower levels, it has already
3598been expanded as part of condition processing. */
3599
3600if (level == 0)
3601 {
3602 ss = expand_string(s);
3603 if (ss == NULL)
3604 {
3605 if (expand_string_forcedfail) return OK;
3606 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3607 expand_string_message);
3608 return ERROR;
3609 }
3610 }
3611else ss = s;
3612
3613while (isspace(*ss))ss++;
3614
3615/* If we can't find a named ACL, the default is to parse it as an inline one.
3616(Unless it begins with a slash; non-existent files give rise to an error.) */
3617
3618acl_text = ss;
3619
3620/* Handle the case of a string that does not contain any spaces. Look for a
3621named ACL among those read from the configuration, or a previously read file.
3622It is possible that the pointer to the ACL is NULL if the configuration
3623contains a name with no data. If not found, and the text begins with '/',
3624read an ACL from a file, and save it so it can be re-used. */
3625
3626if (Ustrchr(ss, ' ') == NULL)
3627 {
3628 tree_node *t = tree_search(acl_anchor, ss);
3629 if (t != NULL)
3630 {
3631 acl = (acl_block *)(t->data.ptr);
3632 if (acl == NULL)
3633 {
3634 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3635 return FAIL;
3636 }
3637 acl_name = string_sprintf("ACL \"%s\"", ss);
3638 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3639 }
3640
3641 else if (*ss == '/')
3642 {
3643 struct stat statbuf;
3644 fd = Uopen(ss, O_RDONLY, 0);
3645 if (fd < 0)
3646 {
3647 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3648 strerror(errno));
3649 return ERROR;
3650 }
3651
3652 if (fstat(fd, &statbuf) != 0)
3653 {
3654 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3655 strerror(errno));
3656 return ERROR;
3657 }
3658
3659 acl_text = store_get(statbuf.st_size + 1);
3660 acl_text_end = acl_text + statbuf.st_size + 1;
3661
3662 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3663 {
3664 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3665 ss, strerror(errno));
3666 return ERROR;
3667 }
3668 acl_text[statbuf.st_size] = 0;
f1e894f3 3669 (void)close(fd);
059ec3d9
PH		 3670
3671 acl_name = string_sprintf("ACL \"%s\"", ss);
3672 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3673 }
3674 }
3675
3676/* Parse an ACL that is still in text form. If it came from a file, remember it
3677in the ACL tree, having read it into the POOL_PERM store pool so that it
3678persists between multiple messages. */
3679
3680if (acl == NULL)
3681 {
3682 int old_pool = store_pool;
3683 if (fd >= 0) store_pool = POOL_PERM;
3684 acl = acl_read(acl_getline, log_msgptr);
3685 store_pool = old_pool;
3686 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3687 if (fd >= 0)
3688 {
3689 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3690 Ustrcpy(t->name, ss);
3691 t->data.ptr = acl;
3692 (void)tree_insertnode(&acl_anchor, t);
3693 }
3694 }
3695
3696/* Now we have an ACL to use. It's possible it may be NULL. */
3697
3698while (acl != NULL)
3699 {
3700 int cond;
3701 int basic_errno = 0;
3702 BOOL endpass_seen = FALSE;
3703
3704 *log_msgptr = *user_msgptr = NULL;
3705 acl_temp_details = FALSE;
3706
7353285c 3707 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3708 acl->verb != ACL_ACCEPT &&
3709 acl->verb != ACL_WARN)
3710 {
7353285c 3711 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3712 verbs[acl->verb]);
3713 return ERROR;
3714 }
3715
3716 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3717
3718 /* Clear out any search error message from a previous check before testing
3719 this condition. */
3720
3721 search_error_message = NULL;
3722 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3723 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3724
3725 /* Handle special returns: DEFER causes a return except on a WARN verb;
3726 ERROR always causes a return. */
3727
3728 switch (cond)
3729 {
3730 case DEFER:
6968512f 3731 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3732 if (basic_errno != ERRNO_CALLOUTDEFER)
3733 {
3734 if (search_error_message != NULL && *search_error_message != 0)
3735 *log_msgptr = search_error_message;
3736 if (smtp_return_error_details) acl_temp_details = TRUE;
3737 }
3738 else
3739 {
3740 acl_temp_details = TRUE;
3741 }
3742 if (acl->verb != ACL_WARN) return DEFER;
3743 break;
3744
3745 default: /* Paranoia */
3746 case ERROR:
6968512f 3747 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3748 return ERROR;
3749
3750 case OK:
6968512f
JH		 3751 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3752 verbs[acl->verb], acl_name);
059ec3d9
PH		 3753 break;
3754
3755 case FAIL:
6968512f 3756 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3757 break;
3758
3759 /* DISCARD and DROP can happen only from a nested ACL condition, and
3760 DISCARD can happen only for an "accept" or "discard" verb. */
3761
3762 case DISCARD:
6968512f
JH		 3763 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3764 verbs[acl->verb], acl_name);
059ec3d9
PH		 3765 break;
3766
3767 case FAIL_DROP:
6968512f
JH		 3768 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3769 verbs[acl->verb], acl_name);
059ec3d9
PH		 3770 break;
3771 }
3772
3773 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3774 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3775 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3776
3777 switch(acl->verb)
3778 {
3779 case ACL_ACCEPT:
3780 if (cond == OK || cond == DISCARD) return cond;
3781 if (endpass_seen)
3782 {
3783 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3784 return cond;
3785 }
3786 break;
3787
3788 case ACL_DEFER:
3789 if (cond == OK)
3790 {
3791 acl_temp_details = TRUE;
3792 return DEFER;
3793 }
3794 break;
3795
3796 case ACL_DENY:
3797 if (cond == OK) return FAIL;
3798 break;
3799
3800 case ACL_DISCARD:
3801 if (cond == OK || cond == DISCARD) return DISCARD;
3802 if (endpass_seen)
3803 {
3804 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3805 return cond;
3806 }
3807 break;
3808
3809 case ACL_DROP:
3810 if (cond == OK) return FAIL_DROP;
3811 break;
3812
3813 case ACL_REQUIRE:
3814 if (cond != OK) return cond;
3815 break;
3816
3817 case ACL_WARN:
3818 if (cond == OK)
3819 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3820 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3821 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3822 "condition test deferred%s%s", host_and_ident(TRUE),
3823 (*log_msgptr == NULL)? US"" : US": ",
3824 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3825 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3826 break;
3827
3828 default:
3829 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3830 acl->verb);
3831 break;
3832 }
3833
3834 /* Pass to the next ACL item */
3835
3836 acl = acl->next;
3837 }
3838
3839/* We have reached the end of the ACL. This is an implicit DENY. */
3840
3841HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3842return FAIL;
3843}
3844
3845
3846/*************************************************
3847* Check access using an ACL *
3848*************************************************/
3849
3850/* This is the external interface for ACL checks. It sets up an address and the
3851expansions for $domain and $local_part when called after RCPT, then calls
3852acl_check_internal() to do the actual work.
3853
3854Arguments:
3855 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3856 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3857 s the input string; NULL is the same as an empty ACL => DENY
3858 user_msgptr where to put a user error (for SMTP response)
3859 log_msgptr where to put a logging message (not for SMTP response)
3860
3861Returns: OK access is granted by an ACCEPT verb
3862 DISCARD access is granted by a DISCARD verb
3863 FAIL access is denied
3864 FAIL_DROP access is denied; drop the connection
3865 DEFER can't tell at the moment
3866 ERROR disaster
3867*/
3868
3869int
64ffc24f 3870acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3871 uschar **log_msgptr)
3872{
3873int rc;
3874address_item adb;
64ffc24f 3875address_item *addr = NULL;
059ec3d9
PH		 3876
3877*user_msgptr = *log_msgptr = NULL;
3878sender_verified_failed = NULL;
fe0dab11 3879ratelimiters_cmd = NULL;
6ea85e9a 3880log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3881
3882if (where == ACL_WHERE_RCPT)
3883 {
3884 adb = address_defaults;
3885 addr = &adb;
64ffc24f 3886 addr->address = recipient;
059ec3d9
PH		 3887 if (deliver_split_address(addr) == DEFER)
3888 {
3889 *log_msgptr = US"defer in percent_hack_domains check";
3890 return DEFER;
3891 }
3892 deliver_domain = addr->domain;
3893 deliver_localpart = addr->local_part;
3894 }
059ec3d9
PH		 3895
3896rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3897
64ffc24f
PH		 3898deliver_domain = deliver_localpart = deliver_address_data =
3899 sender_address_data = NULL;
059ec3d9
PH		 3900
3901/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3902ACL, which is really in the middle of an SMTP command. */
3903
3904if (rc == DISCARD)
3905 {
3906 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3907 {
3908 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3909 "ACL", acl_wherenames[where]);
3910 return ERROR;
3911 }
3912 return DISCARD;
3913 }
3914
3915/* A DROP response is not permitted from MAILAUTH */
3916
3917if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3918 {
3919 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3920 "ACL", acl_wherenames[where]);
3921 return ERROR;
3922 }
3923
4e88a19f
PH		 3924/* Before giving a response, take a look at the length of any user message, and
3925split it up into multiple lines if possible. */
059ec3d9 3926
e28326d8
PH		 3927*user_msgptr = string_split_message(*user_msgptr);
3928if (fake_response != OK)
3929 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3930
3931return rc;
3932}
3933
38a0a95f
PH		 3934
3935
3936/*************************************************
3937* Create ACL variable *
3938*************************************************/
3939
3940/* Create an ACL variable or reuse an existing one. ACL variables are in a
3941binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3942
3943Argument:
3944 name pointer to the variable's name, starting with c or m
3945
3946Returns the pointer to variable's tree node
3947*/
3948
3949tree_node *
3950acl_var_create(uschar *name)
3951{
3952tree_node *node, **root;
3953root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3954node = tree_search(*root, name);
3955if (node == NULL)
3956 {
3957 node = store_get(sizeof(tree_node) + Ustrlen(name));
3958 Ustrcpy(node->name, name);
3959 (void)tree_insertnode(root, node);
3960 }
3961node->data.ptr = NULL;
3962return node;
3963}
3964
3965
3966
3967/*************************************************
3968* Write an ACL variable in spool format *
3969*************************************************/
3970
3971/* This function is used as a callback for tree_walk when writing variables to
3972the spool file. To retain spool file compatibility, what is written is -aclc or
3973-aclm followed by the rest of the name and the data length, space separated,
3974then the value itself, starting on a new line, and terminated by an additional
3975newline. When we had only numbered ACL variables, the first line might look
3976like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3977acl_cfoo.
3978
3979Arguments:
3980 name of the variable
3981 value of the variable
3982 ctx FILE pointer (as a void pointer)
3983
3984Returns: nothing
3985*/
3986
3987void
3988acl_var_write(uschar *name, uschar *value, void *ctx)
3989{
3990FILE *f = (FILE *)ctx;
3991fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3992}
3993
059ec3d9 3994/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.