projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Added expansion items addresses, filter, map, reduce.
[exim.git] / src / src / acl.c
CommitLineData
e28326d8 1/* $Cambridge: exim/src/src/acl.c,v 1.73 2007/02/07 11:24:56 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95
PH		 55 ACLC_CONDITION,
56 ACLC_CONTROL,
8523533c
TK		 57#ifdef WITH_CONTENT_SCAN
58 ACLC_DECODE,
59#endif
60 ACLC_DELAY,
61#ifdef WITH_OLD_DEMIME
62 ACLC_DEMIME,
fb2274d4
TK		 63#endif
64#ifdef EXPERIMENTAL_DOMAINKEYS
65 ACLC_DK_DOMAIN_SOURCE,
66 ACLC_DK_POLICY,
67 ACLC_DK_SENDER_DOMAINS,
68 ACLC_DK_SENDER_LOCAL_PARTS,
69 ACLC_DK_SENDERS,
70 ACLC_DK_STATUS,
8e669ac1 71#endif
71fafd95
PH		 72 ACLC_DNSLISTS,
73 ACLC_DOMAINS,
74 ACLC_ENCRYPTED,
75 ACLC_ENDPASS,
76 ACLC_HOSTS,
77 ACLC_LOCAL_PARTS,
78 ACLC_LOG_MESSAGE,
6ea85e9a 79 ACLC_LOG_REJECT_TARGET,
71fafd95 80 ACLC_LOGWRITE,
8523533c
TK		 81#ifdef WITH_CONTENT_SCAN
82 ACLC_MALWARE,
83#endif
84 ACLC_MESSAGE,
85#ifdef WITH_CONTENT_SCAN
86 ACLC_MIME_REGEX,
87#endif
870f6ba8 88 ACLC_RATELIMIT,
8523533c
TK		 89 ACLC_RECIPIENTS,
90#ifdef WITH_CONTENT_SCAN
91 ACLC_REGEX,
92#endif
71fafd95
PH		 93 ACLC_SENDER_DOMAINS,
94 ACLC_SENDERS,
95 ACLC_SET,
8523533c 96#ifdef WITH_CONTENT_SCAN
8e669ac1 97 ACLC_SPAM,
8523533c
TK		 98#endif
99#ifdef EXPERIMENTAL_SPF
100 ACLC_SPF,
101#endif
102 ACLC_VERIFY };
059ec3d9
PH		 103
104/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
6ea85e9a
PH		 105"log_message", "log_reject_target", "logwrite", and "set" are modifiers that
106look like conditions but always return TRUE. They are used for their side
107effects. */
059ec3d9 108
9a26b6b2
PH		 109static uschar *conditions[] = {
110 US"acl",
71fafd95 111 US"add_header",
9a26b6b2 112 US"authenticated",
8523533c
TK		 113#ifdef EXPERIMENTAL_BRIGHTMAIL
114 US"bmi_optin",
115#endif
116 US"condition",
8e669ac1 117 US"control",
8523533c
TK		 118#ifdef WITH_CONTENT_SCAN
119 US"decode",
120#endif
121 US"delay",
122#ifdef WITH_OLD_DEMIME
123 US"demime",
fb2274d4
TK		 124#endif
125#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 126 US"dk_domain_source",
127 US"dk_policy",
128 US"dk_sender_domains",
129 US"dk_sender_local_parts",
130 US"dk_senders",
131 US"dk_status",
8523533c 132#endif
6ea85e9a
PH		 133 US"dnslists",
134 US"domains",
135 US"encrypted",
136 US"endpass",
137 US"hosts",
138 US"local_parts",
139 US"log_message",
140 US"log_reject_target",
141 US"logwrite",
8523533c
TK		 142#ifdef WITH_CONTENT_SCAN
143 US"malware",
144#endif
145 US"message",
146#ifdef WITH_CONTENT_SCAN
147 US"mime_regex",
148#endif
870f6ba8 149 US"ratelimit",
8523533c
TK		 150 US"recipients",
151#ifdef WITH_CONTENT_SCAN
152 US"regex",
153#endif
154 US"sender_domains", US"senders", US"set",
155#ifdef WITH_CONTENT_SCAN
156 US"spam",
157#endif
158#ifdef EXPERIMENTAL_SPF
159 US"spf",
160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef
PH		 171 #endif
172 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 173 CONTROL_DK_VERIFY,
c46782ef
PH		 174 #endif
175 CONTROL_ERROR,
176 CONTROL_CASEFUL_LOCAL_PART,
177 CONTROL_CASELOWER_LOCAL_PART,
178 CONTROL_ENFORCE_SYNC,
179 CONTROL_NO_ENFORCE_SYNC,
180 CONTROL_FREEZE,
181 CONTROL_QUEUE_ONLY,
182 CONTROL_SUBMISSION,
183 CONTROL_SUPPRESS_LOCAL_FIXUPS,
184 #ifdef WITH_CONTENT_SCAN
9a26b6b2 185 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 186 #endif
187 CONTROL_FAKEDEFER,
188 CONTROL_FAKEREJECT,
cf8b11a5 189 CONTROL_NO_MULTILINE,
047bdd8c 190 CONTROL_NO_PIPELINING,
4c590bd1
PH		 191 CONTROL_NO_DELAY_FLUSH,
192 CONTROL_NO_CALLOUT_FLUSH
c46782ef 193};
9a26b6b2 194
8800895a
PH		 195/* ACL control names; keep in step with the table above! This list is used for
196turning ids into names. The actual list of recognized names is in the variable
197control_def controls_list[] below. The fact that there are two lists is a mess
198and should be tidied up. */
9a26b6b2
PH		 199
200static uschar *controls[] = {
c46782ef 201 US"allow_auth_unadvertised",
9a26b6b2
PH		 202 #ifdef EXPERIMENTAL_BRIGHTMAIL
203 US"bmi_run",
204 #endif
205 #ifdef EXPERIMENTAL_DOMAINKEYS
206 US"dk_verify",
207 #endif
c46782ef
PH		 208 US"error",
209 US"caseful_local_part",
210 US"caselower_local_part",
211 US"enforce_sync",
212 US"no_enforce_sync",
213 US"freeze",
214 US"queue_only",
215 US"submission",
216 US"suppress_local_fixups",
9a26b6b2
PH		 217 #ifdef WITH_CONTENT_SCAN
218 US"no_mbox_unspool",
219 #endif
cf8b11a5
PH		 220 US"fakedefer",
221 US"fakereject",
222 US"no_multiline",
223 US"no_pipelining",
4c590bd1
PH		 224 US"no_delay_flush",
225 US"no_callout_flush"
c46782ef 226};
059ec3d9 227
047bdd8c 228/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 229at the outer level. In the other cases, expansion already occurs in the
230checking functions. */
231
232static uschar cond_expand_at_top[] = {
233 TRUE, /* acl */
3e536984 234 TRUE, /* add_header */
059ec3d9 235 FALSE, /* authenticated */
8523533c
TK		 236#ifdef EXPERIMENTAL_BRIGHTMAIL
237 TRUE, /* bmi_optin */
8e669ac1 238#endif
059ec3d9
PH		 239 TRUE, /* condition */
240 TRUE, /* control */
8523533c
TK		 241#ifdef WITH_CONTENT_SCAN
242 TRUE, /* decode */
243#endif
059ec3d9 244 TRUE, /* delay */
8523533c
TK		 245#ifdef WITH_OLD_DEMIME
246 TRUE, /* demime */
fb2274d4
TK		 247#endif
248#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 249 TRUE, /* dk_domain_source */
250 TRUE, /* dk_policy */
251 TRUE, /* dk_sender_domains */
e715ad22 252 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 253 TRUE, /* dk_senders */
254 TRUE, /* dk_status */
8523533c 255#endif
059ec3d9
PH		 256 TRUE, /* dnslists */
257 FALSE, /* domains */
258 FALSE, /* encrypted */
259 TRUE, /* endpass */
260 FALSE, /* hosts */
261 FALSE, /* local_parts */
262 TRUE, /* log_message */
6ea85e9a 263 TRUE, /* log_reject_target */
059ec3d9 264 TRUE, /* logwrite */
8523533c
TK		 265#ifdef WITH_CONTENT_SCAN
266 TRUE, /* malware */
267#endif
059ec3d9 268 TRUE, /* message */
8523533c
TK		 269#ifdef WITH_CONTENT_SCAN
270 TRUE, /* mime_regex */
271#endif
870f6ba8 272 TRUE, /* ratelimit */
059ec3d9 273 FALSE, /* recipients */
8523533c
TK		 274#ifdef WITH_CONTENT_SCAN
275 TRUE, /* regex */
276#endif
059ec3d9
PH		 277 FALSE, /* sender_domains */
278 FALSE, /* senders */
279 TRUE, /* set */
8523533c
TK		 280#ifdef WITH_CONTENT_SCAN
281 TRUE, /* spam */
282#endif
283#ifdef EXPERIMENTAL_SPF
284 TRUE, /* spf */
285#endif
059ec3d9
PH		 286 TRUE /* verify */
287};
288
289/* Flags to identify the modifiers */
290
291static uschar cond_modifiers[] = {
292 FALSE, /* acl */
3e536984 293 TRUE, /* add_header */
059ec3d9 294 FALSE, /* authenticated */
8523533c
TK		 295#ifdef EXPERIMENTAL_BRIGHTMAIL
296 TRUE, /* bmi_optin */
8e669ac1 297#endif
059ec3d9
PH		 298 FALSE, /* condition */
299 TRUE, /* control */
8523533c
TK		 300#ifdef WITH_CONTENT_SCAN
301 FALSE, /* decode */
302#endif
059ec3d9 303 TRUE, /* delay */
8523533c
TK		 304#ifdef WITH_OLD_DEMIME
305 FALSE, /* demime */
fb2274d4
TK		 306#endif
307#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 308 FALSE, /* dk_domain_source */
309 FALSE, /* dk_policy */
310 FALSE, /* dk_sender_domains */
e715ad22 311 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 312 FALSE, /* dk_senders */
313 FALSE, /* dk_status */
8523533c 314#endif
059ec3d9
PH		 315 FALSE, /* dnslists */
316 FALSE, /* domains */
317 FALSE, /* encrypted */
318 TRUE, /* endpass */
319 FALSE, /* hosts */
320 FALSE, /* local_parts */
321 TRUE, /* log_message */
6ea85e9a 322 TRUE, /* log_reject_target */
8523533c
TK		 323 TRUE, /* logwrite */
324#ifdef WITH_CONTENT_SCAN
325 FALSE, /* malware */
326#endif
059ec3d9 327 TRUE, /* message */
8523533c
TK		 328#ifdef WITH_CONTENT_SCAN
329 FALSE, /* mime_regex */
330#endif
870f6ba8 331 FALSE, /* ratelimit */
059ec3d9 332 FALSE, /* recipients */
8523533c
TK		 333#ifdef WITH_CONTENT_SCAN
334 FALSE, /* regex */
335#endif
059ec3d9
PH		 336 FALSE, /* sender_domains */
337 FALSE, /* senders */
338 TRUE, /* set */
8523533c
TK		 339#ifdef WITH_CONTENT_SCAN
340 FALSE, /* spam */
341#endif
342#ifdef EXPERIMENTAL_SPF
343 FALSE, /* spf */
344#endif
059ec3d9
PH		 345 FALSE /* verify */
346};
347
c5fcb476 348/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH		 349each condition, there's a bitmap of dis-allowed times. For some, it is easier
350to specify the negation of a small number of allowed times. */
059ec3d9
PH		 351
352static unsigned int cond_forbids[] = {
353 0, /* acl */
8e669ac1 354
71fafd95 355 (unsigned int)
45b91596 356 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 357 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 358 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
359 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 360
45b91596
PH		 361 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
362 (1<<ACL_WHERE_NOTSMTP_START)|
363 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 364
71fafd95 365 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 366 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 367 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
368 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 369 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 370 (1<<ACL_WHERE_MAILAUTH)|
371 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 372 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
373 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 374 #endif
8e669ac1 375
059ec3d9 376 0, /* condition */
8e669ac1 377
059ec3d9 378 /* Certain types of control are always allowed, so we let it through
2f079f46 379 always and check in the control processing itself. */
8e669ac1 380
059ec3d9 381 0, /* control */
8e669ac1 382
71fafd95 383 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 384 (unsigned int)
385 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 386 #endif
8523533c 387
059ec3d9 388 0, /* delay */
8e669ac1 389
71fafd95 390 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 391 (unsigned int)
392 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 393 #endif
8e669ac1 394
71fafd95 395 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 396 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 397 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
398 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
399 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
400 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
401 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 402 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 403
2f079f46 404 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 405 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
406 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
407 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
408 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
409 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 410 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 411
2f079f46 412 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 413 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
414 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
415 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
416 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
417 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 418 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 419
2f079f46 420 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 421 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
422 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
423 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
424 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
425 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 426 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 427
2f079f46 428 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 429 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
430 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
431 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
432 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
433 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 434 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 435
2f079f46 436 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 437 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
438 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
439 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
440 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
441 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 442 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 443 #endif
fb2274d4 444
45b91596
PH		 445 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
446 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 447
2f079f46
PH		 448 (unsigned int)
449 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 450
45b91596
PH		 451 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
452 (1<<ACL_WHERE_CONNECT)|
453 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 454 (1<<ACL_WHERE_HELO),
8e669ac1 455
059ec3d9 456 0, /* endpass */
8e669ac1 457
45b91596
PH		 458 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
459 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 460
2f079f46
PH		 461 (unsigned int)
462 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 463
464 0, /* log_message */
8e669ac1 465
6ea85e9a
PH		 466 0, /* log_reject_target */
467
059ec3d9 468 0, /* logwrite */
8e669ac1 469
71fafd95 470 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 471 (unsigned int)
472 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 473 #endif
8523533c 474
059ec3d9
PH		 475 0, /* message */
476
71fafd95 477 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 478 (unsigned int)
479 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 480 #endif
8523533c 481
870f6ba8
TF		 482 0, /* ratelimit */
483
2f079f46
PH		 484 (unsigned int)
485 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 486
71fafd95 487 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 488 (unsigned int)
489 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
490 (1<<ACL_WHERE_MIME)),
71fafd95 491 #endif
8523533c 492
059ec3d9
PH		 493 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
494 (1<<ACL_WHERE_HELO)|
495 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
496 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
497 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
498
499 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
500 (1<<ACL_WHERE_HELO)|
501 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
502 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
503 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
504
505 0, /* set */
506
71fafd95 507 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 508 (unsigned int)
509 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 510 #endif
8523533c 511
71fafd95 512 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 513 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
514 (1<<ACL_WHERE_HELO)|
515 (1<<ACL_WHERE_MAILAUTH)|
516 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 517 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
518 (1<<ACL_WHERE_NOTSMTP)|
519 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 520 #endif
8523533c 521
059ec3d9
PH		 522 /* Certain types of verify are always allowed, so we let it through
523 always and check in the verify function itself */
524
525 0 /* verify */
059ec3d9
PH		 526};
527
528
c5fcb476
PH		 529/* Bit map vector of which controls are not allowed at certain times. For
530each control, there's a bitmap of dis-allowed times. For some, it is easier to
531specify the negation of a small number of allowed times. */
532
533static unsigned int control_forbids[] = {
c46782ef
PH		 534 (unsigned int)
535 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
536
537 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 538 0, /* bmi_run */
c46782ef
PH		 539 #endif
540
541 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 542 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
543 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 544 #endif
3e11c26b 545
c5fcb476 546 0, /* error */
8e669ac1
PH		 547
548 (unsigned int)
c5fcb476 549 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 550
551 (unsigned int)
c5fcb476 552 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 553
45b91596
PH		 554 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
555 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 556
45b91596
PH		 557 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
558 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 559
560 (unsigned int)
c5fcb476
PH		 561 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
562 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 563 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 564
565 (unsigned int)
c5fcb476
PH		 566 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
567 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 568 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 569
570 (unsigned int)
c5fcb476 571 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 572 (1<<ACL_WHERE_PREDATA)),
8523533c 573
8800895a
PH		 574 (unsigned int)
575 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 576 (1<<ACL_WHERE_PREDATA)|
577 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 578
c46782ef 579 #ifdef WITH_CONTENT_SCAN
8e669ac1 580 (unsigned int)
14d57970 581 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 582 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
583 (1<<ACL_WHERE_MIME)),
c46782ef 584 #endif
a6c4ab60 585
29aba418
TF		 586 (unsigned int)
587 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
588 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
589 (1<<ACL_WHERE_MIME)),
590
8e669ac1 591 (unsigned int)
a6c4ab60 592 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 593 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
594 (1<<ACL_WHERE_MIME)),
8523533c 595
45b91596 596 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 597 (1<<ACL_WHERE_NOTSMTP_START),
598
599 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 600 (1<<ACL_WHERE_NOTSMTP_START),
601
602 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 603 (1<<ACL_WHERE_NOTSMTP_START),
604
605 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 606 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 607};
608
609/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 610
611typedef struct control_def {
612 uschar *name;
613 int value; /* CONTROL_xxx value */
059ec3d9
PH		 614 BOOL has_option; /* Has /option(s) following */
615} control_def;
616
617static control_def controls_list[] = {
c46782ef 618 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 619#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 620 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 621#endif
622#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 623 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 624#endif
c46782ef
PH		 625 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
626 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
627 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
628 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 629 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 630 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 631 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
632 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 633 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 634 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 635#ifdef WITH_CONTENT_SCAN
c46782ef 636 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 637#endif
c46782ef
PH		 638 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
639 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
640 { US"submission", CONTROL_SUBMISSION, TRUE },
641 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 642 };
643
e5a9dba6
PH		 644/* Support data structures for Client SMTP Authorization. acl_verify_csa()
645caches its result in a tree to avoid repeated DNS queries. The result is an
646integer code which is used as an index into the following tables of
647explanatory strings and verification return codes. */
648
649static tree_node *csa_cache = NULL;
650
651enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
652 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
653
654/* The acl_verify_csa() return code is translated into an acl_verify() return
655code using the following table. It is OK unless the client is definitely not
656authorized. This is because CSA is supposed to be optional for sending sites,
657so recipients should not be too strict about checking it - especially because
658DNS problems are quite likely to occur. It's possible to use $csa_status in
659further ACL conditions to distinguish ok, unknown, and defer if required, but
660the aim is to make the usual configuration simple. */
661
662static int csa_return_code[] = {
663 OK, OK, OK, OK,
664 FAIL, FAIL, FAIL, FAIL
665};
666
667static uschar *csa_status_string[] = {
668 US"unknown", US"ok", US"defer", US"defer",
669 US"fail", US"fail", US"fail", US"fail"
670};
671
672static uschar *csa_reason_string[] = {
673 US"unknown",
674 US"ok",
675 US"deferred (SRV lookup failed)",
676 US"deferred (target address lookup failed)",
677 US"failed (explicit authorization required)",
678 US"failed (host name not authorized)",
679 US"failed (no authorized addresses)",
680 US"failed (client address mismatch)"
681};
682
059ec3d9
PH		 683/* Enable recursion between acl_check_internal() and acl_check_condition() */
684
685static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
686 uschar **);
687
688
689/*************************************************
690* Pick out name from list *
691*************************************************/
692
693/* Use a binary chop method
694
695Arguments:
696 name name to find
697 list list of names
698 end size of list
699
700Returns: offset in list, or -1 if not found
701*/
702
703static int
704acl_checkname(uschar *name, uschar **list, int end)
705{
706int start = 0;
707
708while (start < end)
709 {
710 int mid = (start + end)/2;
711 int c = Ustrcmp(name, list[mid]);
712 if (c == 0) return mid;
713 if (c < 0) end = mid; else start = mid + 1;
714 }
715
716return -1;
717}
718
719
720/*************************************************
721* Read and parse one ACL *
722*************************************************/
723
724/* This function is called both from readconf in order to parse the ACLs in the
725configuration file, and also when an ACL is encountered dynamically (e.g. as
726the result of an expansion). It is given a function to call in order to
727retrieve the lines of the ACL. This function handles skipping comments and
728blank lines (where relevant).
729
730Arguments:
731 func function to get next line of ACL
732 error where to put an error message
733
734Returns: pointer to ACL, or NULL
735 NULL can be legal (empty ACL); in this case error will be NULL
736*/
737
738acl_block *
739acl_read(uschar *(*func)(void), uschar **error)
740{
741acl_block *yield = NULL;
742acl_block **lastp = &yield;
743acl_block *this = NULL;
744acl_condition_block *cond;
745acl_condition_block **condp = NULL;
746uschar *s;
747
748*error = NULL;
749
750while ((s = (*func)()) != NULL)
751 {
752 int v, c;
753 BOOL negated = FALSE;
754 uschar *saveline = s;
755 uschar name[64];
756
757 /* Conditions (but not verbs) are allowed to be negated by an initial
758 exclamation mark. */
759
760 while (isspace(*s)) s++;
761 if (*s == '!')
762 {
763 negated = TRUE;
764 s++;
765 }
766
cf00dad6
PH		 767 /* Read the name of a verb or a condition, or the start of a new ACL, which
768 can be started by a name, or by a macro definition. */
059ec3d9
PH		 769
770 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 771 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 772
773 /* If a verb is unrecognized, it may be another condition or modifier that
774 continues the previous verb. */
775
776 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
777 if (v < 0)
778 {
779 if (this == NULL)
780 {
4e167a8c
PH		 781 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
782 saveline);
059ec3d9
PH		 783 return NULL;
784 }
785 }
786
787 /* New verb */
788
789 else
790 {
791 if (negated)
792 {
793 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
794 return NULL;
795 }
796 this = store_get(sizeof(acl_block));
797 *lastp = this;
798 lastp = &(this->next);
799 this->next = NULL;
800 this->verb = v;
801 this->condition = NULL;
802 condp = &(this->condition);
803 if (*s == 0) continue; /* No condition on this line */
804 if (*s == '!')
805 {
806 negated = TRUE;
807 s++;
808 }
809 s = readconf_readname(name, sizeof(name), s); /* Condition name */
810 }
811
812 /* Handle a condition or modifier. */
813
814 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
815 if (c < 0)
816 {
817 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
818 saveline);
819 return NULL;
820 }
821
822 /* The modifiers may not be negated */
823
824 if (negated && cond_modifiers[c])
825 {
826 *error = string_sprintf("ACL error: negation is not allowed with "
827 "\"%s\"", conditions[c]);
828 return NULL;
829 }
830
831 /* ENDPASS may occur only with ACCEPT or DISCARD. */
832
833 if (c == ACLC_ENDPASS &&
834 this->verb != ACL_ACCEPT &&
835 this->verb != ACL_DISCARD)
836 {
837 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
838 conditions[c], verbs[this->verb]);
839 return NULL;
840 }
841
842 cond = store_get(sizeof(acl_condition_block));
843 cond->next = NULL;
844 cond->type = c;
845 cond->u.negated = negated;
846
847 *condp = cond;
848 condp = &(cond->next);
849
850 /* The "set" modifier is different in that its argument is "name=value"
851 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 852 gives us a variable name to insert into the data block. The original ACL
853 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
854 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 855 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
856 After that, we allow alphanumerics and underscores, but the first character
857 after c or m must be a digit or an underscore. This retains backwards
858 compatibility. */
059ec3d9
PH		 859
860 if (c == ACLC_SET)
861 {
47ca6d6c
PH		 862 uschar *endptr;
863
38a0a95f
PH		 864 if (Ustrncmp(s, "acl_c", 5) != 0 &&
865 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 866 {
38a0a95f
PH		 867 *error = string_sprintf("invalid variable name after \"set\" in ACL "
868 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
869 return NULL;
47ca6d6c 870 }
38a0a95f
PH		 871
872 endptr = s + 5;
641cb756
PH		 873 if (!isdigit(*endptr) && *endptr != '_')
874 {
875 *error = string_sprintf("invalid variable name after \"set\" in ACL "
876 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
877 s);
878 return NULL;
879 }
880
38a0a95f 881 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 882 {
38a0a95f
PH		 883 if (!isalnum(*endptr) && *endptr != '_')
884 {
885 *error = string_sprintf("invalid character \"%c\" in variable name "
886 "in ACL modifier \"set %s\"", *endptr, s);
887 return NULL;
888 }
889 endptr++;
47ca6d6c 890 }
47ca6d6c 891
38a0a95f 892 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 893 s = endptr;
059ec3d9
PH		 894 while (isspace(*s)) s++;
895 }
896
897 /* For "set", we are now positioned for the data. For the others, only
898 "endpass" has no data */
899
900 if (c != ACLC_ENDPASS)
901 {
902 if (*s++ != '=')
903 {
904 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
905 cond_modifiers[c]? US"modifier" : US"condition");
906 return NULL;
907 }
908 while (isspace(*s)) s++;
909 cond->arg = string_copy(s);
910 }
911 }
912
913return yield;
914}
915
916
917
71fafd95
PH		 918/*************************************************
919* Set up added header line(s) *
920*************************************************/
921
922/* This function is called by the add_header modifier, and also from acl_warn()
923to implement the now-deprecated way of adding header lines using "message" on a
924"warn" verb. The argument is treated as a sequence of header lines which are
925added to a chain, provided there isn't an identical one already there.
926
927Argument: string of header lines
928Returns: nothing
929*/
930
931static void
932setup_header(uschar *hstring)
933{
934uschar *p, *q;
935int hlen = Ustrlen(hstring);
936
937/* An empty string does nothing; otherwise add a final newline if necessary. */
938
939if (hlen <= 0) return;
940if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
941
942/* Loop for multiple header lines, taking care about continuations */
943
944for (p = q = hstring; *p != 0; )
945 {
946 uschar *s;
947 int newtype = htype_add_bot;
948 header_line **hptr = &acl_added_headers;
949
950 /* Find next header line within the string */
951
952 for (;;)
953 {
954 q = Ustrchr(q, '\n');
955 if (*(++q) != ' ' && *q != '\t') break;
956 }
957
958 /* If the line starts with a colon, interpret the instruction for where to
959 add it. This temporarily sets up a new type. */
960
961 if (*p == ':')
962 {
963 if (strncmpic(p, US":after_received:", 16) == 0)
964 {
965 newtype = htype_add_rec;
966 p += 16;
967 }
968 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
969 {
970 newtype = htype_add_rfc;
971 p += 14;
972 }
973 else if (strncmpic(p, US":at_start:", 10) == 0)
974 {
975 newtype = htype_add_top;
976 p += 10;
977 }
978 else if (strncmpic(p, US":at_end:", 8) == 0)
979 {
980 newtype = htype_add_bot;
981 p += 8;
982 }
983 while (*p == ' ' || *p == '\t') p++;
984 }
985
986 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
987 to the front of it. */
988
989 for (s = p; s < q - 1; s++)
990 {
991 if (*s == ':' || !isgraph(*s)) break;
992 }
993
994 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
995 hlen = Ustrlen(s);
996
997 /* See if this line has already been added */
998
999 while (*hptr != NULL)
1000 {
1001 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1002 hptr = &((*hptr)->next);
1003 }
1004
1005 /* Add if not previously present */
1006
1007 if (*hptr == NULL)
1008 {
1009 header_line *h = store_get(sizeof(header_line));
1010 h->text = s;
1011 h->next = NULL;
1012 h->type = newtype;
1013 h->slen = hlen;
1014 *hptr = h;
1015 hptr = &(h->next);
1016 }
1017
1018 /* Advance for next header line within the string */
1019
1020 p = q;
1021 }
1022}
1023
1024
1025
1026
059ec3d9
PH		 1027/*************************************************
1028* Handle warnings *
1029*************************************************/
1030
1031/* This function is called when a WARN verb's conditions are true. It adds to
1032the message's headers, and/or writes information to the log. In each case, this
1033only happens once (per message for headers, per connection for log).
1034
71fafd95
PH		 1035** NOTE: The header adding action using the "message" setting is historic, and
1036its use is now deprecated. The new add_header modifier should be used instead.
1037
059ec3d9
PH		 1038Arguments:
1039 where ACL_WHERE_xxxx indicating which ACL this is
1040 user_message message for adding to headers
1041 log_message message for logging, if different
1042
1043Returns: nothing
1044*/
1045
1046static void
1047acl_warn(int where, uschar *user_message, uschar *log_message)
1048{
059ec3d9
PH		 1049if (log_message != NULL && log_message != user_message)
1050 {
1051 uschar *text;
1052 string_item *logged;
1053
1054 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1055 string_printing(log_message));
1056
1057 /* If a sender verification has failed, and the log message is "sender verify
1058 failed", add the failure message. */
1059
1060 if (sender_verified_failed != NULL &&
1061 sender_verified_failed->message != NULL &&
1062 strcmpic(log_message, US"sender verify failed") == 0)
1063 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1064
9c7a242c
PH		 1065 /* Search previously logged warnings. They are kept in malloc
1066 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1067
1068 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1069 if (Ustrcmp(logged->text, text) == 0) break;
1070
1071 if (logged == NULL)
1072 {
1073 int length = Ustrlen(text) + 1;
1074 log_write(0, LOG_MAIN, "%s", text);
1075 logged = store_malloc(sizeof(string_item) + length);
1076 logged->text = (uschar *)logged + sizeof(string_item);
1077 memcpy(logged->text, text, length);
1078 logged->next = acl_warn_logged;
1079 acl_warn_logged = logged;
1080 }
1081 }
1082
1083/* If there's no user message, we are done. */
1084
1085if (user_message == NULL) return;
1086
1087/* If this isn't a message ACL, we can't do anything with a user message.
1088Log an error. */
1089
1090if (where > ACL_WHERE_NOTSMTP)
1091 {
1092 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1093 "found in a non-message (%s) ACL: cannot specify header lines here: "
1094 "message ignored", acl_wherenames[where]);
1095 return;
1096 }
1097
71fafd95
PH		 1098/* The code for setting up header lines is now abstracted into a separate
1099function so that it can be used for the add_header modifier as well. */
059ec3d9 1100
71fafd95 1101setup_header(user_message);
059ec3d9
PH		 1102}
1103
1104
1105
1106/*************************************************
1107* Verify and check reverse DNS *
1108*************************************************/
1109
1110/* Called from acl_verify() below. We look up the host name(s) of the client IP
1111address if this has not yet been done. The host_name_lookup() function checks
1112that one of these names resolves to an address list that contains the client IP
1113address, so we don't actually have to do the check here.
1114
1115Arguments:
1116 user_msgptr pointer for user message
1117 log_msgptr pointer for log message
1118
1119Returns: OK verification condition succeeded
1120 FAIL verification failed
1121 DEFER there was a problem verifying
1122*/
1123
1124static int
1125acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1126{
1127int rc;
1128
1129user_msgptr = user_msgptr; /* stop compiler warning */
1130
1131/* Previous success */
1132
1133if (sender_host_name != NULL) return OK;
1134
1135/* Previous failure */
1136
1137if (host_lookup_failed)
1138 {
1139 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1140 return FAIL;
1141 }
1142
1143/* Need to do a lookup */
1144
1145HDEBUG(D_acl)
1146 debug_printf("looking up host name to force name/address consistency check\n");
1147
1148if ((rc = host_name_lookup()) != OK)
1149 {
1150 *log_msgptr = (rc == DEFER)?
1151 US"host lookup deferred for reverse lookup check"
1152 :
1153 string_sprintf("host lookup failed for reverse lookup check%s",
1154 host_lookup_msg);
1155 return rc; /* DEFER or FAIL */
1156 }
1157
1158host_build_sender_fullhost();
1159return OK;
1160}
1161
1162
1163
e5a9dba6
PH		 1164/*************************************************
1165* Check client IP address matches CSA target *
1166*************************************************/
1167
1168/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1169response for address records belonging to the CSA target hostname. The section
1170is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1171If one of the addresses matches the client's IP address, then the client is
1172authorized by CSA. If there are target IP addresses but none of them match
1173then the client is using an unauthorized IP address. If there are no target IP
1174addresses then the client cannot be using an authorized IP address. (This is
1175an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1176
1177Arguments:
1178 dnsa the DNS answer block
1179 dnss a DNS scan block for us to use
1180 reset option specifing what portion to scan, as described above
1181 target the target hostname to use for matching RR names
1182
1183Returns: CSA_OK successfully authorized
1184 CSA_FAIL_MISMATCH addresses found but none matched
1185 CSA_FAIL_NOADDR no target addresses found
1186*/
1187
1188static int
1189acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1190 uschar *target)
1191{
1192dns_record *rr;
1193dns_address *da;
1194
1195BOOL target_found = FALSE;
1196
1197for (rr = dns_next_rr(dnsa, dnss, reset);
1198 rr != NULL;
1199 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1200 {
1201 /* Check this is an address RR for the target hostname. */
1202
1203 if (rr->type != T_A
1204 #if HAVE_IPV6
1205 && rr->type != T_AAAA
1206 #ifdef SUPPORT_A6
1207 && rr->type != T_A6
1208 #endif
1209 #endif
1210 ) continue;
1211
1212 if (strcmpic(target, rr->name) != 0) continue;
1213
1214 target_found = TRUE;
1215
1216 /* Turn the target address RR into a list of textual IP addresses and scan
1217 the list. There may be more than one if it is an A6 RR. */
1218
1219 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1220 {
1221 /* If the client IP address matches the target IP address, it's good! */
1222
1223 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1224
1225 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1226 }
1227 }
1228
1229/* If we found some target addresses but none of them matched, the client is
1230using an unauthorized IP address, otherwise the target has no authorized IP
1231addresses. */
1232
1233if (target_found) return CSA_FAIL_MISMATCH;
1234else return CSA_FAIL_NOADDR;
1235}
1236
1237
1238
1239/*************************************************
1240* Verify Client SMTP Authorization *
1241*************************************************/
1242
1243/* Called from acl_verify() below. This routine calls dns_lookup_special()
1244to find the CSA SRV record corresponding to the domain argument, or
1245$sender_helo_name if no argument is provided. It then checks that the
1246client is authorized, and that its IP address corresponds to the SRV
1247target's address by calling acl_verify_csa_address() above. The address
1248should have been returned in the DNS response's ADDITIONAL section, but if
1249not we perform another DNS lookup to get it.
1250
1251Arguments:
1252 domain pointer to optional parameter following verify = csa
1253
1254Returns: CSA_UNKNOWN no valid CSA record found
1255 CSA_OK successfully authorized
1256 CSA_FAIL_* client is definitely not authorized
1257 CSA_DEFER_* there was a DNS problem
1258*/
1259
1260static int
1261acl_verify_csa(uschar *domain)
1262{
1263tree_node *t;
1264uschar *found, *p;
1265int priority, weight, port;
1266dns_answer dnsa;
1267dns_scan dnss;
1268dns_record *rr;
1269int rc, type;
1270uschar target[256];
1271
1272/* Work out the domain we are using for the CSA lookup. The default is the
1273client's HELO domain. If the client has not said HELO, use its IP address
1274instead. If it's a local client (exim -bs), CSA isn't applicable. */
1275
1276while (isspace(*domain) && *domain != '\0') ++domain;
1277if (*domain == '\0') domain = sender_helo_name;
1278if (domain == NULL) domain = sender_host_address;
1279if (sender_host_address == NULL) return CSA_UNKNOWN;
1280
1281/* If we have an address literal, strip off the framing ready for turning it
1282into a domain. The framing consists of matched square brackets possibly
1283containing a keyword and a colon before the actual IP address. */
1284
1285if (domain[0] == '[')
1286 {
1287 uschar *start = Ustrchr(domain, ':');
1288 if (start == NULL) start = domain;
1289 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1290 }
1291
1292/* Turn domains that look like bare IP addresses into domains in the reverse
1293DNS. This code also deals with address literals and $sender_host_address. It's
1294not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1295address literals, but it's probably the most friendly thing to do. This is an
1296extension to CSA, so we allow it to be turned off for proper conformance. */
1297
7e66e54d 1298if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1299 {
1300 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1301 dns_build_reverse(domain, target);
1302 domain = target;
1303 }
1304
1305/* Find out if we've already done the CSA check for this domain. If we have,
1306return the same result again. Otherwise build a new cached result structure
1307for this domain. The name is filled in now, and the value is filled in when
1308we return from this function. */
1309
1310t = tree_search(csa_cache, domain);
1311if (t != NULL) return t->data.val;
1312
1313t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1314Ustrcpy(t->name, domain);
1315(void)tree_insertnode(&csa_cache, t);
1316
1317/* Now we are ready to do the actual DNS lookup(s). */
1318
28e6ef29 1319found = domain;
e5a9dba6
PH		 1320switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1321 {
1322 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1323
1324 default:
1325 return t->data.val = CSA_DEFER_SRV;
1326
1327 /* If we found nothing, the client's authorization is unknown. */
1328
1329 case DNS_NOMATCH:
1330 case DNS_NODATA:
1331 return t->data.val = CSA_UNKNOWN;
1332
1333 /* We got something! Go on to look at the reply in more detail. */
1334
1335 case DNS_SUCCEED:
1336 break;
1337 }
1338
1339/* Scan the reply for well-formed CSA SRV records. */
1340
1341for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1342 rr != NULL;
1343 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1344 {
1345 if (rr->type != T_SRV) continue;
1346
1347 /* Extract the numerical SRV fields (p is incremented) */
1348
1349 p = rr->data;
1350 GETSHORT(priority, p);
1351 GETSHORT(weight, p);
1352 GETSHORT(port, p);
1353
1354 DEBUG(D_acl)
1355 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1356
1357 /* Check the CSA version number */
1358
1359 if (priority != 1) continue;
1360
1361 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1362 found by dns_special_lookup() is a parent of the one we asked for), we check
1363 the subdomain assertions in the port field. At the moment there's only one
1364 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1365 SRV records of their own. */
1366
1367 if (found != domain)
1368 {
1369 if (port & 1)
1370 return t->data.val = CSA_FAIL_EXPLICIT;
1371 else
1372 return t->data.val = CSA_UNKNOWN;
1373 }
1374
1375 /* This CSA SRV record refers directly to our domain, so we check the value
1376 in the weight field to work out the domain's authorization. 0 and 1 are
1377 unauthorized; 3 means the client is authorized but we can't check the IP
1378 address in order to authenticate it, so we treat it as unknown; values
1379 greater than 3 are undefined. */
1380
1381 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1382
1383 if (weight > 2) continue;
1384
1385 /* Weight == 2, which means the domain is authorized. We must check that the
1386 client's IP address is listed as one of the SRV target addresses. Save the
1387 target hostname then break to scan the additional data for its addresses. */
1388
1389 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1390 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1391
1392 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1393
1394 break;
1395 }
1396
1397/* If we didn't break the loop then no appropriate records were found. */
1398
1399if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1400
1401/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1402A target of "." indicates there are no valid addresses, so the client cannot
1403be authorized. (This is an odd configuration because weight=2 target=. is
1404equivalent to weight=1, but we check for it in order to keep load off the
1405root name servers.) Note that dn_expand() turns "." into "". */
1406
1407if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1408
1409/* Scan the additional section of the CSA SRV reply for addresses belonging
1410to the target. If the name server didn't return any additional data (e.g.
1411because it does not fully support SRV records), we need to do another lookup
1412to obtain the target addresses; otherwise we have a definitive result. */
1413
1414rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1415if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1416
1417/* The DNS lookup type corresponds to the IP version used by the client. */
1418
1419#if HAVE_IPV6
1420if (Ustrchr(sender_host_address, ':') != NULL)
1421 type = T_AAAA;
1422else
1423#endif /* HAVE_IPV6 */
1424 type = T_A;
1425
1426
1427#if HAVE_IPV6 && defined(SUPPORT_A6)
1428DNS_LOOKUP_AGAIN:
1429#endif
1430
1431switch (dns_lookup(&dnsa, target, type, NULL))
1432 {
1433 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1434
1435 default:
1436 return t->data.val = CSA_DEFER_ADDR;
1437
1438 /* If the query succeeded, scan the addresses and return the result. */
1439
1440 case DNS_SUCCEED:
1441 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1442 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1443 /* else fall through */
1444
1445 /* If the target has no IP addresses, the client cannot have an authorized
1446 IP address. However, if the target site uses A6 records (not AAAA records)
1447 we have to do yet another lookup in order to check them. */
1448
1449 case DNS_NOMATCH:
1450 case DNS_NODATA:
1451
1452 #if HAVE_IPV6 && defined(SUPPORT_A6)
1453 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1454 #endif
1455
1456 return t->data.val = CSA_FAIL_NOADDR;
1457 }
1458}
1459
1460
1461
059ec3d9
PH		 1462/*************************************************
1463* Handle verification (address & other) *
1464*************************************************/
1465
1466/* This function implements the "verify" condition. It is called when
1467encountered in any ACL, because some tests are almost always permitted. Some
1468just don't make sense, and always fail (for example, an attempt to test a host
1469lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1470
1471Arguments:
1472 where where called from
1473 addr the recipient address that the ACL is handling, or NULL
1474 arg the argument of "verify"
1475 user_msgptr pointer for user message
1476 log_msgptr pointer for log message
1477 basic_errno where to put verify errno
1478
1479Returns: OK verification condition succeeded
1480 FAIL verification failed
1481 DEFER there was a problem verifying
1482 ERROR syntax error
1483*/
1484
1485static int
1486acl_verify(int where, address_item *addr, uschar *arg,
1487 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1488{
1489int sep = '/';
1490int callout = -1;
1491int callout_overall = -1;
4deaf07d 1492int callout_connect = -1;
059ec3d9
PH		 1493int verify_options = 0;
1494int rc;
1495BOOL verify_header_sender = FALSE;
1496BOOL defer_ok = FALSE;
1497BOOL callout_defer_ok = FALSE;
1498BOOL no_details = FALSE;
eafd343b 1499BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1500address_item *sender_vaddr = NULL;
1501uschar *verify_sender_address = NULL;
1502uschar *pm_mailfrom = NULL;
1503uschar *se_mailfrom = NULL;
596875b3
PH		 1504
1505/* Some of the verify items have slash-separated options; some do not. Diagnose
1506an error if options are given for items that don't expect them. This code has
1507now got very message. Refactoring to use a table would be a good idea one day.
1508*/
1509
1510uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1511uschar *list = arg;
1512uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1513
1514if (ss == NULL) goto BAD_VERIFY;
1515
1516/* Handle name/address consistency verification in a separate function. */
1517
1518if (strcmpic(ss, US"reverse_host_lookup") == 0)
1519 {
596875b3 1520 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1521 if (sender_host_address == NULL) return OK;
1522 return acl_verify_reverse(user_msgptr, log_msgptr);
1523 }
1524
1525/* TLS certificate verification is done at STARTTLS time; here we just
1526test whether it was successful or not. (This is for optional verification; for
1527mandatory verification, the connection doesn't last this long.) */
1528
1529if (strcmpic(ss, US"certificate") == 0)
1530 {
596875b3 1531 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1532 if (tls_certificate_verified) return OK;
1533 *user_msgptr = US"no verified certificate";
1534 return FAIL;
1535 }
1536
d7b47fd0
PH		 1537/* We can test the result of optional HELO verification that might have
1538occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1539
596875b3
PH		 1540if (strcmpic(ss, US"helo") == 0)
1541 {
1542 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1543 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1544 return helo_verified? OK : FAIL;
596875b3 1545 }
059ec3d9 1546
e5a9dba6
PH		 1547/* Do Client SMTP Authorization checks in a separate function, and turn the
1548result code into user-friendly strings. */
1549
1550if (strcmpic(ss, US"csa") == 0)
1551 {
1552 rc = acl_verify_csa(list);
1553 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1554 csa_reason_string[rc]);
1555 csa_status = csa_status_string[rc];
1556 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1557 return csa_return_code[rc];
1558 }
1559
596875b3
PH		 1560/* Check that all relevant header lines have the correct syntax. If there is
1561a syntax error, we return details of the error to the sender if configured to
1562send out full details. (But a "message" setting on the ACL can override, as
1563always). */
059ec3d9 1564
596875b3 1565if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1566 {
596875b3 1567 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1568 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1569 rc = verify_check_headers(log_msgptr);
1570 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1571 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1572 return rc;
1573 }
059ec3d9 1574
1c41c9cc
PH		 1575/* Check that no recipient of this message is "blind", that is, every envelope
1576recipient must be mentioned in either To: or Cc:. */
1577
1578if (strcmpic(ss, US"not_blind") == 0)
1579 {
1580 if (slash != NULL) goto NO_OPTIONS;
1581 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1582 rc = verify_check_notblind();
1583 if (rc != OK)
1584 {
1585 *log_msgptr = string_sprintf("bcc recipient detected");
1586 if (smtp_return_error_details)
1587 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1588 }
1589 return rc;
1590 }
059ec3d9 1591
596875b3
PH		 1592/* The remaining verification tests check recipient and sender addresses,
1593either from the envelope or from the header. There are a number of
1594slash-separated options that are common to all of them. */
059ec3d9 1595
059ec3d9 1596
596875b3
PH		 1597/* Check that there is at least one verifiable sender address in the relevant
1598header lines. This can be followed by callout and defer options, just like
1599sender and recipient. */
059ec3d9 1600
596875b3
PH		 1601if (strcmpic(ss, US"header_sender") == 0)
1602 {
1c41c9cc 1603 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1604 verify_header_sender = TRUE;
059ec3d9
PH		 1605 }
1606
1607/* Otherwise, first item in verify argument must be "sender" or "recipient".
1608In the case of a sender, this can optionally be followed by an address to use
1609in place of the actual sender (rare special-case requirement). */
1610
1611else if (strncmpic(ss, US"sender", 6) == 0)
1612 {
1613 uschar *s = ss + 6;
1614 if (where > ACL_WHERE_NOTSMTP)
1615 {
1616 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1617 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1618 acl_wherenames[where]);
1619 return ERROR;
1620 }
1621 if (*s == 0)
1622 verify_sender_address = sender_address;
1623 else
1624 {
1625 while (isspace(*s)) s++;
1626 if (*s++ != '=') goto BAD_VERIFY;
1627 while (isspace(*s)) s++;
1628 verify_sender_address = string_copy(s);
1629 }
1630 }
1631else
1632 {
1633 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1634 if (addr == NULL)
1635 {
1636 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1637 "(only possible for RCPT)", acl_wherenames[where]);
1638 return ERROR;
1639 }
1640 }
1641
596875b3
PH		 1642/* Remaining items are optional; they apply to sender and recipient
1643verification, including "header sender" verification. */
059ec3d9
PH		 1644
1645while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1646 != NULL)
1647 {
1648 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1649 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1650 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1651
1652 /* These two old options are left for backwards compatibility */
1653
1654 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1655 {
1656 callout_defer_ok = TRUE;
1657 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1658 }
1659
1660 else if (strcmpic(ss, US"check_postmaster") == 0)
1661 {
1662 pm_mailfrom = US"";
1663 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1664 }
1665
1666 /* The callout option has a number of sub-options, comma separated */
1667
1668 else if (strncmpic(ss, US"callout", 7) == 0)
1669 {
1670 callout = CALLOUT_TIMEOUT_DEFAULT;
1671 ss += 7;
1672 if (*ss != 0)
1673 {
1674 while (isspace(*ss)) ss++;
1675 if (*ss++ == '=')
1676 {
1677 int optsep = ',';
1678 uschar *opt;
1679 uschar buffer[256];
1680 while (isspace(*ss)) ss++;
8e669ac1
PH		 1681
1682 /* This callout option handling code has become a mess as new options
1683 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1684 kind of table-driven thing. */
8e669ac1 1685
059ec3d9
PH		 1686 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1687 != NULL)
1688 {
1689 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1690 else if (strcmpic(opt, US"no_cache") == 0)
1691 verify_options |= vopt_callout_no_cache;
1692 else if (strcmpic(opt, US"random") == 0)
1693 verify_options |= vopt_callout_random;
1694 else if (strcmpic(opt, US"use_sender") == 0)
1695 verify_options |= vopt_callout_recipsender;
1696 else if (strcmpic(opt, US"use_postmaster") == 0)
1697 verify_options |= vopt_callout_recippmaster;
1698 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1699 else if (strcmpic(opt, US"fullpostmaster") == 0)
1700 {
1701 pm_mailfrom = US"";
1702 verify_options |= vopt_callout_fullpm;
1703 }
059ec3d9
PH		 1704
1705 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1706 {
1707 if (!verify_header_sender)
1708 {
1709 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1710 "callout option only for verify=header_sender (detected in ACL "
1711 "condition \"%s\")", arg);
1712 return ERROR;
1713 }
1714 opt += 8;
1715 while (isspace(*opt)) opt++;
1716 if (*opt++ != '=')
1717 {
1718 *log_msgptr = string_sprintf("'=' expected after "
1719 "\"mailfrom\" in ACL condition \"%s\"", arg);
1720 return ERROR;
1721 }
1722 while (isspace(*opt)) opt++;
1723 se_mailfrom = string_copy(opt);
1724 }
1725
1726 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1727 {
1728 opt += 19;
1729 while (isspace(*opt)) opt++;
1730 if (*opt++ != '=')
1731 {
1732 *log_msgptr = string_sprintf("'=' expected after "
1733 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1734 return ERROR;
1735 }
1736 while (isspace(*opt)) opt++;
1737 pm_mailfrom = string_copy(opt);
1738 }
1739
1740 else if (strncmpic(opt, US"maxwait", 7) == 0)
1741 {
1742 opt += 7;
1743 while (isspace(*opt)) opt++;
1744 if (*opt++ != '=')
1745 {
1746 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1747 "ACL condition \"%s\"", arg);
1748 return ERROR;
1749 }
1750 while (isspace(*opt)) opt++;
1751 callout_overall = readconf_readtime(opt, 0, FALSE);
1752 if (callout_overall < 0)
1753 {
1754 *log_msgptr = string_sprintf("bad time value in ACL condition "
1755 "\"verify %s\"", arg);
1756 return ERROR;
1757 }
1758 }
4deaf07d
PH		 1759 else if (strncmpic(opt, US"connect", 7) == 0)
1760 {
1761 opt += 7;
1762 while (isspace(*opt)) opt++;
1763 if (*opt++ != '=')
1764 {
1765 *log_msgptr = string_sprintf("'=' expected after "
1766 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1767 return ERROR;
1768 }
1769 while (isspace(*opt)) opt++;
1770 callout_connect = readconf_readtime(opt, 0, FALSE);
1771 if (callout_connect < 0)
1772 {
1773 *log_msgptr = string_sprintf("bad time value in ACL condition "
1774 "\"verify %s\"", arg);
1775 return ERROR;
1776 }
1777 }
059ec3d9
PH		 1778 else /* Plain time is callout connect/command timeout */
1779 {
1780 callout = readconf_readtime(opt, 0, FALSE);
1781 if (callout < 0)
1782 {
1783 *log_msgptr = string_sprintf("bad time value in ACL condition "
1784 "\"verify %s\"", arg);
1785 return ERROR;
1786 }
1787 }
1788 }
1789 }
1790 else
1791 {
1792 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1793 "ACL condition \"%s\"", arg);
1794 return ERROR;
1795 }
1796 }
1797 }
1798
1799 /* Option not recognized */
1800
1801 else
1802 {
1803 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1804 "condition \"verify %s\"", ss, arg);
1805 return ERROR;
1806 }
1807 }
1808
1809if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1810 (vopt_callout_recipsender|vopt_callout_recippmaster))
1811 {
1812 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1813 "for a recipient callout";
1814 return ERROR;
1815 }
1816
1817/* Handle sender-in-header verification. Default the user message to the log
1818message if giving out verification details. */
1819
1820if (verify_header_sender)
1821 {
8e669ac1 1822 int verrno;
059ec3d9 1823 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1824 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1825 &verrno);
1826 if (rc != OK)
8e669ac1 1827 {
fe5b5d0b
PH		 1828 *basic_errno = verrno;
1829 if (smtp_return_error_details)
1830 {
1831 if (*user_msgptr == NULL && *log_msgptr != NULL)
1832 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1833 if (rc == DEFER) acl_temp_details = TRUE;
1834 }
8e669ac1 1835 }
059ec3d9
PH		 1836 }
1837
1838/* Handle a sender address. The default is to verify *the* sender address, but
1839optionally a different address can be given, for special requirements. If the
1840address is empty, we are dealing with a bounce message that has no sender, so
1841we cannot do any checking. If the real sender address gets rewritten during
1842verification (e.g. DNS widening), set the flag to stop it being rewritten again
1843during message reception.
1844
1845A list of verified "sender" addresses is kept to try to avoid doing to much
1846work repetitively when there are multiple recipients in a message and they all
1847require sender verification. However, when callouts are involved, it gets too
1848complicated because different recipients may require different callout options.
1849Therefore, we always do a full sender verify when any kind of callout is
1850specified. Caching elsewhere, for instance in the DNS resolver and in the
1851callout handling, should ensure that this is not terribly inefficient. */
1852
1853else if (verify_sender_address != NULL)
1854 {
1855 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1856 != 0)
1857 {
1858 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1859 "sender verify callout";
1860 return ERROR;
1861 }
1862
1863 sender_vaddr = verify_checked_sender(verify_sender_address);
1864 if (sender_vaddr != NULL && /* Previously checked */
1865 callout <= 0) /* No callout needed this time */
1866 {
1867 /* If the "routed" flag is set, it means that routing worked before, so
1868 this check can give OK (the saved return code value, if set, belongs to a
1869 callout that was done previously). If the "routed" flag is not set, routing
1870 must have failed, so we use the saved return code. */
1871
1872 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1873 {
1874 rc = sender_vaddr->special_action;
1875 *basic_errno = sender_vaddr->basic_errno;
1876 }
1877 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1878 }
1879
1880 /* Do a new verification, and cache the result. The cache is used to avoid
1881 verifying the sender multiple times for multiple RCPTs when callouts are not
1882 specified (see comments above).
1883
1884 The cache is also used on failure to give details in response to the first
1885 RCPT that gets bounced for this reason. However, this can be suppressed by
1886 the no_details option, which sets the flag that says "this detail has already
1887 been sent". The cache normally contains just one address, but there may be
1888 more in esoteric circumstances. */
1889
1890 else
1891 {
1892 BOOL routed = TRUE;
2a3eea10 1893 uschar *save_address_data = deliver_address_data;
8e669ac1 1894
059ec3d9
PH		 1895 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1896 if (no_details) setflag(sender_vaddr, af_sverify_told);
1897 if (verify_sender_address[0] != 0)
1898 {
1899 /* If this is the real sender address, save the unrewritten version
1900 for use later in receive. Otherwise, set a flag so that rewriting the
1901 sender in verify_address() does not update sender_address. */
1902
1903 if (verify_sender_address == sender_address)
1904 sender_address_unrewritten = sender_address;
1905 else
1906 verify_options |= vopt_fake_sender;
1907
eafd343b
TK		 1908 if (success_on_redirect)
1909 verify_options |= vopt_success_on_redirect;
1910
059ec3d9
PH		 1911 /* The recipient, qualify, and expn options are never set in
1912 verify_options. */
1913
1914 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1915 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1916
1917 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1918
1919 if (rc == OK)
1920 {
1921 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1922 {
1923 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1924 verify_sender_address, sender_vaddr->address);
1925 }
1926 else
1927 {
1928 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1929 verify_sender_address);
1930 }
1931 }
1932 else *basic_errno = sender_vaddr->basic_errno;
1933 }
1934 else rc = OK; /* Null sender */
1935
1936 /* Cache the result code */
1937
1938 if (routed) setflag(sender_vaddr, af_verify_routed);
1939 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1940 sender_vaddr->special_action = rc;
1941 sender_vaddr->next = sender_verified_list;
1942 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1943
1944 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1945 the sender verification. */
8e669ac1 1946
2a3eea10 1947 deliver_address_data = save_address_data;
059ec3d9 1948 }
8e669ac1 1949
2a3eea10
PH		 1950 /* Put the sender address_data value into $sender_address_data */
1951
8e669ac1 1952 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1953 }
1954
1955/* A recipient address just gets a straightforward verify; again we must handle
1956the DEFER overrides. */
1957
1958else
1959 {
1960 address_item addr2;
1961
eafd343b
TK		 1962 if (success_on_redirect)
1963 verify_options |= vopt_success_on_redirect;
1964
059ec3d9
PH		 1965 /* We must use a copy of the address for verification, because it might
1966 get rewritten. */
1967
1968 addr2 = *addr;
1969 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1970 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1971 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1972
059ec3d9 1973 *log_msgptr = addr2.message;
8e669ac1 1974 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1975 addr2.user_message : addr2.message;
059ec3d9
PH		 1976 *basic_errno = addr2.basic_errno;
1977
1978 /* Make $address_data visible */
1979 deliver_address_data = addr2.p.address_data;
1980 }
1981
1982/* We have a result from the relevant test. Handle defer overrides first. */
1983
1984if (rc == DEFER && (defer_ok ||
1985 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1986 {
1987 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1988 defer_ok? "defer_ok" : "callout_defer_ok");
1989 rc = OK;
1990 }
1991
1992/* If we've failed a sender, set up a recipient message, and point
1993sender_verified_failed to the address item that actually failed. */
1994
1995if (rc != OK && verify_sender_address != NULL)
1996 {
1997 if (rc != DEFER)
1998 {
1999 *log_msgptr = *user_msgptr = US"Sender verify failed";
2000 }
2001 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2002 {
2003 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2004 }
2005 else
2006 {
2007 *log_msgptr = US"Could not complete sender verify callout";
2008 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2009 *log_msgptr;
2010 }
2011
2012 sender_verified_failed = sender_vaddr;
2013 }
2014
2015/* Verifying an address messes up the values of $domain and $local_part,
2016so reset them before returning if this is a RCPT ACL. */
2017
2018if (addr != NULL)
2019 {
2020 deliver_domain = addr->domain;
2021 deliver_localpart = addr->local_part;
2022 }
2023return rc;
2024
2025/* Syntax errors in the verify argument come here. */
2026
2027BAD_VERIFY:
2028*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2029 "\"helo\", \"header_syntax\", \"header_sender\" or "
2030 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2031 "\"verify %s\"", arg);
2032return ERROR;
596875b3
PH		 2033
2034/* Options supplied when not allowed come here */
2035
2036NO_OPTIONS:
2037*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2038 "(this verify item has no options)", arg);
2039return ERROR;
1c41c9cc
PH		 2040
2041/* Calls in the wrong ACL come here */
2042
2043WRONG_ACL:
2044*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2045 "(only possible in ACL for DATA)", acl_wherenames[where]);
2046return ERROR;
059ec3d9
PH		 2047}
2048
2049
2050
2051
2052/*************************************************
2053* Check argument for control= modifier *
2054*************************************************/
2055
2056/* Called from acl_check_condition() below
2057
2058Arguments:
2059 arg the argument string for control=
2060 pptr set to point to the terminating character
2061 where which ACL we are in
2062 log_msgptr for error messages
2063
2064Returns: CONTROL_xxx value
2065*/
2066
2067static int
2068decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2069{
2070int len;
2071control_def *d;
2072
2073for (d = controls_list;
2074 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2075 d++)
2076 {
2077 len = Ustrlen(d->name);
2078 if (Ustrncmp(d->name, arg, len) == 0) break;
2079 }
2080
2081if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2082 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2083 {
2084 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2085 return CONTROL_ERROR;
2086 }
2087
059ec3d9
PH		 2088*pptr = arg + len;
2089return d->value;
2090}
2091
2092
2093
870f6ba8
TF		 2094/*************************************************
2095* Handle rate limiting *
2096*************************************************/
2097
2098/* Called by acl_check_condition() below to calculate the result
2099of the ACL ratelimit condition.
2100
2101Note that the return value might be slightly unexpected: if the
2102sender's rate is above the limit then the result is OK. This is
2103similar to the dnslists condition, and is so that you can write
2104ACL clauses like: defer ratelimit = 15 / 1h
2105
2106Arguments:
2107 arg the option string for ratelimit=
90fc3069 2108 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2109 log_msgptr for error messages
2110
2111Returns: OK - Sender's rate is above limit
2112 FAIL - Sender's rate is below limit
2113 DEFER - Problem opening ratelimit database
2114 ERROR - Syntax error in options.
2115*/
2116
2117static int
90fc3069 2118acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2119{
2120double limit, period;
f3dcf4a2 2121uschar *ss, *key;
870f6ba8
TF		 2122int sep = '/';
2123BOOL have_key = FALSE, leaky = FALSE, strict = FALSE;
2124BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2125int old_pool, rc;
2126tree_node **anchor, *t;
2127open_db dbblock, *dbm;
2128dbdata_ratelimit *dbd;
2129struct timeval tv;
2130
2131/* Parse the first two options and record their values in expansion
2132variables. These variables allow the configuration to have informative
2133error messages based on rate limits obtained from a table lookup. */
2134
2135/* First is the maximum number of messages per period and maximum burst
2136size, which must be greater than or equal to zero. Zero is useful for
2137rate measurement as opposed to rate limiting. */
2138
2139sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2140if (sender_rate_limit == NULL)
2141 limit = -1.0;
2142else
2143 {
2144 limit = Ustrtod(sender_rate_limit, &ss);
2145 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2146 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2147 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2148 }
2149if (limit < 0.0 || *ss != 0)
2150 {
2151 *log_msgptr = string_sprintf("syntax error in argument for "
2152 "\"ratelimit\" condition: \"%s\" is not a positive number",
2153 sender_rate_limit);
2154 return ERROR;
2155 }
2156
f3dcf4a2
TF		 2157/* We use the rest of the argument list following the limit as the
2158lookup key, because it doesn't make sense to use the same stored data
2159if the period or options are different. */
2160
2161key = arg;
2162
870f6ba8
TF		 2163/* Second is the rate measurement period and exponential smoothing time
2164constant. This must be strictly greater than zero, because zero leads to
2165run-time division errors. */
2166
2167sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2168if (sender_rate_period == NULL) period = -1.0;
2169else period = readconf_readtime(sender_rate_period, 0, FALSE);
2170if (period <= 0.0)
2171 {
2172 *log_msgptr = string_sprintf("syntax error in argument for "
2173 "\"ratelimit\" condition: \"%s\" is not a time value",
2174 sender_rate_period);
2175 return ERROR;
2176 }
2177
2178/* Parse the other options. Should we check if the per_* options are being
2179used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2180
2181while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2182 != NULL)
2183 {
2184 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2185 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
2186 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
2187 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2188 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2189 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
2190 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
2191 else have_key = TRUE;
2192 }
2193if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2194 {
2195 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2196 return ERROR;
2197 }
2198
2199/* Default option values */
2200if (!strict) leaky = TRUE;
2201if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2202
f3dcf4a2 2203/* If there is no explicit key, use the sender_host_address. If there is no
870f6ba8
TF		 2204sender_host_address (e.g. -bs or acl_not_smtp) then we simply omit it. */
2205
2206if (!have_key && sender_host_address != NULL)
2207 key = string_sprintf("%s / %s", key, sender_host_address);
2208
2209HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2210 limit, period, key);
2211
fe0dab11 2212/* See if we have already computed the rate by looking in the relevant tree. For
870f6ba8
TF		 2213per-connection rate limiting, store tree nodes and dbdata in the permanent pool
2214so that they survive across resets. */
2215
2216anchor = NULL;
2217old_pool = store_pool;
2218
2219if (per_conn)
2220 {
2221 anchor = &ratelimiters_conn;
2222 store_pool = POOL_PERM;
2223 }
fe0dab11 2224else if (per_mail || per_byte)
870f6ba8 2225 anchor = &ratelimiters_mail;
fe0dab11
TF		 2226else if (per_cmd)
2227 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2228
2229if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2230 {
2231 dbd = t->data.ptr;
2232 /* The following few lines duplicate some of the code below. */
3348576f
TF		 2233 if (dbd->rate < limit) rc = FAIL;
2234 else rc = OK;
870f6ba8
TF		 2235 store_pool = old_pool;
2236 sender_rate = string_sprintf("%.1f", dbd->rate);
2237 HDEBUG(D_acl)
2238 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2239 return rc;
2240 }
2241
2242/* We aren't using a pre-computed rate, so get a previously recorded
2243rate from the database, update it, and write it back. If there's no
2244previous rate for this key, create one. */
2245
2246dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2247if (dbm == NULL)
2248 {
2249 store_pool = old_pool;
2250 sender_rate = NULL;
2251 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2252 *log_msgptr = US"ratelimit database not available";
2253 return DEFER;
2254 }
2255dbd = dbfn_read(dbm, key);
2256
2257gettimeofday(&tv, NULL);
2258
2259if (dbd == NULL)
2260 {
2261 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2262 dbd = store_get(sizeof(dbdata_ratelimit));
2263 dbd->time_stamp = tv.tv_sec;
2264 dbd->time_usec = tv.tv_usec;
2265 dbd->rate = 0.0;
2266 }
2267else
2268 {
2269 /* The smoothed rate is computed using an exponentially weighted moving
2270 average adjusted for variable sampling intervals. The standard EWMA for
2271 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2272 where f() is the measured value and f'() is the smoothed value.
2273
2274 Old data decays out of the smoothed value exponentially, such that data n
2275 samples old is multiplied by a^n. The exponential decay time constant p
2276 is defined such that data p samples old is multiplied by 1/e, which means
2277 that a = exp(-1/p). We can maintain the same time constant for a variable
2278 sampling interval i by using a = exp(-i/p).
2279
2280 The rate we are measuring is messages per period, suitable for directly
2281 comparing with the limit. The average rate between now and the previous
2282 message is period / interval, which we feed into the EWMA as the sample.
2283
2284 It turns out that the number of messages required for the smoothed rate
2285 to reach the limit when they are sent in a burst is equal to the limit.
2286 This can be seen by analysing the value of the smoothed rate after N
2287 messages sent at even intervals. Let k = (1 - a) * p/i
2288
2289 rate_1 = (1 - a) * p/i + a * rate_0
2290 = k + a * rate_0
2291 rate_2 = k + a * rate_1
2292 = k + a * k + a^2 * rate_0
2293 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2294 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2295 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2296 = rate_0 * a^N + p/i * (1 - a^N)
2297
2298 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2299
2300 rate_N = p/i + (rate_0 - p/i) * a^N
2301 a^N = (rate_N - p/i) / (rate_0 - p/i)
2302 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2303 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2304
2305 Numerical analysis of the above equation, setting the computed rate to
2306 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2307 rates, p/i, the number of messages N = limit. So limit serves as both the
2308 maximum rate measured in messages per period, and the maximum number of
2309 messages that can be sent in a fast burst. */
2310
2311 double this_time = (double)tv.tv_sec
2312 + (double)tv.tv_usec / 1000000.0;
2313 double prev_time = (double)dbd->time_stamp
2314 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2315
2316 /* We must avoid division by zero, and deal gracefully with the clock going
2317 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2318 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2319
e5d5a95f
TF		 2320 double interval = this_time - prev_time <= 0.0 ? 1e-9
2321 : this_time - prev_time;
2322
2323 double i_over_p = interval / period;
2324 double a = exp(-i_over_p);
870f6ba8
TF		 2325
2326 dbd->time_stamp = tv.tv_sec;
2327 dbd->time_usec = tv.tv_usec;
2328
2329 /* If we are measuring the rate in bytes per period, multiply the
2330 measured rate by the message size. If we don't know the message size
2331 then it's safe to just use a value of zero and let the recorded rate
2332 decay as if nothing happened. */
2333
2334 if (per_byte)
2335 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2336 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2337 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2338 dbd->rate = (double)recipients_count
2339 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2340 else
2341 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2342 }
2343
3348576f
TF		 2344/* Clients sending at the limit are considered to be over the limit. This
2345matters for edge cases such the first message sent by a client (which gets
2346the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2347be completely blocked). */
2348
2349if (dbd->rate < limit) rc = FAIL;
2350 else rc = OK;
870f6ba8
TF		 2351
2352/* Update the state if the rate is low or if we are being strict. If we
2353are in leaky mode and the sender's rate is too high, we do not update
2354the recorded rate in order to avoid an over-aggressive sender's retry
2355rate preventing them from getting any email through. */
2356
2357if (rc == FAIL || !leaky)
2358 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
2359dbfn_close(dbm);
2360
2361/* Store the result in the tree for future reference, if necessary. */
2362
2363if (anchor != NULL)
2364 {
2365 t = store_get(sizeof(tree_node) + Ustrlen(key));
2366 t->data.ptr = dbd;
2367 Ustrcpy(t->name, key);
2368 (void)tree_insertnode(anchor, t);
2369 }
2370
2371/* We create the formatted version of the sender's rate very late in
2372order to ensure that it is done using the correct storage pool. */
2373
2374store_pool = old_pool;
2375sender_rate = string_sprintf("%.1f", dbd->rate);
2376
2377HDEBUG(D_acl)
2378 debug_printf("ratelimit computed rate %s\n", sender_rate);
2379
2380return rc;
2381}
2382
2383
2384
059ec3d9
PH		 2385/*************************************************
2386* Handle conditions/modifiers on an ACL item *
2387*************************************************/
2388
2389/* Called from acl_check() below.
2390
2391Arguments:
2392 verb ACL verb
2393 cb ACL condition block - if NULL, result is OK
2394 where where called from
2395 addr the address being checked for RCPT, or NULL
2396 level the nesting level
2397 epp pointer to pass back TRUE if "endpass" encountered
2398 (applies only to "accept" and "discard")
2399 user_msgptr user message pointer
2400 log_msgptr log message pointer
2401 basic_errno pointer to where to put verify error
2402
2403Returns: OK - all conditions are met
2404 DISCARD - an "acl" condition returned DISCARD - only allowed
2405 for "accept" or "discard" verbs
2406 FAIL - at least one condition fails
2407 FAIL_DROP - an "acl" condition returned FAIL_DROP
2408 DEFER - can't tell at the moment (typically, lookup defer,
2409 but can be temporary callout problem)
2410 ERROR - ERROR from nested ACL or expansion failure or other
2411 error
2412*/
2413
2414static int
2415acl_check_condition(int verb, acl_condition_block *cb, int where,
2416 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2417 uschar **log_msgptr, int *basic_errno)
2418{
2419uschar *user_message = NULL;
2420uschar *log_message = NULL;
91ecef39 2421uschar *p = NULL;
059ec3d9 2422int rc = OK;
8523533c
TK		 2423#ifdef WITH_CONTENT_SCAN
2424int sep = '/';
2425#endif
059ec3d9
PH		 2426
2427for (; cb != NULL; cb = cb->next)
2428 {
2429 uschar *arg;
8e669ac1 2430 int control_type;
059ec3d9
PH		 2431
2432 /* The message and log_message items set up messages to be used in
2433 case of rejection. They are expanded later. */
2434
2435 if (cb->type == ACLC_MESSAGE)
2436 {
2437 user_message = cb->arg;
2438 continue;
2439 }
2440
2441 if (cb->type == ACLC_LOG_MESSAGE)
2442 {
2443 log_message = cb->arg;
2444 continue;
2445 }
2446
2447 /* The endpass "condition" just sets a flag to show it occurred. This is
2448 checked at compile time to be on an "accept" or "discard" item. */
2449
2450 if (cb->type == ACLC_ENDPASS)
2451 {
2452 *epp = TRUE;
2453 continue;
2454 }
2455
2456 /* For other conditions and modifiers, the argument is expanded now for some
2457 of them, but not for all, because expansion happens down in some lower level
2458 checking functions in some cases. */
2459
2460 if (cond_expand_at_top[cb->type])
2461 {
2462 arg = expand_string(cb->arg);
2463 if (arg == NULL)
2464 {
2465 if (expand_string_forcedfail) continue;
2466 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2467 cb->arg, expand_string_message);
2468 return search_find_defer? DEFER : ERROR;
2469 }
2470 }
2471 else arg = cb->arg;
2472
2473 /* Show condition, and expanded condition if it's different */
2474
2475 HDEBUG(D_acl)
2476 {
2477 int lhswidth = 0;
2478 debug_printf("check %s%s %n",
2479 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2480 conditions[cb->type], &lhswidth);
2481
2482 if (cb->type == ACLC_SET)
2483 {
38a0a95f
PH		 2484 debug_printf("acl_%s ", cb->u.varname);
2485 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2486 }
2487
2488 debug_printf("= %s\n", cb->arg);
2489
2490 if (arg != cb->arg)
2491 debug_printf("%.*s= %s\n", lhswidth,
2492 US" ", CS arg);
2493 }
2494
2495 /* Check that this condition makes sense at this time */
2496
2497 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2498 {
2499 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2500 cond_modifiers[cb->type]? "use" : "test",
2501 conditions[cb->type], acl_wherenames[where]);
2502 return ERROR;
2503 }
2504
2505 /* Run the appropriate test for each condition, or take the appropriate
2506 action for the remaining modifiers. */
2507
2508 switch(cb->type)
2509 {
71fafd95
PH		 2510 case ACLC_ADD_HEADER:
2511 setup_header(arg);
2512 break;
2513
059ec3d9
PH		 2514 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2515 "discard" verb. */
71fafd95 2516
059ec3d9
PH		 2517 case ACLC_ACL:
2518 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2519 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2520 {
2521 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2522 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2523 verbs[verb]);
2524 return ERROR;
2525 }
2526 break;
2527
2528 case ACLC_AUTHENTICATED:
2529 rc = (sender_host_authenticated == NULL)? FAIL :
2530 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2531 TRUE, NULL);
2532 break;
2533
71fafd95 2534 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2535 case ACLC_BMI_OPTIN:
2536 {
2537 int old_pool = store_pool;
2538 store_pool = POOL_PERM;
2539 bmi_current_optin = string_copy(arg);
2540 store_pool = old_pool;
2541 }
2542 break;
71fafd95 2543 #endif
8523533c 2544
059ec3d9
PH		 2545 case ACLC_CONDITION:
2546 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2547 rc = (Uatoi(arg) == 0)? FAIL : OK;
2548 else
2549 rc = (strcmpic(arg, US"no") == 0 ||
2550 strcmpic(arg, US"false") == 0)? FAIL :
2551 (strcmpic(arg, US"yes") == 0 ||
2552 strcmpic(arg, US"true") == 0)? OK : DEFER;
2553 if (rc == DEFER)
2554 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2555 break;
2556
2557 case ACLC_CONTROL:
c5fcb476
PH		 2558 control_type = decode_control(arg, &p, where, log_msgptr);
2559
8523533c 2560 /* Check if this control makes sense at this time */
c5fcb476
PH		 2561
2562 if ((control_forbids[control_type] & (1 << where)) != 0)
2563 {
2564 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2565 controls[control_type], acl_wherenames[where]);
2566 return ERROR;
8e669ac1 2567 }
c5fcb476
PH		 2568
2569 switch(control_type)
059ec3d9 2570 {
c46782ef
PH		 2571 case CONTROL_AUTH_UNADVERTISED:
2572 allow_auth_unadvertised = TRUE;
2573 break;
2574
2575 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2576 case CONTROL_BMI_RUN:
2577 bmi_run = 1;
2578 break;
c46782ef
PH		 2579 #endif
2580
2581 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2582 case CONTROL_DK_VERIFY:
2583 dk_do_verify = 1;
2584 break;
c46782ef
PH		 2585 #endif
2586
059ec3d9
PH		 2587 case CONTROL_ERROR:
2588 return ERROR;
2589
2590 case CONTROL_CASEFUL_LOCAL_PART:
2591 deliver_localpart = addr->cc_local_part;
2592 break;
2593
2594 case CONTROL_CASELOWER_LOCAL_PART:
2595 deliver_localpart = addr->lc_local_part;
2596 break;
2597
2598 case CONTROL_ENFORCE_SYNC:
2599 smtp_enforce_sync = TRUE;
2600 break;
2601
2602 case CONTROL_NO_ENFORCE_SYNC:
2603 smtp_enforce_sync = FALSE;
2604 break;
2605
c46782ef 2606 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2607 case CONTROL_NO_MBOX_UNSPOOL:
2608 no_mbox_unspool = TRUE;
2609 break;
c46782ef 2610 #endif
8523533c 2611
059ec3d9
PH		 2612 case CONTROL_NO_MULTILINE:
2613 no_multiline_responses = TRUE;
2614 break;
2615
cf8b11a5
PH		 2616 case CONTROL_NO_PIPELINING:
2617 pipelining_enable = FALSE;
2618 break;
2619
047bdd8c
PH		 2620 case CONTROL_NO_DELAY_FLUSH:
2621 disable_delay_flush = TRUE;
2622 break;
2623
4c590bd1
PH		 2624 case CONTROL_NO_CALLOUT_FLUSH:
2625 disable_callout_flush = TRUE;
2626 break;
2627
29aba418 2628 case CONTROL_FAKEDEFER:
8523533c 2629 case CONTROL_FAKEREJECT:
29aba418 2630 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2631 if (*p == '/')
8e669ac1 2632 {
8523533c 2633 uschar *pp = p + 1;
8e669ac1 2634 while (*pp != 0) pp++;
29aba418 2635 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2636 p = pp;
2637 }
2638 else
2639 {
2640 /* Explicitly reset to default string */
29aba418 2641 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2642 }
2643 break;
8523533c 2644
059ec3d9
PH		 2645 case CONTROL_FREEZE:
2646 deliver_freeze = TRUE;
2647 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2648 freeze_tell = freeze_tell_config; /* Reset to configured value */
2649 if (Ustrncmp(p, "/no_tell", 8) == 0)
2650 {
2651 p += 8;
2652 freeze_tell = NULL;
2653 }
2654 if (*p != 0)
2655 {
2656 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2657 return ERROR;
2658 }
059ec3d9
PH		 2659 break;
2660
2661 case CONTROL_QUEUE_ONLY:
2662 queue_only_policy = TRUE;
2663 break;
2664
2665 case CONTROL_SUBMISSION:
87ba3f5f 2666 originator_name = US"";
059ec3d9 2667 submission_mode = TRUE;
69358f02 2668 while (*p == '/')
8e669ac1 2669 {
69358f02
PH		 2670 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2671 {
2672 p += 14;
2673 active_local_sender_retain = TRUE;
8e669ac1
PH		 2674 active_local_from_check = FALSE;
2675 }
69358f02
PH		 2676 else if (Ustrncmp(p, "/domain=", 8) == 0)
2677 {
2678 uschar *pp = p + 8;
8e669ac1 2679 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2680 submission_domain = string_copyn(p+8, pp-p-8);
2681 p = pp;
2682 }
8857ccfd
PH		 2683 /* The name= option must be last, because it swallows the rest of
2684 the string. */
87ba3f5f
PH		 2685 else if (Ustrncmp(p, "/name=", 6) == 0)
2686 {
2687 uschar *pp = p + 6;
8857ccfd 2688 while (*pp != 0) pp++;
2fe1a124 2689 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2690 big_buffer, big_buffer_size));
8e669ac1 2691 p = pp;
69358f02 2692 }
8e669ac1
PH		 2693 else break;
2694 }
69358f02 2695 if (*p != 0)
059ec3d9 2696 {
69358f02 2697 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2698 return ERROR;
2699 }
2700 break;
8800895a
PH		 2701
2702 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2703 suppress_local_fixups = TRUE;
2704 break;
059ec3d9
PH		 2705 }
2706 break;
2707
71fafd95 2708 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2709 case ACLC_DECODE:
2710 rc = mime_decode(&arg);
2711 break;
71fafd95 2712 #endif
8523533c 2713
059ec3d9
PH		 2714 case ACLC_DELAY:
2715 {
2716 int delay = readconf_readtime(arg, 0, FALSE);
2717 if (delay < 0)
2718 {
2719 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2720 "modifier: \"%s\" is not a time value", arg);
2721 return ERROR;
2722 }
2723 else
2724 {
2725 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2726 delay);
2727 if (host_checking)
2728 {
2729 HDEBUG(D_acl)
2730 debug_printf("delay skipped in -bh checking mode\n");
2731 }
010c2d14
PH		 2732
2733 /* It appears to be impossible to detect that a TCP/IP connection has
2734 gone away without reading from it. This means that we cannot shorten
2735 the delay below if the client goes away, because we cannot discover
2736 that the client has closed its end of the connection. (The connection
2737 is actually in a half-closed state, waiting for the server to close its
2738 end.) It would be nice to be able to detect this state, so that the
2739 Exim process is not held up unnecessarily. However, it seems that we
2740 can't. The poll() function does not do the right thing, and in any case
2741 it is not always available.
2742
047bdd8c 2743 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 2744 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 2745 Also, delays may be specified for non-SMTP input, where smtp_out and
2746 smtp_in will be NULL. Whatever is done must work in all cases.
2747
2748 NOTE 2: The added feature of flushing the output before a delay must
2749 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2750 */
010c2d14 2751
8e669ac1 2752 else
86b8287f 2753 {
14f4a80d 2754 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 2755 while (delay > 0) delay = sleep(delay);
8e669ac1 2756 }
059ec3d9
PH		 2757 }
2758 }
2759 break;
2760
71fafd95 2761 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2762 case ACLC_DEMIME:
2763 rc = demime(&arg);
2764 break;
71fafd95 2765 #endif
8523533c 2766
71fafd95
PH		 2767 #ifdef EXPERIMENTAL_DOMAINKEYS
2768 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2769 if (dk_verify_block == NULL) { rc = FAIL; break; };
2770 /* check header source of domain against given string */
2771 switch (dk_verify_block->address_source) {
2772 case DK_EXIM_ADDRESS_FROM_FROM:
2773 rc = match_isinlist(US"from", &arg, 0, NULL,
2774 NULL, MCL_STRING, TRUE, NULL);
2775 break;
2776 case DK_EXIM_ADDRESS_FROM_SENDER:
2777 rc = match_isinlist(US"sender", &arg, 0, NULL,
2778 NULL, MCL_STRING, TRUE, NULL);
2779 break;
2780 case DK_EXIM_ADDRESS_NONE:
2781 rc = match_isinlist(US"none", &arg, 0, NULL,
2782 NULL, MCL_STRING, TRUE, NULL);
2783 break;
71fafd95
PH		 2784 }
2785 break;
2786
2787 case ACLC_DK_POLICY:
fb2274d4
TK		 2788 if (dk_verify_block == NULL) { rc = FAIL; break; };
2789 /* check policy against given string, default FAIL */
2790 rc = FAIL;
2791 if (dk_verify_block->signsall)
2792 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2793 NULL, MCL_STRING, TRUE, NULL);
2794 if (dk_verify_block->testing)
2795 rc = match_isinlist(US"testing", &arg, 0, NULL,
2796 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2797 break;
2798
2799 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2800 if (dk_verify_block == NULL) { rc = FAIL; break; };
2801 if (dk_verify_block->domain != NULL)
2802 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2803 NULL, MCL_DOMAIN, TRUE, NULL);
2804 else rc = FAIL;
71fafd95
PH		 2805 break;
2806
2807 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2808 if (dk_verify_block == NULL) { rc = FAIL; break; };
2809 if (dk_verify_block->local_part != NULL)
2810 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2811 NULL, MCL_LOCALPART, TRUE, NULL);
2812 else rc = FAIL;
71fafd95
PH		 2813 break;
2814
2815 case ACLC_DK_SENDERS:
fb2274d4
TK		 2816 if (dk_verify_block == NULL) { rc = FAIL; break; };
2817 if (dk_verify_block->address != NULL)
2818 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2819 else rc = FAIL;
71fafd95
PH		 2820 break;
2821
2822 case ACLC_DK_STATUS:
fb2274d4
TK		 2823 if (dk_verify_block == NULL) { rc = FAIL; break; };
2824 if (dk_verify_block->result > 0) {
2825 switch(dk_verify_block->result) {
2826 case DK_EXIM_RESULT_BAD_FORMAT:
2827 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2828 NULL, MCL_STRING, TRUE, NULL);
2829 break;
2830 case DK_EXIM_RESULT_NO_KEY:
2831 rc = match_isinlist(US"no key", &arg, 0, NULL,
2832 NULL, MCL_STRING, TRUE, NULL);
2833 break;
2834 case DK_EXIM_RESULT_NO_SIGNATURE:
2835 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2836 NULL, MCL_STRING, TRUE, NULL);
2837 break;
2838 case DK_EXIM_RESULT_REVOKED:
2839 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2840 NULL, MCL_STRING, TRUE, NULL);
2841 break;
2842 case DK_EXIM_RESULT_NON_PARTICIPANT:
2843 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2844 NULL, MCL_STRING, TRUE, NULL);
2845 break;
2846 case DK_EXIM_RESULT_GOOD:
2847 rc = match_isinlist(US"good", &arg, 0, NULL,
2848 NULL, MCL_STRING, TRUE, NULL);
2849 break;
2850 case DK_EXIM_RESULT_BAD:
2851 rc = match_isinlist(US"bad", &arg, 0, NULL,
2852 NULL, MCL_STRING, TRUE, NULL);
2853 break;
71fafd95 2854 }
fb2274d4 2855 }
71fafd95
PH		 2856 break;
2857 #endif
fb2274d4 2858
059ec3d9
PH		 2859 case ACLC_DNSLISTS:
2860 rc = verify_check_dnsbl(&arg);
2861 break;
2862
2863 case ACLC_DOMAINS:
2864 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2865 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2866 break;
2867
2868 /* The value in tls_cipher is the full cipher name, for example,
2869 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2870 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2871 what may in practice come out of the SSL library - which at the time of
2872 writing is poorly documented. */
2873
2874 case ACLC_ENCRYPTED:
2875 if (tls_cipher == NULL) rc = FAIL; else
2876 {
2877 uschar *endcipher = NULL;
2878 uschar *cipher = Ustrchr(tls_cipher, ':');
2879 if (cipher == NULL) cipher = tls_cipher; else
2880 {
2881 endcipher = Ustrchr(++cipher, ':');
2882 if (endcipher != NULL) *endcipher = 0;
2883 }
2884 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2885 if (endcipher != NULL) *endcipher = ':';
2886 }
2887 break;
2888
2889 /* Use verify_check_this_host() instead of verify_check_host() so that
2890 we can pass over &host_data to catch any looked up data. Once it has been
2891 set, it retains its value so that it's still there if another ACL verb
2892 comes through here and uses the cache. However, we must put it into
2893 permanent store in case it is also expected to be used in a subsequent
2894 message in the same SMTP connection. */
2895
2896 case ACLC_HOSTS:
2897 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2898 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2899 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2900 break;
2901
2902 case ACLC_LOCAL_PARTS:
2903 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2904 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2905 &deliver_localpart_data);
2906 break;
2907
6ea85e9a
PH		 2908 case ACLC_LOG_REJECT_TARGET:
2909 {
2910 int logbits = 0;
2911 int sep = 0;
2912 uschar *s = arg;
2913 uschar *ss;
2914 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2915 != NULL)
2916 {
2917 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2918 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2919 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2920 else
2921 {
2922 logbits |= LOG_MAIN|LOG_REJECT;
2923 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2924 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2925 }
2926 }
2927 log_reject_target = logbits;
2928 }
2929 break;
2930
059ec3d9
PH		 2931 case ACLC_LOGWRITE:
2932 {
2933 int logbits = 0;
2934 uschar *s = arg;
2935 if (*s == ':')
2936 {
2937 s++;
2938 while (*s != ':')
2939 {
2940 if (Ustrncmp(s, "main", 4) == 0)
2941 { logbits |= LOG_MAIN; s += 4; }
2942 else if (Ustrncmp(s, "panic", 5) == 0)
2943 { logbits |= LOG_PANIC; s += 5; }
2944 else if (Ustrncmp(s, "reject", 6) == 0)
2945 { logbits |= LOG_REJECT; s += 6; }
2946 else
2947 {
2948 logbits = LOG_MAIN|LOG_PANIC;
2949 s = string_sprintf(":unknown log name in \"%s\" in "
2950 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2951 }
2952 if (*s == ',') s++;
2953 }
2954 s++;
2955 }
2956 while (isspace(*s)) s++;
6ea85e9a
PH		 2957
2958
059ec3d9
PH		 2959 if (logbits == 0) logbits = LOG_MAIN;
2960 log_write(0, logbits, "%s", string_printing(s));
2961 }
2962 break;
8e669ac1 2963
71fafd95 2964 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2965 case ACLC_MALWARE:
2966 {
6ea85e9a 2967 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2968 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2969 /* Run the malware backend. */
2970 rc = malware(&ss);
2971 /* Modify return code based upon the existance of options. */
2972 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2973 != NULL) {
2974 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2975 {
2976 /* FAIL so that the message is passed to the next ACL */
2977 rc = FAIL;
2978 }
2979 }
2980 }
2981 break;
2982
2983 case ACLC_MIME_REGEX:
71fafd95 2984 rc = mime_regex(&arg);
8523533c 2985 break;
71fafd95 2986 #endif
059ec3d9 2987
870f6ba8 2988 case ACLC_RATELIMIT:
90fc3069 2989 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 2990 break;
2991
059ec3d9
PH		 2992 case ACLC_RECIPIENTS:
2993 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2994 &recipient_data);
2995 break;
2996
71fafd95
PH		 2997 #ifdef WITH_CONTENT_SCAN
2998 case ACLC_REGEX:
2999 rc = regex(&arg);
8523533c 3000 break;
71fafd95 3001 #endif
8523533c 3002
059ec3d9
PH		 3003 case ACLC_SENDER_DOMAINS:
3004 {
3005 uschar *sdomain;
3006 sdomain = Ustrrchr(sender_address, '@');
3007 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3008 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3009 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3010 }
3011 break;
3012
3013 case ACLC_SENDERS:
3014 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3015 sender_address_cache, -1, 0, &sender_data);
3016 break;
3017
3018 /* Connection variables must persist forever */
3019
3020 case ACLC_SET:
3021 {
3022 int old_pool = store_pool;
38a0a95f
PH		 3023 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3024 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3025 store_pool = old_pool;
3026 }
3027 break;
3028
71fafd95 3029 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3030 case ACLC_SPAM:
3031 {
3032 /* Seperate the regular expression and any optional parameters. */
3033 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3034 /* Run the spam backend. */
3035 rc = spam(&ss);
3036 /* Modify return code based upon the existance of options. */
3037 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3038 != NULL) {
3039 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3040 {
3041 /* FAIL so that the message is passed to the next ACL */
3042 rc = FAIL;
3043 }
3044 }
3045 }
3046 break;
71fafd95 3047 #endif
8523533c 3048
71fafd95 3049 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 3050 case ACLC_SPF:
3051 rc = spf_process(&arg, sender_address);
3052 break;
71fafd95 3053 #endif
8523533c 3054
059ec3d9
PH		 3055 /* If the verb is WARN, discard any user message from verification, because
3056 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3057 only from explicit "message" modifiers. However, put the user message into
3058 $acl_verify_message so it can be used in subsequent conditions or modifiers
3059 (until something changes it). */
059ec3d9
PH		 3060
3061 case ACLC_VERIFY:
3062 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3063 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3064 if (verb == ACL_WARN) *user_msgptr = NULL;
3065 break;
3066
3067 default:
3068 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3069 "condition %d", cb->type);
3070 break;
3071 }
3072
3073 /* If a condition was negated, invert OK/FAIL. */
3074
3075 if (!cond_modifiers[cb->type] && cb->u.negated)
3076 {
3077 if (rc == OK) rc = FAIL;
3078 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3079 }
3080
3081 if (rc != OK) break; /* Conditions loop */
3082 }
3083
3084
3085/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3086handle the values of these modifiers. If there isn't a log message set, we make
3087it the same as the user message.
059ec3d9
PH		 3088
3089"message" is a user message that will be included in an SMTP response. Unless
3090it is empty, it overrides any previously set user message.
3091
3092"log_message" is a non-user message, and it adds to any existing non-user
3093message that is already set.
3094
4e88a19f
PH		 3095Most verbs have but a single return for which the messages are relevant, but
3096for "discard", it's useful to have the log message both when it succeeds and
3097when it fails. For "accept", the message is used in the OK case if there is no
3098"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3099present. */
059ec3d9 3100
4e88a19f
PH		 3101if (*epp && rc == OK) user_message = NULL;
3102
3103if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3104 {
3105 uschar *expmessage;
4e88a19f
PH		 3106 uschar *old_user_msgptr = *user_msgptr;
3107 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3108
3109 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3110 nested ACLs) are always discarded. This also happens for acceptance verbs
3111 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3112 However, the value of an existing message is available in $acl_verify_message
3113 during expansions. */
3114
4e88a19f
PH		 3115 if (verb == ACL_WARN ||
3116 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3117 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3118
3119 if (user_message != NULL)
3120 {
3121 acl_verify_message = old_user_msgptr;
3122 expmessage = expand_string(user_message);
3123 if (expmessage == NULL)
3124 {
3125 if (!expand_string_forcedfail)
3126 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3127 user_message, expand_string_message);
3128 }
3129 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3130 }
3131
3132 if (log_message != NULL)
3133 {
3134 acl_verify_message = old_log_msgptr;
3135 expmessage = expand_string(log_message);
3136 if (expmessage == NULL)
3137 {
3138 if (!expand_string_forcedfail)
3139 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3140 log_message, expand_string_message);
3141 }
3142 else if (expmessage[0] != 0)
3143 {
3144 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3145 string_sprintf("%s: %s", expmessage, *log_msgptr);
3146 }
3147 }
3148
3149 /* If no log message, default it to the user message */
3150
3151 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3152 }
3153
3154acl_verify_message = NULL;
3155return rc;
3156}
3157
3158
3159
3160
3161
3162/*************************************************
3163* Get line from a literal ACL *
3164*************************************************/
3165
3166/* This function is passed to acl_read() in order to extract individual lines
3167of a literal ACL, which we access via static pointers. We can destroy the
3168contents because this is called only once (the compiled ACL is remembered).
3169
3170This code is intended to treat the data in the same way as lines in the main
3171Exim configuration file. That is:
3172
3173 . Leading spaces are ignored.
3174
3175 . A \ at the end of a line is a continuation - trailing spaces after the \
3176 are permitted (this is because I don't believe in making invisible things
3177 significant). Leading spaces on the continued part of a line are ignored.
3178
3179 . Physical lines starting (significantly) with # are totally ignored, and
3180 may appear within a sequence of backslash-continued lines.
3181
3182 . Blank lines are ignored, but will end a sequence of continuations.
3183
3184Arguments: none
3185Returns: a pointer to the next line
3186*/
3187
3188
3189static uschar *acl_text; /* Current pointer in the text */
3190static uschar *acl_text_end; /* Points one past the terminating '0' */
3191
3192
3193static uschar *
3194acl_getline(void)
3195{
3196uschar *yield;
3197
3198/* This loop handles leading blank lines and comments. */
3199
3200for(;;)
3201 {
3202 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3203 if (*acl_text == 0) return NULL; /* No more data */
3204 yield = acl_text; /* Potential data line */
3205
3206 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3207
3208 /* If we hit the end before a newline, we have the whole logical line. If
3209 it's a comment, there's no more data to be given. Otherwise, yield it. */
3210
3211 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3212
3213 /* After reaching a newline, end this loop if the physical line does not
3214 start with '#'. If it does, it's a comment, and the loop continues. */
3215
3216 if (*yield != '#') break;
3217 }
3218
3219/* This loop handles continuations. We know we have some real data, ending in
3220newline. See if there is a continuation marker at the end (ignoring trailing
3221white space). We know that *yield is not white space, so no need to test for
3222cont > yield in the backwards scanning loop. */
3223
3224for(;;)
3225 {
3226 uschar *cont;
3227 for (cont = acl_text - 1; isspace(*cont); cont--);
3228
3229 /* If no continuation follows, we are done. Mark the end of the line and
3230 return it. */
3231
3232 if (*cont != '\\')
3233 {
3234 *acl_text++ = 0;
3235 return yield;
3236 }
3237
3238 /* We have encountered a continuation. Skip over whitespace at the start of
3239 the next line, and indeed the whole of the next line or lines if they are
3240 comment lines. */
3241
3242 for (;;)
3243 {
3244 while (*(++acl_text) == ' ' || *acl_text == '\t');
3245 if (*acl_text != '#') break;
3246 while (*(++acl_text) != 0 && *acl_text != '\n');
3247 }
3248
3249 /* We have the start of a continuation line. Move all the rest of the data
3250 to join onto the previous line, and then find its end. If the end is not a
3251 newline, we are done. Otherwise loop to look for another continuation. */
3252
3253 memmove(cont, acl_text, acl_text_end - acl_text);
3254 acl_text_end -= acl_text - cont;
3255 acl_text = cont;
3256 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3257 if (*acl_text == 0) return yield;
3258 }
3259
3260/* Control does not reach here */
3261}
3262
3263
3264
3265
3266
3267/*************************************************
3268* Check access using an ACL *
3269*************************************************/
3270
3271/* This function is called from address_check. It may recurse via
3272acl_check_condition() - hence the use of a level to stop looping. The ACL is
3273passed as a string which is expanded. A forced failure implies no access check
3274is required. If the result is a single word, it is taken as the name of an ACL
3275which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3276text, complete with newlines, and parsed as such. In both cases, the ACL check
3277is then run. This function uses an auxiliary function for acl_read() to call
3278for reading individual lines of a literal ACL. This is acl_getline(), which
3279appears immediately above.
3280
3281Arguments:
3282 where where called from
3283 addr address item when called from RCPT; otherwise NULL
3284 s the input string; NULL is the same as an empty ACL => DENY
3285 level the nesting level
3286 user_msgptr where to put a user error (for SMTP response)
3287 log_msgptr where to put a logging message (not for SMTP response)
3288
3289Returns: OK access is granted
3290 DISCARD access is apparently granted...
3291 FAIL access is denied
3292 FAIL_DROP access is denied; drop the connection
3293 DEFER can't tell at the moment
3294 ERROR disaster
3295*/
3296
3297static int
3298acl_check_internal(int where, address_item *addr, uschar *s, int level,
3299 uschar **user_msgptr, uschar **log_msgptr)
3300{
3301int fd = -1;
3302acl_block *acl = NULL;
3303uschar *acl_name = US"inline ACL";
3304uschar *ss;
3305
3306/* Catch configuration loops */
3307
3308if (level > 20)
3309 {
3310 *log_msgptr = US"ACL nested too deep: possible loop";
3311 return ERROR;
3312 }
3313
3314if (s == NULL)
3315 {
3316 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3317 return FAIL;
3318 }
3319
3320/* At top level, we expand the incoming string. At lower levels, it has already
3321been expanded as part of condition processing. */
3322
3323if (level == 0)
3324 {
3325 ss = expand_string(s);
3326 if (ss == NULL)
3327 {
3328 if (expand_string_forcedfail) return OK;
3329 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3330 expand_string_message);
3331 return ERROR;
3332 }
3333 }
3334else ss = s;
3335
3336while (isspace(*ss))ss++;
3337
3338/* If we can't find a named ACL, the default is to parse it as an inline one.
3339(Unless it begins with a slash; non-existent files give rise to an error.) */
3340
3341acl_text = ss;
3342
3343/* Handle the case of a string that does not contain any spaces. Look for a
3344named ACL among those read from the configuration, or a previously read file.
3345It is possible that the pointer to the ACL is NULL if the configuration
3346contains a name with no data. If not found, and the text begins with '/',
3347read an ACL from a file, and save it so it can be re-used. */
3348
3349if (Ustrchr(ss, ' ') == NULL)
3350 {
3351 tree_node *t = tree_search(acl_anchor, ss);
3352 if (t != NULL)
3353 {
3354 acl = (acl_block *)(t->data.ptr);
3355 if (acl == NULL)
3356 {
3357 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3358 return FAIL;
3359 }
3360 acl_name = string_sprintf("ACL \"%s\"", ss);
3361 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3362 }
3363
3364 else if (*ss == '/')
3365 {
3366 struct stat statbuf;
3367 fd = Uopen(ss, O_RDONLY, 0);
3368 if (fd < 0)
3369 {
3370 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3371 strerror(errno));
3372 return ERROR;
3373 }
3374
3375 if (fstat(fd, &statbuf) != 0)
3376 {
3377 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3378 strerror(errno));
3379 return ERROR;
3380 }
3381
3382 acl_text = store_get(statbuf.st_size + 1);
3383 acl_text_end = acl_text + statbuf.st_size + 1;
3384
3385 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3386 {
3387 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3388 ss, strerror(errno));
3389 return ERROR;
3390 }
3391 acl_text[statbuf.st_size] = 0;
f1e894f3 3392 (void)close(fd);
059ec3d9
PH		 3393
3394 acl_name = string_sprintf("ACL \"%s\"", ss);
3395 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3396 }
3397 }
3398
3399/* Parse an ACL that is still in text form. If it came from a file, remember it
3400in the ACL tree, having read it into the POOL_PERM store pool so that it
3401persists between multiple messages. */
3402
3403if (acl == NULL)
3404 {
3405 int old_pool = store_pool;
3406 if (fd >= 0) store_pool = POOL_PERM;
3407 acl = acl_read(acl_getline, log_msgptr);
3408 store_pool = old_pool;
3409 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3410 if (fd >= 0)
3411 {
3412 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3413 Ustrcpy(t->name, ss);
3414 t->data.ptr = acl;
3415 (void)tree_insertnode(&acl_anchor, t);
3416 }
3417 }
3418
3419/* Now we have an ACL to use. It's possible it may be NULL. */
3420
3421while (acl != NULL)
3422 {
3423 int cond;
3424 int basic_errno = 0;
3425 BOOL endpass_seen = FALSE;
3426
3427 *log_msgptr = *user_msgptr = NULL;
3428 acl_temp_details = FALSE;
3429
3430 if (where == ACL_WHERE_QUIT &&
3431 acl->verb != ACL_ACCEPT &&
3432 acl->verb != ACL_WARN)
3433 {
3434 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
3435 verbs[acl->verb]);
3436 return ERROR;
3437 }
3438
3439 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3440
3441 /* Clear out any search error message from a previous check before testing
3442 this condition. */
3443
3444 search_error_message = NULL;
3445 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3446 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3447
3448 /* Handle special returns: DEFER causes a return except on a WARN verb;
3449 ERROR always causes a return. */
3450
3451 switch (cond)
3452 {
3453 case DEFER:
3454 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3455 if (basic_errno != ERRNO_CALLOUTDEFER)
3456 {
3457 if (search_error_message != NULL && *search_error_message != 0)
3458 *log_msgptr = search_error_message;
3459 if (smtp_return_error_details) acl_temp_details = TRUE;
3460 }
3461 else
3462 {
3463 acl_temp_details = TRUE;
3464 }
3465 if (acl->verb != ACL_WARN) return DEFER;
3466 break;
3467
3468 default: /* Paranoia */
3469 case ERROR:
3470 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3471 return ERROR;
3472
3473 case OK:
3474 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3475 verbs[acl->verb]);
3476 break;
3477
3478 case FAIL:
3479 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3480 break;
3481
3482 /* DISCARD and DROP can happen only from a nested ACL condition, and
3483 DISCARD can happen only for an "accept" or "discard" verb. */
3484
3485 case DISCARD:
3486 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3487 verbs[acl->verb]);
3488 break;
3489
3490 case FAIL_DROP:
3491 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3492 verbs[acl->verb]);
3493 break;
3494 }
3495
3496 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3497 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3498 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3499
3500 switch(acl->verb)
3501 {
3502 case ACL_ACCEPT:
3503 if (cond == OK || cond == DISCARD) return cond;
3504 if (endpass_seen)
3505 {
3506 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3507 return cond;
3508 }
3509 break;
3510
3511 case ACL_DEFER:
3512 if (cond == OK)
3513 {
3514 acl_temp_details = TRUE;
3515 return DEFER;
3516 }
3517 break;
3518
3519 case ACL_DENY:
3520 if (cond == OK) return FAIL;
3521 break;
3522
3523 case ACL_DISCARD:
3524 if (cond == OK || cond == DISCARD) return DISCARD;
3525 if (endpass_seen)
3526 {
3527 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3528 return cond;
3529 }
3530 break;
3531
3532 case ACL_DROP:
3533 if (cond == OK) return FAIL_DROP;
3534 break;
3535
3536 case ACL_REQUIRE:
3537 if (cond != OK) return cond;
3538 break;
3539
3540 case ACL_WARN:
3541 if (cond == OK)
3542 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3543 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3544 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3545 "condition test deferred%s%s", host_and_ident(TRUE),
3546 (*log_msgptr == NULL)? US"" : US": ",
3547 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3548 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3549 break;
3550
3551 default:
3552 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3553 acl->verb);
3554 break;
3555 }
3556
3557 /* Pass to the next ACL item */
3558
3559 acl = acl->next;
3560 }
3561
3562/* We have reached the end of the ACL. This is an implicit DENY. */
3563
3564HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3565return FAIL;
3566}
3567
3568
3569/*************************************************
3570* Check access using an ACL *
3571*************************************************/
3572
3573/* This is the external interface for ACL checks. It sets up an address and the
3574expansions for $domain and $local_part when called after RCPT, then calls
3575acl_check_internal() to do the actual work.
3576
3577Arguments:
3578 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3579 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3580 s the input string; NULL is the same as an empty ACL => DENY
3581 user_msgptr where to put a user error (for SMTP response)
3582 log_msgptr where to put a logging message (not for SMTP response)
3583
3584Returns: OK access is granted by an ACCEPT verb
3585 DISCARD access is granted by a DISCARD verb
3586 FAIL access is denied
3587 FAIL_DROP access is denied; drop the connection
3588 DEFER can't tell at the moment
3589 ERROR disaster
3590*/
3591
3592int
64ffc24f 3593acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3594 uschar **log_msgptr)
3595{
3596int rc;
3597address_item adb;
64ffc24f 3598address_item *addr = NULL;
059ec3d9
PH		 3599
3600*user_msgptr = *log_msgptr = NULL;
3601sender_verified_failed = NULL;
fe0dab11 3602ratelimiters_cmd = NULL;
6ea85e9a 3603log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3604
3605if (where == ACL_WHERE_RCPT)
3606 {
3607 adb = address_defaults;
3608 addr = &adb;
64ffc24f 3609 addr->address = recipient;
059ec3d9
PH		 3610 if (deliver_split_address(addr) == DEFER)
3611 {
3612 *log_msgptr = US"defer in percent_hack_domains check";
3613 return DEFER;
3614 }
3615 deliver_domain = addr->domain;
3616 deliver_localpart = addr->local_part;
3617 }
059ec3d9
PH		 3618
3619rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3620
64ffc24f
PH		 3621deliver_domain = deliver_localpart = deliver_address_data =
3622 sender_address_data = NULL;
059ec3d9
PH		 3623
3624/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3625ACL, which is really in the middle of an SMTP command. */
3626
3627if (rc == DISCARD)
3628 {
3629 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3630 {
3631 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3632 "ACL", acl_wherenames[where]);
3633 return ERROR;
3634 }
3635 return DISCARD;
3636 }
3637
3638/* A DROP response is not permitted from MAILAUTH */
3639
3640if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3641 {
3642 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3643 "ACL", acl_wherenames[where]);
3644 return ERROR;
3645 }
3646
4e88a19f
PH		 3647/* Before giving a response, take a look at the length of any user message, and
3648split it up into multiple lines if possible. */
059ec3d9 3649
e28326d8
PH		 3650*user_msgptr = string_split_message(*user_msgptr);
3651if (fake_response != OK)
3652 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3653
3654return rc;
3655}
3656
38a0a95f
PH		 3657
3658
3659/*************************************************
3660* Create ACL variable *
3661*************************************************/
3662
3663/* Create an ACL variable or reuse an existing one. ACL variables are in a
3664binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3665
3666Argument:
3667 name pointer to the variable's name, starting with c or m
3668
3669Returns the pointer to variable's tree node
3670*/
3671
3672tree_node *
3673acl_var_create(uschar *name)
3674{
3675tree_node *node, **root;
3676root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3677node = tree_search(*root, name);
3678if (node == NULL)
3679 {
3680 node = store_get(sizeof(tree_node) + Ustrlen(name));
3681 Ustrcpy(node->name, name);
3682 (void)tree_insertnode(root, node);
3683 }
3684node->data.ptr = NULL;
3685return node;
3686}
3687
3688
3689
3690/*************************************************
3691* Write an ACL variable in spool format *
3692*************************************************/
3693
3694/* This function is used as a callback for tree_walk when writing variables to
3695the spool file. To retain spool file compatibility, what is written is -aclc or
3696-aclm followed by the rest of the name and the data length, space separated,
3697then the value itself, starting on a new line, and terminated by an additional
3698newline. When we had only numbered ACL variables, the first line might look
3699like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3700acl_cfoo.
3701
3702Arguments:
3703 name of the variable
3704 value of the variable
3705 ctx FILE pointer (as a void pointer)
3706
3707Returns: nothing
3708*/
3709
3710void
3711acl_var_write(uschar *name, uschar *value, void *ctx)
3712{
3713FILE *f = (FILE *)ctx;
3714fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3715}
3716
059ec3d9 3717/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.