projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'acl'
[exim.git] / src / src / acl.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for handling Access Control Lists (ACLs) */
9
10#include "exim.h"
11
12
13/* Default callout timeout */
14
15#define CALLOUT_TIMEOUT_DEFAULT 30
16
17/* ACL verb codes - keep in step with the table of verbs that follows */
18
19enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
20 ACL_WARN };
21
22/* ACL verbs */
23
24static uschar *verbs[] =
25 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
26 US"warn" };
27
4e88a19f
PH		 28/* For each verb, the conditions for which "message" or "log_message" are used
29are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
30"accept", the FAIL case is used only after "endpass", but that is selected in
31the code. */
32
33static int msgcond[] = {
34 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
35 (1<<OK), /* defer */
36 (1<<OK), /* deny */
37 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
38 (1<<OK), /* drop */
39 (1<<FAIL) | (1<<FAIL_DROP), /* require */
40 (1<<OK) /* warn */
41 };
059ec3d9
PH		 42
43/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 44follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
45down. */
059ec3d9 46
71fafd95
PH		 47enum { ACLC_ACL,
48 ACLC_ADD_HEADER,
49 ACLC_AUTHENTICATED,
8523533c
TK		 50#ifdef EXPERIMENTAL_BRIGHTMAIL
51 ACLC_BMI_OPTIN,
52#endif
71fafd95 53 ACLC_CONDITION,
c3611384 54 ACLC_CONTINUE,
71fafd95 55 ACLC_CONTROL,
6a8f9482
TK		 56#ifdef EXPERIMENTAL_DCC
57 ACLC_DCC,
58#endif
8523533c
TK		 59#ifdef WITH_CONTENT_SCAN
60 ACLC_DECODE,
61#endif
62 ACLC_DELAY,
63#ifdef WITH_OLD_DEMIME
64 ACLC_DEMIME,
fb2274d4 65#endif
80a47a2c
TK		 66#ifndef DISABLE_DKIM
67 ACLC_DKIM_SIGNER,
68 ACLC_DKIM_STATUS,
8e669ac1 69#endif
71fafd95
PH		 70 ACLC_DNSLISTS,
71 ACLC_DOMAINS,
72 ACLC_ENCRYPTED,
73 ACLC_ENDPASS,
74 ACLC_HOSTS,
75 ACLC_LOCAL_PARTS,
76 ACLC_LOG_MESSAGE,
6ea85e9a 77 ACLC_LOG_REJECT_TARGET,
71fafd95 78 ACLC_LOGWRITE,
8523533c
TK		 79#ifdef WITH_CONTENT_SCAN
80 ACLC_MALWARE,
81#endif
82 ACLC_MESSAGE,
83#ifdef WITH_CONTENT_SCAN
84 ACLC_MIME_REGEX,
85#endif
870f6ba8 86 ACLC_RATELIMIT,
8523533c
TK		 87 ACLC_RECIPIENTS,
88#ifdef WITH_CONTENT_SCAN
89 ACLC_REGEX,
90#endif
71fafd95
PH		 91 ACLC_SENDER_DOMAINS,
92 ACLC_SENDERS,
93 ACLC_SET,
8523533c 94#ifdef WITH_CONTENT_SCAN
8e669ac1 95 ACLC_SPAM,
8523533c
TK		 96#endif
97#ifdef EXPERIMENTAL_SPF
98 ACLC_SPF,
65a7d8c3 99 ACLC_SPF_GUESS,
8523533c
TK		 100#endif
101 ACLC_VERIFY };
059ec3d9 102
c3611384
PH		 103/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
104"message", "log_message", "log_reject_target", "logwrite", and "set" are
105modifiers that look like conditions but always return TRUE. They are used for
106their side effects. */
059ec3d9 107
9a26b6b2
PH		 108static uschar *conditions[] = {
109 US"acl",
71fafd95 110 US"add_header",
9a26b6b2 111 US"authenticated",
8523533c
TK		 112#ifdef EXPERIMENTAL_BRIGHTMAIL
113 US"bmi_optin",
114#endif
115 US"condition",
c3611384 116 US"continue",
8e669ac1 117 US"control",
6a8f9482
TK		 118#ifdef EXPERIMENTAL_DCC
119 US"dcc",
120#endif
8523533c
TK		 121#ifdef WITH_CONTENT_SCAN
122 US"decode",
123#endif
124 US"delay",
125#ifdef WITH_OLD_DEMIME
126 US"demime",
fb2274d4 127#endif
80a47a2c
TK		 128#ifndef DISABLE_DKIM
129 US"dkim_signers",
130 US"dkim_status",
8523533c 131#endif
6ea85e9a
PH		 132 US"dnslists",
133 US"domains",
134 US"encrypted",
135 US"endpass",
136 US"hosts",
137 US"local_parts",
138 US"log_message",
139 US"log_reject_target",
140 US"logwrite",
8523533c
TK		 141#ifdef WITH_CONTENT_SCAN
142 US"malware",
143#endif
144 US"message",
145#ifdef WITH_CONTENT_SCAN
146 US"mime_regex",
147#endif
870f6ba8 148 US"ratelimit",
8523533c
TK		 149 US"recipients",
150#ifdef WITH_CONTENT_SCAN
151 US"regex",
152#endif
153 US"sender_domains", US"senders", US"set",
154#ifdef WITH_CONTENT_SCAN
155 US"spam",
156#endif
157#ifdef EXPERIMENTAL_SPF
158 US"spf",
65a7d8c3 159 US"spf_guess",
8523533c 160#endif
059ec3d9 161 US"verify" };
8e669ac1 162
c5fcb476 163
9a26b6b2
PH		 164/* Return values from decode_control(); keep in step with the table of names
165that follows! */
166
167enum {
c46782ef
PH		 168 CONTROL_AUTH_UNADVERTISED,
169 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 170 CONTROL_BMI_RUN,
c46782ef 171 #endif
ed7f7860 172 CONTROL_DEBUG,
80a47a2c 173 #ifndef DISABLE_DKIM
f7572e5a
TK		 174 CONTROL_DKIM_VERIFY,
175 #endif
13363eba 176 CONTROL_DSCP,
c46782ef
PH		 177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
e4bdf652 180 CONTROL_CUTTHROUGH_DELIVERY,
c46782ef
PH		 181 CONTROL_ENFORCE_SYNC,
182 CONTROL_NO_ENFORCE_SYNC,
183 CONTROL_FREEZE,
184 CONTROL_QUEUE_ONLY,
185 CONTROL_SUBMISSION,
186 CONTROL_SUPPRESS_LOCAL_FIXUPS,
187 #ifdef WITH_CONTENT_SCAN
9a26b6b2 188 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 189 #endif
190 CONTROL_FAKEDEFER,
191 CONTROL_FAKEREJECT,
cf8b11a5 192 CONTROL_NO_MULTILINE,
047bdd8c 193 CONTROL_NO_PIPELINING,
4c590bd1
PH		 194 CONTROL_NO_DELAY_FLUSH,
195 CONTROL_NO_CALLOUT_FLUSH
c46782ef 196};
9a26b6b2 197
8800895a
PH		 198/* ACL control names; keep in step with the table above! This list is used for
199turning ids into names. The actual list of recognized names is in the variable
200control_def controls_list[] below. The fact that there are two lists is a mess
201and should be tidied up. */
9a26b6b2
PH		 202
203static uschar *controls[] = {
c46782ef 204 US"allow_auth_unadvertised",
9a26b6b2
PH		 205 #ifdef EXPERIMENTAL_BRIGHTMAIL
206 US"bmi_run",
207 #endif
ed7f7860 208 US"debug",
80a47a2c
TK		 209 #ifndef DISABLE_DKIM
210 US"dkim_disable_verify",
f7572e5a 211 #endif
13363eba 212 US"dscp",
c46782ef
PH		 213 US"error",
214 US"caseful_local_part",
215 US"caselower_local_part",
e4bdf652 216 US"cutthrough_delivery",
c46782ef
PH		 217 US"enforce_sync",
218 US"no_enforce_sync",
219 US"freeze",
220 US"queue_only",
221 US"submission",
222 US"suppress_local_fixups",
9a26b6b2
PH		 223 #ifdef WITH_CONTENT_SCAN
224 US"no_mbox_unspool",
225 #endif
cf8b11a5
PH		 226 US"fakedefer",
227 US"fakereject",
aa6dc513 228 US"no_multiline_responses",
cf8b11a5 229 US"no_pipelining",
4c590bd1
PH		 230 US"no_delay_flush",
231 US"no_callout_flush"
c46782ef 232};
059ec3d9 233
047bdd8c 234/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 235at the outer level. In the other cases, expansion already occurs in the
236checking functions. */
237
238static uschar cond_expand_at_top[] = {
7421ecab 239 FALSE, /* acl */
3e536984 240 TRUE, /* add_header */
059ec3d9 241 FALSE, /* authenticated */
8523533c
TK		 242#ifdef EXPERIMENTAL_BRIGHTMAIL
243 TRUE, /* bmi_optin */
8e669ac1 244#endif
059ec3d9 245 TRUE, /* condition */
c3611384 246 TRUE, /* continue */
059ec3d9 247 TRUE, /* control */
6a8f9482
TK		 248#ifdef EXPERIMENTAL_DCC
249 TRUE, /* dcc */
250#endif
8523533c
TK		 251#ifdef WITH_CONTENT_SCAN
252 TRUE, /* decode */
253#endif
059ec3d9 254 TRUE, /* delay */
8523533c
TK		 255#ifdef WITH_OLD_DEMIME
256 TRUE, /* demime */
fb2274d4 257#endif
80a47a2c
TK		 258#ifndef DISABLE_DKIM
259 TRUE, /* dkim_signers */
260 TRUE, /* dkim_status */
8523533c 261#endif
059ec3d9
PH		 262 TRUE, /* dnslists */
263 FALSE, /* domains */
264 FALSE, /* encrypted */
265 TRUE, /* endpass */
266 FALSE, /* hosts */
267 FALSE, /* local_parts */
268 TRUE, /* log_message */
6ea85e9a 269 TRUE, /* log_reject_target */
059ec3d9 270 TRUE, /* logwrite */
8523533c
TK		 271#ifdef WITH_CONTENT_SCAN
272 TRUE, /* malware */
273#endif
059ec3d9 274 TRUE, /* message */
8523533c
TK		 275#ifdef WITH_CONTENT_SCAN
276 TRUE, /* mime_regex */
277#endif
870f6ba8 278 TRUE, /* ratelimit */
059ec3d9 279 FALSE, /* recipients */
8523533c
TK		 280#ifdef WITH_CONTENT_SCAN
281 TRUE, /* regex */
282#endif
059ec3d9
PH		 283 FALSE, /* sender_domains */
284 FALSE, /* senders */
285 TRUE, /* set */
8523533c
TK		 286#ifdef WITH_CONTENT_SCAN
287 TRUE, /* spam */
288#endif
289#ifdef EXPERIMENTAL_SPF
290 TRUE, /* spf */
65a7d8c3 291 TRUE, /* spf_guess */
8523533c 292#endif
059ec3d9
PH		 293 TRUE /* verify */
294};
295
296/* Flags to identify the modifiers */
297
298static uschar cond_modifiers[] = {
299 FALSE, /* acl */
3e536984 300 TRUE, /* add_header */
059ec3d9 301 FALSE, /* authenticated */
8523533c
TK		 302#ifdef EXPERIMENTAL_BRIGHTMAIL
303 TRUE, /* bmi_optin */
8e669ac1 304#endif
059ec3d9 305 FALSE, /* condition */
c3611384 306 TRUE, /* continue */
059ec3d9 307 TRUE, /* control */
6a8f9482
TK		 308#ifdef EXPERIMENTAL_DCC
309 FALSE, /* dcc */
310#endif
8523533c
TK		 311#ifdef WITH_CONTENT_SCAN
312 FALSE, /* decode */
313#endif
059ec3d9 314 TRUE, /* delay */
8523533c
TK		 315#ifdef WITH_OLD_DEMIME
316 FALSE, /* demime */
fb2274d4 317#endif
80a47a2c
TK		 318#ifndef DISABLE_DKIM
319 FALSE, /* dkim_signers */
320 FALSE, /* dkim_status */
8523533c 321#endif
059ec3d9
PH		 322 FALSE, /* dnslists */
323 FALSE, /* domains */
324 FALSE, /* encrypted */
325 TRUE, /* endpass */
326 FALSE, /* hosts */
327 FALSE, /* local_parts */
328 TRUE, /* log_message */
6ea85e9a 329 TRUE, /* log_reject_target */
8523533c
TK		 330 TRUE, /* logwrite */
331#ifdef WITH_CONTENT_SCAN
332 FALSE, /* malware */
333#endif
059ec3d9 334 TRUE, /* message */
8523533c
TK		 335#ifdef WITH_CONTENT_SCAN
336 FALSE, /* mime_regex */
337#endif
870f6ba8 338 FALSE, /* ratelimit */
059ec3d9 339 FALSE, /* recipients */
8523533c
TK		 340#ifdef WITH_CONTENT_SCAN
341 FALSE, /* regex */
342#endif
059ec3d9
PH		 343 FALSE, /* sender_domains */
344 FALSE, /* senders */
345 TRUE, /* set */
8523533c
TK		 346#ifdef WITH_CONTENT_SCAN
347 FALSE, /* spam */
348#endif
349#ifdef EXPERIMENTAL_SPF
350 FALSE, /* spf */
65a7d8c3 351 FALSE, /* spf_guess */
8523533c 352#endif
059ec3d9
PH		 353 FALSE /* verify */
354};
355
c3611384 356/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 357times. For each condition and modifier, there's a bitmap of dis-allowed times.
358For some, it is easier to specify the negation of a small number of allowed
359times. */
059ec3d9
PH		 360
361static unsigned int cond_forbids[] = {
362 0, /* acl */
8e669ac1 363
71fafd95 364 (unsigned int)
45b91596 365 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 366 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596 367 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
67caae1f 368 (1<<ACL_WHERE_DKIM)|
45b91596 369 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 370
45b91596
PH		 371 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
372 (1<<ACL_WHERE_NOTSMTP_START)|
373 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 374
71fafd95 375 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 376 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 377 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
378 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 379 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 380 (1<<ACL_WHERE_MAILAUTH)|
381 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 382 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
383 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 384 #endif
8e669ac1 385
059ec3d9 386 0, /* condition */
8e669ac1 387
c3611384
PH		 388 0, /* continue */
389
059ec3d9 390 /* Certain types of control are always allowed, so we let it through
2f079f46 391 always and check in the control processing itself. */
8e669ac1 392
059ec3d9 393 0, /* control */
8e669ac1 394
6a8f9482
TK		 395 #ifdef EXPERIMENTAL_DCC
396 (unsigned int)
397 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* dcc */
398 #endif
399
71fafd95 400 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 401 (unsigned int)
402 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 403 #endif
8523533c 404
8f128379 405 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 406
71fafd95 407 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 408 (unsigned int)
409 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 410 #endif
8e669ac1 411
80a47a2c
TK		 412 #ifndef DISABLE_DKIM
413 (unsigned int)
414 ~(1<<ACL_WHERE_DKIM), /* dkim_signers */
84330b7b 415
80a47a2c
TK		 416 (unsigned int)
417 ~(1<<ACL_WHERE_DKIM), /* dkim_status */
71fafd95 418 #endif
fb2274d4 419
45b91596
PH		 420 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
421 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 422
2f079f46
PH		 423 (unsigned int)
424 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 425
45b91596
PH		 426 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
427 (1<<ACL_WHERE_CONNECT)|
428 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 429 (1<<ACL_WHERE_HELO),
8e669ac1 430
059ec3d9 431 0, /* endpass */
8e669ac1 432
45b91596
PH		 433 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
434 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 435
2f079f46
PH		 436 (unsigned int)
437 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 438
439 0, /* log_message */
8e669ac1 440
6ea85e9a
PH		 441 0, /* log_reject_target */
442
059ec3d9 443 0, /* logwrite */
8e669ac1 444
71fafd95 445 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 446 (unsigned int)
447 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 448 #endif
8523533c 449
059ec3d9
PH		 450 0, /* message */
451
71fafd95 452 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 453 (unsigned int)
454 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 455 #endif
8523533c 456
870f6ba8
TF		 457 0, /* ratelimit */
458
2f079f46
PH		 459 (unsigned int)
460 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 461
71fafd95 462 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 463 (unsigned int)
464 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
465 (1<<ACL_WHERE_MIME)),
71fafd95 466 #endif
8523533c 467
059ec3d9
PH		 468 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
469 (1<<ACL_WHERE_HELO)|
470 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
471 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
472 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
473
474 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
475 (1<<ACL_WHERE_HELO)|
476 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
477 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
478 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
479
480 0, /* set */
481
71fafd95 482 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 483 (unsigned int)
484 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 485 #endif
8523533c 486
71fafd95 487 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 488 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
489 (1<<ACL_WHERE_HELO)|
490 (1<<ACL_WHERE_MAILAUTH)|
491 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 492 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
493 (1<<ACL_WHERE_NOTSMTP)|
494 (1<<ACL_WHERE_NOTSMTP_START),
65a7d8c3
NM		 495
496 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf_guess */
497 (1<<ACL_WHERE_HELO)|
498 (1<<ACL_WHERE_MAILAUTH)|
499 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
500 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
501 (1<<ACL_WHERE_NOTSMTP)|
502 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 503 #endif
8523533c 504
059ec3d9
PH		 505 /* Certain types of verify are always allowed, so we let it through
506 always and check in the verify function itself */
507
508 0 /* verify */
059ec3d9
PH		 509};
510
511
c5fcb476
PH		 512/* Bit map vector of which controls are not allowed at certain times. For
513each control, there's a bitmap of dis-allowed times. For some, it is easier to
514specify the negation of a small number of allowed times. */
515
516static unsigned int control_forbids[] = {
c46782ef
PH		 517 (unsigned int)
518 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
519
520 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 521 0, /* bmi_run */
c46782ef
PH		 522 #endif
523
ed7f7860
PP		 524 0, /* debug */
525
80a47a2c
TK		 526 #ifndef DISABLE_DKIM
527 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dkim_disable_verify */
f7572e5a
TK		 528 (1<<ACL_WHERE_NOTSMTP_START),
529 #endif
530
13363eba
PP		 531 (1<<ACL_WHERE_NOTSMTP)|
532 (1<<ACL_WHERE_NOTSMTP_START)|
533 (1<<ACL_WHERE_NOTQUIT), /* dscp */
534
c5fcb476 535 0, /* error */
8e669ac1
PH		 536
537 (unsigned int)
c5fcb476 538 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 539
540 (unsigned int)
c5fcb476 541 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 542
e4bdf652
JH		 543 (unsigned int)
544 0, /* cutthrough_delivery */
545
45b91596
PH		 546 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
547 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 548
45b91596
PH		 549 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
550 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 551
552 (unsigned int)
c5fcb476
PH		 553 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
554 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 555 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 556
557 (unsigned int)
c5fcb476
PH		 558 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
559 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 560 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 561
562 (unsigned int)
c5fcb476 563 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 564 (1<<ACL_WHERE_PREDATA)),
8523533c 565
8800895a
PH		 566 (unsigned int)
567 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 568 (1<<ACL_WHERE_PREDATA)|
569 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 570
c46782ef 571 #ifdef WITH_CONTENT_SCAN
8e669ac1 572 (unsigned int)
14d57970 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
575 (1<<ACL_WHERE_MIME)),
c46782ef 576 #endif
a6c4ab60 577
29aba418
TF		 578 (unsigned int)
579 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
580 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
581 (1<<ACL_WHERE_MIME)),
582
8e669ac1 583 (unsigned int)
a6c4ab60 584 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 585 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
586 (1<<ACL_WHERE_MIME)),
8523533c 587
45b91596 588 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 589 (1<<ACL_WHERE_NOTSMTP_START),
590
591 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 592 (1<<ACL_WHERE_NOTSMTP_START),
593
594 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 595 (1<<ACL_WHERE_NOTSMTP_START),
596
597 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 598 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 599};
600
601/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 602
603typedef struct control_def {
604 uschar *name;
605 int value; /* CONTROL_xxx value */
059ec3d9
PH		 606 BOOL has_option; /* Has /option(s) following */
607} control_def;
608
609static control_def controls_list[] = {
c46782ef 610 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 611#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 612 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4 613#endif
ed7f7860 614 { US"debug", CONTROL_DEBUG, TRUE },
80a47a2c
TK		 615#ifndef DISABLE_DKIM
616 { US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
8523533c 617#endif
13363eba 618 { US"dscp", CONTROL_DSCP, TRUE },
c46782ef
PH		 619 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
620 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
621 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
622 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 623 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 624 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 625 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
626 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 627 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 628 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 629#ifdef WITH_CONTENT_SCAN
c46782ef 630 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 631#endif
c46782ef
PH		 632 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
633 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
634 { US"submission", CONTROL_SUBMISSION, TRUE },
e4bdf652
JH		 635 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
636 { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
059ec3d9
PH		 637 };
638
e5a9dba6
PH		 639/* Support data structures for Client SMTP Authorization. acl_verify_csa()
640caches its result in a tree to avoid repeated DNS queries. The result is an
641integer code which is used as an index into the following tables of
642explanatory strings and verification return codes. */
643
644static tree_node *csa_cache = NULL;
645
646enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
647 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
648
649/* The acl_verify_csa() return code is translated into an acl_verify() return
650code using the following table. It is OK unless the client is definitely not
651authorized. This is because CSA is supposed to be optional for sending sites,
652so recipients should not be too strict about checking it - especially because
653DNS problems are quite likely to occur. It's possible to use $csa_status in
654further ACL conditions to distinguish ok, unknown, and defer if required, but
655the aim is to make the usual configuration simple. */
656
657static int csa_return_code[] = {
658 OK, OK, OK, OK,
659 FAIL, FAIL, FAIL, FAIL
660};
661
662static uschar *csa_status_string[] = {
663 US"unknown", US"ok", US"defer", US"defer",
664 US"fail", US"fail", US"fail", US"fail"
665};
666
667static uschar *csa_reason_string[] = {
668 US"unknown",
669 US"ok",
670 US"deferred (SRV lookup failed)",
671 US"deferred (target address lookup failed)",
672 US"failed (explicit authorization required)",
673 US"failed (host name not authorized)",
674 US"failed (no authorized addresses)",
675 US"failed (client address mismatch)"
676};
677
c99ce5c9
TF		 678/* Options for the ratelimit condition. Note that there are two variants of
679the per_rcpt option, depending on the ACL that is used to measure the rate.
680However any ACL must be able to look up per_rcpt rates in /noupdate mode,
681so the two variants must have the same internal representation as well as
682the same configuration string. */
683
684enum {
685 RATE_PER_WHAT, RATE_PER_CLASH, RATE_PER_ADDR, RATE_PER_BYTE, RATE_PER_CMD,
686 RATE_PER_CONN, RATE_PER_MAIL, RATE_PER_RCPT, RATE_PER_ALLRCPTS
687};
688
689#define RATE_SET(var,new) \
690 (((var) == RATE_PER_WHAT) ? ((var) = RATE_##new) : ((var) = RATE_PER_CLASH))
691
692static uschar *ratelimit_option_string[] = {
693 US"?", US"!", US"per_addr", US"per_byte", US"per_cmd",
694 US"per_conn", US"per_mail", US"per_rcpt", US"per_rcpt"
695};
696
059ec3d9
PH		 697/* Enable recursion between acl_check_internal() and acl_check_condition() */
698
f60d98e8
JH		 699static int acl_check_wargs(int, address_item *, uschar *, int, uschar **,
700 uschar **);
059ec3d9
PH		 701
702
703/*************************************************
704* Pick out name from list *
705*************************************************/
706
707/* Use a binary chop method
708
709Arguments:
710 name name to find
711 list list of names
712 end size of list
713
714Returns: offset in list, or -1 if not found
715*/
716
717static int
718acl_checkname(uschar *name, uschar **list, int end)
719{
720int start = 0;
721
722while (start < end)
723 {
724 int mid = (start + end)/2;
725 int c = Ustrcmp(name, list[mid]);
726 if (c == 0) return mid;
727 if (c < 0) end = mid; else start = mid + 1;
728 }
729
730return -1;
731}
732
733
734/*************************************************
735* Read and parse one ACL *
736*************************************************/
737
738/* This function is called both from readconf in order to parse the ACLs in the
739configuration file, and also when an ACL is encountered dynamically (e.g. as
740the result of an expansion). It is given a function to call in order to
741retrieve the lines of the ACL. This function handles skipping comments and
742blank lines (where relevant).
743
744Arguments:
745 func function to get next line of ACL
746 error where to put an error message
747
748Returns: pointer to ACL, or NULL
749 NULL can be legal (empty ACL); in this case error will be NULL
750*/
751
752acl_block *
753acl_read(uschar *(*func)(void), uschar **error)
754{
755acl_block *yield = NULL;
756acl_block **lastp = &yield;
757acl_block *this = NULL;
758acl_condition_block *cond;
759acl_condition_block **condp = NULL;
760uschar *s;
761
762*error = NULL;
763
764while ((s = (*func)()) != NULL)
765 {
766 int v, c;
767 BOOL negated = FALSE;
768 uschar *saveline = s;
769 uschar name[64];
770
771 /* Conditions (but not verbs) are allowed to be negated by an initial
772 exclamation mark. */
773
774 while (isspace(*s)) s++;
775 if (*s == '!')
776 {
777 negated = TRUE;
778 s++;
779 }
780
cf00dad6
PH		 781 /* Read the name of a verb or a condition, or the start of a new ACL, which
782 can be started by a name, or by a macro definition. */
059ec3d9
PH		 783
784 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 785 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 786
787 /* If a verb is unrecognized, it may be another condition or modifier that
788 continues the previous verb. */
789
790 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
791 if (v < 0)
792 {
793 if (this == NULL)
794 {
4e167a8c
PH		 795 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
796 saveline);
059ec3d9
PH		 797 return NULL;
798 }
799 }
800
801 /* New verb */
802
803 else
804 {
805 if (negated)
806 {
807 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
808 return NULL;
809 }
810 this = store_get(sizeof(acl_block));
811 *lastp = this;
812 lastp = &(this->next);
813 this->next = NULL;
814 this->verb = v;
815 this->condition = NULL;
816 condp = &(this->condition);
817 if (*s == 0) continue; /* No condition on this line */
818 if (*s == '!')
819 {
820 negated = TRUE;
821 s++;
822 }
823 s = readconf_readname(name, sizeof(name), s); /* Condition name */
824 }
825
826 /* Handle a condition or modifier. */
827
828 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
829 if (c < 0)
830 {
831 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
832 saveline);
833 return NULL;
834 }
835
836 /* The modifiers may not be negated */
837
838 if (negated && cond_modifiers[c])
839 {
840 *error = string_sprintf("ACL error: negation is not allowed with "
841 "\"%s\"", conditions[c]);
842 return NULL;
843 }
844
845 /* ENDPASS may occur only with ACCEPT or DISCARD. */
846
847 if (c == ACLC_ENDPASS &&
848 this->verb != ACL_ACCEPT &&
849 this->verb != ACL_DISCARD)
850 {
851 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
852 conditions[c], verbs[this->verb]);
853 return NULL;
854 }
855
856 cond = store_get(sizeof(acl_condition_block));
857 cond->next = NULL;
858 cond->type = c;
859 cond->u.negated = negated;
860
861 *condp = cond;
862 condp = &(cond->next);
863
864 /* The "set" modifier is different in that its argument is "name=value"
865 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 866 gives us a variable name to insert into the data block. The original ACL
867 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
868 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 869 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
870 After that, we allow alphanumerics and underscores, but the first character
871 after c or m must be a digit or an underscore. This retains backwards
872 compatibility. */
059ec3d9
PH		 873
874 if (c == ACLC_SET)
875 {
47ca6d6c
PH		 876 uschar *endptr;
877
38a0a95f
PH		 878 if (Ustrncmp(s, "acl_c", 5) != 0 &&
879 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 880 {
38a0a95f
PH		 881 *error = string_sprintf("invalid variable name after \"set\" in ACL "
882 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
883 return NULL;
47ca6d6c 884 }
38a0a95f
PH		 885
886 endptr = s + 5;
641cb756
PH		 887 if (!isdigit(*endptr) && *endptr != '_')
888 {
889 *error = string_sprintf("invalid variable name after \"set\" in ACL "
890 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
891 s);
892 return NULL;
893 }
894
38a0a95f 895 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 896 {
38a0a95f
PH		 897 if (!isalnum(*endptr) && *endptr != '_')
898 {
899 *error = string_sprintf("invalid character \"%c\" in variable name "
900 "in ACL modifier \"set %s\"", *endptr, s);
901 return NULL;
902 }
903 endptr++;
47ca6d6c 904 }
47ca6d6c 905
38a0a95f 906 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 907 s = endptr;
059ec3d9
PH		 908 while (isspace(*s)) s++;
909 }
910
911 /* For "set", we are now positioned for the data. For the others, only
912 "endpass" has no data */
913
914 if (c != ACLC_ENDPASS)
915 {
916 if (*s++ != '=')
917 {
918 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
919 cond_modifiers[c]? US"modifier" : US"condition");
920 return NULL;
921 }
922 while (isspace(*s)) s++;
923 cond->arg = string_copy(s);
924 }
925 }
926
927return yield;
928}
929
930
931
71fafd95
PH		 932/*************************************************
933* Set up added header line(s) *
934*************************************************/
935
936/* This function is called by the add_header modifier, and also from acl_warn()
937to implement the now-deprecated way of adding header lines using "message" on a
938"warn" verb. The argument is treated as a sequence of header lines which are
939added to a chain, provided there isn't an identical one already there.
940
941Argument: string of header lines
942Returns: nothing
943*/
944
945static void
946setup_header(uschar *hstring)
947{
948uschar *p, *q;
949int hlen = Ustrlen(hstring);
950
951/* An empty string does nothing; otherwise add a final newline if necessary. */
952
953if (hlen <= 0) return;
954if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
955
956/* Loop for multiple header lines, taking care about continuations */
957
958for (p = q = hstring; *p != 0; )
959 {
960 uschar *s;
961 int newtype = htype_add_bot;
962 header_line **hptr = &acl_added_headers;
963
964 /* Find next header line within the string */
965
966 for (;;)
967 {
968 q = Ustrchr(q, '\n');
969 if (*(++q) != ' ' && *q != '\t') break;
970 }
971
972 /* If the line starts with a colon, interpret the instruction for where to
973 add it. This temporarily sets up a new type. */
974
975 if (*p == ':')
976 {
977 if (strncmpic(p, US":after_received:", 16) == 0)
978 {
979 newtype = htype_add_rec;
980 p += 16;
981 }
982 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
983 {
984 newtype = htype_add_rfc;
985 p += 14;
986 }
987 else if (strncmpic(p, US":at_start:", 10) == 0)
988 {
989 newtype = htype_add_top;
990 p += 10;
991 }
992 else if (strncmpic(p, US":at_end:", 8) == 0)
993 {
994 newtype = htype_add_bot;
995 p += 8;
996 }
997 while (*p == ' ' || *p == '\t') p++;
998 }
999
1000 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
1001 to the front of it. */
1002
1003 for (s = p; s < q - 1; s++)
1004 {
1005 if (*s == ':' || !isgraph(*s)) break;
1006 }
1007
438257ba 1008 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", (int) (q - p), p);
71fafd95
PH		 1009 hlen = Ustrlen(s);
1010
1011 /* See if this line has already been added */
1012
1013 while (*hptr != NULL)
1014 {
1015 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1016 hptr = &((*hptr)->next);
1017 }
1018
1019 /* Add if not previously present */
1020
1021 if (*hptr == NULL)
1022 {
1023 header_line *h = store_get(sizeof(header_line));
1024 h->text = s;
1025 h->next = NULL;
1026 h->type = newtype;
1027 h->slen = hlen;
1028 *hptr = h;
1029 hptr = &(h->next);
1030 }
1031
1032 /* Advance for next header line within the string */
1033
1034 p = q;
1035 }
1036}
1037
1038
1039
1040
059ec3d9
PH		 1041/*************************************************
1042* Handle warnings *
1043*************************************************/
1044
1045/* This function is called when a WARN verb's conditions are true. It adds to
1046the message's headers, and/or writes information to the log. In each case, this
1047only happens once (per message for headers, per connection for log).
1048
71fafd95
PH		 1049** NOTE: The header adding action using the "message" setting is historic, and
1050its use is now deprecated. The new add_header modifier should be used instead.
1051
059ec3d9
PH		 1052Arguments:
1053 where ACL_WHERE_xxxx indicating which ACL this is
1054 user_message message for adding to headers
1055 log_message message for logging, if different
1056
1057Returns: nothing
1058*/
1059
1060static void
1061acl_warn(int where, uschar *user_message, uschar *log_message)
1062{
059ec3d9
PH		 1063if (log_message != NULL && log_message != user_message)
1064 {
1065 uschar *text;
1066 string_item *logged;
1067
1068 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1069 string_printing(log_message));
1070
1071 /* If a sender verification has failed, and the log message is "sender verify
1072 failed", add the failure message. */
1073
1074 if (sender_verified_failed != NULL &&
1075 sender_verified_failed->message != NULL &&
1076 strcmpic(log_message, US"sender verify failed") == 0)
1077 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1078
9c7a242c
PH		 1079 /* Search previously logged warnings. They are kept in malloc
1080 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1081
1082 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1083 if (Ustrcmp(logged->text, text) == 0) break;
1084
1085 if (logged == NULL)
1086 {
1087 int length = Ustrlen(text) + 1;
1088 log_write(0, LOG_MAIN, "%s", text);
1089 logged = store_malloc(sizeof(string_item) + length);
1090 logged->text = (uschar *)logged + sizeof(string_item);
1091 memcpy(logged->text, text, length);
1092 logged->next = acl_warn_logged;
1093 acl_warn_logged = logged;
1094 }
1095 }
1096
1097/* If there's no user message, we are done. */
1098
1099if (user_message == NULL) return;
1100
1101/* If this isn't a message ACL, we can't do anything with a user message.
1102Log an error. */
1103
1104if (where > ACL_WHERE_NOTSMTP)
1105 {
1106 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1107 "found in a non-message (%s) ACL: cannot specify header lines here: "
1108 "message ignored", acl_wherenames[where]);
1109 return;
1110 }
1111
71fafd95
PH		 1112/* The code for setting up header lines is now abstracted into a separate
1113function so that it can be used for the add_header modifier as well. */
059ec3d9 1114
71fafd95 1115setup_header(user_message);
059ec3d9
PH		 1116}
1117
1118
1119
1120/*************************************************
1121* Verify and check reverse DNS *
1122*************************************************/
1123
1124/* Called from acl_verify() below. We look up the host name(s) of the client IP
1125address if this has not yet been done. The host_name_lookup() function checks
1126that one of these names resolves to an address list that contains the client IP
1127address, so we don't actually have to do the check here.
1128
1129Arguments:
1130 user_msgptr pointer for user message
1131 log_msgptr pointer for log message
1132
1133Returns: OK verification condition succeeded
1134 FAIL verification failed
1135 DEFER there was a problem verifying
1136*/
1137
1138static int
1139acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1140{
1141int rc;
1142
1143user_msgptr = user_msgptr; /* stop compiler warning */
1144
1145/* Previous success */
1146
1147if (sender_host_name != NULL) return OK;
1148
1149/* Previous failure */
1150
1151if (host_lookup_failed)
1152 {
1153 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1154 return FAIL;
1155 }
1156
1157/* Need to do a lookup */
1158
1159HDEBUG(D_acl)
1160 debug_printf("looking up host name to force name/address consistency check\n");
1161
1162if ((rc = host_name_lookup()) != OK)
1163 {
1164 *log_msgptr = (rc == DEFER)?
1165 US"host lookup deferred for reverse lookup check"
1166 :
1167 string_sprintf("host lookup failed for reverse lookup check%s",
1168 host_lookup_msg);
1169 return rc; /* DEFER or FAIL */
1170 }
1171
1172host_build_sender_fullhost();
1173return OK;
1174}
1175
1176
1177
e5a9dba6
PH		 1178/*************************************************
1179* Check client IP address matches CSA target *
1180*************************************************/
1181
1182/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1183response for address records belonging to the CSA target hostname. The section
1184is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1185If one of the addresses matches the client's IP address, then the client is
1186authorized by CSA. If there are target IP addresses but none of them match
1187then the client is using an unauthorized IP address. If there are no target IP
1188addresses then the client cannot be using an authorized IP address. (This is
1189an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1190
1191Arguments:
1192 dnsa the DNS answer block
1193 dnss a DNS scan block for us to use
1194 reset option specifing what portion to scan, as described above
1195 target the target hostname to use for matching RR names
1196
1197Returns: CSA_OK successfully authorized
1198 CSA_FAIL_MISMATCH addresses found but none matched
1199 CSA_FAIL_NOADDR no target addresses found
1200*/
1201
1202static int
1203acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1204 uschar *target)
1205{
1206dns_record *rr;
1207dns_address *da;
1208
1209BOOL target_found = FALSE;
1210
1211for (rr = dns_next_rr(dnsa, dnss, reset);
1212 rr != NULL;
1213 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1214 {
1215 /* Check this is an address RR for the target hostname. */
1216
1217 if (rr->type != T_A
1218 #if HAVE_IPV6
1219 && rr->type != T_AAAA
1220 #ifdef SUPPORT_A6
1221 && rr->type != T_A6
1222 #endif
1223 #endif
1224 ) continue;
1225
1226 if (strcmpic(target, rr->name) != 0) continue;
1227
1228 target_found = TRUE;
1229
1230 /* Turn the target address RR into a list of textual IP addresses and scan
1231 the list. There may be more than one if it is an A6 RR. */
1232
1233 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1234 {
1235 /* If the client IP address matches the target IP address, it's good! */
1236
1237 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1238
1239 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1240 }
1241 }
1242
1243/* If we found some target addresses but none of them matched, the client is
1244using an unauthorized IP address, otherwise the target has no authorized IP
1245addresses. */
1246
1247if (target_found) return CSA_FAIL_MISMATCH;
1248else return CSA_FAIL_NOADDR;
1249}
1250
1251
1252
1253/*************************************************
1254* Verify Client SMTP Authorization *
1255*************************************************/
1256
1257/* Called from acl_verify() below. This routine calls dns_lookup_special()
1258to find the CSA SRV record corresponding to the domain argument, or
1259$sender_helo_name if no argument is provided. It then checks that the
1260client is authorized, and that its IP address corresponds to the SRV
1261target's address by calling acl_verify_csa_address() above. The address
1262should have been returned in the DNS response's ADDITIONAL section, but if
1263not we perform another DNS lookup to get it.
1264
1265Arguments:
1266 domain pointer to optional parameter following verify = csa
1267
1268Returns: CSA_UNKNOWN no valid CSA record found
1269 CSA_OK successfully authorized
1270 CSA_FAIL_* client is definitely not authorized
1271 CSA_DEFER_* there was a DNS problem
1272*/
1273
1274static int
1275acl_verify_csa(uschar *domain)
1276{
1277tree_node *t;
1278uschar *found, *p;
1279int priority, weight, port;
1280dns_answer dnsa;
1281dns_scan dnss;
1282dns_record *rr;
1283int rc, type;
1284uschar target[256];
1285
1286/* Work out the domain we are using for the CSA lookup. The default is the
1287client's HELO domain. If the client has not said HELO, use its IP address
1288instead. If it's a local client (exim -bs), CSA isn't applicable. */
1289
1290while (isspace(*domain) && *domain != '\0') ++domain;
1291if (*domain == '\0') domain = sender_helo_name;
1292if (domain == NULL) domain = sender_host_address;
1293if (sender_host_address == NULL) return CSA_UNKNOWN;
1294
1295/* If we have an address literal, strip off the framing ready for turning it
1296into a domain. The framing consists of matched square brackets possibly
1297containing a keyword and a colon before the actual IP address. */
1298
1299if (domain[0] == '[')
1300 {
1301 uschar *start = Ustrchr(domain, ':');
1302 if (start == NULL) start = domain;
1303 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1304 }
1305
1306/* Turn domains that look like bare IP addresses into domains in the reverse
1307DNS. This code also deals with address literals and $sender_host_address. It's
1308not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1309address literals, but it's probably the most friendly thing to do. This is an
1310extension to CSA, so we allow it to be turned off for proper conformance. */
1311
7e66e54d 1312if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1313 {
1314 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1315 dns_build_reverse(domain, target);
1316 domain = target;
1317 }
1318
1319/* Find out if we've already done the CSA check for this domain. If we have,
1320return the same result again. Otherwise build a new cached result structure
1321for this domain. The name is filled in now, and the value is filled in when
1322we return from this function. */
1323
1324t = tree_search(csa_cache, domain);
1325if (t != NULL) return t->data.val;
1326
1327t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1328Ustrcpy(t->name, domain);
1329(void)tree_insertnode(&csa_cache, t);
1330
1331/* Now we are ready to do the actual DNS lookup(s). */
1332
28e6ef29 1333found = domain;
e5a9dba6
PH		 1334switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1335 {
1336 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1337
1338 default:
1339 return t->data.val = CSA_DEFER_SRV;
1340
1341 /* If we found nothing, the client's authorization is unknown. */
1342
1343 case DNS_NOMATCH:
1344 case DNS_NODATA:
1345 return t->data.val = CSA_UNKNOWN;
1346
1347 /* We got something! Go on to look at the reply in more detail. */
1348
1349 case DNS_SUCCEED:
1350 break;
1351 }
1352
1353/* Scan the reply for well-formed CSA SRV records. */
1354
1355for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1356 rr != NULL;
1357 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1358 {
1359 if (rr->type != T_SRV) continue;
1360
1361 /* Extract the numerical SRV fields (p is incremented) */
1362
1363 p = rr->data;
1364 GETSHORT(priority, p);
1365 GETSHORT(weight, p);
1366 GETSHORT(port, p);
1367
1368 DEBUG(D_acl)
1369 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1370
1371 /* Check the CSA version number */
1372
1373 if (priority != 1) continue;
1374
1375 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1376 found by dns_special_lookup() is a parent of the one we asked for), we check
1377 the subdomain assertions in the port field. At the moment there's only one
1378 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1379 SRV records of their own. */
1380
1381 if (found != domain)
1382 {
1383 if (port & 1)
1384 return t->data.val = CSA_FAIL_EXPLICIT;
1385 else
1386 return t->data.val = CSA_UNKNOWN;
1387 }
1388
1389 /* This CSA SRV record refers directly to our domain, so we check the value
1390 in the weight field to work out the domain's authorization. 0 and 1 are
1391 unauthorized; 3 means the client is authorized but we can't check the IP
1392 address in order to authenticate it, so we treat it as unknown; values
1393 greater than 3 are undefined. */
1394
1395 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1396
1397 if (weight > 2) continue;
1398
1399 /* Weight == 2, which means the domain is authorized. We must check that the
1400 client's IP address is listed as one of the SRV target addresses. Save the
1401 target hostname then break to scan the additional data for its addresses. */
1402
1403 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1404 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1405
1406 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1407
1408 break;
1409 }
1410
1411/* If we didn't break the loop then no appropriate records were found. */
1412
1413if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1414
1415/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1416A target of "." indicates there are no valid addresses, so the client cannot
1417be authorized. (This is an odd configuration because weight=2 target=. is
1418equivalent to weight=1, but we check for it in order to keep load off the
1419root name servers.) Note that dn_expand() turns "." into "". */
1420
1421if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1422
1423/* Scan the additional section of the CSA SRV reply for addresses belonging
1424to the target. If the name server didn't return any additional data (e.g.
1425because it does not fully support SRV records), we need to do another lookup
1426to obtain the target addresses; otherwise we have a definitive result. */
1427
1428rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1429if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1430
1431/* The DNS lookup type corresponds to the IP version used by the client. */
1432
1433#if HAVE_IPV6
1434if (Ustrchr(sender_host_address, ':') != NULL)
1435 type = T_AAAA;
1436else
1437#endif /* HAVE_IPV6 */
1438 type = T_A;
1439
1440
1441#if HAVE_IPV6 && defined(SUPPORT_A6)
1442DNS_LOOKUP_AGAIN:
1443#endif
1444
1445switch (dns_lookup(&dnsa, target, type, NULL))
1446 {
1447 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1448
1449 default:
1450 return t->data.val = CSA_DEFER_ADDR;
1451
1452 /* If the query succeeded, scan the addresses and return the result. */
1453
1454 case DNS_SUCCEED:
1455 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1456 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1457 /* else fall through */
1458
1459 /* If the target has no IP addresses, the client cannot have an authorized
1460 IP address. However, if the target site uses A6 records (not AAAA records)
1461 we have to do yet another lookup in order to check them. */
1462
1463 case DNS_NOMATCH:
1464 case DNS_NODATA:
1465
1466 #if HAVE_IPV6 && defined(SUPPORT_A6)
1467 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1468 #endif
1469
1470 return t->data.val = CSA_FAIL_NOADDR;
1471 }
1472}
1473
1474
1475
059ec3d9
PH		 1476/*************************************************
1477* Handle verification (address & other) *
1478*************************************************/
1479
89583014
JH		 1480enum { VERIFY_REV_HOST_LKUP, VERIFY_CERT, VERIFY_HELO, VERIFY_CSA, VERIFY_HDR_SYNTAX,
1481 VERIFY_NOT_BLIND, VERIFY_HDR_SNDR, VERIFY_SNDR, VERIFY_RCPT
1482 };
1483typedef struct {
1484 uschar * name;
1485 int value;
1486 unsigned where_allowed; /* bitmap */
1487 BOOL no_options; /* Never has /option(s) following */
1488 unsigned alt_opt_sep; /* >0 Non-/ option separator (custom parser) */
1489 } verify_type_t;
1490static verify_type_t verify_type_list[] = {
1491 { US"reverse_host_lookup", VERIFY_REV_HOST_LKUP, ~0, TRUE, 0 },
1492 { US"certificate", VERIFY_CERT, ~0, TRUE, 0 },
1493 { US"helo", VERIFY_HELO, ~0, TRUE, 0 },
1494 { US"csa", VERIFY_CSA, ~0, FALSE, 0 },
1495 { US"header_syntax", VERIFY_HDR_SYNTAX, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1496 { US"not_blind", VERIFY_NOT_BLIND, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), TRUE, 0 },
1497 { US"header_sender", VERIFY_HDR_SNDR, (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), FALSE, 0 },
1498 { US"sender", VERIFY_SNDR, (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)
1499 |(1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP),
1500 FALSE, 6 },
1501 { US"recipient", VERIFY_RCPT, (1<<ACL_WHERE_RCPT), FALSE, 0 }
1502 };
1503
1504
1505enum { CALLOUT_DEFER_OK, CALLOUT_NOCACHE, CALLOUT_RANDOM, CALLOUT_USE_SENDER,
1506 CALLOUT_USE_POSTMASTER, CALLOUT_POSTMASTER, CALLOUT_FULLPOSTMASTER,
1507 CALLOUT_MAILFROM, CALLOUT_POSTMASTER_MAILFROM, CALLOUT_MAXWAIT, CALLOUT_CONNECT,
1508 CALLOUT_TIME
1509 };
1510typedef struct {
1511 uschar * name;
1512 int value;
1513 int flag;
1514 BOOL has_option; /* Has =option(s) following */
1515 BOOL timeval; /* Has a time value */
1516 } callout_opt_t;
1517static callout_opt_t callout_opt_list[] = {
1518 { US"defer_ok", CALLOUT_DEFER_OK, 0, FALSE, FALSE },
1519 { US"no_cache", CALLOUT_NOCACHE, vopt_callout_no_cache, FALSE, FALSE },
1520 { US"random", CALLOUT_RANDOM, vopt_callout_random, FALSE, FALSE },
1521 { US"use_sender", CALLOUT_USE_SENDER, vopt_callout_recipsender, FALSE, FALSE },
1522 { US"use_postmaster", CALLOUT_USE_POSTMASTER,vopt_callout_recippmaster, FALSE, FALSE },
1523 { US"postmaster_mailfrom",CALLOUT_POSTMASTER_MAILFROM,0, TRUE, FALSE },
1524 { US"postmaster", CALLOUT_POSTMASTER, 0, FALSE, FALSE },
1525 { US"fullpostmaster", CALLOUT_FULLPOSTMASTER,vopt_callout_fullpm, FALSE, FALSE },
1526 { US"mailfrom", CALLOUT_MAILFROM, 0, TRUE, FALSE },
1527 { US"maxwait", CALLOUT_MAXWAIT, 0, TRUE, TRUE },
1528 { US"connect", CALLOUT_CONNECT, 0, TRUE, TRUE },
1529 { NULL, CALLOUT_TIME, 0, FALSE, TRUE }
1530 };
1531
1532
1533
059ec3d9
PH		 1534/* This function implements the "verify" condition. It is called when
1535encountered in any ACL, because some tests are almost always permitted. Some
1536just don't make sense, and always fail (for example, an attempt to test a host
1537lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1538
1539Arguments:
1540 where where called from
1541 addr the recipient address that the ACL is handling, or NULL
1542 arg the argument of "verify"
1543 user_msgptr pointer for user message
1544 log_msgptr pointer for log message
1545 basic_errno where to put verify errno
1546
1547Returns: OK verification condition succeeded
1548 FAIL verification failed
1549 DEFER there was a problem verifying
1550 ERROR syntax error
1551*/
1552
1553static int
1554acl_verify(int where, address_item *addr, uschar *arg,
1555 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1556{
1557int sep = '/';
1558int callout = -1;
1559int callout_overall = -1;
4deaf07d 1560int callout_connect = -1;
059ec3d9
PH		 1561int verify_options = 0;
1562int rc;
1563BOOL verify_header_sender = FALSE;
1564BOOL defer_ok = FALSE;
1565BOOL callout_defer_ok = FALSE;
1566BOOL no_details = FALSE;
eafd343b 1567BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1568address_item *sender_vaddr = NULL;
1569uschar *verify_sender_address = NULL;
1570uschar *pm_mailfrom = NULL;
1571uschar *se_mailfrom = NULL;
596875b3
PH		 1572
1573/* Some of the verify items have slash-separated options; some do not. Diagnose
89583014 1574an error if options are given for items that don't expect them.
596875b3
PH		 1575*/
1576
1577uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1578uschar *list = arg;
1579uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
89583014 1580verify_type_t * vp;
059ec3d9
PH		 1581
1582if (ss == NULL) goto BAD_VERIFY;
1583
1584/* Handle name/address consistency verification in a separate function. */
1585
89583014
JH		 1586for (vp= verify_type_list;
1587 (char *)vp < (char *)verify_type_list + sizeof(verify_type_list);
1588 vp++
1589 )
1590 if (vp->alt_opt_sep ? strncmpic(ss, vp->name, vp->alt_opt_sep) == 0
1591 : strcmpic (ss, vp->name) == 0)
1592 break;
1593if ((char *)vp >= (char *)verify_type_list + sizeof(verify_type_list))
1594 goto BAD_VERIFY;
1595
1596if (vp->no_options && slash != NULL)
059ec3d9 1597 {
89583014
JH		 1598 *log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1599 "(this verify item has no options)", arg);
1600 return ERROR;
059ec3d9 1601 }
89583014 1602if (!(vp->where_allowed & (1<<where)))
059ec3d9 1603 {
89583014
JH		 1604 *log_msgptr = string_sprintf("cannot verify %s in ACL for %s", vp->name, acl_wherenames[where]);
1605 return ERROR;
059ec3d9 1606 }
89583014 1607switch(vp->value)
596875b3 1608 {
89583014
JH		 1609 case VERIFY_REV_HOST_LKUP:
1610 if (sender_host_address == NULL) return OK;
1611 return acl_verify_reverse(user_msgptr, log_msgptr);
059ec3d9 1612
89583014
JH		 1613 case VERIFY_CERT:
1614 /* TLS certificate verification is done at STARTTLS time; here we just
1615 test whether it was successful or not. (This is for optional verification; for
1616 mandatory verification, the connection doesn't last this long.) */
e5a9dba6 1617
817d9f57 1618 if (tls_in.certificate_verified) return OK;
89583014
JH		 1619 *user_msgptr = US"no verified certificate";
1620 return FAIL;
e5a9dba6 1621
89583014
JH		 1622 case VERIFY_HELO:
1623 /* We can test the result of optional HELO verification that might have
1624 occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1625
89583014
JH		 1626 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1627 return helo_verified? OK : FAIL;
059ec3d9 1628
89583014
JH		 1629 case VERIFY_CSA:
1630 /* Do Client SMTP Authorization checks in a separate function, and turn the
1631 result code into user-friendly strings. */
1c41c9cc 1632
89583014
JH		 1633 rc = acl_verify_csa(list);
1634 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1635 csa_reason_string[rc]);
1636 csa_status = csa_status_string[rc];
1637 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1638 return csa_return_code[rc];
1639
1640 case VERIFY_HDR_SYNTAX:
1641 /* Check that all relevant header lines have the correct syntax. If there is
1642 a syntax error, we return details of the error to the sender if configured to
1643 send out full details. (But a "message" setting on the ACL can override, as
1644 always). */
1645
1646 rc = verify_check_headers(log_msgptr);
1647 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1c41c9cc 1648 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
89583014 1649 return rc;
059ec3d9 1650
89583014
JH		 1651 case VERIFY_NOT_BLIND:
1652 /* Check that no recipient of this message is "blind", that is, every envelope
1653 recipient must be mentioned in either To: or Cc:. */
059ec3d9 1654
89583014
JH		 1655 rc = verify_check_notblind();
1656 if (rc != OK)
1657 {
1658 *log_msgptr = string_sprintf("bcc recipient detected");
1659 if (smtp_return_error_details)
1660 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1661 }
1662 return rc;
059ec3d9 1663
89583014
JH		 1664 /* The remaining verification tests check recipient and sender addresses,
1665 either from the envelope or from the header. There are a number of
1666 slash-separated options that are common to all of them. */
059ec3d9 1667
89583014
JH		 1668 case VERIFY_HDR_SNDR:
1669 verify_header_sender = TRUE;
1670 break;
059ec3d9 1671
89583014
JH		 1672 case VERIFY_SNDR:
1673 /* In the case of a sender, this can optionally be followed by an address to use
1674 in place of the actual sender (rare special-case requirement). */
059ec3d9 1675 {
89583014
JH		 1676 uschar *s = ss + 6;
1677 if (*s == 0)
1678 verify_sender_address = sender_address;
1679 else
1680 {
1681 while (isspace(*s)) s++;
1682 if (*s++ != '=') goto BAD_VERIFY;
1683 while (isspace(*s)) s++;
1684 verify_sender_address = string_copy(s);
1685 }
059ec3d9 1686 }
89583014
JH		 1687 break;
1688
1689 case VERIFY_RCPT:
1690 break;
059ec3d9
PH		 1691 }
1692
89583014
JH		 1693
1694
596875b3
PH		 1695/* Remaining items are optional; they apply to sender and recipient
1696verification, including "header sender" verification. */
059ec3d9
PH		 1697
1698while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1699 != NULL)
1700 {
1701 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1702 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1703 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1704
1705 /* These two old options are left for backwards compatibility */
1706
1707 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1708 {
1709 callout_defer_ok = TRUE;
1710 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1711 }
1712
1713 else if (strcmpic(ss, US"check_postmaster") == 0)
1714 {
1715 pm_mailfrom = US"";
1716 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1717 }
1718
1719 /* The callout option has a number of sub-options, comma separated */
1720
1721 else if (strncmpic(ss, US"callout", 7) == 0)
1722 {
1723 callout = CALLOUT_TIMEOUT_DEFAULT;
1724 ss += 7;
1725 if (*ss != 0)
1726 {
1727 while (isspace(*ss)) ss++;
1728 if (*ss++ == '=')
1729 {
1730 int optsep = ',';
1731 uschar *opt;
1732 uschar buffer[256];
1733 while (isspace(*ss)) ss++;
8e669ac1 1734
059ec3d9
PH		 1735 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1736 != NULL)
1737 {
89583014 1738 callout_opt_t * op;
438257ba 1739 double period = 1.0F;
059ec3d9 1740
89583014 1741 for (op= callout_opt_list; op->name; op++)
438257ba 1742 if (strncmpic(opt, op->name, Ustrlen(op->name)) == 0)
89583014 1743 break;
059ec3d9 1744
89583014
JH		 1745 verify_options |= op->flag;
1746 if (op->has_option)
1747 {
438257ba 1748 opt += Ustrlen(op->name);
4deaf07d
PH		 1749 while (isspace(*opt)) opt++;
1750 if (*opt++ != '=')
1751 {
1752 *log_msgptr = string_sprintf("'=' expected after "
89583014 1753 "\"%s\" in ACL verify condition \"%s\"", op->name, arg);
4deaf07d
PH		 1754 return ERROR;
1755 }
1756 while (isspace(*opt)) opt++;
89583014
JH		 1757 }
1758 if (op->timeval)
1759 {
1760 period = readconf_readtime(opt, 0, FALSE);
1761 if (period < 0)
4deaf07d
PH		 1762 {
1763 *log_msgptr = string_sprintf("bad time value in ACL condition "
1764 "\"verify %s\"", arg);
1765 return ERROR;
1766 }
89583014
JH		 1767 }
1768
1769 switch(op->value)
1770 {
1771 case CALLOUT_DEFER_OK: callout_defer_ok = TRUE; break;
1772 case CALLOUT_POSTMASTER: pm_mailfrom = US""; break;
1773 case CALLOUT_FULLPOSTMASTER: pm_mailfrom = US""; break;
1774 case CALLOUT_MAILFROM:
1775 if (!verify_header_sender)
1776 {
1777 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1778 "callout option only for verify=header_sender (detected in ACL "
1779 "condition \"%s\")", arg);
1780 return ERROR;
1781 }
1782 se_mailfrom = string_copy(opt);
1783 break;
1784 case CALLOUT_POSTMASTER_MAILFROM: pm_mailfrom = string_copy(opt); break;
1785 case CALLOUT_MAXWAIT: callout_overall = period; break;
1786 case CALLOUT_CONNECT: callout_connect = period; break;
1787 case CALLOUT_TIME: callout = period; break;
1788 }
059ec3d9
PH		 1789 }
1790 }
1791 else
1792 {
1793 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1794 "ACL condition \"%s\"", arg);
1795 return ERROR;
1796 }
1797 }
1798 }
1799
1800 /* Option not recognized */
1801
1802 else
1803 {
1804 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1805 "condition \"verify %s\"", ss, arg);
1806 return ERROR;
1807 }
1808 }
1809
1810if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1811 (vopt_callout_recipsender|vopt_callout_recippmaster))
1812 {
1813 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1814 "for a recipient callout";
1815 return ERROR;
1816 }
1817
1818/* Handle sender-in-header verification. Default the user message to the log
1819message if giving out verification details. */
1820
1821if (verify_header_sender)
1822 {
8e669ac1 1823 int verrno;
059ec3d9 1824 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1825 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1826 &verrno);
1827 if (rc != OK)
8e669ac1 1828 {
fe5b5d0b
PH		 1829 *basic_errno = verrno;
1830 if (smtp_return_error_details)
1831 {
1832 if (*user_msgptr == NULL && *log_msgptr != NULL)
1833 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1834 if (rc == DEFER) acl_temp_details = TRUE;
1835 }
8e669ac1 1836 }
059ec3d9
PH		 1837 }
1838
1839/* Handle a sender address. The default is to verify *the* sender address, but
1840optionally a different address can be given, for special requirements. If the
1841address is empty, we are dealing with a bounce message that has no sender, so
1842we cannot do any checking. If the real sender address gets rewritten during
1843verification (e.g. DNS widening), set the flag to stop it being rewritten again
1844during message reception.
1845
1846A list of verified "sender" addresses is kept to try to avoid doing to much
1847work repetitively when there are multiple recipients in a message and they all
1848require sender verification. However, when callouts are involved, it gets too
1849complicated because different recipients may require different callout options.
1850Therefore, we always do a full sender verify when any kind of callout is
1851specified. Caching elsewhere, for instance in the DNS resolver and in the
1852callout handling, should ensure that this is not terribly inefficient. */
1853
1854else if (verify_sender_address != NULL)
1855 {
1856 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1857 != 0)
1858 {
1859 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1860 "sender verify callout";
1861 return ERROR;
1862 }
1863
1864 sender_vaddr = verify_checked_sender(verify_sender_address);
1865 if (sender_vaddr != NULL && /* Previously checked */
1866 callout <= 0) /* No callout needed this time */
1867 {
1868 /* If the "routed" flag is set, it means that routing worked before, so
1869 this check can give OK (the saved return code value, if set, belongs to a
1870 callout that was done previously). If the "routed" flag is not set, routing
1871 must have failed, so we use the saved return code. */
1872
1873 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1874 {
1875 rc = sender_vaddr->special_action;
1876 *basic_errno = sender_vaddr->basic_errno;
1877 }
1878 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1879 }
1880
1881 /* Do a new verification, and cache the result. The cache is used to avoid
1882 verifying the sender multiple times for multiple RCPTs when callouts are not
1883 specified (see comments above).
1884
1885 The cache is also used on failure to give details in response to the first
1886 RCPT that gets bounced for this reason. However, this can be suppressed by
1887 the no_details option, which sets the flag that says "this detail has already
1888 been sent". The cache normally contains just one address, but there may be
1889 more in esoteric circumstances. */
1890
1891 else
1892 {
1893 BOOL routed = TRUE;
2a3eea10 1894 uschar *save_address_data = deliver_address_data;
8e669ac1 1895
059ec3d9
PH		 1896 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1897 if (no_details) setflag(sender_vaddr, af_sverify_told);
1898 if (verify_sender_address[0] != 0)
1899 {
1900 /* If this is the real sender address, save the unrewritten version
1901 for use later in receive. Otherwise, set a flag so that rewriting the
1902 sender in verify_address() does not update sender_address. */
1903
1904 if (verify_sender_address == sender_address)
1905 sender_address_unrewritten = sender_address;
1906 else
1907 verify_options |= vopt_fake_sender;
1908
eafd343b
TK		 1909 if (success_on_redirect)
1910 verify_options |= vopt_success_on_redirect;
1911
059ec3d9
PH		 1912 /* The recipient, qualify, and expn options are never set in
1913 verify_options. */
1914
1915 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1916 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1917
1918 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1919
1920 if (rc == OK)
1921 {
1922 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1923 {
1924 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1925 verify_sender_address, sender_vaddr->address);
1926 }
1927 else
1928 {
1929 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1930 verify_sender_address);
1931 }
1932 }
1933 else *basic_errno = sender_vaddr->basic_errno;
1934 }
1935 else rc = OK; /* Null sender */
1936
1937 /* Cache the result code */
1938
1939 if (routed) setflag(sender_vaddr, af_verify_routed);
1940 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1941 sender_vaddr->special_action = rc;
1942 sender_vaddr->next = sender_verified_list;
1943 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1944
1945 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1946 the sender verification. */
8e669ac1 1947
2a3eea10 1948 deliver_address_data = save_address_data;
059ec3d9 1949 }
8e669ac1 1950
2a3eea10
PH		 1951 /* Put the sender address_data value into $sender_address_data */
1952
8e669ac1 1953 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1954 }
1955
1956/* A recipient address just gets a straightforward verify; again we must handle
1957the DEFER overrides. */
1958
1959else
1960 {
1961 address_item addr2;
1962
eafd343b
TK		 1963 if (success_on_redirect)
1964 verify_options |= vopt_success_on_redirect;
1965
059ec3d9
PH		 1966 /* We must use a copy of the address for verification, because it might
1967 get rewritten. */
1968
1969 addr2 = *addr;
1970 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1971 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1972 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1973
42855d71 1974 *basic_errno = addr2.basic_errno;
059ec3d9 1975 *log_msgptr = addr2.message;
8e669ac1 1976 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1977 addr2.user_message : addr2.message;
42855d71
PH		 1978
1979 /* Allow details for temporary error if the address is so flagged. */
1980 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1981
1982 /* Make $address_data visible */
1983 deliver_address_data = addr2.p.address_data;
1984 }
1985
1986/* We have a result from the relevant test. Handle defer overrides first. */
1987
1988if (rc == DEFER && (defer_ok ||
1989 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1990 {
1991 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1992 defer_ok? "defer_ok" : "callout_defer_ok");
1993 rc = OK;
1994 }
1995
1996/* If we've failed a sender, set up a recipient message, and point
1997sender_verified_failed to the address item that actually failed. */
1998
1999if (rc != OK && verify_sender_address != NULL)
2000 {
2001 if (rc != DEFER)
2002 {
2003 *log_msgptr = *user_msgptr = US"Sender verify failed";
2004 }
2005 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2006 {
2007 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2008 }
2009 else
2010 {
2011 *log_msgptr = US"Could not complete sender verify callout";
2012 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2013 *log_msgptr;
2014 }
2015
2016 sender_verified_failed = sender_vaddr;
2017 }
2018
2019/* Verifying an address messes up the values of $domain and $local_part,
2020so reset them before returning if this is a RCPT ACL. */
2021
2022if (addr != NULL)
2023 {
2024 deliver_domain = addr->domain;
2025 deliver_localpart = addr->local_part;
2026 }
2027return rc;
2028
2029/* Syntax errors in the verify argument come here. */
2030
2031BAD_VERIFY:
2032*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2033 "\"helo\", \"header_syntax\", \"header_sender\" or "
2034 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2035 "\"verify %s\"", arg);
2036return ERROR;
2037}
2038
2039
2040
2041
2042/*************************************************
2043* Check argument for control= modifier *
2044*************************************************/
2045
2046/* Called from acl_check_condition() below
2047
2048Arguments:
2049 arg the argument string for control=
2050 pptr set to point to the terminating character
2051 where which ACL we are in
2052 log_msgptr for error messages
2053
2054Returns: CONTROL_xxx value
2055*/
2056
2057static int
2058decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2059{
2060int len;
2061control_def *d;
2062
2063for (d = controls_list;
2064 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2065 d++)
2066 {
2067 len = Ustrlen(d->name);
2068 if (Ustrncmp(d->name, arg, len) == 0) break;
2069 }
2070
2071if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2072 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2073 {
2074 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2075 return CONTROL_ERROR;
2076 }
2077
059ec3d9
PH		 2078*pptr = arg + len;
2079return d->value;
2080}
2081
2082
2083
c99ce5c9
TF		 2084
2085/*************************************************
2086* Return a ratelimit error *
2087*************************************************/
2088
2089/* Called from acl_ratelimit() below
2090
2091Arguments:
2092 log_msgptr for error messages
2093 format format string
2094 ... supplementary arguments
2095 ss ratelimit option name
2096 where ACL_WHERE_xxxx indicating which ACL this is
2097
2098Returns: ERROR
2099*/
2100
2101static int
2102ratelimit_error(uschar **log_msgptr, const char *format, ...)
2103{
2104va_list ap;
2105uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
2106va_start(ap, format);
2107if (!string_vformat(buffer, sizeof(buffer), format, ap))
2108 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
ef840681 2109 "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
c99ce5c9
TF		 2110va_end(ap);
2111*log_msgptr = string_sprintf(
2112 "error in arguments to \"ratelimit\" condition: %s", buffer);
2113return ERROR;
2114}
2115
2116
2117
2118
870f6ba8
TF		 2119/*************************************************
2120* Handle rate limiting *
2121*************************************************/
2122
2123/* Called by acl_check_condition() below to calculate the result
2124of the ACL ratelimit condition.
2125
2126Note that the return value might be slightly unexpected: if the
2127sender's rate is above the limit then the result is OK. This is
2128similar to the dnslists condition, and is so that you can write
2129ACL clauses like: defer ratelimit = 15 / 1h
2130
2131Arguments:
2132 arg the option string for ratelimit=
90fc3069 2133 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2134 log_msgptr for error messages
2135
2136Returns: OK - Sender's rate is above limit
2137 FAIL - Sender's rate is below limit
2138 DEFER - Problem opening ratelimit database
2139 ERROR - Syntax error in options.
2140*/
2141
2142static int
90fc3069 2143acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8 2144{
c99ce5c9 2145double limit, period, count;
8f240103
PH		 2146uschar *ss;
2147uschar *key = NULL;
c99ce5c9 2148uschar *unique = NULL;
870f6ba8 2149int sep = '/';
c99ce5c9
TF		 2150BOOL leaky = FALSE, strict = FALSE, readonly = FALSE;
2151BOOL noupdate = FALSE, badacl = FALSE;
2152int mode = RATE_PER_WHAT;
870f6ba8
TF		 2153int old_pool, rc;
2154tree_node **anchor, *t;
2155open_db dbblock, *dbm;
c99ce5c9 2156int dbdb_size;
870f6ba8 2157dbdata_ratelimit *dbd;
c99ce5c9 2158dbdata_ratelimit_unique *dbdb;
870f6ba8
TF		 2159struct timeval tv;
2160
2161/* Parse the first two options and record their values in expansion
2162variables. These variables allow the configuration to have informative
2163error messages based on rate limits obtained from a table lookup. */
2164
c99ce5c9 2165/* First is the maximum number of messages per period / maximum burst
870f6ba8
TF		 2166size, which must be greater than or equal to zero. Zero is useful for
2167rate measurement as opposed to rate limiting. */
2168
2169sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2170if (sender_rate_limit == NULL)
2171 limit = -1.0;
2172else
2173 {
2174 limit = Ustrtod(sender_rate_limit, &ss);
2175 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2176 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2177 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2178 }
c99ce5c9
TF		 2179if (limit < 0.0 || *ss != '\0')
2180 return ratelimit_error(log_msgptr,
2181 "\"%s\" is not a positive number", sender_rate_limit);
870f6ba8 2182
c99ce5c9 2183/* Second is the rate measurement period / exponential smoothing time
870f6ba8
TF		 2184constant. This must be strictly greater than zero, because zero leads to
2185run-time division errors. */
2186
2187sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2188if (sender_rate_period == NULL) period = -1.0;
2189else period = readconf_readtime(sender_rate_period, 0, FALSE);
2190if (period <= 0.0)
c99ce5c9
TF		 2191 return ratelimit_error(log_msgptr,
2192 "\"%s\" is not a time value", sender_rate_period);
2193
2194/* By default we are counting one of something, but the per_rcpt,
2195per_byte, and count options can change this. */
2196
2197count = 1.0;
870f6ba8 2198
c99ce5c9 2199/* Parse the other options. */
870f6ba8
TF		 2200
2201while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2202 != NULL)
2203 {
2204 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2205 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2206 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
c99ce5c9
TF		 2207 else if (strcmpic(ss, US"readonly") == 0) readonly = TRUE;
2208 else if (strcmpic(ss, US"per_cmd") == 0) RATE_SET(mode, PER_CMD);
2209 else if (strcmpic(ss, US"per_conn") == 0)
2210 {
2211 RATE_SET(mode, PER_CONN);
2212 if (where == ACL_WHERE_NOTSMTP || where == ACL_WHERE_NOTSMTP_START)
2213 badacl = TRUE;
2214 }
2215 else if (strcmpic(ss, US"per_mail") == 0)
2216 {
2217 RATE_SET(mode, PER_MAIL);
2218 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2219 }
2220 else if (strcmpic(ss, US"per_rcpt") == 0)
2221 {
2222 /* If we are running in the RCPT ACL, then we'll count the recipients
2223 one by one, but if we are running when we have accumulated the whole
2224 list then we'll add them all in one batch. */
2225 if (where == ACL_WHERE_RCPT)
2226 RATE_SET(mode, PER_RCPT);
2227 else if (where >= ACL_WHERE_PREDATA && where <= ACL_WHERE_NOTSMTP)
2228 RATE_SET(mode, PER_ALLRCPTS), count = (double)recipients_count;
2229 else if (where == ACL_WHERE_MAIL || where > ACL_WHERE_NOTSMTP)
2230 RATE_SET(mode, PER_RCPT), badacl = TRUE;
2231 }
2232 else if (strcmpic(ss, US"per_byte") == 0)
2233 {
2234 /* If we have not yet received the message data and there was no SIZE
2235 declaration on the MAIL comand, then it's safe to just use a value of
2236 zero and let the recorded rate decay as if nothing happened. */
2237 RATE_SET(mode, PER_MAIL);
2238 if (where > ACL_WHERE_NOTSMTP) badacl = TRUE;
2239 else count = message_size < 0 ? 0.0 : (double)message_size;
2240 }
2241 else if (strcmpic(ss, US"per_addr") == 0)
2242 {
2243 RATE_SET(mode, PER_RCPT);
438257ba 2244 if (where != ACL_WHERE_RCPT) badacl = TRUE, unique = US"*";
c99ce5c9
TF		 2245 else unique = string_sprintf("%s@%s", deliver_localpart, deliver_domain);
2246 }
2247 else if (strncmpic(ss, US"count=", 6) == 0)
2248 {
2249 uschar *e;
2250 count = Ustrtod(ss+6, &e);
2251 if (count < 0.0 || *e != '\0')
2252 return ratelimit_error(log_msgptr,
2253 "\"%s\" is not a positive number", ss);
2254 }
2255 else if (strncmpic(ss, US"unique=", 7) == 0)
2256 unique = string_copy(ss + 7);
2257 else if (key == NULL)
2258 key = string_copy(ss);
2259 else
2260 key = string_sprintf("%s/%s", key, ss);
870f6ba8
TF		 2261 }
2262
c99ce5c9
TF		 2263/* Sanity check. When the badacl flag is set the update mode must either
2264be readonly (which is the default if it is omitted) or, for backwards
2265compatibility, a combination of noupdate and strict or leaky. */
2266
2267if (mode == RATE_PER_CLASH)
2268 return ratelimit_error(log_msgptr, "conflicting per_* options");
2269if (leaky + strict + readonly > 1)
2270 return ratelimit_error(log_msgptr, "conflicting update modes");
2271if (badacl && (leaky || strict) && !noupdate)
2272 return ratelimit_error(log_msgptr,
2273 "\"%s\" must not have /leaky or /strict option in %s ACL",
2274 ratelimit_option_string[mode], acl_wherenames[where]);
2275
2276/* Set the default values of any unset options. In readonly mode we
2277perform the rate computation without any increment so that its value
2278decays to eventually allow over-limit senders through. */
2279
2280if (noupdate) readonly = TRUE, leaky = strict = FALSE;
2281if (badacl) readonly = TRUE;
2282if (readonly) count = 0.0;
2283if (!strict && !readonly) leaky = TRUE;
2284if (mode == RATE_PER_WHAT) mode = RATE_PER_MAIL;
870f6ba8 2285
8f240103
PH		 2286/* Create the lookup key. If there is no explicit key, use sender_host_address.
2287If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2288omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2289are added to the key because they alter the meaning of the stored data. */
2290
2291if (key == NULL)
2292 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2293
c99ce5c9 2294key = string_sprintf("%s/%s/%s%s",
8f240103 2295 sender_rate_period,
c99ce5c9
TF		 2296 ratelimit_option_string[mode],
2297 unique == NULL ? "" : "unique/",
8f240103 2298 key);
870f6ba8 2299
c99ce5c9
TF		 2300HDEBUG(D_acl)
2301 debug_printf("ratelimit condition count=%.0f %.1f/%s\n", count, limit, key);
870f6ba8 2302
8f240103
PH		 2303/* See if we have already computed the rate by looking in the relevant tree.
2304For per-connection rate limiting, store tree nodes and dbdata in the permanent
c99ce5c9
TF		 2305pool so that they survive across resets. In readonly mode we only remember the
2306result for the rest of this command in case a later command changes it. After
2307this bit of logic the code is independent of the per_* mode. */
870f6ba8 2308
870f6ba8
TF		 2309old_pool = store_pool;
2310
c99ce5c9
TF		 2311if (readonly)
2312 anchor = &ratelimiters_cmd;
2313else switch(mode) {
2314case RATE_PER_CONN:
870f6ba8
TF		 2315 anchor = &ratelimiters_conn;
2316 store_pool = POOL_PERM;
c99ce5c9
TF		 2317 break;
2318case RATE_PER_BYTE:
2319case RATE_PER_MAIL:
2320case RATE_PER_ALLRCPTS:
870f6ba8 2321 anchor = &ratelimiters_mail;
c99ce5c9
TF		 2322 break;
2323case RATE_PER_ADDR:
2324case RATE_PER_CMD:
2325case RATE_PER_RCPT:
fe0dab11 2326 anchor = &ratelimiters_cmd;
c99ce5c9
TF		 2327 break;
2328default:
3399bb60 2329 anchor = NULL; /* silence an "unused" complaint */
c99ce5c9
TF		 2330 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2331 "internal ACL error: unknown ratelimit mode %d", mode);
2332 break;
2333}
870f6ba8 2334
c99ce5c9
TF		 2335t = tree_search(*anchor, key);
2336if (t != NULL)
870f6ba8
TF		 2337 {
2338 dbd = t->data.ptr;
2339 /* The following few lines duplicate some of the code below. */
8f240103 2340 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2341 store_pool = old_pool;
2342 sender_rate = string_sprintf("%.1f", dbd->rate);
2343 HDEBUG(D_acl)
2344 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2345 return rc;
2346 }
2347
c99ce5c9
TF		 2348/* We aren't using a pre-computed rate, so get a previously recorded rate
2349from the database, which will be updated and written back if required. */
870f6ba8
TF		 2350
2351dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2352if (dbm == NULL)
2353 {
2354 store_pool = old_pool;
2355 sender_rate = NULL;
2356 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2357 *log_msgptr = US"ratelimit database not available";
2358 return DEFER;
2359 }
c99ce5c9
TF		 2360dbdb = dbfn_read_with_length(dbm, key, &dbdb_size);
2361dbd = NULL;
870f6ba8
TF		 2362
2363gettimeofday(&tv, NULL);
2364
c99ce5c9
TF		 2365if (dbdb != NULL)
2366 {
2367 /* Locate the basic ratelimit block inside the DB data. */
2368 HDEBUG(D_acl) debug_printf("ratelimit found key in database\n");
2369 dbd = &dbdb->dbd;
2370
2371 /* Forget the old Bloom filter if it is too old, so that we count each
2372 repeating event once per period. We don't simply clear and re-use the old
2373 filter because we want its size to change if the limit changes. Note that
2374 we keep the dbd pointer for copying the rate into the new data block. */
2375
2376 if(unique != NULL && tv.tv_sec > dbdb->bloom_epoch + period)
2377 {
2378 HDEBUG(D_acl) debug_printf("ratelimit discarding old Bloom filter\n");
2379 dbdb = NULL;
2380 }
2381
2382 /* Sanity check. */
2383
2384 if(unique != NULL && dbdb_size < sizeof(*dbdb))
2385 {
2386 HDEBUG(D_acl) debug_printf("ratelimit discarding undersize Bloom filter\n");
2387 dbdb = NULL;
2388 }
2389 }
2390
2391/* Allocate a new data block if the database lookup failed
2392or the Bloom filter passed its age limit. */
2393
2394if (dbdb == NULL)
2395 {
2396 if (unique == NULL)
2397 {
2398 /* No Bloom filter. This basic ratelimit block is initialized below. */
2399 HDEBUG(D_acl) debug_printf("ratelimit creating new rate data block\n");
2400 dbdb_size = sizeof(*dbd);
2401 dbdb = store_get(dbdb_size);
2402 }
2403 else
2404 {
2405 int extra;
2406 HDEBUG(D_acl) debug_printf("ratelimit creating new Bloom filter\n");
2407
2408 /* See the long comment below for an explanation of the magic number 2.
2409 The filter has a minimum size in case the rate limit is very small;
2410 this is determined by the definition of dbdata_ratelimit_unique. */
2411
2412 extra = (int)limit * 2 - sizeof(dbdb->bloom);
2413 if (extra < 0) extra = 0;
2414 dbdb_size = sizeof(*dbdb) + extra;
2415 dbdb = store_get(dbdb_size);
2416 dbdb->bloom_epoch = tv.tv_sec;
2417 dbdb->bloom_size = sizeof(dbdb->bloom) + extra;
2418 memset(dbdb->bloom, 0, dbdb->bloom_size);
2419
2420 /* Preserve any basic ratelimit data (which is our longer-term memory)
2421 by copying it from the discarded block. */
2422
2423 if (dbd != NULL)
2424 {
2425 dbdb->dbd = *dbd;
2426 dbd = &dbdb->dbd;
2427 }
2428 }
2429 }
2430
2431/* If we are counting unique events, find out if this event is new or not.
2432If the client repeats the event during the current period then it should be
2433counted. We skip this code in readonly mode for efficiency, because any
2434changes to the filter will be discarded and because count is already set to
2435zero. */
2436
2437if (unique != NULL && !readonly)
2438 {
2439 /* We identify unique events using a Bloom filter. (You can find my
2440 notes on Bloom filters at http://fanf.livejournal.com/81696.html)
2441 With the per_addr option, an "event" is a recipient address, though the
2442 user can use the unique option to define their own events. We only count
2443 an event if we have not seen it before.
2444
2445 We size the filter according to the rate limit, which (in leaky mode)
2446 is the limit on the population of the filter. We allow 16 bits of space
2447 per entry (see the construction code above) and we set (up to) 8 of them
2448 when inserting an element (see the loop below). The probability of a false
2449 positive (an event we have not seen before but which we fail to count) is
2450
2451 size = limit * 16
2452 numhash = 8
2453 allzero = exp(-numhash * pop / size)
2454 = exp(-0.5 * pop / limit)
2455 fpr = pow(1 - allzero, numhash)
2456
2457 For senders at the limit the fpr is 0.06% or 1 in 1700
2458 and for senders at half the limit it is 0.0006% or 1 in 170000
2459
2460 In strict mode the Bloom filter can fill up beyond the normal limit, in
2461 which case the false positive rate will rise. This means that the
2462 measured rate for very fast senders can bogusly drop off after a while.
2463
2464 At twice the limit, the fpr is 2.5% or 1 in 40
2465 At four times the limit, it is 31% or 1 in 3.2
2466
2467 It takes ln(pop/limit) periods for an over-limit burst of pop events to
2468 decay below the limit, and if this is more than one then the Bloom filter
2469 will be discarded before the decay gets that far. The false positive rate
2470 at this threshold is 9.3% or 1 in 10.7. */
2471
2472 BOOL seen;
2473 unsigned n, hash, hinc;
2474 uschar md5sum[16];
2475 md5 md5info;
2476
2477 /* Instead of using eight independent hash values, we combine two values
2478 using the formula h1 + n * h2. This does not harm the Bloom filter's
2479 performance, and means the amount of hash we need is independent of the
2480 number of bits we set in the filter. */
2481
2482 md5_start(&md5info);
2483 md5_end(&md5info, unique, Ustrlen(unique), md5sum);
2484 hash = md5sum[0] | md5sum[1] << 8 | md5sum[2] << 16 | md5sum[3] << 24;
2485 hinc = md5sum[4] | md5sum[5] << 8 | md5sum[6] << 16 | md5sum[7] << 24;
2486
2487 /* Scan the bits corresponding to this event. A zero bit means we have
2488 not seen it before. Ensure all bits are set to record this event. */
2489
2490 HDEBUG(D_acl) debug_printf("ratelimit checking uniqueness of %s\n", unique);
2491
2492 seen = TRUE;
2493 for (n = 0; n < 8; n++, hash += hinc)
2494 {
2495 int bit = 1 << (hash % 8);
2496 int byte = (hash / 8) % dbdb->bloom_size;
2497 if ((dbdb->bloom[byte] & bit) == 0)
2498 {
2499 dbdb->bloom[byte] |= bit;
2500 seen = FALSE;
2501 }
2502 }
2503
2504 /* If this event has occurred before, do not count it. */
2505
2506 if (seen)
2507 {
2508 HDEBUG(D_acl) debug_printf("ratelimit event found in Bloom filter\n");
2509 count = 0.0;
2510 }
2511 else
2512 HDEBUG(D_acl) debug_printf("ratelimit event added to Bloom filter\n");
2513 }
2514
2515/* If there was no previous ratelimit data block for this key, initialize
2516the new one, otherwise update the block from the database. The initial rate
2517is what would be computed by the code below for an infinite interval. */
2518
870f6ba8
TF		 2519if (dbd == NULL)
2520 {
c99ce5c9
TF		 2521 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's rate data\n");
2522 dbd = &dbdb->dbd;
870f6ba8
TF		 2523 dbd->time_stamp = tv.tv_sec;
2524 dbd->time_usec = tv.tv_usec;
c99ce5c9 2525 dbd->rate = count;
870f6ba8
TF		 2526 }
2527else
2528 {
2529 /* The smoothed rate is computed using an exponentially weighted moving
2530 average adjusted for variable sampling intervals. The standard EWMA for
2531 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2532 where f() is the measured value and f'() is the smoothed value.
2533
2534 Old data decays out of the smoothed value exponentially, such that data n
2535 samples old is multiplied by a^n. The exponential decay time constant p
2536 is defined such that data p samples old is multiplied by 1/e, which means
2537 that a = exp(-1/p). We can maintain the same time constant for a variable
2538 sampling interval i by using a = exp(-i/p).
2539
2540 The rate we are measuring is messages per period, suitable for directly
2541 comparing with the limit. The average rate between now and the previous
2542 message is period / interval, which we feed into the EWMA as the sample.
2543
2544 It turns out that the number of messages required for the smoothed rate
2545 to reach the limit when they are sent in a burst is equal to the limit.
2546 This can be seen by analysing the value of the smoothed rate after N
2547 messages sent at even intervals. Let k = (1 - a) * p/i
2548
2549 rate_1 = (1 - a) * p/i + a * rate_0
2550 = k + a * rate_0
2551 rate_2 = k + a * rate_1
2552 = k + a * k + a^2 * rate_0
2553 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2554 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2555 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2556 = rate_0 * a^N + p/i * (1 - a^N)
2557
2558 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2559
2560 rate_N = p/i + (rate_0 - p/i) * a^N
2561 a^N = (rate_N - p/i) / (rate_0 - p/i)
2562 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2563 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2564
2565 Numerical analysis of the above equation, setting the computed rate to
2566 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2567 rates, p/i, the number of messages N = limit. So limit serves as both the
2568 maximum rate measured in messages per period, and the maximum number of
2569 messages that can be sent in a fast burst. */
2570
2571 double this_time = (double)tv.tv_sec
2572 + (double)tv.tv_usec / 1000000.0;
2573 double prev_time = (double)dbd->time_stamp
2574 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2575
2576 /* We must avoid division by zero, and deal gracefully with the clock going
2577 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2578 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2579
e5d5a95f
TF		 2580 double interval = this_time - prev_time <= 0.0 ? 1e-9
2581 : this_time - prev_time;
2582
2583 double i_over_p = interval / period;
2584 double a = exp(-i_over_p);
870f6ba8 2585
c99ce5c9
TF		 2586 /* Combine the instantaneous rate (period / interval) with the previous rate
2587 using the smoothing factor a. In order to measure sized events, multiply the
2588 instantaneous rate by the count of bytes or recipients etc. */
2589
870f6ba8
TF		 2590 dbd->time_stamp = tv.tv_sec;
2591 dbd->time_usec = tv.tv_usec;
c99ce5c9
TF		 2592 dbd->rate = (1 - a) * count / i_over_p + a * dbd->rate;
2593
2594 /* When events are very widely spaced the computed rate tends towards zero.
2595 Although this is accurate it turns out not to be useful for our purposes,
2596 especially when the first event after a long silence is the start of a spam
2597 run. A more useful model is that the rate for an isolated event should be the
2598 size of the event per the period size, ignoring the lack of events outside
2599 the current period and regardless of where the event falls in the period. So,
2600 if the interval was so long that the calculated rate is unhelpfully small, we
2601 re-intialize the rate. In the absence of higher-rate bursts, the condition
2602 below is true if the interval is greater than the period. */
2603
2604 if (dbd->rate < count) dbd->rate = count;
870f6ba8
TF		 2605 }
2606
c99ce5c9
TF		 2607/* Clients sending at the limit are considered to be over the limit.
2608This matters for edge cases such as a limit of zero, when the client
2609should be completely blocked. */
3348576f 2610
8f240103 2611rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2612
2613/* Update the state if the rate is low or if we are being strict. If we
2614are in leaky mode and the sender's rate is too high, we do not update
2615the recorded rate in order to avoid an over-aggressive sender's retry
c99ce5c9
TF		 2616rate preventing them from getting any email through. If readonly is set,
2617neither leaky nor strict are set, so we do not do any updates. */
870f6ba8 2618
c99ce5c9 2619if ((rc == FAIL && leaky) || strict)
8f240103 2620 {
c99ce5c9 2621 dbfn_write(dbm, key, dbdb, dbdb_size);
8f240103
PH		 2622 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2623 }
2624else
2625 {
2626 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
c99ce5c9 2627 readonly? "readonly mode" : "over the limit, but leaky");
8f240103
PH		 2628 }
2629
870f6ba8
TF		 2630dbfn_close(dbm);
2631
c99ce5c9 2632/* Store the result in the tree for future reference. */
870f6ba8 2633
c99ce5c9
TF		 2634t = store_get(sizeof(tree_node) + Ustrlen(key));
2635t->data.ptr = dbd;
2636Ustrcpy(t->name, key);
2637(void)tree_insertnode(anchor, t);
870f6ba8
TF		 2638
2639/* We create the formatted version of the sender's rate very late in
2640order to ensure that it is done using the correct storage pool. */
2641
2642store_pool = old_pool;
2643sender_rate = string_sprintf("%.1f", dbd->rate);
2644
2645HDEBUG(D_acl)
2646 debug_printf("ratelimit computed rate %s\n", sender_rate);
2647
2648return rc;
2649}
2650
2651
2652
059ec3d9
PH		 2653/*************************************************
2654* Handle conditions/modifiers on an ACL item *
2655*************************************************/
2656
2657/* Called from acl_check() below.
2658
2659Arguments:
2660 verb ACL verb
2661 cb ACL condition block - if NULL, result is OK
2662 where where called from
2663 addr the address being checked for RCPT, or NULL
2664 level the nesting level
2665 epp pointer to pass back TRUE if "endpass" encountered
2666 (applies only to "accept" and "discard")
2667 user_msgptr user message pointer
2668 log_msgptr log message pointer
2669 basic_errno pointer to where to put verify error
2670
2671Returns: OK - all conditions are met
2672 DISCARD - an "acl" condition returned DISCARD - only allowed
2673 for "accept" or "discard" verbs
2674 FAIL - at least one condition fails
2675 FAIL_DROP - an "acl" condition returned FAIL_DROP
2676 DEFER - can't tell at the moment (typically, lookup defer,
2677 but can be temporary callout problem)
2678 ERROR - ERROR from nested ACL or expansion failure or other
2679 error
2680*/
2681
2682static int
2683acl_check_condition(int verb, acl_condition_block *cb, int where,
2684 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2685 uschar **log_msgptr, int *basic_errno)
2686{
2687uschar *user_message = NULL;
2688uschar *log_message = NULL;
ed7f7860
PP		 2689uschar *debug_tag = NULL;
2690uschar *debug_opts = NULL;
91ecef39 2691uschar *p = NULL;
059ec3d9 2692int rc = OK;
8523533c
TK		 2693#ifdef WITH_CONTENT_SCAN
2694int sep = '/';
2695#endif
059ec3d9
PH		 2696
2697for (; cb != NULL; cb = cb->next)
2698 {
2699 uschar *arg;
8e669ac1 2700 int control_type;
059ec3d9
PH		 2701
2702 /* The message and log_message items set up messages to be used in
2703 case of rejection. They are expanded later. */
2704
2705 if (cb->type == ACLC_MESSAGE)
2706 {
2707 user_message = cb->arg;
2708 continue;
2709 }
2710
2711 if (cb->type == ACLC_LOG_MESSAGE)
2712 {
2713 log_message = cb->arg;
2714 continue;
2715 }
2716
2717 /* The endpass "condition" just sets a flag to show it occurred. This is
2718 checked at compile time to be on an "accept" or "discard" item. */
2719
2720 if (cb->type == ACLC_ENDPASS)
2721 {
2722 *epp = TRUE;
2723 continue;
2724 }
2725
2726 /* For other conditions and modifiers, the argument is expanded now for some
2727 of them, but not for all, because expansion happens down in some lower level
2728 checking functions in some cases. */
2729
2730 if (cond_expand_at_top[cb->type])
2731 {
2732 arg = expand_string(cb->arg);
2733 if (arg == NULL)
2734 {
2735 if (expand_string_forcedfail) continue;
2736 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2737 cb->arg, expand_string_message);
2738 return search_find_defer? DEFER : ERROR;
2739 }
2740 }
2741 else arg = cb->arg;
2742
2743 /* Show condition, and expanded condition if it's different */
2744
2745 HDEBUG(D_acl)
2746 {
2747 int lhswidth = 0;
2748 debug_printf("check %s%s %n",
2749 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2750 conditions[cb->type], &lhswidth);
2751
2752 if (cb->type == ACLC_SET)
2753 {
38a0a95f
PH		 2754 debug_printf("acl_%s ", cb->u.varname);
2755 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2756 }
2757
2758 debug_printf("= %s\n", cb->arg);
2759
2760 if (arg != cb->arg)
2761 debug_printf("%.*s= %s\n", lhswidth,
2762 US" ", CS arg);
2763 }
2764
2765 /* Check that this condition makes sense at this time */
2766
2767 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2768 {
2769 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2770 cond_modifiers[cb->type]? "use" : "test",
2771 conditions[cb->type], acl_wherenames[where]);
2772 return ERROR;
2773 }
2774
2775 /* Run the appropriate test for each condition, or take the appropriate
2776 action for the remaining modifiers. */
2777
2778 switch(cb->type)
2779 {
71fafd95
PH		 2780 case ACLC_ADD_HEADER:
2781 setup_header(arg);
2782 break;
2783
059ec3d9
PH		 2784 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2785 "discard" verb. */
71fafd95 2786
059ec3d9 2787 case ACLC_ACL:
f60d98e8 2788 rc = acl_check_wargs(where, addr, arg, level+1, user_msgptr, log_msgptr);
7421ecab
JH		 2789 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2790 {
2791 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2792 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2793 verbs[verb]);
2794 return ERROR;
2795 }
059ec3d9
PH		 2796 break;
2797
2798 case ACLC_AUTHENTICATED:
2799 rc = (sender_host_authenticated == NULL)? FAIL :
2800 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2801 TRUE, NULL);
2802 break;
2803
71fafd95 2804 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2805 case ACLC_BMI_OPTIN:
2806 {
2807 int old_pool = store_pool;
2808 store_pool = POOL_PERM;
2809 bmi_current_optin = string_copy(arg);
2810 store_pool = old_pool;
2811 }
2812 break;
71fafd95 2813 #endif
8523533c 2814
059ec3d9 2815 case ACLC_CONDITION:
f3766eb5
NM		 2816 /* The true/false parsing here should be kept in sync with that used in
2817 expand.c when dealing with ECOND_BOOL so that we don't have too many
2818 different definitions of what can be a boolean. */
059ec3d9
PH		 2819 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2820 rc = (Uatoi(arg) == 0)? FAIL : OK;
2821 else
2822 rc = (strcmpic(arg, US"no") == 0 ||
2823 strcmpic(arg, US"false") == 0)? FAIL :
2824 (strcmpic(arg, US"yes") == 0 ||
2825 strcmpic(arg, US"true") == 0)? OK : DEFER;
2826 if (rc == DEFER)
2827 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2828 break;
2829
c3611384
PH		 2830 case ACLC_CONTINUE: /* Always succeeds */
2831 break;
2832
059ec3d9 2833 case ACLC_CONTROL:
c5fcb476
PH		 2834 control_type = decode_control(arg, &p, where, log_msgptr);
2835
8523533c 2836 /* Check if this control makes sense at this time */
c5fcb476
PH		 2837
2838 if ((control_forbids[control_type] & (1 << where)) != 0)
2839 {
2840 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2841 controls[control_type], acl_wherenames[where]);
2842 return ERROR;
8e669ac1 2843 }
c5fcb476
PH		 2844
2845 switch(control_type)
059ec3d9 2846 {
c46782ef
PH		 2847 case CONTROL_AUTH_UNADVERTISED:
2848 allow_auth_unadvertised = TRUE;
2849 break;
2850
2851 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2852 case CONTROL_BMI_RUN:
2853 bmi_run = 1;
2854 break;
c46782ef
PH		 2855 #endif
2856
80a47a2c 2857 #ifndef DISABLE_DKIM
f7572e5a 2858 case CONTROL_DKIM_VERIFY:
80a47a2c 2859 dkim_disable_verify = TRUE;
f7572e5a
TK		 2860 break;
2861 #endif
2862
13363eba
PP		 2863 case CONTROL_DSCP:
2864 if (*p == '/')
2865 {
2866 int fd, af, level, optname, value;
2867 /* If we are acting on stdin, the setsockopt may fail if stdin is not
2868 a socket; we can accept that, we'll just debug-log failures anyway. */
2869 fd = fileno(smtp_in);
2870 af = ip_get_address_family(fd);
2871 if (af < 0)
2872 {
2873 HDEBUG(D_acl)
2874 debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
2875 strerror(errno));
2876 break;
2877 }
2878 if (dscp_lookup(p+1, af, &level, &optname, &value))
2879 {
2880 if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
2881 {
2882 HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
2883 p+1, strerror(errno));
2884 }
2885 else
2886 {
2887 HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
2888 }
2889 }
2890 else
2891 {
2892 *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
2893 return ERROR;
2894 }
2895 }
2896 else
2897 {
2898 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2899 return ERROR;
2900 }
2901 break;
2902
059ec3d9
PH		 2903 case CONTROL_ERROR:
2904 return ERROR;
2905
2906 case CONTROL_CASEFUL_LOCAL_PART:
2907 deliver_localpart = addr->cc_local_part;
2908 break;
2909
2910 case CONTROL_CASELOWER_LOCAL_PART:
2911 deliver_localpart = addr->lc_local_part;
2912 break;
2913
2914 case CONTROL_ENFORCE_SYNC:
2915 smtp_enforce_sync = TRUE;
2916 break;
2917
2918 case CONTROL_NO_ENFORCE_SYNC:
2919 smtp_enforce_sync = FALSE;
2920 break;
2921
c46782ef 2922 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2923 case CONTROL_NO_MBOX_UNSPOOL:
2924 no_mbox_unspool = TRUE;
2925 break;
c46782ef 2926 #endif
8523533c 2927
059ec3d9
PH		 2928 case CONTROL_NO_MULTILINE:
2929 no_multiline_responses = TRUE;
2930 break;
2931
cf8b11a5
PH		 2932 case CONTROL_NO_PIPELINING:
2933 pipelining_enable = FALSE;
2934 break;
2935
047bdd8c
PH		 2936 case CONTROL_NO_DELAY_FLUSH:
2937 disable_delay_flush = TRUE;
2938 break;
2939
4c590bd1
PH		 2940 case CONTROL_NO_CALLOUT_FLUSH:
2941 disable_callout_flush = TRUE;
2942 break;
2943
29aba418 2944 case CONTROL_FAKEDEFER:
8523533c 2945 case CONTROL_FAKEREJECT:
29aba418 2946 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2947 if (*p == '/')
8e669ac1 2948 {
8523533c 2949 uschar *pp = p + 1;
8e669ac1 2950 while (*pp != 0) pp++;
29aba418 2951 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2952 p = pp;
2953 }
2954 else
2955 {
2956 /* Explicitly reset to default string */
29aba418 2957 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2958 }
2959 break;
8523533c 2960
059ec3d9
PH		 2961 case CONTROL_FREEZE:
2962 deliver_freeze = TRUE;
2963 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2964 freeze_tell = freeze_tell_config; /* Reset to configured value */
2965 if (Ustrncmp(p, "/no_tell", 8) == 0)
2966 {
2967 p += 8;
2968 freeze_tell = NULL;
2969 }
2970 if (*p != 0)
2971 {
2972 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2973 return ERROR;
2974 }
059ec3d9
PH		 2975 break;
2976
2977 case CONTROL_QUEUE_ONLY:
2978 queue_only_policy = TRUE;
2979 break;
2980
2981 case CONTROL_SUBMISSION:
87ba3f5f 2982 originator_name = US"";
059ec3d9 2983 submission_mode = TRUE;
69358f02 2984 while (*p == '/')
8e669ac1 2985 {
69358f02
PH		 2986 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2987 {
2988 p += 14;
2989 active_local_sender_retain = TRUE;
8e669ac1
PH		 2990 active_local_from_check = FALSE;
2991 }
69358f02
PH		 2992 else if (Ustrncmp(p, "/domain=", 8) == 0)
2993 {
2994 uschar *pp = p + 8;
8e669ac1 2995 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2996 submission_domain = string_copyn(p+8, pp-p-8);
2997 p = pp;
2998 }
8857ccfd
PH		 2999 /* The name= option must be last, because it swallows the rest of
3000 the string. */
87ba3f5f
PH		 3001 else if (Ustrncmp(p, "/name=", 6) == 0)
3002 {
3003 uschar *pp = p + 6;
8857ccfd 3004 while (*pp != 0) pp++;
2fe1a124 3005 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 3006 big_buffer, big_buffer_size));
8e669ac1 3007 p = pp;
69358f02 3008 }
8e669ac1
PH		 3009 else break;
3010 }
69358f02 3011 if (*p != 0)
059ec3d9 3012 {
69358f02 3013 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 3014 return ERROR;
3015 }
3016 break;
8800895a 3017
ed7f7860
PP		 3018 case CONTROL_DEBUG:
3019 while (*p == '/')
3020 {
3021 if (Ustrncmp(p, "/tag=", 5) == 0)
3022 {
3023 uschar *pp = p + 5;
3024 while (*pp != '\0' && *pp != '/') pp++;
3025 debug_tag = string_copyn(p+5, pp-p-5);
3026 p = pp;
3027 }
3028 else if (Ustrncmp(p, "/opts=", 6) == 0)
3029 {
3030 uschar *pp = p + 6;
3031 while (*pp != '\0' && *pp != '/') pp++;
3032 debug_opts = string_copyn(p+6, pp-p-6);
3033 p = pp;
3034 }
3035 }
3036 debug_logging_activate(debug_tag, debug_opts);
3037 break;
3038
8800895a
PH		 3039 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
3040 suppress_local_fixups = TRUE;
3041 break;
e4bdf652
JH		 3042
3043 case CONTROL_CUTTHROUGH_DELIVERY:
3044 if (deliver_freeze)
3045 {
3046 *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
3047 return ERROR;
3048 }
3049 if (queue_only_policy)
3050 {
3051 *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
3052 return ERROR;
3053 }
3054 cutthrough_delivery = TRUE;
3055 break;
059ec3d9
PH		 3056 }
3057 break;
3058
6a8f9482
TK		 3059 #ifdef EXPERIMENTAL_DCC
3060 case ACLC_DCC:
3061 {
3062 /* Seperate the regular expression and any optional parameters. */
3063 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3064 /* Run the dcc backend. */
3065 rc = dcc_process(&ss);
3066 /* Modify return code based upon the existance of options. */
3067 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3068 != NULL) {
3069 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3070 {
3071 /* FAIL so that the message is passed to the next ACL */
3072 rc = FAIL;
3073 }
3074 }
3075 }
3076 break;
3077 #endif
3078
71fafd95 3079 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3080 case ACLC_DECODE:
3081 rc = mime_decode(&arg);
3082 break;
71fafd95 3083 #endif
8523533c 3084
059ec3d9
PH		 3085 case ACLC_DELAY:
3086 {
3087 int delay = readconf_readtime(arg, 0, FALSE);
3088 if (delay < 0)
3089 {
3090 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
3091 "modifier: \"%s\" is not a time value", arg);
3092 return ERROR;
3093 }
3094 else
3095 {
3096 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
3097 delay);
3098 if (host_checking)
3099 {
3100 HDEBUG(D_acl)
3101 debug_printf("delay skipped in -bh checking mode\n");
3102 }
010c2d14
PH		 3103
3104 /* It appears to be impossible to detect that a TCP/IP connection has
3105 gone away without reading from it. This means that we cannot shorten
3106 the delay below if the client goes away, because we cannot discover
3107 that the client has closed its end of the connection. (The connection
3108 is actually in a half-closed state, waiting for the server to close its
3109 end.) It would be nice to be able to detect this state, so that the
3110 Exim process is not held up unnecessarily. However, it seems that we
3111 can't. The poll() function does not do the right thing, and in any case
3112 it is not always available.
3113
047bdd8c 3114 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 3115 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 3116 Also, delays may be specified for non-SMTP input, where smtp_out and
3117 smtp_in will be NULL. Whatever is done must work in all cases.
3118
3119 NOTE 2: The added feature of flushing the output before a delay must
3120 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
3121 */
010c2d14 3122
8e669ac1 3123 else
86b8287f 3124 {
14f4a80d 3125 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 3126 while (delay > 0) delay = sleep(delay);
8e669ac1 3127 }
059ec3d9
PH		 3128 }
3129 }
3130 break;
3131
71fafd95 3132 #ifdef WITH_OLD_DEMIME
8523533c
TK		 3133 case ACLC_DEMIME:
3134 rc = demime(&arg);
3135 break;
71fafd95 3136 #endif
8523533c 3137
80a47a2c
TK		 3138 #ifndef DISABLE_DKIM
3139 case ACLC_DKIM_SIGNER:
9e5d6b55
TK		 3140 if (dkim_cur_signer != NULL)
3141 rc = match_isinlist(dkim_cur_signer,
80a47a2c 3142 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
80a47a2c 3143 else
80a47a2c 3144 rc = FAIL;
71fafd95
PH		 3145 break;
3146
80a47a2c
TK		 3147 case ACLC_DKIM_STATUS:
3148 rc = match_isinlist(dkim_exim_expand_query(DKIM_VERIFY_STATUS),
3149 &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
71fafd95
PH		 3150 break;
3151 #endif
fb2274d4 3152
059ec3d9
PH		 3153 case ACLC_DNSLISTS:
3154 rc = verify_check_dnsbl(&arg);
3155 break;
3156
3157 case ACLC_DOMAINS:
3158 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
3159 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
3160 break;
3161
3162 /* The value in tls_cipher is the full cipher name, for example,
3163 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
3164 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
3165 what may in practice come out of the SSL library - which at the time of
3166 writing is poorly documented. */
3167
3168 case ACLC_ENCRYPTED:
817d9f57 3169 if (tls_in.cipher == NULL) rc = FAIL; else
059ec3d9
PH		 3170 {
3171 uschar *endcipher = NULL;
817d9f57
JH		 3172 uschar *cipher = Ustrchr(tls_in.cipher, ':');
3173 if (cipher == NULL) cipher = tls_in.cipher; else
059ec3d9
PH		 3174 {
3175 endcipher = Ustrchr(++cipher, ':');
3176 if (endcipher != NULL) *endcipher = 0;
3177 }
3178 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
3179 if (endcipher != NULL) *endcipher = ':';
3180 }
3181 break;
3182
3183 /* Use verify_check_this_host() instead of verify_check_host() so that
3184 we can pass over &host_data to catch any looked up data. Once it has been
3185 set, it retains its value so that it's still there if another ACL verb
3186 comes through here and uses the cache. However, we must put it into
3187 permanent store in case it is also expected to be used in a subsequent
3188 message in the same SMTP connection. */
3189
3190 case ACLC_HOSTS:
3191 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
3192 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
3193 if (host_data != NULL) host_data = string_copy_malloc(host_data);
3194 break;
3195
3196 case ACLC_LOCAL_PARTS:
3197 rc = match_isinlist(addr->cc_local_part, &arg, 0,
3198 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
3199 &deliver_localpart_data);
3200 break;
3201
6ea85e9a
PH		 3202 case ACLC_LOG_REJECT_TARGET:
3203 {
3204 int logbits = 0;
3205 int sep = 0;
3206 uschar *s = arg;
3207 uschar *ss;
3208 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
3209 != NULL)
3210 {
3211 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
3212 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
3213 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
3214 else
3215 {
3216 logbits |= LOG_MAIN|LOG_REJECT;
3217 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
3218 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
3219 }
3220 }
3221 log_reject_target = logbits;
3222 }
3223 break;
3224
059ec3d9
PH		 3225 case ACLC_LOGWRITE:
3226 {
3227 int logbits = 0;
3228 uschar *s = arg;
3229 if (*s == ':')
3230 {
3231 s++;
3232 while (*s != ':')
3233 {
3234 if (Ustrncmp(s, "main", 4) == 0)
3235 { logbits |= LOG_MAIN; s += 4; }
3236 else if (Ustrncmp(s, "panic", 5) == 0)
3237 { logbits |= LOG_PANIC; s += 5; }
3238 else if (Ustrncmp(s, "reject", 6) == 0)
3239 { logbits |= LOG_REJECT; s += 6; }
3240 else
3241 {
3242 logbits = LOG_MAIN|LOG_PANIC;
3243 s = string_sprintf(":unknown log name in \"%s\" in "
3244 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
3245 }
3246 if (*s == ',') s++;
3247 }
3248 s++;
3249 }
3250 while (isspace(*s)) s++;
6ea85e9a
PH		 3251
3252
059ec3d9
PH		 3253 if (logbits == 0) logbits = LOG_MAIN;
3254 log_write(0, logbits, "%s", string_printing(s));
3255 }
3256 break;
8e669ac1 3257
71fafd95 3258 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3259 case ACLC_MALWARE:
3260 {
6ea85e9a 3261 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 3262 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3263 /* Run the malware backend. */
3264 rc = malware(&ss);
3265 /* Modify return code based upon the existance of options. */
3266 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3267 != NULL) {
3268 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3269 {
3270 /* FAIL so that the message is passed to the next ACL */
3271 rc = FAIL;
3272 }
3273 }
3274 }
3275 break;
3276
3277 case ACLC_MIME_REGEX:
71fafd95 3278 rc = mime_regex(&arg);
8523533c 3279 break;
71fafd95 3280 #endif
059ec3d9 3281
870f6ba8 3282 case ACLC_RATELIMIT:
90fc3069 3283 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3284 break;
3285
059ec3d9
PH		 3286 case ACLC_RECIPIENTS:
3287 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3288 &recipient_data);
3289 break;
3290
71fafd95
PH		 3291 #ifdef WITH_CONTENT_SCAN
3292 case ACLC_REGEX:
3293 rc = regex(&arg);
8523533c 3294 break;
71fafd95 3295 #endif
8523533c 3296
059ec3d9
PH		 3297 case ACLC_SENDER_DOMAINS:
3298 {
3299 uschar *sdomain;
3300 sdomain = Ustrrchr(sender_address, '@');
3301 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3302 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3303 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3304 }
3305 break;
3306
3307 case ACLC_SENDERS:
3308 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3309 sender_address_cache, -1, 0, &sender_data);
3310 break;
3311
3312 /* Connection variables must persist forever */
3313
3314 case ACLC_SET:
3315 {
3316 int old_pool = store_pool;
38a0a95f
PH		 3317 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3318 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3319 store_pool = old_pool;
3320 }
3321 break;
3322
71fafd95 3323 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3324 case ACLC_SPAM:
3325 {
3326 /* Seperate the regular expression and any optional parameters. */
3327 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3328 /* Run the spam backend. */
3329 rc = spam(&ss);
3330 /* Modify return code based upon the existance of options. */
3331 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3332 != NULL) {
3333 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3334 {
3335 /* FAIL so that the message is passed to the next ACL */
3336 rc = FAIL;
3337 }
3338 }
3339 }
3340 break;
71fafd95 3341 #endif
8523533c 3342
71fafd95 3343 #ifdef EXPERIMENTAL_SPF
8523533c 3344 case ACLC_SPF:
65a7d8c3
NM		 3345 rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
3346 break;
3347 case ACLC_SPF_GUESS:
3348 rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
8523533c 3349 break;
71fafd95 3350 #endif
8523533c 3351
059ec3d9
PH		 3352 /* If the verb is WARN, discard any user message from verification, because
3353 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3354 only from explicit "message" modifiers. However, put the user message into
3355 $acl_verify_message so it can be used in subsequent conditions or modifiers
3356 (until something changes it). */
059ec3d9
PH		 3357
3358 case ACLC_VERIFY:
3359 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3360 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3361 if (verb == ACL_WARN) *user_msgptr = NULL;
3362 break;
3363
3364 default:
3365 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3366 "condition %d", cb->type);
3367 break;
3368 }
3369
3370 /* If a condition was negated, invert OK/FAIL. */
3371
3372 if (!cond_modifiers[cb->type] && cb->u.negated)
3373 {
3374 if (rc == OK) rc = FAIL;
3375 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3376 }
3377
3378 if (rc != OK) break; /* Conditions loop */
3379 }
3380
3381
3382/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3383handle the values of these modifiers. If there isn't a log message set, we make
3384it the same as the user message.
059ec3d9
PH		 3385
3386"message" is a user message that will be included in an SMTP response. Unless
3387it is empty, it overrides any previously set user message.
3388
3389"log_message" is a non-user message, and it adds to any existing non-user
3390message that is already set.
3391
4e88a19f
PH		 3392Most verbs have but a single return for which the messages are relevant, but
3393for "discard", it's useful to have the log message both when it succeeds and
3394when it fails. For "accept", the message is used in the OK case if there is no
3395"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3396present. */
059ec3d9 3397
4e88a19f
PH		 3398if (*epp && rc == OK) user_message = NULL;
3399
3400if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3401 {
3402 uschar *expmessage;
4e88a19f
PH		 3403 uschar *old_user_msgptr = *user_msgptr;
3404 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3405
3406 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3407 nested ACLs) are always discarded. This also happens for acceptance verbs
3408 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3409 However, the value of an existing message is available in $acl_verify_message
3410 during expansions. */
3411
4e88a19f
PH		 3412 if (verb == ACL_WARN ||
3413 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3414 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3415
3416 if (user_message != NULL)
3417 {
3418 acl_verify_message = old_user_msgptr;
3419 expmessage = expand_string(user_message);
3420 if (expmessage == NULL)
3421 {
3422 if (!expand_string_forcedfail)
3423 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3424 user_message, expand_string_message);
3425 }
3426 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3427 }
3428
3429 if (log_message != NULL)
3430 {
3431 acl_verify_message = old_log_msgptr;
3432 expmessage = expand_string(log_message);
3433 if (expmessage == NULL)
3434 {
3435 if (!expand_string_forcedfail)
3436 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3437 log_message, expand_string_message);
3438 }
3439 else if (expmessage[0] != 0)
3440 {
3441 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3442 string_sprintf("%s: %s", expmessage, *log_msgptr);
3443 }
3444 }
3445
3446 /* If no log message, default it to the user message */
3447
3448 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3449 }
3450
3451acl_verify_message = NULL;
3452return rc;
3453}
3454
3455
3456
3457
3458
3459/*************************************************
3460* Get line from a literal ACL *
3461*************************************************/
3462
3463/* This function is passed to acl_read() in order to extract individual lines
3464of a literal ACL, which we access via static pointers. We can destroy the
3465contents because this is called only once (the compiled ACL is remembered).
3466
3467This code is intended to treat the data in the same way as lines in the main
3468Exim configuration file. That is:
3469
3470 . Leading spaces are ignored.
3471
3472 . A \ at the end of a line is a continuation - trailing spaces after the \
3473 are permitted (this is because I don't believe in making invisible things
3474 significant). Leading spaces on the continued part of a line are ignored.
3475
3476 . Physical lines starting (significantly) with # are totally ignored, and
3477 may appear within a sequence of backslash-continued lines.
3478
3479 . Blank lines are ignored, but will end a sequence of continuations.
3480
3481Arguments: none
3482Returns: a pointer to the next line
3483*/
3484
3485
3486static uschar *acl_text; /* Current pointer in the text */
3487static uschar *acl_text_end; /* Points one past the terminating '0' */
3488
3489
3490static uschar *
3491acl_getline(void)
3492{
3493uschar *yield;
3494
3495/* This loop handles leading blank lines and comments. */
3496
3497for(;;)
3498 {
3499 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3500 if (*acl_text == 0) return NULL; /* No more data */
3501 yield = acl_text; /* Potential data line */
3502
3503 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3504
3505 /* If we hit the end before a newline, we have the whole logical line. If
3506 it's a comment, there's no more data to be given. Otherwise, yield it. */
3507
3508 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3509
3510 /* After reaching a newline, end this loop if the physical line does not
3511 start with '#'. If it does, it's a comment, and the loop continues. */
3512
3513 if (*yield != '#') break;
3514 }
3515
3516/* This loop handles continuations. We know we have some real data, ending in
3517newline. See if there is a continuation marker at the end (ignoring trailing
3518white space). We know that *yield is not white space, so no need to test for
3519cont > yield in the backwards scanning loop. */
3520
3521for(;;)
3522 {
3523 uschar *cont;
3524 for (cont = acl_text - 1; isspace(*cont); cont--);
3525
3526 /* If no continuation follows, we are done. Mark the end of the line and
3527 return it. */
3528
3529 if (*cont != '\\')
3530 {
3531 *acl_text++ = 0;
3532 return yield;
3533 }
3534
3535 /* We have encountered a continuation. Skip over whitespace at the start of
3536 the next line, and indeed the whole of the next line or lines if they are
3537 comment lines. */
3538
3539 for (;;)
3540 {
3541 while (*(++acl_text) == ' ' || *acl_text == '\t');
3542 if (*acl_text != '#') break;
3543 while (*(++acl_text) != 0 && *acl_text != '\n');
3544 }
3545
3546 /* We have the start of a continuation line. Move all the rest of the data
3547 to join onto the previous line, and then find its end. If the end is not a
3548 newline, we are done. Otherwise loop to look for another continuation. */
3549
3550 memmove(cont, acl_text, acl_text_end - acl_text);
3551 acl_text_end -= acl_text - cont;
3552 acl_text = cont;
3553 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3554 if (*acl_text == 0) return yield;
3555 }
3556
3557/* Control does not reach here */
3558}
3559
3560
3561
3562
3563
3564/*************************************************
3565* Check access using an ACL *
3566*************************************************/
3567
3568/* This function is called from address_check. It may recurse via
3569acl_check_condition() - hence the use of a level to stop looping. The ACL is
3570passed as a string which is expanded. A forced failure implies no access check
3571is required. If the result is a single word, it is taken as the name of an ACL
3572which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3573text, complete with newlines, and parsed as such. In both cases, the ACL check
3574is then run. This function uses an auxiliary function for acl_read() to call
3575for reading individual lines of a literal ACL. This is acl_getline(), which
3576appears immediately above.
3577
3578Arguments:
3579 where where called from
3580 addr address item when called from RCPT; otherwise NULL
3581 s the input string; NULL is the same as an empty ACL => DENY
3582 level the nesting level
3583 user_msgptr where to put a user error (for SMTP response)
3584 log_msgptr where to put a logging message (not for SMTP response)
3585
3586Returns: OK access is granted
3587 DISCARD access is apparently granted...
3588 FAIL access is denied
3589 FAIL_DROP access is denied; drop the connection
3590 DEFER can't tell at the moment
3591 ERROR disaster
3592*/
3593
3594static int
3595acl_check_internal(int where, address_item *addr, uschar *s, int level,
3596 uschar **user_msgptr, uschar **log_msgptr)
3597{
3598int fd = -1;
3599acl_block *acl = NULL;
3600uschar *acl_name = US"inline ACL";
3601uschar *ss;
3602
3603/* Catch configuration loops */
3604
3605if (level > 20)
3606 {
3607 *log_msgptr = US"ACL nested too deep: possible loop";
3608 return ERROR;
3609 }
3610
3611if (s == NULL)
3612 {
3613 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3614 return FAIL;
3615 }
3616
3617/* At top level, we expand the incoming string. At lower levels, it has already
3618been expanded as part of condition processing. */
3619
3620if (level == 0)
3621 {
3622 ss = expand_string(s);
3623 if (ss == NULL)
3624 {
3625 if (expand_string_forcedfail) return OK;
3626 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3627 expand_string_message);
3628 return ERROR;
3629 }
3630 }
3631else ss = s;
3632
3633while (isspace(*ss))ss++;
3634
3635/* If we can't find a named ACL, the default is to parse it as an inline one.
3636(Unless it begins with a slash; non-existent files give rise to an error.) */
3637
3638acl_text = ss;
3639
3640/* Handle the case of a string that does not contain any spaces. Look for a
3641named ACL among those read from the configuration, or a previously read file.
3642It is possible that the pointer to the ACL is NULL if the configuration
3643contains a name with no data. If not found, and the text begins with '/',
3644read an ACL from a file, and save it so it can be re-used. */
3645
3646if (Ustrchr(ss, ' ') == NULL)
3647 {
3648 tree_node *t = tree_search(acl_anchor, ss);
3649 if (t != NULL)
3650 {
3651 acl = (acl_block *)(t->data.ptr);
3652 if (acl == NULL)
3653 {
3654 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3655 return FAIL;
3656 }
3657 acl_name = string_sprintf("ACL \"%s\"", ss);
3658 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3659 }
3660
3661 else if (*ss == '/')
3662 {
3663 struct stat statbuf;
3664 fd = Uopen(ss, O_RDONLY, 0);
3665 if (fd < 0)
3666 {
3667 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3668 strerror(errno));
3669 return ERROR;
3670 }
3671
3672 if (fstat(fd, &statbuf) != 0)
3673 {
3674 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3675 strerror(errno));
3676 return ERROR;
3677 }
3678
3679 acl_text = store_get(statbuf.st_size + 1);
3680 acl_text_end = acl_text + statbuf.st_size + 1;
3681
3682 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3683 {
3684 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3685 ss, strerror(errno));
3686 return ERROR;
3687 }
3688 acl_text[statbuf.st_size] = 0;
f1e894f3 3689 (void)close(fd);
059ec3d9
PH		 3690
3691 acl_name = string_sprintf("ACL \"%s\"", ss);
3692 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3693 }
3694 }
3695
3696/* Parse an ACL that is still in text form. If it came from a file, remember it
3697in the ACL tree, having read it into the POOL_PERM store pool so that it
3698persists between multiple messages. */
3699
3700if (acl == NULL)
3701 {
3702 int old_pool = store_pool;
3703 if (fd >= 0) store_pool = POOL_PERM;
3704 acl = acl_read(acl_getline, log_msgptr);
3705 store_pool = old_pool;
3706 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3707 if (fd >= 0)
3708 {
3709 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3710 Ustrcpy(t->name, ss);
3711 t->data.ptr = acl;
3712 (void)tree_insertnode(&acl_anchor, t);
3713 }
3714 }
3715
3716/* Now we have an ACL to use. It's possible it may be NULL. */
3717
3718while (acl != NULL)
3719 {
3720 int cond;
3721 int basic_errno = 0;
3722 BOOL endpass_seen = FALSE;
3723
3724 *log_msgptr = *user_msgptr = NULL;
3725 acl_temp_details = FALSE;
3726
7353285c 3727 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3728 acl->verb != ACL_ACCEPT &&
3729 acl->verb != ACL_WARN)
3730 {
7353285c 3731 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3732 verbs[acl->verb]);
3733 return ERROR;
3734 }
3735
3736 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3737
3738 /* Clear out any search error message from a previous check before testing
3739 this condition. */
3740
3741 search_error_message = NULL;
3742 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3743 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3744
3745 /* Handle special returns: DEFER causes a return except on a WARN verb;
3746 ERROR always causes a return. */
3747
3748 switch (cond)
3749 {
3750 case DEFER:
6968512f 3751 HDEBUG(D_acl) debug_printf("%s: condition test deferred in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3752 if (basic_errno != ERRNO_CALLOUTDEFER)
3753 {
3754 if (search_error_message != NULL && *search_error_message != 0)
3755 *log_msgptr = search_error_message;
3756 if (smtp_return_error_details) acl_temp_details = TRUE;
3757 }
3758 else
3759 {
3760 acl_temp_details = TRUE;
3761 }
3762 if (acl->verb != ACL_WARN) return DEFER;
3763 break;
3764
3765 default: /* Paranoia */
3766 case ERROR:
6968512f 3767 HDEBUG(D_acl) debug_printf("%s: condition test error in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3768 return ERROR;
3769
3770 case OK:
6968512f
JH		 3771 HDEBUG(D_acl) debug_printf("%s: condition test succeeded in %s\n",
3772 verbs[acl->verb], acl_name);
059ec3d9
PH		 3773 break;
3774
3775 case FAIL:
6968512f 3776 HDEBUG(D_acl) debug_printf("%s: condition test failed in %s\n", verbs[acl->verb], acl_name);
059ec3d9
PH		 3777 break;
3778
3779 /* DISCARD and DROP can happen only from a nested ACL condition, and
3780 DISCARD can happen only for an "accept" or "discard" verb. */
3781
3782 case DISCARD:
6968512f
JH		 3783 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\" in %s\n",
3784 verbs[acl->verb], acl_name);
059ec3d9
PH		 3785 break;
3786
3787 case FAIL_DROP:
6968512f
JH		 3788 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\" in %s\n",
3789 verbs[acl->verb], acl_name);
059ec3d9
PH		 3790 break;
3791 }
3792
3793 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3794 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3795 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3796
3797 switch(acl->verb)
3798 {
3799 case ACL_ACCEPT:
3800 if (cond == OK || cond == DISCARD) return cond;
3801 if (endpass_seen)
3802 {
3803 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3804 return cond;
3805 }
3806 break;
3807
3808 case ACL_DEFER:
3809 if (cond == OK)
3810 {
3811 acl_temp_details = TRUE;
3812 return DEFER;
3813 }
3814 break;
3815
3816 case ACL_DENY:
3817 if (cond == OK) return FAIL;
3818 break;
3819
3820 case ACL_DISCARD:
3821 if (cond == OK || cond == DISCARD) return DISCARD;
3822 if (endpass_seen)
3823 {
3824 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3825 return cond;
3826 }
3827 break;
3828
3829 case ACL_DROP:
3830 if (cond == OK) return FAIL_DROP;
3831 break;
3832
3833 case ACL_REQUIRE:
3834 if (cond != OK) return cond;
3835 break;
3836
3837 case ACL_WARN:
3838 if (cond == OK)
3839 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3840 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3841 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3842 "condition test deferred%s%s", host_and_ident(TRUE),
3843 (*log_msgptr == NULL)? US"" : US": ",
3844 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3845 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3846 break;
3847
3848 default:
3849 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3850 acl->verb);
3851 break;
3852 }
3853
3854 /* Pass to the next ACL item */
3855
3856 acl = acl->next;
3857 }
3858
3859/* We have reached the end of the ACL. This is an implicit DENY. */
3860
3861HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3862return FAIL;
3863}
3864
3865
333eea9c
JH		 3866
3867
3868/* Same args as acl_check_internal() above, but the string s is
3869the name of an ACL followed optionally by up to 9 space-separated arguments.
3870The name and args are separately expanded. Args go into $acl_arg globals. */
f60d98e8
JH		 3871static int
3872acl_check_wargs(int where, address_item *addr, uschar *s, int level,
333eea9c
JH		 3873 uschar **user_msgptr, uschar **log_msgptr)
3874{
3875uschar * tmp;
bef3ea7f 3876uschar * tmp_arg[9]; /* must match acl_arg[] */
333eea9c 3877uschar * name;
bef3ea7f 3878int i;
333eea9c
JH		 3879
3880if (!(tmp = string_dequote(&s)) || !(name = expand_string(tmp)))
3881 goto bad;
3882
bef3ea7f 3883for (i = 0; i < 9; i++)
333eea9c
JH		 3884 {
3885 while (*s && isspace(*s)) s++;
3886 if (!*s) break;
bef3ea7f 3887 if (!(tmp = string_dequote(&s)) || !(tmp_arg[i] = expand_string(tmp)))
333eea9c
JH		 3888 {
3889 tmp = name;
3890 goto bad;
3891 }
3892 }
bef3ea7f
JH		 3893acl_narg = i;
3894for (i = 0; i < acl_narg; i++) acl_arg[i] = tmp_arg[i];
3895while (i < 9) acl_arg[i++] = NULL;
333eea9c 3896
bef3ea7f 3897return acl_check_internal(where, addr, name, level, user_msgptr, log_msgptr);
333eea9c
JH		 3898
3899bad:
3900if (expand_string_forcedfail) return ERROR;
3901*log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
3902 tmp, expand_string_message);
3903return search_find_defer?DEFER:ERROR;
3904}
3905
3906
3907
059ec3d9
PH		 3908/*************************************************
3909* Check access using an ACL *
3910*************************************************/
3911
3912/* This is the external interface for ACL checks. It sets up an address and the
3913expansions for $domain and $local_part when called after RCPT, then calls
3914acl_check_internal() to do the actual work.
3915
3916Arguments:
3917 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3918 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3919 s the input string; NULL is the same as an empty ACL => DENY
3920 user_msgptr where to put a user error (for SMTP response)
3921 log_msgptr where to put a logging message (not for SMTP response)
3922
3923Returns: OK access is granted by an ACCEPT verb
3924 DISCARD access is granted by a DISCARD verb
3925 FAIL access is denied
3926 FAIL_DROP access is denied; drop the connection
3927 DEFER can't tell at the moment
3928 ERROR disaster
3929*/
3930
3931int
64ffc24f 3932acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3933 uschar **log_msgptr)
3934{
3935int rc;
3936address_item adb;
64ffc24f 3937address_item *addr = NULL;
059ec3d9
PH		 3938
3939*user_msgptr = *log_msgptr = NULL;
3940sender_verified_failed = NULL;
fe0dab11 3941ratelimiters_cmd = NULL;
6ea85e9a 3942log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3943
3944if (where == ACL_WHERE_RCPT)
3945 {
3946 adb = address_defaults;
3947 addr = &adb;
64ffc24f 3948 addr->address = recipient;
059ec3d9
PH		 3949 if (deliver_split_address(addr) == DEFER)
3950 {
3951 *log_msgptr = US"defer in percent_hack_domains check";
3952 return DEFER;
3953 }
3954 deliver_domain = addr->domain;
3955 deliver_localpart = addr->local_part;
3956 }
059ec3d9
PH		 3957
3958rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3959
817d9f57
JH		 3960/* Cutthrough - if requested,
3961and WHERE_RCPT and not yet opened conn as result of recipient-verify,
3962and rcpt acl returned accept,
3963and first recipient (cancel on any subsequents)
e4bdf652 3964open one now and run it up to RCPT acceptance.
e4bdf652 3965A failed verify should cancel cutthrough request.
e4bdf652 3966
817d9f57 3967Initial implementation: dual-write to spool.
e4bdf652
JH		 3968Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
3969
3970Cease cutthrough copy on rxd final dot; do not send one.
3971
3972On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
3973
3974On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
3975perm-rejected, reflect that to the original sender - and dump the spooled copy.
3976If temp-reject, close the conn (and keep the spooled copy).
3977If conn-failure, no action (and keep the spooled copy).
e4bdf652
JH		 3978*/
3979switch (where)
3980{
3981case ACL_WHERE_RCPT:
3982 if( rcpt_count > 1 )
2e5b33cd 3983 cancel_cutthrough_connection("more than one recipient");
e4bdf652
JH		 3984 else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
3985 open_cutthrough_connection(addr);
3986 break;
3987
3988case ACL_WHERE_PREDATA:
3989 if( rc == OK )
3990 cutthrough_predata();
3991 else
2e5b33cd 3992 cancel_cutthrough_connection("predata acl not ok");
e4bdf652
JH		 3993 break;
3994
3995case ACL_WHERE_QUIT:
3996case ACL_WHERE_NOTQUIT:
2e5b33cd 3997 cancel_cutthrough_connection("quit or notquit");
e4bdf652
JH		 3998 break;
3999
4000default:
4001 break;
4002}
4003
64ffc24f
PH		 4004deliver_domain = deliver_localpart = deliver_address_data =
4005 sender_address_data = NULL;
059ec3d9
PH		 4006
4007/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
4008ACL, which is really in the middle of an SMTP command. */
4009
4010if (rc == DISCARD)
4011 {
4012 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
4013 {
4014 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
4015 "ACL", acl_wherenames[where]);
4016 return ERROR;
4017 }
4018 return DISCARD;
4019 }
4020
4021/* A DROP response is not permitted from MAILAUTH */
4022
4023if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
4024 {
4025 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
4026 "ACL", acl_wherenames[where]);
4027 return ERROR;
4028 }
4029
4e88a19f
PH		 4030/* Before giving a response, take a look at the length of any user message, and
4031split it up into multiple lines if possible. */
059ec3d9 4032
e28326d8
PH		 4033*user_msgptr = string_split_message(*user_msgptr);
4034if (fake_response != OK)
4035 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 4036
4037return rc;
4038}
4039
38a0a95f
PH		 4040
4041
4042/*************************************************
4043* Create ACL variable *
4044*************************************************/
4045
4046/* Create an ACL variable or reuse an existing one. ACL variables are in a
4047binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
4048
4049Argument:
4050 name pointer to the variable's name, starting with c or m
4051
4052Returns the pointer to variable's tree node
4053*/
4054
4055tree_node *
4056acl_var_create(uschar *name)
4057{
4058tree_node *node, **root;
4059root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
4060node = tree_search(*root, name);
4061if (node == NULL)
4062 {
4063 node = store_get(sizeof(tree_node) + Ustrlen(name));
4064 Ustrcpy(node->name, name);
4065 (void)tree_insertnode(root, node);
4066 }
4067node->data.ptr = NULL;
4068return node;
4069}
4070
4071
4072
4073/*************************************************
4074* Write an ACL variable in spool format *
4075*************************************************/
4076
4077/* This function is used as a callback for tree_walk when writing variables to
4078the spool file. To retain spool file compatibility, what is written is -aclc or
4079-aclm followed by the rest of the name and the data length, space separated,
4080then the value itself, starting on a new line, and terminated by an additional
4081newline. When we had only numbered ACL variables, the first line might look
4082like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
4083acl_cfoo.
4084
4085Arguments:
4086 name of the variable
4087 value of the variable
4088 ctx FILE pointer (as a void pointer)
4089
4090Returns: nothing
4091*/
4092
4093void
4094acl_var_write(uschar *name, uschar *value, void *ctx)
4095{
4096FILE *f = (FILE *)ctx;
4097fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
4098}
4099
059ec3d9 4100/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.