projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Compile extension "encoded-character" (draft-ietf-sieve-3028bis-12) by default.
[exim.git] / src / src / acl.c
CommitLineData
7353285c 1/* $Cambridge: exim/src/src/acl.c,v 1.79 2007/08/29 13:58:25 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
184e8823 7/* Copyright (c) University of Cambridge 1995 - 2007 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
4e88a19f
PH		 30/* For each verb, the conditions for which "message" or "log_message" are used
31are held as a bitmap. This is to avoid expanding the strings unnecessarily. For
32"accept", the FAIL case is used only after "endpass", but that is selected in
33the code. */
34
35static int msgcond[] = {
36 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* accept */
37 (1<<OK), /* defer */
38 (1<<OK), /* deny */
39 (1<<OK) | (1<<FAIL) | (1<<FAIL_DROP), /* discard */
40 (1<<OK), /* drop */
41 (1<<FAIL) | (1<<FAIL_DROP), /* require */
42 (1<<OK) /* warn */
43 };
059ec3d9
PH		 44
45/* ACL condition and modifier codes - keep in step with the table that
71fafd95
PH		 46follows, and the cond_expand_at_top and uschar cond_modifiers tables lower
47down. */
059ec3d9 48
71fafd95
PH		 49enum { ACLC_ACL,
50 ACLC_ADD_HEADER,
51 ACLC_AUTHENTICATED,
8523533c
TK		 52#ifdef EXPERIMENTAL_BRIGHTMAIL
53 ACLC_BMI_OPTIN,
54#endif
71fafd95 55 ACLC_CONDITION,
c3611384 56 ACLC_CONTINUE,
71fafd95 57 ACLC_CONTROL,
8523533c
TK		 58#ifdef WITH_CONTENT_SCAN
59 ACLC_DECODE,
60#endif
61 ACLC_DELAY,
62#ifdef WITH_OLD_DEMIME
63 ACLC_DEMIME,
fb2274d4
TK		 64#endif
65#ifdef EXPERIMENTAL_DOMAINKEYS
66 ACLC_DK_DOMAIN_SOURCE,
67 ACLC_DK_POLICY,
68 ACLC_DK_SENDER_DOMAINS,
69 ACLC_DK_SENDER_LOCAL_PARTS,
70 ACLC_DK_SENDERS,
71 ACLC_DK_STATUS,
8e669ac1 72#endif
71fafd95
PH		 73 ACLC_DNSLISTS,
74 ACLC_DOMAINS,
75 ACLC_ENCRYPTED,
76 ACLC_ENDPASS,
77 ACLC_HOSTS,
78 ACLC_LOCAL_PARTS,
79 ACLC_LOG_MESSAGE,
6ea85e9a 80 ACLC_LOG_REJECT_TARGET,
71fafd95 81 ACLC_LOGWRITE,
8523533c
TK		 82#ifdef WITH_CONTENT_SCAN
83 ACLC_MALWARE,
84#endif
85 ACLC_MESSAGE,
86#ifdef WITH_CONTENT_SCAN
87 ACLC_MIME_REGEX,
88#endif
870f6ba8 89 ACLC_RATELIMIT,
8523533c
TK		 90 ACLC_RECIPIENTS,
91#ifdef WITH_CONTENT_SCAN
92 ACLC_REGEX,
93#endif
71fafd95
PH		 94 ACLC_SENDER_DOMAINS,
95 ACLC_SENDERS,
96 ACLC_SET,
8523533c 97#ifdef WITH_CONTENT_SCAN
8e669ac1 98 ACLC_SPAM,
8523533c
TK		 99#endif
100#ifdef EXPERIMENTAL_SPF
101 ACLC_SPF,
102#endif
103 ACLC_VERIFY };
059ec3d9 104
c3611384
PH		 105/* ACL conditions/modifiers: "delay", "control", "continue", "endpass",
106"message", "log_message", "log_reject_target", "logwrite", and "set" are
107modifiers that look like conditions but always return TRUE. They are used for
108their side effects. */
059ec3d9 109
9a26b6b2
PH		 110static uschar *conditions[] = {
111 US"acl",
71fafd95 112 US"add_header",
9a26b6b2 113 US"authenticated",
8523533c
TK		 114#ifdef EXPERIMENTAL_BRIGHTMAIL
115 US"bmi_optin",
116#endif
117 US"condition",
c3611384 118 US"continue",
8e669ac1 119 US"control",
8523533c
TK		 120#ifdef WITH_CONTENT_SCAN
121 US"decode",
122#endif
123 US"delay",
124#ifdef WITH_OLD_DEMIME
125 US"demime",
fb2274d4
TK		 126#endif
127#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 128 US"dk_domain_source",
129 US"dk_policy",
130 US"dk_sender_domains",
131 US"dk_sender_local_parts",
132 US"dk_senders",
133 US"dk_status",
8523533c 134#endif
6ea85e9a
PH		 135 US"dnslists",
136 US"domains",
137 US"encrypted",
138 US"endpass",
139 US"hosts",
140 US"local_parts",
141 US"log_message",
142 US"log_reject_target",
143 US"logwrite",
8523533c
TK		 144#ifdef WITH_CONTENT_SCAN
145 US"malware",
146#endif
147 US"message",
148#ifdef WITH_CONTENT_SCAN
149 US"mime_regex",
150#endif
870f6ba8 151 US"ratelimit",
8523533c
TK		 152 US"recipients",
153#ifdef WITH_CONTENT_SCAN
154 US"regex",
155#endif
156 US"sender_domains", US"senders", US"set",
157#ifdef WITH_CONTENT_SCAN
158 US"spam",
159#endif
160#ifdef EXPERIMENTAL_SPF
161 US"spf",
162#endif
059ec3d9 163 US"verify" };
8e669ac1 164
c5fcb476 165
9a26b6b2
PH		 166/* Return values from decode_control(); keep in step with the table of names
167that follows! */
168
169enum {
c46782ef
PH		 170 CONTROL_AUTH_UNADVERTISED,
171 #ifdef EXPERIMENTAL_BRIGHTMAIL
9a26b6b2 172 CONTROL_BMI_RUN,
c46782ef
PH		 173 #endif
174 #ifdef EXPERIMENTAL_DOMAINKEYS
9a26b6b2 175 CONTROL_DK_VERIFY,
c46782ef
PH		 176 #endif
177 CONTROL_ERROR,
178 CONTROL_CASEFUL_LOCAL_PART,
179 CONTROL_CASELOWER_LOCAL_PART,
180 CONTROL_ENFORCE_SYNC,
181 CONTROL_NO_ENFORCE_SYNC,
182 CONTROL_FREEZE,
183 CONTROL_QUEUE_ONLY,
184 CONTROL_SUBMISSION,
185 CONTROL_SUPPRESS_LOCAL_FIXUPS,
186 #ifdef WITH_CONTENT_SCAN
9a26b6b2 187 CONTROL_NO_MBOX_UNSPOOL,
c46782ef
PH		 188 #endif
189 CONTROL_FAKEDEFER,
190 CONTROL_FAKEREJECT,
cf8b11a5 191 CONTROL_NO_MULTILINE,
047bdd8c 192 CONTROL_NO_PIPELINING,
4c590bd1
PH		 193 CONTROL_NO_DELAY_FLUSH,
194 CONTROL_NO_CALLOUT_FLUSH
c46782ef 195};
9a26b6b2 196
8800895a
PH		 197/* ACL control names; keep in step with the table above! This list is used for
198turning ids into names. The actual list of recognized names is in the variable
199control_def controls_list[] below. The fact that there are two lists is a mess
200and should be tidied up. */
9a26b6b2
PH		 201
202static uschar *controls[] = {
c46782ef 203 US"allow_auth_unadvertised",
9a26b6b2
PH		 204 #ifdef EXPERIMENTAL_BRIGHTMAIL
205 US"bmi_run",
206 #endif
207 #ifdef EXPERIMENTAL_DOMAINKEYS
208 US"dk_verify",
209 #endif
c46782ef
PH		 210 US"error",
211 US"caseful_local_part",
212 US"caselower_local_part",
213 US"enforce_sync",
214 US"no_enforce_sync",
215 US"freeze",
216 US"queue_only",
217 US"submission",
218 US"suppress_local_fixups",
9a26b6b2
PH		 219 #ifdef WITH_CONTENT_SCAN
220 US"no_mbox_unspool",
221 #endif
cf8b11a5
PH		 222 US"fakedefer",
223 US"fakereject",
aa6dc513 224 US"no_multiline_responses",
cf8b11a5 225 US"no_pipelining",
4c590bd1
PH		 226 US"no_delay_flush",
227 US"no_callout_flush"
c46782ef 228};
059ec3d9 229
047bdd8c 230/* Flags to indicate for which conditions/modifiers a string expansion is done
059ec3d9
PH		 231at the outer level. In the other cases, expansion already occurs in the
232checking functions. */
233
234static uschar cond_expand_at_top[] = {
235 TRUE, /* acl */
3e536984 236 TRUE, /* add_header */
059ec3d9 237 FALSE, /* authenticated */
8523533c
TK		 238#ifdef EXPERIMENTAL_BRIGHTMAIL
239 TRUE, /* bmi_optin */
8e669ac1 240#endif
059ec3d9 241 TRUE, /* condition */
c3611384 242 TRUE, /* continue */
059ec3d9 243 TRUE, /* control */
8523533c
TK		 244#ifdef WITH_CONTENT_SCAN
245 TRUE, /* decode */
246#endif
059ec3d9 247 TRUE, /* delay */
8523533c
TK		 248#ifdef WITH_OLD_DEMIME
249 TRUE, /* demime */
fb2274d4
TK		 250#endif
251#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 252 TRUE, /* dk_domain_source */
253 TRUE, /* dk_policy */
254 TRUE, /* dk_sender_domains */
e715ad22 255 TRUE, /* dk_sender_local_parts */
7f45268c
PH		 256 TRUE, /* dk_senders */
257 TRUE, /* dk_status */
8523533c 258#endif
059ec3d9
PH		 259 TRUE, /* dnslists */
260 FALSE, /* domains */
261 FALSE, /* encrypted */
262 TRUE, /* endpass */
263 FALSE, /* hosts */
264 FALSE, /* local_parts */
265 TRUE, /* log_message */
6ea85e9a 266 TRUE, /* log_reject_target */
059ec3d9 267 TRUE, /* logwrite */
8523533c
TK		 268#ifdef WITH_CONTENT_SCAN
269 TRUE, /* malware */
270#endif
059ec3d9 271 TRUE, /* message */
8523533c
TK		 272#ifdef WITH_CONTENT_SCAN
273 TRUE, /* mime_regex */
274#endif
870f6ba8 275 TRUE, /* ratelimit */
059ec3d9 276 FALSE, /* recipients */
8523533c
TK		 277#ifdef WITH_CONTENT_SCAN
278 TRUE, /* regex */
279#endif
059ec3d9
PH		 280 FALSE, /* sender_domains */
281 FALSE, /* senders */
282 TRUE, /* set */
8523533c
TK		 283#ifdef WITH_CONTENT_SCAN
284 TRUE, /* spam */
285#endif
286#ifdef EXPERIMENTAL_SPF
287 TRUE, /* spf */
288#endif
059ec3d9
PH		 289 TRUE /* verify */
290};
291
292/* Flags to identify the modifiers */
293
294static uschar cond_modifiers[] = {
295 FALSE, /* acl */
3e536984 296 TRUE, /* add_header */
059ec3d9 297 FALSE, /* authenticated */
8523533c
TK		 298#ifdef EXPERIMENTAL_BRIGHTMAIL
299 TRUE, /* bmi_optin */
8e669ac1 300#endif
059ec3d9 301 FALSE, /* condition */
c3611384 302 TRUE, /* continue */
059ec3d9 303 TRUE, /* control */
8523533c
TK		 304#ifdef WITH_CONTENT_SCAN
305 FALSE, /* decode */
306#endif
059ec3d9 307 TRUE, /* delay */
8523533c
TK		 308#ifdef WITH_OLD_DEMIME
309 FALSE, /* demime */
fb2274d4
TK		 310#endif
311#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH		 312 FALSE, /* dk_domain_source */
313 FALSE, /* dk_policy */
314 FALSE, /* dk_sender_domains */
e715ad22 315 FALSE, /* dk_sender_local_parts */
7f45268c
PH		 316 FALSE, /* dk_senders */
317 FALSE, /* dk_status */
8523533c 318#endif
059ec3d9
PH		 319 FALSE, /* dnslists */
320 FALSE, /* domains */
321 FALSE, /* encrypted */
322 TRUE, /* endpass */
323 FALSE, /* hosts */
324 FALSE, /* local_parts */
325 TRUE, /* log_message */
6ea85e9a 326 TRUE, /* log_reject_target */
8523533c
TK		 327 TRUE, /* logwrite */
328#ifdef WITH_CONTENT_SCAN
329 FALSE, /* malware */
330#endif
059ec3d9 331 TRUE, /* message */
8523533c
TK		 332#ifdef WITH_CONTENT_SCAN
333 FALSE, /* mime_regex */
334#endif
870f6ba8 335 FALSE, /* ratelimit */
059ec3d9 336 FALSE, /* recipients */
8523533c
TK		 337#ifdef WITH_CONTENT_SCAN
338 FALSE, /* regex */
339#endif
059ec3d9
PH		 340 FALSE, /* sender_domains */
341 FALSE, /* senders */
342 TRUE, /* set */
8523533c
TK		 343#ifdef WITH_CONTENT_SCAN
344 FALSE, /* spam */
345#endif
346#ifdef EXPERIMENTAL_SPF
347 FALSE, /* spf */
348#endif
059ec3d9
PH		 349 FALSE /* verify */
350};
351
c3611384 352/* Bit map vector of which conditions and modifiers are not allowed at certain
8f128379
PH		 353times. For each condition and modifier, there's a bitmap of dis-allowed times.
354For some, it is easier to specify the negation of a small number of allowed
355times. */
059ec3d9
PH		 356
357static unsigned int cond_forbids[] = {
358 0, /* acl */
8e669ac1 359
71fafd95 360 (unsigned int)
45b91596 361 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* add_header */
71fafd95 362 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
45b91596
PH		 363 (1<<ACL_WHERE_MIME)|(1<<ACL_WHERE_NOTSMTP)|
364 (1<<ACL_WHERE_NOTSMTP_START)),
71fafd95 365
45b91596
PH		 366 (1<<ACL_WHERE_NOTSMTP)| /* authenticated */
367 (1<<ACL_WHERE_NOTSMTP_START)|
368 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO),
8e669ac1 369
71fafd95 370 #ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 371 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK		 372 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
373 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 374 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK		 375 (1<<ACL_WHERE_MAILAUTH)|
376 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596
PH		 377 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA)|
378 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 379 #endif
8e669ac1 380
059ec3d9 381 0, /* condition */
8e669ac1 382
c3611384
PH		 383 0, /* continue */
384
059ec3d9 385 /* Certain types of control are always allowed, so we let it through
2f079f46 386 always and check in the control processing itself. */
8e669ac1 387
059ec3d9 388 0, /* control */
8e669ac1 389
71fafd95 390 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 391 (unsigned int)
392 ~(1<<ACL_WHERE_MIME), /* decode */
71fafd95 393 #endif
8523533c 394
8f128379 395 (1<<ACL_WHERE_NOTQUIT), /* delay */
8e669ac1 396
71fafd95 397 #ifdef WITH_OLD_DEMIME
2f079f46
PH		 398 (unsigned int)
399 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
71fafd95 400 #endif
8e669ac1 401
71fafd95 402 #ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 403 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK		 404 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
405 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
406 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
407 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
408 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 409 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 410
2f079f46 411 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK		 412 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
413 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
414 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
415 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
416 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 417 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 418
2f079f46 419 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK		 420 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
421 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
422 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
423 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
424 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 425 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 426
2f079f46 427 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK		 428 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
429 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
430 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
431 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
432 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 433 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 434
2f079f46 435 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK		 436 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
437 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
438 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
439 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
440 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 441 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
84330b7b 442
2f079f46 443 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK		 444 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
445 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
446 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
447 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
448 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
45b91596 449 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_NOTSMTP_START),
71fafd95 450 #endif
fb2274d4 451
45b91596
PH		 452 (1<<ACL_WHERE_NOTSMTP)| /* dnslists */
453 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 454
2f079f46
PH		 455 (unsigned int)
456 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9 457
45b91596
PH		 458 (1<<ACL_WHERE_NOTSMTP)| /* encrypted */
459 (1<<ACL_WHERE_CONNECT)|
460 (1<<ACL_WHERE_NOTSMTP_START)|
059ec3d9 461 (1<<ACL_WHERE_HELO),
8e669ac1 462
059ec3d9 463 0, /* endpass */
8e669ac1 464
45b91596
PH		 465 (1<<ACL_WHERE_NOTSMTP)| /* hosts */
466 (1<<ACL_WHERE_NOTSMTP_START),
059ec3d9 467
2f079f46
PH		 468 (unsigned int)
469 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH		 470
471 0, /* log_message */
8e669ac1 472
6ea85e9a
PH		 473 0, /* log_reject_target */
474
059ec3d9 475 0, /* logwrite */
8e669ac1 476
71fafd95 477 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 478 (unsigned int)
479 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
71fafd95 480 #endif
8523533c 481
059ec3d9
PH		 482 0, /* message */
483
71fafd95 484 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 485 (unsigned int)
486 ~(1<<ACL_WHERE_MIME), /* mime_regex */
71fafd95 487 #endif
8523533c 488
870f6ba8
TF		 489 0, /* ratelimit */
490
2f079f46
PH		 491 (unsigned int)
492 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 493
71fafd95 494 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 495 (unsigned int)
496 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
497 (1<<ACL_WHERE_MIME)),
71fafd95 498 #endif
8523533c 499
059ec3d9
PH		 500 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
501 (1<<ACL_WHERE_HELO)|
502 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
503 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
504 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
505
506 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
507 (1<<ACL_WHERE_HELO)|
508 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
509 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
510 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
511
512 0, /* set */
513
71fafd95 514 #ifdef WITH_CONTENT_SCAN
2f079f46
PH		 515 (unsigned int)
516 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
71fafd95 517 #endif
8523533c 518
71fafd95 519 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 520 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
521 (1<<ACL_WHERE_HELO)|
522 (1<<ACL_WHERE_MAILAUTH)|
523 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
45b91596
PH		 524 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY)|
525 (1<<ACL_WHERE_NOTSMTP)|
526 (1<<ACL_WHERE_NOTSMTP_START),
71fafd95 527 #endif
8523533c 528
059ec3d9
PH		 529 /* Certain types of verify are always allowed, so we let it through
530 always and check in the verify function itself */
531
532 0 /* verify */
059ec3d9
PH		 533};
534
535
c5fcb476
PH		 536/* Bit map vector of which controls are not allowed at certain times. For
537each control, there's a bitmap of dis-allowed times. For some, it is easier to
538specify the negation of a small number of allowed times. */
539
540static unsigned int control_forbids[] = {
c46782ef
PH		 541 (unsigned int)
542 ~((1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)), /* allow_auth_unadvertised */
543
544 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c 545 0, /* bmi_run */
c46782ef
PH		 546 #endif
547
548 #ifdef EXPERIMENTAL_DOMAINKEYS
45b91596
PH		 549 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* dk_verify */
550 (1<<ACL_WHERE_NOTSMTP_START),
c46782ef 551 #endif
3e11c26b 552
c5fcb476 553 0, /* error */
8e669ac1
PH		 554
555 (unsigned int)
c5fcb476 556 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH		 557
558 (unsigned int)
c5fcb476 559 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 560
45b91596
PH		 561 (1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
562 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1 563
45b91596
PH		 564 (1<<ACL_WHERE_NOTSMTP)| /* no_enforce_sync */
565 (1<<ACL_WHERE_NOTSMTP_START),
8e669ac1
PH		 566
567 (unsigned int)
c5fcb476
PH		 568 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
569 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 570 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 571
572 (unsigned int)
c5fcb476
PH		 573 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
574 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 575 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH		 576
577 (unsigned int)
c5fcb476 578 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 579 (1<<ACL_WHERE_PREDATA)),
8523533c 580
8800895a
PH		 581 (unsigned int)
582 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* suppress_local_fixups */
45b91596
PH		 583 (1<<ACL_WHERE_PREDATA)|
584 (1<<ACL_WHERE_NOTSMTP_START)),
8800895a 585
c46782ef 586 #ifdef WITH_CONTENT_SCAN
8e669ac1 587 (unsigned int)
14d57970 588 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK		 589 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
590 (1<<ACL_WHERE_MIME)),
c46782ef 591 #endif
a6c4ab60 592
29aba418
TF		 593 (unsigned int)
594 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
595 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
596 (1<<ACL_WHERE_MIME)),
597
8e669ac1 598 (unsigned int)
a6c4ab60 599 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK		 600 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
601 (1<<ACL_WHERE_MIME)),
8523533c 602
45b91596 603 (1<<ACL_WHERE_NOTSMTP)| /* no_multiline */
cf8b11a5
PH		 604 (1<<ACL_WHERE_NOTSMTP_START),
605
606 (1<<ACL_WHERE_NOTSMTP)| /* no_pipelining */
047bdd8c
PH		 607 (1<<ACL_WHERE_NOTSMTP_START),
608
609 (1<<ACL_WHERE_NOTSMTP)| /* no_delay_flush */
4c590bd1
PH		 610 (1<<ACL_WHERE_NOTSMTP_START),
611
612 (1<<ACL_WHERE_NOTSMTP)| /* no_callout_flush */
45b91596 613 (1<<ACL_WHERE_NOTSMTP_START)
c5fcb476
PH		 614};
615
616/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH		 617
618typedef struct control_def {
619 uschar *name;
620 int value; /* CONTROL_xxx value */
059ec3d9
PH		 621 BOOL has_option; /* Has /option(s) following */
622} control_def;
623
624static control_def controls_list[] = {
c46782ef 625 { US"allow_auth_unadvertised", CONTROL_AUTH_UNADVERTISED, FALSE },
8523533c 626#ifdef EXPERIMENTAL_BRIGHTMAIL
c46782ef 627 { US"bmi_run", CONTROL_BMI_RUN, FALSE },
fb2274d4
TK		 628#endif
629#ifdef EXPERIMENTAL_DOMAINKEYS
c46782ef 630 { US"dk_verify", CONTROL_DK_VERIFY, FALSE },
8523533c 631#endif
c46782ef
PH		 632 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
633 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
634 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
635 { US"freeze", CONTROL_FREEZE, TRUE },
4c590bd1 636 { US"no_callout_flush", CONTROL_NO_CALLOUT_FLUSH, FALSE },
047bdd8c 637 { US"no_delay_flush", CONTROL_NO_DELAY_FLUSH, FALSE },
c46782ef
PH		 638 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE },
639 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE },
cf8b11a5 640 { US"no_pipelining", CONTROL_NO_PIPELINING, FALSE },
c46782ef 641 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE },
8523533c 642#ifdef WITH_CONTENT_SCAN
c46782ef 643 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE },
8523533c 644#endif
c46782ef
PH		 645 { US"fakedefer", CONTROL_FAKEDEFER, TRUE },
646 { US"fakereject", CONTROL_FAKEREJECT, TRUE },
647 { US"submission", CONTROL_SUBMISSION, TRUE },
648 { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
059ec3d9
PH		 649 };
650
e5a9dba6
PH		 651/* Support data structures for Client SMTP Authorization. acl_verify_csa()
652caches its result in a tree to avoid repeated DNS queries. The result is an
653integer code which is used as an index into the following tables of
654explanatory strings and verification return codes. */
655
656static tree_node *csa_cache = NULL;
657
658enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
659 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
660
661/* The acl_verify_csa() return code is translated into an acl_verify() return
662code using the following table. It is OK unless the client is definitely not
663authorized. This is because CSA is supposed to be optional for sending sites,
664so recipients should not be too strict about checking it - especially because
665DNS problems are quite likely to occur. It's possible to use $csa_status in
666further ACL conditions to distinguish ok, unknown, and defer if required, but
667the aim is to make the usual configuration simple. */
668
669static int csa_return_code[] = {
670 OK, OK, OK, OK,
671 FAIL, FAIL, FAIL, FAIL
672};
673
674static uschar *csa_status_string[] = {
675 US"unknown", US"ok", US"defer", US"defer",
676 US"fail", US"fail", US"fail", US"fail"
677};
678
679static uschar *csa_reason_string[] = {
680 US"unknown",
681 US"ok",
682 US"deferred (SRV lookup failed)",
683 US"deferred (target address lookup failed)",
684 US"failed (explicit authorization required)",
685 US"failed (host name not authorized)",
686 US"failed (no authorized addresses)",
687 US"failed (client address mismatch)"
688};
689
059ec3d9
PH		 690/* Enable recursion between acl_check_internal() and acl_check_condition() */
691
692static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
693 uschar **);
694
695
696/*************************************************
697* Pick out name from list *
698*************************************************/
699
700/* Use a binary chop method
701
702Arguments:
703 name name to find
704 list list of names
705 end size of list
706
707Returns: offset in list, or -1 if not found
708*/
709
710static int
711acl_checkname(uschar *name, uschar **list, int end)
712{
713int start = 0;
714
715while (start < end)
716 {
717 int mid = (start + end)/2;
718 int c = Ustrcmp(name, list[mid]);
719 if (c == 0) return mid;
720 if (c < 0) end = mid; else start = mid + 1;
721 }
722
723return -1;
724}
725
726
727/*************************************************
728* Read and parse one ACL *
729*************************************************/
730
731/* This function is called both from readconf in order to parse the ACLs in the
732configuration file, and also when an ACL is encountered dynamically (e.g. as
733the result of an expansion). It is given a function to call in order to
734retrieve the lines of the ACL. This function handles skipping comments and
735blank lines (where relevant).
736
737Arguments:
738 func function to get next line of ACL
739 error where to put an error message
740
741Returns: pointer to ACL, or NULL
742 NULL can be legal (empty ACL); in this case error will be NULL
743*/
744
745acl_block *
746acl_read(uschar *(*func)(void), uschar **error)
747{
748acl_block *yield = NULL;
749acl_block **lastp = &yield;
750acl_block *this = NULL;
751acl_condition_block *cond;
752acl_condition_block **condp = NULL;
753uschar *s;
754
755*error = NULL;
756
757while ((s = (*func)()) != NULL)
758 {
759 int v, c;
760 BOOL negated = FALSE;
761 uschar *saveline = s;
762 uschar name[64];
763
764 /* Conditions (but not verbs) are allowed to be negated by an initial
765 exclamation mark. */
766
767 while (isspace(*s)) s++;
768 if (*s == '!')
769 {
770 negated = TRUE;
771 s++;
772 }
773
cf00dad6
PH		 774 /* Read the name of a verb or a condition, or the start of a new ACL, which
775 can be started by a name, or by a macro definition. */
059ec3d9
PH		 776
777 s = readconf_readname(name, sizeof(name), s);
b8dc3e4a 778 if (*s == ':' || (isupper(name[0]) && *s == '=')) return yield;
059ec3d9
PH		 779
780 /* If a verb is unrecognized, it may be another condition or modifier that
781 continues the previous verb. */
782
783 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
784 if (v < 0)
785 {
786 if (this == NULL)
787 {
4e167a8c
PH		 788 *error = string_sprintf("unknown ACL verb \"%s\" in \"%s\"", name,
789 saveline);
059ec3d9
PH		 790 return NULL;
791 }
792 }
793
794 /* New verb */
795
796 else
797 {
798 if (negated)
799 {
800 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
801 return NULL;
802 }
803 this = store_get(sizeof(acl_block));
804 *lastp = this;
805 lastp = &(this->next);
806 this->next = NULL;
807 this->verb = v;
808 this->condition = NULL;
809 condp = &(this->condition);
810 if (*s == 0) continue; /* No condition on this line */
811 if (*s == '!')
812 {
813 negated = TRUE;
814 s++;
815 }
816 s = readconf_readname(name, sizeof(name), s); /* Condition name */
817 }
818
819 /* Handle a condition or modifier. */
820
821 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
822 if (c < 0)
823 {
824 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
825 saveline);
826 return NULL;
827 }
828
829 /* The modifiers may not be negated */
830
831 if (negated && cond_modifiers[c])
832 {
833 *error = string_sprintf("ACL error: negation is not allowed with "
834 "\"%s\"", conditions[c]);
835 return NULL;
836 }
837
838 /* ENDPASS may occur only with ACCEPT or DISCARD. */
839
840 if (c == ACLC_ENDPASS &&
841 this->verb != ACL_ACCEPT &&
842 this->verb != ACL_DISCARD)
843 {
844 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
845 conditions[c], verbs[this->verb]);
846 return NULL;
847 }
848
849 cond = store_get(sizeof(acl_condition_block));
850 cond->next = NULL;
851 cond->type = c;
852 cond->u.negated = negated;
853
854 *condp = cond;
855 condp = &(cond->next);
856
857 /* The "set" modifier is different in that its argument is "name=value"
858 rather than just a value, and we can check the validity of the name, which
38a0a95f
PH		 859 gives us a variable name to insert into the data block. The original ACL
860 variable names were acl_c0 ... acl_c9 and acl_m0 ... acl_m9. This was
861 extended to 20 of each type, but after that people successfully argued for
641cb756
PH		 862 arbitrary names. In the new scheme, the names must start with acl_c or acl_m.
863 After that, we allow alphanumerics and underscores, but the first character
864 after c or m must be a digit or an underscore. This retains backwards
865 compatibility. */
059ec3d9
PH		 866
867 if (c == ACLC_SET)
868 {
47ca6d6c
PH		 869 uschar *endptr;
870
38a0a95f
PH		 871 if (Ustrncmp(s, "acl_c", 5) != 0 &&
872 Ustrncmp(s, "acl_m", 5) != 0)
47ca6d6c 873 {
38a0a95f
PH		 874 *error = string_sprintf("invalid variable name after \"set\" in ACL "
875 "modifier \"set %s\" (must start \"acl_c\" or \"acl_m\")", s);
876 return NULL;
47ca6d6c 877 }
38a0a95f
PH		 878
879 endptr = s + 5;
641cb756
PH		 880 if (!isdigit(*endptr) && *endptr != '_')
881 {
882 *error = string_sprintf("invalid variable name after \"set\" in ACL "
883 "modifier \"set %s\" (digit or underscore must follow acl_c or acl_m)",
884 s);
885 return NULL;
886 }
887
38a0a95f 888 while (*endptr != 0 && *endptr != '=' && !isspace(*endptr))
47ca6d6c 889 {
38a0a95f
PH		 890 if (!isalnum(*endptr) && *endptr != '_')
891 {
892 *error = string_sprintf("invalid character \"%c\" in variable name "
893 "in ACL modifier \"set %s\"", *endptr, s);
894 return NULL;
895 }
896 endptr++;
47ca6d6c 897 }
47ca6d6c 898
38a0a95f 899 cond->u.varname = string_copyn(s + 4, endptr - s - 4);
47ca6d6c 900 s = endptr;
059ec3d9
PH		 901 while (isspace(*s)) s++;
902 }
903
904 /* For "set", we are now positioned for the data. For the others, only
905 "endpass" has no data */
906
907 if (c != ACLC_ENDPASS)
908 {
909 if (*s++ != '=')
910 {
911 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
912 cond_modifiers[c]? US"modifier" : US"condition");
913 return NULL;
914 }
915 while (isspace(*s)) s++;
916 cond->arg = string_copy(s);
917 }
918 }
919
920return yield;
921}
922
923
924
71fafd95
PH		 925/*************************************************
926* Set up added header line(s) *
927*************************************************/
928
929/* This function is called by the add_header modifier, and also from acl_warn()
930to implement the now-deprecated way of adding header lines using "message" on a
931"warn" verb. The argument is treated as a sequence of header lines which are
932added to a chain, provided there isn't an identical one already there.
933
934Argument: string of header lines
935Returns: nothing
936*/
937
938static void
939setup_header(uschar *hstring)
940{
941uschar *p, *q;
942int hlen = Ustrlen(hstring);
943
944/* An empty string does nothing; otherwise add a final newline if necessary. */
945
946if (hlen <= 0) return;
947if (hstring[hlen-1] != '\n') hstring = string_sprintf("%s\n", hstring);
948
949/* Loop for multiple header lines, taking care about continuations */
950
951for (p = q = hstring; *p != 0; )
952 {
953 uschar *s;
954 int newtype = htype_add_bot;
955 header_line **hptr = &acl_added_headers;
956
957 /* Find next header line within the string */
958
959 for (;;)
960 {
961 q = Ustrchr(q, '\n');
962 if (*(++q) != ' ' && *q != '\t') break;
963 }
964
965 /* If the line starts with a colon, interpret the instruction for where to
966 add it. This temporarily sets up a new type. */
967
968 if (*p == ':')
969 {
970 if (strncmpic(p, US":after_received:", 16) == 0)
971 {
972 newtype = htype_add_rec;
973 p += 16;
974 }
975 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
976 {
977 newtype = htype_add_rfc;
978 p += 14;
979 }
980 else if (strncmpic(p, US":at_start:", 10) == 0)
981 {
982 newtype = htype_add_top;
983 p += 10;
984 }
985 else if (strncmpic(p, US":at_end:", 8) == 0)
986 {
987 newtype = htype_add_bot;
988 p += 8;
989 }
990 while (*p == ' ' || *p == '\t') p++;
991 }
992
993 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
994 to the front of it. */
995
996 for (s = p; s < q - 1; s++)
997 {
998 if (*s == ':' || !isgraph(*s)) break;
999 }
1000
1001 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
1002 hlen = Ustrlen(s);
1003
1004 /* See if this line has already been added */
1005
1006 while (*hptr != NULL)
1007 {
1008 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
1009 hptr = &((*hptr)->next);
1010 }
1011
1012 /* Add if not previously present */
1013
1014 if (*hptr == NULL)
1015 {
1016 header_line *h = store_get(sizeof(header_line));
1017 h->text = s;
1018 h->next = NULL;
1019 h->type = newtype;
1020 h->slen = hlen;
1021 *hptr = h;
1022 hptr = &(h->next);
1023 }
1024
1025 /* Advance for next header line within the string */
1026
1027 p = q;
1028 }
1029}
1030
1031
1032
1033
059ec3d9
PH		 1034/*************************************************
1035* Handle warnings *
1036*************************************************/
1037
1038/* This function is called when a WARN verb's conditions are true. It adds to
1039the message's headers, and/or writes information to the log. In each case, this
1040only happens once (per message for headers, per connection for log).
1041
71fafd95
PH		 1042** NOTE: The header adding action using the "message" setting is historic, and
1043its use is now deprecated. The new add_header modifier should be used instead.
1044
059ec3d9
PH		 1045Arguments:
1046 where ACL_WHERE_xxxx indicating which ACL this is
1047 user_message message for adding to headers
1048 log_message message for logging, if different
1049
1050Returns: nothing
1051*/
1052
1053static void
1054acl_warn(int where, uschar *user_message, uschar *log_message)
1055{
059ec3d9
PH		 1056if (log_message != NULL && log_message != user_message)
1057 {
1058 uschar *text;
1059 string_item *logged;
1060
1061 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
1062 string_printing(log_message));
1063
1064 /* If a sender verification has failed, and the log message is "sender verify
1065 failed", add the failure message. */
1066
1067 if (sender_verified_failed != NULL &&
1068 sender_verified_failed->message != NULL &&
1069 strcmpic(log_message, US"sender verify failed") == 0)
1070 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
1071
9c7a242c
PH		 1072 /* Search previously logged warnings. They are kept in malloc
1073 store so they can be freed at the start of a new message. */
059ec3d9
PH		 1074
1075 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
1076 if (Ustrcmp(logged->text, text) == 0) break;
1077
1078 if (logged == NULL)
1079 {
1080 int length = Ustrlen(text) + 1;
1081 log_write(0, LOG_MAIN, "%s", text);
1082 logged = store_malloc(sizeof(string_item) + length);
1083 logged->text = (uschar *)logged + sizeof(string_item);
1084 memcpy(logged->text, text, length);
1085 logged->next = acl_warn_logged;
1086 acl_warn_logged = logged;
1087 }
1088 }
1089
1090/* If there's no user message, we are done. */
1091
1092if (user_message == NULL) return;
1093
1094/* If this isn't a message ACL, we can't do anything with a user message.
1095Log an error. */
1096
1097if (where > ACL_WHERE_NOTSMTP)
1098 {
1099 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
1100 "found in a non-message (%s) ACL: cannot specify header lines here: "
1101 "message ignored", acl_wherenames[where]);
1102 return;
1103 }
1104
71fafd95
PH		 1105/* The code for setting up header lines is now abstracted into a separate
1106function so that it can be used for the add_header modifier as well. */
059ec3d9 1107
71fafd95 1108setup_header(user_message);
059ec3d9
PH		 1109}
1110
1111
1112
1113/*************************************************
1114* Verify and check reverse DNS *
1115*************************************************/
1116
1117/* Called from acl_verify() below. We look up the host name(s) of the client IP
1118address if this has not yet been done. The host_name_lookup() function checks
1119that one of these names resolves to an address list that contains the client IP
1120address, so we don't actually have to do the check here.
1121
1122Arguments:
1123 user_msgptr pointer for user message
1124 log_msgptr pointer for log message
1125
1126Returns: OK verification condition succeeded
1127 FAIL verification failed
1128 DEFER there was a problem verifying
1129*/
1130
1131static int
1132acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
1133{
1134int rc;
1135
1136user_msgptr = user_msgptr; /* stop compiler warning */
1137
1138/* Previous success */
1139
1140if (sender_host_name != NULL) return OK;
1141
1142/* Previous failure */
1143
1144if (host_lookup_failed)
1145 {
1146 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
1147 return FAIL;
1148 }
1149
1150/* Need to do a lookup */
1151
1152HDEBUG(D_acl)
1153 debug_printf("looking up host name to force name/address consistency check\n");
1154
1155if ((rc = host_name_lookup()) != OK)
1156 {
1157 *log_msgptr = (rc == DEFER)?
1158 US"host lookup deferred for reverse lookup check"
1159 :
1160 string_sprintf("host lookup failed for reverse lookup check%s",
1161 host_lookup_msg);
1162 return rc; /* DEFER or FAIL */
1163 }
1164
1165host_build_sender_fullhost();
1166return OK;
1167}
1168
1169
1170
e5a9dba6
PH		 1171/*************************************************
1172* Check client IP address matches CSA target *
1173*************************************************/
1174
1175/* Called from acl_verify_csa() below. This routine scans a section of a DNS
1176response for address records belonging to the CSA target hostname. The section
1177is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
1178If one of the addresses matches the client's IP address, then the client is
1179authorized by CSA. If there are target IP addresses but none of them match
1180then the client is using an unauthorized IP address. If there are no target IP
1181addresses then the client cannot be using an authorized IP address. (This is
1182an odd configuration - why didn't the SRV record have a weight of 1 instead?)
1183
1184Arguments:
1185 dnsa the DNS answer block
1186 dnss a DNS scan block for us to use
1187 reset option specifing what portion to scan, as described above
1188 target the target hostname to use for matching RR names
1189
1190Returns: CSA_OK successfully authorized
1191 CSA_FAIL_MISMATCH addresses found but none matched
1192 CSA_FAIL_NOADDR no target addresses found
1193*/
1194
1195static int
1196acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1197 uschar *target)
1198{
1199dns_record *rr;
1200dns_address *da;
1201
1202BOOL target_found = FALSE;
1203
1204for (rr = dns_next_rr(dnsa, dnss, reset);
1205 rr != NULL;
1206 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1207 {
1208 /* Check this is an address RR for the target hostname. */
1209
1210 if (rr->type != T_A
1211 #if HAVE_IPV6
1212 && rr->type != T_AAAA
1213 #ifdef SUPPORT_A6
1214 && rr->type != T_A6
1215 #endif
1216 #endif
1217 ) continue;
1218
1219 if (strcmpic(target, rr->name) != 0) continue;
1220
1221 target_found = TRUE;
1222
1223 /* Turn the target address RR into a list of textual IP addresses and scan
1224 the list. There may be more than one if it is an A6 RR. */
1225
1226 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1227 {
1228 /* If the client IP address matches the target IP address, it's good! */
1229
1230 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1231
1232 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1233 }
1234 }
1235
1236/* If we found some target addresses but none of them matched, the client is
1237using an unauthorized IP address, otherwise the target has no authorized IP
1238addresses. */
1239
1240if (target_found) return CSA_FAIL_MISMATCH;
1241else return CSA_FAIL_NOADDR;
1242}
1243
1244
1245
1246/*************************************************
1247* Verify Client SMTP Authorization *
1248*************************************************/
1249
1250/* Called from acl_verify() below. This routine calls dns_lookup_special()
1251to find the CSA SRV record corresponding to the domain argument, or
1252$sender_helo_name if no argument is provided. It then checks that the
1253client is authorized, and that its IP address corresponds to the SRV
1254target's address by calling acl_verify_csa_address() above. The address
1255should have been returned in the DNS response's ADDITIONAL section, but if
1256not we perform another DNS lookup to get it.
1257
1258Arguments:
1259 domain pointer to optional parameter following verify = csa
1260
1261Returns: CSA_UNKNOWN no valid CSA record found
1262 CSA_OK successfully authorized
1263 CSA_FAIL_* client is definitely not authorized
1264 CSA_DEFER_* there was a DNS problem
1265*/
1266
1267static int
1268acl_verify_csa(uschar *domain)
1269{
1270tree_node *t;
1271uschar *found, *p;
1272int priority, weight, port;
1273dns_answer dnsa;
1274dns_scan dnss;
1275dns_record *rr;
1276int rc, type;
1277uschar target[256];
1278
1279/* Work out the domain we are using for the CSA lookup. The default is the
1280client's HELO domain. If the client has not said HELO, use its IP address
1281instead. If it's a local client (exim -bs), CSA isn't applicable. */
1282
1283while (isspace(*domain) && *domain != '\0') ++domain;
1284if (*domain == '\0') domain = sender_helo_name;
1285if (domain == NULL) domain = sender_host_address;
1286if (sender_host_address == NULL) return CSA_UNKNOWN;
1287
1288/* If we have an address literal, strip off the framing ready for turning it
1289into a domain. The framing consists of matched square brackets possibly
1290containing a keyword and a colon before the actual IP address. */
1291
1292if (domain[0] == '[')
1293 {
1294 uschar *start = Ustrchr(domain, ':');
1295 if (start == NULL) start = domain;
1296 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1297 }
1298
1299/* Turn domains that look like bare IP addresses into domains in the reverse
1300DNS. This code also deals with address literals and $sender_host_address. It's
1301not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1302address literals, but it's probably the most friendly thing to do. This is an
1303extension to CSA, so we allow it to be turned off for proper conformance. */
1304
7e66e54d 1305if (string_is_ip_address(domain, NULL) != 0)
e5a9dba6
PH		 1306 {
1307 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1308 dns_build_reverse(domain, target);
1309 domain = target;
1310 }
1311
1312/* Find out if we've already done the CSA check for this domain. If we have,
1313return the same result again. Otherwise build a new cached result structure
1314for this domain. The name is filled in now, and the value is filled in when
1315we return from this function. */
1316
1317t = tree_search(csa_cache, domain);
1318if (t != NULL) return t->data.val;
1319
1320t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1321Ustrcpy(t->name, domain);
1322(void)tree_insertnode(&csa_cache, t);
1323
1324/* Now we are ready to do the actual DNS lookup(s). */
1325
28e6ef29 1326found = domain;
e5a9dba6
PH		 1327switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1328 {
1329 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1330
1331 default:
1332 return t->data.val = CSA_DEFER_SRV;
1333
1334 /* If we found nothing, the client's authorization is unknown. */
1335
1336 case DNS_NOMATCH:
1337 case DNS_NODATA:
1338 return t->data.val = CSA_UNKNOWN;
1339
1340 /* We got something! Go on to look at the reply in more detail. */
1341
1342 case DNS_SUCCEED:
1343 break;
1344 }
1345
1346/* Scan the reply for well-formed CSA SRV records. */
1347
1348for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1349 rr != NULL;
1350 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1351 {
1352 if (rr->type != T_SRV) continue;
1353
1354 /* Extract the numerical SRV fields (p is incremented) */
1355
1356 p = rr->data;
1357 GETSHORT(priority, p);
1358 GETSHORT(weight, p);
1359 GETSHORT(port, p);
1360
1361 DEBUG(D_acl)
1362 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1363
1364 /* Check the CSA version number */
1365
1366 if (priority != 1) continue;
1367
1368 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1369 found by dns_special_lookup() is a parent of the one we asked for), we check
1370 the subdomain assertions in the port field. At the moment there's only one
1371 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1372 SRV records of their own. */
1373
1374 if (found != domain)
1375 {
1376 if (port & 1)
1377 return t->data.val = CSA_FAIL_EXPLICIT;
1378 else
1379 return t->data.val = CSA_UNKNOWN;
1380 }
1381
1382 /* This CSA SRV record refers directly to our domain, so we check the value
1383 in the weight field to work out the domain's authorization. 0 and 1 are
1384 unauthorized; 3 means the client is authorized but we can't check the IP
1385 address in order to authenticate it, so we treat it as unknown; values
1386 greater than 3 are undefined. */
1387
1388 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1389
1390 if (weight > 2) continue;
1391
1392 /* Weight == 2, which means the domain is authorized. We must check that the
1393 client's IP address is listed as one of the SRV target addresses. Save the
1394 target hostname then break to scan the additional data for its addresses. */
1395
1396 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1397 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1398
1399 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1400
1401 break;
1402 }
1403
1404/* If we didn't break the loop then no appropriate records were found. */
1405
1406if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1407
1408/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1409A target of "." indicates there are no valid addresses, so the client cannot
1410be authorized. (This is an odd configuration because weight=2 target=. is
1411equivalent to weight=1, but we check for it in order to keep load off the
1412root name servers.) Note that dn_expand() turns "." into "". */
1413
1414if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1415
1416/* Scan the additional section of the CSA SRV reply for addresses belonging
1417to the target. If the name server didn't return any additional data (e.g.
1418because it does not fully support SRV records), we need to do another lookup
1419to obtain the target addresses; otherwise we have a definitive result. */
1420
1421rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1422if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1423
1424/* The DNS lookup type corresponds to the IP version used by the client. */
1425
1426#if HAVE_IPV6
1427if (Ustrchr(sender_host_address, ':') != NULL)
1428 type = T_AAAA;
1429else
1430#endif /* HAVE_IPV6 */
1431 type = T_A;
1432
1433
1434#if HAVE_IPV6 && defined(SUPPORT_A6)
1435DNS_LOOKUP_AGAIN:
1436#endif
1437
1438switch (dns_lookup(&dnsa, target, type, NULL))
1439 {
1440 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1441
1442 default:
1443 return t->data.val = CSA_DEFER_ADDR;
1444
1445 /* If the query succeeded, scan the addresses and return the result. */
1446
1447 case DNS_SUCCEED:
1448 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1449 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1450 /* else fall through */
1451
1452 /* If the target has no IP addresses, the client cannot have an authorized
1453 IP address. However, if the target site uses A6 records (not AAAA records)
1454 we have to do yet another lookup in order to check them. */
1455
1456 case DNS_NOMATCH:
1457 case DNS_NODATA:
1458
1459 #if HAVE_IPV6 && defined(SUPPORT_A6)
1460 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1461 #endif
1462
1463 return t->data.val = CSA_FAIL_NOADDR;
1464 }
1465}
1466
1467
1468
059ec3d9
PH		 1469/*************************************************
1470* Handle verification (address & other) *
1471*************************************************/
1472
1473/* This function implements the "verify" condition. It is called when
1474encountered in any ACL, because some tests are almost always permitted. Some
1475just don't make sense, and always fail (for example, an attempt to test a host
1476lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1477
1478Arguments:
1479 where where called from
1480 addr the recipient address that the ACL is handling, or NULL
1481 arg the argument of "verify"
1482 user_msgptr pointer for user message
1483 log_msgptr pointer for log message
1484 basic_errno where to put verify errno
1485
1486Returns: OK verification condition succeeded
1487 FAIL verification failed
1488 DEFER there was a problem verifying
1489 ERROR syntax error
1490*/
1491
1492static int
1493acl_verify(int where, address_item *addr, uschar *arg,
1494 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1495{
1496int sep = '/';
1497int callout = -1;
1498int callout_overall = -1;
4deaf07d 1499int callout_connect = -1;
059ec3d9
PH		 1500int verify_options = 0;
1501int rc;
1502BOOL verify_header_sender = FALSE;
1503BOOL defer_ok = FALSE;
1504BOOL callout_defer_ok = FALSE;
1505BOOL no_details = FALSE;
eafd343b 1506BOOL success_on_redirect = FALSE;
059ec3d9
PH		 1507address_item *sender_vaddr = NULL;
1508uschar *verify_sender_address = NULL;
1509uschar *pm_mailfrom = NULL;
1510uschar *se_mailfrom = NULL;
596875b3
PH		 1511
1512/* Some of the verify items have slash-separated options; some do not. Diagnose
1513an error if options are given for items that don't expect them. This code has
1514now got very message. Refactoring to use a table would be a good idea one day.
1515*/
1516
1517uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH		 1518uschar *list = arg;
1519uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1520
1521if (ss == NULL) goto BAD_VERIFY;
1522
1523/* Handle name/address consistency verification in a separate function. */
1524
1525if (strcmpic(ss, US"reverse_host_lookup") == 0)
1526 {
596875b3 1527 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1528 if (sender_host_address == NULL) return OK;
1529 return acl_verify_reverse(user_msgptr, log_msgptr);
1530 }
1531
1532/* TLS certificate verification is done at STARTTLS time; here we just
1533test whether it was successful or not. (This is for optional verification; for
1534mandatory verification, the connection doesn't last this long.) */
1535
1536if (strcmpic(ss, US"certificate") == 0)
1537 {
596875b3 1538 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH		 1539 if (tls_certificate_verified) return OK;
1540 *user_msgptr = US"no verified certificate";
1541 return FAIL;
1542 }
1543
d7b47fd0
PH		 1544/* We can test the result of optional HELO verification that might have
1545occurred earlier. If not, we can attempt the verification now. */
059ec3d9 1546
596875b3
PH		 1547if (strcmpic(ss, US"helo") == 0)
1548 {
1549 if (slash != NULL) goto NO_OPTIONS;
0154e85a
TF		 1550 if (!helo_verified && !helo_verify_failed) smtp_verify_helo();
1551 return helo_verified? OK : FAIL;
596875b3 1552 }
059ec3d9 1553
e5a9dba6
PH		 1554/* Do Client SMTP Authorization checks in a separate function, and turn the
1555result code into user-friendly strings. */
1556
1557if (strcmpic(ss, US"csa") == 0)
1558 {
1559 rc = acl_verify_csa(list);
1560 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1561 csa_reason_string[rc]);
1562 csa_status = csa_status_string[rc];
1563 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1564 return csa_return_code[rc];
1565 }
1566
596875b3
PH		 1567/* Check that all relevant header lines have the correct syntax. If there is
1568a syntax error, we return details of the error to the sender if configured to
1569send out full details. (But a "message" setting on the ACL can override, as
1570always). */
059ec3d9 1571
596875b3 1572if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1573 {
596875b3 1574 if (slash != NULL) goto NO_OPTIONS;
1c41c9cc 1575 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3
PH		 1576 rc = verify_check_headers(log_msgptr);
1577 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1578 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1579 return rc;
1580 }
059ec3d9 1581
1c41c9cc
PH		 1582/* Check that no recipient of this message is "blind", that is, every envelope
1583recipient must be mentioned in either To: or Cc:. */
1584
1585if (strcmpic(ss, US"not_blind") == 0)
1586 {
1587 if (slash != NULL) goto NO_OPTIONS;
1588 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
1589 rc = verify_check_notblind();
1590 if (rc != OK)
1591 {
1592 *log_msgptr = string_sprintf("bcc recipient detected");
1593 if (smtp_return_error_details)
1594 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1595 }
1596 return rc;
1597 }
059ec3d9 1598
596875b3
PH		 1599/* The remaining verification tests check recipient and sender addresses,
1600either from the envelope or from the header. There are a number of
1601slash-separated options that are common to all of them. */
059ec3d9 1602
059ec3d9 1603
596875b3
PH		 1604/* Check that there is at least one verifiable sender address in the relevant
1605header lines. This can be followed by callout and defer options, just like
1606sender and recipient. */
059ec3d9 1607
596875b3
PH		 1608if (strcmpic(ss, US"header_sender") == 0)
1609 {
1c41c9cc 1610 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP) goto WRONG_ACL;
596875b3 1611 verify_header_sender = TRUE;
059ec3d9
PH		 1612 }
1613
1614/* Otherwise, first item in verify argument must be "sender" or "recipient".
1615In the case of a sender, this can optionally be followed by an address to use
1616in place of the actual sender (rare special-case requirement). */
1617
1618else if (strncmpic(ss, US"sender", 6) == 0)
1619 {
1620 uschar *s = ss + 6;
1621 if (where > ACL_WHERE_NOTSMTP)
1622 {
1623 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1624 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1625 acl_wherenames[where]);
1626 return ERROR;
1627 }
1628 if (*s == 0)
1629 verify_sender_address = sender_address;
1630 else
1631 {
1632 while (isspace(*s)) s++;
1633 if (*s++ != '=') goto BAD_VERIFY;
1634 while (isspace(*s)) s++;
1635 verify_sender_address = string_copy(s);
1636 }
1637 }
1638else
1639 {
1640 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1641 if (addr == NULL)
1642 {
1643 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1644 "(only possible for RCPT)", acl_wherenames[where]);
1645 return ERROR;
1646 }
1647 }
1648
596875b3
PH		 1649/* Remaining items are optional; they apply to sender and recipient
1650verification, including "header sender" verification. */
059ec3d9
PH		 1651
1652while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1653 != NULL)
1654 {
1655 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1656 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
eafd343b 1657 else if (strcmpic(ss, US"success_on_redirect") == 0) success_on_redirect = TRUE;
059ec3d9
PH		 1658
1659 /* These two old options are left for backwards compatibility */
1660
1661 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1662 {
1663 callout_defer_ok = TRUE;
1664 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1665 }
1666
1667 else if (strcmpic(ss, US"check_postmaster") == 0)
1668 {
1669 pm_mailfrom = US"";
1670 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1671 }
1672
1673 /* The callout option has a number of sub-options, comma separated */
1674
1675 else if (strncmpic(ss, US"callout", 7) == 0)
1676 {
1677 callout = CALLOUT_TIMEOUT_DEFAULT;
1678 ss += 7;
1679 if (*ss != 0)
1680 {
1681 while (isspace(*ss)) ss++;
1682 if (*ss++ == '=')
1683 {
1684 int optsep = ',';
1685 uschar *opt;
1686 uschar buffer[256];
1687 while (isspace(*ss)) ss++;
8e669ac1
PH		 1688
1689 /* This callout option handling code has become a mess as new options
1690 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1691 kind of table-driven thing. */
8e669ac1 1692
059ec3d9
PH		 1693 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1694 != NULL)
1695 {
1696 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1697 else if (strcmpic(opt, US"no_cache") == 0)
1698 verify_options |= vopt_callout_no_cache;
1699 else if (strcmpic(opt, US"random") == 0)
1700 verify_options |= vopt_callout_random;
1701 else if (strcmpic(opt, US"use_sender") == 0)
1702 verify_options |= vopt_callout_recipsender;
1703 else if (strcmpic(opt, US"use_postmaster") == 0)
1704 verify_options |= vopt_callout_recippmaster;
1705 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
2a4be8f9
PH		 1706 else if (strcmpic(opt, US"fullpostmaster") == 0)
1707 {
1708 pm_mailfrom = US"";
1709 verify_options |= vopt_callout_fullpm;
1710 }
059ec3d9
PH		 1711
1712 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1713 {
1714 if (!verify_header_sender)
1715 {
1716 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1717 "callout option only for verify=header_sender (detected in ACL "
1718 "condition \"%s\")", arg);
1719 return ERROR;
1720 }
1721 opt += 8;
1722 while (isspace(*opt)) opt++;
1723 if (*opt++ != '=')
1724 {
1725 *log_msgptr = string_sprintf("'=' expected after "
1726 "\"mailfrom\" in ACL condition \"%s\"", arg);
1727 return ERROR;
1728 }
1729 while (isspace(*opt)) opt++;
1730 se_mailfrom = string_copy(opt);
1731 }
1732
1733 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1734 {
1735 opt += 19;
1736 while (isspace(*opt)) opt++;
1737 if (*opt++ != '=')
1738 {
1739 *log_msgptr = string_sprintf("'=' expected after "
1740 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1741 return ERROR;
1742 }
1743 while (isspace(*opt)) opt++;
1744 pm_mailfrom = string_copy(opt);
1745 }
1746
1747 else if (strncmpic(opt, US"maxwait", 7) == 0)
1748 {
1749 opt += 7;
1750 while (isspace(*opt)) opt++;
1751 if (*opt++ != '=')
1752 {
1753 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1754 "ACL condition \"%s\"", arg);
1755 return ERROR;
1756 }
1757 while (isspace(*opt)) opt++;
1758 callout_overall = readconf_readtime(opt, 0, FALSE);
1759 if (callout_overall < 0)
1760 {
1761 *log_msgptr = string_sprintf("bad time value in ACL condition "
1762 "\"verify %s\"", arg);
1763 return ERROR;
1764 }
1765 }
4deaf07d
PH		 1766 else if (strncmpic(opt, US"connect", 7) == 0)
1767 {
1768 opt += 7;
1769 while (isspace(*opt)) opt++;
1770 if (*opt++ != '=')
1771 {
1772 *log_msgptr = string_sprintf("'=' expected after "
1773 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1774 return ERROR;
1775 }
1776 while (isspace(*opt)) opt++;
1777 callout_connect = readconf_readtime(opt, 0, FALSE);
1778 if (callout_connect < 0)
1779 {
1780 *log_msgptr = string_sprintf("bad time value in ACL condition "
1781 "\"verify %s\"", arg);
1782 return ERROR;
1783 }
1784 }
059ec3d9
PH		 1785 else /* Plain time is callout connect/command timeout */
1786 {
1787 callout = readconf_readtime(opt, 0, FALSE);
1788 if (callout < 0)
1789 {
1790 *log_msgptr = string_sprintf("bad time value in ACL condition "
1791 "\"verify %s\"", arg);
1792 return ERROR;
1793 }
1794 }
1795 }
1796 }
1797 else
1798 {
1799 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1800 "ACL condition \"%s\"", arg);
1801 return ERROR;
1802 }
1803 }
1804 }
1805
1806 /* Option not recognized */
1807
1808 else
1809 {
1810 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1811 "condition \"verify %s\"", ss, arg);
1812 return ERROR;
1813 }
1814 }
1815
1816if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1817 (vopt_callout_recipsender|vopt_callout_recippmaster))
1818 {
1819 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1820 "for a recipient callout";
1821 return ERROR;
1822 }
1823
1824/* Handle sender-in-header verification. Default the user message to the log
1825message if giving out verification details. */
1826
1827if (verify_header_sender)
1828 {
8e669ac1 1829 int verrno;
059ec3d9 1830 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH		 1831 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1832 &verrno);
1833 if (rc != OK)
8e669ac1 1834 {
fe5b5d0b
PH		 1835 *basic_errno = verrno;
1836 if (smtp_return_error_details)
1837 {
1838 if (*user_msgptr == NULL && *log_msgptr != NULL)
1839 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1840 if (rc == DEFER) acl_temp_details = TRUE;
1841 }
8e669ac1 1842 }
059ec3d9
PH		 1843 }
1844
1845/* Handle a sender address. The default is to verify *the* sender address, but
1846optionally a different address can be given, for special requirements. If the
1847address is empty, we are dealing with a bounce message that has no sender, so
1848we cannot do any checking. If the real sender address gets rewritten during
1849verification (e.g. DNS widening), set the flag to stop it being rewritten again
1850during message reception.
1851
1852A list of verified "sender" addresses is kept to try to avoid doing to much
1853work repetitively when there are multiple recipients in a message and they all
1854require sender verification. However, when callouts are involved, it gets too
1855complicated because different recipients may require different callout options.
1856Therefore, we always do a full sender verify when any kind of callout is
1857specified. Caching elsewhere, for instance in the DNS resolver and in the
1858callout handling, should ensure that this is not terribly inefficient. */
1859
1860else if (verify_sender_address != NULL)
1861 {
1862 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1863 != 0)
1864 {
1865 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1866 "sender verify callout";
1867 return ERROR;
1868 }
1869
1870 sender_vaddr = verify_checked_sender(verify_sender_address);
1871 if (sender_vaddr != NULL && /* Previously checked */
1872 callout <= 0) /* No callout needed this time */
1873 {
1874 /* If the "routed" flag is set, it means that routing worked before, so
1875 this check can give OK (the saved return code value, if set, belongs to a
1876 callout that was done previously). If the "routed" flag is not set, routing
1877 must have failed, so we use the saved return code. */
1878
1879 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1880 {
1881 rc = sender_vaddr->special_action;
1882 *basic_errno = sender_vaddr->basic_errno;
1883 }
1884 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1885 }
1886
1887 /* Do a new verification, and cache the result. The cache is used to avoid
1888 verifying the sender multiple times for multiple RCPTs when callouts are not
1889 specified (see comments above).
1890
1891 The cache is also used on failure to give details in response to the first
1892 RCPT that gets bounced for this reason. However, this can be suppressed by
1893 the no_details option, which sets the flag that says "this detail has already
1894 been sent". The cache normally contains just one address, but there may be
1895 more in esoteric circumstances. */
1896
1897 else
1898 {
1899 BOOL routed = TRUE;
2a3eea10 1900 uschar *save_address_data = deliver_address_data;
8e669ac1 1901
059ec3d9
PH		 1902 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1903 if (no_details) setflag(sender_vaddr, af_sverify_told);
1904 if (verify_sender_address[0] != 0)
1905 {
1906 /* If this is the real sender address, save the unrewritten version
1907 for use later in receive. Otherwise, set a flag so that rewriting the
1908 sender in verify_address() does not update sender_address. */
1909
1910 if (verify_sender_address == sender_address)
1911 sender_address_unrewritten = sender_address;
1912 else
1913 verify_options |= vopt_fake_sender;
1914
eafd343b
TK		 1915 if (success_on_redirect)
1916 verify_options |= vopt_success_on_redirect;
1917
059ec3d9
PH		 1918 /* The recipient, qualify, and expn options are never set in
1919 verify_options. */
1920
1921 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1922 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH		 1923
1924 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1925
1926 if (rc == OK)
1927 {
1928 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1929 {
1930 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1931 verify_sender_address, sender_vaddr->address);
1932 }
1933 else
1934 {
1935 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1936 verify_sender_address);
1937 }
1938 }
1939 else *basic_errno = sender_vaddr->basic_errno;
1940 }
1941 else rc = OK; /* Null sender */
1942
1943 /* Cache the result code */
1944
1945 if (routed) setflag(sender_vaddr, af_verify_routed);
1946 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1947 sender_vaddr->special_action = rc;
1948 sender_vaddr->next = sender_verified_list;
1949 sender_verified_list = sender_vaddr;
8e669ac1
PH		 1950
1951 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1952 the sender verification. */
8e669ac1 1953
2a3eea10 1954 deliver_address_data = save_address_data;
059ec3d9 1955 }
8e669ac1 1956
2a3eea10
PH		 1957 /* Put the sender address_data value into $sender_address_data */
1958
8e669ac1 1959 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH		 1960 }
1961
1962/* A recipient address just gets a straightforward verify; again we must handle
1963the DEFER overrides. */
1964
1965else
1966 {
1967 address_item addr2;
1968
eafd343b
TK		 1969 if (success_on_redirect)
1970 verify_options |= vopt_success_on_redirect;
1971
059ec3d9
PH		 1972 /* We must use a copy of the address for verification, because it might
1973 get rewritten. */
1974
1975 addr2 = *addr;
1976 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1977 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1978 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1979
42855d71 1980 *basic_errno = addr2.basic_errno;
059ec3d9 1981 *log_msgptr = addr2.message;
8e669ac1 1982 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1983 addr2.user_message : addr2.message;
42855d71
PH		 1984
1985 /* Allow details for temporary error if the address is so flagged. */
1986 if (testflag((&addr2), af_pass_message)) acl_temp_details = TRUE;
059ec3d9
PH		 1987
1988 /* Make $address_data visible */
1989 deliver_address_data = addr2.p.address_data;
1990 }
1991
1992/* We have a result from the relevant test. Handle defer overrides first. */
1993
1994if (rc == DEFER && (defer_ok ||
1995 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1996 {
1997 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1998 defer_ok? "defer_ok" : "callout_defer_ok");
1999 rc = OK;
2000 }
2001
2002/* If we've failed a sender, set up a recipient message, and point
2003sender_verified_failed to the address item that actually failed. */
2004
2005if (rc != OK && verify_sender_address != NULL)
2006 {
2007 if (rc != DEFER)
2008 {
2009 *log_msgptr = *user_msgptr = US"Sender verify failed";
2010 }
2011 else if (*basic_errno != ERRNO_CALLOUTDEFER)
2012 {
2013 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
2014 }
2015 else
2016 {
2017 *log_msgptr = US"Could not complete sender verify callout";
2018 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
2019 *log_msgptr;
2020 }
2021
2022 sender_verified_failed = sender_vaddr;
2023 }
2024
2025/* Verifying an address messes up the values of $domain and $local_part,
2026so reset them before returning if this is a RCPT ACL. */
2027
2028if (addr != NULL)
2029 {
2030 deliver_domain = addr->domain;
2031 deliver_localpart = addr->local_part;
2032 }
2033return rc;
2034
2035/* Syntax errors in the verify argument come here. */
2036
2037BAD_VERIFY:
2038*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH		 2039 "\"helo\", \"header_syntax\", \"header_sender\" or "
2040 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH		 2041 "\"verify %s\"", arg);
2042return ERROR;
596875b3
PH		 2043
2044/* Options supplied when not allowed come here */
2045
2046NO_OPTIONS:
2047*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
2048 "(this verify item has no options)", arg);
2049return ERROR;
1c41c9cc
PH		 2050
2051/* Calls in the wrong ACL come here */
2052
2053WRONG_ACL:
2054*log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
2055 "(only possible in ACL for DATA)", acl_wherenames[where]);
2056return ERROR;
059ec3d9
PH		 2057}
2058
2059
2060
2061
2062/*************************************************
2063* Check argument for control= modifier *
2064*************************************************/
2065
2066/* Called from acl_check_condition() below
2067
2068Arguments:
2069 arg the argument string for control=
2070 pptr set to point to the terminating character
2071 where which ACL we are in
2072 log_msgptr for error messages
2073
2074Returns: CONTROL_xxx value
2075*/
2076
2077static int
2078decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
2079{
2080int len;
2081control_def *d;
2082
2083for (d = controls_list;
2084 d < controls_list + sizeof(controls_list)/sizeof(control_def);
2085 d++)
2086 {
2087 len = Ustrlen(d->name);
2088 if (Ustrncmp(d->name, arg, len) == 0) break;
2089 }
2090
2091if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
2092 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
2093 {
2094 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2095 return CONTROL_ERROR;
2096 }
2097
059ec3d9
PH		 2098*pptr = arg + len;
2099return d->value;
2100}
2101
2102
2103
870f6ba8
TF		 2104/*************************************************
2105* Handle rate limiting *
2106*************************************************/
2107
2108/* Called by acl_check_condition() below to calculate the result
2109of the ACL ratelimit condition.
2110
2111Note that the return value might be slightly unexpected: if the
2112sender's rate is above the limit then the result is OK. This is
2113similar to the dnslists condition, and is so that you can write
2114ACL clauses like: defer ratelimit = 15 / 1h
2115
2116Arguments:
2117 arg the option string for ratelimit=
90fc3069 2118 where ACL_WHERE_xxxx indicating which ACL this is
870f6ba8
TF		 2119 log_msgptr for error messages
2120
2121Returns: OK - Sender's rate is above limit
2122 FAIL - Sender's rate is below limit
2123 DEFER - Problem opening ratelimit database
2124 ERROR - Syntax error in options.
2125*/
2126
2127static int
90fc3069 2128acl_ratelimit(uschar *arg, int where, uschar **log_msgptr)
870f6ba8
TF		 2129{
2130double limit, period;
8f240103
PH		 2131uschar *ss;
2132uschar *key = NULL;
870f6ba8 2133int sep = '/';
8f240103 2134BOOL leaky = FALSE, strict = FALSE, noupdate = FALSE;
870f6ba8
TF		 2135BOOL per_byte = FALSE, per_cmd = FALSE, per_conn = FALSE, per_mail = FALSE;
2136int old_pool, rc;
2137tree_node **anchor, *t;
2138open_db dbblock, *dbm;
2139dbdata_ratelimit *dbd;
2140struct timeval tv;
2141
2142/* Parse the first two options and record their values in expansion
2143variables. These variables allow the configuration to have informative
2144error messages based on rate limits obtained from a table lookup. */
2145
2146/* First is the maximum number of messages per period and maximum burst
2147size, which must be greater than or equal to zero. Zero is useful for
2148rate measurement as opposed to rate limiting. */
2149
2150sender_rate_limit = string_nextinlist(&arg, &sep, NULL, 0);
2151if (sender_rate_limit == NULL)
2152 limit = -1.0;
2153else
2154 {
2155 limit = Ustrtod(sender_rate_limit, &ss);
2156 if (tolower(*ss) == 'k') { limit *= 1024.0; ss++; }
2157 else if (tolower(*ss) == 'm') { limit *= 1024.0*1024.0; ss++; }
2158 else if (tolower(*ss) == 'g') { limit *= 1024.0*1024.0*1024.0; ss++; }
2159 }
2160if (limit < 0.0 || *ss != 0)
2161 {
2162 *log_msgptr = string_sprintf("syntax error in argument for "
2163 "\"ratelimit\" condition: \"%s\" is not a positive number",
2164 sender_rate_limit);
2165 return ERROR;
2166 }
2167
2168/* Second is the rate measurement period and exponential smoothing time
2169constant. This must be strictly greater than zero, because zero leads to
2170run-time division errors. */
2171
2172sender_rate_period = string_nextinlist(&arg, &sep, NULL, 0);
2173if (sender_rate_period == NULL) period = -1.0;
2174else period = readconf_readtime(sender_rate_period, 0, FALSE);
2175if (period <= 0.0)
2176 {
2177 *log_msgptr = string_sprintf("syntax error in argument for "
2178 "\"ratelimit\" condition: \"%s\" is not a time value",
2179 sender_rate_period);
2180 return ERROR;
2181 }
2182
2183/* Parse the other options. Should we check if the per_* options are being
2184used in ACLs where they don't make sense, e.g. per_mail in the connect ACL? */
2185
2186while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2187 != NULL)
2188 {
2189 if (strcmpic(ss, US"leaky") == 0) leaky = TRUE;
2190 else if (strcmpic(ss, US"strict") == 0) strict = TRUE;
8f240103 2191 else if (strcmpic(ss, US"noupdate") == 0) noupdate = TRUE;
870f6ba8 2192 else if (strcmpic(ss, US"per_byte") == 0) per_byte = TRUE;
8f240103
PH		 2193 else if (strcmpic(ss, US"per_cmd") == 0) per_cmd = TRUE;
2194 else if (strcmpic(ss, US"per_rcpt") == 0) per_cmd = TRUE; /* alias */
870f6ba8
TF		 2195 else if (strcmpic(ss, US"per_conn") == 0) per_conn = TRUE;
2196 else if (strcmpic(ss, US"per_mail") == 0) per_mail = TRUE;
8f240103 2197 else key = string_sprintf("%s", ss);
870f6ba8 2198 }
8f240103 2199
870f6ba8
TF		 2200if (leaky + strict > 1 || per_byte + per_cmd + per_conn + per_mail > 1)
2201 {
2202 *log_msgptr = US"conflicting options for \"ratelimit\" condition";
2203 return ERROR;
2204 }
2205
2206/* Default option values */
8f240103 2207
870f6ba8
TF		 2208if (!strict) leaky = TRUE;
2209if (!per_byte && !per_cmd && !per_conn) per_mail = TRUE;
2210
8f240103
PH		 2211/* Create the lookup key. If there is no explicit key, use sender_host_address.
2212If there is no sender_host_address (e.g. -bs or acl_not_smtp) then we simply
2213omit it. The smoothing constant (sender_rate_period) and the per_xxx options
2214are added to the key because they alter the meaning of the stored data. */
2215
2216if (key == NULL)
2217 key = (sender_host_address == NULL)? US"" : sender_host_address;
870f6ba8 2218
8f240103
PH		 2219key = string_sprintf("%s/%s/%s/%s",
2220 sender_rate_period,
2221 per_byte? US"per_byte" :
2222 per_cmd? US"per_cmd" :
2223 per_mail? US"per_mail" : US"per_conn",
2224 strict? US"strict" : US"leaky",
2225 key);
870f6ba8
TF		 2226
2227HDEBUG(D_acl) debug_printf("ratelimit condition limit=%.0f period=%.0f key=%s\n",
2228 limit, period, key);
2229
8f240103
PH		 2230/* See if we have already computed the rate by looking in the relevant tree.
2231For per-connection rate limiting, store tree nodes and dbdata in the permanent
2232pool so that they survive across resets. */
870f6ba8
TF		 2233
2234anchor = NULL;
2235old_pool = store_pool;
2236
2237if (per_conn)
2238 {
2239 anchor = &ratelimiters_conn;
2240 store_pool = POOL_PERM;
2241 }
fe0dab11 2242else if (per_mail || per_byte)
870f6ba8 2243 anchor = &ratelimiters_mail;
fe0dab11
TF		 2244else if (per_cmd)
2245 anchor = &ratelimiters_cmd;
870f6ba8
TF		 2246
2247if (anchor != NULL && (t = tree_search(*anchor, key)) != NULL)
2248 {
2249 dbd = t->data.ptr;
2250 /* The following few lines duplicate some of the code below. */
8f240103 2251 rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2252 store_pool = old_pool;
2253 sender_rate = string_sprintf("%.1f", dbd->rate);
2254 HDEBUG(D_acl)
2255 debug_printf("ratelimit found pre-computed rate %s\n", sender_rate);
2256 return rc;
2257 }
2258
2259/* We aren't using a pre-computed rate, so get a previously recorded
8f240103
PH		 2260rate from the database, update it, and write it back when required. If there's
2261no previous rate for this key, create one. */
870f6ba8
TF		 2262
2263dbm = dbfn_open(US"ratelimit", O_RDWR, &dbblock, TRUE);
2264if (dbm == NULL)
2265 {
2266 store_pool = old_pool;
2267 sender_rate = NULL;
2268 HDEBUG(D_acl) debug_printf("ratelimit database not available\n");
2269 *log_msgptr = US"ratelimit database not available";
2270 return DEFER;
2271 }
2272dbd = dbfn_read(dbm, key);
2273
2274gettimeofday(&tv, NULL);
2275
2276if (dbd == NULL)
2277 {
2278 HDEBUG(D_acl) debug_printf("ratelimit initializing new key's data\n");
2279 dbd = store_get(sizeof(dbdata_ratelimit));
2280 dbd->time_stamp = tv.tv_sec;
2281 dbd->time_usec = tv.tv_usec;
2282 dbd->rate = 0.0;
2283 }
2284else
2285 {
2286 /* The smoothed rate is computed using an exponentially weighted moving
2287 average adjusted for variable sampling intervals. The standard EWMA for
2288 a fixed sampling interval is: f'(t) = (1 - a) * f(t) + a * f'(t - 1)
2289 where f() is the measured value and f'() is the smoothed value.
2290
2291 Old data decays out of the smoothed value exponentially, such that data n
2292 samples old is multiplied by a^n. The exponential decay time constant p
2293 is defined such that data p samples old is multiplied by 1/e, which means
2294 that a = exp(-1/p). We can maintain the same time constant for a variable
2295 sampling interval i by using a = exp(-i/p).
2296
2297 The rate we are measuring is messages per period, suitable for directly
2298 comparing with the limit. The average rate between now and the previous
2299 message is period / interval, which we feed into the EWMA as the sample.
2300
2301 It turns out that the number of messages required for the smoothed rate
2302 to reach the limit when they are sent in a burst is equal to the limit.
2303 This can be seen by analysing the value of the smoothed rate after N
2304 messages sent at even intervals. Let k = (1 - a) * p/i
2305
2306 rate_1 = (1 - a) * p/i + a * rate_0
2307 = k + a * rate_0
2308 rate_2 = k + a * rate_1
2309 = k + a * k + a^2 * rate_0
2310 rate_3 = k + a * k + a^2 * k + a^3 * rate_0
2311 rate_N = rate_0 * a^N + k * SUM(x=0..N-1)(a^x)
2312 = rate_0 * a^N + k * (1 - a^N) / (1 - a)
2313 = rate_0 * a^N + p/i * (1 - a^N)
2314
2315 When N is large, a^N -> 0 so rate_N -> p/i as desired.
2316
2317 rate_N = p/i + (rate_0 - p/i) * a^N
2318 a^N = (rate_N - p/i) / (rate_0 - p/i)
2319 N * -i/p = log((rate_N - p/i) / (rate_0 - p/i))
2320 N = p/i * log((rate_0 - p/i) / (rate_N - p/i))
2321
2322 Numerical analysis of the above equation, setting the computed rate to
2323 increase from rate_0 = 0 to rate_N = limit, shows that for large sending
2324 rates, p/i, the number of messages N = limit. So limit serves as both the
2325 maximum rate measured in messages per period, and the maximum number of
2326 messages that can be sent in a fast burst. */
2327
2328 double this_time = (double)tv.tv_sec
2329 + (double)tv.tv_usec / 1000000.0;
2330 double prev_time = (double)dbd->time_stamp
2331 + (double)dbd->time_usec / 1000000.0;
870f6ba8
TF		 2332
2333 /* We must avoid division by zero, and deal gracefully with the clock going
2334 backwards. If we blunder ahead when time is in reverse then the computed
e5d5a95f 2335 rate will be bogus. To be safe we clamp interval to a very small number. */
870f6ba8 2336
e5d5a95f
TF		 2337 double interval = this_time - prev_time <= 0.0 ? 1e-9
2338 : this_time - prev_time;
2339
2340 double i_over_p = interval / period;
2341 double a = exp(-i_over_p);
870f6ba8
TF		 2342
2343 dbd->time_stamp = tv.tv_sec;
2344 dbd->time_usec = tv.tv_usec;
2345
2346 /* If we are measuring the rate in bytes per period, multiply the
2347 measured rate by the message size. If we don't know the message size
2348 then it's safe to just use a value of zero and let the recorded rate
2349 decay as if nothing happened. */
2350
2351 if (per_byte)
2352 dbd->rate = (message_size < 0 ? 0.0 : (double)message_size)
2353 * (1 - a) / i_over_p + a * dbd->rate;
90fc3069
TF		 2354 else if (per_cmd && where == ACL_WHERE_NOTSMTP)
2355 dbd->rate = (double)recipients_count
2356 * (1 - a) / i_over_p + a * dbd->rate;
870f6ba8
TF		 2357 else
2358 dbd->rate = (1 - a) / i_over_p + a * dbd->rate;
2359 }
2360
3348576f
TF		 2361/* Clients sending at the limit are considered to be over the limit. This
2362matters for edge cases such the first message sent by a client (which gets
2363the initial rate of 0.0) when the rate limit is zero (i.e. the client should
2364be completely blocked). */
2365
8f240103 2366rc = (dbd->rate < limit)? FAIL : OK;
870f6ba8
TF		 2367
2368/* Update the state if the rate is low or if we are being strict. If we
2369are in leaky mode and the sender's rate is too high, we do not update
2370the recorded rate in order to avoid an over-aggressive sender's retry
8f240103
PH		 2371rate preventing them from getting any email through. If noupdate is set,
2372do not do any updates. */
870f6ba8 2373
8f240103
PH		 2374if ((rc == FAIL || !leaky) && !noupdate)
2375 {
870f6ba8 2376 dbfn_write(dbm, key, dbd, sizeof(dbdata_ratelimit));
8f240103
PH		 2377 HDEBUG(D_acl) debug_printf("ratelimit db updated\n");
2378 }
2379else
2380 {
2381 HDEBUG(D_acl) debug_printf("ratelimit db not updated: %s\n",
2382 noupdate? "noupdate set" : "over the limit, but leaky");
2383 }
2384
870f6ba8
TF		 2385dbfn_close(dbm);
2386
2387/* Store the result in the tree for future reference, if necessary. */
2388
8f240103 2389if (anchor != NULL && !noupdate)
870f6ba8
TF		 2390 {
2391 t = store_get(sizeof(tree_node) + Ustrlen(key));
2392 t->data.ptr = dbd;
2393 Ustrcpy(t->name, key);
2394 (void)tree_insertnode(anchor, t);
2395 }
2396
2397/* We create the formatted version of the sender's rate very late in
2398order to ensure that it is done using the correct storage pool. */
2399
2400store_pool = old_pool;
2401sender_rate = string_sprintf("%.1f", dbd->rate);
2402
2403HDEBUG(D_acl)
2404 debug_printf("ratelimit computed rate %s\n", sender_rate);
2405
2406return rc;
2407}
2408
2409
2410
059ec3d9
PH		 2411/*************************************************
2412* Handle conditions/modifiers on an ACL item *
2413*************************************************/
2414
2415/* Called from acl_check() below.
2416
2417Arguments:
2418 verb ACL verb
2419 cb ACL condition block - if NULL, result is OK
2420 where where called from
2421 addr the address being checked for RCPT, or NULL
2422 level the nesting level
2423 epp pointer to pass back TRUE if "endpass" encountered
2424 (applies only to "accept" and "discard")
2425 user_msgptr user message pointer
2426 log_msgptr log message pointer
2427 basic_errno pointer to where to put verify error
2428
2429Returns: OK - all conditions are met
2430 DISCARD - an "acl" condition returned DISCARD - only allowed
2431 for "accept" or "discard" verbs
2432 FAIL - at least one condition fails
2433 FAIL_DROP - an "acl" condition returned FAIL_DROP
2434 DEFER - can't tell at the moment (typically, lookup defer,
2435 but can be temporary callout problem)
2436 ERROR - ERROR from nested ACL or expansion failure or other
2437 error
2438*/
2439
2440static int
2441acl_check_condition(int verb, acl_condition_block *cb, int where,
2442 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
2443 uschar **log_msgptr, int *basic_errno)
2444{
2445uschar *user_message = NULL;
2446uschar *log_message = NULL;
91ecef39 2447uschar *p = NULL;
059ec3d9 2448int rc = OK;
8523533c
TK		 2449#ifdef WITH_CONTENT_SCAN
2450int sep = '/';
2451#endif
059ec3d9
PH		 2452
2453for (; cb != NULL; cb = cb->next)
2454 {
2455 uschar *arg;
8e669ac1 2456 int control_type;
059ec3d9
PH		 2457
2458 /* The message and log_message items set up messages to be used in
2459 case of rejection. They are expanded later. */
2460
2461 if (cb->type == ACLC_MESSAGE)
2462 {
2463 user_message = cb->arg;
2464 continue;
2465 }
2466
2467 if (cb->type == ACLC_LOG_MESSAGE)
2468 {
2469 log_message = cb->arg;
2470 continue;
2471 }
2472
2473 /* The endpass "condition" just sets a flag to show it occurred. This is
2474 checked at compile time to be on an "accept" or "discard" item. */
2475
2476 if (cb->type == ACLC_ENDPASS)
2477 {
2478 *epp = TRUE;
2479 continue;
2480 }
2481
2482 /* For other conditions and modifiers, the argument is expanded now for some
2483 of them, but not for all, because expansion happens down in some lower level
2484 checking functions in some cases. */
2485
2486 if (cond_expand_at_top[cb->type])
2487 {
2488 arg = expand_string(cb->arg);
2489 if (arg == NULL)
2490 {
2491 if (expand_string_forcedfail) continue;
2492 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
2493 cb->arg, expand_string_message);
2494 return search_find_defer? DEFER : ERROR;
2495 }
2496 }
2497 else arg = cb->arg;
2498
2499 /* Show condition, and expanded condition if it's different */
2500
2501 HDEBUG(D_acl)
2502 {
2503 int lhswidth = 0;
2504 debug_printf("check %s%s %n",
2505 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
2506 conditions[cb->type], &lhswidth);
2507
2508 if (cb->type == ACLC_SET)
2509 {
38a0a95f
PH		 2510 debug_printf("acl_%s ", cb->u.varname);
2511 lhswidth += 5 + Ustrlen(cb->u.varname);
059ec3d9
PH		 2512 }
2513
2514 debug_printf("= %s\n", cb->arg);
2515
2516 if (arg != cb->arg)
2517 debug_printf("%.*s= %s\n", lhswidth,
2518 US" ", CS arg);
2519 }
2520
2521 /* Check that this condition makes sense at this time */
2522
2523 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2524 {
2525 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2526 cond_modifiers[cb->type]? "use" : "test",
2527 conditions[cb->type], acl_wherenames[where]);
2528 return ERROR;
2529 }
2530
2531 /* Run the appropriate test for each condition, or take the appropriate
2532 action for the remaining modifiers. */
2533
2534 switch(cb->type)
2535 {
71fafd95
PH		 2536 case ACLC_ADD_HEADER:
2537 setup_header(arg);
2538 break;
2539
059ec3d9
PH		 2540 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2541 "discard" verb. */
71fafd95 2542
059ec3d9
PH		 2543 case ACLC_ACL:
2544 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2545 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2546 {
2547 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2548 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2549 verbs[verb]);
2550 return ERROR;
2551 }
2552 break;
2553
2554 case ACLC_AUTHENTICATED:
2555 rc = (sender_host_authenticated == NULL)? FAIL :
2556 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2557 TRUE, NULL);
2558 break;
2559
71fafd95 2560 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2561 case ACLC_BMI_OPTIN:
2562 {
2563 int old_pool = store_pool;
2564 store_pool = POOL_PERM;
2565 bmi_current_optin = string_copy(arg);
2566 store_pool = old_pool;
2567 }
2568 break;
71fafd95 2569 #endif
8523533c 2570
059ec3d9
PH		 2571 case ACLC_CONDITION:
2572 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2573 rc = (Uatoi(arg) == 0)? FAIL : OK;
2574 else
2575 rc = (strcmpic(arg, US"no") == 0 ||
2576 strcmpic(arg, US"false") == 0)? FAIL :
2577 (strcmpic(arg, US"yes") == 0 ||
2578 strcmpic(arg, US"true") == 0)? OK : DEFER;
2579 if (rc == DEFER)
2580 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2581 break;
2582
c3611384
PH		 2583 case ACLC_CONTINUE: /* Always succeeds */
2584 break;
2585
059ec3d9 2586 case ACLC_CONTROL:
c5fcb476
PH		 2587 control_type = decode_control(arg, &p, where, log_msgptr);
2588
8523533c 2589 /* Check if this control makes sense at this time */
c5fcb476
PH		 2590
2591 if ((control_forbids[control_type] & (1 << where)) != 0)
2592 {
2593 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2594 controls[control_type], acl_wherenames[where]);
2595 return ERROR;
8e669ac1 2596 }
c5fcb476
PH		 2597
2598 switch(control_type)
059ec3d9 2599 {
c46782ef
PH		 2600 case CONTROL_AUTH_UNADVERTISED:
2601 allow_auth_unadvertised = TRUE;
2602 break;
2603
2604 #ifdef EXPERIMENTAL_BRIGHTMAIL
8523533c
TK		 2605 case CONTROL_BMI_RUN:
2606 bmi_run = 1;
2607 break;
c46782ef
PH		 2608 #endif
2609
2610 #ifdef EXPERIMENTAL_DOMAINKEYS
fb2274d4
TK		 2611 case CONTROL_DK_VERIFY:
2612 dk_do_verify = 1;
2613 break;
c46782ef
PH		 2614 #endif
2615
059ec3d9
PH		 2616 case CONTROL_ERROR:
2617 return ERROR;
2618
2619 case CONTROL_CASEFUL_LOCAL_PART:
2620 deliver_localpart = addr->cc_local_part;
2621 break;
2622
2623 case CONTROL_CASELOWER_LOCAL_PART:
2624 deliver_localpart = addr->lc_local_part;
2625 break;
2626
2627 case CONTROL_ENFORCE_SYNC:
2628 smtp_enforce_sync = TRUE;
2629 break;
2630
2631 case CONTROL_NO_ENFORCE_SYNC:
2632 smtp_enforce_sync = FALSE;
2633 break;
2634
c46782ef 2635 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2636 case CONTROL_NO_MBOX_UNSPOOL:
2637 no_mbox_unspool = TRUE;
2638 break;
c46782ef 2639 #endif
8523533c 2640
059ec3d9
PH		 2641 case CONTROL_NO_MULTILINE:
2642 no_multiline_responses = TRUE;
2643 break;
2644
cf8b11a5
PH		 2645 case CONTROL_NO_PIPELINING:
2646 pipelining_enable = FALSE;
2647 break;
2648
047bdd8c
PH		 2649 case CONTROL_NO_DELAY_FLUSH:
2650 disable_delay_flush = TRUE;
2651 break;
2652
4c590bd1
PH		 2653 case CONTROL_NO_CALLOUT_FLUSH:
2654 disable_callout_flush = TRUE;
2655 break;
2656
29aba418 2657 case CONTROL_FAKEDEFER:
8523533c 2658 case CONTROL_FAKEREJECT:
29aba418 2659 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2660 if (*p == '/')
8e669ac1 2661 {
8523533c 2662 uschar *pp = p + 1;
8e669ac1 2663 while (*pp != 0) pp++;
29aba418 2664 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK		 2665 p = pp;
2666 }
2667 else
2668 {
2669 /* Explicitly reset to default string */
29aba418 2670 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK		 2671 }
2672 break;
8523533c 2673
059ec3d9
PH		 2674 case CONTROL_FREEZE:
2675 deliver_freeze = TRUE;
2676 deliver_frozen_at = time(NULL);
6a3f1455
PH		 2677 freeze_tell = freeze_tell_config; /* Reset to configured value */
2678 if (Ustrncmp(p, "/no_tell", 8) == 0)
2679 {
2680 p += 8;
2681 freeze_tell = NULL;
2682 }
2683 if (*p != 0)
2684 {
2685 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
2686 return ERROR;
2687 }
059ec3d9
PH		 2688 break;
2689
2690 case CONTROL_QUEUE_ONLY:
2691 queue_only_policy = TRUE;
2692 break;
2693
2694 case CONTROL_SUBMISSION:
87ba3f5f 2695 originator_name = US"";
059ec3d9 2696 submission_mode = TRUE;
69358f02 2697 while (*p == '/')
8e669ac1 2698 {
69358f02
PH		 2699 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2700 {
2701 p += 14;
2702 active_local_sender_retain = TRUE;
8e669ac1
PH		 2703 active_local_from_check = FALSE;
2704 }
69358f02
PH		 2705 else if (Ustrncmp(p, "/domain=", 8) == 0)
2706 {
2707 uschar *pp = p + 8;
8e669ac1 2708 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH		 2709 submission_domain = string_copyn(p+8, pp-p-8);
2710 p = pp;
2711 }
8857ccfd
PH		 2712 /* The name= option must be last, because it swallows the rest of
2713 the string. */
87ba3f5f
PH		 2714 else if (Ustrncmp(p, "/name=", 6) == 0)
2715 {
2716 uschar *pp = p + 6;
8857ccfd 2717 while (*pp != 0) pp++;
2fe1a124 2718 submission_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
87ba3f5f 2719 big_buffer, big_buffer_size));
8e669ac1 2720 p = pp;
69358f02 2721 }
8e669ac1
PH		 2722 else break;
2723 }
69358f02 2724 if (*p != 0)
059ec3d9 2725 {
69358f02 2726 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH		 2727 return ERROR;
2728 }
2729 break;
8800895a
PH		 2730
2731 case CONTROL_SUPPRESS_LOCAL_FIXUPS:
2732 suppress_local_fixups = TRUE;
2733 break;
059ec3d9
PH		 2734 }
2735 break;
2736
71fafd95 2737 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2738 case ACLC_DECODE:
2739 rc = mime_decode(&arg);
2740 break;
71fafd95 2741 #endif
8523533c 2742
059ec3d9
PH		 2743 case ACLC_DELAY:
2744 {
2745 int delay = readconf_readtime(arg, 0, FALSE);
2746 if (delay < 0)
2747 {
2748 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2749 "modifier: \"%s\" is not a time value", arg);
2750 return ERROR;
2751 }
2752 else
2753 {
2754 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2755 delay);
2756 if (host_checking)
2757 {
2758 HDEBUG(D_acl)
2759 debug_printf("delay skipped in -bh checking mode\n");
2760 }
010c2d14
PH		 2761
2762 /* It appears to be impossible to detect that a TCP/IP connection has
2763 gone away without reading from it. This means that we cannot shorten
2764 the delay below if the client goes away, because we cannot discover
2765 that the client has closed its end of the connection. (The connection
2766 is actually in a half-closed state, waiting for the server to close its
2767 end.) It would be nice to be able to detect this state, so that the
2768 Exim process is not held up unnecessarily. However, it seems that we
2769 can't. The poll() function does not do the right thing, and in any case
2770 it is not always available.
2771
047bdd8c 2772 NOTE 1: If ever this state of affairs changes, remember that we may be
010c2d14 2773 dealing with stdin/stdout here, in addition to TCP/IP connections.
047bdd8c
PH		 2774 Also, delays may be specified for non-SMTP input, where smtp_out and
2775 smtp_in will be NULL. Whatever is done must work in all cases.
2776
2777 NOTE 2: The added feature of flushing the output before a delay must
2778 apply only to SMTP input. Hence the test for smtp_out being non-NULL.
2779 */
010c2d14 2780
8e669ac1 2781 else
86b8287f 2782 {
14f4a80d 2783 if (smtp_out != NULL && !disable_delay_flush) mac_smtp_fflush();
86b8287f 2784 while (delay > 0) delay = sleep(delay);
8e669ac1 2785 }
059ec3d9
PH		 2786 }
2787 }
2788 break;
2789
71fafd95 2790 #ifdef WITH_OLD_DEMIME
8523533c
TK		 2791 case ACLC_DEMIME:
2792 rc = demime(&arg);
2793 break;
71fafd95 2794 #endif
8523533c 2795
71fafd95
PH		 2796 #ifdef EXPERIMENTAL_DOMAINKEYS
2797 case ACLC_DK_DOMAIN_SOURCE:
fb2274d4
TK		 2798 if (dk_verify_block == NULL) { rc = FAIL; break; };
2799 /* check header source of domain against given string */
2800 switch (dk_verify_block->address_source) {
2801 case DK_EXIM_ADDRESS_FROM_FROM:
2802 rc = match_isinlist(US"from", &arg, 0, NULL,
2803 NULL, MCL_STRING, TRUE, NULL);
2804 break;
2805 case DK_EXIM_ADDRESS_FROM_SENDER:
2806 rc = match_isinlist(US"sender", &arg, 0, NULL,
2807 NULL, MCL_STRING, TRUE, NULL);
2808 break;
2809 case DK_EXIM_ADDRESS_NONE:
2810 rc = match_isinlist(US"none", &arg, 0, NULL,
2811 NULL, MCL_STRING, TRUE, NULL);
2812 break;
71fafd95
PH		 2813 }
2814 break;
2815
2816 case ACLC_DK_POLICY:
fb2274d4
TK		 2817 if (dk_verify_block == NULL) { rc = FAIL; break; };
2818 /* check policy against given string, default FAIL */
2819 rc = FAIL;
2820 if (dk_verify_block->signsall)
2821 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2822 NULL, MCL_STRING, TRUE, NULL);
2823 if (dk_verify_block->testing)
2824 rc = match_isinlist(US"testing", &arg, 0, NULL,
2825 NULL, MCL_STRING, TRUE, NULL);
71fafd95
PH		 2826 break;
2827
2828 case ACLC_DK_SENDER_DOMAINS:
fb2274d4
TK		 2829 if (dk_verify_block == NULL) { rc = FAIL; break; };
2830 if (dk_verify_block->domain != NULL)
2831 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2832 NULL, MCL_DOMAIN, TRUE, NULL);
2833 else rc = FAIL;
71fafd95
PH		 2834 break;
2835
2836 case ACLC_DK_SENDER_LOCAL_PARTS:
fb2274d4
TK		 2837 if (dk_verify_block == NULL) { rc = FAIL; break; };
2838 if (dk_verify_block->local_part != NULL)
2839 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2840 NULL, MCL_LOCALPART, TRUE, NULL);
2841 else rc = FAIL;
71fafd95
PH		 2842 break;
2843
2844 case ACLC_DK_SENDERS:
fb2274d4
TK		 2845 if (dk_verify_block == NULL) { rc = FAIL; break; };
2846 if (dk_verify_block->address != NULL)
2847 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2848 else rc = FAIL;
71fafd95
PH		 2849 break;
2850
2851 case ACLC_DK_STATUS:
fb2274d4
TK		 2852 if (dk_verify_block == NULL) { rc = FAIL; break; };
2853 if (dk_verify_block->result > 0) {
2854 switch(dk_verify_block->result) {
2855 case DK_EXIM_RESULT_BAD_FORMAT:
2856 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2857 NULL, MCL_STRING, TRUE, NULL);
2858 break;
2859 case DK_EXIM_RESULT_NO_KEY:
2860 rc = match_isinlist(US"no key", &arg, 0, NULL,
2861 NULL, MCL_STRING, TRUE, NULL);
2862 break;
2863 case DK_EXIM_RESULT_NO_SIGNATURE:
2864 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2865 NULL, MCL_STRING, TRUE, NULL);
2866 break;
2867 case DK_EXIM_RESULT_REVOKED:
2868 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2869 NULL, MCL_STRING, TRUE, NULL);
2870 break;
2871 case DK_EXIM_RESULT_NON_PARTICIPANT:
2872 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2873 NULL, MCL_STRING, TRUE, NULL);
2874 break;
2875 case DK_EXIM_RESULT_GOOD:
2876 rc = match_isinlist(US"good", &arg, 0, NULL,
2877 NULL, MCL_STRING, TRUE, NULL);
2878 break;
2879 case DK_EXIM_RESULT_BAD:
2880 rc = match_isinlist(US"bad", &arg, 0, NULL,
2881 NULL, MCL_STRING, TRUE, NULL);
2882 break;
71fafd95 2883 }
fb2274d4 2884 }
71fafd95
PH		 2885 break;
2886 #endif
fb2274d4 2887
059ec3d9
PH		 2888 case ACLC_DNSLISTS:
2889 rc = verify_check_dnsbl(&arg);
2890 break;
2891
2892 case ACLC_DOMAINS:
2893 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2894 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2895 break;
2896
2897 /* The value in tls_cipher is the full cipher name, for example,
2898 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2899 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2900 what may in practice come out of the SSL library - which at the time of
2901 writing is poorly documented. */
2902
2903 case ACLC_ENCRYPTED:
2904 if (tls_cipher == NULL) rc = FAIL; else
2905 {
2906 uschar *endcipher = NULL;
2907 uschar *cipher = Ustrchr(tls_cipher, ':');
2908 if (cipher == NULL) cipher = tls_cipher; else
2909 {
2910 endcipher = Ustrchr(++cipher, ':');
2911 if (endcipher != NULL) *endcipher = 0;
2912 }
2913 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2914 if (endcipher != NULL) *endcipher = ':';
2915 }
2916 break;
2917
2918 /* Use verify_check_this_host() instead of verify_check_host() so that
2919 we can pass over &host_data to catch any looked up data. Once it has been
2920 set, it retains its value so that it's still there if another ACL verb
2921 comes through here and uses the cache. However, we must put it into
2922 permanent store in case it is also expected to be used in a subsequent
2923 message in the same SMTP connection. */
2924
2925 case ACLC_HOSTS:
2926 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2927 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2928 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2929 break;
2930
2931 case ACLC_LOCAL_PARTS:
2932 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2933 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2934 &deliver_localpart_data);
2935 break;
2936
6ea85e9a
PH		 2937 case ACLC_LOG_REJECT_TARGET:
2938 {
2939 int logbits = 0;
2940 int sep = 0;
2941 uschar *s = arg;
2942 uschar *ss;
2943 while ((ss = string_nextinlist(&s, &sep, big_buffer, big_buffer_size))
2944 != NULL)
2945 {
2946 if (Ustrcmp(ss, "main") == 0) logbits |= LOG_MAIN;
2947 else if (Ustrcmp(ss, "panic") == 0) logbits |= LOG_PANIC;
2948 else if (Ustrcmp(ss, "reject") == 0) logbits |= LOG_REJECT;
2949 else
2950 {
2951 logbits |= LOG_MAIN|LOG_REJECT;
2952 log_write(0, LOG_MAIN|LOG_PANIC, "unknown log name \"%s\" in "
2953 "\"log_reject_target\" in %s ACL", ss, acl_wherenames[where]);
2954 }
2955 }
2956 log_reject_target = logbits;
2957 }
2958 break;
2959
059ec3d9
PH		 2960 case ACLC_LOGWRITE:
2961 {
2962 int logbits = 0;
2963 uschar *s = arg;
2964 if (*s == ':')
2965 {
2966 s++;
2967 while (*s != ':')
2968 {
2969 if (Ustrncmp(s, "main", 4) == 0)
2970 { logbits |= LOG_MAIN; s += 4; }
2971 else if (Ustrncmp(s, "panic", 5) == 0)
2972 { logbits |= LOG_PANIC; s += 5; }
2973 else if (Ustrncmp(s, "reject", 6) == 0)
2974 { logbits |= LOG_REJECT; s += 6; }
2975 else
2976 {
2977 logbits = LOG_MAIN|LOG_PANIC;
2978 s = string_sprintf(":unknown log name in \"%s\" in "
2979 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2980 }
2981 if (*s == ',') s++;
2982 }
2983 s++;
2984 }
2985 while (isspace(*s)) s++;
6ea85e9a
PH		 2986
2987
059ec3d9
PH		 2988 if (logbits == 0) logbits = LOG_MAIN;
2989 log_write(0, logbits, "%s", string_printing(s));
2990 }
2991 break;
8e669ac1 2992
71fafd95 2993 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 2994 case ACLC_MALWARE:
2995 {
6ea85e9a 2996 /* Separate the regular expression and any optional parameters. */
8523533c
TK		 2997 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2998 /* Run the malware backend. */
2999 rc = malware(&ss);
3000 /* Modify return code based upon the existance of options. */
3001 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3002 != NULL) {
3003 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3004 {
3005 /* FAIL so that the message is passed to the next ACL */
3006 rc = FAIL;
3007 }
3008 }
3009 }
3010 break;
3011
3012 case ACLC_MIME_REGEX:
71fafd95 3013 rc = mime_regex(&arg);
8523533c 3014 break;
71fafd95 3015 #endif
059ec3d9 3016
870f6ba8 3017 case ACLC_RATELIMIT:
90fc3069 3018 rc = acl_ratelimit(arg, where, log_msgptr);
870f6ba8
TF		 3019 break;
3020
059ec3d9
PH		 3021 case ACLC_RECIPIENTS:
3022 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
3023 &recipient_data);
3024 break;
3025
71fafd95
PH		 3026 #ifdef WITH_CONTENT_SCAN
3027 case ACLC_REGEX:
3028 rc = regex(&arg);
8523533c 3029 break;
71fafd95 3030 #endif
8523533c 3031
059ec3d9
PH		 3032 case ACLC_SENDER_DOMAINS:
3033 {
3034 uschar *sdomain;
3035 sdomain = Ustrrchr(sender_address, '@');
3036 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
3037 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
3038 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
3039 }
3040 break;
3041
3042 case ACLC_SENDERS:
3043 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
3044 sender_address_cache, -1, 0, &sender_data);
3045 break;
3046
3047 /* Connection variables must persist forever */
3048
3049 case ACLC_SET:
3050 {
3051 int old_pool = store_pool;
38a0a95f
PH		 3052 if (cb->u.varname[0] == 'c') store_pool = POOL_PERM;
3053 acl_var_create(cb->u.varname)->data.ptr = string_copy(arg);
059ec3d9
PH		 3054 store_pool = old_pool;
3055 }
3056 break;
3057
71fafd95 3058 #ifdef WITH_CONTENT_SCAN
8523533c
TK		 3059 case ACLC_SPAM:
3060 {
3061 /* Seperate the regular expression and any optional parameters. */
3062 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
3063 /* Run the spam backend. */
3064 rc = spam(&ss);
3065 /* Modify return code based upon the existance of options. */
3066 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
3067 != NULL) {
3068 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
3069 {
3070 /* FAIL so that the message is passed to the next ACL */
3071 rc = FAIL;
3072 }
3073 }
3074 }
3075 break;
71fafd95 3076 #endif
8523533c 3077
71fafd95 3078 #ifdef EXPERIMENTAL_SPF
8523533c
TK		 3079 case ACLC_SPF:
3080 rc = spf_process(&arg, sender_address);
3081 break;
71fafd95 3082 #endif
8523533c 3083
059ec3d9
PH		 3084 /* If the verb is WARN, discard any user message from verification, because
3085 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH		 3086 only from explicit "message" modifiers. However, put the user message into
3087 $acl_verify_message so it can be used in subsequent conditions or modifiers
3088 (until something changes it). */
059ec3d9
PH		 3089
3090 case ACLC_VERIFY:
3091 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 3092 acl_verify_message = *user_msgptr;
059ec3d9
PH		 3093 if (verb == ACL_WARN) *user_msgptr = NULL;
3094 break;
3095
3096 default:
3097 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
3098 "condition %d", cb->type);
3099 break;
3100 }
3101
3102 /* If a condition was negated, invert OK/FAIL. */
3103
3104 if (!cond_modifiers[cb->type] && cb->u.negated)
3105 {
3106 if (rc == OK) rc = FAIL;
3107 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
3108 }
3109
3110 if (rc != OK) break; /* Conditions loop */
3111 }
3112
3113
3114/* If the result is the one for which "message" and/or "log_message" are used,
4e88a19f
PH		 3115handle the values of these modifiers. If there isn't a log message set, we make
3116it the same as the user message.
059ec3d9
PH		 3117
3118"message" is a user message that will be included in an SMTP response. Unless
3119it is empty, it overrides any previously set user message.
3120
3121"log_message" is a non-user message, and it adds to any existing non-user
3122message that is already set.
3123
4e88a19f
PH		 3124Most verbs have but a single return for which the messages are relevant, but
3125for "discard", it's useful to have the log message both when it succeeds and
3126when it fails. For "accept", the message is used in the OK case if there is no
3127"endpass", but (for backwards compatibility) in the FAIL case if "endpass" is
3128present. */
059ec3d9 3129
4e88a19f
PH		 3130if (*epp && rc == OK) user_message = NULL;
3131
3132if (((1<<rc) & msgcond[verb]) != 0)
059ec3d9
PH		 3133 {
3134 uschar *expmessage;
4e88a19f
PH		 3135 uschar *old_user_msgptr = *user_msgptr;
3136 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
059ec3d9
PH		 3137
3138 /* If the verb is "warn", messages generated by conditions (verification or
4e88a19f
PH		 3139 nested ACLs) are always discarded. This also happens for acceptance verbs
3140 when they actually do accept. Only messages specified at this level are used.
059ec3d9
PH		 3141 However, the value of an existing message is available in $acl_verify_message
3142 during expansions. */
3143
4e88a19f
PH		 3144 if (verb == ACL_WARN ||
3145 (rc == OK && (verb == ACL_ACCEPT || verb == ACL_DISCARD)))
3146 *log_msgptr = *user_msgptr = NULL;
059ec3d9
PH		 3147
3148 if (user_message != NULL)
3149 {
3150 acl_verify_message = old_user_msgptr;
3151 expmessage = expand_string(user_message);
3152 if (expmessage == NULL)
3153 {
3154 if (!expand_string_forcedfail)
3155 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3156 user_message, expand_string_message);
3157 }
3158 else if (expmessage[0] != 0) *user_msgptr = expmessage;
3159 }
3160
3161 if (log_message != NULL)
3162 {
3163 acl_verify_message = old_log_msgptr;
3164 expmessage = expand_string(log_message);
3165 if (expmessage == NULL)
3166 {
3167 if (!expand_string_forcedfail)
3168 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
3169 log_message, expand_string_message);
3170 }
3171 else if (expmessage[0] != 0)
3172 {
3173 *log_msgptr = (*log_msgptr == NULL)? expmessage :
3174 string_sprintf("%s: %s", expmessage, *log_msgptr);
3175 }
3176 }
3177
3178 /* If no log message, default it to the user message */
3179
3180 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
3181 }
3182
3183acl_verify_message = NULL;
3184return rc;
3185}
3186
3187
3188
3189
3190
3191/*************************************************
3192* Get line from a literal ACL *
3193*************************************************/
3194
3195/* This function is passed to acl_read() in order to extract individual lines
3196of a literal ACL, which we access via static pointers. We can destroy the
3197contents because this is called only once (the compiled ACL is remembered).
3198
3199This code is intended to treat the data in the same way as lines in the main
3200Exim configuration file. That is:
3201
3202 . Leading spaces are ignored.
3203
3204 . A \ at the end of a line is a continuation - trailing spaces after the \
3205 are permitted (this is because I don't believe in making invisible things
3206 significant). Leading spaces on the continued part of a line are ignored.
3207
3208 . Physical lines starting (significantly) with # are totally ignored, and
3209 may appear within a sequence of backslash-continued lines.
3210
3211 . Blank lines are ignored, but will end a sequence of continuations.
3212
3213Arguments: none
3214Returns: a pointer to the next line
3215*/
3216
3217
3218static uschar *acl_text; /* Current pointer in the text */
3219static uschar *acl_text_end; /* Points one past the terminating '0' */
3220
3221
3222static uschar *
3223acl_getline(void)
3224{
3225uschar *yield;
3226
3227/* This loop handles leading blank lines and comments. */
3228
3229for(;;)
3230 {
3231 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
3232 if (*acl_text == 0) return NULL; /* No more data */
3233 yield = acl_text; /* Potential data line */
3234
3235 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3236
3237 /* If we hit the end before a newline, we have the whole logical line. If
3238 it's a comment, there's no more data to be given. Otherwise, yield it. */
3239
3240 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
3241
3242 /* After reaching a newline, end this loop if the physical line does not
3243 start with '#'. If it does, it's a comment, and the loop continues. */
3244
3245 if (*yield != '#') break;
3246 }
3247
3248/* This loop handles continuations. We know we have some real data, ending in
3249newline. See if there is a continuation marker at the end (ignoring trailing
3250white space). We know that *yield is not white space, so no need to test for
3251cont > yield in the backwards scanning loop. */
3252
3253for(;;)
3254 {
3255 uschar *cont;
3256 for (cont = acl_text - 1; isspace(*cont); cont--);
3257
3258 /* If no continuation follows, we are done. Mark the end of the line and
3259 return it. */
3260
3261 if (*cont != '\\')
3262 {
3263 *acl_text++ = 0;
3264 return yield;
3265 }
3266
3267 /* We have encountered a continuation. Skip over whitespace at the start of
3268 the next line, and indeed the whole of the next line or lines if they are
3269 comment lines. */
3270
3271 for (;;)
3272 {
3273 while (*(++acl_text) == ' ' || *acl_text == '\t');
3274 if (*acl_text != '#') break;
3275 while (*(++acl_text) != 0 && *acl_text != '\n');
3276 }
3277
3278 /* We have the start of a continuation line. Move all the rest of the data
3279 to join onto the previous line, and then find its end. If the end is not a
3280 newline, we are done. Otherwise loop to look for another continuation. */
3281
3282 memmove(cont, acl_text, acl_text_end - acl_text);
3283 acl_text_end -= acl_text - cont;
3284 acl_text = cont;
3285 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
3286 if (*acl_text == 0) return yield;
3287 }
3288
3289/* Control does not reach here */
3290}
3291
3292
3293
3294
3295
3296/*************************************************
3297* Check access using an ACL *
3298*************************************************/
3299
3300/* This function is called from address_check. It may recurse via
3301acl_check_condition() - hence the use of a level to stop looping. The ACL is
3302passed as a string which is expanded. A forced failure implies no access check
3303is required. If the result is a single word, it is taken as the name of an ACL
3304which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
3305text, complete with newlines, and parsed as such. In both cases, the ACL check
3306is then run. This function uses an auxiliary function for acl_read() to call
3307for reading individual lines of a literal ACL. This is acl_getline(), which
3308appears immediately above.
3309
3310Arguments:
3311 where where called from
3312 addr address item when called from RCPT; otherwise NULL
3313 s the input string; NULL is the same as an empty ACL => DENY
3314 level the nesting level
3315 user_msgptr where to put a user error (for SMTP response)
3316 log_msgptr where to put a logging message (not for SMTP response)
3317
3318Returns: OK access is granted
3319 DISCARD access is apparently granted...
3320 FAIL access is denied
3321 FAIL_DROP access is denied; drop the connection
3322 DEFER can't tell at the moment
3323 ERROR disaster
3324*/
3325
3326static int
3327acl_check_internal(int where, address_item *addr, uschar *s, int level,
3328 uschar **user_msgptr, uschar **log_msgptr)
3329{
3330int fd = -1;
3331acl_block *acl = NULL;
3332uschar *acl_name = US"inline ACL";
3333uschar *ss;
3334
3335/* Catch configuration loops */
3336
3337if (level > 20)
3338 {
3339 *log_msgptr = US"ACL nested too deep: possible loop";
3340 return ERROR;
3341 }
3342
3343if (s == NULL)
3344 {
3345 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
3346 return FAIL;
3347 }
3348
3349/* At top level, we expand the incoming string. At lower levels, it has already
3350been expanded as part of condition processing. */
3351
3352if (level == 0)
3353 {
3354 ss = expand_string(s);
3355 if (ss == NULL)
3356 {
3357 if (expand_string_forcedfail) return OK;
3358 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
3359 expand_string_message);
3360 return ERROR;
3361 }
3362 }
3363else ss = s;
3364
3365while (isspace(*ss))ss++;
3366
3367/* If we can't find a named ACL, the default is to parse it as an inline one.
3368(Unless it begins with a slash; non-existent files give rise to an error.) */
3369
3370acl_text = ss;
3371
3372/* Handle the case of a string that does not contain any spaces. Look for a
3373named ACL among those read from the configuration, or a previously read file.
3374It is possible that the pointer to the ACL is NULL if the configuration
3375contains a name with no data. If not found, and the text begins with '/',
3376read an ACL from a file, and save it so it can be re-used. */
3377
3378if (Ustrchr(ss, ' ') == NULL)
3379 {
3380 tree_node *t = tree_search(acl_anchor, ss);
3381 if (t != NULL)
3382 {
3383 acl = (acl_block *)(t->data.ptr);
3384 if (acl == NULL)
3385 {
3386 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
3387 return FAIL;
3388 }
3389 acl_name = string_sprintf("ACL \"%s\"", ss);
3390 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
3391 }
3392
3393 else if (*ss == '/')
3394 {
3395 struct stat statbuf;
3396 fd = Uopen(ss, O_RDONLY, 0);
3397 if (fd < 0)
3398 {
3399 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
3400 strerror(errno));
3401 return ERROR;
3402 }
3403
3404 if (fstat(fd, &statbuf) != 0)
3405 {
3406 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
3407 strerror(errno));
3408 return ERROR;
3409 }
3410
3411 acl_text = store_get(statbuf.st_size + 1);
3412 acl_text_end = acl_text + statbuf.st_size + 1;
3413
3414 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
3415 {
3416 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
3417 ss, strerror(errno));
3418 return ERROR;
3419 }
3420 acl_text[statbuf.st_size] = 0;
f1e894f3 3421 (void)close(fd);
059ec3d9
PH		 3422
3423 acl_name = string_sprintf("ACL \"%s\"", ss);
3424 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
3425 }
3426 }
3427
3428/* Parse an ACL that is still in text form. If it came from a file, remember it
3429in the ACL tree, having read it into the POOL_PERM store pool so that it
3430persists between multiple messages. */
3431
3432if (acl == NULL)
3433 {
3434 int old_pool = store_pool;
3435 if (fd >= 0) store_pool = POOL_PERM;
3436 acl = acl_read(acl_getline, log_msgptr);
3437 store_pool = old_pool;
3438 if (acl == NULL && *log_msgptr != NULL) return ERROR;
3439 if (fd >= 0)
3440 {
3441 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
3442 Ustrcpy(t->name, ss);
3443 t->data.ptr = acl;
3444 (void)tree_insertnode(&acl_anchor, t);
3445 }
3446 }
3447
3448/* Now we have an ACL to use. It's possible it may be NULL. */
3449
3450while (acl != NULL)
3451 {
3452 int cond;
3453 int basic_errno = 0;
3454 BOOL endpass_seen = FALSE;
3455
3456 *log_msgptr = *user_msgptr = NULL;
3457 acl_temp_details = FALSE;
3458
7353285c 3459 if ((where == ACL_WHERE_QUIT || where == ACL_WHERE_NOTQUIT) &&
059ec3d9
PH		 3460 acl->verb != ACL_ACCEPT &&
3461 acl->verb != ACL_WARN)
3462 {
7353285c 3463 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT or not-QUIT ACL",
059ec3d9
PH		 3464 verbs[acl->verb]);
3465 return ERROR;
3466 }
3467
3468 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
3469
3470 /* Clear out any search error message from a previous check before testing
3471 this condition. */
3472
3473 search_error_message = NULL;
3474 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
3475 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
3476
3477 /* Handle special returns: DEFER causes a return except on a WARN verb;
3478 ERROR always causes a return. */
3479
3480 switch (cond)
3481 {
3482 case DEFER:
3483 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
3484 if (basic_errno != ERRNO_CALLOUTDEFER)
3485 {
3486 if (search_error_message != NULL && *search_error_message != 0)
3487 *log_msgptr = search_error_message;
3488 if (smtp_return_error_details) acl_temp_details = TRUE;
3489 }
3490 else
3491 {
3492 acl_temp_details = TRUE;
3493 }
3494 if (acl->verb != ACL_WARN) return DEFER;
3495 break;
3496
3497 default: /* Paranoia */
3498 case ERROR:
3499 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
3500 return ERROR;
3501
3502 case OK:
3503 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
3504 verbs[acl->verb]);
3505 break;
3506
3507 case FAIL:
3508 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
3509 break;
3510
3511 /* DISCARD and DROP can happen only from a nested ACL condition, and
3512 DISCARD can happen only for an "accept" or "discard" verb. */
3513
3514 case DISCARD:
3515 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
3516 verbs[acl->verb]);
3517 break;
3518
3519 case FAIL_DROP:
3520 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
3521 verbs[acl->verb]);
3522 break;
3523 }
3524
3525 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
3526 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
3527 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
3528
3529 switch(acl->verb)
3530 {
3531 case ACL_ACCEPT:
3532 if (cond == OK || cond == DISCARD) return cond;
3533 if (endpass_seen)
3534 {
3535 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
3536 return cond;
3537 }
3538 break;
3539
3540 case ACL_DEFER:
3541 if (cond == OK)
3542 {
3543 acl_temp_details = TRUE;
3544 return DEFER;
3545 }
3546 break;
3547
3548 case ACL_DENY:
3549 if (cond == OK) return FAIL;
3550 break;
3551
3552 case ACL_DISCARD:
3553 if (cond == OK || cond == DISCARD) return DISCARD;
3554 if (endpass_seen)
3555 {
3556 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
3557 return cond;
3558 }
3559 break;
3560
3561 case ACL_DROP:
3562 if (cond == OK) return FAIL_DROP;
3563 break;
3564
3565 case ACL_REQUIRE:
3566 if (cond != OK) return cond;
3567 break;
3568
3569 case ACL_WARN:
3570 if (cond == OK)
3571 acl_warn(where, *user_msgptr, *log_msgptr);
49826d12 3572 else if (cond == DEFER && (log_extra_selector & LX_acl_warn_skipped) != 0)
9c7a242c
PH		 3573 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
3574 "condition test deferred%s%s", host_and_ident(TRUE),
3575 (*log_msgptr == NULL)? US"" : US": ",
3576 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH		 3577 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
3578 break;
3579
3580 default:
3581 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
3582 acl->verb);
3583 break;
3584 }
3585
3586 /* Pass to the next ACL item */
3587
3588 acl = acl->next;
3589 }
3590
3591/* We have reached the end of the ACL. This is an implicit DENY. */
3592
3593HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
3594return FAIL;
3595}
3596
3597
3598/*************************************************
3599* Check access using an ACL *
3600*************************************************/
3601
3602/* This is the external interface for ACL checks. It sets up an address and the
3603expansions for $domain and $local_part when called after RCPT, then calls
3604acl_check_internal() to do the actual work.
3605
3606Arguments:
3607 where ACL_WHERE_xxxx indicating where called from
64ffc24f 3608 recipient RCPT address for RCPT check, else NULL
059ec3d9
PH		 3609 s the input string; NULL is the same as an empty ACL => DENY
3610 user_msgptr where to put a user error (for SMTP response)
3611 log_msgptr where to put a logging message (not for SMTP response)
3612
3613Returns: OK access is granted by an ACCEPT verb
3614 DISCARD access is granted by a DISCARD verb
3615 FAIL access is denied
3616 FAIL_DROP access is denied; drop the connection
3617 DEFER can't tell at the moment
3618 ERROR disaster
3619*/
3620
3621int
64ffc24f 3622acl_check(int where, uschar *recipient, uschar *s, uschar **user_msgptr,
059ec3d9
PH		 3623 uschar **log_msgptr)
3624{
3625int rc;
3626address_item adb;
64ffc24f 3627address_item *addr = NULL;
059ec3d9
PH		 3628
3629*user_msgptr = *log_msgptr = NULL;
3630sender_verified_failed = NULL;
fe0dab11 3631ratelimiters_cmd = NULL;
6ea85e9a 3632log_reject_target = LOG_MAIN|LOG_REJECT;
059ec3d9
PH		 3633
3634if (where == ACL_WHERE_RCPT)
3635 {
3636 adb = address_defaults;
3637 addr = &adb;
64ffc24f 3638 addr->address = recipient;
059ec3d9
PH		 3639 if (deliver_split_address(addr) == DEFER)
3640 {
3641 *log_msgptr = US"defer in percent_hack_domains check";
3642 return DEFER;
3643 }
3644 deliver_domain = addr->domain;
3645 deliver_localpart = addr->local_part;
3646 }
059ec3d9
PH		 3647
3648rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3649
64ffc24f
PH		 3650deliver_domain = deliver_localpart = deliver_address_data =
3651 sender_address_data = NULL;
059ec3d9
PH		 3652
3653/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3654ACL, which is really in the middle of an SMTP command. */
3655
3656if (rc == DISCARD)
3657 {
3658 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3659 {
3660 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3661 "ACL", acl_wherenames[where]);
3662 return ERROR;
3663 }
3664 return DISCARD;
3665 }
3666
3667/* A DROP response is not permitted from MAILAUTH */
3668
3669if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3670 {
3671 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3672 "ACL", acl_wherenames[where]);
3673 return ERROR;
3674 }
3675
4e88a19f
PH		 3676/* Before giving a response, take a look at the length of any user message, and
3677split it up into multiple lines if possible. */
059ec3d9 3678
e28326d8
PH		 3679*user_msgptr = string_split_message(*user_msgptr);
3680if (fake_response != OK)
3681 fake_response_text = string_split_message(fake_response_text);
059ec3d9
PH		 3682
3683return rc;
3684}
3685
38a0a95f
PH		 3686
3687
3688/*************************************************
3689* Create ACL variable *
3690*************************************************/
3691
3692/* Create an ACL variable or reuse an existing one. ACL variables are in a
3693binary tree (see tree.c) with acl_var_c and acl_var_m as root nodes.
3694
3695Argument:
3696 name pointer to the variable's name, starting with c or m
3697
3698Returns the pointer to variable's tree node
3699*/
3700
3701tree_node *
3702acl_var_create(uschar *name)
3703{
3704tree_node *node, **root;
3705root = (name[0] == 'c')? &acl_var_c : &acl_var_m;
3706node = tree_search(*root, name);
3707if (node == NULL)
3708 {
3709 node = store_get(sizeof(tree_node) + Ustrlen(name));
3710 Ustrcpy(node->name, name);
3711 (void)tree_insertnode(root, node);
3712 }
3713node->data.ptr = NULL;
3714return node;
3715}
3716
3717
3718
3719/*************************************************
3720* Write an ACL variable in spool format *
3721*************************************************/
3722
3723/* This function is used as a callback for tree_walk when writing variables to
3724the spool file. To retain spool file compatibility, what is written is -aclc or
3725-aclm followed by the rest of the name and the data length, space separated,
3726then the value itself, starting on a new line, and terminated by an additional
3727newline. When we had only numbered ACL variables, the first line might look
3728like this: "-aclc 5 20". Now it might be "-aclc foo 20" for the variable called
3729acl_cfoo.
3730
3731Arguments:
3732 name of the variable
3733 value of the variable
3734 ctx FILE pointer (as a void pointer)
3735
3736Returns: nothing
3737*/
3738
3739void
3740acl_var_write(uschar *name, uschar *value, void *ctx)
3741{
3742FILE *f = (FILE *)ctx;
3743fprintf(f, "-acl%c %s %d\n%s\n", name[0], name+1, Ustrlen(value), value);
3744}
3745
059ec3d9 3746/* End of acl.c */
Unnamed repository; edit this file 'description' to name the repository.