Expand the documentation about the new submission mode behaviour.
[exim.git] / src / src / acl.c
CommitLineData
29aba418 1/* $Cambridge: exim/src/src/acl.c,v 1.33 2005/05/23 15:28:38 fanf2 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Code for handling Access Control Lists (ACLs) */
11
12#include "exim.h"
13
14
15/* Default callout timeout */
16
17#define CALLOUT_TIMEOUT_DEFAULT 30
18
19/* ACL verb codes - keep in step with the table of verbs that follows */
20
21enum { ACL_ACCEPT, ACL_DEFER, ACL_DENY, ACL_DISCARD, ACL_DROP, ACL_REQUIRE,
22 ACL_WARN };
23
24/* ACL verbs */
25
26static uschar *verbs[] =
27 { US"accept", US"defer", US"deny", US"discard", US"drop", US"require",
28 US"warn" };
29
30/* For each verb, the condition for which "message" is used */
31
32static int msgcond[] = { FAIL, OK, OK, FAIL, OK, FAIL, OK };
33
34/* ACL condition and modifier codes - keep in step with the table that
35follows. */
36
8523533c
TK
37enum { ACLC_ACL, ACLC_AUTHENTICATED,
38#ifdef EXPERIMENTAL_BRIGHTMAIL
39 ACLC_BMI_OPTIN,
40#endif
41ACLC_CONDITION, ACLC_CONTROL,
42#ifdef WITH_CONTENT_SCAN
43 ACLC_DECODE,
44#endif
45 ACLC_DELAY,
46#ifdef WITH_OLD_DEMIME
47 ACLC_DEMIME,
8e669ac1 48#endif
fb2274d4
TK
49#ifdef EXPERIMENTAL_DOMAINKEYS
50 ACLC_DK_DOMAIN_SOURCE,
51 ACLC_DK_POLICY,
52 ACLC_DK_SENDER_DOMAINS,
53 ACLC_DK_SENDER_LOCAL_PARTS,
54 ACLC_DK_SENDERS,
55 ACLC_DK_STATUS,
56#endif
8523533c
TK
57 ACLC_DNSLISTS, ACLC_DOMAINS, ACLC_ENCRYPTED, ACLC_ENDPASS,
58 ACLC_HOSTS, ACLC_LOCAL_PARTS, ACLC_LOG_MESSAGE, ACLC_LOGWRITE,
59#ifdef WITH_CONTENT_SCAN
60 ACLC_MALWARE,
61#endif
62 ACLC_MESSAGE,
63#ifdef WITH_CONTENT_SCAN
64 ACLC_MIME_REGEX,
65#endif
66 ACLC_RECIPIENTS,
67#ifdef WITH_CONTENT_SCAN
68 ACLC_REGEX,
69#endif
70 ACLC_SENDER_DOMAINS, ACLC_SENDERS, ACLC_SET,
71#ifdef WITH_CONTENT_SCAN
8e669ac1 72 ACLC_SPAM,
8523533c
TK
73#endif
74#ifdef EXPERIMENTAL_SPF
75 ACLC_SPF,
76#endif
77 ACLC_VERIFY };
059ec3d9
PH
78
79/* ACL conditions/modifiers: "delay", "control", "endpass", "message",
80"log_message", "logwrite", and "set" are modifiers that look like conditions
81but always return TRUE. They are used for their side effects. */
82
8523533c
TK
83static uschar *conditions[] = { US"acl", US"authenticated",
84#ifdef EXPERIMENTAL_BRIGHTMAIL
85 US"bmi_optin",
86#endif
87 US"condition",
8e669ac1 88 US"control",
8523533c
TK
89#ifdef WITH_CONTENT_SCAN
90 US"decode",
91#endif
92 US"delay",
93#ifdef WITH_OLD_DEMIME
94 US"demime",
95#endif
fb2274d4 96#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
97 US"dk_domain_source",
98 US"dk_policy",
99 US"dk_sender_domains",
100 US"dk_sender_local_parts",
101 US"dk_senders",
102 US"dk_status",
fb2274d4 103#endif
8523533c 104 US"dnslists", US"domains", US"encrypted",
059ec3d9 105 US"endpass", US"hosts", US"local_parts", US"log_message", US"logwrite",
8523533c
TK
106#ifdef WITH_CONTENT_SCAN
107 US"malware",
108#endif
109 US"message",
110#ifdef WITH_CONTENT_SCAN
111 US"mime_regex",
112#endif
113 US"recipients",
114#ifdef WITH_CONTENT_SCAN
115 US"regex",
116#endif
117 US"sender_domains", US"senders", US"set",
118#ifdef WITH_CONTENT_SCAN
119 US"spam",
120#endif
121#ifdef EXPERIMENTAL_SPF
122 US"spf",
123#endif
059ec3d9 124 US"verify" };
8e669ac1 125
c5fcb476
PH
126/* ACL control names */
127
128static uschar *controls[] = { US"error", US"caseful_local_part",
129 US"caselower_local_part", US"enforce_sync", US"no_enforce_sync", US"freeze",
8e669ac1 130 US"queue_only", US"submission", US"no_multiline"};
059ec3d9
PH
131
132/* Flags to indicate for which conditions /modifiers a string expansion is done
133at the outer level. In the other cases, expansion already occurs in the
134checking functions. */
135
136static uschar cond_expand_at_top[] = {
137 TRUE, /* acl */
138 FALSE, /* authenticated */
8523533c
TK
139#ifdef EXPERIMENTAL_BRIGHTMAIL
140 TRUE, /* bmi_optin */
8e669ac1 141#endif
059ec3d9
PH
142 TRUE, /* condition */
143 TRUE, /* control */
8523533c
TK
144#ifdef WITH_CONTENT_SCAN
145 TRUE, /* decode */
146#endif
059ec3d9 147 TRUE, /* delay */
8523533c
TK
148#ifdef WITH_OLD_DEMIME
149 TRUE, /* demime */
150#endif
fb2274d4 151#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
152 TRUE, /* dk_domain_source */
153 TRUE, /* dk_policy */
154 TRUE, /* dk_sender_domains */
e715ad22 155 TRUE, /* dk_sender_local_parts */
7f45268c
PH
156 TRUE, /* dk_senders */
157 TRUE, /* dk_status */
fb2274d4 158#endif
059ec3d9
PH
159 TRUE, /* dnslists */
160 FALSE, /* domains */
161 FALSE, /* encrypted */
162 TRUE, /* endpass */
163 FALSE, /* hosts */
164 FALSE, /* local_parts */
165 TRUE, /* log_message */
166 TRUE, /* logwrite */
8523533c
TK
167#ifdef WITH_CONTENT_SCAN
168 TRUE, /* malware */
169#endif
059ec3d9 170 TRUE, /* message */
8523533c
TK
171#ifdef WITH_CONTENT_SCAN
172 TRUE, /* mime_regex */
173#endif
059ec3d9 174 FALSE, /* recipients */
8523533c
TK
175#ifdef WITH_CONTENT_SCAN
176 TRUE, /* regex */
177#endif
059ec3d9
PH
178 FALSE, /* sender_domains */
179 FALSE, /* senders */
180 TRUE, /* set */
8523533c
TK
181#ifdef WITH_CONTENT_SCAN
182 TRUE, /* spam */
183#endif
184#ifdef EXPERIMENTAL_SPF
185 TRUE, /* spf */
186#endif
059ec3d9
PH
187 TRUE /* verify */
188};
189
190/* Flags to identify the modifiers */
191
192static uschar cond_modifiers[] = {
193 FALSE, /* acl */
194 FALSE, /* authenticated */
8523533c
TK
195#ifdef EXPERIMENTAL_BRIGHTMAIL
196 TRUE, /* bmi_optin */
8e669ac1 197#endif
059ec3d9
PH
198 FALSE, /* condition */
199 TRUE, /* control */
8523533c
TK
200#ifdef WITH_CONTENT_SCAN
201 FALSE, /* decode */
202#endif
059ec3d9 203 TRUE, /* delay */
8523533c
TK
204#ifdef WITH_OLD_DEMIME
205 FALSE, /* demime */
206#endif
fb2274d4 207#ifdef EXPERIMENTAL_DOMAINKEYS
7f45268c
PH
208 FALSE, /* dk_domain_source */
209 FALSE, /* dk_policy */
210 FALSE, /* dk_sender_domains */
e715ad22 211 FALSE, /* dk_sender_local_parts */
7f45268c
PH
212 FALSE, /* dk_senders */
213 FALSE, /* dk_status */
fb2274d4 214#endif
059ec3d9
PH
215 FALSE, /* dnslists */
216 FALSE, /* domains */
217 FALSE, /* encrypted */
218 TRUE, /* endpass */
219 FALSE, /* hosts */
220 FALSE, /* local_parts */
221 TRUE, /* log_message */
8523533c
TK
222 TRUE, /* logwrite */
223#ifdef WITH_CONTENT_SCAN
224 FALSE, /* malware */
225#endif
059ec3d9 226 TRUE, /* message */
8523533c
TK
227#ifdef WITH_CONTENT_SCAN
228 FALSE, /* mime_regex */
229#endif
059ec3d9 230 FALSE, /* recipients */
8523533c
TK
231#ifdef WITH_CONTENT_SCAN
232 FALSE, /* regex */
233#endif
059ec3d9
PH
234 FALSE, /* sender_domains */
235 FALSE, /* senders */
236 TRUE, /* set */
8523533c
TK
237#ifdef WITH_CONTENT_SCAN
238 FALSE, /* spam */
239#endif
240#ifdef EXPERIMENTAL_SPF
241 FALSE, /* spf */
242#endif
059ec3d9
PH
243 FALSE /* verify */
244};
245
c5fcb476 246/* Bit map vector of which conditions are not allowed at certain times. For
2f079f46
PH
247each condition, there's a bitmap of dis-allowed times. For some, it is easier
248to specify the negation of a small number of allowed times. */
059ec3d9
PH
249
250static unsigned int cond_forbids[] = {
251 0, /* acl */
8e669ac1 252
059ec3d9
PH
253 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* authenticated */
254 (1<<ACL_WHERE_HELO),
8e669ac1 255
8523533c 256#ifdef EXPERIMENTAL_BRIGHTMAIL
3864bb8e 257 (1<<ACL_WHERE_AUTH)| /* bmi_optin */
8523533c
TK
258 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
259 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_MIME)|
8e669ac1 260 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
8523533c
TK
261 (1<<ACL_WHERE_MAILAUTH)|
262 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
263 (1<<ACL_WHERE_VRFY)|(1<<ACL_WHERE_PREDATA),
264#endif
8e669ac1 265
059ec3d9 266 0, /* condition */
8e669ac1 267
059ec3d9 268 /* Certain types of control are always allowed, so we let it through
2f079f46 269 always and check in the control processing itself. */
8e669ac1 270
059ec3d9 271 0, /* control */
8e669ac1 272
8523533c 273#ifdef WITH_CONTENT_SCAN
2f079f46
PH
274 (unsigned int)
275 ~(1<<ACL_WHERE_MIME), /* decode */
8523533c
TK
276#endif
277
059ec3d9 278 0, /* delay */
8e669ac1 279
f7b63901 280#ifdef WITH_OLD_DEMIME
2f079f46
PH
281 (unsigned int)
282 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* demime */
8523533c 283#endif
8e669ac1 284
fb2274d4 285#ifdef EXPERIMENTAL_DOMAINKEYS
2f079f46 286 (1<<ACL_WHERE_AUTH)| /* dk_domain_source */
fb2274d4
TK
287 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
288 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
289 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
290 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
291 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
292 (1<<ACL_WHERE_VRFY),
84330b7b 293
2f079f46 294 (1<<ACL_WHERE_AUTH)| /* dk_policy */
fb2274d4
TK
295 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
296 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
297 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
298 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
299 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
300 (1<<ACL_WHERE_VRFY),
84330b7b 301
2f079f46 302 (1<<ACL_WHERE_AUTH)| /* dk_sender_domains */
fb2274d4
TK
303 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
304 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
305 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
306 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
307 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
308 (1<<ACL_WHERE_VRFY),
84330b7b 309
2f079f46 310 (1<<ACL_WHERE_AUTH)| /* dk_sender_local_parts */
fb2274d4
TK
311 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
312 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
313 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
314 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
315 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
316 (1<<ACL_WHERE_VRFY),
84330b7b 317
2f079f46 318 (1<<ACL_WHERE_AUTH)| /* dk_senders */
fb2274d4
TK
319 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
320 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
321 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
322 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
323 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
324 (1<<ACL_WHERE_VRFY),
84330b7b 325
2f079f46 326 (1<<ACL_WHERE_AUTH)| /* dk_status */
fb2274d4
TK
327 (1<<ACL_WHERE_CONNECT)|(1<<ACL_WHERE_HELO)|
328 (1<<ACL_WHERE_RCPT)|(1<<ACL_WHERE_PREDATA)|
329 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
330 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
331 (1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_STARTTLS)|
332 (1<<ACL_WHERE_VRFY),
333#endif
334
059ec3d9
PH
335 (1<<ACL_WHERE_NOTSMTP), /* dnslists */
336
2f079f46
PH
337 (unsigned int)
338 ~(1<<ACL_WHERE_RCPT), /* domains */
059ec3d9
PH
339
340 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_CONNECT)| /* encrypted */
341 (1<<ACL_WHERE_HELO),
8e669ac1 342
059ec3d9 343 0, /* endpass */
8e669ac1 344
059ec3d9
PH
345 (1<<ACL_WHERE_NOTSMTP), /* hosts */
346
2f079f46
PH
347 (unsigned int)
348 ~(1<<ACL_WHERE_RCPT), /* local_parts */
059ec3d9
PH
349
350 0, /* log_message */
8e669ac1 351
059ec3d9 352 0, /* logwrite */
8e669ac1 353
8523533c 354#ifdef WITH_CONTENT_SCAN
2f079f46
PH
355 (unsigned int)
356 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* malware */
8523533c
TK
357#endif
358
059ec3d9
PH
359 0, /* message */
360
8523533c 361#ifdef WITH_CONTENT_SCAN
2f079f46
PH
362 (unsigned int)
363 ~(1<<ACL_WHERE_MIME), /* mime_regex */
8523533c
TK
364#endif
365
2f079f46
PH
366 (unsigned int)
367 ~(1<<ACL_WHERE_RCPT), /* recipients */
059ec3d9 368
8523533c 369#ifdef WITH_CONTENT_SCAN
2f079f46
PH
370 (unsigned int)
371 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)| /* regex */
372 (1<<ACL_WHERE_MIME)),
8523533c
TK
373#endif
374
059ec3d9
PH
375 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* sender_domains */
376 (1<<ACL_WHERE_HELO)|
377 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
378 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
379 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
380
381 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* senders */
382 (1<<ACL_WHERE_HELO)|
383 (1<<ACL_WHERE_MAILAUTH)|(1<<ACL_WHERE_QUIT)|
384 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
385 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
386
387 0, /* set */
388
8523533c 389#ifdef WITH_CONTENT_SCAN
2f079f46
PH
390 (unsigned int)
391 ~((1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP)), /* spam */
8523533c
TK
392#endif
393
394#ifdef EXPERIMENTAL_SPF
395 (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)| /* spf */
396 (1<<ACL_WHERE_HELO)|
397 (1<<ACL_WHERE_MAILAUTH)|
398 (1<<ACL_WHERE_ETRN)|(1<<ACL_WHERE_EXPN)|
399 (1<<ACL_WHERE_STARTTLS)|(1<<ACL_WHERE_VRFY),
400#endif
401
059ec3d9
PH
402 /* Certain types of verify are always allowed, so we let it through
403 always and check in the verify function itself */
404
405 0 /* verify */
059ec3d9
PH
406};
407
408
409/* Return values from decode_control() */
410
8e669ac1 411enum {
8523533c
TK
412#ifdef EXPERIMENTAL_BRIGHTMAIL
413 CONTROL_BMI_RUN,
8e669ac1 414#endif
fb2274d4
TK
415#ifdef EXPERIMENTAL_DOMAINKEYS
416 CONTROL_DK_VERIFY,
417#endif
8523533c 418 CONTROL_ERROR, CONTROL_CASEFUL_LOCAL_PART, CONTROL_CASELOWER_LOCAL_PART,
059ec3d9 419 CONTROL_ENFORCE_SYNC, CONTROL_NO_ENFORCE_SYNC, CONTROL_FREEZE,
8523533c
TK
420 CONTROL_QUEUE_ONLY, CONTROL_SUBMISSION,
421#ifdef WITH_CONTENT_SCAN
8e669ac1 422 CONTROL_NO_MBOX_UNSPOOL,
8523533c 423#endif
29aba418 424 CONTROL_FAKEDEFER, CONTROL_FAKEREJECT, CONTROL_NO_MULTILINE };
059ec3d9 425
c5fcb476
PH
426/* Bit map vector of which controls are not allowed at certain times. For
427each control, there's a bitmap of dis-allowed times. For some, it is easier to
428specify the negation of a small number of allowed times. */
429
430static unsigned int control_forbids[] = {
8523533c
TK
431#ifdef EXPERIMENTAL_BRIGHTMAIL
432 0, /* bmi_run */
433#endif
fb2274d4 434#ifdef EXPERIMENTAL_DOMAINKEYS
e715ad22 435 (1<<ACL_WHERE_DATA)|(1<<ACL_WHERE_NOTSMTP), /* dk_verify */
fb2274d4 436#endif
3e11c26b 437
c5fcb476 438 0, /* error */
8e669ac1
PH
439
440 (unsigned int)
c5fcb476 441 ~(1<<ACL_WHERE_RCPT), /* caseful_local_part */
8e669ac1
PH
442
443 (unsigned int)
c5fcb476 444 ~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
8e669ac1 445
c5fcb476 446 (1<<ACL_WHERE_NOTSMTP), /* enforce_sync */
8e669ac1 447
c5fcb476 448 (1<<ACL_WHERE_NOTSMTP), /* no_enforce_sync */
8e669ac1
PH
449
450 (unsigned int)
c5fcb476
PH
451 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* freeze */
452 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 453 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
454
455 (unsigned int)
c5fcb476
PH
456 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* queue_only */
457 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
e715ad22 458 (1<<ACL_WHERE_NOTSMTP)|(1<<ACL_WHERE_MIME)),
8e669ac1
PH
459
460 (unsigned int)
c5fcb476 461 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* submission */
8e669ac1 462 (1<<ACL_WHERE_PREDATA)),
8523533c
TK
463
464#ifdef WITH_CONTENT_SCAN
8e669ac1 465 (unsigned int)
14d57970 466 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* no_mbox_unspool */
e715ad22
TK
467 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
468 (1<<ACL_WHERE_MIME)),
8523533c 469#endif
a6c4ab60 470
8e669ac1 471 (unsigned int)
29aba418
TF
472 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakedefer */
473 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
474 (1<<ACL_WHERE_MIME)),
475
476 (unsigned int)
a6c4ab60 477 ~((1<<ACL_WHERE_MAIL)|(1<<ACL_WHERE_RCPT)| /* fakereject */
e715ad22
TK
478 (1<<ACL_WHERE_PREDATA)|(1<<ACL_WHERE_DATA)|
479 (1<<ACL_WHERE_MIME)),
8523533c 480
c5fcb476
PH
481 (1<<ACL_WHERE_NOTSMTP) /* no_multiline */
482};
483
484/* Structure listing various control arguments, with their characteristics. */
059ec3d9
PH
485
486typedef struct control_def {
487 uschar *name;
488 int value; /* CONTROL_xxx value */
059ec3d9
PH
489 BOOL has_option; /* Has /option(s) following */
490} control_def;
491
492static control_def controls_list[] = {
8523533c
TK
493#ifdef EXPERIMENTAL_BRIGHTMAIL
494 { US"bmi_run", CONTROL_BMI_RUN, FALSE},
495#endif
fb2274d4
TK
496#ifdef EXPERIMENTAL_DOMAINKEYS
497 { US"dk_verify", CONTROL_DK_VERIFY, FALSE},
498#endif
c5fcb476
PH
499 { US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE},
500 { US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE},
501 { US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE},
502 { US"freeze", CONTROL_FREEZE, FALSE},
503 { US"no_enforce_sync", CONTROL_NO_ENFORCE_SYNC, FALSE},
504 { US"no_multiline_responses", CONTROL_NO_MULTILINE, FALSE},
505 { US"queue_only", CONTROL_QUEUE_ONLY, FALSE},
8523533c
TK
506#ifdef WITH_CONTENT_SCAN
507 { US"no_mbox_unspool", CONTROL_NO_MBOX_UNSPOOL, FALSE},
8523533c 508#endif
29aba418 509 { US"fakedefer", CONTROL_FAKEDEFER, TRUE},
0f9b0483 510 { US"fakereject", CONTROL_FAKEREJECT, TRUE},
c5fcb476 511 { US"submission", CONTROL_SUBMISSION, TRUE}
059ec3d9
PH
512 };
513
e5a9dba6
PH
514/* Support data structures for Client SMTP Authorization. acl_verify_csa()
515caches its result in a tree to avoid repeated DNS queries. The result is an
516integer code which is used as an index into the following tables of
517explanatory strings and verification return codes. */
518
519static tree_node *csa_cache = NULL;
520
521enum { CSA_UNKNOWN, CSA_OK, CSA_DEFER_SRV, CSA_DEFER_ADDR,
522 CSA_FAIL_EXPLICIT, CSA_FAIL_DOMAIN, CSA_FAIL_NOADDR, CSA_FAIL_MISMATCH };
523
524/* The acl_verify_csa() return code is translated into an acl_verify() return
525code using the following table. It is OK unless the client is definitely not
526authorized. This is because CSA is supposed to be optional for sending sites,
527so recipients should not be too strict about checking it - especially because
528DNS problems are quite likely to occur. It's possible to use $csa_status in
529further ACL conditions to distinguish ok, unknown, and defer if required, but
530the aim is to make the usual configuration simple. */
531
532static int csa_return_code[] = {
533 OK, OK, OK, OK,
534 FAIL, FAIL, FAIL, FAIL
535};
536
537static uschar *csa_status_string[] = {
538 US"unknown", US"ok", US"defer", US"defer",
539 US"fail", US"fail", US"fail", US"fail"
540};
541
542static uschar *csa_reason_string[] = {
543 US"unknown",
544 US"ok",
545 US"deferred (SRV lookup failed)",
546 US"deferred (target address lookup failed)",
547 US"failed (explicit authorization required)",
548 US"failed (host name not authorized)",
549 US"failed (no authorized addresses)",
550 US"failed (client address mismatch)"
551};
552
059ec3d9
PH
553/* Enable recursion between acl_check_internal() and acl_check_condition() */
554
555static int acl_check_internal(int, address_item *, uschar *, int, uschar **,
556 uschar **);
557
558
559/*************************************************
560* Pick out name from list *
561*************************************************/
562
563/* Use a binary chop method
564
565Arguments:
566 name name to find
567 list list of names
568 end size of list
569
570Returns: offset in list, or -1 if not found
571*/
572
573static int
574acl_checkname(uschar *name, uschar **list, int end)
575{
576int start = 0;
577
578while (start < end)
579 {
580 int mid = (start + end)/2;
581 int c = Ustrcmp(name, list[mid]);
582 if (c == 0) return mid;
583 if (c < 0) end = mid; else start = mid + 1;
584 }
585
586return -1;
587}
588
589
590/*************************************************
591* Read and parse one ACL *
592*************************************************/
593
594/* This function is called both from readconf in order to parse the ACLs in the
595configuration file, and also when an ACL is encountered dynamically (e.g. as
596the result of an expansion). It is given a function to call in order to
597retrieve the lines of the ACL. This function handles skipping comments and
598blank lines (where relevant).
599
600Arguments:
601 func function to get next line of ACL
602 error where to put an error message
603
604Returns: pointer to ACL, or NULL
605 NULL can be legal (empty ACL); in this case error will be NULL
606*/
607
608acl_block *
609acl_read(uschar *(*func)(void), uschar **error)
610{
611acl_block *yield = NULL;
612acl_block **lastp = &yield;
613acl_block *this = NULL;
614acl_condition_block *cond;
615acl_condition_block **condp = NULL;
616uschar *s;
617
618*error = NULL;
619
620while ((s = (*func)()) != NULL)
621 {
622 int v, c;
623 BOOL negated = FALSE;
624 uschar *saveline = s;
625 uschar name[64];
626
627 /* Conditions (but not verbs) are allowed to be negated by an initial
628 exclamation mark. */
629
630 while (isspace(*s)) s++;
631 if (*s == '!')
632 {
633 negated = TRUE;
634 s++;
635 }
636
cf00dad6
PH
637 /* Read the name of a verb or a condition, or the start of a new ACL, which
638 can be started by a name, or by a macro definition. */
059ec3d9
PH
639
640 s = readconf_readname(name, sizeof(name), s);
cf00dad6 641 if (*s == ':' || isupper(name[0] && *s == '=')) return yield;
059ec3d9
PH
642
643 /* If a verb is unrecognized, it may be another condition or modifier that
644 continues the previous verb. */
645
646 v = acl_checkname(name, verbs, sizeof(verbs)/sizeof(char *));
647 if (v < 0)
648 {
649 if (this == NULL)
650 {
651 *error = string_sprintf("unknown ACL verb in \"%s\"", saveline);
652 return NULL;
653 }
654 }
655
656 /* New verb */
657
658 else
659 {
660 if (negated)
661 {
662 *error = string_sprintf("malformed ACL line \"%s\"", saveline);
663 return NULL;
664 }
665 this = store_get(sizeof(acl_block));
666 *lastp = this;
667 lastp = &(this->next);
668 this->next = NULL;
669 this->verb = v;
670 this->condition = NULL;
671 condp = &(this->condition);
672 if (*s == 0) continue; /* No condition on this line */
673 if (*s == '!')
674 {
675 negated = TRUE;
676 s++;
677 }
678 s = readconf_readname(name, sizeof(name), s); /* Condition name */
679 }
680
681 /* Handle a condition or modifier. */
682
683 c = acl_checkname(name, conditions, sizeof(conditions)/sizeof(char *));
684 if (c < 0)
685 {
686 *error = string_sprintf("unknown ACL condition/modifier in \"%s\"",
687 saveline);
688 return NULL;
689 }
690
691 /* The modifiers may not be negated */
692
693 if (negated && cond_modifiers[c])
694 {
695 *error = string_sprintf("ACL error: negation is not allowed with "
696 "\"%s\"", conditions[c]);
697 return NULL;
698 }
699
700 /* ENDPASS may occur only with ACCEPT or DISCARD. */
701
702 if (c == ACLC_ENDPASS &&
703 this->verb != ACL_ACCEPT &&
704 this->verb != ACL_DISCARD)
705 {
706 *error = string_sprintf("ACL error: \"%s\" is not allowed with \"%s\"",
707 conditions[c], verbs[this->verb]);
708 return NULL;
709 }
710
711 cond = store_get(sizeof(acl_condition_block));
712 cond->next = NULL;
713 cond->type = c;
714 cond->u.negated = negated;
715
716 *condp = cond;
717 condp = &(cond->next);
718
719 /* The "set" modifier is different in that its argument is "name=value"
720 rather than just a value, and we can check the validity of the name, which
721 gives us a variable number to insert into the data block. */
722
723 if (c == ACLC_SET)
724 {
725 if (Ustrncmp(s, "acl_", 4) != 0 || (s[4] != 'c' && s[4] != 'm') ||
726 !isdigit(s[5]) || (!isspace(s[6]) && s[6] != '='))
727 {
728 *error = string_sprintf("unrecognized name after \"set\" in ACL "
729 "modifier \"set %s\"", s);
730 return NULL;
731 }
732
733 cond->u.varnumber = s[5] - '0';
734 if (s[4] == 'm') cond->u.varnumber += ACL_C_MAX;
735 s += 6;
736 while (isspace(*s)) s++;
737 }
738
739 /* For "set", we are now positioned for the data. For the others, only
740 "endpass" has no data */
741
742 if (c != ACLC_ENDPASS)
743 {
744 if (*s++ != '=')
745 {
746 *error = string_sprintf("\"=\" missing after ACL \"%s\" %s", name,
747 cond_modifiers[c]? US"modifier" : US"condition");
748 return NULL;
749 }
750 while (isspace(*s)) s++;
751 cond->arg = string_copy(s);
752 }
753 }
754
755return yield;
756}
757
758
759
760/*************************************************
761* Handle warnings *
762*************************************************/
763
764/* This function is called when a WARN verb's conditions are true. It adds to
765the message's headers, and/or writes information to the log. In each case, this
766only happens once (per message for headers, per connection for log).
767
768Arguments:
769 where ACL_WHERE_xxxx indicating which ACL this is
770 user_message message for adding to headers
771 log_message message for logging, if different
772
773Returns: nothing
774*/
775
776static void
777acl_warn(int where, uschar *user_message, uschar *log_message)
778{
779int hlen;
780
781if (log_message != NULL && log_message != user_message)
782 {
783 uschar *text;
784 string_item *logged;
785
786 text = string_sprintf("%s Warning: %s", host_and_ident(TRUE),
787 string_printing(log_message));
788
789 /* If a sender verification has failed, and the log message is "sender verify
790 failed", add the failure message. */
791
792 if (sender_verified_failed != NULL &&
793 sender_verified_failed->message != NULL &&
794 strcmpic(log_message, US"sender verify failed") == 0)
795 text = string_sprintf("%s: %s", text, sender_verified_failed->message);
796
9c7a242c
PH
797 /* Search previously logged warnings. They are kept in malloc
798 store so they can be freed at the start of a new message. */
059ec3d9
PH
799
800 for (logged = acl_warn_logged; logged != NULL; logged = logged->next)
801 if (Ustrcmp(logged->text, text) == 0) break;
802
803 if (logged == NULL)
804 {
805 int length = Ustrlen(text) + 1;
806 log_write(0, LOG_MAIN, "%s", text);
807 logged = store_malloc(sizeof(string_item) + length);
808 logged->text = (uschar *)logged + sizeof(string_item);
809 memcpy(logged->text, text, length);
810 logged->next = acl_warn_logged;
811 acl_warn_logged = logged;
812 }
813 }
814
815/* If there's no user message, we are done. */
816
817if (user_message == NULL) return;
818
819/* If this isn't a message ACL, we can't do anything with a user message.
820Log an error. */
821
822if (where > ACL_WHERE_NOTSMTP)
823 {
824 log_write(0, LOG_MAIN|LOG_PANIC, "ACL \"warn\" with \"message\" setting "
825 "found in a non-message (%s) ACL: cannot specify header lines here: "
826 "message ignored", acl_wherenames[where]);
827 return;
828 }
829
830/* Treat the user message as a sequence of one or more header lines. */
831
832hlen = Ustrlen(user_message);
833if (hlen > 0)
834 {
835 uschar *text, *p, *q;
836
837 /* Add a final newline if not present */
838
839 text = ((user_message)[hlen-1] == '\n')? user_message :
840 string_sprintf("%s\n", user_message);
841
842 /* Loop for multiple header lines, taking care about continuations */
843
844 for (p = q = text; *p != 0; )
845 {
846 uschar *s;
847 int newtype = htype_add_bot;
848 header_line **hptr = &acl_warn_headers;
849
850 /* Find next header line within the string */
851
852 for (;;)
853 {
854 q = Ustrchr(q, '\n');
855 if (*(++q) != ' ' && *q != '\t') break;
856 }
857
858 /* If the line starts with a colon, interpret the instruction for where to
859 add it. This temporarily sets up a new type. */
860
861 if (*p == ':')
862 {
863 if (strncmpic(p, US":after_received:", 16) == 0)
864 {
865 newtype = htype_add_rec;
866 p += 16;
867 }
8523533c
TK
868 else if (strncmpic(p, US":at_start_rfc:", 14) == 0)
869 {
870 newtype = htype_add_rfc;
871 p += 14;
8e669ac1 872 }
059ec3d9
PH
873 else if (strncmpic(p, US":at_start:", 10) == 0)
874 {
875 newtype = htype_add_top;
876 p += 10;
877 }
878 else if (strncmpic(p, US":at_end:", 8) == 0)
879 {
880 newtype = htype_add_bot;
881 p += 8;
882 }
883 while (*p == ' ' || *p == '\t') p++;
884 }
885
886 /* See if this line starts with a header name, and if not, add X-ACL-Warn:
887 to the front of it. */
888
889 for (s = p; s < q - 1; s++)
890 {
891 if (*s == ':' || !isgraph(*s)) break;
892 }
893
894 s = string_sprintf("%s%.*s", (*s == ':')? "" : "X-ACL-Warn: ", q - p, p);
895 hlen = Ustrlen(s);
896
897 /* See if this line has already been added */
898
899 while (*hptr != NULL)
900 {
901 if (Ustrncmp((*hptr)->text, s, hlen) == 0) break;
902 hptr = &((*hptr)->next);
903 }
904
905 /* Add if not previously present */
906
907 if (*hptr == NULL)
908 {
909 header_line *h = store_get(sizeof(header_line));
910 h->text = s;
911 h->next = NULL;
912 h->type = newtype;
913 h->slen = hlen;
914 *hptr = h;
915 hptr = &(h->next);
916 }
917
918 /* Advance for next header line within the string */
919
920 p = q;
921 }
922 }
923}
924
925
926
927/*************************************************
928* Verify and check reverse DNS *
929*************************************************/
930
931/* Called from acl_verify() below. We look up the host name(s) of the client IP
932address if this has not yet been done. The host_name_lookup() function checks
933that one of these names resolves to an address list that contains the client IP
934address, so we don't actually have to do the check here.
935
936Arguments:
937 user_msgptr pointer for user message
938 log_msgptr pointer for log message
939
940Returns: OK verification condition succeeded
941 FAIL verification failed
942 DEFER there was a problem verifying
943*/
944
945static int
946acl_verify_reverse(uschar **user_msgptr, uschar **log_msgptr)
947{
948int rc;
949
950user_msgptr = user_msgptr; /* stop compiler warning */
951
952/* Previous success */
953
954if (sender_host_name != NULL) return OK;
955
956/* Previous failure */
957
958if (host_lookup_failed)
959 {
960 *log_msgptr = string_sprintf("host lookup failed%s", host_lookup_msg);
961 return FAIL;
962 }
963
964/* Need to do a lookup */
965
966HDEBUG(D_acl)
967 debug_printf("looking up host name to force name/address consistency check\n");
968
969if ((rc = host_name_lookup()) != OK)
970 {
971 *log_msgptr = (rc == DEFER)?
972 US"host lookup deferred for reverse lookup check"
973 :
974 string_sprintf("host lookup failed for reverse lookup check%s",
975 host_lookup_msg);
976 return rc; /* DEFER or FAIL */
977 }
978
979host_build_sender_fullhost();
980return OK;
981}
982
983
984
985/*************************************************
e5a9dba6
PH
986* Check client IP address matches CSA target *
987*************************************************/
988
989/* Called from acl_verify_csa() below. This routine scans a section of a DNS
990response for address records belonging to the CSA target hostname. The section
991is specified by the reset argument, either RESET_ADDITIONAL or RESET_ANSWERS.
992If one of the addresses matches the client's IP address, then the client is
993authorized by CSA. If there are target IP addresses but none of them match
994then the client is using an unauthorized IP address. If there are no target IP
995addresses then the client cannot be using an authorized IP address. (This is
996an odd configuration - why didn't the SRV record have a weight of 1 instead?)
997
998Arguments:
999 dnsa the DNS answer block
1000 dnss a DNS scan block for us to use
1001 reset option specifing what portion to scan, as described above
1002 target the target hostname to use for matching RR names
1003
1004Returns: CSA_OK successfully authorized
1005 CSA_FAIL_MISMATCH addresses found but none matched
1006 CSA_FAIL_NOADDR no target addresses found
1007*/
1008
1009static int
1010acl_verify_csa_address(dns_answer *dnsa, dns_scan *dnss, int reset,
1011 uschar *target)
1012{
1013dns_record *rr;
1014dns_address *da;
1015
1016BOOL target_found = FALSE;
1017
1018for (rr = dns_next_rr(dnsa, dnss, reset);
1019 rr != NULL;
1020 rr = dns_next_rr(dnsa, dnss, RESET_NEXT))
1021 {
1022 /* Check this is an address RR for the target hostname. */
1023
1024 if (rr->type != T_A
1025 #if HAVE_IPV6
1026 && rr->type != T_AAAA
1027 #ifdef SUPPORT_A6
1028 && rr->type != T_A6
1029 #endif
1030 #endif
1031 ) continue;
1032
1033 if (strcmpic(target, rr->name) != 0) continue;
1034
1035 target_found = TRUE;
1036
1037 /* Turn the target address RR into a list of textual IP addresses and scan
1038 the list. There may be more than one if it is an A6 RR. */
1039
1040 for (da = dns_address_from_rr(dnsa, rr); da != NULL; da = da->next)
1041 {
1042 /* If the client IP address matches the target IP address, it's good! */
1043
1044 DEBUG(D_acl) debug_printf("CSA target address is %s\n", da->address);
1045
1046 if (strcmpic(sender_host_address, da->address) == 0) return CSA_OK;
1047 }
1048 }
1049
1050/* If we found some target addresses but none of them matched, the client is
1051using an unauthorized IP address, otherwise the target has no authorized IP
1052addresses. */
1053
1054if (target_found) return CSA_FAIL_MISMATCH;
1055else return CSA_FAIL_NOADDR;
1056}
1057
1058
1059
1060/*************************************************
1061* Verify Client SMTP Authorization *
1062*************************************************/
1063
1064/* Called from acl_verify() below. This routine calls dns_lookup_special()
1065to find the CSA SRV record corresponding to the domain argument, or
1066$sender_helo_name if no argument is provided. It then checks that the
1067client is authorized, and that its IP address corresponds to the SRV
1068target's address by calling acl_verify_csa_address() above. The address
1069should have been returned in the DNS response's ADDITIONAL section, but if
1070not we perform another DNS lookup to get it.
1071
1072Arguments:
1073 domain pointer to optional parameter following verify = csa
1074
1075Returns: CSA_UNKNOWN no valid CSA record found
1076 CSA_OK successfully authorized
1077 CSA_FAIL_* client is definitely not authorized
1078 CSA_DEFER_* there was a DNS problem
1079*/
1080
1081static int
1082acl_verify_csa(uschar *domain)
1083{
1084tree_node *t;
1085uschar *found, *p;
1086int priority, weight, port;
1087dns_answer dnsa;
1088dns_scan dnss;
1089dns_record *rr;
1090int rc, type;
1091uschar target[256];
1092
1093/* Work out the domain we are using for the CSA lookup. The default is the
1094client's HELO domain. If the client has not said HELO, use its IP address
1095instead. If it's a local client (exim -bs), CSA isn't applicable. */
1096
1097while (isspace(*domain) && *domain != '\0') ++domain;
1098if (*domain == '\0') domain = sender_helo_name;
1099if (domain == NULL) domain = sender_host_address;
1100if (sender_host_address == NULL) return CSA_UNKNOWN;
1101
1102/* If we have an address literal, strip off the framing ready for turning it
1103into a domain. The framing consists of matched square brackets possibly
1104containing a keyword and a colon before the actual IP address. */
1105
1106if (domain[0] == '[')
1107 {
1108 uschar *start = Ustrchr(domain, ':');
1109 if (start == NULL) start = domain;
1110 domain = string_copyn(start + 1, Ustrlen(start) - 2);
1111 }
1112
1113/* Turn domains that look like bare IP addresses into domains in the reverse
1114DNS. This code also deals with address literals and $sender_host_address. It's
1115not quite kosher to treat bare domains such as EHLO 192.0.2.57 the same as
1116address literals, but it's probably the most friendly thing to do. This is an
1117extension to CSA, so we allow it to be turned off for proper conformance. */
1118
1119if (string_is_ip_address(domain, NULL))
1120 {
1121 if (!dns_csa_use_reverse) return CSA_UNKNOWN;
1122 dns_build_reverse(domain, target);
1123 domain = target;
1124 }
1125
1126/* Find out if we've already done the CSA check for this domain. If we have,
1127return the same result again. Otherwise build a new cached result structure
1128for this domain. The name is filled in now, and the value is filled in when
1129we return from this function. */
1130
1131t = tree_search(csa_cache, domain);
1132if (t != NULL) return t->data.val;
1133
1134t = store_get_perm(sizeof(tree_node) + Ustrlen(domain));
1135Ustrcpy(t->name, domain);
1136(void)tree_insertnode(&csa_cache, t);
1137
1138/* Now we are ready to do the actual DNS lookup(s). */
1139
1140switch (dns_special_lookup(&dnsa, domain, T_CSA, &found))
1141 {
1142 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1143
1144 default:
1145 return t->data.val = CSA_DEFER_SRV;
1146
1147 /* If we found nothing, the client's authorization is unknown. */
1148
1149 case DNS_NOMATCH:
1150 case DNS_NODATA:
1151 return t->data.val = CSA_UNKNOWN;
1152
1153 /* We got something! Go on to look at the reply in more detail. */
1154
1155 case DNS_SUCCEED:
1156 break;
1157 }
1158
1159/* Scan the reply for well-formed CSA SRV records. */
1160
1161for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
1162 rr != NULL;
1163 rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
1164 {
1165 if (rr->type != T_SRV) continue;
1166
1167 /* Extract the numerical SRV fields (p is incremented) */
1168
1169 p = rr->data;
1170 GETSHORT(priority, p);
1171 GETSHORT(weight, p);
1172 GETSHORT(port, p);
1173
1174 DEBUG(D_acl)
1175 debug_printf("CSA priority=%d weight=%d port=%d\n", priority, weight, port);
1176
1177 /* Check the CSA version number */
1178
1179 if (priority != 1) continue;
1180
1181 /* If the domain does not have a CSA SRV record of its own (i.e. the domain
1182 found by dns_special_lookup() is a parent of the one we asked for), we check
1183 the subdomain assertions in the port field. At the moment there's only one
1184 assertion: legitimate SMTP clients are all explicitly authorized with CSA
1185 SRV records of their own. */
1186
1187 if (found != domain)
1188 {
1189 if (port & 1)
1190 return t->data.val = CSA_FAIL_EXPLICIT;
1191 else
1192 return t->data.val = CSA_UNKNOWN;
1193 }
1194
1195 /* This CSA SRV record refers directly to our domain, so we check the value
1196 in the weight field to work out the domain's authorization. 0 and 1 are
1197 unauthorized; 3 means the client is authorized but we can't check the IP
1198 address in order to authenticate it, so we treat it as unknown; values
1199 greater than 3 are undefined. */
1200
1201 if (weight < 2) return t->data.val = CSA_FAIL_DOMAIN;
1202
1203 if (weight > 2) continue;
1204
1205 /* Weight == 2, which means the domain is authorized. We must check that the
1206 client's IP address is listed as one of the SRV target addresses. Save the
1207 target hostname then break to scan the additional data for its addresses. */
1208
1209 (void)dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
1210 (DN_EXPAND_ARG4_TYPE)target, sizeof(target));
1211
1212 DEBUG(D_acl) debug_printf("CSA target is %s\n", target);
1213
1214 break;
1215 }
1216
1217/* If we didn't break the loop then no appropriate records were found. */
1218
1219if (rr == NULL) return t->data.val = CSA_UNKNOWN;
1220
1221/* Do not check addresses if the target is ".", in accordance with RFC 2782.
1222A target of "." indicates there are no valid addresses, so the client cannot
1223be authorized. (This is an odd configuration because weight=2 target=. is
1224equivalent to weight=1, but we check for it in order to keep load off the
1225root name servers.) Note that dn_expand() turns "." into "". */
1226
1227if (Ustrcmp(target, "") == 0) return t->data.val = CSA_FAIL_NOADDR;
1228
1229/* Scan the additional section of the CSA SRV reply for addresses belonging
1230to the target. If the name server didn't return any additional data (e.g.
1231because it does not fully support SRV records), we need to do another lookup
1232to obtain the target addresses; otherwise we have a definitive result. */
1233
1234rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ADDITIONAL, target);
1235if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1236
1237/* The DNS lookup type corresponds to the IP version used by the client. */
1238
1239#if HAVE_IPV6
1240if (Ustrchr(sender_host_address, ':') != NULL)
1241 type = T_AAAA;
1242else
1243#endif /* HAVE_IPV6 */
1244 type = T_A;
1245
1246
1247#if HAVE_IPV6 && defined(SUPPORT_A6)
1248DNS_LOOKUP_AGAIN:
1249#endif
1250
1251switch (dns_lookup(&dnsa, target, type, NULL))
1252 {
1253 /* If something bad happened (most commonly DNS_AGAIN), defer. */
1254
1255 default:
1256 return t->data.val = CSA_DEFER_ADDR;
1257
1258 /* If the query succeeded, scan the addresses and return the result. */
1259
1260 case DNS_SUCCEED:
1261 rc = acl_verify_csa_address(&dnsa, &dnss, RESET_ANSWERS, target);
1262 if (rc != CSA_FAIL_NOADDR) return t->data.val = rc;
1263 /* else fall through */
1264
1265 /* If the target has no IP addresses, the client cannot have an authorized
1266 IP address. However, if the target site uses A6 records (not AAAA records)
1267 we have to do yet another lookup in order to check them. */
1268
1269 case DNS_NOMATCH:
1270 case DNS_NODATA:
1271
1272 #if HAVE_IPV6 && defined(SUPPORT_A6)
1273 if (type == T_AAAA) { type = T_A6; goto DNS_LOOKUP_AGAIN; }
1274 #endif
1275
1276 return t->data.val = CSA_FAIL_NOADDR;
1277 }
1278}
1279
1280
1281
1282/*************************************************
059ec3d9
PH
1283* Handle verification (address & other) *
1284*************************************************/
1285
1286/* This function implements the "verify" condition. It is called when
1287encountered in any ACL, because some tests are almost always permitted. Some
1288just don't make sense, and always fail (for example, an attempt to test a host
1289lookup for a non-TCP/IP message). Others are restricted to certain ACLs.
1290
1291Arguments:
1292 where where called from
1293 addr the recipient address that the ACL is handling, or NULL
1294 arg the argument of "verify"
1295 user_msgptr pointer for user message
1296 log_msgptr pointer for log message
1297 basic_errno where to put verify errno
1298
1299Returns: OK verification condition succeeded
1300 FAIL verification failed
1301 DEFER there was a problem verifying
1302 ERROR syntax error
1303*/
1304
1305static int
1306acl_verify(int where, address_item *addr, uschar *arg,
1307 uschar **user_msgptr, uschar **log_msgptr, int *basic_errno)
1308{
1309int sep = '/';
1310int callout = -1;
1311int callout_overall = -1;
4deaf07d 1312int callout_connect = -1;
059ec3d9
PH
1313int verify_options = 0;
1314int rc;
1315BOOL verify_header_sender = FALSE;
1316BOOL defer_ok = FALSE;
1317BOOL callout_defer_ok = FALSE;
1318BOOL no_details = FALSE;
1319address_item *sender_vaddr = NULL;
1320uschar *verify_sender_address = NULL;
1321uschar *pm_mailfrom = NULL;
1322uschar *se_mailfrom = NULL;
596875b3
PH
1323
1324/* Some of the verify items have slash-separated options; some do not. Diagnose
1325an error if options are given for items that don't expect them. This code has
1326now got very message. Refactoring to use a table would be a good idea one day.
1327*/
1328
1329uschar *slash = Ustrchr(arg, '/');
059ec3d9
PH
1330uschar *list = arg;
1331uschar *ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size);
1332
1333if (ss == NULL) goto BAD_VERIFY;
1334
1335/* Handle name/address consistency verification in a separate function. */
1336
1337if (strcmpic(ss, US"reverse_host_lookup") == 0)
1338 {
596875b3 1339 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1340 if (sender_host_address == NULL) return OK;
1341 return acl_verify_reverse(user_msgptr, log_msgptr);
1342 }
1343
1344/* TLS certificate verification is done at STARTTLS time; here we just
1345test whether it was successful or not. (This is for optional verification; for
1346mandatory verification, the connection doesn't last this long.) */
1347
1348if (strcmpic(ss, US"certificate") == 0)
1349 {
596875b3 1350 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1351 if (tls_certificate_verified) return OK;
1352 *user_msgptr = US"no verified certificate";
1353 return FAIL;
1354 }
1355
1356/* We can test the result of optional HELO verification */
1357
596875b3
PH
1358if (strcmpic(ss, US"helo") == 0)
1359 {
1360 if (slash != NULL) goto NO_OPTIONS;
1361 return helo_verified? OK : FAIL;
1362 }
059ec3d9 1363
e5a9dba6
PH
1364/* Do Client SMTP Authorization checks in a separate function, and turn the
1365result code into user-friendly strings. */
1366
1367if (strcmpic(ss, US"csa") == 0)
1368 {
1369 rc = acl_verify_csa(list);
1370 *log_msgptr = *user_msgptr = string_sprintf("client SMTP authorization %s",
1371 csa_reason_string[rc]);
1372 csa_status = csa_status_string[rc];
1373 DEBUG(D_acl) debug_printf("CSA result %s\n", csa_status);
1374 return csa_return_code[rc];
1375 }
1376
596875b3
PH
1377/* Check that all relevant header lines have the correct syntax. If there is
1378a syntax error, we return details of the error to the sender if configured to
1379send out full details. (But a "message" setting on the ACL can override, as
1380always). */
059ec3d9 1381
596875b3 1382if (strcmpic(ss, US"header_syntax") == 0)
059ec3d9 1383 {
596875b3 1384 if (slash != NULL) goto NO_OPTIONS;
059ec3d9
PH
1385 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1386 {
1387 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1388 "(only possible in ACL for DATA)", acl_wherenames[where]);
1389 return ERROR;
1390 }
596875b3
PH
1391 rc = verify_check_headers(log_msgptr);
1392 if (rc != OK && smtp_return_error_details && *log_msgptr != NULL)
1393 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1394 return rc;
1395 }
059ec3d9 1396
059ec3d9 1397
596875b3
PH
1398/* The remaining verification tests check recipient and sender addresses,
1399either from the envelope or from the header. There are a number of
1400slash-separated options that are common to all of them. */
059ec3d9 1401
059ec3d9 1402
596875b3
PH
1403/* Check that there is at least one verifiable sender address in the relevant
1404header lines. This can be followed by callout and defer options, just like
1405sender and recipient. */
059ec3d9 1406
596875b3
PH
1407if (strcmpic(ss, US"header_sender") == 0)
1408 {
1409 if (where != ACL_WHERE_DATA && where != ACL_WHERE_NOTSMTP)
1410 {
1411 *log_msgptr = string_sprintf("cannot check header contents in ACL for %s "
1412 "(only possible in ACL for DATA)", acl_wherenames[where]);
1413 return ERROR;
1414 }
1415 verify_header_sender = TRUE;
059ec3d9
PH
1416 }
1417
1418/* Otherwise, first item in verify argument must be "sender" or "recipient".
1419In the case of a sender, this can optionally be followed by an address to use
1420in place of the actual sender (rare special-case requirement). */
1421
1422else if (strncmpic(ss, US"sender", 6) == 0)
1423 {
1424 uschar *s = ss + 6;
1425 if (where > ACL_WHERE_NOTSMTP)
1426 {
1427 *log_msgptr = string_sprintf("cannot verify sender in ACL for %s "
1428 "(only possible for MAIL, RCPT, PREDATA, or DATA)",
1429 acl_wherenames[where]);
1430 return ERROR;
1431 }
1432 if (*s == 0)
1433 verify_sender_address = sender_address;
1434 else
1435 {
1436 while (isspace(*s)) s++;
1437 if (*s++ != '=') goto BAD_VERIFY;
1438 while (isspace(*s)) s++;
1439 verify_sender_address = string_copy(s);
1440 }
1441 }
1442else
1443 {
1444 if (strcmpic(ss, US"recipient") != 0) goto BAD_VERIFY;
1445 if (addr == NULL)
1446 {
1447 *log_msgptr = string_sprintf("cannot verify recipient in ACL for %s "
1448 "(only possible for RCPT)", acl_wherenames[where]);
1449 return ERROR;
1450 }
1451 }
1452
596875b3
PH
1453/* Remaining items are optional; they apply to sender and recipient
1454verification, including "header sender" verification. */
059ec3d9
PH
1455
1456while ((ss = string_nextinlist(&list, &sep, big_buffer, big_buffer_size))
1457 != NULL)
1458 {
1459 if (strcmpic(ss, US"defer_ok") == 0) defer_ok = TRUE;
1460 else if (strcmpic(ss, US"no_details") == 0) no_details = TRUE;
1461
1462 /* These two old options are left for backwards compatibility */
1463
1464 else if (strcmpic(ss, US"callout_defer_ok") == 0)
1465 {
1466 callout_defer_ok = TRUE;
1467 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1468 }
1469
1470 else if (strcmpic(ss, US"check_postmaster") == 0)
1471 {
1472 pm_mailfrom = US"";
1473 if (callout == -1) callout = CALLOUT_TIMEOUT_DEFAULT;
1474 }
1475
1476 /* The callout option has a number of sub-options, comma separated */
1477
1478 else if (strncmpic(ss, US"callout", 7) == 0)
1479 {
1480 callout = CALLOUT_TIMEOUT_DEFAULT;
1481 ss += 7;
1482 if (*ss != 0)
1483 {
1484 while (isspace(*ss)) ss++;
1485 if (*ss++ == '=')
1486 {
1487 int optsep = ',';
1488 uschar *opt;
1489 uschar buffer[256];
1490 while (isspace(*ss)) ss++;
8e669ac1
PH
1491
1492 /* This callout option handling code has become a mess as new options
1493 have been added in an ad hoc manner. It should be tidied up into some
4deaf07d 1494 kind of table-driven thing. */
8e669ac1 1495
059ec3d9
PH
1496 while ((opt = string_nextinlist(&ss, &optsep, buffer, sizeof(buffer)))
1497 != NULL)
1498 {
1499 if (strcmpic(opt, US"defer_ok") == 0) callout_defer_ok = TRUE;
1500 else if (strcmpic(opt, US"no_cache") == 0)
1501 verify_options |= vopt_callout_no_cache;
1502 else if (strcmpic(opt, US"random") == 0)
1503 verify_options |= vopt_callout_random;
1504 else if (strcmpic(opt, US"use_sender") == 0)
1505 verify_options |= vopt_callout_recipsender;
1506 else if (strcmpic(opt, US"use_postmaster") == 0)
1507 verify_options |= vopt_callout_recippmaster;
1508 else if (strcmpic(opt, US"postmaster") == 0) pm_mailfrom = US"";
1509
1510 else if (strncmpic(opt, US"mailfrom", 8) == 0)
1511 {
1512 if (!verify_header_sender)
1513 {
1514 *log_msgptr = string_sprintf("\"mailfrom\" is allowed as a "
1515 "callout option only for verify=header_sender (detected in ACL "
1516 "condition \"%s\")", arg);
1517 return ERROR;
1518 }
1519 opt += 8;
1520 while (isspace(*opt)) opt++;
1521 if (*opt++ != '=')
1522 {
1523 *log_msgptr = string_sprintf("'=' expected after "
1524 "\"mailfrom\" in ACL condition \"%s\"", arg);
1525 return ERROR;
1526 }
1527 while (isspace(*opt)) opt++;
1528 se_mailfrom = string_copy(opt);
1529 }
1530
1531 else if (strncmpic(opt, US"postmaster_mailfrom", 19) == 0)
1532 {
1533 opt += 19;
1534 while (isspace(*opt)) opt++;
1535 if (*opt++ != '=')
1536 {
1537 *log_msgptr = string_sprintf("'=' expected after "
1538 "\"postmaster_mailfrom\" in ACL condition \"%s\"", arg);
1539 return ERROR;
1540 }
1541 while (isspace(*opt)) opt++;
1542 pm_mailfrom = string_copy(opt);
1543 }
1544
1545 else if (strncmpic(opt, US"maxwait", 7) == 0)
1546 {
1547 opt += 7;
1548 while (isspace(*opt)) opt++;
1549 if (*opt++ != '=')
1550 {
1551 *log_msgptr = string_sprintf("'=' expected after \"maxwait\" in "
1552 "ACL condition \"%s\"", arg);
1553 return ERROR;
1554 }
1555 while (isspace(*opt)) opt++;
1556 callout_overall = readconf_readtime(opt, 0, FALSE);
1557 if (callout_overall < 0)
1558 {
1559 *log_msgptr = string_sprintf("bad time value in ACL condition "
1560 "\"verify %s\"", arg);
1561 return ERROR;
1562 }
1563 }
4deaf07d
PH
1564 else if (strncmpic(opt, US"connect", 7) == 0)
1565 {
1566 opt += 7;
1567 while (isspace(*opt)) opt++;
1568 if (*opt++ != '=')
1569 {
1570 *log_msgptr = string_sprintf("'=' expected after "
1571 "\"callout_overaall\" in ACL condition \"%s\"", arg);
1572 return ERROR;
1573 }
1574 while (isspace(*opt)) opt++;
1575 callout_connect = readconf_readtime(opt, 0, FALSE);
1576 if (callout_connect < 0)
1577 {
1578 *log_msgptr = string_sprintf("bad time value in ACL condition "
1579 "\"verify %s\"", arg);
1580 return ERROR;
1581 }
1582 }
059ec3d9
PH
1583 else /* Plain time is callout connect/command timeout */
1584 {
1585 callout = readconf_readtime(opt, 0, FALSE);
1586 if (callout < 0)
1587 {
1588 *log_msgptr = string_sprintf("bad time value in ACL condition "
1589 "\"verify %s\"", arg);
1590 return ERROR;
1591 }
1592 }
1593 }
1594 }
1595 else
1596 {
1597 *log_msgptr = string_sprintf("'=' expected after \"callout\" in "
1598 "ACL condition \"%s\"", arg);
1599 return ERROR;
1600 }
1601 }
1602 }
1603
1604 /* Option not recognized */
1605
1606 else
1607 {
1608 *log_msgptr = string_sprintf("unknown option \"%s\" in ACL "
1609 "condition \"verify %s\"", ss, arg);
1610 return ERROR;
1611 }
1612 }
1613
1614if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster)) ==
1615 (vopt_callout_recipsender|vopt_callout_recippmaster))
1616 {
1617 *log_msgptr = US"only one of use_sender and use_postmaster can be set "
1618 "for a recipient callout";
1619 return ERROR;
1620 }
1621
1622/* Handle sender-in-header verification. Default the user message to the log
1623message if giving out verification details. */
1624
1625if (verify_header_sender)
1626 {
8e669ac1 1627 int verrno;
059ec3d9 1628 rc = verify_check_header_address(user_msgptr, log_msgptr, callout,
fe5b5d0b
PH
1629 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, verify_options,
1630 &verrno);
1631 if (rc != OK)
8e669ac1 1632 {
fe5b5d0b
PH
1633 *basic_errno = verrno;
1634 if (smtp_return_error_details)
1635 {
1636 if (*user_msgptr == NULL && *log_msgptr != NULL)
1637 *user_msgptr = string_sprintf("Rejected after DATA: %s", *log_msgptr);
1638 if (rc == DEFER) acl_temp_details = TRUE;
1639 }
8e669ac1 1640 }
059ec3d9
PH
1641 }
1642
1643/* Handle a sender address. The default is to verify *the* sender address, but
1644optionally a different address can be given, for special requirements. If the
1645address is empty, we are dealing with a bounce message that has no sender, so
1646we cannot do any checking. If the real sender address gets rewritten during
1647verification (e.g. DNS widening), set the flag to stop it being rewritten again
1648during message reception.
1649
1650A list of verified "sender" addresses is kept to try to avoid doing to much
1651work repetitively when there are multiple recipients in a message and they all
1652require sender verification. However, when callouts are involved, it gets too
1653complicated because different recipients may require different callout options.
1654Therefore, we always do a full sender verify when any kind of callout is
1655specified. Caching elsewhere, for instance in the DNS resolver and in the
1656callout handling, should ensure that this is not terribly inefficient. */
1657
1658else if (verify_sender_address != NULL)
1659 {
1660 if ((verify_options & (vopt_callout_recipsender|vopt_callout_recippmaster))
1661 != 0)
1662 {
1663 *log_msgptr = US"use_sender or use_postmaster cannot be used for a "
1664 "sender verify callout";
1665 return ERROR;
1666 }
1667
1668 sender_vaddr = verify_checked_sender(verify_sender_address);
1669 if (sender_vaddr != NULL && /* Previously checked */
1670 callout <= 0) /* No callout needed this time */
1671 {
1672 /* If the "routed" flag is set, it means that routing worked before, so
1673 this check can give OK (the saved return code value, if set, belongs to a
1674 callout that was done previously). If the "routed" flag is not set, routing
1675 must have failed, so we use the saved return code. */
1676
1677 if (testflag(sender_vaddr, af_verify_routed)) rc = OK; else
1678 {
1679 rc = sender_vaddr->special_action;
1680 *basic_errno = sender_vaddr->basic_errno;
1681 }
1682 HDEBUG(D_acl) debug_printf("using cached sender verify result\n");
1683 }
1684
1685 /* Do a new verification, and cache the result. The cache is used to avoid
1686 verifying the sender multiple times for multiple RCPTs when callouts are not
1687 specified (see comments above).
1688
1689 The cache is also used on failure to give details in response to the first
1690 RCPT that gets bounced for this reason. However, this can be suppressed by
1691 the no_details option, which sets the flag that says "this detail has already
1692 been sent". The cache normally contains just one address, but there may be
1693 more in esoteric circumstances. */
1694
1695 else
1696 {
1697 BOOL routed = TRUE;
2a3eea10 1698 uschar *save_address_data = deliver_address_data;
8e669ac1 1699
059ec3d9
PH
1700 sender_vaddr = deliver_make_addr(verify_sender_address, TRUE);
1701 if (no_details) setflag(sender_vaddr, af_sverify_told);
1702 if (verify_sender_address[0] != 0)
1703 {
1704 /* If this is the real sender address, save the unrewritten version
1705 for use later in receive. Otherwise, set a flag so that rewriting the
1706 sender in verify_address() does not update sender_address. */
1707
1708 if (verify_sender_address == sender_address)
1709 sender_address_unrewritten = sender_address;
1710 else
1711 verify_options |= vopt_fake_sender;
1712
1713 /* The recipient, qualify, and expn options are never set in
1714 verify_options. */
1715
1716 rc = verify_address(sender_vaddr, NULL, verify_options, callout,
4deaf07d 1717 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, &routed);
059ec3d9
PH
1718
1719 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
1720
1721 if (rc == OK)
1722 {
1723 if (Ustrcmp(sender_vaddr->address, verify_sender_address) != 0)
1724 {
1725 DEBUG(D_acl) debug_printf("sender %s verified ok as %s\n",
1726 verify_sender_address, sender_vaddr->address);
1727 }
1728 else
1729 {
1730 DEBUG(D_acl) debug_printf("sender %s verified ok\n",
1731 verify_sender_address);
1732 }
1733 }
1734 else *basic_errno = sender_vaddr->basic_errno;
1735 }
1736 else rc = OK; /* Null sender */
1737
1738 /* Cache the result code */
1739
1740 if (routed) setflag(sender_vaddr, af_verify_routed);
1741 if (callout > 0) setflag(sender_vaddr, af_verify_callout);
1742 sender_vaddr->special_action = rc;
1743 sender_vaddr->next = sender_verified_list;
1744 sender_verified_list = sender_vaddr;
8e669ac1
PH
1745
1746 /* Restore the recipient address data, which might have been clobbered by
2a3eea10 1747 the sender verification. */
8e669ac1 1748
2a3eea10 1749 deliver_address_data = save_address_data;
059ec3d9 1750 }
8e669ac1 1751
2a3eea10
PH
1752 /* Put the sender address_data value into $sender_address_data */
1753
8e669ac1 1754 sender_address_data = sender_vaddr->p.address_data;
059ec3d9
PH
1755 }
1756
1757/* A recipient address just gets a straightforward verify; again we must handle
1758the DEFER overrides. */
1759
1760else
1761 {
1762 address_item addr2;
1763
1764 /* We must use a copy of the address for verification, because it might
1765 get rewritten. */
1766
1767 addr2 = *addr;
1768 rc = verify_address(&addr2, NULL, verify_options|vopt_is_recipient, callout,
4deaf07d 1769 callout_overall, callout_connect, se_mailfrom, pm_mailfrom, NULL);
059ec3d9 1770 HDEBUG(D_acl) debug_printf("----------- end verify ------------\n");
8e669ac1 1771
059ec3d9 1772 *log_msgptr = addr2.message;
8e669ac1 1773 *user_msgptr = (addr2.user_message != NULL)?
6729cf78 1774 addr2.user_message : addr2.message;
059ec3d9
PH
1775 *basic_errno = addr2.basic_errno;
1776
1777 /* Make $address_data visible */
1778 deliver_address_data = addr2.p.address_data;
1779 }
1780
1781/* We have a result from the relevant test. Handle defer overrides first. */
1782
1783if (rc == DEFER && (defer_ok ||
1784 (callout_defer_ok && *basic_errno == ERRNO_CALLOUTDEFER)))
1785 {
1786 HDEBUG(D_acl) debug_printf("verify defer overridden by %s\n",
1787 defer_ok? "defer_ok" : "callout_defer_ok");
1788 rc = OK;
1789 }
1790
1791/* If we've failed a sender, set up a recipient message, and point
1792sender_verified_failed to the address item that actually failed. */
1793
1794if (rc != OK && verify_sender_address != NULL)
1795 {
1796 if (rc != DEFER)
1797 {
1798 *log_msgptr = *user_msgptr = US"Sender verify failed";
1799 }
1800 else if (*basic_errno != ERRNO_CALLOUTDEFER)
1801 {
1802 *log_msgptr = *user_msgptr = US"Could not complete sender verify";
1803 }
1804 else
1805 {
1806 *log_msgptr = US"Could not complete sender verify callout";
1807 *user_msgptr = smtp_return_error_details? sender_vaddr->user_message :
1808 *log_msgptr;
1809 }
1810
1811 sender_verified_failed = sender_vaddr;
1812 }
1813
1814/* Verifying an address messes up the values of $domain and $local_part,
1815so reset them before returning if this is a RCPT ACL. */
1816
1817if (addr != NULL)
1818 {
1819 deliver_domain = addr->domain;
1820 deliver_localpart = addr->local_part;
1821 }
1822return rc;
1823
1824/* Syntax errors in the verify argument come here. */
1825
1826BAD_VERIFY:
1827*log_msgptr = string_sprintf("expected \"sender[=address]\", \"recipient\", "
596875b3
PH
1828 "\"helo\", \"header_syntax\", \"header_sender\" or "
1829 "\"reverse_host_lookup\" at start of ACL condition "
059ec3d9
PH
1830 "\"verify %s\"", arg);
1831return ERROR;
596875b3
PH
1832
1833/* Options supplied when not allowed come here */
1834
1835NO_OPTIONS:
1836*log_msgptr = string_sprintf("unexpected '/' found in \"%s\" "
1837 "(this verify item has no options)", arg);
1838return ERROR;
059ec3d9
PH
1839}
1840
1841
1842
1843
1844/*************************************************
1845* Check argument for control= modifier *
1846*************************************************/
1847
1848/* Called from acl_check_condition() below
1849
1850Arguments:
1851 arg the argument string for control=
1852 pptr set to point to the terminating character
1853 where which ACL we are in
1854 log_msgptr for error messages
1855
1856Returns: CONTROL_xxx value
1857*/
1858
1859static int
1860decode_control(uschar *arg, uschar **pptr, int where, uschar **log_msgptr)
1861{
1862int len;
1863control_def *d;
1864
1865for (d = controls_list;
1866 d < controls_list + sizeof(controls_list)/sizeof(control_def);
1867 d++)
1868 {
1869 len = Ustrlen(d->name);
1870 if (Ustrncmp(d->name, arg, len) == 0) break;
1871 }
1872
1873if (d >= controls_list + sizeof(controls_list)/sizeof(control_def) ||
1874 (arg[len] != 0 && (!d->has_option || arg[len] != '/')))
1875 {
1876 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
1877 return CONTROL_ERROR;
1878 }
1879
059ec3d9
PH
1880*pptr = arg + len;
1881return d->value;
1882}
1883
1884
1885
1886/*************************************************
1887* Handle conditions/modifiers on an ACL item *
1888*************************************************/
1889
1890/* Called from acl_check() below.
1891
1892Arguments:
1893 verb ACL verb
1894 cb ACL condition block - if NULL, result is OK
1895 where where called from
1896 addr the address being checked for RCPT, or NULL
1897 level the nesting level
1898 epp pointer to pass back TRUE if "endpass" encountered
1899 (applies only to "accept" and "discard")
1900 user_msgptr user message pointer
1901 log_msgptr log message pointer
1902 basic_errno pointer to where to put verify error
1903
1904Returns: OK - all conditions are met
1905 DISCARD - an "acl" condition returned DISCARD - only allowed
1906 for "accept" or "discard" verbs
1907 FAIL - at least one condition fails
1908 FAIL_DROP - an "acl" condition returned FAIL_DROP
1909 DEFER - can't tell at the moment (typically, lookup defer,
1910 but can be temporary callout problem)
1911 ERROR - ERROR from nested ACL or expansion failure or other
1912 error
1913*/
1914
1915static int
1916acl_check_condition(int verb, acl_condition_block *cb, int where,
1917 address_item *addr, int level, BOOL *epp, uschar **user_msgptr,
1918 uschar **log_msgptr, int *basic_errno)
1919{
1920uschar *user_message = NULL;
1921uschar *log_message = NULL;
1922uschar *p;
1923int rc = OK;
8523533c
TK
1924#ifdef WITH_CONTENT_SCAN
1925int sep = '/';
1926#endif
059ec3d9
PH
1927
1928for (; cb != NULL; cb = cb->next)
1929 {
1930 uschar *arg;
8e669ac1 1931 int control_type;
059ec3d9
PH
1932
1933 /* The message and log_message items set up messages to be used in
1934 case of rejection. They are expanded later. */
1935
1936 if (cb->type == ACLC_MESSAGE)
1937 {
1938 user_message = cb->arg;
1939 continue;
1940 }
1941
1942 if (cb->type == ACLC_LOG_MESSAGE)
1943 {
1944 log_message = cb->arg;
1945 continue;
1946 }
1947
1948 /* The endpass "condition" just sets a flag to show it occurred. This is
1949 checked at compile time to be on an "accept" or "discard" item. */
1950
1951 if (cb->type == ACLC_ENDPASS)
1952 {
1953 *epp = TRUE;
1954 continue;
1955 }
1956
1957 /* For other conditions and modifiers, the argument is expanded now for some
1958 of them, but not for all, because expansion happens down in some lower level
1959 checking functions in some cases. */
1960
1961 if (cond_expand_at_top[cb->type])
1962 {
1963 arg = expand_string(cb->arg);
1964 if (arg == NULL)
1965 {
1966 if (expand_string_forcedfail) continue;
1967 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s",
1968 cb->arg, expand_string_message);
1969 return search_find_defer? DEFER : ERROR;
1970 }
1971 }
1972 else arg = cb->arg;
1973
1974 /* Show condition, and expanded condition if it's different */
1975
1976 HDEBUG(D_acl)
1977 {
1978 int lhswidth = 0;
1979 debug_printf("check %s%s %n",
1980 (!cond_modifiers[cb->type] && cb->u.negated)? "!":"",
1981 conditions[cb->type], &lhswidth);
1982
1983 if (cb->type == ACLC_SET)
1984 {
1985 int n = cb->u.varnumber;
1986 int t = (n < ACL_C_MAX)? 'c' : 'm';
1987 if (n >= ACL_C_MAX) n -= ACL_C_MAX;
1988 debug_printf("acl_%c%d ", t, n);
1989 lhswidth += 7;
1990 }
1991
1992 debug_printf("= %s\n", cb->arg);
1993
1994 if (arg != cb->arg)
1995 debug_printf("%.*s= %s\n", lhswidth,
1996 US" ", CS arg);
1997 }
1998
1999 /* Check that this condition makes sense at this time */
2000
2001 if ((cond_forbids[cb->type] & (1 << where)) != 0)
2002 {
2003 *log_msgptr = string_sprintf("cannot %s %s condition in %s ACL",
2004 cond_modifiers[cb->type]? "use" : "test",
2005 conditions[cb->type], acl_wherenames[where]);
2006 return ERROR;
2007 }
2008
2009 /* Run the appropriate test for each condition, or take the appropriate
2010 action for the remaining modifiers. */
2011
2012 switch(cb->type)
2013 {
2014 /* A nested ACL that returns "discard" makes sense only for an "accept" or
2015 "discard" verb. */
2016
2017 case ACLC_ACL:
2018 rc = acl_check_internal(where, addr, arg, level+1, user_msgptr, log_msgptr);
2019 if (rc == DISCARD && verb != ACL_ACCEPT && verb != ACL_DISCARD)
2020 {
2021 *log_msgptr = string_sprintf("nested ACL returned \"discard\" for "
2022 "\"%s\" command (only allowed with \"accept\" or \"discard\")",
2023 verbs[verb]);
2024 return ERROR;
2025 }
2026 break;
2027
2028 case ACLC_AUTHENTICATED:
2029 rc = (sender_host_authenticated == NULL)? FAIL :
2030 match_isinlist(sender_host_authenticated, &arg, 0, NULL, NULL, MCL_STRING,
2031 TRUE, NULL);
2032 break;
2033
8523533c
TK
2034#ifdef EXPERIMENTAL_BRIGHTMAIL
2035 case ACLC_BMI_OPTIN:
2036 {
2037 int old_pool = store_pool;
2038 store_pool = POOL_PERM;
2039 bmi_current_optin = string_copy(arg);
2040 store_pool = old_pool;
2041 }
2042 break;
2043#endif
2044
059ec3d9
PH
2045 case ACLC_CONDITION:
2046 if (Ustrspn(arg, "0123456789") == Ustrlen(arg)) /* Digits, or empty */
2047 rc = (Uatoi(arg) == 0)? FAIL : OK;
2048 else
2049 rc = (strcmpic(arg, US"no") == 0 ||
2050 strcmpic(arg, US"false") == 0)? FAIL :
2051 (strcmpic(arg, US"yes") == 0 ||
2052 strcmpic(arg, US"true") == 0)? OK : DEFER;
2053 if (rc == DEFER)
2054 *log_msgptr = string_sprintf("invalid \"condition\" value \"%s\"", arg);
2055 break;
2056
2057 case ACLC_CONTROL:
c5fcb476
PH
2058 control_type = decode_control(arg, &p, where, log_msgptr);
2059
8523533c 2060 /* Check if this control makes sense at this time */
c5fcb476
PH
2061
2062 if ((control_forbids[control_type] & (1 << where)) != 0)
2063 {
2064 *log_msgptr = string_sprintf("cannot use \"control=%s\" in %s ACL",
2065 controls[control_type], acl_wherenames[where]);
2066 return ERROR;
8e669ac1 2067 }
c5fcb476
PH
2068
2069 switch(control_type)
059ec3d9 2070 {
8523533c
TK
2071#ifdef EXPERIMENTAL_BRIGHTMAIL
2072 case CONTROL_BMI_RUN:
2073 bmi_run = 1;
2074 break;
2075#endif
fb2274d4
TK
2076#ifdef EXPERIMENTAL_DOMAINKEYS
2077 case CONTROL_DK_VERIFY:
2078 dk_do_verify = 1;
2079 break;
2080#endif
059ec3d9
PH
2081 case CONTROL_ERROR:
2082 return ERROR;
2083
2084 case CONTROL_CASEFUL_LOCAL_PART:
2085 deliver_localpart = addr->cc_local_part;
2086 break;
2087
2088 case CONTROL_CASELOWER_LOCAL_PART:
2089 deliver_localpart = addr->lc_local_part;
2090 break;
2091
2092 case CONTROL_ENFORCE_SYNC:
2093 smtp_enforce_sync = TRUE;
2094 break;
2095
2096 case CONTROL_NO_ENFORCE_SYNC:
2097 smtp_enforce_sync = FALSE;
2098 break;
2099
8523533c
TK
2100#ifdef WITH_CONTENT_SCAN
2101 case CONTROL_NO_MBOX_UNSPOOL:
2102 no_mbox_unspool = TRUE;
2103 break;
2104#endif
2105
059ec3d9
PH
2106 case CONTROL_NO_MULTILINE:
2107 no_multiline_responses = TRUE;
2108 break;
2109
29aba418 2110 case CONTROL_FAKEDEFER:
8523533c 2111 case CONTROL_FAKEREJECT:
29aba418 2112 fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
8523533c 2113 if (*p == '/')
8e669ac1 2114 {
8523533c 2115 uschar *pp = p + 1;
8e669ac1 2116 while (*pp != 0) pp++;
29aba418 2117 fake_response_text = expand_string(string_copyn(p+1, pp-p-1));
8523533c
TK
2118 p = pp;
2119 }
2120 else
2121 {
2122 /* Explicitly reset to default string */
29aba418 2123 fake_response_text = US"Your message has been rejected but is being kept for evaluation.\nIf it was a legitimate message, it may still be delivered to the target recipient(s).";
8523533c
TK
2124 }
2125 break;
8523533c 2126
059ec3d9
PH
2127 case CONTROL_FREEZE:
2128 deliver_freeze = TRUE;
2129 deliver_frozen_at = time(NULL);
2130 break;
2131
2132 case CONTROL_QUEUE_ONLY:
2133 queue_only_policy = TRUE;
2134 break;
2135
2136 case CONTROL_SUBMISSION:
87ba3f5f 2137 originator_name = US"";
059ec3d9 2138 submission_mode = TRUE;
69358f02 2139 while (*p == '/')
8e669ac1 2140 {
69358f02
PH
2141 if (Ustrncmp(p, "/sender_retain", 14) == 0)
2142 {
2143 p += 14;
2144 active_local_sender_retain = TRUE;
8e669ac1
PH
2145 active_local_from_check = FALSE;
2146 }
69358f02
PH
2147 else if (Ustrncmp(p, "/domain=", 8) == 0)
2148 {
2149 uschar *pp = p + 8;
8e669ac1 2150 while (*pp != 0 && *pp != '/') pp++;
87ba3f5f
PH
2151 submission_domain = string_copyn(p+8, pp-p-8);
2152 p = pp;
2153 }
2154 else if (Ustrncmp(p, "/name=", 6) == 0)
2155 {
2156 uschar *pp = p + 6;
2157 while (*pp != 0 && *pp != '/') pp++;
2158 originator_name = string_copy(parse_fix_phrase(p+6, pp-p-6,
2159 big_buffer, big_buffer_size));
8e669ac1 2160 p = pp;
69358f02 2161 }
8e669ac1
PH
2162 else break;
2163 }
69358f02 2164 if (*p != 0)
059ec3d9 2165 {
69358f02 2166 *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
059ec3d9
PH
2167 return ERROR;
2168 }
2169 break;
2170 }
2171 break;
2172
8523533c
TK
2173#ifdef WITH_CONTENT_SCAN
2174 case ACLC_DECODE:
2175 rc = mime_decode(&arg);
2176 break;
2177#endif
2178
059ec3d9
PH
2179 case ACLC_DELAY:
2180 {
2181 int delay = readconf_readtime(arg, 0, FALSE);
2182 if (delay < 0)
2183 {
2184 *log_msgptr = string_sprintf("syntax error in argument for \"delay\" "
2185 "modifier: \"%s\" is not a time value", arg);
2186 return ERROR;
2187 }
2188 else
2189 {
2190 HDEBUG(D_acl) debug_printf("delay modifier requests %d-second delay\n",
2191 delay);
2192 if (host_checking)
2193 {
2194 HDEBUG(D_acl)
2195 debug_printf("delay skipped in -bh checking mode\n");
2196 }
010c2d14
PH
2197
2198 /* It appears to be impossible to detect that a TCP/IP connection has
2199 gone away without reading from it. This means that we cannot shorten
2200 the delay below if the client goes away, because we cannot discover
2201 that the client has closed its end of the connection. (The connection
2202 is actually in a half-closed state, waiting for the server to close its
2203 end.) It would be nice to be able to detect this state, so that the
2204 Exim process is not held up unnecessarily. However, it seems that we
2205 can't. The poll() function does not do the right thing, and in any case
2206 it is not always available.
2207
2208 NOTE: If ever this state of affairs changes, remember that we may be
2209 dealing with stdin/stdout here, in addition to TCP/IP connections.
2210 Whatever is done must work in both cases. To detected the stdin/stdout
2211 case, check for smtp_in or smtp_out being NULL. */
2212
8e669ac1 2213 else
86b8287f
PH
2214 {
2215 while (delay > 0) delay = sleep(delay);
8e669ac1 2216 }
059ec3d9
PH
2217 }
2218 }
2219 break;
2220
8523533c
TK
2221#ifdef WITH_OLD_DEMIME
2222 case ACLC_DEMIME:
2223 rc = demime(&arg);
2224 break;
2225#endif
2226
fb2274d4
TK
2227#ifdef EXPERIMENTAL_DOMAINKEYS
2228 case ACLC_DK_DOMAIN_SOURCE:
2229 if (dk_verify_block == NULL) { rc = FAIL; break; };
2230 /* check header source of domain against given string */
2231 switch (dk_verify_block->address_source) {
2232 case DK_EXIM_ADDRESS_FROM_FROM:
2233 rc = match_isinlist(US"from", &arg, 0, NULL,
2234 NULL, MCL_STRING, TRUE, NULL);
2235 break;
2236 case DK_EXIM_ADDRESS_FROM_SENDER:
2237 rc = match_isinlist(US"sender", &arg, 0, NULL,
2238 NULL, MCL_STRING, TRUE, NULL);
2239 break;
2240 case DK_EXIM_ADDRESS_NONE:
2241 rc = match_isinlist(US"none", &arg, 0, NULL,
2242 NULL, MCL_STRING, TRUE, NULL);
2243 break;
2244 }
2245 break;
2246 case ACLC_DK_POLICY:
2247 if (dk_verify_block == NULL) { rc = FAIL; break; };
2248 /* check policy against given string, default FAIL */
2249 rc = FAIL;
2250 if (dk_verify_block->signsall)
2251 rc = match_isinlist(US"signsall", &arg, 0, NULL,
2252 NULL, MCL_STRING, TRUE, NULL);
2253 if (dk_verify_block->testing)
2254 rc = match_isinlist(US"testing", &arg, 0, NULL,
2255 NULL, MCL_STRING, TRUE, NULL);
2256 break;
2257 case ACLC_DK_SENDER_DOMAINS:
2258 if (dk_verify_block == NULL) { rc = FAIL; break; };
2259 if (dk_verify_block->domain != NULL)
2260 rc = match_isinlist(dk_verify_block->domain, &arg, 0, &domainlist_anchor,
2261 NULL, MCL_DOMAIN, TRUE, NULL);
2262 else rc = FAIL;
2263 break;
2264 case ACLC_DK_SENDER_LOCAL_PARTS:
2265 if (dk_verify_block == NULL) { rc = FAIL; break; };
2266 if (dk_verify_block->local_part != NULL)
2267 rc = match_isinlist(dk_verify_block->local_part, &arg, 0, &localpartlist_anchor,
2268 NULL, MCL_LOCALPART, TRUE, NULL);
2269 else rc = FAIL;
2270 break;
2271 case ACLC_DK_SENDERS:
2272 if (dk_verify_block == NULL) { rc = FAIL; break; };
2273 if (dk_verify_block->address != NULL)
2274 rc = match_address_list(dk_verify_block->address, TRUE, TRUE, &arg, NULL, -1, 0, NULL);
2275 else rc = FAIL;
2276 break;
2277 case ACLC_DK_STATUS:
2278 if (dk_verify_block == NULL) { rc = FAIL; break; };
2279 if (dk_verify_block->result > 0) {
2280 switch(dk_verify_block->result) {
2281 case DK_EXIM_RESULT_BAD_FORMAT:
2282 rc = match_isinlist(US"bad format", &arg, 0, NULL,
2283 NULL, MCL_STRING, TRUE, NULL);
2284 break;
2285 case DK_EXIM_RESULT_NO_KEY:
2286 rc = match_isinlist(US"no key", &arg, 0, NULL,
2287 NULL, MCL_STRING, TRUE, NULL);
2288 break;
2289 case DK_EXIM_RESULT_NO_SIGNATURE:
2290 rc = match_isinlist(US"no signature", &arg, 0, NULL,
2291 NULL, MCL_STRING, TRUE, NULL);
2292 break;
2293 case DK_EXIM_RESULT_REVOKED:
2294 rc = match_isinlist(US"revoked", &arg, 0, NULL,
2295 NULL, MCL_STRING, TRUE, NULL);
2296 break;
2297 case DK_EXIM_RESULT_NON_PARTICIPANT:
2298 rc = match_isinlist(US"non-participant", &arg, 0, NULL,
2299 NULL, MCL_STRING, TRUE, NULL);
2300 break;
2301 case DK_EXIM_RESULT_GOOD:
2302 rc = match_isinlist(US"good", &arg, 0, NULL,
2303 NULL, MCL_STRING, TRUE, NULL);
2304 break;
2305 case DK_EXIM_RESULT_BAD:
2306 rc = match_isinlist(US"bad", &arg, 0, NULL,
2307 NULL, MCL_STRING, TRUE, NULL);
2308 break;
2309 }
2310 }
2311 break;
2312#endif
2313
059ec3d9
PH
2314 case ACLC_DNSLISTS:
2315 rc = verify_check_dnsbl(&arg);
2316 break;
2317
2318 case ACLC_DOMAINS:
2319 rc = match_isinlist(addr->domain, &arg, 0, &domainlist_anchor,
2320 addr->domain_cache, MCL_DOMAIN, TRUE, &deliver_domain_data);
2321 break;
2322
2323 /* The value in tls_cipher is the full cipher name, for example,
2324 TLSv1:DES-CBC3-SHA:168, whereas the values to test for are just the
2325 cipher names such as DES-CBC3-SHA. But program defensively. We don't know
2326 what may in practice come out of the SSL library - which at the time of
2327 writing is poorly documented. */
2328
2329 case ACLC_ENCRYPTED:
2330 if (tls_cipher == NULL) rc = FAIL; else
2331 {
2332 uschar *endcipher = NULL;
2333 uschar *cipher = Ustrchr(tls_cipher, ':');
2334 if (cipher == NULL) cipher = tls_cipher; else
2335 {
2336 endcipher = Ustrchr(++cipher, ':');
2337 if (endcipher != NULL) *endcipher = 0;
2338 }
2339 rc = match_isinlist(cipher, &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
2340 if (endcipher != NULL) *endcipher = ':';
2341 }
2342 break;
2343
2344 /* Use verify_check_this_host() instead of verify_check_host() so that
2345 we can pass over &host_data to catch any looked up data. Once it has been
2346 set, it retains its value so that it's still there if another ACL verb
2347 comes through here and uses the cache. However, we must put it into
2348 permanent store in case it is also expected to be used in a subsequent
2349 message in the same SMTP connection. */
2350
2351 case ACLC_HOSTS:
2352 rc = verify_check_this_host(&arg, sender_host_cache, NULL,
2353 (sender_host_address == NULL)? US"" : sender_host_address, &host_data);
2354 if (host_data != NULL) host_data = string_copy_malloc(host_data);
2355 break;
2356
2357 case ACLC_LOCAL_PARTS:
2358 rc = match_isinlist(addr->cc_local_part, &arg, 0,
2359 &localpartlist_anchor, addr->localpart_cache, MCL_LOCALPART, TRUE,
2360 &deliver_localpart_data);
2361 break;
2362
2363 case ACLC_LOGWRITE:
2364 {
2365 int logbits = 0;
2366 uschar *s = arg;
2367 if (*s == ':')
2368 {
2369 s++;
2370 while (*s != ':')
2371 {
2372 if (Ustrncmp(s, "main", 4) == 0)
2373 { logbits |= LOG_MAIN; s += 4; }
2374 else if (Ustrncmp(s, "panic", 5) == 0)
2375 { logbits |= LOG_PANIC; s += 5; }
2376 else if (Ustrncmp(s, "reject", 6) == 0)
2377 { logbits |= LOG_REJECT; s += 6; }
2378 else
2379 {
2380 logbits = LOG_MAIN|LOG_PANIC;
2381 s = string_sprintf(":unknown log name in \"%s\" in "
2382 "\"logwrite\" in %s ACL", arg, acl_wherenames[where]);
2383 }
2384 if (*s == ',') s++;
2385 }
2386 s++;
2387 }
2388 while (isspace(*s)) s++;
2389 if (logbits == 0) logbits = LOG_MAIN;
2390 log_write(0, logbits, "%s", string_printing(s));
2391 }
2392 break;
8e669ac1 2393
8523533c
TK
2394#ifdef WITH_CONTENT_SCAN
2395 case ACLC_MALWARE:
2396 {
2397 /* Seperate the regular expression and any optional parameters. */
2398 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2399 /* Run the malware backend. */
2400 rc = malware(&ss);
2401 /* Modify return code based upon the existance of options. */
2402 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2403 != NULL) {
2404 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2405 {
2406 /* FAIL so that the message is passed to the next ACL */
2407 rc = FAIL;
2408 }
2409 }
2410 }
2411 break;
2412
2413 case ACLC_MIME_REGEX:
2414 rc = mime_regex(&arg);
2415 break;
2416#endif
059ec3d9
PH
2417
2418 case ACLC_RECIPIENTS:
2419 rc = match_address_list(addr->address, TRUE, TRUE, &arg, NULL, -1, 0,
2420 &recipient_data);
2421 break;
2422
8523533c
TK
2423#ifdef WITH_CONTENT_SCAN
2424 case ACLC_REGEX:
2425 rc = regex(&arg);
2426 break;
2427#endif
2428
059ec3d9
PH
2429 case ACLC_SENDER_DOMAINS:
2430 {
2431 uschar *sdomain;
2432 sdomain = Ustrrchr(sender_address, '@');
2433 sdomain = (sdomain == NULL)? US"" : sdomain + 1;
2434 rc = match_isinlist(sdomain, &arg, 0, &domainlist_anchor,
2435 sender_domain_cache, MCL_DOMAIN, TRUE, NULL);
2436 }
2437 break;
2438
2439 case ACLC_SENDERS:
2440 rc = match_address_list(sender_address, TRUE, TRUE, &arg,
2441 sender_address_cache, -1, 0, &sender_data);
2442 break;
2443
2444 /* Connection variables must persist forever */
2445
2446 case ACLC_SET:
2447 {
2448 int old_pool = store_pool;
2449 if (cb->u.varnumber < ACL_C_MAX) store_pool = POOL_PERM;
2450 acl_var[cb->u.varnumber] = string_copy(arg);
2451 store_pool = old_pool;
2452 }
2453 break;
2454
8523533c
TK
2455#ifdef WITH_CONTENT_SCAN
2456 case ACLC_SPAM:
2457 {
2458 /* Seperate the regular expression and any optional parameters. */
2459 uschar *ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size);
2460 /* Run the spam backend. */
2461 rc = spam(&ss);
2462 /* Modify return code based upon the existance of options. */
2463 while ((ss = string_nextinlist(&arg, &sep, big_buffer, big_buffer_size))
2464 != NULL) {
2465 if (strcmpic(ss, US"defer_ok") == 0 && rc == DEFER)
2466 {
2467 /* FAIL so that the message is passed to the next ACL */
2468 rc = FAIL;
2469 }
2470 }
2471 }
2472 break;
2473#endif
2474
2475#ifdef EXPERIMENTAL_SPF
2476 case ACLC_SPF:
2477 rc = spf_process(&arg, sender_address);
2478 break;
2479#endif
2480
059ec3d9
PH
2481 /* If the verb is WARN, discard any user message from verification, because
2482 such messages are SMTP responses, not header additions. The latter come
475fe28a
PH
2483 only from explicit "message" modifiers. However, put the user message into
2484 $acl_verify_message so it can be used in subsequent conditions or modifiers
2485 (until something changes it). */
059ec3d9
PH
2486
2487 case ACLC_VERIFY:
2488 rc = acl_verify(where, addr, arg, user_msgptr, log_msgptr, basic_errno);
475fe28a 2489 acl_verify_message = *user_msgptr;
059ec3d9
PH
2490 if (verb == ACL_WARN) *user_msgptr = NULL;
2491 break;
2492
2493 default:
2494 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown "
2495 "condition %d", cb->type);
2496 break;
2497 }
2498
2499 /* If a condition was negated, invert OK/FAIL. */
2500
2501 if (!cond_modifiers[cb->type] && cb->u.negated)
2502 {
2503 if (rc == OK) rc = FAIL;
2504 else if (rc == FAIL || rc == FAIL_DROP) rc = OK;
2505 }
2506
2507 if (rc != OK) break; /* Conditions loop */
2508 }
2509
2510
2511/* If the result is the one for which "message" and/or "log_message" are used,
2512handle the values of these options. Most verbs have but a single return for
2513which the messages are relevant, but for "discard", it's useful to have the log
2514message both when it succeeds and when it fails. Also, for an "accept" that
2515appears in a QUIT ACL, we want to handle the user message. Since only "accept"
2516and "warn" are permitted in that ACL, we don't need to test the verb.
2517
2518These modifiers act in different ways:
2519
2520"message" is a user message that will be included in an SMTP response. Unless
2521it is empty, it overrides any previously set user message.
2522
2523"log_message" is a non-user message, and it adds to any existing non-user
2524message that is already set.
2525
2526If there isn't a log message set, we make it the same as the user message. */
2527
2528if (((rc == FAIL_DROP)? FAIL : rc) == msgcond[verb] ||
2529 (verb == ACL_DISCARD && rc == OK) ||
2530 (where == ACL_WHERE_QUIT))
2531 {
2532 uschar *expmessage;
2533
2534 /* If the verb is "warn", messages generated by conditions (verification or
2535 nested ACLs) are discarded. Only messages specified at this level are used.
2536 However, the value of an existing message is available in $acl_verify_message
2537 during expansions. */
2538
2539 uschar *old_user_msgptr = *user_msgptr;
2540 uschar *old_log_msgptr = (*log_msgptr != NULL)? *log_msgptr : old_user_msgptr;
2541
2542 if (verb == ACL_WARN) *log_msgptr = *user_msgptr = NULL;
2543
2544 if (user_message != NULL)
2545 {
2546 acl_verify_message = old_user_msgptr;
2547 expmessage = expand_string(user_message);
2548 if (expmessage == NULL)
2549 {
2550 if (!expand_string_forcedfail)
2551 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2552 user_message, expand_string_message);
2553 }
2554 else if (expmessage[0] != 0) *user_msgptr = expmessage;
2555 }
2556
2557 if (log_message != NULL)
2558 {
2559 acl_verify_message = old_log_msgptr;
2560 expmessage = expand_string(log_message);
2561 if (expmessage == NULL)
2562 {
2563 if (!expand_string_forcedfail)
2564 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand ACL message \"%s\": %s",
2565 log_message, expand_string_message);
2566 }
2567 else if (expmessage[0] != 0)
2568 {
2569 *log_msgptr = (*log_msgptr == NULL)? expmessage :
2570 string_sprintf("%s: %s", expmessage, *log_msgptr);
2571 }
2572 }
2573
2574 /* If no log message, default it to the user message */
2575
2576 if (*log_msgptr == NULL) *log_msgptr = *user_msgptr;
2577 }
2578
2579acl_verify_message = NULL;
2580return rc;
2581}
2582
2583
2584
2585
2586
2587/*************************************************
2588* Get line from a literal ACL *
2589*************************************************/
2590
2591/* This function is passed to acl_read() in order to extract individual lines
2592of a literal ACL, which we access via static pointers. We can destroy the
2593contents because this is called only once (the compiled ACL is remembered).
2594
2595This code is intended to treat the data in the same way as lines in the main
2596Exim configuration file. That is:
2597
2598 . Leading spaces are ignored.
2599
2600 . A \ at the end of a line is a continuation - trailing spaces after the \
2601 are permitted (this is because I don't believe in making invisible things
2602 significant). Leading spaces on the continued part of a line are ignored.
2603
2604 . Physical lines starting (significantly) with # are totally ignored, and
2605 may appear within a sequence of backslash-continued lines.
2606
2607 . Blank lines are ignored, but will end a sequence of continuations.
2608
2609Arguments: none
2610Returns: a pointer to the next line
2611*/
2612
2613
2614static uschar *acl_text; /* Current pointer in the text */
2615static uschar *acl_text_end; /* Points one past the terminating '0' */
2616
2617
2618static uschar *
2619acl_getline(void)
2620{
2621uschar *yield;
2622
2623/* This loop handles leading blank lines and comments. */
2624
2625for(;;)
2626 {
2627 while (isspace(*acl_text)) acl_text++; /* Leading spaces/empty lines */
2628 if (*acl_text == 0) return NULL; /* No more data */
2629 yield = acl_text; /* Potential data line */
2630
2631 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2632
2633 /* If we hit the end before a newline, we have the whole logical line. If
2634 it's a comment, there's no more data to be given. Otherwise, yield it. */
2635
2636 if (*acl_text == 0) return (*yield == '#')? NULL : yield;
2637
2638 /* After reaching a newline, end this loop if the physical line does not
2639 start with '#'. If it does, it's a comment, and the loop continues. */
2640
2641 if (*yield != '#') break;
2642 }
2643
2644/* This loop handles continuations. We know we have some real data, ending in
2645newline. See if there is a continuation marker at the end (ignoring trailing
2646white space). We know that *yield is not white space, so no need to test for
2647cont > yield in the backwards scanning loop. */
2648
2649for(;;)
2650 {
2651 uschar *cont;
2652 for (cont = acl_text - 1; isspace(*cont); cont--);
2653
2654 /* If no continuation follows, we are done. Mark the end of the line and
2655 return it. */
2656
2657 if (*cont != '\\')
2658 {
2659 *acl_text++ = 0;
2660 return yield;
2661 }
2662
2663 /* We have encountered a continuation. Skip over whitespace at the start of
2664 the next line, and indeed the whole of the next line or lines if they are
2665 comment lines. */
2666
2667 for (;;)
2668 {
2669 while (*(++acl_text) == ' ' || *acl_text == '\t');
2670 if (*acl_text != '#') break;
2671 while (*(++acl_text) != 0 && *acl_text != '\n');
2672 }
2673
2674 /* We have the start of a continuation line. Move all the rest of the data
2675 to join onto the previous line, and then find its end. If the end is not a
2676 newline, we are done. Otherwise loop to look for another continuation. */
2677
2678 memmove(cont, acl_text, acl_text_end - acl_text);
2679 acl_text_end -= acl_text - cont;
2680 acl_text = cont;
2681 while (*acl_text != 0 && *acl_text != '\n') acl_text++;
2682 if (*acl_text == 0) return yield;
2683 }
2684
2685/* Control does not reach here */
2686}
2687
2688
2689
2690
2691
2692/*************************************************
2693* Check access using an ACL *
2694*************************************************/
2695
2696/* This function is called from address_check. It may recurse via
2697acl_check_condition() - hence the use of a level to stop looping. The ACL is
2698passed as a string which is expanded. A forced failure implies no access check
2699is required. If the result is a single word, it is taken as the name of an ACL
2700which is sought in the global ACL tree. Otherwise, it is taken as literal ACL
2701text, complete with newlines, and parsed as such. In both cases, the ACL check
2702is then run. This function uses an auxiliary function for acl_read() to call
2703for reading individual lines of a literal ACL. This is acl_getline(), which
2704appears immediately above.
2705
2706Arguments:
2707 where where called from
2708 addr address item when called from RCPT; otherwise NULL
2709 s the input string; NULL is the same as an empty ACL => DENY
2710 level the nesting level
2711 user_msgptr where to put a user error (for SMTP response)
2712 log_msgptr where to put a logging message (not for SMTP response)
2713
2714Returns: OK access is granted
2715 DISCARD access is apparently granted...
2716 FAIL access is denied
2717 FAIL_DROP access is denied; drop the connection
2718 DEFER can't tell at the moment
2719 ERROR disaster
2720*/
2721
2722static int
2723acl_check_internal(int where, address_item *addr, uschar *s, int level,
2724 uschar **user_msgptr, uschar **log_msgptr)
2725{
2726int fd = -1;
2727acl_block *acl = NULL;
2728uschar *acl_name = US"inline ACL";
2729uschar *ss;
2730
2731/* Catch configuration loops */
2732
2733if (level > 20)
2734 {
2735 *log_msgptr = US"ACL nested too deep: possible loop";
2736 return ERROR;
2737 }
2738
2739if (s == NULL)
2740 {
2741 HDEBUG(D_acl) debug_printf("ACL is NULL: implicit DENY\n");
2742 return FAIL;
2743 }
2744
2745/* At top level, we expand the incoming string. At lower levels, it has already
2746been expanded as part of condition processing. */
2747
2748if (level == 0)
2749 {
2750 ss = expand_string(s);
2751 if (ss == NULL)
2752 {
2753 if (expand_string_forcedfail) return OK;
2754 *log_msgptr = string_sprintf("failed to expand ACL string \"%s\": %s", s,
2755 expand_string_message);
2756 return ERROR;
2757 }
2758 }
2759else ss = s;
2760
2761while (isspace(*ss))ss++;
2762
2763/* If we can't find a named ACL, the default is to parse it as an inline one.
2764(Unless it begins with a slash; non-existent files give rise to an error.) */
2765
2766acl_text = ss;
2767
2768/* Handle the case of a string that does not contain any spaces. Look for a
2769named ACL among those read from the configuration, or a previously read file.
2770It is possible that the pointer to the ACL is NULL if the configuration
2771contains a name with no data. If not found, and the text begins with '/',
2772read an ACL from a file, and save it so it can be re-used. */
2773
2774if (Ustrchr(ss, ' ') == NULL)
2775 {
2776 tree_node *t = tree_search(acl_anchor, ss);
2777 if (t != NULL)
2778 {
2779 acl = (acl_block *)(t->data.ptr);
2780 if (acl == NULL)
2781 {
2782 HDEBUG(D_acl) debug_printf("ACL \"%s\" is empty: implicit DENY\n", ss);
2783 return FAIL;
2784 }
2785 acl_name = string_sprintf("ACL \"%s\"", ss);
2786 HDEBUG(D_acl) debug_printf("using ACL \"%s\"\n", ss);
2787 }
2788
2789 else if (*ss == '/')
2790 {
2791 struct stat statbuf;
2792 fd = Uopen(ss, O_RDONLY, 0);
2793 if (fd < 0)
2794 {
2795 *log_msgptr = string_sprintf("failed to open ACL file \"%s\": %s", ss,
2796 strerror(errno));
2797 return ERROR;
2798 }
2799
2800 if (fstat(fd, &statbuf) != 0)
2801 {
2802 *log_msgptr = string_sprintf("failed to fstat ACL file \"%s\": %s", ss,
2803 strerror(errno));
2804 return ERROR;
2805 }
2806
2807 acl_text = store_get(statbuf.st_size + 1);
2808 acl_text_end = acl_text + statbuf.st_size + 1;
2809
2810 if (read(fd, acl_text, statbuf.st_size) != statbuf.st_size)
2811 {
2812 *log_msgptr = string_sprintf("failed to read ACL file \"%s\": %s",
2813 ss, strerror(errno));
2814 return ERROR;
2815 }
2816 acl_text[statbuf.st_size] = 0;
2817 close(fd);
2818
2819 acl_name = string_sprintf("ACL \"%s\"", ss);
2820 HDEBUG(D_acl) debug_printf("read ACL from file %s\n", ss);
2821 }
2822 }
2823
2824/* Parse an ACL that is still in text form. If it came from a file, remember it
2825in the ACL tree, having read it into the POOL_PERM store pool so that it
2826persists between multiple messages. */
2827
2828if (acl == NULL)
2829 {
2830 int old_pool = store_pool;
2831 if (fd >= 0) store_pool = POOL_PERM;
2832 acl = acl_read(acl_getline, log_msgptr);
2833 store_pool = old_pool;
2834 if (acl == NULL && *log_msgptr != NULL) return ERROR;
2835 if (fd >= 0)
2836 {
2837 tree_node *t = store_get_perm(sizeof(tree_node) + Ustrlen(ss));
2838 Ustrcpy(t->name, ss);
2839 t->data.ptr = acl;
2840 (void)tree_insertnode(&acl_anchor, t);
2841 }
2842 }
2843
2844/* Now we have an ACL to use. It's possible it may be NULL. */
2845
2846while (acl != NULL)
2847 {
2848 int cond;
2849 int basic_errno = 0;
2850 BOOL endpass_seen = FALSE;
2851
2852 *log_msgptr = *user_msgptr = NULL;
2853 acl_temp_details = FALSE;
2854
2855 if (where == ACL_WHERE_QUIT &&
2856 acl->verb != ACL_ACCEPT &&
2857 acl->verb != ACL_WARN)
2858 {
2859 *log_msgptr = string_sprintf("\"%s\" is not allowed in a QUIT ACL",
2860 verbs[acl->verb]);
2861 return ERROR;
2862 }
2863
2864 HDEBUG(D_acl) debug_printf("processing \"%s\"\n", verbs[acl->verb]);
2865
2866 /* Clear out any search error message from a previous check before testing
2867 this condition. */
2868
2869 search_error_message = NULL;
2870 cond = acl_check_condition(acl->verb, acl->condition, where, addr, level,
2871 &endpass_seen, user_msgptr, log_msgptr, &basic_errno);
2872
2873 /* Handle special returns: DEFER causes a return except on a WARN verb;
2874 ERROR always causes a return. */
2875
2876 switch (cond)
2877 {
2878 case DEFER:
2879 HDEBUG(D_acl) debug_printf("%s: condition test deferred\n", verbs[acl->verb]);
2880 if (basic_errno != ERRNO_CALLOUTDEFER)
2881 {
2882 if (search_error_message != NULL && *search_error_message != 0)
2883 *log_msgptr = search_error_message;
2884 if (smtp_return_error_details) acl_temp_details = TRUE;
2885 }
2886 else
2887 {
2888 acl_temp_details = TRUE;
2889 }
2890 if (acl->verb != ACL_WARN) return DEFER;
2891 break;
2892
2893 default: /* Paranoia */
2894 case ERROR:
2895 HDEBUG(D_acl) debug_printf("%s: condition test error\n", verbs[acl->verb]);
2896 return ERROR;
2897
2898 case OK:
2899 HDEBUG(D_acl) debug_printf("%s: condition test succeeded\n",
2900 verbs[acl->verb]);
2901 break;
2902
2903 case FAIL:
2904 HDEBUG(D_acl) debug_printf("%s: condition test failed\n", verbs[acl->verb]);
2905 break;
2906
2907 /* DISCARD and DROP can happen only from a nested ACL condition, and
2908 DISCARD can happen only for an "accept" or "discard" verb. */
2909
2910 case DISCARD:
2911 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"discard\"\n",
2912 verbs[acl->verb]);
2913 break;
2914
2915 case FAIL_DROP:
2916 HDEBUG(D_acl) debug_printf("%s: condition test yielded \"drop\"\n",
2917 verbs[acl->verb]);
2918 break;
2919 }
2920
2921 /* At this point, cond for most verbs is either OK or FAIL or (as a result of
2922 a nested ACL condition) FAIL_DROP. However, for WARN, cond may be DEFER, and
2923 for ACCEPT and DISCARD, it may be DISCARD after a nested ACL call. */
2924
2925 switch(acl->verb)
2926 {
2927 case ACL_ACCEPT:
2928 if (cond == OK || cond == DISCARD) return cond;
2929 if (endpass_seen)
2930 {
2931 HDEBUG(D_acl) debug_printf("accept: endpass encountered - denying access\n");
2932 return cond;
2933 }
2934 break;
2935
2936 case ACL_DEFER:
2937 if (cond == OK)
2938 {
2939 acl_temp_details = TRUE;
2940 return DEFER;
2941 }
2942 break;
2943
2944 case ACL_DENY:
2945 if (cond == OK) return FAIL;
2946 break;
2947
2948 case ACL_DISCARD:
2949 if (cond == OK || cond == DISCARD) return DISCARD;
2950 if (endpass_seen)
2951 {
2952 HDEBUG(D_acl) debug_printf("discard: endpass encountered - denying access\n");
2953 return cond;
2954 }
2955 break;
2956
2957 case ACL_DROP:
2958 if (cond == OK) return FAIL_DROP;
2959 break;
2960
2961 case ACL_REQUIRE:
2962 if (cond != OK) return cond;
2963 break;
2964
2965 case ACL_WARN:
2966 if (cond == OK)
2967 acl_warn(where, *user_msgptr, *log_msgptr);
2968 else if (cond == DEFER)
9c7a242c
PH
2969 log_write(0, LOG_MAIN, "%s Warning: ACL \"warn\" statement skipped: "
2970 "condition test deferred%s%s", host_and_ident(TRUE),
2971 (*log_msgptr == NULL)? US"" : US": ",
2972 (*log_msgptr == NULL)? US"" : *log_msgptr);
059ec3d9
PH
2973 *log_msgptr = *user_msgptr = NULL; /* In case implicit DENY follows */
2974 break;
2975
2976 default:
2977 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "internal ACL error: unknown verb %d",
2978 acl->verb);
2979 break;
2980 }
2981
2982 /* Pass to the next ACL item */
2983
2984 acl = acl->next;
2985 }
2986
2987/* We have reached the end of the ACL. This is an implicit DENY. */
2988
2989HDEBUG(D_acl) debug_printf("end of %s: implicit DENY\n", acl_name);
2990return FAIL;
2991}
2992
2993
2994/*************************************************
2995* Check access using an ACL *
2996*************************************************/
2997
2998/* This is the external interface for ACL checks. It sets up an address and the
2999expansions for $domain and $local_part when called after RCPT, then calls
3000acl_check_internal() to do the actual work.
3001
3002Arguments:
3003 where ACL_WHERE_xxxx indicating where called from
3004 data_string RCPT address, or SMTP command argument, or NULL
3005 s the input string; NULL is the same as an empty ACL => DENY
3006 user_msgptr where to put a user error (for SMTP response)
3007 log_msgptr where to put a logging message (not for SMTP response)
3008
3009Returns: OK access is granted by an ACCEPT verb
3010 DISCARD access is granted by a DISCARD verb
3011 FAIL access is denied
3012 FAIL_DROP access is denied; drop the connection
3013 DEFER can't tell at the moment
3014 ERROR disaster
3015*/
3016
3017int
3018acl_check(int where, uschar *data_string, uschar *s, uschar **user_msgptr,
3019 uschar **log_msgptr)
3020{
3021int rc;
3022address_item adb;
3023address_item *addr;
3024
3025*user_msgptr = *log_msgptr = NULL;
3026sender_verified_failed = NULL;
3027
3028if (where == ACL_WHERE_RCPT)
3029 {
3030 adb = address_defaults;
3031 addr = &adb;
3032 addr->address = data_string;
3033 if (deliver_split_address(addr) == DEFER)
3034 {
3035 *log_msgptr = US"defer in percent_hack_domains check";
3036 return DEFER;
3037 }
3038 deliver_domain = addr->domain;
3039 deliver_localpart = addr->local_part;
3040 }
3041else
3042 {
3043 addr = NULL;
3044 smtp_command_argument = data_string;
3045 }
3046
3047rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
3048
3049smtp_command_argument = deliver_domain =
2a3eea10 3050 deliver_localpart = deliver_address_data = sender_address_data = NULL;
059ec3d9
PH
3051
3052/* A DISCARD response is permitted only for message ACLs, excluding the PREDATA
3053ACL, which is really in the middle of an SMTP command. */
3054
3055if (rc == DISCARD)
3056 {
3057 if (where > ACL_WHERE_NOTSMTP || where == ACL_WHERE_PREDATA)
3058 {
3059 log_write(0, LOG_MAIN|LOG_PANIC, "\"discard\" verb not allowed in %s "
3060 "ACL", acl_wherenames[where]);
3061 return ERROR;
3062 }
3063 return DISCARD;
3064 }
3065
3066/* A DROP response is not permitted from MAILAUTH */
3067
3068if (rc == FAIL_DROP && where == ACL_WHERE_MAILAUTH)
3069 {
3070 log_write(0, LOG_MAIN|LOG_PANIC, "\"drop\" verb not allowed in %s "
3071 "ACL", acl_wherenames[where]);
3072 return ERROR;
3073 }
3074
3075/* Before giving an error response, take a look at the length of any user
3076message, and split it up into multiple lines if possible. */
3077
3078if (rc != OK && *user_msgptr != NULL && Ustrlen(*user_msgptr) > 75)
3079 {
3080 uschar *s = *user_msgptr = string_copy(*user_msgptr);
3081 uschar *ss = s;
3082
3083 for (;;)
3084 {
3085 int i = 0;
3086 while (i < 75 && *ss != 0 && *ss != '\n') ss++, i++;
3087 if (*ss == 0) break;
3088 if (*ss == '\n')
3089 s = ++ss;
3090 else
3091 {
3092 uschar *t = ss + 1;
3093 uschar *tt = NULL;
3094 while (--t > s + 35)
3095 {
3096 if (*t == ' ')
3097 {
3098 if (t[-1] == ':') { tt = t; break; }
3099 if (tt == NULL) tt = t;
3100 }
3101 }
3102
3103 if (tt == NULL) /* Can't split behind - try ahead */
3104 {
3105 t = ss + 1;
3106 while (*t != 0)
3107 {
3108 if (*t == ' ' || *t == '\n')
3109 { tt = t; break; }
3110 t++;
3111 }
3112 }
3113
3114 if (tt == NULL) break; /* Can't find anywhere to split */
3115 *tt = '\n';
3116 s = ss = tt+1;
3117 }
3118 }
3119 }
3120
3121return rc;
3122}
3123
3124/* End of acl.c */